Date of Award: Fall 10-2025
Document Type: Dissertation
Degree Name: Doctor of Philosophy in Cyber Defense (PhDCD)
First Advisor: Varghese Vaidyan
Second Advisor: John Hastings
Third Advisor: David Kenley
Abstract
This research study analyzes and provides a method for measuring the effectiveness of various logging standards, using a design science methodology combined with an applied experimentation evaluation. The design science component introduces a purpose-built tool, the Security Exploit Telemetry Collection (SETC) framework, which provides a robust lab environment that records rich, repeatable, and highly configurable security telemetry of attacks against vulnerable services. The framework collects this telemetry by hosting and exploiting vulnerable services in a controlled container environment. The applied experimentation component uses data produced by SETC to evaluate the effectiveness of logging standards through a novel measurement approach. The data is analyzed using two measures: effectiveness scores, which quantify how much telemetry is preserved when raw logs are converted to standardized formats, and cardinal detection scores, which assess practical security monitoring capability across a defined attack chain. Through controlled experimentation involving 50 remote code execution vulnerabilities, this research establishes the first quantitative comparison of modern logging standards from a security perspective. The findings reveal that the evaluated standards preserve telemetry to varying degrees. All examined standards exhibit substantial gaps in detecting initial compromise, with the largest gap appearing for vulnerabilities in network services. A critical discovery is that the absence of HTTP POST body and header data from the required fields of the standardized formats renders the majority of web-based exploits undetectable. The research also demonstrates that post-exploitation activity retains significantly better visibility across all logging standards.
These findings provide evidence-based insights for security practitioners and identify systematic blind spots in logging standards that have immediate implications for enterprise security monitoring and incident detection capabilities.
Recommended Citation
Holeman, Ryan, "Logging and Telemetry Gap Identification of Remote Vulnerability Exploitation" (2025). Masters Theses & Doctoral Dissertations. 501.
https://scholar.dsu.edu/theses/501