MCI : Modeling-based Causality Inference in Audit Logging for Attack Investigation

Kwon, Yonghwi; Wang, Fei; Wang, Weihang; Lee, Kyu Hyoung; Lee, Wen‐Chuan; Ma, Shiqing; Zhang, Xiangyu; Xu, Dongyan; Jha, Somesh; Ciocarlie, Gabriela F.; Gehani, Ashish; Yegneswaran, Vinod

doi:10.14722/ndss.2018.23306

Cited by 91 publications

(62 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Prior solutions to the dependency explosion problem [46], [51], [50], [44] propose to partition the execution of a long running process into autonomous "units" in order to provide more precise causal dependency between input and output events. However, these systems require end-user involvement and system changes through source code instrumentation, training runs of application with typical workloads, and modifying the kernel.…”

Section: B Existing Tools Limitationsmentioning

confidence: 99%

“…As mentioned previously, existing execution partitioning techniques [46], [51], [50], [44] for precise dependencies are not feasible in an enterprise. In the case of true alerts, NODOZE solves this problem by leveraging the observation that the attack's dependencies will be readily apparent because the true path will have much higher anomaly score.…”

Section: Nodoze Overview and Approachmentioning

confidence: 99%

See 1 more Smart Citation

NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage

Hassan

Guo

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

177

120

View full text Add to dashboard Cite

Large enterprises are increasingly relying on threat detection softwares (e.g., Intrusion Detection Systems) to allow them to spot suspicious activities. These softwares generate alerts which must be investigated by cyber analysts to figure out if they are true attacks. Unfortunately, in practice, there are more alerts than cyber analysts can properly investigate. This leads to a "threat alert fatigue" or information overload problem where cyber analysts miss true attack alerts in the noise of false alarms.

show abstract

Section: B Existing Tools Limitationsmentioning

confidence: 99%

Section: Nodoze Overview and Approachmentioning

confidence: 99%

NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage

Hassan

Guo

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

177

120

View full text Add to dashboard Cite

show abstract

“…Winnower [55] provides a storage efficient provenance auditing framework for large clusters. MCI [68] proposes a reliable and efficient approach to restore fine-grained information flow among system events using dual execution (LDX). While these techniques address different problems, we believe that they can be integrated into PROVDETECTOR to improve its accuracy.…”

Section: Provenance-based Solutionsmentioning

confidence: 99%

You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis

Wang¹,

Hassan²,

Ding³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

123

View full text Add to dashboard Cite

To subvert recent advances in perimeter and host security, the attacker community has developed and employed various attack vectors to make a malware much stealthier than before to penetrate the target system and prolong its presence. Such advanced malware or "stealthy malware" makes use of various techniques to impersonate or abuse benign applications and legitimate system tools to minimize its footprints in the target system. It is thus difficult for traditional detection tools, such as malware scanners, to detect it, as the malware normally does not expose its malicious payload in a file and hides its malicious behaviors among the benign behaviors of the processes. In this paper, we present PROVDETECTOR, a provenancebased approach for detecting stealthy malware. Our insight behind the PROVDETECTOR approach is that although a stealthy malware attempts to blend into benign processes, its malicious behaviors inevitably interact with the underlying operating system (OS), which will be exposed to and captured by provenance monitoring. Based on this intuition, PROVDETECTOR first employs a novel selection algorithm to identify possibly malicious parts in the OS-level provenance data of a process. It then applies a neural embedding and machine learning pipeline to automatically detect any behavior that deviates significantly from normal behaviors. We evaluate our approach on a large provenance dataset from an enterprise network and demonstrate that it achieves very high detection performance of stealthy malware (an average F1 score of 0.974). Further, we conduct thorough interpretability studies to understand the internals of the learned machine learning models.

show abstract

“…• Application of human-defined knowledge [3,7,30,55,87] • Modeling trojan/ransomware behaviors [6,41,46,89] • Modeling botnet behaviors [5,28,37,62,97] • Modeling malicious download behaviors [36,45,46,84] • Modeling malicious browser extension behaviors [40] • Modeling malware behaviors [4,18,44,51,60,86] • Modeling malicious graph communities [39,70,91,97] • Modeling permitted behaviors [17,24,25,29,82,88] • Knowledge discovery on graphs [71,81,94] • Attack causality tracking and inference [42,47,54,85] • Anomaly detection [16,20,23,50,58,59,...…”

Section: Static Threat Model Approachesmentioning

confidence: 99%

Threat Intelligence Computing

Shu

Araujo

Schales

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Cyber threat hunting is the process of proactively and iteratively formulating and validating threat hypotheses based on securityrelevant observations and domain knowledge. To facilitate threat hunting tasks, this paper introduces threat intelligence computing as a new methodology that models threat discovery as a graph computation problem. It enables efficient programming for solving threat discovery problems, equipping threat hunters with a suite of potent new tools for agile codifications of threat hypotheses, automated evidence mining, and interactive data inspection capabilities. A concrete realization of a threat intelligence computing platform is presented through the design and implementation of a domain-specific graph language with interactive visualization support and a distributed graph database. The platform was evaluated in a two-week DARPA competition for threat detection on a test bed comprising a wide variety of systems monitored in real time. During this period, sub-billion records were produced, streamed, and analyzed, dozens of threat hunting tasks were dynamically planned and programmed, and attack campaigns with diverse malicious intent were discovered. The platform exhibited strong detection and analytics capabilities coupled with high efficiency, resulting in a leadership position in the competition. Additional evaluations on comprehensive policy reasoning are outlined to demonstrate the versatility of the platform and the expressiveness of the language.

show abstract

MCI : Modeling-based Causality Inference in Audit Logging for Attack Investigation

Cited by 91 publications

References 27 publications

NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage

NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage

You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis

Threat Intelligence Computing

Contact Info

Product

Resources

About