SLEUTH: Real-time A˛ack Scenario Reconstruction from · Md Nahid Hossain, Sadegh M. Milajerdi, Junao Wang, Birhanu Eshete, Rigel Gjomemo, R. Sekar, Sco˛ D. Stoller, and V.N. Venkatakrishnan

Intro. Overview A�ack Detection Scenario Construction Related Work Summary

SLEUTH: Real-time A�ack Scenario Reconstruction from

COTS Audit Data1

Md Nahid Hossain, Sadegh M. Milajerdi, Junao Wang, Birhanu Eshete,

Rigel Gjomemo, R. Sekar, Sco� D. Stoller, and V.N. Venkatakrishnan

Stony Brook University and University of Illinois at Chicago

1This work was primarily supported by DARPA (contract FA8650-15-C-7561) and in part by NSF

(CNS-1319137, CNS-1421893, CNS-1514472 and DGE-1069311) and ONR (N00014-15-1-2208 and

N00014-15-1-2378).

1 / 50

Intro. Overview A�ack Detection Scenario Construction Related Work Summary Context Prior Research Goals

Challenges of Advanced Persistent Threat (APT) Campaigns

APTs combine social engineering (e.g., spearphishing) with advanced exploits

Get past first-line defenses, e.g., ASLR, DEP, and sandboxes

Enterprises forced to rely on second-line defenses

Intrusion detection systems (IDS), Security incident and event management (SIEM), ...

Key challenges

“Needle in a haystack” — spot the minuscule fraction of real a�acks within vast quantities

of data emi�ed by these systems.

“Connecting the dots” — stitch isolated steps together into a larger campaign.

Result: Many APT campaigns remain undetected for months.

2 / 50


Previous Research

A�ack detection: Numerous intrusion detection techniques have been developed.

Real-world use hampered by high false positive rates

Linking a�ack campaign steps: Backtracker [King and Chen] and subsequent works

use dependencies recorded in system logs to stitch together a�acker activities

Forensic tool — does not help analyst to understand ongoing a�acks in real-time.

Result can include many irrelevant events due to explosion of (false)

dependencies.

Fine-grained dependency tracking techniques developed to address this problem, but

have performance and compatibility costs.

3 / 50


Goals and Challenges

Real-time reconstruction of APT campaign from audit logs

Provide compact visual summary of the campaign

Key challenges

Data volume: hundreds of millions to billions per day

“Needle in a haystack” — only a small fraction of these are a�acks, perhaps one in a million

Avoid being swamped in false positives

“Connecting the dots” — link successive steps of an APT campaign

Part of the DARPA Transparent Computing program

Our adversarial evaluation relies on Red Team engagements organized by DARPA.

4 / 50

Intro. Overview A�ack Detection Scenario Construction Related Work Summary System Architecture Motivating Example Adversarial Engagement

Sleuth Architecture and Contributions

Tagged Dependence Graph

Dependence Graph Construction

Tag and Policy-Based Attack Detection

Tag-Based Root-Cause and Impact Analysis

Scenario GraphAlarms

Audit Stream

Audit StreamFreeBSD

Windows

Linux

Audit Stream

Customizable Policies

Space-e�icient in-memory dependence graph representation

E�ective a�ack detection based on trustworthiness and confidentiality tags

Customizable policy framework for tag assignment and propagation

Highly e�ective and e�icient tag-based backward and impact analysis

Experimental evaluation: fast, accurate and compact visual representation of APT campaigns

5 / 50


Illustrative Example

129.55.33.44:80

firefox

/home/bob/crt1.o

A�acker goal: Insert backdoor into a

vendor’s so�ware

Steps:1. Use a browser vulnerability to drop a

malicious version of crt1.o in /home/bob

2. Modify Bob’s .bashrc to redefine sudo

3. Next time Bob uses sudo, it copies

/home/bob/crt1.o to /lib/crt1.o

4. When Alice builds her so�ware, malicious

crt1.o code is included in her executable.

