Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking

Yang Ji; Sangho Lee; Mattia Fazzini; Joey Allen; Evan Downing; Taesoo Kim; Alessandro Orso; Wenke Lee

Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking

Yang Ji
, Sangho Lee
, Mattia Fazzini
, Joey Allen
, Evan Downing
, Taesoo Kim
, Alessandro Orso
, Wenke Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Investigating attacks across multiple hosts is challenging. The true dependencies between security-sensitive files, network endpoints, or memory objects from different hosts can be easily concealed by dependency explosion or undefined program behavior (e.g., memory corruption). Dynamic information flow tracking (DIFT) is a potential solution to this problem, but, existing DIFT techniques only track information flow within a single host and lack an efficient mechanism to maintain and synchronize the data flow tags globally across multiple hosts. In this paper, we propose RTAG, an efficient data flow tagging and tracking mechanism that enables practical cross-host attack investigations. RTAG is based on three novel techniques. First, by using a record-and-replay technique, it decouples the dependencies between different data flow tags from the analysis, enabling lazy synchronization between independent and parallel DIFT instances of different hosts. Second, it takes advantage of systemcall-level provenance information to calculate and allocate the optimal tag map in terms of memory consumption. Third, it embeds tag information into network packets to track cross-host data flows with less than 0.05% network bandwidth overhead. Evaluation results show that RTAG is able to recover the true data flows of realistic cross-host attack scenarios. Performance wise, RTAG reduces the memory consumption of DIFT-based analysis by up to 90% and decreases the overall analysis time by 60%-90% compared with previous investigation systems.

Original language	English (US)
Title of host publication	Proceedings of the 27th USENIX Security Symposium
Publisher	USENIX Association
Pages	1705-1722
Number of pages	18
ISBN (Electronic)	9781939133045
State	Published - 2018
Externally published	Yes
Event	27th USENIX Security Symposium, USENIX Security 2018 - Baltimore, United States Duration: Aug 15 2018 → Aug 17 2018

Publication series

Name	Proceedings of the 27th USENIX Security Symposium

Conference

Conference	27th USENIX Security Symposium, USENIX Security 2018
Country/Territory	United States
City	Baltimore
Period	8/15/18 → 8/17/18

Bibliographical note

Funding Information:
We thank the anonymous reviewers for their helpful feedback. This research was supported in part by NSF, under awards CNS-0831300, CNS-1017265, CCF-1548856, CNS-1563848, CRI-1629851, CNS-1704701, and CNS-1749711, ONR, under grants N000140911042, N000141512162, N000141612710, and N000141712895, DARPA TC (No. DARPA FA8650-15-C-7556), NRF-2017R1A6A3A03002506, ETRI IITP/KEIT [2014-0-00035], and gifts from Facebook, Mozilla, and Intel.

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 16 Peace, Justice and Strong Institutions

Find It

Find It at U of M Libraries

Cite this

Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking. / Ji, Yang; Lee, Sangho; Fazzini, Mattia et al.
Proceedings of the 27th USENIX Security Symposium. USENIX Association, 2018. p. 1705-1722 (Proceedings of the 27th USENIX Security Symposium).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Ji, Y, Lee, S, Fazzini, M, Allen, J, Downing, E, Kim, T, Orso, A & Lee, W 2018, Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking. in Proceedings of the 27th USENIX Security Symposium. Proceedings of the 27th USENIX Security Symposium, USENIX Association, pp. 1705-1722, 27th USENIX Security Symposium, USENIX Security 2018, Baltimore, United States, 8/15/18.

@inproceedings{9395cb6f5c224590907c63b7e79b1829,

title = "Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking",

abstract = "Investigating attacks across multiple hosts is challenging. The true dependencies between security-sensitive files, network endpoints, or memory objects from different hosts can be easily concealed by dependency explosion or undefined program behavior (e.g., memory corruption). Dynamic information flow tracking (DIFT) is a potential solution to this problem, but, existing DIFT techniques only track information flow within a single host and lack an efficient mechanism to maintain and synchronize the data flow tags globally across multiple hosts. In this paper, we propose RTAG, an efficient data flow tagging and tracking mechanism that enables practical cross-host attack investigations. RTAG is based on three novel techniques. First, by using a record-and-replay technique, it decouples the dependencies between different data flow tags from the analysis, enabling lazy synchronization between independent and parallel DIFT instances of different hosts. Second, it takes advantage of systemcall-level provenance information to calculate and allocate the optimal tag map in terms of memory consumption. Third, it embeds tag information into network packets to track cross-host data flows with less than 0.05\% network bandwidth overhead. Evaluation results show that RTAG is able to recover the true data flows of realistic cross-host attack scenarios. Performance wise, RTAG reduces the memory consumption of DIFT-based analysis by up to 90\% and decreases the overall analysis time by 60\%-90\% compared with previous investigation systems.",

author = "Yang Ji and Sangho Lee and Mattia Fazzini and Joey Allen and Evan Downing and Taesoo Kim and Alessandro Orso and Wenke Lee",

