Yuntao Wang,Han Liu,Zhendong Li,Zhou Su,Jiliang Li

DOI: https://doi.org/10.1109/MNET.2024.3389734

2024-04-12

Abstract:The rise of advanced persistent threats (APTs) has marked a significant cybersecurity challenge, characterized by sophisticated orchestration, stealthy execution, extended persistence, and targeting valuable assets across diverse sectors. Provenance graph-based kernel-level auditing has emerged as a promising approach to enhance visibility and traceability within intricate network environments. However, it still faces challenges including reconstructing complex lateral attack chains, detecting dynamic evasion behaviors, and defending smart adversarial subgraphs. To bridge the research gap, this paper proposes an efficient and robust APT defense scheme leveraging provenance graphs, including a network-level distributed audit model for cost-effective lateral attack reconstruction, a trust-oriented APT evasion behavior detection strategy, and a hidden Markov model based adversarial subgraph defense approach. Through prototype implementation and extensive experiments, we validate the effectiveness of our system. Lastly, crucial open research directions are outlined in this emerging field.

Cryptography and Security

Zhenyuan Li,Qi Alfred Chen,Runqing Yang,Yan Chen,Wei Ruan

DOI: https://doi.org/10.1016/j.cose.2021.102282

2021-07-01

Abstract:<p>With the development of information technology, the border of the cyberspace gets much broader and thus also exposes increasingly more vulnerabilities to attackers. Traditional mitigation-based defence strategies are challenging to cope with the current complicated situation. Security practitioners urgently need better tools to describe and modelling attacks for defense.</p><p>The provenance graph seems like an ideal method for threat modelling with powerful semantic expression ability and attacks historic correlation ability. In this paper, we firstly introduce the basic concepts about system-level provenance graph and present a typical system architecture for provenance graph-based threat detection and investigation. A comprehensive provenance graph-based threat detection system can be divided into three modules: <em>data collection module, data management module</em>, and <em>threat detection modules</em>. Each module contains several components and involves different research problems. We systematically taxonomize and compare the existing algorithms and designs involved in them. Based on these comparisons, we identify the strategy of technology selection for real-world deployment. We also provide insights and challenges about the existing work to guide future research in this area.</p>

computer science, information systems

Xueyuan Han,Thomas Pasquier,Margo Seltzer

DOI: https://doi.org/10.48550/arXiv.1806.00934

2018-06-04

Cryptography and Security

Abstract:Intrusion detection is an arms race; attackers evade intrusion detection systems by developing new attack vectors to sidestep known defense mechanisms. Provenance provides a detailed, structured history of the interactions of digital objects within a system. It is ideal for intrusion detection, because it offers a holistic, attack-vector-agnostic view of system execution. As such, provenance graph analysis fundamentally strengthens detection robustness. We discuss the opportunities and challenges associated with provenance-based intrusion detection and provide insights based on our experience building such systems.

Su Wang,Zhiliang Wang,Tao Zhou,Xia Yin,Dongqi Han,Han Zhang,Hongbin Sun,Xingang Shi,Jiahai Yang

DOI: https://doi.org/10.48550/arXiv.2111.04333

2021-11-08

Abstract:Host-based threats such as Program Attack, Malware Implantation, and Advanced Persistent Threats (APT), are commonly adopted by modern attackers. Recent studies propose leveraging the rich contextual information in data provenance to detect threats in a host. Data provenance is a directed acyclic graph constructed from system audit data. Nodes in a provenance graph represent system entities (e.g., $processes$ and $files$) and edges represent system calls in the direction of information flow. However, previous studies, which extract features of the whole provenance graph, are not sensitive to the small number of threat-related entities and thus result in low performance when hunting stealthy threats. We present threaTrace, an anomaly-based detector that detects host-based threats at system entity level without prior knowledge of attack patterns. We tailor GraphSAGE, an inductive graph neural network, to learn every benign entity's role in a provenance graph. threaTrace is a real-time system, which is scalable of monitoring a long-term running host and capable of detecting host-based intrusion in their early phase. We evaluate threaTrace on three public datasets. The results show that threaTrace outperforms three state-of-the-art host intrusion detection systems.

