Rain: Refinable attack investigation with on-demand inter-process information flow tracking

Yang Ji; Sangho Lee; Evan Downing; Weiren Wang; Mattia Fazzini; Taesoo Kim; Alessandro Orso; Wenke Lee

doi:10.1145/3133956.3134045

Rain: Refinable attack investigation with on-demand inter-process information flow tracking

Yang Ji, Sangho Lee, Evan Downing, Weiren Wang, Mattia Fazzini, Taesoo Kim, Alessandro Orso, Wenke Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

82 Scopus citations

Abstract

As modern attacks become more stealthy and persistent, detecting or preventing them at their early stages becomes virtually impossible. Instead, an attack investigation or provenance system aims to continuously monitor and log interesting system events with minimal overhead. Later, if the system observes any anomalous behavior, it analyzes the log to identify who initiated the attack and which resources were affected by the attack and then assess and recover from any damage incurred. However, because of a fundamental tradeoff between log granularity and system performance, existing systems typically record system-call events without detailed program-level activities (e.g., memory operation) required for accurately reconstructing attack causality or demand that every monitored program be instrumented to provide program-level information. To address this issue, we propose Rain, a Refinable Attack INvestigation system based on a record-replay technology that records system-call events during runtime and performs instructionlevel dynamic information flow tracking (DIFT) during on-demand process replay. Instead of replaying every process with DIFT, Rain conducts system-call-level reachability analysis to filter out unrelated processes and to minimize the number of processes to be replayed, making inter-process DIFT feasible. Evaluation results show that Rain effectively prunes out unrelated processes and determines attack causality with negligible false positive rates. In addition, the runtime overhead of Rain is similar to existing systemcall level provenance systems and its analysis overhead is much smaller than full-system DIFT.

Original language	English (US)
Title of host publication	CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	377-390
Number of pages	14
ISBN (Electronic)	9781450349468
DOIs	https://doi.org/10.1145/3133956.3134045
State	Published - Oct 30 2017
Externally published	Yes
Event	24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017 - Dallas, United States Duration: Oct 30 2017 → Nov 3 2017

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)	1543-7221

Conference

Conference	24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017
Country/Territory	United States
City	Dallas
Period	10/30/17 → 11/3/17

Bibliographical note

Publisher Copyright:
© 2017 author(s).

Keywords

Attack Provenance
Forensic Analysis
Information Flow Analysis
Record And Replay

Access

10.1145/3133956.3134045

OpenUrl availability

Full text

Cite this

Ji, Y., Lee, S., Downing, E., Wang, W., Fazzini, M., Kim, T., Orso, A., & Lee, W. (2017). Rain: Refinable attack investigation with on-demand inter-process information flow tracking. In CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 377-390). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/3133956.3134045

Rain: Refinable attack investigation with on-demand inter-process information flow tracking. / Ji, Yang; Lee, Sangho; Downing, Evan et al.
CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2017. p. 377-390 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Ji, Y, Lee, S, Downing, E, Wang, W, Fazzini, M, Kim, T, Orso, A & Lee, W 2017, Rain: Refinable attack investigation with on-demand inter-process information flow tracking. in CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, Association for Computing Machinery, pp. 377-390, 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, United States, 10/30/17. https://doi.org/10.1145/3133956.3134045

Ji Y, Lee S, Downing E, Wang W, Fazzini M, Kim T et al. Rain: Refinable attack investigation with on-demand inter-process information flow tracking. In CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery. 2017. p. 377-390. (Proceedings of the ACM Conference on Computer and Communications Security). doi: 10.1145/3133956.3134045

Ji, Yang ; Lee, Sangho ; Downing, Evan et al. / Rain : Refinable attack investigation with on-demand inter-process information flow tracking. CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2017. pp. 377-390 (Proceedings of the ACM Conference on Computer and Communications Security).

@inproceedings{dc6c862677754aa49307f8cf687fca86,

title = "Rain: Refinable attack investigation with on-demand inter-process information flow tracking",

abstract = "As modern attacks become more stealthy and persistent, detecting or preventing them at their early stages becomes virtually impossible. Instead, an attack investigation or provenance system aims to continuously monitor and log interesting system events with minimal overhead. Later, if the system observes any anomalous behavior, it analyzes the log to identify who initiated the attack and which resources were affected by the attack and then assess and recover from any damage incurred. However, because of a fundamental tradeoff between log granularity and system performance, existing systems typically record system-call events without detailed program-level activities (e.g., memory operation) required for accurately reconstructing attack causality or demand that every monitored program be instrumented to provide program-level information. To address this issue, we propose Rain, a Refinable Attack INvestigation system based on a record-replay technology that records system-call events during runtime and performs instructionlevel dynamic information flow tracking (DIFT) during on-demand process replay. Instead of replaying every process with DIFT, Rain conducts system-call-level reachability analysis to filter out unrelated processes and to minimize the number of processes to be replayed, making inter-process DIFT feasible. Evaluation results show that Rain effectively prunes out unrelated processes and determines attack causality with negligible false positive rates. In addition, the runtime overhead of Rain is similar to existing systemcall level provenance systems and its analysis overhead is much smaller than full-system DIFT.",

