ProTracer: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting

Provenance tracing is an important approach to Advanced Persistent Threat (APT) attack detection and investigation. Existing techniques either suffer from the dependence explosion problem (a long-running process makes every output it produces appear to depend on every input it has ever consumed) or incur non-trivial space and runtime overhead, both of which hinder their application in practice. We propose ProTracer, a lightweight provenance tracing system that alternates between system event logging and unit-level taint propagation. The technique is built on an on-the-fly system event processing infrastructure that features a very lightweight kernel module and a sophisticated user-space daemon that performs concurrent and out-of-order event processing. The evaluation with different realistic system workloads and a number of attack cases shows that ProTracer produces only 13 MB of log data per day, and 0.84 GB (server) and 2.32 GB (client) over 3 months, without losing any important information. The space consumption is less than 1.28% of the state-of-the-art, and 7 times smaller than that of an off-line garbage collection technique. The run-time overhead averages under 7% for servers and under 5% for regular applications. The generated attack causal graphs are several times smaller than those produced by existing techniques while being equally informative.
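The following is an added illustration, not ProTracer's code, of the idea the abstract describes: folding input events into a per-unit taint set and logging only when a unit produces output, compared against logging every event with process-level dependences. The syscall stream, the `UNIT_BEGIN`/`UNIT_END` markers that delimit an execution unit (one iteration of a server's request loop) and the object names are all constructed here; the real system's kernel module, user-space daemon and log format are not modeled.

```python
"""Toy illustration, added for this page, of alternating between system event
logging and unit-level taint propagation. Not ProTracer's code: the event
format, the UNIT_BEGIN/UNIT_END markers and the sample stream are constructed.

Two tracers consume the same event stream:
  * NaiveTracer logs every input and output event and derives dependences at
    process granularity, so an output depends on every input the process has
    consumed so far (the dependence explosion problem for long-running daemons).
  * UnitTaintTracer keeps a taint set per execution unit, folds inputs into it
    without logging them, and emits one log record per output carrying the
    unit's taint set.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

INPUT_OPS = {"READ", "RECV"}
OUTPUT_OPS = {"WRITE", "SEND"}


@dataclass(frozen=True)
class Event:
    pid: int
    op: str        # UNIT_BEGIN, UNIT_END, READ, RECV, WRITE, SEND
    obj: str = ""  # file path or socket peer; empty for unit markers


# Constructed stream: a server (pid 100) serves three requests; only the
# second, from 198.51.100.7, drops a file that pid 200 later consumes.
EVENTS: List[Event] = [
    Event(100, "UNIT_BEGIN"),
    Event(100, "RECV", "sock:10.0.0.1"),
    Event(100, "READ", "file:/var/www/index.html"),
    Event(100, "SEND", "sock:10.0.0.1"),
    Event(100, "UNIT_END"),
    Event(100, "UNIT_BEGIN"),
    Event(100, "RECV", "sock:198.51.100.7"),
    Event(100, "WRITE", "file:/tmp/dropper.sh"),
    Event(100, "SEND", "sock:198.51.100.7"),
    Event(100, "UNIT_END"),
    Event(100, "UNIT_BEGIN"),
    Event(100, "RECV", "sock:10.0.0.2"),
    Event(100, "READ", "file:/var/www/about.html"),
    Event(100, "SEND", "sock:10.0.0.2"),
    Event(100, "UNIT_END"),
    Event(200, "UNIT_BEGIN"),
    Event(200, "READ", "file:/tmp/dropper.sh"),
    Event(200, "WRITE", "file:/etc/cron.d/backdoor"),
    Event(200, "UNIT_END"),
]


def backtrack(deps: Dict[str, Set[str]], target: str) -> Set[str]:
    """Transitive closure over direct dependences: every object that may have
    flowed into `target` (the backward causal graph's node set)."""
    seen: Set[str] = set()
    stack = [target]
    while stack:
        for src in deps.get(stack.pop(), ()):
            if src not in seen:
                seen.add(src)
                stack.append(src)
    seen.discard(target)
    return seen


class NaiveTracer:
    """Logs every input/output event; dependences are process-wide."""
    def __init__(self) -> None:
        self.log: List[Event] = []
        self.inputs: Dict[int, Set[str]] = {}   # pid -> every input so far
        self.deps: Dict[str, Set[str]] = {}

    def feed(self, ev: Event) -> None:
        if ev.op in INPUT_OPS:
            self.log.append(ev)
            self.inputs.setdefault(ev.pid, set()).add(ev.obj)
        elif ev.op in OUTPUT_OPS:
            self.log.append(ev)
            # Every input the process has ever seen becomes a dependence.
            self.deps.setdefault(ev.obj, set()).update(self.inputs.get(ev.pid, set()))


class UnitTaintTracer:
    """Propagates taint inside a unit; writes a log record only at outputs."""
    def __init__(self) -> None:
        self.log: List[Tuple[Event, FrozenSet[str]]] = []
        self.taint: Dict[int, Set[str]] = {}    # pid -> current unit's taint
        self.deps: Dict[str, Set[str]] = {}

    def feed(self, ev: Event) -> None:
        if ev.op == "UNIT_BEGIN":
            self.taint[ev.pid] = set()          # a new unit starts clean
        elif ev.op == "UNIT_END":
            self.taint.pop(ev.pid, None)
        elif ev.op in INPUT_OPS:
            self.taint.setdefault(ev.pid, set()).add(ev.obj)  # tainting, no log
        elif ev.op in OUTPUT_OPS:
            t = frozenset(self.taint.get(ev.pid, set()))
            self.log.append((ev, t))            # logging happens only here
            self.deps.setdefault(ev.obj, set()).update(t)


def run(events: List[Event], target: str) -> Dict[str, Tuple[int, Set[str]]]:
    """Feed `events` to both tracers; return (log records, ancestors of target)."""
    out: Dict[str, Tuple[int, Set[str]]] = {}
    for name, tracer in (("naive", NaiveTracer()), ("unit", UnitTaintTracer())):
        for ev in events:
            tracer.feed(ev)
        out[name] = (len(tracer.log), backtrack(tracer.deps, target))
    return out


if __name__ == "__main__":
    for name, (n, anc) in run(EVENTS, "file:/etc/cron.d/backdoor").items():
        print(f"{name:5s} log records={n:2d} ancestors={sorted(anc)}")
```

On this stream the naive tracer writes 11 records and blames the innocent request from 10.0.0.1 (and the page it served) for the backdoor, because the server process had consumed them before it wrote the dropper; the unit-level tracer writes 5 records and traces the backdoor to the dropper and the 198.51.100.7 connection only. The same closure over recorded dependences serves both, which is why the precision gain comes from where the taint set is reset, not from the graph query.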
