Towards a Timely Causality Analysis for Enterprise Security

Yushan Liu, Mu Zhang, Ding Li, Kangkook Jee, Zhichun Li, Zhenyu Wu, Junghwan Rhee, Prateek Mittal

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

118 Scopus citations

Abstract

The increasingly sophisticated Advanced Persistent Threat (APT) attacks have become a serious challenge for enterprise IT security. Attack causality analysis, which tracks multi-hop causal relationships between files and processes to diagnose attack provenance and consequences, is the first step towards understanding APT attacks and taking appropriate responses. Since attack causality analysis is a time-critical mission, it is essential to design causality tracking systems that extract useful attack information in a timely manner. However, prior work is limited in serving this need. Existing approaches have largely focused on pruning causal dependencies that are totally irrelevant to the attack, but fail to differentiate and prioritize abnormal events among the numerous relevant, yet benign and complicated, system operations, resulting in long investigation times and slow responses. To address this problem, we propose PRIOTRACKER, a backward and forward causality tracker that automatically prioritizes the investigation of abnormal causal dependencies during tracking. Specifically, to assess the priority of a system event, we consider its rareness and its topological features in the causality graph. To distinguish unusual operations from normal system events, we quantify the rareness of each event with a reference model that records common routine activities in corporate computer systems. We implement PRIOTRACKER in 20K lines of Java code, and a reference model builder in 10K lines of Java code. We evaluate our tool by deploying both systems in a real enterprise IT environment, where we collect 1 TB of data (2.5 billion OS events) from 150 machines in one week. Experimental results show that PRIOTRACKER can capture attack traces that are missed by existing trackers and reduce the analysis time by up to two orders of magnitude.
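The prioritized backward/forward tracking the abstract describes, as an added Python example; this is not PRIOTRACKER's code and the paper's exact scoring is not reproduced. The example assumes a reference model keyed on (source, destination, operation) that counts on how many of TOTAL_HOSTS machines the activity was seen during a baseline period, defines rareness as 1 - count/hosts, and discounts an event by the number of new dependencies following it would pull in (fan-in of the source node when tracking backward, fan-out of the destination when tracking forward). The event log is constructed: a phishing-style chain (mail client writes an attachment, Word opens it, spawns PowerShell, which talks to an external host and drops a binary) buried among routine DLL, font and template reads. A plain FIFO tracker is included for comparison under the same investigation budget.

```python
import heapq
import math
from collections import defaultdict
from dataclasses import dataclass

# Added example, not PRIOTRACKER's code. The reference model, the event log and
# the scoring formula are constructed assumptions for illustration only.


@dataclass(frozen=True)
class Event:
    ts: int     # constructed monotonic timestamp
    src: str    # node information flows from (process, file or socket)
    dst: str    # node information flows to
    kind: str   # read / write / fork / connect / recv

    @property
    def sig(self):
        return (self.src, self.dst, self.kind)


TOTAL_HOSTS = 150  # fleet size the reference model was built over (assumption)

# Reference model: number of hosts on which this routine activity was observed
# during the baseline period. Signatures absent from the model were never seen.
REFERENCE_MODEL = {
    ("explorer.exe", "outlook.exe", "fork"): 150,
    ("10.1.1.20:993", "outlook.exe", "recv"): 140,
    ("explorer.exe", "winword.exe", "fork"): 150,
    ("C:/Windows/System32/kernel32.dll", "winword.exe", "read"): 150,
    ("C:/Windows/System32/user32.dll", "winword.exe", "read"): 150,
    ("C:/Windows/Fonts/arial.ttf", "winword.exe", "read"): 150,
    ("C:/ProgramData/Templates/Corp.dotm", "winword.exe", "read"): 120,
    ("svchost.exe", "C:/Windows/Logs/CBS.log", "write"): 150,
}

# Constructed one-host audit log. Events 3, 9, 10, 11, 12, 13 are the attack chain.
EVENTS = [
    Event(1, "explorer.exe", "outlook.exe", "fork"),
    Event(2, "10.1.1.20:993", "outlook.exe", "recv"),
    Event(3, "outlook.exe", "/tmp/invoice.doc", "write"),
    Event(4, "explorer.exe", "winword.exe", "fork"),
    Event(5, "C:/Windows/System32/kernel32.dll", "winword.exe", "read"),
    Event(6, "C:/Windows/System32/user32.dll", "winword.exe", "read"),
    Event(7, "C:/Windows/Fonts/arial.ttf", "winword.exe", "read"),
    Event(8, "C:/ProgramData/Templates/Corp.dotm", "winword.exe", "read"),
    Event(9, "/tmp/invoice.doc", "winword.exe", "read"),
    Event(10, "winword.exe", "powershell.exe", "fork"),
    Event(11, "powershell.exe", "203.0.113.7:443", "connect"),
    Event(12, "203.0.113.7:443", "powershell.exe", "recv"),
    Event(13, "powershell.exe", "/tmp/update.exe", "write"),
    Event(14, "svchost.exe", "C:/Windows/Logs/CBS.log", "write"),  # irrelevant noise
]


def rareness(sig):
    """1.0 = never seen in the fleet, 0.0 = seen on every host (assumed scoring)."""
    return 1.0 - min(REFERENCE_MODEL.get(sig, 0), TOTAL_HOSTS) / TOTAL_HOSTS


def track(events, start, start_ts, direction="backward", prioritized=True, budget=None):
    """Return events in the order an analyst would be shown them.

    direction="backward" walks provenance (events into a node that happened
    before we reached it); "forward" walks consequences. prioritized=False is a
    plain FIFO tracker for comparison. budget caps the number of events
    returned, modelling limited investigation time.
    """
    by_src, by_dst = defaultdict(list), defaultdict(list)
    for i, e in enumerate(events):
        by_src[e.src].append(i)
        by_dst[e.dst].append(i)
    if direction == "backward":
        neighbours = lambda node, t: [i for i in by_dst[node] if events[i].ts < t]
        reached, degree = (lambda e: e.src), (lambda n: len(by_dst[n]))
    else:
        neighbours = lambda node, t: [i for i in by_src[node] if events[i].ts > t]
        reached, degree = (lambda e: e.dst), (lambda n: len(by_src[n]))

    def score(i):
        # Rare events first; the topological term discounts events whose next
        # node would pull in many dependencies (dependency explosion).
        e = events[i]
        return rareness(e.sig) / (1.0 + math.log1p(degree(reached(e))))

    frontier, seen, order = [], set(), []

    def push(node, t):
        for i in sorted(neighbours(node, t), key=lambda i: events[i].ts):
            if i not in seen:
                seen.add(i)
                key = (-score(i), events[i].ts) if prioritized else (len(seen), 0)
                heapq.heappush(frontier, (key, i))

    push(start, start_ts)
    while frontier and (budget is None or len(order) < budget):
        _, i = heapq.heappop(frontier)
        order.append(events[i])
        push(reached(events[i]), events[i].ts)
    return order


def demo(direction="backward", prioritized=True, budget=None):
    """Timestamps of the events shown, starting from the alert on /tmp/update.exe
    (backward, observed at ts 15) or from the dropped attachment (forward)."""
    start, at = ("/tmp/update.exe", 15) if direction == "backward" else ("/tmp/invoice.doc", 2)
    return [e.ts for e in track(EVENTS, start, at, direction, prioritized, budget)]


if __name__ == "__main__":
    print("prioritized, budget 6:", demo("backward", True, 6))
    print("FIFO, budget 6:       ", demo("backward", False, 6))
    print("forward from attachment:", demo("forward"))
```

With a budget of six events, the prioritized walk surfaces the whole attack chain (13, 12, 11, 10, 9, 3) before any benign dependency, whereas the FIFO tracker spends half its budget on Word's routine DLL and font reads and has not yet reached the attachment or the outbound connection. The irrelevant svchost event is never reached by either walker; that is the pruning prior work already does, and the gain here comes from ordering the relevant events.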

Original language: English (US)
Title of host publication: 25th Annual Network and Distributed System Security Symposium, NDSS 2018
Publisher: The Internet Society
ISBN (Electronic): 1891562495, 9781891562495
DOIs
State: Published - 2018
Event: 25th Annual Network and Distributed System Security Symposium, NDSS 2018 - San Diego, United States
Duration: Feb 18 2018 to Feb 21 2018

Publication series

Name: 25th Annual Network and Distributed System Security Symposium, NDSS 2018

Conference

Conference: 25th Annual Network and Distributed System Security Symposium, NDSS 2018
Country/Territory: United States
City: San Diego
Period: 2/18/18 to 2/21/18

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Control and Systems Engineering
  • Safety, Risk, Reliability and Quality
