Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
Intro. Overview A�ack Detection Scenario Construction Related Work Summary
SLEUTH: Real-time A�ack Scenario Reconstruction from
COTS Audit Data1
Md Nahid Hossain, Sadegh M. Milajerdi, Junao Wang, Birhanu Eshete,
Rigel Gjomemo, R. Sekar, Sco� D. Stoller, and V.N. Venkatakrishnan
Stony Brook University and University of Illinois at Chicago
1This work was primarily supported by DARPA (contract FA8650-15-C-7561) and in part by NSF
(CNS-1319137, CNS-1421893, CNS-1514472 and DGE-1069311) and ONR (N00014-15-1-2208 and
N00014-15-1-2378).
1 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Context Prior Research Goals
Challenges of Advanced Persistent Threat (APT) Campaigns
APTs combine social engineering (e.g., spearphishing) with advanced exploits
Get past first-line defenses, e.g., ASLR, DEP, and sandboxes
Enterprises forced to rely on second-line defenses
Intrusion detection systems (IDS), Security incident and event management (SIEM), ...
Key challenges
“Needle in a haystack” — spot the minuscule fraction of real a�acks within vast quantities
of data emi�ed by these systems.
“Connecting the dots” — stitch isolated steps together into a larger campaign.
Result: Many APT campaigns remain undetected for months.
2 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Context Prior Research Goals
Previous Research
A�ack detection: Numerous intrusion detection techniques have been developed.
Real-world use hampered by high false positive rates
Linking a�ack campaign steps: Backtracker [King and Chen] and subsequent works
use dependencies recorded in system logs to stitch together a�acker activities
Forensic tool — does not help analyst to understand ongoing a�acks in real-time.
Result can include many irrelevant events due to explosion of (false)
dependencies.
Fine-grained dependency tracking techniques developed to address this problem, but
have performance and compatibility costs.
3 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Context Prior Research Goals
Goals and Challenges
Real-time reconstruction of APT campaign from audit logs
Provide compact visual summary of the campaign
Key challenges
Data volume: hundreds of millions to billions per day
“Needle in a haystack” — only a small fraction of these are a�acks, perhaps one in a million
Avoid being swamped in false positives
“Connecting the dots” — link successive steps of an APT campaign
Part of the DARPA Transparent Computing program
Our adversarial evaluation relies on Red Team engagements organized by DARPA.
4 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary System Architecture Motivating Example Adversarial Engagement
Sleuth Architecture and Contributions
Tagged Dependence Graph
Dependence Graph Construction
Tag and Policy-Based Attack Detection
Tag-Based Root-Cause and Impact Analysis
Scenario GraphAlarms
Audit Stream
Audit StreamFreeBSD
Windows
Linux
Audit Stream
Customizable Policies
Space-e�icient in-memory dependence graph representation
E�ective a�ack detection based on trustworthiness and confidentiality tags
Customizable policy framework for tag assignment and propagation
Highly e�ective and e�icient tag-based backward and impact analysis
Experimental evaluation: fast, accurate and compact visual representation of APT campaigns
5 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary System Architecture Motivating Example Adversarial Engagement
Illustrative Example
129.55.33.44:80
firefox
/home/bob/crt1.o
A�acker goal: Insert backdoor into a
vendor’s so�ware
Steps:1. Use a browser vulnerability to drop a
malicious version of crt1.o in /home/bob
2. Modify Bob’s .bashrc to redefine sudo
3. Next time Bob uses sudo, it copies
/home/bob/crt1.o to /lib/crt1.o
4. When Alice builds her so�ware, malicious
crt1.o code is included in her executable.
5. When this so�ware is run, it exfiltrates
sensitive data (password file)
6 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary System Architecture Motivating Example Adversarial Engagement
Illustrative Example
129.55.33.44:80
firefox
/home/bob/crt1.o
/home/bob/.bashrc
A�acker goal: Insert backdoor into a
vendor’s so�ware
Steps:1. Use a browser vulnerability to drop a
malicious version of crt1.o in /home/bob
2. Modify Bob’s .bashrc to redefine sudo
3. Next time Bob uses sudo, it copies
/home/bob/crt1.o to /lib/crt1.o
4. When Alice builds her so�ware, malicious
crt1.o code is included in her executable.
