Practical whole-system provenance capture

Pasquier, Thomas; Han, Xueyuan; Goldstein, Martin; Moyer, Thomas; Eyers, David; Seltzer, Margo; Bacon, Jean

doi:10.1145/3127479.3129249

Cited by 99 publications

(98 citation statements)

References 52 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Hosts that exhibit more diverse behaviors, such as workstations [18], pose a greater challenge for IDS in general. Modern provenance capture systems (e.g., CamFlow) help mitigate this issue as they can separate provenance data based on, e.g., namespaces and control groups [100]. However, we acknowledge that endpoint security for workstations presents extra challenges that UNICORN does not attempt to address in this work, as it was originally designed to protect more stable environments.…”

Section: Discussion and Limitationsmentioning

confidence: 99%

“…Provenance systems construct a single, wholesystem provenance DAG with a partial-order guarantee, which allows for efficient streaming computation ( § IV-B) and fully contextualized analysis ( L2 ). We present UNICORN using CamFlow [100], although it can obtain provenance from other systems, such as LPM [16] and Spade [44], the latter of which interoperates with commodity audit systems such as Linux Audit and Windows ETW. 2 Builds at runtime an in-memory histogram.…”

Section: Designmentioning

confidence: 99%

“…There exist many graph similarity measures, but many approaches (e.g., graph isomorphism) are too restrictive (i.e., require two graphs to be exactly or largely identical) [110], because even normal executions often produce slightly different provenance graphs. Wholesystem provenance graphs can grow large quickly [100], so NP-complete [42], [95] and even polynomial algorithms [71], [122] are too computationally expensive for streaming settings. As we show in the following sections, UNICORN's graph similarity algorithm does not exhibit these problems.…”

Section: A Provenance Graphmentioning

confidence: 99%

“…In the previous section, we show how UNICORN's parameters influence detection performance; this section and the one that follows examine UNICORN's runtime overhead. These sections consider only the CamFlow implementation, which has been shown to produce negligible overhead [100], allowing us to isolate UNICORN's performance characteristics. We use Amazon EC2 i3.2xlarge Linux machines with 8 vCPUs and 61GiB of memory.…”

Section: E Processing Speedmentioning

confidence: 99%

See 3 more Smart Citations

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

Self Cite

119

111

View full text Add to dashboard Cite

Advanced Persistent Threats (APTs) are difficult to detect due to their "low-and-slow" attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomalybased APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without predefined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects reallife APT scenarios with high accuracy.

show abstract

Section: Discussion and Limitationsmentioning

confidence: 99%

Section: Designmentioning

confidence: 99%

Section: A Provenance Graphmentioning

confidence: 99%

Section: E Processing Speedmentioning

confidence: 99%

See 2 more Smart Citations

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

Self Cite

119

111

View full text Add to dashboard Cite

show abstract

“…We built CamQuery on top of the CamFlow provenance capture system [3,79,80], our actively-maintained provenance monitor built as a stackable Linux Security Module (LSM) [69]. Compared to other existing capture techniques [34,72], an LSM-based approach ensures that CamFlow can observe and mediate all information flows between processes and kernel objects [27,31,36,51] (see § 4.2 for further discussion).…”

Section: Capture Mechanismmentioning

confidence: 99%

Runtime Analysis of Whole-System Provenance

Pasquier

Han

Moyer

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

Identifying the root cause and impact of a system intrusion remains a foundational challenge in computer security. Digital provenance provides a detailed history of the flow of information within a computing system, connecting suspicious events to their root causes. Although existing provenance-based auditing techniques provide value in forensic analysis, they assume that such analysis takes place only retrospectively. Such post-hoc analysis is insufficient for realtime security applications; moreover, even for forensic tasks, prior provenance collection systems exhibited poor performance and scalability, jeopardizing the timeliness of query responses.We present CamQuery, which provides inline, realtime provenance analysis, making it suitable for implementing security applications. CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications. We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance. In evaluation, we demonstrate that CamQuery reduces the latency of realtime query mechanisms, while imposing minimal overheads on system execution. CamQuery thus enables the further deployment of provenance-based technologies to address central challenges in computer security. * Part of this work was completed at Harvard University and at the University of Cambridge.

show abstract