-
POIROT: Aligning Attack Behavior with Kernel Audit Records for Cyber Threat Hunting
Authors:
Sadegh M. Milajerdi,
Birhanu Eshete,
Rigel Gjomemo,
V. N. Venkatakrishnan
Abstract:
Cyber threat intelligence (CTI) is being used to search for indicators of attacks that might have compromised an enterprise network for a long time without being discovered. To have a more effective analysis, CTI open standards have incorporated descriptive relationships showing how the indicators or observables are related to each other. However, these relationships are either completely overlooked in information gathering or not used for threat hunting. In this paper, we propose a system, called POIROT, which uses these correlations to uncover the steps of a successful attack campaign. We use kernel audits as a reliable source that covers all causal relations and information flows among system entities and model threat hunting as an inexact graph pattern matching problem. Our technical approach is based on a novel similarity metric which assesses an alignment between a query graph constructed out of CTI correlations and a provenance graph constructed out of kernel audit log records. We evaluate POIROT on publicly released real-world incident reports as well as reports of an adversarial engagement designed by DARPA, including ten distinct attack campaigns against different OS platforms such as Linux, FreeBSD, and Windows. Our evaluation results show that POIROT is capable of searching inside graphs containing millions of nodes and pinpointing the attacks in a few minutes, and the results serve to illustrate that CTI correlations could be used as robust and reliable artifacts for threat hunting.
Submitted 30 September, 2019;
originally announced October 2019.
-
ProPatrol: Attack Investigation via Extracted High-Level Tasks
Authors:
Sadegh M. Milajerdi,
Birhanu Eshete,
Rigel Gjomemo,
V. N. Venkatakrishnan
Abstract:
Kernel audit logs are an invaluable source of information in the forensic investigation of a cyber-attack. However, the coarse granularity of dependency information in audit logs leads to the construction of huge attack graphs which contain false or inaccurate dependencies. To overcome this problem, we propose a system, called ProPatrol, which leverages the open compartmentalized design in families of enterprise applications used in security-sensitive contexts (e.g., browser, chat client, email client). To achieve its goal, ProPatrol infers a model for an application's high-level tasks as input-processing compartments using purely the audit log events generated by that application. The main benefit of this approach is that it does not rely on source code or binary instrumentation, but only on a preliminary and general knowledge of an application's architecture to bootstrap the analysis. Our experiments with enterprise-level attacks demonstrate that ProPatrol significantly cuts down the forensic investigation effort and quickly pinpoints the root cause of attacks. ProPatrol incurs less than 2% runtime overhead on a commodity operating system.
Submitted 12 October, 2018;
originally announced October 2018.
-
HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows
Authors:
Sadegh M. Milajerdi,
Rigel Gjomemo,
Birhanu Eshete,
R. Sekar,
V. N. Venkatakrishnan
Abstract:
In this paper, we present HOLMES, a system that implements a new approach to the detection of Advanced and Persistent Threats (APTs). HOLMES is inspired by several case studies of real-world APTs that highlight some common goals of APT actors. In a nutshell, HOLMES aims to produce a detection signal that indicates the presence of a coordinated set of activities that are part of an APT campaign. One of the main challenges addressed by our approach involves developing a suite of techniques that make the detection signal robust and reliable. At a high level, the techniques we develop effectively leverage the correlation between suspicious information flows that arise during an attacker campaign. In addition to its detection capability, HOLMES is also able to generate a high-level graph that summarizes the attacker's actions in real-time. This graph can be used by an analyst for an effective cyber response. An evaluation of our approach against some real-world APTs indicates that HOLMES can detect APT campaigns with high precision and low false alarm rate. The compact high-level graphs produced by HOLMES effectively summarize an ongoing attack campaign and can assist real-time cyber-response operations.
Submitted 17 January, 2019; v1 submitted 3 October, 2018;
originally announced October 2018.
-
SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data
Authors:
Md Nahid Hossain,
Sadegh M Milajerdi,
Junao Wang,
Birhanu Eshete,
Rigel Gjomemo,
R Sekar,
Scott Stoller,
VN Venkatakrishnan
Abstract:
We present an approach and system for real-time reconstruction of attack scenarios on an enterprise host. To meet the scalability and real-time needs of the problem, we develop a platform-neutral, main-memory based, dependency graph abstraction of audit-log data. We then present efficient, tag-based techniques for attack detection and reconstruction, including source identification and impact analysis. We also develop methods to reveal the big picture of attacks by construction of compact, visual graphs of attack steps. Our system participated in a red team evaluation organized by DARPA and was able to successfully detect and reconstruct the details of the red team's attacks on hosts running Windows, FreeBSD and Linux.
Submitted 6 January, 2018;
originally announced January 2018.
-
A Composite-Metric Based Path Selection Technique for the Tor Anonymity Network
Authors:
Sadegh Momeni Milajerdi,
Mehdi Kharrazi
Abstract:
The Tor anonymous network has become quite popular with regular users on the Internet. In the Tor network, an anonymous path is created by selecting three relays through which the connection is redirected. Nevertheless, as the number of Tor users has increased substantially in recent years, the algorithm with which the relays are selected affects the performance provided by the Tor network. More importantly, as the performance suffers, users will leave the network, resulting in a lower anonymity set and in turn lower security provided by the Tor network.
In this paper, we proposed an algorithm for improving performance and security of the Tor network, by employing a combination of different metrics in the process of the path selection between the source and destination node. These metrics are bandwidth and uptime of relays as node conditions and delays between the relays as a path condition. Through a number of experiments we show that we could double the performance observed by end users when using the proposed technique as opposed to the current Tor path selection algorithm. More importantly, the proposed technique only requires a software upgrade on the client side, and other Tor nodes do not need to be modified.
Submitted 8 July, 2017;
originally announced July 2017.