101 research outputs found
Xanthus: Push-button Orchestration of Host Provenance Data Collection
Host-based anomaly detectors generate alarms by inspecting audit logs for
suspicious behavior. Unfortunately, evaluating these anomaly detectors is hard.
There are few high-quality, publicly-available audit logs, and there are no
pre-existing frameworks that enable push-button creation of realistic system
traces. To make trace generation easier, we created Xanthus, an automated tool
that orchestrates virtual machines to generate realistic audit logs. Using
Xanthus' simple management interface, administrators select a base VM image,
configure a particular tracing framework to use within that VM, and define
post-launch scripts that collect and save trace data. Once data collection is
finished, Xanthus creates a self-describing archive, which contains the VM, its
configuration parameters, and the collected trace data. We demonstrate that
Xanthus hides many of the tedious (yet subtle) orchestration tasks that humans
often get wrong; Xanthus avoids mistakes that lead to non-replicable
experiments.Comment: 6 pages, 1 figure, 7 listings, 1 table, worksho
Ellipsis: Towards Efficient System Auditing for Real-Time Systems
System auditing is a powerful tool that provides insight into the nature of
suspicious events in computing systems, allowing machine operators to detect
and subsequently investigate security incidents. While auditing has proven
invaluable to the security of traditional computers, existing audit frameworks
are rarely designed with consideration for Real-Time Systems (RTS). The
transparency provided by system auditing would be of tremendous benefit in a
variety of security-critical RTS domains, (e.g., autonomous vehicles); however,
if audit mechanisms are not carefully integrated into RTS, auditing can be
rendered ineffectual and violate the real-world temporal requirements of the
RTS.
In this paper, we demonstrate how to adapt commodity audit frameworks to RTS.
Using Linux Audit as a case study, we first demonstrate that the volume of
audit events generated by commodity frameworks is unsustainable within the
temporal and resource constraints of real-time (RT) applications. To address
this, we present Ellipsis, a set of kernel-based reduction techniques that
leverage the periodic repetitive nature of RT applications to aggressively
reduce the costs of system-level auditing. Ellipsis generates succinct
descriptions of RT applications' expected activity while retaining a detailed
record of unexpected activities, enabling analysis of suspicious activity while
meeting temporal constraints. Our evaluation of Ellipsis, using ArduPilot (an
open-source autopilot application suite) demonstrates up to 93% reduction in
audit log generation.Comment: Extended version of a paper accepted at ESORICS 202
- …