Sadegh M. Milajerdi,Birhanu Eshete,Rigel Gjomemo,V.N. Venkatakrishnan

DOI: https://doi.org/10.48550/arXiv.1810.05711

2018-10-13

Abstract:Kernel audit logs are an invaluable source of information in the forensic investigation of a cyber-attack. However, the coarse granularity of dependency information in audit logs leads to the construction of huge attack graphs which contain false or inaccurate dependencies. To overcome this problem, we propose a system, called ProPatrol, which leverages the open compartmentalized design in families of enterprise applications used in security-sensitive contexts (e.g., browser, chat client, email client). To achieve its goal, ProPatrol infers a model for an application's high-level tasks as input-processing compartments using purely the audit log events generated by that application. The main benefit of this approach is that it does not rely on source code or binary instrumentation, but only on a preliminary and general knowledge of an application's architecture to bootstrap the analysis. Our experiments with enterprise-level attacks demonstrate that ProPatrol significantly cuts down the forensic investigation effort and quickly pinpoints the root- cause of attacks. ProPatrol incurs less than 2% runtime overhead on a commodity operating system.

Cryptography and Security

Han Yu,Aiping Li,Rong Jiang

DOI: https://doi.org/10.1109/icct46805.2019.8947201

2019-01-01

Abstract:In this paper, we present a system NeedleHunter to detect Advanced and Persistent Threats (APTs) and reconstruction of attack scenarios. Due to the information asymmetry between attackers and defenders, detecting APT attacks remains to be a challenge. Instead of targeting individual exploits, correlating the various stages of the attack is a substantially more feasible strategy. In our approach, we first construct a version-based provenance graph by analyzing system audit logs. Then, we use the rule-based technique to detection a particular stage of the attack, and connect these attacks to generate an attack path by leveraging the correlation between information flows. Also, we implement the compaction technique to compress the scale of the graph for scalable forensic analysis. An evaluation of our approach indicates that NeedleHunter can capture the key stages of APT campaigns with high precision and reconstruct the details of the attacks.

Jie Ying,Tiantian Zhu,Wenrui Cheng,Qixuan Yuan,Mingjun Ma,Chunlin Xiong,Tieming Chen,Mingqi Lv,Yan Chen

2024-05-04

Abstract:As the complexity and destructiveness of Advanced Persistent Threat (APT) increase, there is a growing tendency to identify a series of actions undertaken to achieve the attacker's target, called attack investigation. Currently, analysts construct the provenance graph to perform causality analysis on Point-Of-Interest (POI) event for capturing critical events (related to the attack). However, due to the vast size of the provenance graph and the rarity of critical events, existing attack investigation methods suffer from problems of high false positives, high overhead, and high latency. To this end, we propose SPARSE, an efficient and real-time system for constructing critical component graphs (i.e., consisting of critical events) from streaming logs. Our key observation is 1) Critical events exist in a suspicious semantic graph (SSG) composed of interaction flows between suspicious entities, and 2) Information flows that accomplish attacker's goal exist in the form of paths. Therefore, SPARSE uses a two-stage framework to implement attack investigation (i.e., constructing the SSG and performing path-level contextual analysis). First, SPARSE operates in a state-based mode where events are consumed as streams, allowing easy access to the SSG related to the POI event through semantic transfer rule and storage strategy. Then, SPARSE identifies all suspicious flow paths (SFPs) related to the POI event from the SSG, quantifies the influence of each path to filter irrelevant events. Our evaluation on a real large-scale attack dataset shows that SPARSE can generate a critical component graph (~ 113 edges) in 1.6 seconds, which is 2014 X smaller than the backtracking graph (~ 227,589 edges). SPARSE is 25 X more effective than other state-of-the-art techniques in filtering irrelevant edges.

