SaTC: CORE: Small: Scalable Cyber Attack Investigation using Declarative Queriesand Interrogative Analysis

SaTC：核心：小型：使用声明性查询和疑问分析进行可扩展的网络攻击调查

• 批准号: 2028748
• 负责人: Xusheng Xiao
• 金额: $ 50万
• 依托单位: Case Western Reserve University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2028748&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Scalable; Cyber

Recent cyber-attacks that exploit multiple vulnerabilities plague even the most protected companies. This has led to the solutions that ubiquitously monitor system activities as a series of system events, and apply causality analysis to reveal the attack steps through reconstructing the events and their dependencies on the attack as dependency graphs. Nevertheless, existing techniques mainly exploit event time to identify dependencies. This will include many less-important dependencies brought by irrelevant system activities. Moreover, these techniques cannot easily incorporate expert knowledge from security analysts due to limited extensibility, and provide little support to engage security analysts to actively explore the dependencies. The project is expected to make a major positive impact on system security by enhancing attack investigation using system audit logs, and provide contextual information to help intrusion detection systems better prioritize alerts. The project actively involves students from minority and underrepresented groups for research and training experiences. The goal of this proposal is to develop a general query framework to express and extract contextual attack information, by constructing small graphs of attack-relevant events from system audit logs. The project is focused on the following research tasks: (1) build a general infrastructure that computes discriminative weights for dependencies based on various properties of system events to identify attack-relevant events and entry points for attacks; (2) develop a declarative graph query language that provides specialized language constructs to express various formats of causality analysis; (3) devise a scalable interrogative analysis framework that can automatically clarify causality analysis by tracking expressive causal structures for both verified and hypothetical scenarios, enabled by new ``Why'' and ``What-if'' semantics. This project will advance the state of the art in revealing attack provenance from complex systems, on engaging security analysts to interactive and explainable security analytical pipelines, and to gain better understanding of the fundamental and practical challenges for building an effective attack investigation system.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

最近利用多个漏洞的网络攻击甚至困扰着最受保护的公司。这就产生了这样的解决方案：将系统活动作为一系列系统事件进行无处不在的监控，并应用因果分析通过将事件及其对攻击的依赖关系重构为依赖图来揭示攻击步骤。然而，现有技术主要利用事件时间来识别依赖关系。这将包括由不相关的系统活动带来的许多不太重要的依赖项。此外，由于可扩展性有限，这些技术不能轻松地结合安全分析师的专业知识，并且几乎不能提供支持来让安全分析师积极探索依赖关系。预计该项目将通过使用系统审计日志加强攻击调查，并提供上下文信息，帮助入侵检测系统更好地确定警报的优先顺序，从而对系统安全产生重大积极影响。该项目积极吸收少数群体和代表性不足群体的学生参与研究和培训经验。该建议的目标是开发一个通用的查询框架，通过从系统审计日志中构建与攻击相关的事件的小图来表达和提取上下文攻击信息。该项目集中于以下研究任务：(1)建立一个通用基础设施，根据系统事件的各种属性计算依赖项的区别权重，以识别与攻击相关的事件和攻击的入口点；(2)开发声明性图形查询语言，提供专门的语言构造来表示各种格式的因果分析；(3)设计一个可扩展的疑问分析框架，通过跟踪已验证和假设场景的表达因果结构，通过新的“为什么”和“假设”语义实现自动澄清因果分析。该项目将在揭示复杂系统的攻击来源、将安全分析师吸引到交互式和可解释的安全分析管道方面推进最先进的技术，并更好地了解构建有效攻击调查系统的根本和实际挑战。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

DEPCOMM: Graph Summarization on System Audit Logs for Attack Investigation

• DOI: 10.1109/sp46214.2022.9833632
• 发表时间: 2022-05
• 期刊: 2022 IEEE Symposium on Security and Privacy (SP)
• 作者: Zhiqiang Xu;Pengcheng Fang;Changlin Liu;Xusheng Xiao;Yu Wen;Dan Meng

Back-Propagating System Dependency Impact for Attack Investigation

攻击调查的反向传播系统依赖性影响

• 发表时间: 2022
• 期刊: USENIX Security Symposium
• 作者: Fang, Pengcheng;Gao, Peng;Liu, Changlin;Ayday, Erman;Jee, Kangkook;Wang, Ting;Ye, Yanfang;Liu, Zhuotao;Xiao, Xusheng
• 通讯作者: Xiao, Xusheng