5. When this so�ware is run, it exfiltrates

sensitive data (password file)

6 / 50



129.55.33.44:80

firefox

/home/bob/crt1.o

/home/bob/.bashrc












7 / 50



129.55.33.44:80

firefox

/home/bob/crt1.o

/home/bob/.bashrc

cp

bash

sudo sudo

/lib/crt1.o

apt-get












8 / 50



129.55.33.44:80

firefox

/home/bob/crt1.o

/home/bob/.bashrc

cp

bash

sudo sudo

/lib/crt1.o

ld

apt-get

bash

cc

/home/alice/test.o

/home/alice/test.c

/home/alice/test












9 / 50



129.55.33.44:80

firefox

/home/bob/crt1.o

/home/bob/.bashrc

cp

bash

sudo sudo

/lib/crt1.o

ld

apt-get

bash

cc

/home/alice/test

/home/alice/test.o

/home/alice/test.c

/home/alice/test

EXEC

129.55.33.70:80

/etc/passwd











sensitive data (password file)10 / 50


Adversarial Engagement Overview

Campaign

Length

(hours)

# of

events

Drop

&

load

Gather

intel.

Insert

backdoor

Escalate

privilege

Data

exfil.

Clean-

up

Win-1 06:22 100K X X X X

Win-2 19:43 401K X X X X X

Lin-1 07:59 2.68M X X X X X

Lin-2 79:06 38.5M X X X X X X

Lin-3 79:05 19.3M X X X X X X

Bsd-1 08:17 701K X X

Bsd-2 78:56 5.86M X X X X

Bsd-3 79:04 5.68M X X X

11 / 50

Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives

A�ack Detection Using Provenance Tags

12 / 50


Provenance Tags

Trustworthiness (t-tag)

Benign authentic: Data from strongly authenticated

sources believed to be benign.

Benign: Believed to be benign, but sources not

well-authenticated.

Unknown: No good basis to trust this source.

Code Vs Data Trustworthiness

Processes have two t-tags: code t-tag and data t-tag

Separation (a) aids detection and (b) speeds analysis

by focusing on fewer root causes

Confidentiality (c-tag)

Secret: Highly sensitive, e.g.,

/etc/shadow

Sensitive: Disclosure has

security impact, but less than

disclosed secrets.

Private: Loss may not pose a

direct security threat.

Public: Widely available, e.g., on

public web sites

13 / 50


Provenance Tags





well-authenticated.








/etc/shadow



disclosed secrets.




public web sites

14 / 50


Provenance Tags





well-authenticated.








/etc/shadow



disclosed secrets.




public web sites

15 / 50



Approach: Focus on motive and means

Motive: Does an act advance a�acker’s high-level objectives?

Deploy and run a�acker code

Replace/modify important files, e.g., /etc/passwd, ssh keys, ...

Steal and exfiltrate sensitive data

Means: Can the a�acker control the action?

Is the process performing the action trustworthy?

Benefits

Application-independent

No need for training

Resists a�acker manipulation (assuming provenance isn’t compromised)

16 / 50



Approach: Focus on motive and means

Motive: Does an act advance a�acker’s high-level objectives?

Deploy and run a�acker code

Replace/modify important files, e.g., /etc/passwd, ssh keys, ...

Steal and exfiltrate sensitive data

Means: Can the a�acker control the action?

Is the process performing the action trustworthy?

Benefits

Application-independent

No need for training

Resists a�acker manipulation (assuming provenance isn’t compromised)

17 / 50


A�ack Detection Policies

Untrusted exec (UE): Subject w/ high code

trustworthiness execs lower t-tag object.

Suspicious modification (SM): Subject with

lower code tag modifies higher t-tag file.

Data leak (DL): Untrusted subject writes

confidential data to network.

Untrusted execution preparation (UP):

Memory/file objects with low data

trustworthiness made executable.

