SPARSE: Semantic Tracking and Path Analysis for Attack Investigation in Real-time (2405.02629v1)
Abstract: As the complexity and destructiveness of Advanced Persistent Threats (APTs) increase, there is a growing need to identify the series of actions an attacker undertakes to achieve their target, a task called attack investigation. Currently, analysts construct a provenance graph and perform causality analysis from a Point-Of-Interest (POI) event to capture the critical events (those related to the attack). However, because the provenance graph is vast and critical events are rare, existing attack investigation methods suffer from high false positives, high overhead, and high latency. To this end, we propose SPARSE, an efficient real-time system that constructs critical component graphs (i.e., graphs consisting only of critical events) from streaming logs. Our key observations are that 1) critical events exist in a suspicious semantic graph (SSG) composed of interaction flows between suspicious entities, and 2) the information flows that accomplish the attacker's goal take the form of paths. SPARSE therefore uses a two-stage framework for attack investigation: constructing the SSG, then performing path-level contextual analysis. First, SPARSE operates in a state-based mode in which events are consumed as a stream, so that the SSG related to a POI event can be retrieved easily through its semantic transfer rule and storage strategy. Then, SPARSE identifies all suspicious flow paths (SFPs) related to the POI event in the SSG and quantifies the influence of each path in order to filter out irrelevant events. Our evaluation on a real large-scale attack dataset shows that SPARSE generates a critical component graph (~113 edges) in 1.6 seconds, which is 2014x smaller than the backtracking graph (~227,589 edges). SPARSE is 25x more effective than other state-of-the-art techniques at filtering irrelevant edges.
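The two-stage idea in the abstract, as an added illustration that is not SPARSE's own code: a constructed audit-event stream is first reduced to a suspicious semantic graph by a state-based streaming pass with a simple suspicion transfer rule, then only the time-ordered suspicious flow paths ending at the POI event are enumerated and scored so that low-influence paths (here, a dependency running through a hub file with many readers) are dropped. The result is compared against plain backtracking from the same POI. The entity names and addresses, the events, the transfer rule ("untrusted sockets are suspicious; suspicion follows information flow"), the fan-out influence score and the keep ratio are all assumptions made for this example, not the paper's rules.

```python
"""Two-stage attack investigation over a constructed audit-event stream.
Added illustration, not SPARSE's code: entities, events, the suspicion transfer
rule, the fan-out influence score and the keep ratio are constructed assumptions."""
from collections import Counter, defaultdict

LIBC = "file:/lib/x86_64-linux-gnu/libc.so.6"
SOCK_C2 = "socket:198.51.100.7:443"       # constructed; documentation address ranges
SOCK_MIRROR = "socket:203.0.113.9:80"
SOCK_EXFIL = "socket:198.51.100.7:4444"

# Constructed events: (timestamp, src, dst, op); information flows src -> dst.
EVENTS = [
    (1, LIBC, "proc:cron", "read"),
    (2, "file:/etc/crontab", "proc:cron", "read"),
    (3, LIBC, "proc:curl", "read"),
    (4, SOCK_C2, "proc:curl", "recv"),
    (5, "proc:curl", "file:/tmp/payload", "write"),
    (6, "proc:curl", "file:/tmp/shared.log", "write"),    # hub file with many readers
    (7, LIBC, "proc:bash", "read"),
    (8, "proc:bash", "file:/var/log/syslog", "write"),    # bash is not suspicious yet
    (9, "file:/tmp/payload", "proc:bash", "read"),
    (10, "file:/etc/passwd", "proc:bash", "read"),         # benign source
    (11, "file:/tmp/shared.log", "proc:logrotate", "read"),
    (12, "file:/tmp/shared.log", "proc:tail", "read"),
    (13, "file:/tmp/shared.log", "proc:grep", "read"),
    (14, "file:/tmp/shared.log", "proc:bash", "read"),
    (15, "proc:cron", "file:/tmp/cron.out", "write"),
    (16, "file:/tmp/cron.out", "proc:bash", "read"),
    (17, SOCK_MIRROR, "proc:apt", "recv"),                 # suspicious but unrelated to the POI
    (18, "proc:apt", "file:/var/cache/apt/pkg.deb", "write"),
    (19, "proc:bash", "file:/home/alice/.ssh/id_rsa.bak", "write"),  # POI event
    (20, "proc:bash", SOCK_EXFIL, "send"),
]
POI = EVENTS[18]   # bash writes a copy of a private key


def backtrack(events, poi):
    """Baseline: backward causality from the POI, every earlier event that could
    have influenced it, regardless of suspicion."""
    by_dst = defaultdict(list)
    for ev in events:
        by_dst[ev[2]].append(ev)
    found, work = {poi}, [(poi[1], poi[0])]
    while work:
        entity, before = work.pop()
        for ev in by_dst[entity]:
            if ev[0] < before and ev not in found:
                found.add(ev)
                work.append((ev[1], ev[0]))
    return found


class SSGBuilder:
    """Stage 1: consume events as a stream, keeping only per-entity suspicion
    state; an edge enters the SSG only when both endpoints are suspicious."""

    def __init__(self):
        self.suspicious, self.edges = set(), []

    def consume(self, ev):
        _ts, src, dst, _op = ev
        if src.startswith("socket:"):          # assumed rule: external sockets are untrusted
            self.suspicious.add(src)
        if src in self.suspicious:             # assumed transfer rule: suspicion follows flow
            self.suspicious.add(dst)
            self.edges.append(ev)


def suspicious_flow_paths(ssg_edges, poi, max_depth=8):
    """Stage 2a: all time-ordered SSG paths ending at the POI that start at an
    entity with no earlier incoming SSG edge (a source of suspicion)."""
    by_dst = defaultdict(list)
    for ev in ssg_edges:
        by_dst[ev[2]].append(ev)
    paths = []

    def walk(entity, before, path):
        earlier = [ev for ev in by_dst[entity] if ev[0] < before]
        if not earlier:
            paths.append(path[::-1])
        elif len(path) < max_depth:            # timestamps strictly decrease, so this terminates
            for ev in earlier:
                walk(ev[1], ev[0], path + [ev])

    walk(poi[1], poi[0], [poi])
    return paths


def influence(path, events):
    """Stage 2b (assumed score): flow through an entity that fans out to many
    destinations is diluted, so each edge contributes 1/outdeg(src)."""
    outdeg = Counter(ev[1] for ev in events)
    score = 1.0
    for ev in path:
        score /= outdeg[ev[1]]
    return score


def critical_component_graph(events, poi, keep_ratio=0.3):
    """Run both stages; keep the edges of paths scoring >= keep_ratio * best path."""
    builder = SSGBuilder()
    for ev in sorted(events):
        builder.consume(ev)
    paths = suspicious_flow_paths(builder.edges, poi)
    if not paths:
        return set(), builder.edges, paths
    scored = [(influence(p, events), p) for p in paths]
    best = max(s for s, _ in scored)
    kept = {ev for s, p in scored if s >= keep_ratio * best for ev in p}
    return kept, builder.edges, paths


if __name__ == "__main__":
    kept, ssg, paths = critical_component_graph(EVENTS, POI)
    print("backtracking graph:", len(backtrack(EVENTS, POI)), "edges")
    print("SSG:", len(ssg), "edges;", len(paths), "suspicious flow paths to the POI")
    print("critical component graph:", sorted(ev[0] for ev in kept))
```

On this stream, backtracking from the POI returns 13 events (library loads, /etc/passwd, the cron job and the shared log are all pulled in by timing alone), the streaming SSG holds 12 edges (including the unrelated apt download and the shared-log readers, which have no path to the POI), and the path stage keeps the four edges of the socket -> curl -> /tmp/payload -> bash -> key-file chain while dropping the path through the hub file. The example only walks backward from the POI; the later exfiltration edge is in the SSG but would need a forward pass to be attached.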