5. When this so�ware is run, it exfiltrates
sensitive data (password file)
7 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary System Architecture Motivating Example Adversarial Engagement
Illustrative Example
129.55.33.44:80
firefox
/home/bob/crt1.o
/home/bob/.bashrc
cp
bash
sudo sudo
/lib/crt1.o
apt-get
A�acker goal: Insert backdoor into a
vendor’s so�ware
Steps:1. Use a browser vulnerability to drop a
malicious version of crt1.o in /home/bob
2. Modify Bob’s .bashrc to redefine sudo
3. Next time Bob uses sudo, it copies
/home/bob/crt1.o to /lib/crt1.o
4. When Alice builds her so�ware, malicious
crt1.o code is included in her executable.
5. When this so�ware is run, it exfiltrates
sensitive data (password file)
8 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary System Architecture Motivating Example Adversarial Engagement
Illustrative Example
129.55.33.44:80
firefox
/home/bob/crt1.o
/home/bob/.bashrc
cp
bash
sudo sudo
/lib/crt1.o
ld
apt-get
bash
cc
/home/alice/test.o
/home/alice/test.c
/home/alice/test
A�acker goal: Insert backdoor into a
vendor’s so�ware
Steps:1. Use a browser vulnerability to drop a
malicious version of crt1.o in /home/bob
2. Modify Bob’s .bashrc to redefine sudo
3. Next time Bob uses sudo, it copies
/home/bob/crt1.o to /lib/crt1.o
4. When Alice builds her so�ware, malicious
crt1.o code is included in her executable.
5. When this so�ware is run, it exfiltrates
sensitive data (password file)
9 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary System Architecture Motivating Example Adversarial Engagement
Illustrative Example
129.55.33.44:80
firefox
/home/bob/crt1.o
/home/bob/.bashrc
cp
bash
sudo sudo
/lib/crt1.o
ld
apt-get
bash
cc
/home/alice/test
/home/alice/test.o
/home/alice/test.c
/home/alice/test
EXEC
129.55.33.70:80
/etc/passwd
A�acker goal: Insert backdoor into a
vendor’s so�ware
Steps:1. Use a browser vulnerability to drop a
malicious version of crt1.o in /home/bob
2. Modify Bob’s .bashrc to redefine sudo
3. Next time Bob uses sudo, it copies
/home/bob/crt1.o to /lib/crt1.o
4. When Alice builds her so�ware, malicious
crt1.o code is included in her executable.
5. When this so�ware is run, it exfiltrates
sensitive data (password file)10 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary System Architecture Motivating Example Adversarial Engagement
Adversarial Engagement Overview
Campaign
Length
(hours)
# of
events
Drop
&
load
Gather
intel.
Insert
backdoor
Escalate
privilege
Data
exfil.
Clean-
up
Win-1 06:22 100K X X X X
Win-2 19:43 401K X X X X X
Lin-1 07:59 2.68M X X X X X
Lin-2 79:06 38.5M X X X X X X
Lin-3 79:05 19.3M X X X X X X
Bsd-1 08:17 701K X X
Bsd-2 78:56 5.86M X X X X
Bsd-3 79:04 5.68M X X X
11 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives
A�ack Detection Using Provenance Tags
12 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives
Provenance Tags
Trustworthiness (t-tag)
Benign authentic: Data from strongly authenticated
sources believed to be benign.
Benign: Believed to be benign, but sources not
well-authenticated.
Unknown: No good basis to trust this source.
Code Vs Data Trustworthiness
Processes have two t-tags: code t-tag and data t-tag
Separation (a) aids detection and (b) speeds analysis
by focusing on fewer root causes
Confidentiality (c-tag)
Secret: Highly sensitive, e.g.,
/etc/shadow
Sensitive: Disclosure has
security impact, but less than
disclosed secrets.
