Towards a Timely Causality Analysis for Enterprise Security

Liu, Yushan; Zhang, Mu; Li, Ding; Jee, Kangkook; Li, Zhichun; Wu, Zhenyu; Rhee, Junghwan; Mittal, Prateek

doi:10.14722/ndss.2018.23254

Cited by 137 publications

(133 citation statements)

References 17 publications

Supporting

Mentioning

133

Contrasting

Order By: Relevance

“…Provenance graphs are increasingly popular for attack analysis [15], [40], [79], [102] and are attractive for APT detection. In particular, provenance graphs capture causality relationships between events.…”

Section: A Provenance Graphmentioning

confidence: 99%

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

157

111

View full text Add to dashboard Cite

Advanced Persistent Threats (APTs) are difficult to detect due to their "low-and-slow" attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomalybased APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without predefined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects reallife APT scenarios with high accuracy.

show abstract

Section: A Provenance Graphmentioning

confidence: 99%

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

157

111

View full text Add to dashboard Cite

show abstract

“…Among these, BEEP [34], ProTracer [39], and MPI [38] use training and code instrumentation and annotations to divide process executions into smaller units, to address dependency explosion and provide better forensic analysis. PrioTracker [36] performs timely causality analysis by quantifying the notion of event rareness to prioritize the investigation of abnormal causal dependencies. In contrast, HOLMES uses system event traces to perform realtime detection, with integrated forensics capabilities in the detection framework, in the form of high-level attack steps, without requiring instrumentation.…”

Section: G Live Experimentsmentioning

confidence: 99%

HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows

Milajerdi

Gjomemo

Eshete

et al. 2019

2019 IEEE Symposium on Security and Privacy (SP)

276

161

View full text Add to dashboard Cite

In this paper, we present HOLMES, a system that implements a new approach to the detection of Advanced and Persistent Threats (APTs). HOLMES is inspired by several case studies of real-world APTs that highlight some common goals of APT actors. In a nutshell, HOLMES aims to produce a detection signal that indicates the presence of a coordinated set of activities that are part of an APT campaign. One of the main challenges addressed by our approach involves developing a suite of techniques that make the detection signal robust and reliable. At a high-level, the techniques we develop effectively leverage the correlation between suspicious information flows that arise during an attacker campaign. In addition to its detection capability, HOLMES is also able to generate a high-level graph that summarizes the attacker's actions in real-time. This graph can be used by an analyst for an effective cyber response. An evaluation of our approach against some real-world APTs indicates that HOLMES can detect APT campaigns with high precision and low false alarm rate. The compact high-level graphs produced by HOLMES effectively summarizes an ongoing attack campaign and can assist real-time cyber-response operations.

show abstract

“…• Application of human-defined knowledge [3,7,30,55,87] • Modeling trojan/ransomware behaviors [6,41,46,89] • Modeling botnet behaviors [5,28,37,62,97] • Modeling malicious download behaviors [36,45,46,84] • Modeling malicious browser extension behaviors [40] • Modeling malware behaviors [4,18,44,51,60,86] • Modeling malicious graph communities [39,70,91,97] • Modeling permitted behaviors [17,24,25,29,82,88] • Knowledge discovery on graphs [71,81,94] • Attack causality tracking and inference [42,47,54,85] • Anomaly detection [16,20,23,50,58,59,...…”

Section: Static Threat Model Approachesmentioning

confidence: 99%

“…Existing threat hunting practices fulfill this need with a mash-up solution -importing security and non-security data of all kinds into a SIEM [31,34] and employing SOC analysts for connecting the dots with the human languages/concepts as the universal interface. The procedure is aided by static threat model approaches for wellmodeled tasks, such as call chain traversal [9,54] or knowledge standardization for retrieval and sharing [35,52,68,83,95]. Performing threat hunting through graph computations establishes new programmability requirements beyond existing graph programming platforms [12,65] (discussed in Section 2).…”

Section: Dynamic Threat Model Approachesmentioning

confidence: 99%

Threat Intelligence Computing

Shu

Araujo

Schales

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Cyber threat hunting is the process of proactively and iteratively formulating and validating threat hypotheses based on securityrelevant observations and domain knowledge. To facilitate threat hunting tasks, this paper introduces threat intelligence computing as a new methodology that models threat discovery as a graph computation problem. It enables efficient programming for solving threat discovery problems, equipping threat hunters with a suite of potent new tools for agile codifications of threat hypotheses, automated evidence mining, and interactive data inspection capabilities. A concrete realization of a threat intelligence computing platform is presented through the design and implementation of a domain-specific graph language with interactive visualization support and a distributed graph database. The platform was evaluated in a two-week DARPA competition for threat detection on a test bed comprising a wide variety of systems monitored in real time. During this period, sub-billion records were produced, streamed, and analyzed, dozens of threat hunting tasks were dynamically planned and programmed, and attack campaigns with diverse malicious intent were discovered. The platform exhibited strong detection and analytics capabilities coupled with high efficiency, resulting in a leadership position in the competition. Additional evaluations on comprehensive policy reasoning are outlined to demonstrate the versatility of the platform and the expressiveness of the language.

show abstract

Towards a Timely Causality Analysis for Enterprise Security

Cited by 137 publications

References 17 publications

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows

Threat Intelligence Computing

Contact Info

Product

Resources

About