Kernel audit logs are an invaluable source of information in the forensic investigation of a cyber-attack. However, the coarse granularity of dependency information in audit logs leads to the construction of huge attack graphs which contain false or inaccurate dependencies. To overcome this problem, we propose a system, called ProPatrol, which leverages the open compartmentalized design in families of enterprise applications used in security-sensitive contexts (e.g., browser, chat client, email client). To achieve its goal, ProPatrol infers a model for an application’s high-level tasks as input-processing compartments using purely the audit log events generated by that application. The main benefit of this approach is that it does not rely on source code or binary instrumentation, but only on a preliminary and general knowledge of an application’s architecture to bootstrap the analysis. Our experiments with enterprise-level attacks demonstrate that ProPatrol significantly cuts down the forensic investigation effort and quickly pinpoints the root-cause of attacks. ProPatrol incurs less than 2% runtime overhead on a commodity operating system.
CITATION STYLE
M. Milajerdi, S., Eshete, B., Gjomemo, R., & Venkatakrishnan, V. N. (2018). ProPatrol: Attack Investigation via Extracted High-Level Tasks. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 11281 LNCS, pp. 107–126). Springer Verlag. https://doi.org/10.1007/978-3-030-05171-6_6
Mendeley helps you to discover research relevant for your work.