DOI: 10.1145/3678890.3678916
RAID Conference Proceedings, research article, open access

Obfuscating Provenance-Based Forensic Investigations with Mapping System Meta-Behavior

Published: 30 September 2024

Abstract

The provenance graph technique has gained popularity for analyzing attacks such as Advanced Persistent Threat (APT) attacks by building entity interaction graphs from host audit logs. While this method has shown promising analysis results and interpretability, its robustness against mimicry attacks carried out by skilled attackers has yet to be fully established. Recent research has showcased adversarial methods against provenance-based Machine Learning (ML) detectors, achieving evasion by adding corresponding nodes and edges in the feature space. These approaches, however, face several challenges: feature-space alterations are difficult to translate into practical attack scenarios, and the methods have limited applicability to other provenance-graph-based detection schemes.
In this study, we propose the Provenance-based Attack Investigation Obfuscation Framework (PAIOF), a novel obfuscation attack against existing provenance-based forensic investigation systems that demonstrates they need to be extended and upgraded. More specifically, we analyze the key indicators used by three classic provenance-based investigation approaches to set obfuscation goals, establish an end-to-end mapping between system operational behaviors and provenance graphs, and create obfuscation programs guided by those goals to generate real attack instances. Our experiments show that the obfuscation scheme significantly reduces both the recall and precision of current state-of-the-art schemes on the DARPA Transparent Computing (TC) dataset and in simulated real-world attack scenarios. Furthermore, the meta-behavioral modeling approach of our system ensures its applicability to real-world scenarios, and we also discuss potential defenses against such attacks.
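The abstract refers to the core investigation technique whose robustness the paper questions: building an entity interaction graph from host audit logs and tracing backward from a suspicious entity, with the result scored by precision and recall. The following is an added example, not code from the paper or from PAIOF: it builds a small provenance graph from constructed audit events, runs timestamp-constrained backward tracing from a persistence file, and scores the recovered subgraph against a constructed ground truth. The event tuple format, the node names, the flow-direction table and the ground-truth set are all assumptions made for the example.

```python
"""Provenance graph construction and backward tracing over constructed audit records.

Added example of the investigation technique the abstract describes (entity
interaction graphs built from host audit logs). It is not code from the paper
or from PAIOF; the event format, node names, flow-direction table and ground
truth below are assumptions made for this example.
"""
from collections import defaultdict, deque

# Constructed audit events, not taken from the paper or the DARPA TC dataset.
# Each tuple is (timestamp, subject, operation, object).
EVENTS = [
    (1, "proc:sshd",   "exec",    "proc:bash"),
    (2, "proc:bash",   "exec",    "proc:curl"),
    (3, "proc:curl",   "connect", "net:203.0.113.5:443"),
    (4, "proc:curl",   "write",   "file:/tmp/payload"),
    (5, "proc:bash",   "exec",    "proc:python"),
    (6, "proc:python", "read",    "file:/tmp/payload"),
    (7, "proc:python", "write",   "file:/etc/cron.d/job"),
    (8, "proc:bash",   "read",    "file:/etc/passwd"),      # later, unrelated activity
    (9, "proc:cron",   "read",    "file:/etc/cron.d/job"),  # downstream consumer, not a cause
]

# Constructed ground truth for scoring: the entities an analyst would label as
# belonging to the attack.
ATTACK_NODES = {
    "proc:curl", "net:203.0.113.5:443", "file:/tmp/payload",
    "proc:python", "file:/etc/cron.d/job",
}

# Direction of information flow per operation (assumed mapping).
# "forward": subject -> object; "backward": object -> subject.
FLOW = {
    "exec": "forward",      # parent process creates child
    "write": "forward",     # process data flows into file
    "read": "backward",     # file content flows into process
    "connect": "backward",  # data received from the remote endpoint
}


def build_graph(events):
    """Return a predecessor map: node -> list of (source_node, timestamp)."""
    preds = defaultdict(list)
    for t, subj, op, obj in events:
        src, dst = (subj, obj) if FLOW[op] == "forward" else (obj, subj)
        preds[dst].append((src, t))
    return preds


def backward_trace(preds, target, time_bound):
    """Causal ancestors of `target`, following only edges that precede the bound.

    Each node carries the latest timestamp at which it could have influenced
    the target; an edge into a node is followed only if its timestamp is not
    later than that node's bound. A node is re-expanded when another path gives
    it a larger bound. This is why the later read of /etc/passwd by bash is
    excluded: it happened after bash last influenced the attack chain.
    """
    bound = {target: time_bound}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for src, t in preds.get(node, []):
            if t <= bound[node] and t > bound.get(src, float("-inf")):
                bound[src] = t
                queue.append(src)
    return set(bound)


def precision_recall(found, truth):
    """Precision and recall of a recovered node set against a labelled set."""
    tp = len(found & truth)
    precision = tp / len(found) if found else 0.0
    recall = tp / len(truth) if truth else 0.0
    return precision, recall


if __name__ == "__main__":
    graph = build_graph(EVENTS)
    # Investigation starts at the suspicious persistence file, at the time it was written.
    result = backward_trace(graph, "file:/etc/cron.d/job", time_bound=7)
    for node in sorted(result):
        print(node)
    p, r = precision_recall(result, ATTACK_NODES)
    print(f"precision={p:.2f} recall={r:.2f}")
```

On this input the trace recovers every labelled attack entity (recall 1.0) but also pulls in the benign ancestors sshd and bash, so precision is 5/7; the abstract's attack works by driving exactly these two numbers down, which is why an investigation tool's own precision and recall are the right quantities to monitor when evaluating it.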


Published In

RAID '24: Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses
September 2024
719 pages
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery
New York, NY, United States

Author Tags

1. Attack Investigation
2. Evasion Attack
3. Provenance Graph

Qualifiers

• Research-article
• Research
• Refereed limited

Funding Sources

• National Key R&D Program of China
• National Natural Science Foundation of China

Conference

RAID '24

Acceptance Rates

RAID '24 Paper Acceptance Rate 43 of 173 submissions, 25%;
Overall Acceptance Rate 43 of 173 submissions, 25%
