CAPT: Context-Aware Provenance Tracing for Attack Investigation


Authors: Cheng Tan, Lei Zhao, Weijie Liu, Lai Xu, Lina Wang

Affiliations: [1] School of Computer, Wuhan University; [2] Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University

Source: China Communications (English edition), 2018, No. 2, pp. 153-169 (17 pages)

Funding: partially supported by the NSFC-General Technology Basic Research Joint Fund (U1536204); the National Key Technologies R&D Program (2014BAH41B00); the National Natural Science Foundation of China (61672394; 61373168; 61373169); the National High-tech R&D Program of China (863 Program) (2015AA016004)

Abstract: APT attacks are prolonged and have multiple stages, and they usually utilize zero-day or one-day exploits to be penetrating and stealthy. Among all kinds of security techniques, provenance tracing is regarded as an important approach to attack investigation, as it discloses the root cause, the attacking path, and the results of attacks. However, existing techniques either suffer from the limitation of only focusing on the log type, or are highly susceptible to attacks, which hinder their applications in investigating APT attacks. We present CAPT, a context-aware provenance tracing system that leverages the advantages of virtualization technologies to transparently collect system events and network events out of the target machine, and processes them in a specific host, which introduces no space cost to the target. CAPT utilizes the contexts of collected events to bridge the gap between them, and provides a panoramic view to the attack investigation. Our evaluation results show that CAPT achieves effective provenance tracing for the attack cases, and it only produces 0.21 MB overhead in 8 hours. With our newly-developed technology, we keep the average run-time overhead below 4%.

Keywords: attack investigation; provenance tracing; context-aware; virtualization technologies; APT attacks; panoramic view

Classification: TP393.08 [Automation and Computer Technology: Computer Application Technology]; TN953 [Automation and Computer Technology: Computer Science and Technology]