Private: Loss may not pose a
direct security threat.
Public: Widely available, e.g., on
public web sites
13 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives
Provenance Tags
Trustworthiness (t-tag)
Benign authentic: Data from strongly authenticated
sources believed to be benign.
Benign: Believed to be benign, but sources not
well-authenticated.
Unknown: No good basis to trust this source.
Code Vs Data Trustworthiness
Processes have two t-tags: code t-tag and data t-tag
Separation (a) aids detection and (b) speeds analysis
by focusing on fewer root causes
Confidentiality (c-tag)
Secret: Highly sensitive, e.g.,
/etc/shadow
Sensitive: Disclosure has
security impact, but less than
disclosed secrets.
Private: Loss may not pose a
direct security threat.
Public: Widely available, e.g., on
public web sites
14 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives
Provenance Tags
Trustworthiness (t-tag)
Benign authentic: Data from strongly authenticated
sources believed to be benign.
Benign: Believed to be benign, but sources not
well-authenticated.
Unknown: No good basis to trust this source.
Code Vs Data Trustworthiness
Processes have two t-tags: code t-tag and data t-tag
Separation (a) aids detection and (b) speeds analysis
by focusing on fewer root causes
Confidentiality (c-tag)
Secret: Highly sensitive, e.g.,
/etc/shadow
Sensitive: Disclosure has
security impact, but less than
disclosed secrets.
Private: Loss may not pose a
direct security threat.
Public: Widely available, e.g., on
public web sites
15 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives
A�ack Detection Using Provenance Tags
Approach: Focus on motive and means
Motive: Does an act advance a�acker’s high-level objectives?
Deploy and run a�acker code
Replace/modify important files, e.g., /etc/passwd, ssh keys, ...
Steal and exfiltrate sensitive data
Means: Can the a�acker control the action?
Is the process performing the action trustworthy?
Benefits
Application-independent
No need for training
Resists a�acker manipulation (assuming provenance isn’t compromised)
16 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives
A�ack Detection Using Provenance Tags
Approach: Focus on motive and means
Motive: Does an act advance a�acker’s high-level objectives?
Deploy and run a�acker code
Replace/modify important files, e.g., /etc/passwd, ssh keys, ...
Steal and exfiltrate sensitive data
Means: Can the a�acker control the action?
Is the process performing the action trustworthy?
Benefits
Application-independent
No need for training
Resists a�acker manipulation (assuming provenance isn’t compromised)
17 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives
A�ack Detection Policies
Untrusted exec (UE): Subject w/ high code
trustworthiness execs lower t-tag object.
Suspicious modification (SM): Subject with
lower code tag modifies higher t-tag file.
Data leak (DL): Untrusted subject writes
confidential data to network.
Untrusted execution preparation (UP):
Memory/file objects with low data
trustworthiness made executable.
18 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives
A�ack Detection Policies
Untrusted exec (UE): Subject w/ high code
trustworthiness execs lower t-tag object.
Suspicious modification (SM): Subject with
lower code tag modifies higher t-tag file.
Data leak (DL): Untrusted subject writes
confidential data to network.
Untrusted execution preparation (UP):
Memory/file objects with low data
trustworthiness made executable.
129.55.33.44:80
firefox
19 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives
A�ack Detection Policies
Untrusted exec (UE): Subject w/ high code
trustworthiness execs lower t-tag object.
Suspicious modification (SM): Subject with
lower code tag modifies higher t-tag file.
Data leak (DL): Untrusted subject writes
confidential data to network.
Untrusted execution preparation (UP):
Memory/file objects with low data
trustworthiness made executable.
129.55.33.44:80
firefox
/home/bob/crt1.o
SM: /home/bob/.bashrc
20 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives
A�ack Detection Policies
Untrusted exec (UE): Subject w/ high code
trustworthiness execs lower t-tag object.
Suspicious modification (SM): Subject with
lower code tag modifies higher t-tag file.
Data leak (DL): Untrusted subject writes
confidential data to network.
Untrusted execution preparation (UP):
Memory/file objects with low data
trustworthiness made executable.
