General, Efficient, and Real-Time Data Compaction Strategy for APT Forensic Analysis
IEEE Transactions on Information Forensics and Security (IF 6.8), Pub Date: 2021-04-28, DOI: 10.1109/tifs.2021.3076288
Tiantian Zhu, Jiayu Wang, Linqi Ruan, Chunlin Xiong, Jinkai Yu, Yaosheng Li, Yan Chen, Mingqi Lv, Tieming Chen

The damage caused by Advanced Persistent Threat (APT) attacks to governments and large enterprises is gradually escalating. Once an attack event is detected, forensic analysis uses the dependencies between system audit logs to rapidly locate intrusion points and determine the impact of the attacks. Because APT attacks are highly persistent, huge amounts of data must be stored to meet the needs of forensic analysis, which not only brings great storage overhead but also sharply increases computing costs. Several methods have been proposed to compact data without affecting forensic analysis. However, in real-world scenarios we encounter weak cross-platform capability, large data processing overhead, and poor real-time performance, which make it difficult for existing data compaction methods to meet usability and universality requirements jointly. To overcome these difficulties, this paper proposes a general, efficient, and real-time data compaction method at the system log level; it involves no internal analysis of the program and does not depend on the specific operating system type, and it includes two strategies: 1) data compaction maintaining global semantics (GS), which identifies and deletes redundant events that do not affect global dependencies, and 2) data compaction based on suspicious semantics (SS). Given that the purpose of forensic analysis is to restore the attack chain, SS performs context analysis on the events remaining after GS and further deletes the parts that are not related to the attack. The results of real-world experiments show that the compaction ratios of our method on system events are as high as $4.36\times$ to $13.18\times$ and $7.86\times$ to $26.99\times$ for GS and SS, respectively, which is better than state-of-the-art studies.
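As an added illustration of the GS idea, and not the paper's own algorithm (the abstract does not detail it), the following Python sketch drops repeated information flows that cannot change any backward or forward dependency query over the audit log. The event model (each event is a flow from a source node to a destination node), the redundancy rule, and the sample events are all assumptions made here.

```python
"""Illustrative causality-preserving compaction of audit events.

Assumed model (not from the paper): an event is a directed information flow
src -> dst, e.g. a process reading a file is file -> process, a process
writing a file is process -> file. A repeated flow src -> dst is redundant
if, since the previously kept src -> dst flow, nothing new has flowed INTO
src: the later copy then adds no path to any backward or forward query.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int     # constructed monotonically increasing timestamp
    src: str    # node the information flows from
    dst: str    # node the information flows to
    op: str     # syscall-level operation, kept for the analyst


def compact_gs(events):
    """Return the subset of events needed to preserve global dependencies."""
    last_kept = {}   # (src, dst) -> ts of the last kept src->dst flow
    last_in = {}     # node -> ts of the last kept flow into that node
    kept = []
    for e in sorted(events, key=lambda ev: ev.ts):
        prev = last_kept.get((e.src, e.dst))
        # Redundant only if a kept copy exists and src received no kept
        # inflow after it; dropped events carry nothing new by definition,
        # so they deliberately do not update last_in.
        if prev is not None and last_in.get(e.src, -1) <= prev:
            continue
        kept.append(e)
        last_kept[(e.src, e.dst)] = e.ts
        last_in[e.dst] = e.ts
    return kept


def sample_events():
    """Constructed audit trace: procA reads a config, writes a log in a loop,
    procB rewrites the config, procA reads it again and keeps writing."""
    return [
        Event(1, "cfg", "procA", "read"),
        Event(2, "procA", "out.log", "write"),
        Event(3, "procA", "out.log", "write"),   # redundant
        Event(4, "procA", "out.log", "write"),   # redundant
        Event(5, "procB", "cfg", "write"),
        Event(6, "cfg", "procA", "read"),        # new data reached cfg: keep
        Event(7, "procA", "out.log", "write"),   # procA changed since ts 2: keep
        Event(8, "procA", "out.log", "write"),   # redundant
    ]


if __name__ == "__main__":
    for ev in compact_gs(sample_events()):
        print(ev)
```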

Updated: 2021-06-01