Investigating Security Incidents with System Auditing and Analysis
COM1 Level 2
SR10, COM1-02-10
Abstract:
Security incidents in large enterprises have been on the rise globally. We have been witnessing cyber attacks with increasing sophistication and customization. In defense against advanced attacks, endpoint security solutions --- e.g., Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) --- are widely deployed in today's production environments. These security solutions monitor system-level activities (e.g., system calls) on end hosts as audit logs, providing deep visibility into security incidents. Specifically, given a symptom of an attack, security analysts can investigate audit logs to understand how an attacker gains access to the victim's systems and what damages are inflicted.
However, the usability of system auditing is limited in practical scenarios due to three inherent challenges. First, as computing systems to date become complex and ever-expanding, enterprise IT infrastructures typically generate a large volume of audit data that can easily overwhelm security analysts. Second, audit log analysis heavily depends on human expertise, making it difficult to scale to enterprise-wide security solutions. At last, system auditing monitors system-call-level activities without fine-grained (e.g., instruction-level) information, which usually leads to the dependency explosion problem in attack investigations.
In this thesis, we propose building and reasoning about rich contexts from audit logs to address the challenges above. First, we present Watson, a system that automatically abstracts high-level system behaviors from low-level audit logs. By providing a quantitative representation of behavior semantics, it clusters semantically similar behaviors and presents only the representatives for inspections. Next, we present a recommendation-guided cyber threat analysis system, called ShadeWatcher, which predicts potentially malicious system entity interactions. It enables threat detection based on historical contexts in audit logs, which mitigates the burden on security analysts. Finally, we present PalanTir, a practical attack investigation system that integrates instruction-level provenance into system auditing to reduce the search space in attack scenario reconstructions. Together, Watson, ShadeWatcher, and PalanTir provide an end-to-end framework that facilitates attack investigations on system auditing and analysis.