Skip to main content
SpringerLink
Log in

ProPatrol: Attack Investigation via Extracted High-Level Tasks

  • Conference paper
  • First Online:
Information Systems Security (ICISS 2018)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11281))

Included in the following conference series:

Abstract

Kernel audit logs are an invaluable source of information in the forensic investigation of a cyber-attack. However, the coarse granularity of dependency information in audit logs leads to the construction of huge attack graphs which contain false or inaccurate dependencies. To overcome this problem, we propose a system, called ProPatrol, which leverages the open compartmentalized design in families of enterprise applications used in security-sensitive contexts (e.g., browser, chat client, email client). To achieve its goal, ProPatrol infers a model for an application’s high-level tasks as input-processing compartments using purely the audit log events generated by that application. The main benefit of this approach is that it does not rely on source code or binary instrumentation, but only on a preliminary and general knowledge of an application’s architecture to bootstrap the analysis. Our experiments with enterprise-level attacks demonstrate that ProPatrol significantly cuts down the forensic investigation effort and quickly pinpoints the root-cause of attacks. ProPatrol incurs less than 2% runtime overhead on a commodity operating system.

The second author performed this work as a postdoctoral associate at the University of Illinois at Chicago.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Multiprocess firefox. https://developer.mozilla.org/en-US/Firefox/Multiprocess_Firefox

  2. Systemtap. https://sourceware.org/systemtap/

  3. Bates, A., Tian, D.J., Butler, K.R., Moyer, T.: Trustworthy whole-system provenance for the Linux kernel. In: 24th USENIX Security Symposium (USENIX Security 2015), pp. 319–334 (2015)

    Google Scholar 

  4. Chow, J., Garfinkel, T., Chen, P.M.: Decoupling dynamic program analysis from execution in virtual environments. In: USENIX 2008 Annual Technical Conference on Annual Technical Conference, pp. 1–14 (2008)

    Google Scholar 

  5. Corporation, M.: Apt1: exposing one of china’s cyber espionage units. Technical report (2013)

    Google Scholar 

  6. Gehani, A., Tariq, D.: SPADE: support for provenance auditing in distributed environments. In: Narasimhan, P., Triantafillou, P. (eds.) Middleware 2012. LNCS, vol. 7662, pp. 101–120. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-35170-9_6

    Chapter  Google Scholar 

  7. Goel, A., Po, K., Farhadi, K., Li, Z., De Lara, E.: The taser intrusion recovery system. In: ACM SIGOPS Operating Systems Review, vol. 39, pp. 163–176. ACM (2005)

    Google Scholar 

  8. Hassan, W.U., Lemay, M., Aguse, N., Bates, A., Moyer, T.: Towards scalable cluster auditing through grammatical inference over provenance graphs. In: Network and Distributed Systems Security Symposium (2018)

    Google Scholar 

  9. Hossain, M.N., et al.: SLEUTH: real-time attack scenario reconstruction from COTS audit data. In: 26th USENIX Security Symposium (USENIX Security 2017), pp. 487–504. USENIX Association, Vancouver (2017)

    Google Scholar 

  10. Hossain, M.N., Wang, J., Sekar, R., Stoller, S.D.: Dependence-preserving data compaction for scalable forensic analysis. In: 27th USENIX Security Symposium (USENIX Security 18), pp. 1723–1740. USENIX Association, Baltimore (2018)

    Google Scholar 

  11. Ji, Y., et al.: Rain: refinable attack investigation with on-demand inter-process information flow tracking. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 377–390. ACM (2017)

    Google Scholar 

  12. Johns, M., Winter, J.: Protecting the intranet against “JavaScript Malware” and related attacks. In: M. Hämmerli, B., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579, pp. 40–59. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73614-1_3

    Chapter  Google Scholar 

  13. Keizer, G.: Enterprises to get locked-down Windows 10 in six months. https://www.computerworld.com/article/3232749/microsoft-windows/enterprises-to-get-locked-down-windows-10-in-six-months.html. Accessed 08 Oct 2018

  14. Kemerlis, V.P., Portokalidis, G., Jee, K., Keromytis, A.D.: libdft: practical dynamic data flow tracking for commodity systems. ACM SIGPLAN Not. 47, 121–132 (2012)

    Article  Google Scholar 

  15. King, S.T., Chen, P.M.: Backtracking intrusions. ACM SIGOPS Oper. Syst. Rev. 37, 223–236 (2003)

    Article  Google Scholar 

  16. King, S.T., Mao, Z.M., Lucchetti, D.G., Chen, P.M.: Enriching intrusion alerts through multi-host causality. In: NDSS (2005)

    Google Scholar 

  17. Kwon, Y., et al.: MCI: modeling-based causality inference in audit logging for attack investigation. In: Proceedings of the 25th Network and Distributed System Security Symposium (NDSS) (2018)