129.55.33.44:80
firefox
/home/bob/crt1.o
SM: /home/bob/.bashrc
cp
bash
sudo sudo
SM: /lib/crt1.o
apt-get
21 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives
A�ack Detection Policies
Untrusted exec (UE): Subject w/ high code
trustworthiness execs lower t-tag object.
Suspicious modification (SM): Subject with
lower code tag modifies higher t-tag file.
Data leak (DL): Untrusted subject writes
confidential data to network.
Untrusted execution preparation (UP):
Memory/file objects with low data
trustworthiness made executable.
129.55.33.44:80
firefox
/home/bob/crt1.o
SM: /home/bob/.bashrc
cp
bash
sudo sudo
SM: /lib/crt1.o
ld
apt-get
bash
cc
/home/alice/test.o
/home/alice/test.c
UP: /home/alice/test
22 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives
A�ack Detection Policies
Untrusted exec (UE): Subject w/ high code
trustworthiness execs lower t-tag object.
Suspicious modification (SM): Subject with
lower code tag modifies higher t-tag file.
Data leak (DL): Untrusted subject writes
confidential data to network.
Untrusted execution preparation (UP):
Memory/file objects with low data
trustworthiness made executable.
129.55.33.44:80
firefox
/home/bob/crt1.o
SM: /home/bob/.bashrc
cp
bash
sudo sudo
SM: /lib/crt1.o
ld
apt-get
bash
cc
UE: /home/alice/test
/home/alice/test.o
/home/alice/test.c
UP: /home/alice/test
EXEC
DL: 129.55.33.70:80
/etc/passwd
23 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives
Flexible Policy Framework
Tag assignment and propagation can be customized using policies.
Policies invoked at trigger points:
object creation, removal, read, write, load, execute, chmod, and chown
Can refer to subject, object and event a�ributes
Tag initialization example:
init(o): match(o.name, "^(file|IP:(10\.0|127))")→ o.�ag = BENIGN_AUTH
init(o) : match(o.name,"^IP:")→ o.�ag = UNKNOWN
Tag propagation:
Default is to propagate tags from input to output
Custom policies created to capture exceptions, e.g., upgrade tag a�er a hash/signature
verification.
24 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives
A�ack Detection Summary
Data # of Untrusted Suspicious Execution Data
Set Events Execution Modification Preparation Leak
Win-1 0.1M 3 3 0 11
Win-2 0.4M 2 108 0 18
Lin-2 39M 5 1 8 159
Lin-3 19M 5 2 0 5300
Key Point
Almost zero false positives and negatives (except for data leak)
Typically filters out 99.99% to 99.9999% of events
25 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives
E�ectiveness of Split Trustworthiness Tags
Dataset
Untrusted
Exec
Suspicious
Modification
Untrusted
Exec Prep
Data
Leak
Single Split Single Split Single Split s Single Split
Win-1 21 3 1.2 K 3 0 0 6.1 K 11
Win-2 44 2 3.7 K 108 0 0 20.2 K 18
Lin-1 60 2 53 5 1 1 19 6
Lin-2 1.5 K 5 19.5 K 1 280 8 122 K 159
Lin-3 695 5 26.1 K 2 270 0 62.1 K 5.3 K
Average Reduction 45.39x 517x 6.24x 112x
Key Point
Without separating code and data tags, we will have 5x to 500x more alarms
26 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Tags Rationale Policies Policy Framework Detection Performance False Positives
False Positives in Benign Environment
Untrusted execution (download+execute) plays a critical role in detection
What happens in an environment with legitimate so�ware downloads?
Experiment: Linux servers with automated security updates and manual upgrades
Approach: Use custom policy to upgrade downloaded files before apt-get invokes dpkg
Note: apt-get verifies signatures, so this is safe.
