Malicious Behavior Detection using Windows Audit Logs
As antivirus and network intrusion detection systems have increasingly proven insufficient to detect advanced threats, large security operations centers have moved to deploy endpoint-based sensors that provide deeper visibility into low-level events across their enterprises. Unfortunately, for many organizations in government and industry, the installation, maintenance, and resource requirements of these newer solutions pose barriers to adoption and are perceived as risks to organizations' missions. To mitigate this problem we investigated the utility of agentless detection of malicious endpoint behavior, using only the standard built-in Windows audit logging facility as our signal. We found that Windows audit logs, while emitting manageably sized data streams on the endpoints, provide enough information to allow robust detection of malicious behavior. Audit logs provide an effective, low-cost alternative to deploying additional expensive agent-based breach detection systems in many government and industrial settings, and can be used to detect, in our tests, 83% of malware samples at a 0.1% false positive rate. They can also supplement already existing host signature-based antivirus solutions, like Kaspersky, Symantec, and McAfee, detecting, in our testing environment, 78% of malware missed by those antivirus systems.
💡 Research Summary
The paper “Malicious Behavior Detection using Windows Audit Logs” investigates whether the built‑in Windows audit logging facility can serve as a low‑cost, agent‑less source of telemetry for detecting malicious endpoint activity. Recognizing that modern advanced threats often evade signature‑based antivirus and network intrusion detection systems, the authors propose leveraging the audit logs already collected by many enterprises for compliance and forensic purposes.
Data collection is performed in two stages. First, a minimal audit policy is deployed across an enterprise network, capturing only file and registry write, delete, and execute events, as well as process spawn events. Read events and network traffic are deliberately omitted to keep the volume manageable; the resulting logs amount to roughly 100–200 MB per machine per day (≈300–600 k events), which can be compressed at a 16:1 ratio with negligible performance impact. Second, a sandbox environment based on CuckooBox and VirtualBox is used to generate audit logs for a large corpus of binaries. The binary set includes over two million samples from the MAL2M collection, a thousand manually crafted malware samples (MAL3P), several high‑profile APT families (MALAPT), about sixteen thousand binaries downloaded by VPN users (UVPN), and known‑good system files (OS).
Labeling of the data relies on VirusTotal scores: binaries with a score of 0 are labeled benign, those with a score ≥ 0.3 are labeled malicious, and ambiguous samples (0 < score < 0.3) are discarded. Known‑good OS files and the explicitly malicious MAL3P and MALAPT sets are forced to their respective classes. This yields a balanced dataset containing both malicious and benign audit logs, with 981 distinct malware families represented.
For feature extraction, each audit event is represented as a tuple (action, normalized path). Paths are abstracted (e.g., user directories become %USERPROFILE%) to reduce over‑fitting to specific file locations. A bag‑of‑words model is built over these tuples, and TF‑IDF weighting is applied so that frequent yet discriminative events receive higher importance. After L2 normalization, the high‑dimensional vectors are fed into a linear classifier, either a Support Vector Machine with a linear kernel or logistic regression. Feature selection reduces the model to roughly the 5,000 most informative event types, keeping the model lightweight and interpretable.
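The pipeline described in this paragraph, written out as an added example (this is not the paper's code). The audit events are constructed sample records, the %SID% rewrite for HKEY_USERS keys is an added normalization beyond the %USERPROFILE% rule the summary names, and the smoothed IDF formula is one common TF-IDF variant, not necessarily the one the authors used. Feature selection and the classifier itself are left out; the function returns L2-normalized vectors and a dense matrix that a linear SVM or logistic regression could consume.

```python
import math
import re
from collections import Counter

# Constructed sample audit logs: one list of (action, raw path) per binary.
# Illustrative only; not data from the paper or from any real host.
SAMPLE_LOGS = {
    "benign_a": [
        ("spawn", r"C:\Windows\System32\cmd.exe"),
        ("write", r"C:\Users\alice\AppData\Local\Temp\report.tmp"),
        ("spawn", r"C:\Windows\System32\notepad.exe"),
        ("write", r"C:\Users\alice\Documents\notes.txt"),
    ],
    "benign_b": [
        ("spawn", r"C:\Windows\System32\cmd.exe"),
        ("write", r"C:\Users\bob\AppData\Local\Temp\cache.dat"),
        ("spawn", r"C:\Windows\System32\calc.exe"),
    ],
    "sample_c": [
        ("spawn", r"C:\Windows\System32\cmd.exe"),
        ("write", r"C:\Users\carol\AppData\Roaming\svchost.exe"),
        ("execute", r"C:\Users\carol\AppData\Roaming\svchost.exe"),
        ("write", r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ],
}

# Paths are lower-cased first, so the patterns match lower-case input.
USER_DIR = re.compile(r"^c:\\users\\[^\\]+")
# Assumption: per-user registry hives are collapsed to a %SID% placeholder.
SID_RE = re.compile(r"s-1-5-21(-\d+)+")


def normalize_path(path):
    """Abstract a file or registry path so different users map to one token."""
    p = path.lower()
    p = USER_DIR.sub("%USERPROFILE%", p)
    p = SID_RE.sub("%SID%", p)
    return p


def featurize(events):
    """Bag of (action, normalized path) tuples for one audit log."""
    return Counter((action, normalize_path(path)) for action, path in events)


def tfidf_vectors(bags):
    """TF-IDF weight each bag and L2-normalize.

    bags: dict name -> Counter of features.
    Returns dict name -> dict feature -> weight, each vector with unit L2 norm.
    IDF is the smoothed form log((1+N)/(1+df)) + 1 (assumed variant).
    """
    n_docs = len(bags)
    df = Counter()
    for bag in bags.values():
        df.update(bag.keys())
    idf = {f: math.log((1 + n_docs) / (1 + df[f])) + 1.0 for f in df}
    vectors = {}
    for name, bag in bags.items():
        raw = {f: count * idf[f] for f, count in bag.items()}
        norm = math.sqrt(sum(w * w for w in raw.values()))
        vectors[name] = {f: w / norm for f, w in raw.items()} if norm else {}
    return vectors


def to_dense(vectors):
    """Fixed feature order plus one dense row per log, ready for a linear model."""
    vocab = sorted({f for vec in vectors.values() for f in vec})
    index = {f: i for i, f in enumerate(vocab)}
    rows = {}
    for name, vec in vectors.items():
        row = [0.0] * len(vocab)
        for f, w in vec.items():
            row[index[f]] = w
        rows[name] = row
    return vocab, rows


def build_features(logs=SAMPLE_LOGS):
    bags = {name: featurize(events) for name, events in logs.items()}
    return tfidf_vectors(bags)


if __name__ == "__main__":
    vocab, rows = to_dense(build_features())
    print(len(vocab), "distinct (action, path) features")
    for name, row in rows.items():
        print(name, [round(w, 3) for w in row])
```

Because the path token is the feature, anything left un-normalized (random temp file names, per-install GUIDs) becomes a one-off feature that TF-IDF will weight highly; in practice the abstraction rules are where most of the tuning effort goes.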
Evaluation uses 5‑fold cross‑validation and a held‑out test set. At a false‑positive rate of 0.1 %, the classifier achieves an 83 % detection rate for malicious samples, with an area under the ROC curve of approximately 0.98. When compared against three commercial antivirus products (Kaspersky, McAfee, Symantec), the audit‑log‑based detector identifies an additional 78 % of the malware that these products miss, demonstrating strong complementary value. Feature importance analysis reveals that file writes, registry modifications, and process spawns are the dominant signals, and these behaviors are consistent across diverse malware families, indicating that the detector is learning true malicious behavior rather than superficial signatures.
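How a detection rate at a fixed false-positive rate, the operating point this paragraph reports, is read off classifier scores, as an added example that is not the paper's evaluation code. The benign and malicious scores are constructed; the threshold rule (flag a sample when its score is strictly above the score of the next benign sample beyond the allowed budget) and the rank-based AUC are standard, and the numbers below have nothing to do with the paper's results.

```python
import math

# Constructed classifier scores: 1000 benign, 100 malicious.
# Real scores would come from the held-out fold of the trained linear model.
BENIGN_SCORES = [i / 1000 for i in range(1000)]           # 0.000 .. 0.999
MALICIOUS_SCORES = [(9950 + i) / 10000 for i in range(100)]  # 0.9950 .. 1.0049


def threshold_at_fpr(benign_scores, target_fpr):
    """Largest threshold whose strict '>' rule flags at most target_fpr of benign samples."""
    ranked = sorted(benign_scores, reverse=True)
    n = len(ranked)
    allowed = int(target_fpr * n + 1e-9)  # benign samples we may flag
    if allowed >= n:
        return -math.inf
    # Flag scores strictly greater than the (allowed+1)-th highest benign score,
    # so at most `allowed` benign samples exceed the threshold.
    return ranked[allowed]


def rates_at_threshold(benign_scores, malicious_scores, threshold):
    """Observed (false positive rate, detection rate) for a threshold."""
    fp = sum(1 for s in benign_scores if s > threshold)
    tp = sum(1 for s in malicious_scores if s > threshold)
    return fp / len(benign_scores), tp / len(malicious_scores)


def auc(benign_scores, malicious_scores):
    """Area under the ROC curve via pairwise comparison (ties count one half)."""
    ranked_benign = sorted(benign_scores)
    total = 0.0
    for m in malicious_scores:
        below = _count_less(ranked_benign, m)
        ties = _count_less(ranked_benign, m, inclusive=True) - below
        total += below + 0.5 * ties
    return total / (len(benign_scores) * len(malicious_scores))


def _count_less(sorted_vals, x, inclusive=False):
    """Number of values < x (or <= x when inclusive), by binary search."""
    lo, hi = 0, len(sorted_vals)
    while lo < hi:
        mid = (lo + hi) // 2
        if sorted_vals[mid] < x or (inclusive and sorted_vals[mid] == x):
            lo = mid + 1
        else:
            hi = mid
    return lo


def evaluate(benign=BENIGN_SCORES, malicious=MALICIOUS_SCORES, target_fpr=0.001):
    thr = threshold_at_fpr(benign, target_fpr)
    fpr, tpr = rates_at_threshold(benign, malicious, thr)
    return {"threshold": thr, "fpr": fpr, "detection_rate": tpr, "auc": auc(benign, malicious)}


if __name__ == "__main__":
    for k, v in evaluate().items():
        print(f"{k}: {v:.4f}")
```

With 1000 benign samples a 0.1% budget is a single false positive, so the threshold sits on the second-highest benign score; this is why the paper's operating point only means something with a benign set large enough that "0.1%" is more than a handful of samples.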
The authors acknowledge several limitations. Excluding network events may miss certain classes of attacks that manifest primarily through communication. The sandbox environment, while extensive, may not capture all nuances of real‑world user interaction, potentially leading to distribution shift when deployed in production. Moreover, expanding the audit policy to capture more event types would increase storage and bandwidth requirements, potentially offsetting the low‑cost advantage.
Future work is outlined as follows: (1) integrating network‑level audit events to create a multimodal detection framework; (2) deploying the model in a real‑time SIEM pipeline to enable automated response; (3) exploring adaptive audit policies that dynamically adjust logging granularity based on observed risk; and (4) investigating hybrid approaches that combine anomaly detection with the supervised model to further reduce false positives.
In conclusion, the study demonstrates that Windows audit logs, a native and widely available data source, can be transformed into an effective, scalable, and inexpensive detection mechanism for malicious endpoint behavior. The approach offers a practical path for government agencies and industrial organizations to augment or replace costly agent‑based breach detection solutions while maintaining high detection performance and minimal operational overhead.