Rain: Refinable attack investigation with on-demand inter-process information flow tracking

Yang Ji, Sangho Lee, Evan Downing, Weiren Wang, Mattia Fazzini, Taesoo Kim, Alessandro Orso, Wenke Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

82 Scopus citations


As modern attacks become more stealthy and persistent, detecting or preventing them at their early stages becomes virtually impossible. Instead, an attack investigation or provenance system aims to continuously monitor and log interesting system events with minimal overhead. Later, if the system observes any anomalous behavior, it analyzes the log to identify who initiated the attack and which resources were affected by the attack and then assess and recover from any damage incurred. However, because of a fundamental tradeoff between log granularity and system performance, existing systems typically record system-call events without detailed program-level activities (e.g., memory operation) required for accurately reconstructing attack causality or demand that every monitored program be instrumented to provide program-level information. To address this issue, we propose Rain, a Refinable Attack INvestigation system based on a record-replay technology that records system-call events during runtime and performs instructionlevel dynamic information flow tracking (DIFT) during on-demand process replay. Instead of replaying every process with DIFT, Rain conducts system-call-level reachability analysis to filter out unrelated processes and to minimize the number of processes to be replayed, making inter-process DIFT feasible. Evaluation results show that Rain effectively prunes out unrelated processes and determines attack causality with negligible false positive rates. In addition, the runtime overhead of Rain is similar to existing systemcall level provenance systems and its analysis overhead is much smaller than full-system DIFT.

Original languageEnglish (US)
Title of host publicationCCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
PublisherAssociation for Computing Machinery
Number of pages14
ISBN (Electronic)9781450349468
StatePublished - Oct 30 2017
Externally publishedYes
Event24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017 - Dallas, United States
Duration: Oct 30 2017Nov 3 2017

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)1543-7221


Conference24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017
Country/TerritoryUnited States

Bibliographical note

Funding Information:
This research was supported in part by NSF, under awards CNS-0831300, CNS-1017265, DGE-1500084, CCF-1548856, CNS-1563848, SFS-1565523, CRI-1629851, and CNS-1704701, ONR, under grants N000140911042, N000141512162, and N000141612710, DARPA TC (No. DARPA FA8650-15-C-7556) and XD3 programs (No. DARPA HR0011-16-C-0059), NRF-2017R1A6A3A03002506, ETRI IITP/KEIT [B0101-17-0644], and gifts from Facebook, Mozilla, and Intel.

Publisher Copyright:
© 2017 author(s).


  • Attack Provenance
  • Forensic Analysis
  • Information Flow Analysis
  • Record And Replay


Dive into the research topics of 'Rain: Refinable attack investigation with on-demand inter-process information flow tracking'. Together they form a unique fingerprint.

Cite this