SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data (1801.02062v1)

Published 6 Jan 2018 in cs.CR

Abstract: We present an approach and system for real-time reconstruction of attack scenarios on an enterprise host. To meet the scalability and real-time needs of the problem, we develop a platform-neutral, main-memory based, dependency graph abstraction of audit-log data. We then present efficient, tag-based techniques for attack detection and reconstruction, including source identification and impact analysis. We also develop methods to reveal the big picture of attacks by construction of compact, visual graphs of attack steps. Our system participated in a red team evaluation organized by DARPA and was able to successfully detect and reconstruct the details of the red team's attacks on hosts running Windows, FreeBSD and Linux.

Citations (191)

Summary

Real-Time Reconstruction of Cyber Attack Scenarios

The paper presents a system for real-time reconstruction of cyber attack scenarios targeting enterprise hosts. Its focus is a platform-neutral, main-memory based framework that processes audit-log data efficiently enough to detect attacks and delineate their sequence of steps. The approach rests on a dependency graph abstraction of the audit data together with a set of tag-based techniques for attack detection, source identification, and impact analysis.

Key numerical results show the system's processing capacity: it analyzed 79 hours' worth of FreeBSD audit data in 14 seconds using only 84MB of memory. This performance is well ahead of contemporary solutions, amounting to a rate approximately 20,000 times faster than the rate at which the data was generated.

The system distinguishes itself through its use of trustworthiness and confidentiality tags, which summarize the integrity and sensitivity of the objects and subjects on the host. This tag-based paradigm supports in-depth forensic analysis by guiding backward search over the dependency graph: Dijkstra's algorithm, run over the tagged entities' dependencies, identifies attack entry points with precision.

A notable claim of the paper is that the approach scales realistically to modern APT campaigns. With a customizable policy framework for tag initialization and propagation, the system avoids false positives and negatives by refining alerts according to an analyst's hypothetical model and clear sensitivity and trustworthiness criteria.
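The tag-propagation and backward-search idea described in the two paragraphs above, as an added example that is not code from the paper or its system: a toy dependency graph built from constructed audit flows, trust and confidentiality tags propagated to each sink, two simplified alarm policies, and Dijkstra's algorithm over time-ordered reverse edges to recover the entry point. The tag scales, initialization and alarm policies, edge weights and sample events are assumptions made for this illustration, not SLEUTH's own.

```python
import heapq
from collections import defaultdict

LOW, UNKNOWN, BENIGN = 0, 1, 2   # trustworthiness tag: lower value = less trusted (assumed scale)
PUBLIC, SENSITIVE = 0, 1         # confidentiality tag: higher value = more sensitive (assumed scale)

# Constructed audit records, already reduced to information flows: (time, source, sink, operation).
EVENTS = [
    (0, "/usr/bin/firefox", "firefox", "exec"),
    (1, "net:203.0.113.5", "firefox", "recv"),       # data arrives from an unknown remote host
    (2, "firefox", "/tmp/dropper", "write"),
    (3, "/tmp/dropper", "dropper", "exec"),
    (4, "/etc/shadow", "dropper", "read"),
    (5, "dropper", "net:203.0.113.5", "send"),
]

def initial_tags(node):
    """Tag-initialization policy (assumed): remote hosts untrusted, system paths benign, /etc/shadow sensitive."""
    trust = LOW if node.startswith("net:") else BENIGN if node.startswith(("/usr/", "/etc/")) else UNKNOWN
    return trust, (SENSITIVE if node == "/etc/shadow" else PUBLIC)

def build_graph(events):
    """Replay flows in time order: record predecessors, propagate tags to the sink, raise policy alarms."""
    tags = {n: initial_tags(n) for _, s, d, _ in events for n in (s, d)}   # node -> (trust, conf)
    preds, alarms = defaultdict(list), []
    for t, src, dst, op in sorted(events):
        preds[dst].append((src, t))
        if op == "exec" and tags[src][0] == LOW:
            alarms.append((t, "untrusted code execution", dst))
        elif op == "send" and tags[src] == (LOW, SENSITIVE):
            alarms.append((t, "confidential data exfiltration", src))
        tags[dst] = (min(tags[dst][0], tags[src][0]), max(tags[dst][1], tags[src][1]))  # weakest trust, highest conf
    return tags, preds, alarms

def backward_search(alarm_time, alarm_node, preds, tags):
    """Dijkstra over reversed, time-ordered edges; low-trust hops are cheap, so the path heads for the entry point."""
    dist, prev, heap = {alarm_node: 0}, {}, [(0, alarm_node, alarm_time)]
    while heap:
        d, n, bound = heapq.heappop(heap)
        earlier = [(s, t) for s, t in preds[n] if t <= bound]   # only flows that precede the current step
        if not earlier:                                          # nothing flowed in before: entry point
            path = [n]
            while path[-1] != alarm_node:
                path.append(prev[path[-1]])
            return path                                          # entry point first, alarmed node last
        for s, t in earlier:
            nd = d + (1 if tags[s][0] == LOW else 10)            # assumed weights: untrusted 1, trusted 10
            if nd < dist.get(s, float("inf")):
                dist[s], prev[s] = nd, n
                heapq.heappush(heap, (nd, s, t))
```

Running build_graph(EVENTS) raises two alarms on "dropper", and backward_search from either one walks past the benign /usr/bin/firefox edge to report the remote host as the entry point; the time bound is what keeps the later "send" flow from turning the graph into a cycle.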

The implications of this research are both practical and theoretical. Practically, enterprise environments benefit from faster detection and response, which limits damage and gives a clearer picture of the attack steps and how they relate. Theoretically, the tag-based approach underscores the importance of provenance tracking for threat identification and points toward audit-based methods as a foundation for enterprise security infrastructure.

Future developments in AI-driven cyber defense may further enhance such systems by integrating finer granularity provenance tracking, leveraging machine learning models for behavior prediction, and automating policy refinement for tag propagation.

By coupling audit logs with real-time detection, the system offers a promising step toward comprehensive enterprise security solutions and contributes to the ongoing evolution of cyber defense mechanisms in complex networked environments.