Dataset
# of
Events
Duration
hh:mm:ss
Packages
Updated
Binary
Files
Wri�en
Server 1 2.17M 00:13:06 110 1.8K
Server 2 4.67M 105:08:22 4 4.2K
Server 3 20.9M 104:36:43 4 4.3K
Server 4 5.09M 119:13:29 4 4.3K
No (false) alarms reported.27 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Tag-Based Backward and Forward Analysis
28 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Backward Analysis
Goal: Identify entry point of an a�ack.
Entry point is a source, i.e., vertex with in-degree zero.
Starting points: Suspect vertices marked by a�ack detectors.
Problem: Find source vertices from which a suspect vertex is reachable.
Complications:
Multiple sources: Suspect vertex is reachable from multiple sources.
Multiple suspect nodes: Typically, many detectors go o� during a�acks, and
numerous vertices end up looking suspicious.
29 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Backward Analysis
Goal: Identify entry point of an a�ack.
Entry point is a source, i.e., vertex with in-degree zero.
Starting points: Suspect vertices marked by a�ack detectors.
Problem: Find source vertices from which a suspect vertex is reachable.
Complications:
Multiple sources: Suspect vertex is reachable from multiple sources.
Multiple suspect nodes: Typically, many detectors go o� during a�acks, and
numerous vertices end up looking suspicious.
30 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Backward Analysis: Key Ideas
Prefer shorter paths over longer ones
Favor paths that avoid redundant edges
Prefer edges corresponding to flow of
untrusted code
and, to a lesser extent, untrusted data
Preference encoded using a custom
edge-weight function to Dijkstra’s
shortest path algorithm
129.55.33.44:80
firefox
/home/bob/crt1.o
/home/bob/.bashrc
cp
bash
sudo sudo
/lib/crt1.o
ld
apt-get
bash
cc
UE: /home/alice/test
/home/alice/test.o
/home/alice/test.c
/home/alice/test
EXEC
31 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Backward Analysis: Key Ideas
Prefer shorter paths over longer ones
Favor paths that avoid redundant edges
Prefer edges corresponding to flow of
untrusted code
and, to a lesser extent, untrusted data
Preference encoded using a custom
edge-weight function to Dijkstra’s
shortest path algorithm
129.55.33.44:80
firefox
/home/bob/crt1.o
/home/bob/.bashrc
cp
bash
sudo sudo
/lib/crt1.o
ld
apt-get
bash
cc
UE: /home/alice/test
/home/alice/test.o
/home/alice/test.c
/home/alice/test
EXEC
32 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Backward Analysis: Key Ideas
Prefer shorter paths over longer ones
Favor paths that avoid redundant edges
Prefer edges corresponding to flow of
untrusted code
and, to a lesser extent, untrusted data
Preference encoded using a custom
edge-weight function to Dijkstra’s
shortest path algorithm
129.55.33.44:80
firefox
/home/bob/crt1.o
/home/bob/.bashrc
cp
bash
sudo sudo
/lib/crt1.o
ld
apt-get
bash
cc
UE: /home/alice/test
/home/alice/test.o
/home/alice/test.c
/home/alice/test
EXEC
33 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Backward Analysis: Key Ideas
Prefer shorter paths over longer ones
Favor paths that avoid redundant edges
Prefer edges corresponding to flow of
untrusted code
and, to a lesser extent, untrusted data
Preference encoded using a custom
edge-weight function to Dijkstra’s
shortest path algorithm
129.55.33.44:80
firefox
/home/bob/crt1.o
/home/bob/.bashrc
cp
bash
sudo sudo
/lib/crt1.o
ld
apt-get
bash
cc
UE: /home/alice/test
/home/alice/test.o
/home/alice/test.c
/home/alice/test
EXEC
34 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Backward Analysis: Key Ideas
Prefer shorter paths over longer ones
Favor paths that avoid redundant edges
Prefer edges corresponding to flow of
untrusted code
and, to a lesser extent, untrusted data
Preference encoded using a custom
edge-weight function to Dijkstra’s
shortest path algorithm
129.55.33.44:80
firefox
/home/bob/crt1.o
