
Author: 謝奇元 (Chi-Yuan Hsieh)
Thesis Title: 透過遞迴支配機制從複雜系統呼叫圖搜尋入侵者關鍵軌跡 (Exploring Intruder Key Trace based on Complicated System Call Graph by Recursive Dominator Mechanism)
Advisor: 李漢銘 (Hahn-Ming Lee)
Committee: 林豐澤 (Feng-Tse Lin), Wei-Chung Teng, Shin-Ming Cheng, Ching-Hao Mao
Degree: Master's
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Thesis Publication Year: 2021
Graduation Academic Year: 109
Language: English
Pages: 53
Keywords (in Chinese): 資訊安全事件還原 (information security incident reconstruction)
Keywords (in other languages): Information Security, Scenario Reconstruction
Reference times: Clicks: 354, Downloads: 8



Abstract: Existing security equipment detects attacks by applying host-based intrusion detection systems (HIDS), User and Entity Behavior Analytics (UEBA) and anti-virus software. Unfortunately, this equipment generates huge amounts of logs, and correlating all of them is a very time-consuming task. In the end, only fragments of information are obtained, such as unusual system login behaviors, suspicious command-and-control (C&C) servers and malware, which are unable to describe the attack scenario. As a result, forensics experts need to manually investigate the key intrusion steps of the attacks. The purpose of this study is to reduce the cost of manual attack intrusion investigation.

We propose a method that explores the intruder key trace by examining dominators in a graph built from system-level logs, and we design a recursive dominator mechanism to identify whether events are related to the attack. The main contributions of the study are as follows: (1) filtering out 98.94% of normal behaviors; (2) recovering the key trace of the attack with a 92.85% recall rate; (3) constructing the attack chain from information fragments.

Table of Contents:
1 Introduction
  1.1 Motivation
  1.2 Challenges and Goals
  1.3 Contributions
  1.4 The Outline of Thesis
2 Background
  2.1 Audit System
  2.2 System Call Auditing
    2.2.1 Vertex
    2.2.2 Edge
  2.3 Dominance
    2.3.1 Dominator Tree
    2.3.2 Immediate Dominator
    2.3.3 Dominance Frontiers
  2.4 Related Work
3 System Description
  3.1 Observation
  3.2 System Call-based Dependence Graph Construction
    3.2.1 System Call Collection with Auditd Service
    3.2.2 Raw Data Join by Timestamp
    3.2.3 Raw Data Join by Process ID
    3.2.4 Dependence Graph Construction
  3.3 Tag-based Suspicious Graph Identification
    3.3.1 Backward Tracking to Find Service and Separate from Other Services
    3.3.2 Forward Tracking to Collect Event Logs from Incident
  3.4 Recursive Dominator Mechanism
    3.4.1 Selection of End-point
    3.4.2 Building Dominator Tree
    3.4.3 Collection Non-travel Dependence
    3.4.4 Finding Dominance Frontier
4 Experiments and Results
  4.1 Dataset Description
    4.1.1 Attack Scenario
  4.2 Evaluation Metrics
  4.3 The Result of the Experiments
    4.3.1 Filter Rate
    4.3.2 Exploring Intruder Key Trace
    4.3.3 Exploring Malicious Files
  4.4 Case Study
5 Conclusions and Further Work
  5.1 Conclusions
  5.2 Further Work