Cryptography and Security,Machine Learning

Zhenyuan Li,Yehua Dennis Wei,X. Y. Shen,Lingzhi Wang,Yan Chen,Haitao Xu,Shouling Ji,Fan Zhang

DOI: https://doi.org/10.48550/arxiv.2403.12541

2024-01-01

Abstract:The evolution and advancement of cyberattacks pose challenges to existing security products. Recent concentrated research on provenance graph-based detection has proved its effectiveness in attack detection and investigation. However, implementing these approaches in practice encounters challenges such as high overhead, slow responsiveness, and low interpretability and extensibility. Towards practical attack detection and investigation with provenance graphs, we propose TAGS, a tag-propagation-based streaming provenance graph alignment system. Utilizing the tag-based intermediate result caching mechanism alongside carefully crafted propagation rules, we eliminate the need to store and duplicate raw data processing. This approach effectively mitigates in-memory storage requirements and minimizes data processing overhead, facilitating rapid on-stream graph alignment while significantly conserving CPU and memory resources. As a result, TAGS can detect and investigate various cyber-attacks in real-time. Moreover, TAGS allows analysts to customize attack query graphs flexibly to identify extended attacks in data streams. We conduct experimental evaluations on two large-scale public datasets containing 257.42 GB of audit logs with 12 relevant query graphs of varying sizes, covering multiple attack techniques and scenarios. The results demonstrate that TAGS is sufficiently efficient to process 176K events per second while sufficiently accurately identifying all 29 alignments in massive data. Moreover, it can effectively handle the dependency explosion problem with steady, low-level memory consumption (less than 300MB), producing only 3 false positives. Overall, the performance of TAGS significantly outperforms the state-of-the-art methods.

Shaofei Li,Feng Dong,Xusheng Xiao,Haoyu Wang,Fei Shao,Jiedong Chen,Yao Guo,Xiangqun Chen,Ding Li

DOI: https://doi.org/10.14722/ndss.2024.23204

2023-11-04

Abstract:Advanced Persistent Threats (APT) attacks have plagued modern enterprises, causing significant financial losses. To counter these attacks, researchers propose techniques that capture the complex and stealthy scenarios of APT attacks by using provenance graphs to model system entities and their dependencies. Particularly, to accelerate attack detection and reduce financial losses, online provenance-based detection systems that detect and investigate APT attacks under the constraints of timeliness and limited resources are in dire need. Unfortunately, existing online systems usually sacrifice detection granularity to reduce computational complexity and produce provenance graphs with more than 100,000 nodes, posing challenges for security admins to interpret the detection results. In this paper, we design and implement NodLink, the first online detection system that maintains high detection accuracy without sacrificing detection granularity. Our insight is that the APT attack detection process in online provenance-based detection systems can be modeled as a Steiner Tree Problem (STP), which has efficient online approximation algorithms that recover concise attack-related provenance graphs with a theoretically bounded error. To utilize STP approximation algorithm frameworks for APT attack detection, we propose a novel design of in-memory cache, an efficient attack screening method, and a new STP approximation algorithm that is more efficient than the conventional one in APT attack detection while maintaining the same complexity. We evaluate NodLink in a production environment. The open-world experiment shows that NodLink outperforms two state-of-the-art (SOTA) online provenance analysis systems by achieving magnitudes higher detection and investigation accuracy while having the same or higher throughput.

Cryptography and Security

Zhenyuan Li,Yangyang Wei,Xiangmin Shen,Lingzhi Wang,Yan Chen,Haitao Xu,Shouling Ji,Fan Zhang,Liang Hou,Wenmao Liu,Xuhong Zhang,Jianwei Ying

2024-07-10

Abstract:Recent research in both academia and industry has validated the effectiveness of provenance graph-based detection for advanced cyber attack detection and investigation. However, analyzing large-scale provenance graphs often results in substantial overhead. To improve performance, existing detection systems implement various optimization strategies. Yet, as several recent studies suggest, these strategies could lose necessary context information and be vulnerable to evasions. Designing a detection system that is efficient and robust against adversarial attacks is an open problem. We introduce Marlin, which approaches cyber attack detection through real-time provenance graph <a class="link-external link-http" href="http://alignment.By" rel="external noopener nofollow">this http URL</a> leveraging query graphs embedded with attack knowledge, Marlin can efficiently identify entities and events within provenance graphs, embedding targeted analysis and significantly narrowing the search space. Moreover, we incorporate our graph alignment algorithm into a tag propagation-based schema to eliminate the need for storing and reprocessing raw logs. This design significantly reduces in-memory storage requirements and minimizes data processing overhead. As a result, it enables real-time graph alignment while preserving essential context information, thereby enhancing the robustness of cyber attack detection. Moreover, Marlin allows analysts to customize attack query graphs flexibly to detect extended attacks and provide interpretable detection results. We conduct experimental evaluations on two large-scale public datasets containing 257.42 GB of logs and 12 query graphs of varying sizes, covering multiple attack techniques and scenarios. The results show that Marlin can process 137K events per second while accurately identifying 120 subgraphs with 31 confirmed attacks, along with only 1 false positive, demonstrating its efficiency and accuracy in handling massive data.

