Xanthus: Push-button Orchestration of Host Provenance Data Collection
Host-based anomaly detectors generate alarms by inspecting audit logs for
suspicious behavior. Unfortunately, evaluating these anomaly detectors is hard.
There are few high-quality, publicly-available audit logs, and there are no
pre-existing frameworks that enable push-button creation of realistic system
traces. To make trace generation easier, we created Xanthus, an automated tool
that orchestrates virtual machines to generate realistic audit logs. Using
Xanthus' simple management interface, administrators select a base VM image,
configure a particular tracing framework to use within that VM, and define
post-launch scripts that collect and save trace data. Once data collection is
finished, Xanthus creates a self-describing archive, which contains the VM, its
configuration parameters, and the collected trace data. We demonstrate that
Xanthus hides many of the tedious (yet subtle) orchestration tasks that humans
often get wrong; Xanthus avoids mistakes that lead to non-replicable
experiments.
Comment: 6 pages, 1 figure, 7 listings, 1 table, workshop
POIROT: Aligning Attack Behavior with Kernel Audit Records for Cyber Threat Hunting
Cyber threat intelligence (CTI) is being used to search for indicators of
attacks that might have compromised an enterprise network for a long time
without being discovered. To have a more effective analysis, CTI open standards
have incorporated descriptive relationships showing how the indicators or
observables are related to each other. However, these relationships are either
completely overlooked in information gathering or not used for threat hunting.
In this paper, we propose a system, called POIROT, which uses these
correlations to uncover the steps of a successful attack campaign. We use
kernel audits as a reliable source that covers all causal relations and
information flows among system entities and model threat hunting as an inexact
graph pattern matching problem. Our technical approach is based on a novel
similarity metric which assesses an alignment between a query graph constructed
out of CTI correlations and a provenance graph constructed out of kernel audit
log records. We evaluate POIROT on publicly released real-world incident
reports as well as reports of an adversarial engagement designed by DARPA,
including ten distinct attack campaigns against different OS platforms such as
Linux, FreeBSD, and Windows. Our evaluation results show that POIROT is capable
of searching inside graphs containing millions of nodes and pinpointing the
attacks in a few minutes, and the results serve to illustrate that CTI
correlations could be used as robust and reliable artifacts for threat hunting.
Comment: The final version of this paper is going to appear in the ACM SIGSAC
Conference on Computer and Communications Security (CCS'19), November 11-15,
2019, London, United Kingdom
EVALUATING ARTIFICIAL INTELLIGENCE METHODS FOR USE IN KILL CHAIN FUNCTIONS
Current naval operations require sailors to make time-critical and high-stakes decisions based on uncertain situational knowledge in dynamic operational environments. Recent tragic events have resulted in unnecessary casualties, and they represent the decision complexity involved in naval operations and specifically highlight challenges within the OODA loop (Observe, Orient, Decide, and Assess). Kill chain decisions involving the use of weapon systems are a particularly stressing category within the OODA loop—with unexpected threats that are difficult to identify with certainty, shortened decision reaction times, and lethal consequences. An effective kill chain requires the proper setup and employment of shipboard sensors; the identification and classification of unknown contacts; the analysis of contact intentions based on kinematics and intelligence; an awareness of the environment; and decision analysis and resource selection. This project explored the use of automation and artificial intelligence (AI) to improve naval kill chain decisions. The team studied naval kill chain functions and developed specific evaluation criteria for each function for determining the efficacy of specific AI methods. The team identified and studied AI methods and applied the evaluation criteria to map specific AI methods to specific kill chain functions.
Approved for public release. Distribution is unlimited.
Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance
Provenance graphs are structured audit logs that describe the history of a
system's execution. Recent studies have explored a variety of techniques to
analyze provenance graphs for automated host intrusion detection, focusing
particularly on advanced persistent threats. Sifting through their design
documents, we identify four common dimensions that drive the development of
provenance-based intrusion detection systems (PIDSes): scope (can PIDSes detect
modern attacks that infiltrate across application boundaries?), attack
agnosticity (can PIDSes detect novel attacks without a priori knowledge of
attack characteristics?), timeliness (can PIDSes efficiently monitor host
systems as they run?), and attack reconstruction (can PIDSes distill attack
activity from large provenance graphs so that sysadmins can easily understand
and quickly respond to system intrusion?). We present KAIROS, the first PIDS
that simultaneously satisfies the desiderata in all four dimensions, whereas
existing approaches sacrifice at least one and struggle to achieve comparable
detection performance.
Kairos leverages a novel graph neural network-based encoder-decoder
architecture that learns the temporal evolution of a provenance graph's
structural changes to quantify the degree of anomalousness for each system
event. Then, based on this fine-grained information, Kairos reconstructs attack
footprints, generating compact summary graphs that accurately describe
malicious activity over a stream of system audit logs. Using state-of-the-art
benchmark datasets, we demonstrate that Kairos outperforms previous approaches.
Comment: 23 pages, 16 figures, to appear in the 45th IEEE Symposium on
Security and Privacy (S&P'24)
OSTINATO: Cross-host Attack Correlation Through Attack Activity Similarity Detection
Modern attacks against enterprises often have multiple targets inside the
enterprise network. Due to the large size of these networks and increasingly
stealthy attacks, attacker activities spanning multiple hosts are extremely
difficult to correlate during a threat-hunting effort. In this paper, we
present a method for efficient attack correlation across multiple
hosts. Unlike previous works, our approach does not require lateral movement
detection techniques or host-level modifications. Instead, our approach relies
on an observation that attackers have a few strategic mission objectives on
every host that they infiltrate, and there exist only a handful of techniques
for achieving those objectives. The central idea behind our approach involves
comparing (OS agnostic) activities on different hosts and correlating the hosts
that display the use of similar tactics, techniques, and procedures. We
implement our approach in a tool called Ostinato and successfully evaluate it
in threat hunting scenarios involving DARPA-led red team engagements spanning
500 hosts and in another multi-host attack scenario. Ostinato successfully
detected 21 additional compromised hosts, which the underlying host-based
detection system overlooked in activities spanning multiple days of the attack
campaign. Additionally, Ostinato successfully reduced alarms generated from the
underlying detection system by more than 90%, thus helping to mitigate the
threat alert fatigue problem.
Comment: 21 pages, 5 figures
A Roadmap for Greater Public Use of Privacy-Sensitive Government Data: Workshop Report
Government agencies collect and manage a wide range of ever-growing datasets.
While such data has the potential to support research and evidence-based policy
making, there are concerns that the dissemination of such data could infringe
upon the privacy of the individuals (or organizations) from whom such data was
collected. To appraise the current state of data sharing, as well as learn
about opportunities for stimulating such sharing at a faster pace, a virtual
workshop was held on May 21st and 26th, 2021, sponsored by the National Science
Foundation and National Institute of Standards and Technology, where a
multinational collection of researchers and practitioners were brought together
to discuss their experiences and learn about recently developed technologies
for managing privacy while sharing data. The workshop specifically focused on
challenges and successes in government data sharing at various levels. The
first day focused on successful examples of new technology applied to sharing
of public data, including formal privacy techniques, synthetic data, and
cryptographic approaches. Day two emphasized brainstorming sessions on some of
the challenges and directions to address them.
Comment: 23 pages