TY - GEN
T1 - Forensic Analysis of Configuration-based Attacks
AU - Inam, Muhammad Adil
AU - Ul Hassan, Wajih
AU - Ahad, Ali
AU - Bates, Adam
AU - Tahir, Rashid
AU - Xu, Tianyin
AU - Zaffar, Fareed
N1 - Publisher Copyright:
© 2022 29th Annual Network and Distributed System Security Symposium, NDSS 2022. All Rights Reserved.
PY - 2022
Y1 - 2022
N2 - Causality analysis is an effective technique for investigating and detecting cyber attacks. However, by focusing on auditing at the operating system level, existing causal analysis techniques lack visibility into important application-level semantics, such as configuration changes that control application runtime behavior. This leads to incorrect attack attribution and half-baked tracebacks. In this work, we propose Dossier, a specialized provenance tracker that enhances the visibility of the Linux auditing infrastructure. By providing additional hooks into the system, Dossier can generate a holistic view of the target application's event history and causal chains, particularly those pertaining to configuration changes, which are among the most common attack vectors observed in the real world. The extra vantage points in Dossier enable forensic investigators to bridge the semantic gap and correctly piece together attack fragments. Dossier leverages the versatility of information flow tracking and system call introspection to track all configuration changes, including both dynamic modifications that directly update configuration-related program variables and revisions to configuration files on disk, with negligible runtime overhead (less than 7%). Evaluation on realistic workloads and real-world attack scenarios shows that Dossier can effectively reason about configuration-based attacks and accurately reconstruct whole attack stories.
AB - Causality analysis is an effective technique for investigating and detecting cyber attacks. However, by focusing on auditing at the operating system level, existing causal analysis techniques lack visibility into important application-level semantics, such as configuration changes that control application runtime behavior. This leads to incorrect attack attribution and half-baked tracebacks. In this work, we propose Dossier, a specialized provenance tracker that enhances the visibility of the Linux auditing infrastructure. By providing additional hooks into the system, Dossier can generate a holistic view of the target application's event history and causal chains, particularly those pertaining to configuration changes, which are among the most common attack vectors observed in the real world. The extra vantage points in Dossier enable forensic investigators to bridge the semantic gap and correctly piece together attack fragments. Dossier leverages the versatility of information flow tracking and system call introspection to track all configuration changes, including both dynamic modifications that directly update configuration-related program variables and revisions to configuration files on disk, with negligible runtime overhead (less than 7%). Evaluation on realistic workloads and real-world attack scenarios shows that Dossier can effectively reason about configuration-based attacks and accurately reconstruct whole attack stories.
UR - http://www.scopus.com/inward/record.url?scp=85147014154&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85147014154&partnerID=8YFLogxK
U2 - 10.14722/ndss.2022.23057
DO - 10.14722/ndss.2022.23057
M3 - Conference contribution
AN - SCOPUS:85147014154
T3 - 29th Annual Network and Distributed System Security Symposium, NDSS 2022
BT - 29th Annual Network and Distributed System Security Symposium, NDSS 2022
PB - The Internet Society
T2 - 29th Annual Network and Distributed System Security Symposium, NDSS 2022
Y2 - 24 April 2022 through 28 April 2022
ER -