CR · May 10, 2020

Xanthus: Push-button Orchestration of Host Provenance Data Collection

arXiv:2005.04717v1 · 12 citations
AI Analysis

Xanthus gives security administrators and researchers a push-button way to generate audit logs for evaluating host-based anomaly detectors. The contribution is incremental in that it builds on existing virtualization and tracing technologies rather than introducing a new tracing mechanism.

The paper addresses the difficulty of evaluating host-based anomaly detectors, which stems from the lack of high-quality public audit logs and of frameworks for generating realistic system traces. It introduces Xanthus, an automated tool that orchestrates virtual machines to produce realistic audit logs and packages them as self-describing archives, removing the manual orchestration steps where human error leads to non-replicable experiments.

Host-based anomaly detectors generate alarms by inspecting audit logs for suspicious behavior. Unfortunately, evaluating these anomaly detectors is hard. There are few high-quality, publicly-available audit logs, and there are no pre-existing frameworks that enable push-button creation of realistic system traces. To make trace generation easier, we created Xanthus, an automated tool that orchestrates virtual machines to generate realistic audit logs. Using Xanthus' simple management interface, administrators select a base VM image, configure a particular tracing framework to use within that VM, and define post-launch scripts that collect and save trace data. Once data collection is finished, Xanthus creates a self-describing archive, which contains the VM, its configuration parameters, and the collected trace data. We demonstrate that Xanthus hides many of the tedious (yet subtle) orchestration tasks that humans often get wrong; Xanthus avoids mistakes that lead to non-replicable experiments.
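The workflow in the abstract (pick a base image, pick a tracing framework, run post-launch scripts, then bundle VM, configuration and traces into a self-describing archive) is shown below as an added example written for this page; it is not Xanthus' own code. The archive layout (manifest.json, image/, traces/), the field names and the tracer label are assumptions, and the guest is simulated: post-launch scripts run on the host with sh and a small file stands in for the VM image, so the example runs offline. The manifest records a SHA-256 for every file, which is what lets a later reader check that the archive they reproduce from is the one the experiment actually used.

```python
"""Toy push-button provenance run that emits a self-describing archive (added example, not Xanthus code)."""
import hashlib
import json
import os
import subprocess
import tarfile
import tempfile
from dataclasses import dataclass, asdict, field


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class RunConfig:
    base_image: str                      # path to the VM image (any file here)
    tracer: str                          # tracing framework label (assumed name)
    tracer_config: dict = field(default_factory=dict)
    post_launch_scripts: list = field(default_factory=list)


def run_collection(cfg, workdir):
    """Run each post-launch script in order and save its stdout as a trace file.
    A real orchestrator would run these inside the guest; here they run on the host."""
    os.makedirs(os.path.join(workdir, "traces"), exist_ok=True)
    runs = []
    for i, script in enumerate(cfg.post_launch_scripts):
        proc = subprocess.run(["sh", "-c", script], capture_output=True, text=True)
        rel = os.path.join("traces", "script%02d.trace" % i)
        with open(os.path.join(workdir, rel), "w") as f:
            f.write(proc.stdout)
        runs.append({"script": script, "returncode": proc.returncode, "trace": rel})
    return runs


def build_archive(cfg, workdir, out_path):
    """Collect traces, then bundle image + config + traces + per-file hashes into one tarball."""
    runs = run_collection(cfg, workdir)
    image_rel = os.path.join("image", os.path.basename(cfg.base_image))
    manifest = {"config": asdict(cfg), "runs": runs,
                "files": {image_rel: sha256_file(cfg.base_image)}}
    for r in runs:
        manifest["files"][r["trace"]] = sha256_file(os.path.join(workdir, r["trace"]))
    manifest_path = os.path.join(workdir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    with tarfile.open(out_path, "w:gz") as tar:
        tar.add(manifest_path, arcname="manifest.json")
        tar.add(cfg.base_image, arcname=image_rel)
        for r in runs:
            tar.add(os.path.join(workdir, r["trace"]), arcname=r["trace"])
    return manifest


def extract_archive(archive_path, dest):
    # The 'data' filter (Python 3.12+ and backports) refuses path-traversal entries.
    with tarfile.open(archive_path) as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def verify_directory(root):
    """Re-hash every file the manifest names; return the relative paths that do not match."""
    with open(os.path.join(root, "manifest.json")) as f:
        manifest = json.load(f)
    bad = [rel for rel, digest in manifest["files"].items()
           if not os.path.exists(os.path.join(root, rel))
           or sha256_file(os.path.join(root, rel)) != digest]
    return sorted(bad)


def verify_archive(archive_path):
    with tempfile.TemporaryDirectory() as d:
        extract_archive(archive_path, d)
        return verify_directory(d)


def demo():
    """End-to-end run on constructed inputs; returns the checks a reader can inspect."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "base.qcow2")          # constructed stand-in for a VM image
        with open(image, "wb") as f:
            f.write(b"not a real disk image\n")
        cfg = RunConfig(
            base_image=image, tracer="auditd",          # assumed tracer label
            tracer_config={"rules": ["-a always,exit -F arch=b64 -S execve"]},
            post_launch_scripts=[                       # constructed audit-style lines
                "printf 'type=SYSCALL msg=audit(1589068800.001:1): syscall=59 exe=/usr/bin/id\\n'",
                "printf 'type=SYSCALL msg=audit(1589068800.002:2): syscall=59 exe=/usr/bin/ls\\n'",
            ])
        archive = os.path.join(d, "run.tar.gz")
        manifest = build_archive(cfg, os.path.join(d, "work"), archive)
        clean = verify_archive(archive)
        # Tamper with one extracted trace: verification must name exactly that file.
        extracted = os.path.join(d, "ex")
        extract_archive(archive, extracted)
        with open(os.path.join(extracted, "traces", "script01.trace"), "a") as f:
            f.write("type=SYSCALL msg=audit(1589068800.003:3): injected\n")
        with open(os.path.join(extracted, "traces", "script00.trace")) as f:
            first_line = f.read().splitlines()[0]
        return {"traces": len(manifest["runs"]), "clean": clean,
                "tampered": verify_directory(extracted), "first_trace_line": first_line}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the manifest is the replicability claim in the abstract: a downstream experiment that re-runs a detector on these traces can first confirm the image hash and trace hashes, so a silently edited log or a different base image is caught before results are compared.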

Code Implementations: 1 repo