Back-Propagating System Dependency Impact for Attack Investigation.
Pengcheng Fang, Peng Gao, Changlin Liu, Erman Ayday, Kangkook Jee, Ting Wang, Yanfang (Fanny) Ye, Zhuotao Liu, Xusheng Xiao
DOI: https://doi.org/10.5281/zenodo.5559214
2022-01-01
Abstract: Causality analysis on system auditing data has emerged as an important solution for attack investigation. Given a POI (Point-Of-Interest) event (e.g., an alert fired on a suspicious file creation), causality analysis constructs a dependency graph, in which nodes represent system entities (e.g., processes and files) and edges represent dependencies among entities, to reveal the attack sequence. However, causality analysis often produces a huge graph (> 100,000 edges) that is hard for security analysts to inspect. From the dependency graphs of various attacks, we observe that (1) dependencies that are highly related to the POI event often exhibit a different set of properties (e.g., data flow and time) from the less-relevant dependencies; (2) the POI event is often related to a few attack entries (e.g., downloading a file). Based on these insights, we propose DEPIMPACT, a framework that identifies the critical component of a dependency graph (i.e., a subgraph) by (1) assigning discriminative dependency weights to edges to distinguish critical edges that represent the attack sequence from less-important dependencies, (2) propagating dependency impacts backward from the POI event to entry points, and (3) performing forward causality analysis from the top-ranked entry nodes based on their dependency impacts to filter out edges that are not found in the forward causality analysis. Our evaluations on 150 million real system auditing events from real attacks and the DARPA TC dataset show that DEPIMPACT can significantly reduce the large dependency graphs (~1,000,000 edges) to a small graph (~234 edges), which is 4611x smaller. The comparison with the other state-of-the-art causality analysis techniques shows that DEPIMPACT is 106x more effective in reducing the dependency graphs while preserving the attack sequences.
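The three stages the abstract describes (weighted backward dependency graph, back-propagation of impact from the POI to entry nodes, forward causality analysis from the top-ranked entries), as an added illustration that is not the paper's or the DEPIMPACT project's code. The toy audit graph `EDGES`, its weights, the normalised propagation rule in `propagate_impact`, and all function names are assumptions made for this example, not the paper's weighting formula.

```python
from collections import defaultdict
EDGES = [  # constructed (src, dst, weight); weight is an assumed relevance score in (0, 1]
    ("curl", "/tmp/payload.sh", 0.9),    # attack entry: download
    ("/tmp/payload.sh", "bash", 0.8),    # payload executed
    ("bash", "/home/u/exfil.tar", 0.9),  # POI: suspicious file creation
    ("bash", "/tmp/scratch.log", 0.1),   # unrelated output of bash
    ("sshd", "bash", 0.05),              # benign, older dependency
    ("cron", "/var/log/app.log", 0.3),   # benign two-edge chain
    ("/var/log/app.log", "bash", 0.02),
]
POI = "/home/u/exfil.tar"

def reachable_edges(edges, start, backward):
    """Edges on paths into `start` (backward=True) or out of it (forward)."""
    adj = defaultdict(list)
    for u, v, w in edges:
        adj[v if backward else u].append((u, v, w))
    seen, stack, kept = {start}, [start], []
    while stack:
        for u, v, w in adj[stack.pop()]:
            kept.append((u, v, w))
            nxt = u if backward else v
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return kept

def propagate_impact(sub, poi):
    """Assumed rule: impact(POI)=1; each edge passes its head's impact times its share of the head's in-weight."""
    succ, in_w = defaultdict(list), defaultdict(float)
    for u, v, w in sub:
        succ[u].append((v, w))
        in_w[v] += w
    memo = {poi: 1.0}
    def imp(n):  # terminates: time-ordered audit edges form a DAG
        if n not in memo:
            memo[n] = sum(imp(v) * w / in_w[v] for v, w in succ[n])
        return memo[n]
    return {n: imp(n) for e in sub for n in e[:2]}

def reduce_graph(edges, poi, top_k=1):
    """Return (entry nodes ranked by impact, critical edges kept)."""
    sub = reachable_edges(edges, poi, backward=True)   # classic backward dependency graph
    impact = propagate_impact(sub, poi)                 # stage 2: back-propagate impact
    has_in = {v for _, v, _ in sub}
    entries = sorted((n for n in impact if n not in has_in), key=impact.get, reverse=True)
    fwd = set()                                         # stage 3: forward analysis from top entries
    for entry in entries[:top_k]:
        fwd.update(reachable_edges(edges, entry, backward=False))
    return entries, [e for e in sub if e in fwd]
```

On this toy graph the backward dependency graph has six edges, and keeping only those also reached forward from the top-ranked entry `curl` leaves the three-edge attack sequence.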