Cryptography and Security

Abdulellah Alsaheel,Yuhong Nan,Shiqing Ma,Le Yu,Gregory Walkup,Z. Berkay Celik,Xiangyu Zhang,Dongyan Xu

2021-01-01

Abstract:Advanced Persistent Threats (APT) involve multiple attack steps over a long period, and their investigation requires analysis of myriad logs to identify their attack steps, which are a set of activities undertaken to run an APT attack. However, on a daily basis in an enterprise, intrusion detection systems generate many threat alerts of suspicious events (attack symptoms). Cyber analysts must investigate such events to determine whether an event is a part of an attack. With many alerts to investigate, cyber analysts often end up with alert fatigue, causing them to ignore a large number of alerts and miss true attack events. In this paper, we present ATLAS, a framework that constructs an end-to-end attack story from off-the-shelf audit logs. Our key observation is that different attacks may share similar abstract attack strategies, regardless of the vulnerabilities exploited and payloads executed. ATLAS leverages a novel combination of causality analysis, natural language processing, and machine learning techniques to build a sequence-based model, which establishes key patterns of attack and non-attack behaviors from a causal graph. At inference time, given a threat alert event, an attack symptom node in a causal graph is identified. ATLAS then constructs a set of candidate sequences associated with the symptom node, uses the sequence-based model to identify nodes in a sequence that contribute to the attack, and unifies the identified attack nodes to construct an attack story. We evaluated ATLAS with ten real-world APT attacks executed in a realistic virtual environment. ATLAS recovers attack steps and construct attack stories with an average of 91.06% precision, 97.29% recall, and 93.76% F1-score. Through this effort, we provide security investigators with a new means of identifying the attack events that make up the attack story.

Peng Gao,Xusheng Xiao,Zhichun Li,Kangkook Jee,Fengyuan Xu,Sanjeev R. Kulkarni,Prateek Mittal

DOI: https://doi.org/10.48550/arXiv.1810.03464

2019-03-19

Abstract:The need for countering Advanced Persistent Threat (APT) attacks has led to the solutions that ubiquitously monitor system activities in each enterprise host, and perform timely attack investigation over the monitoring data for uncovering the attack sequence. However, existing general-purpose query systems lack explicit language constructs for expressing key properties of major attack behaviors, and their semantics-agnostic design often produces inefficient execution plans for queries. To address these limitations, we build AIQL, a novel query system that is designed with novel types of domain-specific optimizations to enable efficient attack investigation. AIQL provides (1) domain-specific data model and storage for storing the massive system monitoring data, (2) a domain-specific query language, Attack Investigation Query Language (AIQL) that integrates critical primitives for expressing major attack behaviors, and (3) an optimized query engine based on the characteristics of the data and the semantics of the query to efficiently schedule the execution. We have deployed AIQL in NEC Labs America comprising 150 hosts. In our demo, we aim to show the complete usage scenario of AIQL by (1) performing an APT attack in a controlled environment, and (2) using AIQL to investigate such attack by querying the collected system monitoring data that contains the attack traces. The audience will have the option to perform the APT attack themselves under our guidance, and interact with the system and investigate the attack via issuing queries and checking the query results through our web UI.

Cryptography and Security,Software Engineering

Jian Liu,Junjie Yan,Zhengwei Jiang,Xuren Wang,Jun Jiang

DOI: https://doi.org/10.1109/globecom48099.2022.10001525

2022-01-01

Abstract:System audit logs are widely adopted in enterprise security by their support for causality analysis that generates provenance graphs to investigate advanced attacks. However, detecting attack activity in the overwhelming amount of logs is like looking for a needle in a haystack, which slows down the speed of attack investigation. In this paper, we propose an automated approach for attack detection and investigation by learning the contextual semantics of the provenance graph. Our framework uncovers the semantics of the attack events through the structural context of audit logs. Further, an attention-based graph convolutional neural network is utilized to capture the structural identity associated with the attack path. It is important to note that when inferring whether a specific system node is malicious or not, our approach optimizes the provenance subgraph generated for that node without destroying its contextual semantics. The discovered attack nodes are correlated chronologically for attack investigation and scenario reconstruction. Our approach is evaluated on a real-world Advanced Persistent Threats (APT) dataset. The results show that our approach has a high F1 score (95.97%) for identifying attack nodes in audit logs and speeds up the process of attack investigation (reducing the analysis workload by 91.24%).