/home/bob/.bashrc
cp
bash
sudo sudo
/lib/crt1.o
ld
apt-get
bash
cc
UE: /home/alice/test
/home/alice/test.o
/home/alice/test.c
/home/alice/test
EXEC
35 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Backward Analysis: Key Ideas
Prefer shorter paths over longer ones
Favor paths that avoid redundant edges
Prefer edges corresponding to flow of
untrusted code
and, to a lesser extent, untrusted data
Preference encoded using a custom
edge-weight function to Dijkstra’s
shortest path algorithm
129.55.33.44:80
firefox
/home/bob/crt1.o
/home/bob/.bashrc
cp
bash
sudo sudo
/lib/crt1.o
ld
apt-get
bash
cc
UE: /home/alice/test
/home/alice/test.o
/home/alice/test.c
/home/alice/test
EXEC
36 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Backward Analysis: Key Ideas
Prefer shorter paths over longer ones
Favor paths that avoid redundant edges
Prefer edges corresponding to flow of
untrusted code
and, to a lesser extent, untrusted data
Preference encoded using a custom
edge-weight function to Dijkstra’s
shortest path algorithm
129.55.33.44:80
firefox
/home/bob/crt1.o
/home/bob/.bashrc
cp
bash
sudo sudo
/lib/crt1.o
ld
apt-get
bash
cc
UE: /home/alice/test
/home/alice/test.o
/home/alice/test.c
/home/alice/test
EXEC
37 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Backward Analysis: Key Ideas
Prefer shorter paths over longer ones
Favor paths that avoid redundant edges
Prefer edges corresponding to flow of
untrusted code
and, to a lesser extent, untrusted data
Preference encoded using a custom
edge-weight function to Dijkstra’s
shortest path algorithm
129.55.33.44:80
firefox
/home/bob/crt1.o
/home/bob/.bashrc
cp
bash
sudo sudo
/lib/crt1.o
ld
apt-get
bash
cc
UE: /home/alice/test
/home/alice/test.o
/home/alice/test.c
/home/alice/test
EXEC
38 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Forward Analysis
Goal: Identify a�ack impact, in terms of all objects/subjects a�ected by the a�ack.
Generate a subgraph of provenance graph that only includes objects and subjects
a�ected by the a�ack.
Starting point: Sources identified by backward analysis
Challenge: Straight-forward dependence analysis may yield a graph with hundreds of
thousands (if not millions) of edges.
39 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Forward Analysis: Key Ideas
Use cost metric to prune o� distant nodes,
i.e., nodes at a distance ≥ dth
Cost metric favors
edges with untrusted codetrustworthiness (cost=0);
and, to a lesser extent, edges with
untrusted data trustworthiness (cost=1)
Define simplifications on output
Prune nodes lacking “interesting”
descendants
Merge “similar” entities
Remove repetitions
129.55.33.44:80
firefox
/home/bob/crt1.o
/home/bob/.bashrc
cp
bash
sudo sudo
/lib/crt1.o
ld
apt-get
bash
cc
UE: /home/alice/test
/home/alice/test.o
/home/alice/test.c
/home/alice/test
EXEC
129.55.33.70:80
/etc/passwd
40 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Forward Analysis: Key Ideas
Use cost metric to prune o� distant nodes,
i.e., nodes at a distance ≥ dth
Cost metric favors
edges with untrusted codetrustworthiness (cost=0);
and, to a lesser extent, edges with
untrusted data trustworthiness (cost=1)
Define simplifications on output
Prune nodes lacking “interesting”
descendants
Merge “similar” entities
Remove repetitions
129.55.33.44:80
firefox
/home/bob/crt1.o
/home/bob/.bashrc
cp
bash
sudo sudo
/lib/crt1.o
ld
apt-get
bash
cc
UE: /home/alice/test
/home/alice/test.o
/home/alice/test.c
/home/alice/test
EXEC
129.55.33.70:80
/etc/passwd
41 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Forward Analysis: Key Ideas
Use cost metric to prune o� distant nodes,
i.e., nodes at a distance ≥ dth
Cost metric favors
edges with untrusted codetrustworthiness (cost=0);
and, to a lesser extent, edges with
untrusted data trustworthiness (cost=1)
Define simplifications on output
Prune nodes lacking “interesting”
descendants
