Probabilistically Inferring Attack Ramifications Using Temporal Dependence Network

There is an increasing need to assess and mitigate the effects of successful attacks. Uncovering malicious and contaminated objects in an attacked computing system is referred to as identification of attack ramifications. Previous methods identify attack ramifications by directly tracking information flows (or dependences) from the intrusion root (i.e., the entry point of an attack). They face challenges such as an undetermined intrusion root and dependence explosion. In this paper, we present a novel, lightweight method capable of identifying attack ramifications without knowledge of the intrusion root and less subject to dependence explosion. The method uses a probabilistic reasoning approach to fuse evidence derived from a subset of objects whose security states are known. It first splits the lifetime of an object into consecutive time slices (object-slices) to profile how the security state of that object changes over time. Then, a temporal dependence network (TDN) is constructed from system call traces to correlate object-slices according to the information flows between them. Based on the TDN, a Bayesian network (BN) model is built to characterize the uncertainties of infection propagation. Finally, the method applies loopy belief propagation on the BN model to infer the security state of each object. We evaluate the proposed method on a large data set of 389 attacks launched by real-world malware samples, including sophisticated ones such as Stuxnet. Extensive experiments demonstrate that our method identifies attack ramifications with 97.47% precision at 97.21% recall without knowledge of the intrusion root.
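To make the pipeline in the abstract concrete (object-slices cut from a system call trace, a temporal dependence network over those slices, and inference from a few objects with known security state), here is a small added example. It is not the paper's code: the trace lines are constructed, the slicing and propagation rules are hypothetical simplifications, and the inference step uses an iterative noisy-OR fixed point in place of the paper's full Bayesian network with loopy belief propagation. A new slice of an object begins whenever information flows into it (a process reading a file, or a file being written by a process), and each new slice depends on both the object's previous slice and the slice that flowed into it.

```python
from collections import defaultdict

# Constructed sample system call trace (not from the paper):
# "timestamp pid syscall path"
TRACE = """\
1 p1 read /tmp/dropper.exe
2 p1 write /etc/config
3 p2 read /etc/config
4 p2 write /var/log/out
5 p3 read /home/user/doc.txt
6 p3 write /home/user/doc.txt
"""


def parse_trace(text):
    """Parse the constructed trace into (ts, pid, syscall, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, call, path = line.split()
        events.append((int(ts), pid, call, path))
    return events


def build_tdn(events):
    """Build a temporal dependence network (hypothetical simplification).

    Returns (nodes, parents): nodes are (object, slice_index) pairs and
    parents maps each node to the object-slices that flow information
    into it. A new slice of an object starts whenever it receives
    information; it depends on the object's previous slice (temporal
    dependence) and on the source slice (information flow).
    """
    current = defaultdict(int)   # object -> index of its current slice
    parents = defaultdict(list)
    nodes = set()

    def slice_of(obj):
        node = (obj, current[obj])
        nodes.add(node)
        return node

    def new_slice(obj, src):
        prev = slice_of(obj)
        current[obj] += 1
        new = slice_of(obj)
        parents[new] = [prev, src]
        return new

    for _ts, pid, call, path in events:
        if call == "read":        # information flows file -> process
            new_slice(pid, slice_of(path))
        elif call == "write":     # information flows process -> file
            new_slice(path, slice_of(pid))
    return nodes, dict(parents)


def infer(nodes, parents, evidence, p_edge=0.9, root_prior=0.0, iters=50):
    """Infer P(infected) per object-slice by iterating a noisy-OR rule.

    evidence clamps known slices (1.0 = known malicious, 0.0 = known clean);
    p_edge is the assumed probability that infection crosses one edge;
    slices with no parents and no evidence take root_prior. The iteration
    is a stand-in for loopy belief propagation on the paper's BN model.
    """
    belief = {n: evidence.get(n, root_prior) for n in nodes}
    for _ in range(iters):
        new = {}
        for n in nodes:
            if n in evidence:
                new[n] = evidence[n]
                continue
            pa = parents.get(n, [])
            if not pa:
                new[n] = root_prior
                continue
            # noisy-OR: the slice stays clean only if no parent infects it
            stays_clean = 1.0
            for u in pa:
                stays_clean *= 1.0 - p_edge * belief[u]
            new[n] = 1.0 - stays_clean
        converged = max(abs(new[n] - belief[n]) for n in nodes) < 1e-9
        belief = new
        if converged:
            break
    return belief


def attack_ramifications(belief, threshold=0.5):
    """Object-slices whose inferred infection probability meets the threshold."""
    return sorted(n for n, p in belief.items() if p >= threshold)


if __name__ == "__main__":
    nodes, parents = build_tdn(parse_trace(TRACE))
    # Known states: the dropped file is malicious, the user's document was clean.
    known = {("/tmp/dropper.exe", 0): 1.0, ("/home/user/doc.txt", 0): 0.0}
    beliefs = infer(nodes, parents, known)
    for node in attack_ramifications(beliefs):
        print(node, round(beliefs[node], 4))
```

With the constructed trace, the infection evidence on the dropped file propagates through p1 into /etc/config, then into p2 and /var/log/out, with the probability decaying by the edge factor at each hop, while p3 and the later slice of doc.txt stay at zero because their only inflow is the known-clean document. Note that no intrusion root was given to the inference: only a malicious file and a clean file were labelled.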
