
FAuST: Striking a Bargain between Forensic Auditing’s Security and Throughput

Published: 05 December 2022 Publication History

Abstract

System logs are invaluable to forensic audits, but grow so large that in practice fine-grained logs are quickly discarded – if captured at all – preventing the real-world use of the provenance-based investigation techniques that have gained popularity in the literature. Encouragingly, forensically-informed methods for reducing the size of system logs are a subject of frequent study. Unfortunately, many of these techniques are designed for offline reduction in a central server, meaning that the up-front cost of log capture, storage, and transmission must still be paid at the endpoints. Moreover, to date these techniques exist as isolated (and, often, closed-source) implementations; there does not exist a comprehensive framework through which the combined benefits of multiple log reduction techniques can be enjoyed.
In this work, we present FAuST, an audit daemon for performing streaming audit log reduction at system endpoints. After registering with a log source (e.g., via Linux Audit’s audisp utility), FAuST incrementally builds an in-memory provenance graph of recent system activity. During graph construction, log reduction techniques that can be applied to local subgraphs are invoked immediately using event callback handlers, while techniques meant for application on the global graph are invoked in periodic epochs. We evaluate FAuST, loaded with eight different log reduction modules from the literature, against the DARPA Transparent Computing datasets. Our experiments demonstrate the efficient performance of FAuST and identify certain subsets of reduction techniques that are synergistic with one another. Thus, FAuST dramatically simplifies the evaluation and deployment of log reduction techniques.
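The abstract describes a pipeline in three parts: a stream of audit events feeding an in-memory provenance graph, local reduction rules fired as per-event callbacks, and global rules run once per epoch over the graph built so far. The sketch below, added here as an illustration and not FAuST's code or any of its eight modules, shows that shape end to end over a constructed event stream. The event schema, the two rules (a simplified collapse of repeated same-process accesses, and a simplified LogGC-style collection of temporary files that are unlinked without ever being read) and the sample events are all assumptions made for the example.

```python
"""Streaming provenance-graph reduction: per-event local callbacks plus
per-epoch global passes. Illustrative example only; not FAuST's code.
Event schema, rules and sample stream are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int    # monotonic timestamp (arbitrary units)
    pid: str   # acting process
    op: str    # one of: exec, read, write, unlink
    obj: str   # file path the process acted on


class ProvGraph:
    """Retained Event records are the edges; pids and objs are the nodes."""

    def __init__(self, epoch_len=100):
        self.edges = []          # retained edges in arrival order
        self.last_idx = {}       # (pid, op, obj) -> index of last retained edge
        self.epoch_len = epoch_len
        self.epoch_start = 0
        self.stats = defaultdict(int)
        self.local_rules = [self.collapse_repeated_access]  # per-event callbacks
        self.global_rules = [self.gc_dead_temp_files]       # per-epoch passes

    def ingest(self, ev):
        self.stats["raw"] += 1
        if all(rule(ev) for rule in self.local_rules):
            self.last_idx[(ev.pid, ev.op, ev.obj)] = len(self.edges)
            self.edges.append(ev)
        else:
            self.stats["dropped_local"] += 1
        if ev.ts - self.epoch_start >= self.epoch_len:
            self.run_epoch()
            self.epoch_start = ev.ts

    def collapse_repeated_access(self, ev):
        """Local rule: drop a read/write that repeats an already retained
        read/write by the same process on the same object when no other process
        touched that object in between (the repeat adds no new dependency).
        Simplified for illustration; not FAuST's module."""
        if ev.op not in ("read", "write"):
            return True
        idx = self.last_idx.get((ev.pid, ev.op, ev.obj))
        if idx is None:
            return True
        for later in self.edges[idx + 1:]:
            if later.obj == ev.obj and later.pid != ev.pid:
                return True   # intervening access by another process: keep
        return False

    def gc_dead_temp_files(self):
        """Global rule: drop every edge of an object unlinked during the epoch
        and never read by anyone, since nothing downstream can depend on it.
        Simplified LogGC-style garbage collection; not FAuST's module."""
        ops_by_obj = defaultdict(set)
        for e in self.edges:
            if e.ts >= self.epoch_start:
                ops_by_obj[e.obj].add(e.op)
        dead = {o for o, ops in ops_by_obj.items()
                if "unlink" in ops and "read" not in ops}
        kept = [e for e in self.edges
                if not (e.ts >= self.epoch_start and e.obj in dead)]
        self.stats["dropped_global"] += len(self.edges) - len(kept)
        self.edges = kept

    def run_epoch(self):
        for rule in self.global_rules:
            rule()
        # rebuild the index; later entries overwrite earlier, leaving the last
        self.last_idx = {(e.pid, e.op, e.obj): i for i, e in enumerate(self.edges)}


# Constructed sample stream: a download staged in /tmp and deleted, a config
# file read twice, a file handed to another process, and an epoch-closing event.
SAMPLE = [
    Event(1, "p1", "exec", "/bin/wget"),
    Event(2, "p1", "read", "/etc/hosts"),
    Event(3, "p1", "read", "/etc/hosts"),         # repeat -> dropped locally
    Event(4, "p1", "write", "/tmp/dl.part"),
    Event(5, "p1", "write", "/tmp/dl.part"),      # repeat -> dropped locally
    Event(6, "p2", "write", "/etc/hosts"),
    Event(7, "p1", "read", "/etc/hosts"),         # p2 wrote in between -> kept
    Event(8, "p1", "unlink", "/tmp/dl.part"),     # temp file dies unread
    Event(9, "p1", "write", "/home/u/report.pdf"),
    Event(10, "p3", "read", "/home/u/report.pdf"),
    Event(101, "p3", "exec", "/usr/bin/evince"),  # crosses the epoch boundary
]


def reduce_stream(events, epoch_len=100):
    """Return (raw, retained, dropped_local, dropped_global) for a stream."""
    g = ProvGraph(epoch_len)
    for ev in events:
        g.ingest(ev)
    return g.stats["raw"], len(g.edges), g.stats["dropped_local"], g.stats["dropped_global"]


if __name__ == "__main__":
    print(reduce_stream(SAMPLE))   # (11, 7, 2, 2)
```

On the sample stream the local rule removes two edges and the epoch pass removes two more, so 11 raw events become 7 retained edges. The epoch pass also shows the bargain in the paper's title: collecting the unlinked `/tmp/dl.part` erases the trace of a downloaded payload that was staged and deleted before anything read it, which is exactly the kind of evidence an investigator may later want. Any rule loaded into a framework like this has to be checked for what it forgets, not only for how much it saves.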

Cited By

View all
  • R-CAID: Embedding Root Cause Analysis within Provenance-based Intrusion Detection. 2024 IEEE Symposium on Security and Privacy (SP), pp. 3515–3532. https://doi.org/10.1109/SP54263.2024.00253. Published 19 May 2024.
  • Enhancing Incident Management by an Improved Understanding of Data Exfiltration: Definition, Evaluation, Review. Digital Forensics and Cyber Crime, pp. 33–57. https://doi.org/10.1007/978-3-031-56580-9_3. Published 3 April 2024.
  • A Distributed Storage System for System Logs Based on Hybrid Compression Scheme. 2023 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom), pp. 724–735. https://doi.org/10.1109/ISPA-BDCloud-SocialCom-SustainCom59178.2023.00127. Published 21 December 2023.

    Published In

    cover image ACM Other conferences
    ACSAC '22: Proceedings of the 38th Annual Computer Security Applications Conference
    December 2022
    1021 pages
    ISBN:9781450397599
    DOI:10.1145/3564625
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Auditing
    2. Log Reduction

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    ACSAC

    Acceptance Rates

    Overall Acceptance Rate 104 of 497 submissions, 21%
