SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data
This addresses the need for scalable, real-time attack analysis in cybersecurity, though it appears incremental as it builds on existing audit-log methods.
The paper tackles the problem of real-time reconstruction of attack scenarios on enterprise hosts by developing a platform-neutral, dependency graph abstraction and efficient tag-based techniques for detection and reconstruction, successfully detecting and reconstructing red team attacks across Windows, FreeBSD, and Linux in a DARPA evaluation.
We present an approach and system for real-time reconstruction of attack scenarios on an enterprise host. To meet the scalability and real-time needs of the problem, we develop a platform-neutral, main-memory based, dependency graph abstraction of audit-log data. We then present efficient, tag-based techniques for attack detection and reconstruction, including source identification and impact analysis. We also develop methods to reveal the big picture of attacks by construction of compact, visual graphs of attack steps. Our system participated in a red team evaluation organized by DARPA and was able to successfully detect and reconstruct the details of the red team's attacks on hosts running Windows, FreeBSD and Linux.