OALib Journal
ISSN: 2333-9721

Provenance Graph Redundant Structure Compression for APT Attack Investigation

DOI: 10.12677/csa.2025.156155, PP. 35-44

Keywords: Advanced Persistent Threat, System Audit Logs, Attack Investigation, Graph Compression


Abstract:

Provenance graph analysis of system audit logs has become a primary method for investigating APT attacks. Nodes in the provenance graph represent system entities (including processes, files, and network activities), and edges denote dependency relationships between these entities. Attack investigation traces the attack back to its origin and reconstructs the complete attack path on the provenance graph. However, dependency explosion produces excessively large provenance graphs, imposing significant storage and computational overhead on investigations. To address this issue, this paper proposes process repetition pattern compression and file repetition pattern compression to reduce the scale of provenance graphs. A process repetition pattern occurs when the system repeatedly invokes the same process at different times to perform identical file read/write operations; a file repetition pattern occurs when multiple files are processed by the same process. Because these patterns represent redundant behaviour and carry no additional information of value to an investigation, compressing them does not affect attack investigations. Experiments were conducted on six real-world attack datasets (comprising approximately 19.48 million system events). The results show average compression rates of 56.5% for nodes and 58.0% for edges in the provenance graph. Furthermore, attack investigations (using Nodoze and DepComm) were performed on both the original and the compressed provenance graphs, confirming that the proposed compression method does not compromise investigation accuracy.
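As an added illustration (not code from the paper), a toy Python model of the two patterns the abstract describes: process instances of the same executable with identical file interactions are folded into one node, and files with identical process interactions are folded together, while a backward-tracking query still recovers the same original entities. The graph, node ids and the `backtrack` routine are constructed assumptions; the paper's own compression algorithm and the Nodoze/DepComm investigations are not reproduced.

```python
from collections import defaultdict

# Constructed sample graph (not the paper's data): node id -> (kind, label). cron is
# spawned three times and repeats the same read/write; bash reads three similar files.
NODES = {"cron#1": ("process", "cron"), "cron#2": ("process", "cron"),
         "cron#3": ("process", "cron"), "bash#1": ("process", "bash"),
         "/etc/crontab": ("file", "/etc/crontab"), "/var/log/syslog": ("file", "/var/log/syslog"),
         "/tmp/a": ("file", "/tmp/a"), "/tmp/b": ("file", "/tmp/b"), "/tmp/c": ("file", "/tmp/c"),
         "10.0.0.5:443": ("net", "10.0.0.5:443")}
# Edges (src, dst, op): reads/recvs point into the process, writes out of it (no timestamps).
EDGES = [("/etc/crontab", "cron#1", "read"), ("cron#1", "/var/log/syslog", "write"),
         ("/etc/crontab", "cron#2", "read"), ("cron#2", "/var/log/syslog", "write"),
         ("/etc/crontab", "cron#3", "read"), ("cron#3", "/var/log/syslog", "write"),
         ("10.0.0.5:443", "bash#1", "recv"), ("/tmp/a", "bash#1", "read"),
         ("/tmp/b", "bash#1", "read"), ("/tmp/c", "bash#1", "read")]

def neighbourhood(node, edges):
    """Which (direction, op, other node) a node touches; the basis for spotting repetition."""
    return frozenset(("out", op, d) if s == node else ("in", op, s)
                     for s, d, op in edges if node in (s, d))

def merge_repeated(nodes, edges, kind, alias):
    """Fold nodes of `kind` with identical neighbourhoods (processes: same executable too)."""
    groups = defaultdict(list)
    for nid, (k, label) in nodes.items():
        if k == kind:
            groups[(label if kind == "process" else None, neighbourhood(nid, edges))].append(nid)
    for members in groups.values():
        alias.update((m, members[0]) for m in members[1:])  # member -> representative
    nodes = {nid: v for nid, v in nodes.items() if nid not in alias}
    # rewrite edges onto representatives; parallel duplicates collapse via the set
    return nodes, sorted({(alias.get(s, s), alias.get(d, d), op) for s, d, op in edges})

def compress(nodes, edges):
    alias = {}  # kept alongside the graph so an investigation can expand merged nodes
    nodes, edges = merge_repeated(nodes, edges, "process", alias)  # process repetition
    nodes, edges = merge_repeated(nodes, edges, "file", alias)     # file repetition
    return nodes, edges, alias

def backtrack(start, edges, alias=None):
    """Backward causality from `start`, reported in original node ids via `alias`."""
    alias = alias or {}
    rev = defaultdict(set)
    for s, d, _ in edges:
        rev[d].add(s)
    seen, todo = set(), {alias.get(start, start)}
    while todo:
        n = todo.pop()
        seen.add(n)
        todo |= rev[n] - seen
    return seen | {m for m, r in alias.items() if r in seen}
```

On this sample the node count drops from 10 to 6 and the edge count from 10 to 4, and backtracking from /var/log/syslog or bash#1 yields the same ancestor set on both graphs.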

