Abstract
Forensic analysis is nowadays a crucial part of attack investigation in end-user and enterprise systems. Log collection and analysis enable investigators to rebuild the attack chain, find the attack source and possibly roll back the damage done to the system.
However, building the full attack chain is often time-consuming and error-prone, because existing audit systems cannot provide high-level semantics for low-level system events. To address this issue, we propose SemFlow to accurately identify the semantics of system events. Specifically, during an offline training phase we generate signatures that link low-level system events to a particular high-level application behavior. Then, during the labeling phase, our real-time data collector matches the generated signatures against audit logs and labels individual system-level events with high-level semantics.
Our evaluation shows that on a set of 16 selected popular applications, our system can effectively identify the semantics of certain system-level data while incurring less than 4% CPU and memory overhead.
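The two-phase workflow the abstract describes (offline signature generation, then online matching that labels audit events) can be sketched as a small labeler. This is an added illustration, not SemFlow's code: the event format, the signature-as-common-ordered-subsequence rule, the path normalisation and all traces and log lines are constructed assumptions for the example.

```python
"""Toy two-phase labeler modelled on the abstract's workflow: offline training
derives a signature per high-level behavior from labeled event traces; the
labeling phase matches signatures against an audit log and tags each matched
low-level event. Event/signature formats and sample data are constructed here."""

def normalise(ev):
    """Event = (syscall, argument); generalise user paths so a signature learned
    on one file in /home matches another."""
    syscall, arg = ev
    return (syscall, "/home/*" if arg.startswith("/home/") else arg)

def train(traces_by_behavior):
    """Offline phase: keep, in first-seen order, only events present in every
    training trace of a behavior, so per-run noise (e.g. getpid) drops out."""
    sigs = {}
    for behavior, traces in traces_by_behavior.items():
        norm = [[normalise(e) for e in t] for t in traces]
        common = set(norm[0]).intersection(*map(set, norm[1:]))
        sigs[behavior] = [e for e in norm[0] if e in common]
    return sigs

def label(log, sigs):
    """Labeling phase: find each signature as an ordered subsequence of the log
    and tag its events with the behavior; unmatched events stay 'unknown'."""
    labels, norm = ["unknown"] * len(log), [normalise(e) for e in log]
    for behavior, sig in sigs.items():
        pos, matched = 0, []
        for i, ev in enumerate(norm):
            if pos < len(sig) and ev == sig[pos]:
                matched.append(i)
                pos += 1
        if pos == len(sig):  # whole signature observed in order
            for i in matched:
                labels[i] = behavior
    return labels

# Constructed training traces: two runs per behavior, one containing noise.
TRAINING = {
    "download": [
        [("socket", "AF_INET"), ("connect", "tcp/443"), ("recvfrom", "AF_INET"),
         ("openat", "/home/bob/a.pdf"), ("write", "/home/bob/a.pdf")],
        [("socket", "AF_INET"), ("connect", "tcp/443"), ("getpid", "-"), ("recvfrom", "AF_INET"),
         ("openat", "/home/bob/b.zip"), ("write", "/home/bob/b.zip")]],
    "exec_child": [
        [("clone", "-"), ("execve", "/usr/bin/sh")],
        [("rt_sigaction", "-"), ("clone", "-"), ("execve", "/usr/bin/sh")]]}
AUDIT_LOG = [("socket", "AF_INET"), ("connect", "tcp/443"), ("getpid", "-"),  # constructed log
             ("recvfrom", "AF_INET"), ("openat", "/home/alice/report.pdf"),
             ("write", "/home/alice/report.pdf"), ("clone", "-"),
             ("execve", "/usr/bin/sh"), ("close", "-")]

if __name__ == "__main__":
    for ev, lab in zip(AUDIT_LOG, label(AUDIT_LOG, train(TRAINING))):
        print(f"{lab:>10}  {ev[0]}({ev[1]})")
```

The noisy `getpid` call is dropped from the learned signature and stays `unknown` in the labeled log, which is the kind of low-level event an investigator would otherwise have to interpret by hand.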
Copyright information
© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Kavousi, M., Yang, R., Ma, S., Chen, Y. (2021). SemFlow: Accurate Semantic Identification from Low-Level System Data. In: Garcia-Alfaro, J., Li, S., Poovendran, R., Debar, H., Yung, M. (eds) Security and Privacy in Communication Networks. SecureComm 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 398. Springer, Cham. https://doi.org/10.1007/978-3-030-90019-9_26
DOI: https://doi.org/10.1007/978-3-030-90019-9_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-90018-2
Online ISBN: 978-3-030-90019-9
eBook Packages: Computer Science, Computer Science (R0)