MPI: Multiple Perspective Attack Investigation with Semantic Aware Execution Partitioning

Traditional auditing techniques generate large and inaccurate causal graphs. To overcome such limitations, researchers proposed to leverage execution partitioning to improve analysis granularity and hence precision. However, these techniques rely on a low level programming paradigm (i.e., event handling loops) to partition execution, which often results in low level graphs with a lot of redundancy. This not only leads to space inefficiency and noises in causal graphs, but also makes it difficult to understand attack provenance. Moreover, these techniques require training to detect low level memory dependencies across partitions. Achieving correctness and completeness in the training is highly challenging. In this paper, we propose a semantics aware program annotation and instrumentation technique to partition execution based on the application specific high level task structures. It avoids training, generates execution partitions with rich semantic information and provides multiple perspectives of an attack. We develop a prototype and integrate it with three different provenance systems: the Linux Audit system, ProTracer and the LPM-HiFi system. The evaluation results show that our technique generates cleaner attack graphs with rich high-level semantics and has much lower space and time overheads, when compared with the event loop based partitioning techniques BEEP and ProTracer.

[1]  Somesh Jha,et al.  Automated generation and analysis of attack graphs , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[2]  Crispin Cowan,et al.  Linux security modules: general security support for the linux kernel , 2002, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[3]  Samuel T. King,et al.  Backtracking intrusions , 2003, SOSP '03.

[4]  Tzi-cker Chiueh,et al.  Design, implementation, and evaluation of repairable file service , 2003, 2003 International Conference on Dependable Systems and Networks, 2003. Proceedings..

[5]  Tal Garfinkel,et al.  Understanding data lifetime via whole system simulation , 2004 .

[6]  Dawn M. Cappelli,et al.  Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors , 2005 .

[7]  Eyal de Lara,et al.  The taser intrusion recovery system , 2005, SOSP '05.

[8]  Samuel T. King,et al.  Enriching Intrusion Alerts Through Multi-Host Causality , 2005, NDSS.

[9]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[10]  Subbarayan Venkatesan,et al.  Forensic analysis of file system intrusions using improved backtracking , 2005, Third IEEE International Workshop on Information Assurance (IWIA'05).

[11]  Dawn M. Cappelli,et al.  Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector , 2005 .

[12]  Andrew W. Appel,et al.  MulVAL: A Logic-based Network Security Analyzer , 2005, USENIX Security Symposium.

[13]  Margo I. Seltzer,et al.  Provenance-Aware Storage Systems , 2006, USENIX ATC, General Track.

[14]  Margo I. Seltzer,et al.  Issues in Automatic Provenance Collection , 2006, IPAW.

[15]  Xuxian Jiang,et al.  Provenance-Aware Tracing ofWorm Break-in and Contaminations: A Process Coloring Approach , 2006, 26th IEEE International Conference on Distributed Computing Systems (ICDCS'06).

[16]  Xinming Ou,et al.  A scalable approach to attack graph generation , 2006, CCS '06.

[17]  Edmund M. Clarke,et al.  Ranking Attack Graphs , 2006, RAID.

[18]  Eddie Kohler,et al.  Making information flow explicit in HiStar , 2006, OSDI '06.

[19]  Dawn M. Cappelli,et al.  Insider Threat Study: Illicit Cyber Activity in the Government Sector , 2008 .

[20]  Xinming Ou,et al.  Identifying Critical Attack Assets in Dependency Attack Graphs , 2008, ESORICS.

[21]  Erez Zadok,et al.  Selective Versioning in a Secure Disk System , 2008, USENIX Security Symposium.

[22]  Christopher Krügel,et al.  Effective and Efficient Malware Detection at the End Host , 2009, USENIX Security Symposium.

[23]  Margo I. Seltzer,et al.  Layering in Provenance Systems , 2009, USENIX Annual Technical Conference.

[24]  Michael I. Jordan,et al.  Detecting large-scale system problems by mining console logs , 2009, SOSP '09.

[25]  Xi Wang,et al.  Intrusion Recovery Using Selective Re-execution , 2010, OSDI.

[26]  Ahmed Amer,et al.  Compressing Provenance Graphs , 2011, TaPP.

[27]  Christopher Krügel,et al.  The power of procrastination: detection and mitigation of execution-stalling malicious code , 2011, CCS '11.

[28]  Haoxiang Lin,et al.  G2: A Graph Processing System for Diagnosing Distributed Systems , 2011, USENIX Annual Technical Conference.

[29]  Paul T. Groth,et al.  PrIMe: A methodology for developing provenance-aware applications , 2011, TSEM.

[30]  Yuriy Brun,et al.  Leveraging existing instrumentation to automatically infer invariant-constrained models , 2011, ESEC/FSE '11.

[31]  Yulai Xie,et al.  A hybrid approach for efficient provenance storage , 2012, CIKM '12.

[32]  Ashish Gehani,et al.  SPADE: Support for Provenance Auditing in Distributed Environments , 2012, Middleware.

[33]  Jennifer Neville,et al.  Structured Comparative Analysis of Systems Logs to Diagnose Performance Problems , 2012, NSDI.

[34]  Patrick D. McDaniel,et al.  Hi-Fi: collecting high-fidelity whole-system provenance , 2012, ACSAC '12.

[35]  Randall F. Trzeciak,et al.  Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector , 2012 .

[36]  Xiangyu Zhang,et al.  High Accuracy Attack Provenance via Binary-based Execution Partition , 2013, NDSS.

[37]  Xiangyu Zhang,et al.  LogGC: garbage collecting audit log , 2013, CCS.

[38]  Dan Feng,et al.  Evaluation of a Hybrid Approach for Efficient Provenance Storage , 2013, TOS.

[39]  Krzysztof Z. Gajos,et al.  Evaluation of Filesystem Provenance Visualization Tools , 2013, IEEE Transactions on Visualization and Computer Graphics.

[40]  Konrad Rieck,et al.  DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket , 2014, NDSS.

[41]  Michael Chow,et al.  Eidetic Systems , 2014, OSDI.

[42]  Thomas Moyer,et al.  Trustworthy Whole-System Provenance for the Linux Kernel , 2015, USENIX Security Symposium.

[43]  Xiangyu Zhang,et al.  Accurate, Low Cost and Instrumentation-Free Security Audit Logging for Windows , 2015, ACSAC.

[44]  Thomas Moyer,et al.  Take Only What You Need: Leveraging Mandatory Access Control Policy to Reduce Provenance Storage Costs , 2015, TaPP.

[45]  Luo Si,et al.  LEAPS: Detecting Camouflaged Attacks with Statistical Learning Guided by Program Analysis , 2015, 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[46]  Xiangyu Zhang,et al.  ProTracer: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting , 2016, NDSS.

[47]  Fengyuan Xu,et al.  High Fidelity Data Reduction for Big Data Security Dependency Analyses , 2016, CCS.

[48]  Kevin R. B. Butler,et al.  ProvUSB: Block-level Provenance-Based Data Protection for USB Storage Devices , 2016, CCS.