TY - GEN
T1 - Towards a Timely Causality Analysis for Enterprise Security
AU - Liu, Yushan
AU - Zhang, Mu
AU - Li, Ding
AU - Jee, Kangkook
AU - Li, Zhichun
AU - Wu, Zhenyu
AU - Rhee, Junghwan
AU - Mittal, Prateek
N1 - Publisher Copyright:
© 2018 25th Annual Network and Distributed System Security Symposium, NDSS 2018. All Rights Reserved.
PY - 2018
Y1 - 2018
N2 - The increasingly sophisticated Advanced Persistent Threat (APT) attacks have become a serious challenge for enterprise IT security. Attack causality analysis, which tracks multi-hop causal relationships between files and processes to diagnose attack provenances and consequences, is the first step towards understanding APT attacks and taking appropriate responses. Since attack causality analysis is a time-critical mission, it is essential to design causality tracking systems that extract useful attack information in a timely manner. However, prior work is limited in serving this need. Existing approaches have largely focused on pruning causal dependencies totally irrelevant to the attack, but fail to differentiate and prioritize abnormal events from numerous relevant, yet benign and complicated system operations, resulting in long investigation time and slow responses. To address this problem, we propose PRIOTRACKER, a backward and forward causality tracker that automatically prioritizes the investigation of abnormal causal dependencies in the tracking process. Specifically, to assess the priority of a system event, we consider its rareness and topological features in the causality graph. To distinguish unusual operations from normal system events, we quantify the rareness of each event by developing a reference model which records common routine activities in corporate computer systems. We implement PRIOTRACKER, in 20K lines of Java code, and a reference model builder in 10K lines of Java code. We evaluate our tool by deploying both systems in a real enterprise IT environment, where we collect 1TB of 2.5 billion OS events from 150 machines in one week. Experimental results show that PRIOTRACKER can capture attack traces that are missed by existing trackers and reduce the analysis time by up to two orders of magnitude.
AB - The increasingly sophisticated Advanced Persistent Threat (APT) attacks have become a serious challenge for enterprise IT security. Attack causality analysis, which tracks multi-hop causal relationships between files and processes to diagnose attack provenances and consequences, is the first step towards understanding APT attacks and taking appropriate responses. Since attack causality analysis is a time-critical mission, it is essential to design causality tracking systems that extract useful attack information in a timely manner. However, prior work is limited in serving this need. Existing approaches have largely focused on pruning causal dependencies totally irrelevant to the attack, but fail to differentiate and prioritize abnormal events from numerous relevant, yet benign and complicated system operations, resulting in long investigation time and slow responses. To address this problem, we propose PRIOTRACKER, a backward and forward causality tracker that automatically prioritizes the investigation of abnormal causal dependencies in the tracking process. Specifically, to assess the priority of a system event, we consider its rareness and topological features in the causality graph. To distinguish unusual operations from normal system events, we quantify the rareness of each event by developing a reference model which records common routine activities in corporate computer systems. We implement PRIOTRACKER, in 20K lines of Java code, and a reference model builder in 10K lines of Java code. We evaluate our tool by deploying both systems in a real enterprise IT environment, where we collect 1TB of 2.5 billion OS events from 150 machines in one week. Experimental results show that PRIOTRACKER can capture attack traces that are missed by existing trackers and reduce the analysis time by up to two orders of magnitude.
UR - http://www.scopus.com/inward/record.url?scp=85180401295&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85180401295&partnerID=8YFLogxK
U2 - 10.14722/ndss.2018.23254
DO - 10.14722/ndss.2018.23254
M3 - Conference contribution
AN - SCOPUS:85180401295
T3 - 25th Annual Network and Distributed System Security Symposium, NDSS 2018
BT - 25th Annual Network and Distributed System Security Symposium, NDSS 2018
PB - The Internet Society
T2 - 25th Annual Network and Distributed System Security Symposium, NDSS 2018
Y2 - 18 February 2018 through 21 February 2018
ER -