Enabling Efficient Attack Investigation via Human-in-the-Loop Security Analysis
This work addresses the problem of timely attack investigation for security analysts, offering a practical tool to handle large-scale data, though it is incremental in improving existing methods.
The paper tackles the challenge of investigating complex multi-step attacks from massive system provenance data by introducing Provexa, a defense system with a domain-specific language (ProvQL) and optimized engine, enabling human analysts to efficiently uncover attack sequences, as demonstrated in extensive evaluations.
System auditing is a vital technique for collecting system call events as system provenance and investigating complex multi-step attacks such as Advanced Persistent Threats. However, existing attack investigation methods struggle to uncover long attack sequences due to the massive volume of system provenance data and their inability to focus on attack-relevant parts. In this paper, we present Provexa, a defense system that enables human analysts to effectively analyze large-scale system provenance to reveal multi-step attack sequences. Provexa introduces an expressive domain-specific language, ProvQL, that offers essential primitives for various types of attack analyses (e.g., attack pattern search, attack dependency tracking) with user-defined constraints, enabling analysts to focus on attack-relevant parts and iteratively sift through the large provenance data. Moreover, Provexa provides an optimized execution engine for efficient language execution. Our extensive evaluations on a wide range of attack scenarios demonstrate the practical effectiveness of Provexa in facilitating timely attack investigation.
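To make the dependency-tracking primitive concrete, the following is an added Python illustration of backward and forward causal tracking over a provenance graph with a user-defined constraint. It is not ProvQL, not Provexa's engine, and not code from the paper; the audit events, node names and the documentation-range IP address are all constructed, and the information-flow encoding of system calls (read: file/socket to process, write/send: process to file/socket, exec: file to process) is the conventional one assumed here.

```python
"""Backward / forward dependency tracking over a system-provenance graph.

Added illustration of the kind of analysis the abstract describes
(dependency tracking with user-defined constraints).  Generic Python,
not ProvQL and not Provexa's engine; every event below is constructed.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Event:
    ts: int    # audit timestamp (constructed, monotonic integers)
    src: str   # information-flow source (file, socket or process)
    dst: str   # information-flow sink
    op: str    # system-call operation that produced the flow


# Constructed audit log.  Each system call is rewritten as a directed
# information-flow edge src -> dst, the usual provenance-graph encoding:
#   read/recv : file|socket -> process     write/send : process -> file|socket
#   exec      : file -> process            fork       : process -> process
EVENTS: List[Event] = [
    Event(1, "sock:203.0.113.7:443", "proc:curl", "recv"),
    Event(2, "proc:curl", "file:/tmp/payload", "write"),
    Event(2, "file:/etc/passwd", "proc:bash", "read"),      # unrelated noise
    Event(3, "file:/tmp/payload", "proc:payload", "exec"),
    Event(4, "proc:payload", "file:/etc/cron.d/job", "write"),
    Event(6, "proc:backup", "file:/tmp/payload", "write"),  # later write: must not
                                                            # appear in backward tracking
    Event(7, "file:/tmp/payload", "proc:indexer", "read"),  # benign consumer: noise
                                                            # in forward tracking
]

Constraint = Callable[[Event], bool]


def track(events: List[Event], start: str, start_ts: int, direction: str,
          keep: Constraint = lambda e: True) -> List[Event]:
    """Causal dependency tracking with the standard time-ordering rule.

    Backward: an event can influence `node` only if it flows INTO it and
    happened BEFORE the time bound at which `node` was reached.
    Forward:  an event can be influenced only if it flows OUT of `node`
    and happened AFTER the bound.  `keep` is the analyst-supplied
    constraint; events it rejects are never followed.
    """
    if direction not in ("backward", "forward"):
        raise ValueError(direction)
    backward = direction == "backward"
    # Best known time bound per node.  Re-expand a node only when a new
    # bound admits more events (later for backward, earlier for forward).
    bound: Dict[str, int] = {start: start_ts}
    work = deque([start])
    found: Set[Event] = set()
    while work:
        node = work.popleft()
        t = bound[node]
        for e in events:
            if not keep(e):
                continue
            if backward:
                hit, nxt = (e.dst == node and e.ts < t), e.src
            else:
                hit, nxt = (e.src == node and e.ts > t), e.dst
            if not hit:
                continue
            found.add(e)
            improved = nxt not in bound or (
                e.ts > bound[nxt] if backward else e.ts < bound[nxt])
            if improved:
                bound[nxt] = e.ts
                work.append(nxt)
    # The causally related events, stitched into a time-ordered sequence.
    return sorted(found, key=lambda e: e.ts)


def backward_track(events, node, ts, keep=lambda e: True):
    """Everything that could have led to `node` as of time `ts`."""
    return track(events, node, ts, "backward", keep)


def forward_track(events, node, ts, keep=lambda e: True):
    """Everything `node` could have affected after time `ts`."""
    return track(events, node, ts, "forward", keep)


if __name__ == "__main__":
    # Point of interest: an alert on the cron job file, raised at t=5.
    for e in backward_track(EVENTS, "file:/etc/cron.d/job", 5):
        print(f"t={e.ts} {e.src} --{e.op}--> {e.dst}")
    # Forward from the remote socket, ignoring the benign indexer.
    not_indexer = lambda e: e.dst != "proc:indexer"
    for e in forward_track(EVENTS, "sock:203.0.113.7:443", 0, not_indexer):
        print(f"t={e.ts} {e.src} --{e.op}--> {e.dst}")
```

The time-ordering rule is what keeps the later `proc:backup` write out of the backward result, and the constraint is what keeps the `proc:indexer` read out of the forward result; without such constraints forward tracking over real audit data tends to explode, which is the dependency-explosion problem that user-defined filters are meant to contain.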