Cryptography and Security

BinHui Tang,JunFeng Wang,Zhongkun Yu,Bohan Chen,Wenhan Ge,Jian Yu,TingTing Lu

DOI: https://doi.org/10.1016/j.compeleceng.2022.108261

2022-10-01

Abstract:With the boom in Internet and information technology, cyber-attacks are becoming more frequent and sophisticated, especially Advanced Persistent Threat (APT) attacks. Unlike traditional attacks, APT attacks are more targeted, stealthy, and adversarial, rendering it challenging to manually analyze threat behaviors for APT detection, attribution, and response. Therefore, the research community has focused on intelligent defense methods. Intelligent threat profiling is dedicated to analyzing APT attacks and improving defense capability with Knowledge Graph and Deep Learning methods. With this insight, this paper provides the first systematic review of intelligent threat profiling techniques for APT attacks, covering three aspects: data, methods, and applications. The contents include data processing techniques, threat modeling, representation, reasoning methods, etc. Furthermore, this paper summarizes the latest research in applications, proposes the research framework and technical architecture, and provides insights into future research trends. This paper contributes to recognizing the advantages and challenges of intelligent threat profiling. It paves the way for integrating knowledge graphs and deep learning to achieve intelligent security.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Ruozhou LIANG,Yue GAO,Xibin ZHAO

DOI: https://doi.org/10.1360/ssi-2021-0252

2021-01-01

Scientia Sinica Informationis

Abstract:Advanced persistent threat (APT) in real scenes, especially in industrial scenes, is complex and long term, but the current methods cannot effectively extract the long term relationship in the attack. An attack detection method with provenance graphs, called SeqNet, is proposed. SeqNet uses sequence feature extraction to detect APT attacks. In SeqNet, the provenance graph sequence describing the running state of the system is transformed into the feature sequence first, and then the gate recurrent unit (GRU) model is used to extract the feature of the system. The encoder-decoder model with the local attention mechanism is used to train the GRU model. Finally, the K-means clustering method is used to model the normal behavior of the system. In this study, experiments are carried out on five public datasets, such as StreamSpot, wget, shellshock, ClearScope, and CADETS, compared with the state-of-the-art methods. The method used here achieves similar or improved results on all five datasets. Experimental results show that the proposed method can detect real-life APT scenarios.

Nan Wang,Xuezhi Wen,Dalin Zhang,Xibin Zhao,Jiahui Ma,Mengxia Luo,Sen Nie,Shi Wu,Jiqiang Liu

2023-04-06

Abstract:APT detection is difficult to detect due to the long-term latency, covert and slow multistage attack patterns of Advanced Persistent Threat (APT). To tackle these issues, we propose TBDetector, a transformer-based advanced persistent threat detection method for APT attack detection. Considering that provenance graphs provide rich historical information and have the powerful attacks historic correlation ability to identify anomalous activities, TBDetector employs provenance analysis for APT detection, which summarizes long-running system execution with space efficiency and utilizes transformer with self-attention based encoder-decoder to extract long-term contextual features of system states to detect slow-acting attacks. Furthermore, we further introduce anomaly scores to investigate the anomaly of different system states, where each state is calculated with an anomaly score corresponding to its similarity score and isolation score. To evaluate the effectiveness of the proposed method, we have conducted experiments on five public datasets, i.e., streamspot, cadets, shellshock, clearscope, and wget_baseline. Experimental results and comparisons with state-of-the-art methods have exhibited better performance of our proposed method.

Cryptography and Security,Artificial Intelligence,Machine Learning

Feng Dong,Liu Wang,Xu Nie,Fei Shao,Haoyu Wang,Ding Li,Xiapu Luo,Xusheng Xiao

2023-01-01

Abstract:Building provenance graph that considers causal relationships among software behaviors can better provide contextual information of cyber attacks, especially for advanced attacks such as Advanced Persistent Threat (APT) attacks. Despite its promises in assisting attack investigation, existing approaches that use provenance graphs to perform attack detection suffer from two fundamental limitations. First, existing approaches adopt a centralized detection architecture that sends all system auditing logs to the server for processing, incurring intolerable costs of data transmission, data storage, and computation. Second, they adopt either rule-based techniques that cannot detect unknown threats, or anomaly-detection techniques that produce numerous false alarms, failing to achieve a balance of precision and recall in APT detection. To address these fundamental challenges, we propose DISTDET, a distributed detection system that detects APT attacks by (1) performing light weight detection based on the host model built in the client side, (2) filtering false alarms based on the semantics of the alarm proprieties, and (3) deriving global models to complement the local bias of the host models. Our experiments on a large-scale industrial environment (1,130 hosts, 14 days, similar to 1.6 billion events) and the DARPA TC dataset show that DISTDET is as effective as sate-of-the-art techniques in detecting attacks, while dramatically reducing network bandwidth from 11.28Mb/s to 17.08Kb/S (676.5x reduction), memory usages from 364MB to 5.523MB (66x reduction), and storage from 1.47GB to 130.34MB (11.6x reduction). By the time of this writing, DISTDET has been deployed to 50+ industry customers with 22,000+ hosts for more than 6 months, and identified over 900 real-world attacks.

Bibek Bhattarai,H. Howie Huang

2023-10-02

Abstract:Modern cyber attackers use advanced zero-day exploits, highly targeted spear phishing, and other social engineering techniques to gain access and also use evasion techniques to maintain a prolonged presence within the victim network while working gradually towards the objective. To minimize the damage, it is necessary to detect these Advanced Persistent Threats as early in the campaign as possible. This paper proposes, Prov2Vec, a system for the continuous monitoring of enterprise host's behavior to detect attackers' activities. It leverages the data provenance graph built using system event logs to get complete visibility into the execution state of an enterprise host and the causal relationship between system entities. It proposes a novel provenance graph kernel to obtain the canonical representation of the system behavior, which is compared against its historical behaviors and that of other hosts to detect the deviation from the normality. These representations are used in several machine learning models to evaluate their ability to capture the underlying behavior of an endpoint host. We have empirically demonstrated that the provenance graph kernel produces a much more compact representation compared to existing methods while improving prediction ability.

Cryptography and Security,Information Theory

Men Shiming,Wang Jian,Ye Mai

DOI: https://doi.org/10.1051/itmconf/20246000016

2024-01-01

ITM Web of Conferences

Abstract:The Provenance Graph, constructed based on audit logs, encapsulates a wealth of causal relationships. When existing threat detection software issues an Event of Alert (EOA), security analysts conduct threat alert investigations based on the provenance graph. However, a provenance graph comprising tens of thousands of nodes and edges can lead to substantial time overhead. Moreover, coarse-grained audit logs can cause a dependency explosion in the provenance graph, thereby generating false causal relationships and interfering with the accuracy of the results. Hardware-assisted Processor Tracing (PT) can address the problem of false causal relationships caused by dependency explosion, by extracting the execution trace of a process and restoring instruction-level data flow. Leveraging PT features, we propose an efficient scheme, termed as GETSUS, which can reduce the size of the provenance graph while fully preserving the event sequences leading to the EOA. Empirical evidence shows that GETSUS can shrink a large provenance graph (approximately 200,000 edges) to a small one (around 50 edges). Compared to other schemes, the partial provenance graph output by GETSUS can fully retain the semantics related to the EOA, while improving the reduction efficiency by about tenfold.

Xiaoxiao Liu,Fan Xu,Nan Wang,Qinxin Zhao,Dalin Zhang,Xibin Zhao,Jiqiang Liu

2024-04-04

Abstract:Advanced Persistent Threat (APT) is challenging to detect due to prolonged duration, infrequent occurrence, and adept concealment techniques. Existing approaches primarily concentrate on the observable traits of attack behaviors, neglecting the intricate relationships formed throughout the persistent attack lifecycle. Thus, we present an innovative APT detection framework named LTRDetector, implementing an end-to-end holistic operation. LTRDetector employs an innovative graph embedding technique to retain comprehensive contextual information, then derives long-term features from these embedded provenance graphs. During the process, we compress the data of the system provenance graph for effective feature learning. Furthermore, in order to detect attacks conducted by using zero-day exploits, we captured the system's regular behavior and detects abnormal activities without relying on predefined attack signatures. We also conducted extensive evaluations using five prominent datasets, the efficacy evaluation of which underscores the superiority of LTRDetector compared to existing state-of-the-art techniques.

Cryptography and Security

Qi Wang,Wajih Ul Hassan,Ding Li,Kangkook Jee,Xiao Yu,Kexuan Zou,Junghwan Rhee,Zhengzhang Chen,Wei Cheng,Carl A. Gunter,Haifeng Chen

DOI: https://doi.org/10.14722/ndss.2020.24167

2020-01-01

Abstract:To subvert recent advances in perimeter and host security, the attacker community has developed and employed various attack vectors to make a malware much stealthier than before to penetrate the target system and prolong its presence. Such advanced malware or "stealthy malware" makes use of various techniques to impersonate or abuse benign applications and legitimate system tools to minimize its footprints in the target system. It is thus difficult for traditional detection tools, such as malware scanners, to detect it, as the malware normally does not expose its malicious payload in a file and hides its malicious behaviors among the benign behaviors of the processes. In this paper, we present PROVDETECTOR, a provenancebased approach for detecting stealthy malware. Our insight behind the PROVDETECTOR approach is that although a stealthy malware attempts to blend into benign processes, its malicious behaviors inevitably interact with the underlying operating system (OS), which will be exposed to and captured by provenance monitoring. Based on this intuition, PROVDETECTOR first employs a novel selection algorithm to identify possibly malicious parts in the OS-level provenance data of a process. It then applies a neural embedding and machine learning pipeline to automatically detect any behavior that deviates significantly from normal behaviors. We evaluate our approach on a large provenance dataset from an enterprise network and demonstrate that it achieves very high detection performance of stealthy malware (an average Fl score of 0.974). Further, we conduct thorough interpretability studies to understand the internals of the learned machine learning models.

Jie Ying,Tiantian Zhu,Wenrui Cheng,Qixuan Yuan,Mingjun Ma,Chunlin Xiong,Tieming Chen,Mingqi Lv,Yan Chen

2024-05-04

Abstract:As the complexity and destructiveness of Advanced Persistent Threat (APT) increase, there is a growing tendency to identify a series of actions undertaken to achieve the attacker's target, called attack investigation. Currently, analysts construct the provenance graph to perform causality analysis on Point-Of-Interest (POI) event for capturing critical events (related to the attack). However, due to the vast size of the provenance graph and the rarity of critical events, existing attack investigation methods suffer from problems of high false positives, high overhead, and high latency. To this end, we propose SPARSE, an efficient and real-time system for constructing critical component graphs (i.e., consisting of critical events) from streaming logs. Our key observation is 1) Critical events exist in a suspicious semantic graph (SSG) composed of interaction flows between suspicious entities, and 2) Information flows that accomplish attacker's goal exist in the form of paths. Therefore, SPARSE uses a two-stage framework to implement attack investigation (i.e., constructing the SSG and performing path-level contextual analysis). First, SPARSE operates in a state-based mode where events are consumed as streams, allowing easy access to the SSG related to the POI event through semantic transfer rule and storage strategy. Then, SPARSE identifies all suspicious flow paths (SFPs) related to the POI event from the SSG, quantifies the influence of each path to filter irrelevant events. Our evaluation on a real large-scale attack dataset shows that SPARSE can generate a critical component graph (~ 113 edges) in 1.6 seconds, which is 2014 X smaller than the backtracking graph (~ 227,589 edges). SPARSE is 25 X more effective than other state-of-the-art techniques in filtering irrelevant edges.

Cryptography and Security

Mingqi Lv,HongZhe Gao,Xuebo Qiu,Tieming Chen,Tiantian Zhu,Jinyin Chen,Shouling Ji

DOI: https://doi.org/10.1145/3658644.3690221

2024-09-11

Abstract:APT (Advanced Persistent Threat) with the characteristics of persistence, stealth, and diversity is one of the greatest threats against cyber-infrastructure. As a countermeasure, existing studies leverage provenance graphs to capture the complex relations between system entities in a host for effective APT detection. In addition to detecting single attack events as most existing work does, understanding the tactics / techniques (e.g., Kill-Chain, ATT&CK) applied to organize and accomplish the APT attack campaign is more important for security operations. Existing studies try to manually design a set of rules to map low-level system events to high-level APT tactics / techniques. However, the rule based methods are coarse-grained and lack generalization ability, thus they can only recognize APT tactics and cannot identify fine-grained APT techniques and mutant APT attacks. In this paper, we propose TREC, the first attempt to recognize APT tactics / techniques from provenance graphs by exploiting deep learning techniques. To address the "needle in a haystack" problem, TREC segments small and compact subgraphs covering individual APT technique instances from a large provenance graph based on a malicious node detection model and a subgraph sampling algorithm. To address the "training sample scarcity" problem, TREC trains the APT tactic / technique recognition model in a few-shot learning manner by adopting a Siamese neural network. We evaluate TREC based on a customized dataset collected and made public by our team. The experiment results show that TREC significantly outperforms state-of-the-art systems in APT tactic recognition and TREC can also effectively identify APT techniques.

