This is Why We Can't Cache Nice Things: Lightning-Fast Threat Hunting using Suspicion-Based Hierarchical Storage

Wajih Ul Hassan, Ding Li, Kangkook Jee, Xiao Yu, Kexuan Zou, Dawei Wang, Zhengzhang Chen, Zhichun Li, Junghwan Rhee, Jiaping Gui, Adam Bates

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

Recent advances in causal analysis can accelerate incident response time, but only after a causal graph of the attack has been constructed. Unfortunately, existing causal graph generation techniques are mainly offline and may take hours or days to respond to investigator queries, creating greater opportunity for attackers to hide their attack footprint, gain persistency, and propagate to other machines. To address that limitation, we present Swift, a threat investigation system that provides high-throughput causality tracking and real-time causal graph generation capabilities. We design an in-memory graph database that enables space-efficient graph storage and online causality tracking with minimal disk operations. We propose a hierarchical storage system that keeps the forensically-relevant part of the causal graph in main memory while evicting the rest to disk. To identify the causal graph that is likely to be relevant during the investigation, we design an asynchronous cache eviction policy that calculates the most suspicious part of the causal graph and caches only that part in the main memory. We evaluated Swift on a real-world enterprise to demonstrate how our system scales to process typical event loads and how it responds to forensic queries when security alerts occur. Results show that Swift is scalable, modular, and answers forensic queries in real-time even when analyzing audit logs containing tens of millions of events.

Original language: English (US)
Title of host publication: Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020
Publisher: Association for Computing Machinery
Pages: 165-178
Number of pages: 14
ISBN (Electronic): 9781450388580
State: Published - Dec 7 2020
Event: 36th Annual Computer Security Applications Conference, ACSAC 2020 - Virtual, Online, United States
Duration: Dec 7 2020 to Dec 11 2020

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 36th Annual Computer Security Applications Conference, ACSAC 2020
Country: United States
City: Virtual, Online
Period: 12/7/20 to 12/11/20

Keywords

  • Auditing
  • Data Provenance
  • Digital Forensics

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications
