ProPatrol: Attack Investigation via Extracted High-Level Tasks
This addresses the challenge of efficient cyber-attack investigation for security professionals, representing an incremental improvement by leveraging existing application architectures without requiring source code.
The authors tackled the problem of coarse granularity in kernel audit logs leading to huge attack graphs with false dependencies by proposing ProPatrol, a system that infers high-level tasks from audit logs to reduce forensic investigation effort and pinpoint root causes, achieving less than 2% runtime overhead.
Kernel audit logs are an invaluable source of information in the forensic investigation of a cyber-attack. However, the coarse granularity of dependency information in audit logs leads to the construction of huge attack graphs which contain false or inaccurate dependencies. To overcome this problem, we propose a system, called ProPatrol, which leverages the open compartmentalized design in families of enterprise applications used in security-sensitive contexts (e.g., browser, chat client, email client). To achieve its goal, ProPatrol infers a model for an application's high-level tasks as input-processing compartments using purely the audit log events generated by that application. The main benefit of this approach is that it does not rely on source code or binary instrumentation, but only on a preliminary and general knowledge of an application's architecture to bootstrap the analysis. Our experiments with enterprise-level attacks demonstrate that ProPatrol significantly cuts down the forensic investigation effort and quickly pinpoints the root- cause of attacks. ProPatrol incurs less than 2% runtime overhead on a commodity operating system.