Log2Evt: Constructing high-level events for IoT Systems through log-code execution path correlation
Teng Li, Baichuan Zheng, Yebo Feng, Xiaowen Quan, Jiahua Xu, Yang Liu, Jianfeng Ma
Journal of Systems Architecture, volume 168, Article 103578. Journal Article, published 2025-09-13.
DOI: 10.1016/j.sysarc.2025.103578
URL: https://www.sciencedirect.com/science/article/pii/S1383762125002504
Periodical impact factor: 4.1; JCR: Q1 (Computer Science, Hardware & Architecture)
Citation count: 0
Abstract
The detection of cyberattacks in IoT ecosystems requires comprehensive log auditing across distributed devices, yet the volume and heterogeneity of IoT logs exceed traditional analysis capabilities. Therefore, it is essential to narrow down the scope of forensics precisely and efficiently to target attack-related events. Existing schemes have the disadvantage of low accuracy and flexibility. We propose a novel approach that synthesizes high-level security events from low-level IoT logs by correlating firmware execution traces with runtime call stack contexts. Our approach implements lightweight monitoring probes at critical IoT workflow points and employs an IoT-optimized Common Ancestor algorithm for log sequence analysis. The experiments demonstrate a 15% improvement in accuracy compared to the rule-based matching scheme. Additionally, the results highlight the influence of the threshold parameter and show that the approach has minimal impact on program operation. The approach effectively addresses the challenges of protocol fragmentation and resource constraints in IoT environments, providing a foundation for robust security monitoring in smart city deployments.
About the journal:
The Journal of Systems Architecture: Embedded Software Design (JSA) is a journal covering all design and architectural aspects related to embedded systems and software. It ranges from the microarchitecture level via the system software level up to the application-specific architecture level. Aspects such as real-time systems, operating systems, FPGA programming, programming languages, communications (limited to analysis and the software stack), mobile systems, parallel and distributed architectures as well as additional subjects in the computer and system architecture area will fall within the scope of this journal. Technology will not be a main focus, but its use and relevance to particular designs will be. Case studies are welcome but must contribute more than just a design for a particular piece of software.
Design automation of such systems, including methodologies, techniques and tools for their design, as well as novel designs of software components fall within the scope of this journal. Novel applications that use embedded systems are also central in this journal. While hardware is not a part of this journal, hardware/software co-design methods that consider interplay between software and hardware components with an emphasis on software are also relevant here.