Merge “similar” entities
Remove repetitions
129.55.33.44:80
firefox
/home/bob/crt1.o
/home/bob/.bashrc
cp
bash
sudo
/lib/crt1.o
ld
UE: /home/alice/test
/home/alice/test
EXEC
129.55.33.70:80
/etc/passwd
42 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Campaign Reconstruction Summary
Campaign
Entry
Points
Programs
Executed
Key Files
Involved
Exit
Points
Correctly
Identified
False
Positives
Missed
Entities
Win-1 2 8 7 3 20 0 0
Win-2 2 8 4 4 18 0 0
Lin-1 2 10 6 2 20 0 0
Lin-2 2 20 11 4 37 0 0
Lin-3 1 6 6 5 18 0 0
Bsd-1 4 13 9 2 13 15 1
Bsd-2 2 10 7 3 22 0 0
Bsd-3 4 14 7 1 26 0 0
Total 19 89 57 24 174 15 1
43 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Generated Graph for Scenario Win-1
mozillanightly
cmd.exe
firefox.exe
mnsend.exe
129.55.12.167:7770
mozillanightly
whoami.exe
C:\\Users\\User1\\Downloads\\firefox\\burnout.bat
photosnap.exe hostname.exe
C:\\Users\\User1\\Downloads\\firefox\\mnsend.exe
129.55.12.167:4430
C:\\Users\\User1\\Downloads\\photosnap.exe
C:\\Users\\User1\\Downloads\\pic.png
C:\\Users\\User1\\Downloads\\firefox\\mozillanightly
129.55.12.167:443
netstat.exe
C:\\Users\\User1\\Downloads\\firefox\\4662.log
C:\\Users\\User1\\Downloads\\mozillanightly
3. fork
5. send
6. send
7. receive8. write
9. fork
10. execute
11. write12. chmod
4. execute15. receive 14. send
13. read
17. receive
16. send
18. fork
19. rm
20. rm
23. execute
22. fork 24. send
27. send
29. fork
30. write 35. read
31. fork
32. write
33. fork
34. write
36. write
47. receive51. send
38. execute37. fork
40. send 39. read
50. rm
46. rm
25. write26. read
28. fork49. rm
48. rm
129.55.12.167:8000
1. receive
2. write
cmd.exe
129.55.12.167:4430
129.55.12.167:443
21. write
44 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Generated Graph for Scenario Bsd-3
/var/dropbear_latest/dropbearFREEBSD.tar
sshd
bash
sudoscp
whoami
date
ps
hostname
ls
3. fork
5. fork
7. fork
4. fork
6. fork
2. fork8. fork
9. fork10.write
bsdtar13. read
/var/dropbear_latest/dropbear/dropbearkey
15.write
/var/dropbear_latest/dropbear/dropbearscript
14.write
/var/dropbear_latest/dropbear/dropbear
16.write
vi18. read17. fork
sh
20. read19. fork
sudodropbearkey 22. fork
23.execute
sudo
25. fork
dropbear
26. fork
27. execute
/usr/local/etc/dropbear/dropbear_rsa_host_key
24. write
28. read
128.55.12.167
1. receive
29.receive
bash
ls
31. fork
30. fork
cat
37. fork
uname
33. fork
bash
39. fork
/usr/home/user/procstat
34. write38. write 32. writescp 40. fork
/usr/home/user/archiver
41. write
ps
35. fork
36. write
archiver43.execute 44. read
42. fork
128.55.12.167:2525
45. send
sudo
11. fork
12. fork
21. fork
45 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Generated Graph for Scenario Lin-2
dropbear
128.55.12.167:39490
/etc/dropbear/dropbear_dss_host_key
sudo
/etc/dropbear/dropbear_rsa_host_key
/var/dropbear_latest/dropbearLINUX/dropbear
/var/dropbear_latest/dropbearLINUX/dropbearkey
128.55.12.167:38510
dropbearkey dropbear
128.55.12.167:38509
/etc/dropbear/dropbear_ecdsa_host_key
128.55.12.167:39335
128.55.12.167:40246
9. fork
13. write
11. write
10. execute
12. write
15. execute
14.fork
18. read17. read
16. read
33. send36. send34. send
37. send
19. fork
35. send
tar
5. write
7. write
6. chmod
8. chmod
3. fork
/var/dropbear_latest/dropbearLINUX.tar
4. read
scp1. fork
2. write
shred
38. fork
41. write
39. write40. write
rm
42. fork
45. rm
43. rm44. rm
/etc/nsswitch 27. read
/etc/shells
26. read
/etc/shadow
25. read
/proc/vmstat
24. read
/etc/localtime28. read
/proc/timer_list
23. read
/proc/sys/kernel/ngroups_max/run/utmp
21. read
/var/log/lastlog
30. write
/run/utmp
32. write/var/log/wtmp
29. write
/dev/ptmx
31. write
/proc/loadavg20. read
/proc/interrupts
22. read
46 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Forward Analysis Selectivity
Campaign
Initial
# of
Events
Final
# of
Events
Reduction Factor
Single
t-tag
Split
t-tag
Sleuth
Simplif.
