ProPatrol: Attack Investigation via Extracted High-Level Tasks

Milajerdi, Sadegh M.; Eshete, Birhanu; Gjomemo, Rigel; Venkatakrishnan, V.

doi:10.1007/978-3-030-05171-6_6

Cited by 11 publications

(3 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While a number of experimental audit frameworks have incorporated notions of data provenance [27], [31], [76], [98] and taint tracking [45], [29], the bulk of this work is also based on commodity audit frameworks such as Linux Audit. Techniques have also been proposed to efficiently extract threat intelligence from voluminous log data [99], [100], [46], [23], [30], [24], [101], [102], [32], [33], [34], [25], [85], [28], [103], [35], [104], [105]; in this work, we make the use of such techniques applicable to RTS through the design of a system audit framework that is compatible with temporally constrained applications. Our approach to template generation in Ellipsis shares similarities with the notion of execution partitioning of log activity [84], [32], [85], [23], [24], which decomposes long-lived applications into autonomous units of work to reduce false dependencies in forensic investigations.…”

Section: Related Workmentioning

confidence: 99%

“…Not only does this approach take the responsibility of event logging out of the hands of the application developer, it also provides a unified view of system activity in a way that application-specific logging simply cannot. In particular, systems logs can be iteratively parsed into a connected graph based on the shared dependencies of individual events, facilitating causal analysis over the history of events within a system [26], [27], [28], [29], [30], [31], [32], [32], [33], [34], [35]. This capability is invaluable to defenders when tracing suspicious activities [23], [25], [24], to the point that the vast majority of cyber analysts consider audit logs to be the most important resource when investigating threats [22].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Ellipsis: Towards Efficient System Auditing for Real-Time Systems

Bansal¹,

Kandikuppa²,

Chen³

et al. 2022

Preprint

View full text Add to dashboard Cite

System auditing is a powerful tool that provides insight into the nature of suspicious events in computing systems, allowing machine operators to detect and subsequently investigate security incidents. While auditing has proven invaluable to the security of traditional computers, existing audit frameworks are rarely designed with consideration for Real-Time Systems (RTS). The transparency provided by system auditing would be of tremendous benefit in a variety of security-critical RTS domains, (e.g., autonomous vehicles); however, if audit mechanisms are not carefully integrated into RTS, auditing can be rendered ineffectual and violate the real-world temporal requirements of the RTS.In this paper, we demonstrate how to adapt commodity audit frameworks to RTS. Using Linux Audit as a case study, we first demonstrate that the volume of audit events generated by commodity frameworks is unsustainable within the temporal and resource constraints of real-time (RT) applications. To address this, we present Ellipsis, a set of kernel-based reduction techniques that leverage the periodic repetitive nature of RT applications to aggressively reduce the costs of system-level auditing. Ellipsis generates succinct descriptions of RT applications' expected activity while retaining a detailed record of unexpected activities, enabling analysis of suspicious activity while meeting temporal constraints. Our evaluation of Ellipsis, using ArduPilot (an open-source autopilot application suite) demonstrates up to 93% reduction in audit log generation. Ellipsis demonstrates a promising path forward for auditing RTS.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Ellipsis: Towards Efficient System Auditing for Real-Time Systems

Bansal¹,

Kandikuppa²,

Chen³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…The need to aggregate and analyze various data sources has been well researched, including network traffic [18], [19], processes/system events [20], and audit logs [21]. However, the collection of large quantities of data introduces storage and searching challenges, which requires techniques to reduce data quantity and dimensionality, as explored by [22].…”

Section: Related Workmentioning

confidence: 99%

Evaluating the Observability of Network Security Monitoring Strategies With TOMATO

Halvorsen

Waite²,

Hahn

2019

IEEE Access

View full text Add to dashboard Cite

Monitoring systems for malicious behavior increasingly requires aggregating and analyzing data from various sources, such as network flows, host logs, and end-point monitoring platforms. However, there's currently a lack of metrics and methodologies to compute the observability and efficiency of a security monitoring strategy. This manuscript introduces TOMATO (Threat Observability & Monitoring Assessment Tool), which is a platform to evaluate the effectiveness of a security monitoring strategy by exploring both the number of known adversarial techniques that can be detected within a network, along with evaluating the number of false-positives produced by the monitoring strategy. The output produces both an observability score and efficiency score of a set of deployed monitoring techniques, which are evaluated based on the data from the environment, and simulated attacks generated from MITRE ATT&CK. The proposed approach is then integrated into an ELK stack and evaluated on real SCADA devices within the WSU Smart City Testbed.

show abstract