Zebra: Deeply Integrating System-Level Provenance Search and Tracking for Efficient Attack Investigation

11/10/2022
by   Xinyu Yang, et al.
3

System auditing has emerged as a key approach for monitoring system call events and investigating sophisticated attacks. Based on the collected audit logs, research has proposed to search for attack patterns or track the causal dependencies of system events to reveal the attack sequence. However, existing approaches either cannot reveal long-range attack sequences or suffer from the dependency explosion problem due to a lack of focus on attack-relevant parts, and thus are insufficient for investigating complex attacks. To bridge the gap, we propose Zebra, a system that synergistically integrates attack pattern search and causal dependency tracking for efficient attack investigation. With Zebra, security analysts can alternate between search and tracking to reveal the entire attack sequence in a progressive, user-guided manner, while mitigating the dependency explosion problem by prioritizing the attack-relevant parts. To enable this, Zebra provides (1) an expressive and concise domain-specific language, Tstl, for performing various types of search and tracking analyses, and (2) an optimized language execution engine for efficient execution over a big amount of auditing data. Evaluations on a broad set of attack cases demonstrate the effectiveness of Zebra in facilitating a timely attack investigation.

READ FULL TEXT

page 3

page 4

research
06/06/2018

AIQL: Enabling Efficient Attack Investigation from System Monitoring Data

The need for countering Advanced Persistent Threat (APT) attacks has led...
research
10/12/2018

ProPatrol: Attack Investigation via Extracted High-Level Tasks

Kernel audit logs are an invaluable source of information in the forensi...
research
10/26/2020

Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence

Log-based cyber threat hunting has emerged as an important solution to c...
research
10/04/2018

A Query Tool for Efficiently Investigating Risky Software Behaviors

Advanced Persistent Threat (APT) attacks are sophisticated and stealthy,...
research
09/17/2020

New Models for Understanding and Reasoning about Speculative Execution Attacks

Spectre and Meltdown attacks and their variants exploit hardware perform...
research
01/06/2018

SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data

We present an approach and system for real-time reconstruction of attack...

Please sign up or login with your details

Forgot password? Click here to reset