Total
Win-1 100 K 51 4.4x 1394x 1.4x 1951x
Win-2 401 K 28 3.6x 552x 26x 14352x
Lin-2 38.5 M 130 7.3x 2971x 100x 297100x
Lin-3 19.3 M 45 7.6x 1208x 356x 430048x
Bsd-2 5.86 M 39 1.9x 689x 218x 150202x
Bsd-3 5.68 M 45 6.7x 740x 170x 125800x
Average Reduction 4.68x 1305x 41.8x 54517x
47 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary Backward Analysis Forward Analysis Reconstruction Results Performance
Memory Use and Runtime Performance
Campaign Events Memory Bytes/ Duration Runtime
Usage event (hh:mm:ss) Time Speed-up
Win-1 100K 3 MB 30 06:22:42 1.19 s 19.3 K
Win-2 400K 10 MB 25 19:43:46 2.13 s 33.3 K
Win-Mean 28 26.3 K
Lin-1 2.7M 26 MB 10 07:59:26 8.71 s 3.3 K
Lin-2 38.5M 329 MB 9 79:06:39 114.14s 2.5 K
Lin-3 19.3M 175 MB 9 79:05:13 74.14 s 3.9 K
Lin-Mean 9 3.2 K
48 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary
Related Work
Intrusion detection: Numerous anomaly & misuse detection techniques developed since 80s.
Sleuth advances: novel use of provenance and policies to obtain application-independent,training-free detection with very low false positive rate.
Alert correlation: Link alarms using statistical [Qin03], graph-based clustering [Wang08, Pei16], a�ack
specifications [Ning03], and so on
In contrast, Sleuth uses provenance tags and policies to obtain accurate, analyst-friendly
scenario descriptions
“Backtracking Intrusions:” Backtracker, Taser, Forensix, ...
Target forensic analysis, assisted by external detectors.
Sleuth targets fully automated, real-time scenario construction with built-in detectors
Tackling dependence explosion: Orthogonal to (and can benefit) Sleuth.
Fine-grained taint-tracking
Forensics-targeted: BEEP, ProTracer, ...
Information flow control: [Biba, Bell-LaPadula, PIP, SPIF, ...]
Goal is to block illegal flow, while minimizing failures.
In contrast, Sleuth needs to distinguish a�acks from benign policy violations.
49 / 50
Intro. Overview A�ack Detection Scenario Construction Related Work Summary
Summary
Presented techniques that a security analyst can use to understand an ongoing
a�ack campaign, and respond in real-time.
Automatically generated visual representation that
compactly summarizes an ongoing campaign
Experiments show high accuracy and performance for Sleuth
E�ectiveness evaluated using realistic adversarial engagements.
Key point: Given millions of events in an unknown environment,
Sleuth consistently managed to be spot-on, zooming in on the
0.01% or less of the events actually involved in a�acks.
50 / 50