18 / 50












129.55.33.44:80

firefox

19 / 50












129.55.33.44:80

firefox

/home/bob/crt1.o

SM: /home/bob/.bashrc

20 / 50












129.55.33.44:80

firefox

/home/bob/crt1.o


cp

bash

sudo sudo

SM: /lib/crt1.o

apt-get

21 / 50












129.55.33.44:80

firefox

/home/bob/crt1.o


cp

bash

sudo sudo

SM: /lib/crt1.o

ld

apt-get

bash

cc

/home/alice/test.o

/home/alice/test.c

UP: /home/alice/test

22 / 50












129.55.33.44:80

firefox

/home/bob/crt1.o


cp

bash

sudo sudo

SM: /lib/crt1.o

ld

apt-get

bash

cc

UE: /home/alice/test

/home/alice/test.o

/home/alice/test.c

UP: /home/alice/test

EXEC

DL: 129.55.33.70:80

/etc/passwd

23 / 50


Flexible Policy Framework

Tag assignment and propagation can be customized using policies.

Policies invoked at trigger points:

object creation, removal, read, write, load, execute, chmod, and chown

Can refer to subject, object and event a�ributes

Tag initialization example:

init(o): match(o.name, "^(file|IP:(10\.0|127))")→ o.�ag = BENIGN_AUTH

init(o) : match(o.name,"^IP:")→ o.�ag = UNKNOWN

Tag propagation:

Default is to propagate tags from input to output

Custom policies created to capture exceptions, e.g., upgrade tag a�er a hash/signature

verification.

24 / 50


A�ack Detection Summary

Data # of Untrusted Suspicious Execution Data

Set Events Execution Modification Preparation Leak

Win-1 0.1M 3 3 0 11

Win-2 0.4M 2 108 0 18

Lin-2 39M 5 1 8 159

Lin-3 19M 5 2 0 5300

Key Point

Almost zero false positives and negatives (except for data leak)

Typically filters out 99.99% to 99.9999% of events

25 / 50


E�ectiveness of Split Trustworthiness Tags

Dataset

Untrusted

Exec

Suspicious

Modification

Untrusted

Exec Prep

Data

Leak

Single Split Single Split Single Split s Single Split

Win-1 21 3 1.2 K 3 0 0 6.1 K 11

Win-2 44 2 3.7 K 108 0 0 20.2 K 18

Lin-1 60 2 53 5 1 1 19 6

Lin-2 1.5 K 5 19.5 K 1 280 8 122 K 159

Lin-3 695 5 26.1 K 2 270 0 62.1 K 5.3 K

Average Reduction 45.39x 517x 6.24x 112x

Key Point

Without separating code and data tags, we will have 5x to 500x more alarms

26 / 50


False Positives in Benign Environment

Untrusted execution (download+execute) plays a critical role in detection

What happens in an environment with legitimate so�ware downloads?

Experiment: Linux servers with automated security updates and manual upgrades

Approach: Use custom policy to upgrade downloaded files before apt-get invokes dpkg

Note: apt-get verifies signatures, so this is safe.

Dataset

# of

Events

Duration

hh:mm:ss

Packages

Updated

Binary

Files

Wri�en

Server 1 2.17M 00:13:06 110 1.8K

Server 2 4.67M 105:08:22 4 4.2K

Server 3 20.9M 104:36:43 4 4.3K

Server 4 5.09M 119:13:29 4 4.3K

No (false) alarms reported.27 / 50

Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance

Tag-Based Backward and Forward Analysis

28 / 50


Backward Analysis

Goal: Identify entry point of an a�ack.

Entry point is a source, i.e., vertex with in-degree zero.

Starting points: Suspect vertices marked by a�ack detectors.

Problem: Find source vertices from which a suspect vertex is reachable.

Complications:

Multiple sources: Suspect vertex is reachable from multiple sources.

Multiple suspect nodes: Typically, many detectors go o� during a�acks, and

numerous vertices end up looking suspicious.

29 / 50


Backward Analysis

Goal: Identify entry point of an a�ack.

Entry point is a source, i.e., vertex with in-degree zero.

Starting points: Suspect vertices marked by a�ack detectors.

Problem: Find source vertices from which a suspect vertex is reachable.

Complications:

Multiple sources: Suspect vertex is reachable from multiple sources.

Multiple suspect nodes: Typically, many detectors go o� during a�acks, and

numerous vertices end up looking suspicious.