note = "Funding Information: We thank the anonymous reviewers for their helpful feedback. This research was supported in part by NSF, under awards CNS-0831300, CNS-1017265, CCF-1548856, CNS-1563848, CRI-1629851, CNS-1704701, and CNS-1749711, ONR, under grants N000140911042, N000141512162, N000141612710, and N000141712895, DARPA TC (No. DARPA FA8650-15-C-7556), NRF-2017R1A6A3A03002506, ETRI IITP/KEIT [2014-0-00035], and gifts from Facebook, Mozilla, and Intel.; 27th USENIX Security Symposium, USENIX Security 2018 ; Conference date: 15-08-2018 Through 17-08-2018",

year = "2018",

language = "English (US)",

series = "Proceedings of the 27th USENIX Security Symposium",

publisher = "USENIX Association",

pages = "1705--1722",

booktitle = "Proceedings of the 27th USENIX Security Symposium",

}

TY - GEN

T1 - Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking

AU - Ji, Yang

AU - Lee, Sangho

AU - Fazzini, Mattia

AU - Allen, Joey

AU - Downing, Evan

AU - Kim, Taesoo

AU - Orso, Alessandro

AU - Lee, Wenke

N1 - Funding Information: We thank the anonymous reviewers for their helpful feedback. This research was supported in part by NSF, under awards CNS-0831300, CNS-1017265, CCF-1548856, CNS-1563848, CRI-1629851, CNS-1704701, and CNS-1749711, ONR, under grants N000140911042, N000141512162, N000141612710, and N000141712895, DARPA TC (No. DARPA FA8650-15-C-7556), NRF-2017R1A6A3A03002506, ETRI IITP/KEIT [2014-0-00035], and gifts from Facebook, Mozilla, and Intel.

PY - 2018

Y1 - 2018

N2 - Investigating attacks across multiple hosts is challenging. The true dependencies between security-sensitive files, network endpoints, or memory objects from different hosts can be easily concealed by dependency explosion or undefined program behavior (e.g., memory corruption). Dynamic information flow tracking (DIFT) is a potential solution to this problem, but, existing DIFT techniques only track information flow within a single host and lack an efficient mechanism to maintain and synchronize the data flow tags globally across multiple hosts. In this paper, we propose RTAG, an efficient data flow tagging and tracking mechanism that enables practical cross-host attack investigations. RTAG is based on three novel techniques. First, by using a record-and-replay technique, it decouples the dependencies between different data flow tags from the analysis, enabling lazy synchronization between independent and parallel DIFT instances of different hosts. Second, it takes advantage of systemcall-level provenance information to calculate and allocate the optimal tag map in terms of memory consumption. Third, it embeds tag information into network packets to track cross-host data flows with less than 0.05% network bandwidth overhead. Evaluation results show that RTAG is able to recover the true data flows of realistic cross-host attack scenarios. Performance wise, RTAG reduces the memory consumption of DIFT-based analysis by up to 90% and decreases the overall analysis time by 60%-90% compared with previous investigation systems.

AB - Investigating attacks across multiple hosts is challenging. The true dependencies between security-sensitive files, network endpoints, or memory objects from different hosts can be easily concealed by dependency explosion or undefined program behavior (e.g., memory corruption). Dynamic information flow tracking (DIFT) is a potential solution to this problem, but, existing DIFT techniques only track information flow within a single host and lack an efficient mechanism to maintain and synchronize the data flow tags globally across multiple hosts. In this paper, we propose RTAG, an efficient data flow tagging and tracking mechanism that enables practical cross-host attack investigations. RTAG is based on three novel techniques. First, by using a record-and-replay technique, it decouples the dependencies between different data flow tags from the analysis, enabling lazy synchronization between independent and parallel DIFT instances of different hosts. Second, it takes advantage of systemcall-level provenance information to calculate and allocate the optimal tag map in terms of memory consumption. Third, it embeds tag information into network packets to track cross-host data flows with less than 0.05% network bandwidth overhead. Evaluation results show that RTAG is able to recover the true data flows of realistic cross-host attack scenarios. Performance wise, RTAG reduces the memory consumption of DIFT-based analysis by up to 90% and decreases the overall analysis time by 60%-90% compared with previous investigation systems.

UR - https://www.scopus.com/pages/publications/85075925186

UR - https://www.scopus.com/pages/publications/85075925186#tab=citedBy

M3 - Conference contribution

AN - SCOPUS:85075925186

T3 - Proceedings of the 27th USENIX Security Symposium

SP - 1705

EP - 1722

BT - Proceedings of the 27th USENIX Security Symposium

PB - USENIX Association

T2 - 27th USENIX Security Symposium, USENIX Security 2018

Y2 - 15 August 2018 through 17 August 2018

ER -

Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking

Abstract

Publication series

Conference

Bibliographical note

UN SDGs

Find It

Other files and links

Fingerprint

Cite this