Feng Dong,Liu Wang,Xu Nie,Fei Shao,Haoyu Wang,Ding Li,Xiapu Luo,Xusheng Xiao

2023-01-01

Abstract:Building provenance graph that considers causal relationships among software behaviors can better provide contextual information of cyber attacks, especially for advanced attacks such as Advanced Persistent Threat (APT) attacks. Despite its promises in assisting attack investigation, existing approaches that use provenance graphs to perform attack detection suffer from two fundamental limitations. First, existing approaches adopt a centralized detection architecture that sends all system auditing logs to the server for processing, incurring intolerable costs of data transmission, data storage, and computation. Second, they adopt either rule-based techniques that cannot detect unknown threats, or anomaly-detection techniques that produce numerous false alarms, failing to achieve a balance of precision and recall in APT detection. To address these fundamental challenges, we propose DISTDET, a distributed detection system that detects APT attacks by (1) performing light weight detection based on the host model built in the client side, (2) filtering false alarms based on the semantics of the alarm proprieties, and (3) deriving global models to complement the local bias of the host models. Our experiments on a large-scale industrial environment (1,130 hosts, 14 days, similar to 1.6 billion events) and the DARPA TC dataset show that DISTDET is as effective as sate-of-the-art techniques in detecting attacks, while dramatically reducing network bandwidth from 11.28Mb/s to 17.08Kb/S (676.5x reduction), memory usages from 364MB to 5.523MB (66x reduction), and storage from 1.47GB to 130.34MB (11.6x reduction). By the time of this writing, DISTDET has been deployed to 50+ industry customers with 22,000+ hosts for more than 6 months, and identified over 900 real-world attacks.

Yuedong Pan,Lijun Cai,Tao Leng,Lixin Zhao,Jiangang Ma,Aimin Yu,Dan Meng

DOI: https://doi.org/10.1007/978-3-031-25538-0_27

2023-01-01

Abstract:In an enterprise environment, intrusion detection systems generate many threat alerts on anomalous events every day, and these alerts may involve certain steps of a long-dormant advanced persistent threat (APT). In this paper, we present AttackMiner, an attack detection framework that combines contextual information from audit logs. Our main observation is that the same attack behavior may occur in various possible contexts, and combining various possible contextual information can provide more effective information for detecting such attacks. We utilize a combination of provenance graph causal analysis and deep learning techniques to build a graph-structure-based model that builds key patterns of attack graphs and benign graphs from audit logs. During detection, the detection system creates provenance graphs using the input audit logs. After being optimized by our customized graph optimization mechanism, it identifies whether an attack has occurred. Our evaluations on the DARPA TC dataset show that AttackMiner can successfully detect attack behaviors with high accuracy and efficiency. Through this effort, we provide security investigators with a new approach of identifying attack activity from audit logs.

Yuan Yang,Zhongmin Cai,Chunyan Wang,Junjie Zhang

DOI: https://doi.org/10.1109/tifs.2018.2833048

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:There is an increasing need of assessing and mitigating the effects of successful attacks. Uncovering malicious and contaminated objects in an attacked computing system is referred to as identification of attack ramifications. Previous methods identify the attack ramifications by directly tracking information flows (or dependences) from the intrusion root (i.e., the entry point of an attack). They face challenges such as undetermined intrusion root and dependence explosion. In this paper, we present a novel, light-weight method capable of identifying attack ramifications without the knowledge of intrusion root and less subject to dependency explosion. The method utilizes a probabilistic reasoning approach to fuse evidence derived from a subset of objects whose security states are known. It first splits the lifetime of an object into consecutive time slices (object-slices) to profile how the security state of this object changes over time. Then, a temporal dependence network (TDN) is constructed from system call traces to correlate object-slices according to information flows between them. Based on that, a Bayesian network (BN) model is built to characterize the uncertainties of infection propagations in the TDN. Finally, the method adopts loopy belief propagation on the BN model to infer the security state of an object. We evaluate the proposed method using a large data set of 389 attacks launched by the real-world malware samples including sophisticated ones such as Stuxnet. Extensive experiments demonstrate that our method is able to identify attack ramifications with a 97.47% precision at 97.21% recall without the knowledge of intrusion root.

