
Author: 謝奇元 (Chi-Yuan Hsieh)
Thesis Title: 透過遞迴支配機制從複雜系統呼叫圖搜尋入侵者關鍵軌跡 (Exploring Intruder Key Trace based on Complicated System Call Graph by Recursive Dominator Mechanism)
Advisor: 李漢銘 (Hahn-Ming Lee)
Committee: 林豐澤 (Feng-Tse Lin), 鄧惟中 (Wei-Chung Teng), 鄭欣明 (Shin-Ming Cheng), 毛敬豪 (Ching-Hao Mao)
Degree: Master
Department: Department of Computer Science and Information Engineering, College of Electrical Engineering and Computer Science (電資學院 - 資訊工程系)
Thesis Publication Year: 2021
Graduation Academic Year: 109
Language: English
Pages: 53
Keywords (in Chinese): 資訊安全事件還原 (information security incident reconstruction)
Keywords (in other languages): Information Security, Scenario Reconstruction

Abstract (translated from Chinese):

The mainstream way to detect whether an attacker has penetrated an enterprise network is through security devices such as intrusion detection systems, user behaviour analytics and anti-virus software, which mitigate the threat the attacker poses. Unfortunately, these devices produce large volumes of log records, and correlating all of the logged events takes a great deal of time. What comes out in the end is a collection of fragments, such as anomalous host logins, suspicious relay (C&C) servers, and suspicious files or malware: a lot of information that still does not describe the attack scenario. After a security incident, finding the key point of intrusion therefore depends on forensic staff investigating manually, in person-days, while the victim machines or services stay out of service indefinitely. In this study we address the problem of fragmented information and the high cost of manually investigating the key intrusion point.

We present a method that searches for the intrusion trace in operating-system-level logs by finding dominators. We design a recursive dominator mechanism that analyses whether an event is related to the security incident. The contributions of this study are: (1) 98.94% of normal behaviour is filtered out, so attack behaviour is found faster; (2) the key attack trace is recovered with a recall of 92.85%; (3) fragments of information are assembled into an attack chain.


Abstract (English):

Existing security equipment detects attacks by applying host-based intrusion detection systems (HIDS), User and Entity Behavior Analytics (UEBA) and anti-virus software. Unfortunately, huge amounts of logs are generated by this equipment, and correlating all of the logs is very time-consuming. In the end, only fragments of information are obtained, such as unusual system login behaviours, suspicious command-and-control (C&C) servers and malware, which are unable to describe the attack scenario. As a result, forensic experts need to investigate the key intrusion point of the attack manually. In this study, our purpose is to reduce the cost of manual intrusion investigation.

We propose a method that explores the intruder key trace by examining dominators in the dependence graph built from system-level logs, and we design a recursive dominator mechanism to identify whether events are related to the attack. The main contributions of this study are as follows: (1) filtering out 98.94% of normal behaviours; (2) recovering the key trace of the attack with a 92.85% recall rate; (3) constructing the attack chain from information fragments.
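The abstract only names the building blocks (dominator tree, immediate dominator, dominance frontier over a system-call dependence graph; see the table of contents), not the exact steps of the recursive dominator mechanism. The following is an added example, not code from the thesis or its author, that shows how those building blocks behave on a small constructed dependence graph. All process and file names are hypothetical, the graph is constructed for illustration, and the dominator computation is the standard Cooper-Harvey-Kennedy iterative algorithm rather than anything the thesis specifies.

```python
# Added example (not the thesis's code): dominator analysis over a constructed
# system-call dependence graph. Edge u -> v means v's state derives from u
# (u forked v, u wrote file v, or process v read/executed file u).
from collections import defaultdict

# Constructed incident with hypothetical names: an SSH login spawns a shell;
# /tmp/x.sh could have been written by curl or by python (two branches that
# rejoin); sh executes it and drops a cron job. vim -> notes.txt is benign.
GRAPH = {
    "sshd": ["bash"],
    "bash": ["curl", "python", "vim"],
    "curl": ["/tmp/x.sh"],
    "python": ["/tmp/x.sh"],
    "vim": ["notes.txt"],
    "/tmp/x.sh": ["sh"],
    "sh": ["/etc/cron.d/job"],
    "/etc/cron.d/job": [],
    "notes.txt": [],
}

def predecessors(graph):
    preds = defaultdict(list)
    for u, succs in graph.items():
        for v in succs:
            preds[v].append(u)
    return preds

def reverse_postorder(graph, entry):
    """Reachable nodes in reverse DFS-finish order (entry first)."""
    seen, order = set(), []

    def dfs(n):
        seen.add(n)
        for s in graph.get(n, []):
            if s not in seen:
                dfs(s)
        order.append(n)

    dfs(entry)
    return order[::-1]

def immediate_dominators(graph, entry):
    """Cooper-Harvey-Kennedy iterative dominator algorithm; idom[entry] == entry."""
    preds = predecessors(graph)
    rpo = reverse_postorder(graph, entry)
    index = {n: i for i, n in enumerate(rpo)}
    idom = {entry: entry}

    def intersect(a, b):  # climb the partial dominator tree until both fingers meet
        while a != b:
            while index[a] > index[b]:
                a = idom[a]
            while index[b] > index[a]:
                b = idom[b]
        return a

    changed = True
    while changed:
        changed = False
        for n in rpo[1:]:
            ready = [p for p in preds[n] if p in idom]  # predecessors already placed
            new = ready[0]
            for p in ready[1:]:
                new = intersect(p, new)
            if idom.get(n) != new:
                idom[n] = new
                changed = True
    return idom

def key_trace(idom, endpoint):
    """Dominator chain entry -> ... -> endpoint: the nodes every path must cross."""
    trace = [endpoint]
    while idom[trace[-1]] != trace[-1]:
        trace.append(idom[trace[-1]])
    return trace[::-1]

def dominance_frontiers(graph, idom):
    """DF(x): join nodes where x's dominance ends, i.e. where branches merge."""
    preds = predecessors(graph)
    df = {n: set() for n in idom}
    for n in idom:
        ready = [p for p in preds[n] if p in idom]
        if len(ready) >= 2:
            for p in ready:
                runner = p
                while runner != idom[n]:
                    df[runner].add(n)
                    runner = idom[runner]
    return df

def analyze(graph, entry, endpoint):
    idom = immediate_dominators(graph, entry)
    return {"idom": idom, "key_trace": key_trace(idom, endpoint),
            "frontiers": dominance_frontiers(graph, idom)}

if __name__ == "__main__":
    r = analyze(GRAPH, "sshd", "/etc/cron.d/job")
    print("key trace:", " -> ".join(r["key_trace"]))
    print("frontiers:", {k: sorted(v) for k, v in r["frontiers"].items() if v})
```

Run from the service vertex `sshd` to the incident endpoint `/etc/cron.d/job`, the dominator chain is `sshd -> bash -> /tmp/x.sh -> sh -> /etc/cron.d/job`: the benign `vim` branch drops out, and so do `curl` and `python`, because neither lies on every path to the endpoint. Their dominance frontiers both contain `/tmp/x.sh`, which is exactly the join point where the two alternative ways of producing the script merge; that is the kind of place where a further, recursive pass would have to decide which branch belongs to the incident.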

Table of Contents:
1 Introduction
  1.1 Motivation
  1.2 Challenges and Goals
  1.3 Contributions
  1.4 The Outline of Thesis
2 Background
  2.1 Audit System
  2.2 System Call Auditing
    2.2.1 Vertex
    2.2.2 Edge
  2.3 Dominance
    2.3.1 Dominator Tree
    2.3.2 Immediate Dominator
    2.3.3 Dominance Frontiers
  2.4 Related Work
3 System Description
  3.1 Observation
  3.2 System Call-based Dependence Graph Construction
    3.2.1 System Call Collection with Auditd Service
    3.2.2 Raw Data Join by Timestamp
    3.2.3 Raw Data Join by Process ID
    3.2.4 Dependence Graph Construction
  3.3 Tag-based Suspicious Graph Identification
    3.3.1 Backward Tracking to Find Service and Separate from Other Services
    3.3.2 Forward Tracking to Collect Event Logs from Incident
  3.4 Recursive Dominator Mechanism
    3.4.1 Selection of End-point
    3.4.2 Building Dominator Tree
    3.4.3 Collection of Non-travel Dependence
    3.4.4 Finding Dominance Frontier
4 Experiments and Results
  4.1 Dataset Description
    4.1.1 Attack Scenario
  4.2 Evaluation Metrics
  4.3 The Result of the Experiments
    4.3.1 Filter Rate
    4.3.2 Exploring Intruder Key Trace
    4.3.3 Exploring Malicious Files
  4.4 Case Study
5 Conclusions and Further Work
  5.1 Conclusions
  5.2 Further Work