    Google Scholar 

  18. Lee, K.H., Zhang, X., Xu, D.: High accuracy attack provenance via binary-based execution partition. In: NDSS (2013)

    Google Scholar 

  19. Lee, K.H., Zhang, X., Xu, D.: Loggc: garbage collecting audit log. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 1005–1016. ACM (2013)

    Google Scholar 

  20. Ma, S., Zhai, J., Wang, F., Lee, K.H., Zhang, X., Xu, D.: MPI: multiple perspective attack investigation with semantics aware execution partitioning. In: USENIX Security (2017)

    Google Scholar 

  21. Ma, S., Zhang, X., Xu, D.: Protracer: towards practical provenance tracing by alternating between logging and tainting (2016)

    Google Scholar 

  22. Mathew, S.J.: Social engineering leads apt attack vectors. http://www.darkreading.com/vulnerabilities-and-threats/social-engineering-leads-apt-attack-vectors/d/d-id/1100142?

  23. Milajerdi, S.M., Gjomemo, R., Eshete, B., Sekar, R., Venkatakrishnan, V.: HOLMES: real-time APT detection through correlation of suspicious information flows. In: Proceedings of the IEEE Symposium on Security and Privacy. IEEE (2019)

    Google Scholar 

  24. Ming, J., Wu, D., Wang, J., Xiao, G., Liu, P.: Straight taint: decoupled offline symbolic taint analysis. In: Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering, pp. 308–319. ACM (2016)

    Google Scholar 

  25. Muniswamy-Reddy, K.K., Holland, D.A., Braun, U., Seltzer, M.I.: Provenance-aware storage systems. In: USENIX Annual Technical Conference, General Track, pp. 43–56 (2006)

    Google Scholar 

  26. Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software (2005)

    Google Scholar 

  27. Pohly, D.J., McLaughlin, S., McDaniel, P., Butler, K.: Hi-fi: collecting high-fidelity whole-system provenance. In: Proceedings of the 28th Annual Computer Security Applications Conference, pp. 259–268. ACM (2012)

    Google Scholar 

  28. Sar, C., Cao, P.: Lineage file system. http://crypto.stanford.edu/cao/lineage.html (2005)

  29. Suh, G.E., Lee, J.W., Zhang, D., Devadas, S.: Secure program execution via dynamic information flow tracking. ACM Sigplan Not. 39, 85–96 (2004)

    Article  Google Scholar 

  30. Team, T.C.: Chromium Project Process Model. https://www.chromium.org/developers/design-documents/process-models. Accessed 05 Oct 2018

  31. Xu, W., Bhatkar, S., Sekar, R.: Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks. In: USENIX Security, pp. 121–136 (2006)

    Google Scholar 

  32. Xu, Z., et al.: High fidelity data reduction for big data security dependency analyses. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 504–516. ACM (2016)

    Google Scholar 

  33. Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: capturing system-wide information flow for malware detection and analysis. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 116–127. ACM (2007)

    Google Scholar 

Download references

Acknowledgements

This work was primarily supported by DARPA (under AFOSR contract FA8650-15-C-7561) and in part by SPAWAR (N6600118C4035), and NSF (CNS-1514472, and DGE-1069311). The views, opinions, and/or findings expressed are those of the authors and should not be interpreted as representing the official views or policies of the Department of Defense, National Science Foundation or the U.S. Government.

Author information

Authors and Affiliations

  1. University of Illinois at Chicago, Chicago, IL, 60607, USA

    Sadegh M. Milajerdi, Rigel Gjomemo & Venkat N. Venkatakrishnan

  2. University of Michigan-Dearborn, Dearborn, MI, 48128, USA

    Birhanu Eshete

Authors
  1. Sadegh M. Milajerdi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Birhanu Eshete
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Rigel Gjomemo
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Venkat N. Venkatakrishnan
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Sadegh M. Milajerdi .

Editor information

Editors and Affiliations

  1. Indian Institute of Science, Bangalore, India

    Vinod Ganapathy

  2. Pennsylvania State University, University Park, PA, USA

    Trent Jaeger

  3. Indian Institute of Technology Bombay, Mumbai, India

    R.K. Shyamasundar

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

M. Milajerdi, S., Eshete, B., Gjomemo, R., Venkatakrishnan, V.N. (2018). ProPatrol: Attack Investigation via Extracted High-Level Tasks. In: Ganapathy, V., Jaeger, T., Shyamasundar, R. (eds) Information Systems Security. ICISS 2018. Lecture Notes in Computer Science(), vol 11281. Springer, Cham. https://doi.org/10.1007/978-3-030-05171-6_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-05171-6_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-05170-9

  • Online ISBN: 978-3-030-05171-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation