Runtime Analysis of Whole-System Provenance

Pasquier, Thomas; Han, Xueyuan; Moyer, Thomas; Bates, Adam; Hermant, Olivier; Eyers, David; Bacon, Jean; Seltzer, Margo

doi:10.1145/3243734.3243776

Cited by 67 publications

(33 citation statements)

References 65 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We use CamFlow [100] as the reference implementation throughout the paper, although there exist other whole-system provenance implementations; in § VI, we show that UNI-CORN works seamlessly with other capture mechanisms as well. CamFlow adopts the Linux Security Modules (LSM) framework [89] to ensure high-quality, reliable recording of information flows among data objects [45], [101]. LSM eliminates race conditions (e.g., TOCTTOU attacks) by placing mediation points inside the kernel instead of at the system call interface [61].…”

Section: B Whole-system Provenancementioning

confidence: 99%

“…1 only on newly-arriving vertices and on vertices whose in-coming neighborhood is affected by new edges. In provenance graphs that use multiple vertices per provenance entity or activity to represent different versions or states of the corresponding object [90], we need to compute/update only the neighborhood of the destination vertex for each new edge, because all incoming edges to a vertex arrive before any outgoing ones [101]. UNICORN takes advantage of this partial ordering to minimize computation ( Fig.…”

Section: Algorithm 1: Graph Histogram Generationmentioning

confidence: 99%

See 1 more Smart Citation

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

Self Cite

119

111

View full text Add to dashboard Cite

Advanced Persistent Threats (APTs) are difficult to detect due to their "low-and-slow" attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomalybased APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without predefined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects reallife APT scenarios with high accuracy.

show abstract

Section: B Whole-system Provenancementioning

confidence: 99%

Section: Algorithm 1: Graph Histogram Generationmentioning

confidence: 99%

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

Self Cite

119

111

View full text Add to dashboard Cite

show abstract

“…Recent studies [22], [44], [50] have used system-call level logs for real-time analytics. SLEUTH [22] presents tag-based techniques for attack detection and in-situ forensics.…”

Section: G Live Experimentsmentioning

confidence: 99%

HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows

Milajerdi

Gjomemo

Eshete

et al. 2019

2019 IEEE Symposium on Security and Privacy (SP)

226

161

View full text Add to dashboard Cite

In this paper, we present HOLMES, a system that implements a new approach to the detection of Advanced and Persistent Threats (APTs). HOLMES is inspired by several case studies of real-world APTs that highlight some common goals of APT actors. In a nutshell, HOLMES aims to produce a detection signal that indicates the presence of a coordinated set of activities that are part of an APT campaign. One of the main challenges addressed by our approach involves developing a suite of techniques that make the detection signal robust and reliable. At a high-level, the techniques we develop effectively leverage the correlation between suspicious information flows that arise during an attacker campaign. In addition to its detection capability, HOLMES is also able to generate a high-level graph that summarizes the attacker's actions in real-time. This graph can be used by an analyst for an effective cyber response. An evaluation of our approach against some real-world APTs indicates that HOLMES can detect APT campaigns with high precision and low false alarm rate. The compact high-level graphs produced by HOLMES effectively summarizes an ongoing attack campaign and can assist real-time cyber-response operations.

show abstract

“…This line of work typically parses system logs into dependency graphs (also known as provenance graphs) that allow to derive insights and scrutinize the causal relationships between events. Several methods have been proposed to automatically recognize security incidents from these graphs [23], [45], [83], [42], [11], [93], [35], [98], [124], to more precisely and accurately reason about the stream of events [67], [75], [65], [74], [5], or to more efficiently process queries to these graphs [71], [29], [30], [54], [55], [96]. Notably, all this work fully trusts the integrity of the logs used as input to their systems.…”

Section: B Data Provenance and Attack Investigationmentioning

confidence: 99%

Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution

Paccagnella

Datta

Hassan

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

System auditing is a central concern when investigating and responding to security incidents. Unfortunately, attackers regularly engage in anti-forensic activities after a breakin, covering their tracks from the system logs in order to frustrate the efforts of investigators. While a variety of tamper-evident logging solutions have appeared throughout the industry and the literature, these techniques do not meet the operational and scalability requirements of system-layer audit frameworks. In this work, we introduce CUSTOS, a practical framework for the detection of tampering in system logs. CUSTOS consists of a tamper-evident logging layer and a decentralized auditing protocol. The former enables the verification of log integrity with minimal changes to the underlying logging framework, while the latter enables near real-time detection of log integrity violations within an enterprise-class network. CUSTOS is made practical by the observation that we can decouple the costs of cryptographic log commitments from the act of creating and storing log events, without trading off security, leveraging features of off-the-shelf trusted execution environments. Supporting over one million events per second, we show that CUSTOS' tamper-evident logging protocol is three orders of magnitude (1000×) faster than prior solutions and incurs only between 2% and 7% runtime overhead over insecure logging on intensive workloads. Further, we show that CUSTOS' auditing protocol can detect violations in near realtime even in the presence of a powerful distributed adversary and with minimal (3%) network overhead. Our case study on a real-world APT attack scenario demonstrates that CUSTOS forces anti-forensic attackers into a "lose-lose" situation, where they can either be covert and not tamper with logs (which can be used for forensics), or erase logs but then be detected by CUSTOS.

show abstract

Runtime Analysis of Whole-System Provenance

Cited by 67 publications

References 65 publications

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows

Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution

Contact Info

Product

Resources

About