30 / 50


Backward Analysis: Key Ideas

Prefer shorter paths over longer ones

Favor paths that avoid redundant edges

Prefer edges corresponding to flow of

untrusted code

and, to a lesser extent, untrusted data

Preference encoded using a custom

edge-weight function to Dijkstra’s

shortest path algorithm

129.55.33.44:80

firefox

/home/bob/crt1.o

/home/bob/.bashrc

cp

bash

sudo sudo

/lib/crt1.o

ld

apt-get

bash

cc


/home/alice/test.o

/home/alice/test.c

/home/alice/test

EXEC

31 / 50






untrusted code





129.55.33.44:80

firefox

/home/bob/crt1.o

/home/bob/.bashrc

cp

bash

sudo sudo

/lib/crt1.o

ld

apt-get

bash

cc


/home/alice/test.o

/home/alice/test.c

/home/alice/test

EXEC

32 / 50






untrusted code





129.55.33.44:80

firefox

/home/bob/crt1.o

/home/bob/.bashrc

cp

bash

sudo sudo

/lib/crt1.o

ld

apt-get

bash

cc


/home/alice/test.o

/home/alice/test.c

/home/alice/test

EXEC

33 / 50






untrusted code





129.55.33.44:80

firefox

/home/bob/crt1.o

/home/bob/.bashrc

cp

bash

sudo sudo

/lib/crt1.o

ld

apt-get

bash

cc


/home/alice/test.o

/home/alice/test.c

/home/alice/test

EXEC

34 / 50






untrusted code





129.55.33.44:80

firefox

/home/bob/crt1.o

/home/bob/.bashrc

cp

bash

sudo sudo

/lib/crt1.o

ld

apt-get

bash

cc


/home/alice/test.o

/home/alice/test.c

/home/alice/test

EXEC

35 / 50






untrusted code





129.55.33.44:80

firefox

/home/bob/crt1.o

/home/bob/.bashrc

cp

bash

sudo sudo

/lib/crt1.o

ld

apt-get

bash

cc


/home/alice/test.o

/home/alice/test.c

/home/alice/test

EXEC

36 / 50






untrusted code





129.55.33.44:80

firefox

/home/bob/crt1.o

/home/bob/.bashrc

cp

bash

sudo sudo

/lib/crt1.o

ld

apt-get

bash

cc


/home/alice/test.o

/home/alice/test.c

/home/alice/test

EXEC

37 / 50






untrusted code





129.55.33.44:80

firefox

/home/bob/crt1.o

/home/bob/.bashrc

cp

bash

sudo sudo

/lib/crt1.o

ld

apt-get

bash

cc


/home/alice/test.o

/home/alice/test.c

/home/alice/test

EXEC

38 / 50


Forward Analysis

Goal: Identify a�ack impact, in terms of all objects/subjects a�ected by the a�ack.

Generate a subgraph of provenance graph that only includes objects and subjects

a�ected by the a�ack.

Starting point: Sources identified by backward analysis

Challenge: Straight-forward dependence analysis may yield a graph with hundreds of

thousands (if not millions) of edges.

39 / 50


Forward Analysis: Key Ideas

Use cost metric to prune o� distant nodes,

i.e., nodes at a distance ≥ dth

Cost metric favors

edges with untrusted codetrustworthiness (cost=0);

and, to a lesser extent, edges with

untrusted data trustworthiness (cost=1)

Define simplifications on output

Prune nodes lacking “interesting”