keywords = "Attack Provenance, Forensic Analysis, Information Flow Analysis, Record And Replay",

author = "Yang Ji and Sangho Lee and Evan Downing and Weiren Wang and Mattia Fazzini and Taesoo Kim and Alessandro Orso and Wenke Lee",

note = "Publisher Copyright: {\textcopyright} 2017 author(s).; 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017 ; Conference date: 30-10-2017 Through 03-11-2017",

year = "2017",

month = oct,

day = "30",

doi = "10.1145/3133956.3134045",

language = "English (US)",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

pages = "377--390",

booktitle = "CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security",

}

TY - GEN

T1 - Rain

T2 - 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017

AU - Ji, Yang

AU - Lee, Sangho

AU - Downing, Evan

AU - Wang, Weiren

AU - Fazzini, Mattia

AU - Kim, Taesoo

AU - Orso, Alessandro

AU - Lee, Wenke

PY - 2017/10/30

Y1 - 2017/10/30

N2 - As modern attacks become more stealthy and persistent, detecting or preventing them at their early stages becomes virtually impossible. Instead, an attack investigation or provenance system aims to continuously monitor and log interesting system events with minimal overhead. Later, if the system observes any anomalous behavior, it analyzes the log to identify who initiated the attack and which resources were affected by the attack and then assess and recover from any damage incurred. However, because of a fundamental tradeoff between log granularity and system performance, existing systems typically record system-call events without detailed program-level activities (e.g., memory operation) required for accurately reconstructing attack causality or demand that every monitored program be instrumented to provide program-level information. To address this issue, we propose Rain, a Refinable Attack INvestigation system based on a record-replay technology that records system-call events during runtime and performs instructionlevel dynamic information flow tracking (DIFT) during on-demand process replay. Instead of replaying every process with DIFT, Rain conducts system-call-level reachability analysis to filter out unrelated processes and to minimize the number of processes to be replayed, making inter-process DIFT feasible. Evaluation results show that Rain effectively prunes out unrelated processes and determines attack causality with negligible false positive rates. In addition, the runtime overhead of Rain is similar to existing systemcall level provenance systems and its analysis overhead is much smaller than full-system DIFT.

AB - As modern attacks become more stealthy and persistent, detecting or preventing them at their early stages becomes virtually impossible. Instead, an attack investigation or provenance system aims to continuously monitor and log interesting system events with minimal overhead. Later, if the system observes any anomalous behavior, it analyzes the log to identify who initiated the attack and which resources were affected by the attack and then assess and recover from any damage incurred. However, because of a fundamental tradeoff between log granularity and system performance, existing systems typically record system-call events without detailed program-level activities (e.g., memory operation) required for accurately reconstructing attack causality or demand that every monitored program be instrumented to provide program-level information. To address this issue, we propose Rain, a Refinable Attack INvestigation system based on a record-replay technology that records system-call events during runtime and performs instructionlevel dynamic information flow tracking (DIFT) during on-demand process replay. Instead of replaying every process with DIFT, Rain conducts system-call-level reachability analysis to filter out unrelated processes and to minimize the number of processes to be replayed, making inter-process DIFT feasible. Evaluation results show that Rain effectively prunes out unrelated processes and determines attack causality with negligible false positive rates. In addition, the runtime overhead of Rain is similar to existing systemcall level provenance systems and its analysis overhead is much smaller than full-system DIFT.

KW - Attack Provenance

KW - Forensic Analysis

KW - Information Flow Analysis

KW - Record And Replay

UR - http://www.scopus.com/inward/record.url?scp=85041450339&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85041450339&partnerID=8YFLogxK

U2 - 10.1145/3133956.3134045

DO - 10.1145/3133956.3134045

M3 - Conference contribution

AN - SCOPUS:85041450339

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 377

EP - 390

BT - CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery

Y2 - 30 October 2017 through 3 November 2017

ER -

Rain: Refinable attack investigation with on-demand inter-process information flow tracking

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access

OpenUrl availability

Other files and links

Fingerprint

Cite this