论文信息 - Applying Provenance in APT Monitoring and Analysis: Practical Challenges for Scalable, Efficient and Trustworthy Distributed Provenance

Applying Provenance in APT Monitoring and Analysis: Practical Challenges for Scalable, Efficient and Trustworthy Distributed Provenance

Advanced Persistent Threats (APT) are a class of security threats in which a well-resourced attacker targets a specific individual or organisation with a predefined goal. This typically involves exfiltration of confidential material, although increasingly attacks target the encryption or destruction of mission critical data. With traditional prevention and detection mechanisms failing to stem the tide of such attacks, there is a pressing need for new monitoring and analysis tools that reduce both false-positive rates and the cognitive burden on human analysts. We propose that local and distributed provenance metadata can simplify and improve monitoring and analysis of APTs by providing a single, authoritative sequence of events that captures the context (and side effects) of potentially malicious activities. Provenance metadata allows a human analyst to backtrack from detection of malicious activity to the point of intrusion and, similarly, to work forward to fully understand the consequences. Applying provenance to APT monitoring and analysis introduces some significantly different challenges and requirements in comparison to more traditional applications. Drawing from our experiences working with and adapting the OPUS (Observed Provenance in User Space) system to an APT monitoring and analysis use case, we introduce and discuss some of the key challenges in this space. These preliminary observations are intended Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. TaPP 2017, June 22-23, 2017, Seattle, Washington. Copyright remains with the owner/author(s). to prime a discussion within the community about the design space for scalable, efficient and trustworthy distributed provenance for scenarios that impose different constraints from traditional provenance applications such as workflow and data processing frameworks. CCS Concepts • Information systems → Data provenance; •Software and its engineering → Distributed systems organizing principles; •Security and privacy → Distributed systems security

[1] Andy Hopper,et al. HadoopProv: Towards Provenance as a First Class Citizen in MapReduce , 2013, TaPP.

[2] Randall Stewart,et al. Optimizing TLS for High–Bandwidth Applications in FreeBSD , 2015 .

[3] Ashish Gehani,et al. SPADE: Support for Provenance Auditing in Distributed Environments , 2012, Middleware.

[4] Andy Hopper,et al. OPUS: A Lightweight System for Observational Provenance in User Space , 2013, TaPP.

[5] Geoff Holmes,et al. Security and Data Accountability in Distributed Systems: A Provenance Survey , 2013, 2013 IEEE 10th International Conference on High Performance Computing and Communications & 2013 IEEE International Conference on Embedded and Ubiquitous Computing.

[6] Margo I. Seltzer,et al. Provenance-Aware Storage Systems , 2006, USENIX ATC, General Track.

[7] Eric Michael Hutchins,et al. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains , 2010 .

[8] Marianne Winslett,et al. The Case of the Fake Picasso: Preventing History Forgery with Secure Provenance , 2009, FAST.

[9] Andreas Haeberlen,et al. Tracking Adversarial Behavior in Distributed Systems With Secure Network Provenance , 2010 .

[10] Vladimiro Sassone,et al. A Formal Model of Provenance in Distributed Systems , 2009, Workshop on the Theory and Practice of Provenance.