Tiantian Zhu,Jinkai Yu,Tieming Chen,Jiayu Wang,Jie Ying,Ye Tian,Mingqi Lv,Yan Chen,Yuan Fan,Ting Wang

DOI: https://doi.org/10.48550/arXiv.2112.09008

2021-12-17

Abstract:Advanced Persistent Threat (APT) attack usually refers to the form of long-term, covert and sustained attack on specific targets, with an adversary using advanced attack techniques to destroy the key facilities of an organization. APT attacks have caused serious security threats and massive financial loss worldwide. Academics and industry thereby have proposed a series of solutions to detect APT attacks, such as dynamic/static code analysis, traffic detection, sandbox technology, endpoint detection and response (EDR), etc. However, existing defenses are failed to accurately and effectively defend against the current APT attacks that exhibit strong persistent, stealthy, diverse and dynamic characteristics due to the weak data source integrity, large data processing overhead and poor real-time performance in the process of real-world scenarios. To overcome these difficulties, in this paper we propose APTSHIELD, a stable, efficient and real-time APT detection system for Linux hosts. In the aspect of data collection, audit is selected to stably collect kernel data of the operating system so as to carry out a complete portrait of the attack based on comprehensive analysis and comparison of existing logging tools; In the aspect of data processing, redundant semantics skipping and non-viable node pruning are adopted to reduce the amount of data, so as to reduce the overhead of the detection system; In the aspect of attack detection, an APT attack detection framework based on ATT\&CK model is designed to carry out real-time attack response and alarm through the transfer and aggregation of labels. Experimental results on both laboratory and Darpa Engagement show that our system can effectively detect web vulnerability attacks, file-less attacks and remote access trojan attacks, and has a low false positive rate, which adds far more value than the existing frontier work.

Cryptography and Security

Xinyu Yang,Haoyuan Liu,Ziyu Wang,Peng Gao

DOI: https://doi.org/10.48550/arXiv.2211.05403

2022-11-10

Cryptography and Security

Abstract:System auditing has emerged as a key approach for monitoring system call events and investigating sophisticated attacks. Based on the collected audit logs, research has proposed to search for attack patterns or track the causal dependencies of system events to reveal the attack sequence. However, existing approaches either cannot reveal long-range attack sequences or suffer from the dependency explosion problem due to a lack of focus on attack-relevant parts, and thus are insufficient for investigating complex attacks. To bridge the gap, we propose Zebra, a system that synergistically integrates attack pattern search and causal dependency tracking for efficient attack investigation. With Zebra, security analysts can alternate between search and tracking to reveal the entire attack sequence in a progressive, user-guided manner, while mitigating the dependency explosion problem by prioritizing the attack-relevant parts. To enable this, Zebra provides (1) an expressive and concise domain-specific language, Tstl, for performing various types of search and tracking analyses, and (2) an optimized language execution engine for efficient execution over a big amount of auditing data. Evaluations on a broad set of attack cases demonstrate the effectiveness of Zebra in facilitating a timely attack investigation.

Ahmet Salih Buyukkayhan,Alina Oprea,Zhou Li,William K. Robertson

DOI: https://doi.org/10.1007/978-3-319-66332-6_4

2017-01-01

Abstract:Organizations are facing an increasing number of criminal threats ranging from opportunistic malware to more advanced targeted attacks. While various security technologies are available to protect organizations' perimeters, still many breaches lead to undesired consequences such as loss of proprietary information, financial burden, and reputation defacing. Recently, endpoint monitoring agents that inspect system-level activities on user machines started to gain traction and be deployed in the industry as an additional defense layer. Their application, though, in most cases is only for forensic investigation to determine the root cause of an incident.In this paper, we demonstrate how endpoint monitoring can be proactively used for detecting and prioritizing suspicious software modules overlooked by other defenses. Compared to other environments in which host-based detection proved successful, our setting of a large enterprise introduces unique challenges, including the heterogeneous environment (users installing software of their choice), limited ground truth (small number of malicious software available for training), and coarse-grained data collection (strict requirements are imposed on agents' performance overhead). Through applications of clustering and outlier detection algorithms, we develop techniques to identify modules with known malicious behavior, as well as modules impersonating popular benign applications. We leverage a large number of static, behavioral and contextual features in our algorithms, and new feature weighting methods that are resilient against missing attributes. The large majority of our findings are confirmed as malicious by anti-virus tools and manual investigation by experienced security analysts.

Wajih Ul Hassan,Ding Li,Kangkook Jee,Xiao Yu,Kexuan Zou,Dawei Wang,Zhengzhang Chen,Zhichun Li,Junghwan John Rhee,Jiaping Gui,Adam Bates

DOI: https://doi.org/10.1145/3427228.3427255

2020-01-01

Abstract:Recent advances in the causal analysis can accelerate incident response time, but only after a causal graph of the attack has been constructed. Unfortunately, existing causal graph generation techniques are mainly offline and may take hours or days to respond to investigator queries, creating greater opportunity for attackers to hide their attack footprint, gain persistency, and propagate to other machines. To address that limitation, we present SWIFT, a threat investigation system that provides high-throughput causality tracking and real-time causal graph generation capabilities. We design an in-memory graph database that enables space-efficient graph storage and online causality tracking with minimal disk operations. We propose a hierarchical storage system that keeps forensically-relevant part of the causal graph in main memory while evicting rest to disk. To identify the causal graph that is likely to be relevant during the investigation, we design an asynchronous cache eviction policy that calculates the most suspicious part of the causal graph and caches only that part in the main memory. We evaluated SWIFT on a real-world enterprise to demonstrate how our system scales to process typical event loads and how it responds to forensic queries when security alerts occur. Results show that SWIFT is scalable, modular, and answers forensic queries in real-time even when analyzing audit logs containing tens of millions of events.

Jiaping Gui,Ding Li,Zhengzhang Chen,Junghwan Rhee,Xusheng Xiao,Mu Zhang,Kangkook Jee,Zhichun Li,Haifeng Chen

DOI: https://doi.org/10.1109/ICDE48307.2020.00151

2020-01-01

Abstract:While backtracking analysis has been successful in assisting the investigation of complex security attacks, it faces a critical dependency explosion problem. To address this problem, security analysts currently need to tune backtracking analysis manually with different case-specific heuristics. However, existing systems fail to fulfill two important system requirements to achieve effective backtracking analysis. First, there need flexible abstractions to express various types of heuristics. Second, the system needs to be responsive in providing updates so that the progress of backtracking analysis can be frequently inspected, which typically involves multiple rounds of manual tuning. In this paper, we propose a novel system, APTrace, to meet both of the above requirements. As we demonstrate in the evaluation, security analysts can effectively express heuristics to reduce more than 99.5% of irrelevant events in the backtracking analysis of real-world attack cases. To improve the responsiveness of backtracking analysis, we present a novel execution-window partitioning algorithm that significantly reduces the waiting time between two consecutive updates (especially, 57 times reduction for the top 1% waiting time).

Zhang Xu,Zhenyu Wu,Zhichun Li,Kangkook Jee,Junghwan Rhee,Xusheng Xiao,Fengyuan Xu,Haining Wang,Guofei Jiang

DOI: https://doi.org/10.1145/2976749.2978378

2016-01-01

Abstract:Intrusive multi-step attacks, such as Advanced Persistent Threat (APT) attacks, have plagued enterprises with significant financial losses and are the top reason for enterprises to increase their security budgets. Since these attacks are sophisticated and stealthy, they can remain undetected for years if individual steps are buried in background "noise." Thus, enterprises are seeking solutions to "connect the suspicious dots" across multiple activities. This requires ubiquitous system auditing for long periods of time, which in turn causes overwhelmingly large amount of system audit events. Given a limited system budget, how to efficiently handle ever-increasing system audit logs is a great challenge. This paper proposes a new approach that exploits the dependency among system events to reduce the number of log entries while still supporting high-quality forensic analysis. In particular, we first propose an aggregation algorithm that preserves the dependency of events during data reduction to ensure the high quality of forensic analysis. Then we propose an aggressive reduction algorithm and exploit domain knowledge for further data reduction. To validate the efficacy of our proposed approach, we conduct a comprehensive evaluation on real-world auditing systems using log traces of more than one month. Our evaluation results demonstrate that our approach can significantly reduce the size of system logs and improve the efficiency of forensic analysis without losing accuracy.

Yushan Liu,Mu Zhang,Ding Li,Kangkook Jee,Zhichun Li,Zhenyu Wu,Junghwan Rhee,Prateek Mittal

DOI: https://doi.org/10.14722/ndss.2018.23254

2018-01-01

Abstract:The increasingly sophisticated Advanced Persistent Threat (APT) attacks have become a serious challenge for enterprise IT security. Attack causality analysis, which tracks multi-hop causal relationships between files and processes to diagnose attack provenances and consequences, is the first step towards understanding APT attacks and taking appropriate responses. Since attack causality analysis is a time-critical mission, it is essential to design causality tracking systems that extract useful attack information in a timely manner. However, prior work is limited in serving this need. Existing approaches have largely focused on pruning causal dependencies totally irrelevant to the attack, but fail to differentiate and prioritize abnormal events from numerous relevant, yet benign and complicated system operations, resulting in long investigation time and slow responses. To address this problem, we propose PRIOTRACKER, a backward and forward causality tracker that automatically prioritizes the investigation of abnormal causal dependencies in the tracking process. Specifically, to assess the priority of a system event, we consider its rareness and topological features in the causality graph. To distinguish unusual operations from normal system events, we quantify the rareness of each event by developing a reference model which records common routine activities in corporate computer systems. We implement PRIOTRACKER, in 20K lines of Java code, and a reference model builder in 10K lines of Java code. We evaluate our tool by deploying both systems in a real enterprise IT environment, where we collect 1TB of 2.5 billion OS events from 150 machines in one week. Experimental results show that PRIOTRACKER can capture attack traces that are missed by existing trackers and reduce the analysis time by up to two orders of magnitude.

Stefano M. Nicoletti,Milan Lopuhaä-Zwakenberg,Mariëlle Stoelinga,Fabio Massacci,Carlos E. Budde

2024-10-19

Abstract:The landscape of cyber threats grows more complex by the day. Advanced Persistent Threats carry out systematic attack campaigns against which cybersecurity practitioners must defend. Examples of such organized attacks are operations Dream Job, Wocao, WannaCry or the SolarWinds Compromise. To evaluate which risks are most threatening, and which campaigns to prioritize against when defending, cybersecurity experts must be equipped with the right toolbox. In particular, they must be able to (a) obtain likelihood values for each attack campaign recorded in the wild and (b) reliably and transparently operationalize these values to carry out quantitative comparisons among campaigns. This will allow security experts to perform quantitatively-informed decision making that is transparent and accountable. In this paper we construct such a framework by: (1) quantifying the likelihood of attack campaigns via data-driven procedures on the MITRE knowledge base and (2) introducing a methodology for automatic modelling of MITRE intelligence data: this is complete in the sense that it captures any attack campaign via template attack tree models. (3) We further propose a computational framework to carry out this comparisons based on the cATM formal logic, and implement this into an open-source Python tool. Finally, we validate our approach by quantifying the likelihood of all MITRE campaigns, and comparing the likelihood of the Wocao and Dream Job MITRE campaigns -- generated with our proposed approach -- against "ad hoc" traditionally-built attack tree models, demonstrating how our methodology is substantially lighter in modelling effort, and still capable of capturing all the quantitative relevant data.