descendants

Merge “similar” entities

Remove repetitions

129.55.33.44:80

firefox

/home/bob/crt1.o

/home/bob/.bashrc

cp

bash

sudo sudo

/lib/crt1.o

ld

apt-get

bash

cc


/home/alice/test.o

/home/alice/test.c

/home/alice/test

EXEC

129.55.33.70:80

/etc/passwd

40 / 50





Cost metric favors






descendants


Remove repetitions

129.55.33.44:80

firefox

/home/bob/crt1.o

/home/bob/.bashrc

cp

bash

sudo sudo

/lib/crt1.o

ld

apt-get

bash

cc


/home/alice/test.o

/home/alice/test.c

/home/alice/test

EXEC

129.55.33.70:80

/etc/passwd

41 / 50





Cost metric favors






descendants


Remove repetitions

129.55.33.44:80

firefox

/home/bob/crt1.o

/home/bob/.bashrc

cp

bash

sudo

/lib/crt1.o

ld


/home/alice/test

EXEC

129.55.33.70:80

/etc/passwd

42 / 50


Campaign Reconstruction Summary

Campaign

Entry

Points

Programs

Executed

Key Files

Involved

Exit

Points

Correctly

Identified

False

Positives

Missed

Entities

Win-1 2 8 7 3 20 0 0

Win-2 2 8 4 4 18 0 0

Lin-1 2 10 6 2 20 0 0

Lin-2 2 20 11 4 37 0 0

Lin-3 1 6 6 5 18 0 0

Bsd-1 4 13 9 2 13 15 1

Bsd-2 2 10 7 3 22 0 0

Bsd-3 4 14 7 1 26 0 0

Total 19 89 57 24 174 15 1

43 / 50


Generated Graph for Scenario Win-1

mozillanightly

cmd.exe

firefox.exe

mnsend.exe

129.55.12.167:7770

mozillanightly

whoami.exe

C:\\Users\\User1\\Downloads\\firefox\\burnout.bat

photosnap.exe hostname.exe

C:\\Users\\User1\\Downloads\\firefox\\mnsend.exe

129.55.12.167:4430

C:\\Users\\User1\\Downloads\\photosnap.exe

C:\\Users\\User1\\Downloads\\pic.png

C:\\Users\\User1\\Downloads\\firefox\\mozillanightly

129.55.12.167:443

netstat.exe

C:\\Users\\User1\\Downloads\\firefox\\4662.log

C:\\Users\\User1\\Downloads\\mozillanightly

3. fork

5. send

6. send

7. receive8. write

9. fork

10. execute

11. write12. chmod

4. execute15. receive 14. send

13. read

17. receive

16. send

18. fork

19. rm

20. rm

23. execute

22. fork 24. send

27. send

29. fork

30. write 35. read

31. fork

32. write

33. fork

34. write

36. write

47. receive51. send

38. execute37. fork

40. send 39. read

50. rm

46. rm

25. write26. read

28. fork49. rm

48. rm

129.55.12.167:8000

1. receive

2. write

cmd.exe

129.55.12.167:4430

129.55.12.167:443

21. write

44 / 50


Generated Graph for Scenario Bsd-3

/var/dropbear_latest/dropbearFREEBSD.tar

sshd

bash

sudoscp

whoami

date

ps

hostname

ls

3. fork

5. fork

7. fork

4. fork

6. fork

2. fork8. fork

9. fork10.write

bsdtar13. read

/var/dropbear_latest/dropbear/dropbearkey

15.write

/var/dropbear_latest/dropbear/dropbearscript

14.write

/var/dropbear_latest/dropbear/dropbear

16.write

vi18. read17. fork

sh

20. read19. fork

sudodropbearkey 22. fork

23.execute

sudo

25. fork

dropbear

26. fork

27. execute

/usr/local/etc/dropbear/dropbear_rsa_host_key

24. write

28. read

128.55.12.167

1. receive

29.receive

bash

ls

31. fork

30. fork

cat

37. fork

uname

33. fork

bash

39. fork

/usr/home/user/procstat

34. write38. write 32. writescp 40. fork

/usr/home/user/archiver

41. write

ps

35. fork

36. write

archiver43.execute 44. read

42. fork

128.55.12.167:2525

45. send

sudo

11. fork

12. fork

21. fork

45 / 50


Generated Graph for Scenario Lin-2

dropbear

128.55.12.167:39490

/etc/dropbear/dropbear_dss_host_key

sudo

/etc/dropbear/dropbear_rsa_host_key

/var/dropbear_latest/dropbearLINUX/dropbear

/var/dropbear_latest/dropbearLINUX/dropbearkey

128.55.12.167:38510

dropbearkey dropbear