Cryptography and Security,Machine Learning

Wei Qiao,Yebo Feng,Teng Li,Zijian Zhang,Zhengzi Xu,Zhuo Ma,Yulong Shen,JianFeng Ma,Yang Liu

2024-10-23

Abstract:Advanced Persistent Threats (APTs) represent sophisticated cyberattacks characterized by their ability to remain undetected within the victim system for extended periods, aiming to exfiltrate sensitive data or disrupt operations. Existing detection approaches often struggle to effectively identify these complex threats, construct the attack chain for defense facilitation, or resist adversarial attacks. To overcome these challenges, we propose Slot, an advanced APT detection approach based on provenance graphs and graph reinforcement learning. Slot excels in uncovering multi-level hidden relationships, such as causal, contextual, and indirect connections, among system behaviors through provenance graph mining. By pioneering the integration of graph reinforcement learning, Slot dynamically adapts to new user activities and evolving attack strategies, enhancing its resilience against adversarial attacks. Additionally, Slot automatically constructs the attack chain according to detected attacks with clustering algorithms, providing precise identification of attack paths and facilitating the development of defense strategies. Evaluations with real-world datasets demonstrate Slot's outstanding accuracy, efficiency, adaptability, and robustness in APT detection, with most metrics surpassing state-of-the-art methods. Additionally, case studies conducted to assess Slot's effectiveness in supporting APT defense further establish it as a practical and reliable tool for cybersecurity protection.

Cryptography and Security

Xinyu Yang,Haoyuan Liu,Ziyu Wang,Peng Gao

DOI: https://doi.org/10.48550/arXiv.2211.05403

2022-11-10

Cryptography and Security

Abstract:System auditing has emerged as a key approach for monitoring system call events and investigating sophisticated attacks. Based on the collected audit logs, research has proposed to search for attack patterns or track the causal dependencies of system events to reveal the attack sequence. However, existing approaches either cannot reveal long-range attack sequences or suffer from the dependency explosion problem due to a lack of focus on attack-relevant parts, and thus are insufficient for investigating complex attacks. To bridge the gap, we propose Zebra, a system that synergistically integrates attack pattern search and causal dependency tracking for efficient attack investigation. With Zebra, security analysts can alternate between search and tracking to reveal the entire attack sequence in a progressive, user-guided manner, while mitigating the dependency explosion problem by prioritizing the attack-relevant parts. To enable this, Zebra provides (1) an expressive and concise domain-specific language, Tstl, for performing various types of search and tracking analyses, and (2) an optimized language execution engine for efficient execution over a big amount of auditing data. Evaluations on a broad set of attack cases demonstrate the effectiveness of Zebra in facilitating a timely attack investigation.

Adam Bates,Kevin Butler,Alin Dobra,Brad Reaves,Patrick Cable,Thomas Moyer,Nabil Schear

DOI: https://doi.org/10.48550/arXiv.1609.00266

2016-09-01

Abstract:Data provenance is a valuable tool for detecting and preventing cyber attack, providing insight into the nature of suspicious events. For example, an administrator can use provenance to identify the perpetrator of a data leak, track an attacker's actions following an intrusion, or even control the flow of outbound data within an organization. Unfortunately, providing relevant data provenance for complex, heterogenous software deployments is challenging, requiring both the tedious instrumentation of many application components as well as a unified architecture for aggregating information between components. In this work, we present a composition of techniques for bringing affordable and holistic provenance capabilities to complex application workflows, with particular consideration for the exemplar domain of web services. We present DAP, a transparent architecture for capturing detailed data provenance for web service components. Our approach leverages a key insight that minimal knowledge of open protocols can be leveraged to extract precise and efficient provenance information by interposing on application components' communications, granting DAP compatibility with existing web services without requiring instrumentation or developer cooperation. We show how our system can be used in real time to monitor system intrusions or detect data exfiltration attacks while imposing less than 5.1 ms end-to-end overhead on web requests. Through the introduction of a garbage collection optimization, DAP is able to monitor system activity without suffering from excessive storage overhead. DAP thus serves not only as a provenance-aware web framework, but as a case study in the non-invasive deployment of provenance capabilities for complex applications workflows.

Cryptography and Security