ProPatrol: Attack Investigation via Extracted High-Level Tasks

Abstract

Kernel audit logs are a valuable source of information in the forensic investigation of a cyber attack. However, the coarse granularity of dependency information available in audit logs (every object a long-running process has read becomes a potential ancestor of everything it later writes) leads to the construction of huge attack graphs that contain false or inaccurate dependencies. To overcome this problem, we propose a system, called ProPatrol, which compartmentalizes the application logs by extracting high-level tasks from application contexts. To do so, ProPatrol learns a model of an application's high-level tasks by analyzing the sequence of system calls it generates. The benefit of this approach is that it treats an application as a black box and does not rely on binary instrumentation or source code modification. Our experiments with enterprise-level attacks show that ProPatrol adds less than 2% runtime overhead, minimizes the manual investigation effort required for forensic analysis, and can quickly pinpoint the root cause of attacks.
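The following is an added illustration of the dependency problem the abstract describes and of how partitioning a process's trace into task units shrinks a backward-tracking result. It is not ProPatrol's code and does not reproduce the paper's task model: the audit trace and the benign training sequence are constructed for this example, and the "model" of a high-level task is a deliberate simplification (the smallest repeating block of system calls in the training trace, whose first call is taken as a unit boundary). The process id, paths and client addresses are placeholders.

```python
"""Coarse (per-process) versus task-level backward tracking over a
constructed audit trace. Added example, not ProPatrol's implementation."""

# Constructed audit records for one long-running server process.
# Each record: (event_id, syscall, object). The server handles three
# independent client requests; only the third one writes a suspicious file.
TRACE = [
    (1, "accept", "client:10.0.0.5"),
    (2, "read", "/var/www/index.html"),
    (3, "write", "client:10.0.0.5"),
    (4, "close", "client:10.0.0.5"),
    (5, "accept", "client:10.0.0.6"),
    (6, "read", "/etc/app.conf"),
    (7, "write", "client:10.0.0.6"),
    (8, "close", "client:10.0.0.6"),
    (9, "accept", "client:203.0.113.9"),
    (10, "read", "client:203.0.113.9"),
    (11, "write", "/tmp/.payload.sh"),
    (12, "close", "client:203.0.113.9"),
]

# Constructed syscall sequence from benign runs of the same application,
# used to learn what one high-level task looks like (assumption: every
# request produces the same fixed block of system calls).
TRAINING_SYSCALLS = ["accept", "read", "write", "close"] * 3


def learn_task_pattern(syscalls):
    """Return the smallest block of syscalls whose repetition makes up the
    training trace. This stands in for a learned task model; it is this
    example's simplification, not ProPatrol's method."""
    n = len(syscalls)
    for period in range(1, n + 1):
        if n % period == 0 and all(
            syscalls[i] == syscalls[i % period] for i in range(n)
        ):
            return tuple(syscalls[:period])
    return ()


def segment_units(trace, pattern):
    """Split a process trace into task units, starting a new unit at each
    occurrence of the pattern's first syscall."""
    if not pattern:
        return [list(trace)]
    units, current = [], []
    for record in trace:
        if record[1] == pattern[0] and current:
            units.append(current)
            current = []
        current.append(record)
    if current:
        units.append(current)
    return units


def backward_sources(events, sink):
    """Objects the process read before its write to `sink`, in order.
    With the whole process trace this is the coarse, per-process answer."""
    sources = []
    for _eid, syscall, obj in events:
        if syscall == "write" and obj == sink:
            break
        if syscall == "read":
            sources.append(obj)
    return sources


def unit_containing_write(units, sink):
    """The task unit in which `sink` was written, or None."""
    for unit in units:
        if any(sc == "write" and obj == sink for _eid, sc, obj in unit):
            return unit
    return None


def compare_tracking(trace, training_syscalls, sink):
    """Return (coarse_sources, task_level_sources) for a backward query
    starting at `sink`."""
    coarse = backward_sources(trace, sink)
    pattern = learn_task_pattern(training_syscalls)
    unit = unit_containing_write(segment_units(trace, pattern), sink)
    fine = backward_sources(unit, sink) if unit else []
    return coarse, fine


if __name__ == "__main__":
    coarse, fine = compare_tracking(TRACE, TRAINING_SYSCALLS, "/tmp/.payload.sh")
    print("per-process sources :", coarse)
    print("task-level sources  :", fine)
```

Run over the constructed trace, the per-process query blames every file the server ever read, while the task-level query narrows the origin of the dropped file to the one client connection in the same unit. On real traces the boundary detection is the hard part (request loops vary, threads interleave), which is exactly what a learned task model has to absorb; the fixed-block learner here is only enough to show why the partitioning matters.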

Publication
Proceedings of the 14th International Conference on Information Systems Security (ICISS)