128.55.12.167:38509

/etc/dropbear/dropbear_ecdsa_host_key

128.55.12.167:39335

128.55.12.167:40246

9. fork

13. write

11. write

10. execute

12. write

15. execute

14.fork

18. read17. read

16. read

33. send36. send34. send

37. send

19. fork

35. send

tar

5. write

7. write

6. chmod

8. chmod

3. fork

/var/dropbear_latest/dropbearLINUX.tar

4. read

scp1. fork

2. write

shred

38. fork

41. write

39. write40. write

rm

42. fork

45. rm

43. rm44. rm

/etc/nsswitch 27. read

/etc/shells

26. read

/etc/shadow

25. read

/proc/vmstat

24. read

/etc/localtime28. read

/proc/timer_list

23. read

/proc/sys/kernel/ngroups_max/run/utmp

21. read

/var/log/lastlog

30. write

/run/utmp

32. write/var/log/wtmp

29. write

/dev/ptmx

31. write

/proc/loadavg20. read

/proc/interrupts

22. read

46 / 50


Forward Analysis Selectivity

Campaign

Initial

# of

Events

Final

# of

Events

Reduction Factor

Single

t-tag

Split

t-tag

Sleuth

Simplif.

Total

Win-1 100 K 51 4.4x 1394x 1.4x 1951x

Win-2 401 K 28 3.6x 552x 26x 14352x

Lin-2 38.5 M 130 7.3x 2971x 100x 297100x

Lin-3 19.3 M 45 7.6x 1208x 356x 430048x

Bsd-2 5.86 M 39 1.9x 689x 218x 150202x

Bsd-3 5.68 M 45 6.7x 740x 170x 125800x

Average Reduction 4.68x 1305x 41.8x 54517x

47 / 50


Memory Use and Runtime Performance

Campaign Events Memory Bytes/ Duration Runtime

Usage event (hh:mm:ss) Time Speed-up

Win-1 100K 3 MB 30 06:22:42 1.19 s 19.3 K

Win-2 400K 10 MB 25 19:43:46 2.13 s 33.3 K

Win-Mean 28 26.3 K

Lin-1 2.7M 26 MB 10 07:59:26 8.71 s 3.3 K

Lin-2 38.5M 329 MB 9 79:06:39 114.14s 2.5 K

Lin-3 19.3M 175 MB 9 79:05:13 74.14 s 3.9 K

Lin-Mean 9 3.2 K

48 / 50


Related Work

Intrusion detection: Numerous anomaly & misuse detection techniques developed since 80s.

Sleuth advances: novel use of provenance and policies to obtain application-independent,training-free detection with very low false positive rate.

Alert correlation: Link alarms using statistical [Qin03], graph-based clustering [Wang08, Pei16], a�ack

specifications [Ning03], and so on

In contrast, Sleuth uses provenance tags and policies to obtain accurate, analyst-friendly

scenario descriptions

“Backtracking Intrusions:” Backtracker, Taser, Forensix, ...

Target forensic analysis, assisted by external detectors.

Sleuth targets fully automated, real-time scenario construction with built-in detectors

Tackling dependence explosion: Orthogonal to (and can benefit) Sleuth.

Fine-grained taint-tracking

Forensics-targeted: BEEP, ProTracer, ...

Information flow control: [Biba, Bell-LaPadula, PIP, SPIF, ...]

Goal is to block illegal flow, while minimizing failures.

In contrast, Sleuth needs to distinguish a�acks from benign policy violations.

49 / 50


Summary

Presented techniques that a security analyst can use to understand an ongoing

a�ack campaign, and respond in real-time.

Automatically generated visual representation that

compactly summarizes an ongoing campaign

Experiments show high accuracy and performance for Sleuth

E�ectiveness evaluated using realistic adversarial engagements.

Key point: Given millions of events in an unknown environment,

Sleuth consistently managed to be spot-on, zooming in on the

0.01% or less of the events actually involved in a�acks.

50 / 50

Documents

SLEUTH: Real-time A˛ack Scenario Reconstruction from · Md Nahid Hossain, Sadegh M. Milajerdi, Junao Wang, Birhanu Eshete, Rigel Gjomemo, R. Sekar, Sco˛ D. Stoller, and V.N. Venkatakrishnan