Cryptography and Security,Logic in Computer Science

Radu Marian Portase,Adrian Colesa,Gheorghe Sebestyen

DOI: https://doi.org/10.3390/s24175601

IF: 3.9

2024-09-01

Sensors

Abstract:Cybercriminals have become an imperative threat because they target the most valuable resource on earth, data. Organizations prepare against cyber attacks by creating Cyber Security Incident Response Teams (CSIRTs) that use various technologies to monitor and detect threats and to help perform forensics on machines and networks. Testing the limits of defense technologies and the skill of a CSIRT can be performed through adversary emulation performed by so-called "red teams". The red team's work is primarily manual and requires high skill. We propose SpecRep, a system to ease the testing of the detection capabilities of defenses in complex, heterogeneous infrastructures. SpecRep uses previously known attack specifications to construct attack scenarios based on attacker objectives instead of the traditional attack graphs or a list of actions. We create a metalanguage to describe objectives to be achieved in an attack together with a compiler that can build multiple attack scenarios that achieve the objectives. We use text processing tools aided by large language models to extract information from freely available white papers and convert them to plausible attack specifications that can then be emulated by SpecRep. We show how our system can emulate attacks against a smart home, a large enterprise, and an industrial control system.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Lei Wu,Siwei Wu,Yajin Zhou,Runhuai Li,Zhi Wang,Xiapu Luo,Cong Wang,Kui Ren

DOI: https://doi.org/10.48550/arXiv.2005.08278

2020-10-23

Abstract:As one of the representative blockchain platforms, Ethereum has attracted lots of attacks. Due to the existed financial loss, there is a pressing need to perform timely investigation and detect more attack instances. Though multiple systems have been proposed, they suffer from the scalability issue due to the following reasons. First, the tight coupling between malicious contract detection and blockchain data importing makes them infeasible to repeatedly detect different attacks. Second, the coarse-grained archive data makes them inefficient to replay transactions. Third, the separation between malicious contract detection and runtime state recovery consumes lots of storage. In this paper, we present the design of a scalable attack detection framework on Ethereum. It overcomes the scalability issue by saving the Ethereum state into a database and providing an efficient way to locate suspicious transactions. The saved state is fine-grained to support the replay of arbitrary transactions. The state is well-designed to avoid saving unnecessary state to optimize the storage consumption. We implement a prototype named EthScope and solve three technical challenges, i.e., incomplete Ethereum state, scalability, and extensibility. The performance evaluation shows that our system can solve the scalability issue, i.e., efficiently performing a large-scale analysis on billions of transactions, and a speedup of around 2,300x when replaying transactions. It also has lower storage consumption compared with existing systems. The result with three different types of information as inputs shows that our system can help an analyst understand attack behaviors and further detect more attacks. To engage the community, we will release our system and the dataset of detected attacks.

Cryptography and Security

Wenrui Cheng,Tiantian Zhu,Tieming Chen,Qixuan Yuan,Jie Ying,Hongmei Li,Chunlin Xiong,Mingda Li,Mingqi Lv,Yan Chen

2024-10-15

Abstract:Cyber Threat Intelligence (CTI) reports are factual records compiled by security analysts through their observations of threat events or their own practical experience with attacks. In order to utilize CTI reports for attack detection, existing methods have attempted to map the content of reports onto system-level attack provenance graphs to clearly depict attack procedures. However, existing studies on constructing graphs from CTI reports suffer from problems such as weak natural language processing (NLP) capabilities, discrete and fragmented graphs, and insufficient attack semantic representation. Therefore, we propose a system called CRUcialG for the automated reconstruction of attack scenario graphs (ASGs) by CTI reports. First, we use NLP models to extract systematic attack knowledge from CTI reports to form preliminary ASGs. Then, we propose a four-phase attack rationality verification framework from the tactical phase with attack procedure to evaluate the reasonability of ASGs. Finally, we implement the relation repair and phase supplement of ASGs by adopting a serialized graph generation model. We collect a total of 10,607 CTI reports and generate 5,761 complete ASGs. Experimental results on CTI reports from 30 security vendors and DARPA show that the similarity of ASG reconstruction by CRUcialG can reach 84.54%. Compared with SOTA (EXTRACTOR and AttackG), the recall of CRUcialG (extraction of real attack events) can reach 88.13% and 94.46% respectively, which is 40% higher than SOTA on average. The F1-score of attack phase verification is able to reach 90.04%.

Cryptography and Security