Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking

Yang Ji, Sangho Lee, Mattia Fazzini, Joey Allen, Evan Downing, Taesoo Kim, Alessandro Orso, Wenke Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

6 Scopus citations


Investigating attacks across multiple hosts is challenging. The true dependencies between security-sensitive files, network endpoints, or memory objects from different hosts can be easily concealed by dependency explosion or undefined program behavior (e.g., memory corruption). Dynamic information flow tracking (DIFT) is a potential solution to this problem, but, existing DIFT techniques only track information flow within a single host and lack an efficient mechanism to maintain and synchronize the data flow tags globally across multiple hosts. In this paper, we propose RTAG, an efficient data flow tagging and tracking mechanism that enables practical cross-host attack investigations. RTAG is based on three novel techniques. First, by using a record-and-replay technique, it decouples the dependencies between different data flow tags from the analysis, enabling lazy synchronization between independent and parallel DIFT instances of different hosts. Second, it takes advantage of systemcall-level provenance information to calculate and allocate the optimal tag map in terms of memory consumption. Third, it embeds tag information into network packets to track cross-host data flows with less than 0.05% network bandwidth overhead. Evaluation results show that RTAG is able to recover the true data flows of realistic cross-host attack scenarios. Performance wise, RTAG reduces the memory consumption of DIFT-based analysis by up to 90% and decreases the overall analysis time by 60%-90% compared with previous investigation systems.

Original languageEnglish (US)
Title of host publicationProceedings of the 27th USENIX Security Symposium
PublisherUSENIX Association
Number of pages18
ISBN (Electronic)9781939133045
StatePublished - 2018
Externally publishedYes
Event27th USENIX Security Symposium - Baltimore, United States
Duration: Aug 15 2018Aug 17 2018

Publication series

NameProceedings of the 27th USENIX Security Symposium


Conference27th USENIX Security Symposium
Country/TerritoryUnited States

Bibliographical note

Funding Information:
We thank the anonymous reviewers for their helpful feedback. This research was supported in part by NSF, under awards CNS-0831300, CNS-1017265, CCF-1548856, CNS-1563848, CRI-1629851, CNS-1704701, and CNS-1749711, ONR, under grants N000140911042, N000141512162, N000141612710, and N000141712895, DARPA TC (No. DARPA FA8650-15-C-7556), NRF-2017R1A6A3A03002506, ETRI IITP/KEIT [2014-0-00035], and gifts from Facebook, Mozilla, and Intel.


Dive into the research topics of 'Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking'. Together they form a unique fingerprint.

Cite this