Authors: Changhua CHEN (陈昌骅); Hai WAN (万海); Xibin ZHAO (赵曦滨) [1,2,3] (Beijing National Research Center for Information Science and Technology (BNRist), Beijing 100084, China; Key Laboratory for Information System Security, Ministry of Education (KLISS), Beijing 100084, China; School of Software, Tsinghua University, Beijing 100084, China)
Affiliations: [1] Beijing National Research Center for Information Science and Technology, Beijing 100084; [2] Key Laboratory for Information System Security, Ministry of Education, Beijing 100084; [3] School of Software, Tsinghua University, Beijing 100084
Source: Scientia Sinica Informationis (《中国科学:信息科学》), 2024, Issue 9, pp. 2157-2180 (24 pages)
Funding: National Natural Science Foundation of China (Grant Nos. 62076146, U20A6003, 62021002, 6212780016); Ministry of Industry and Information Technology Industrial Technology Basic Public Service Platform project "Public Service Platform for Testing and Security Assessment of Urban Rail Transit Equipment Signal Systems" (Grant No. 2022-233-225); National Key R&D Program of China (Grant No. 2023YFB3307500).
Abstract: In the field of attack investigation, log fusion achieves a fine-grained causality between system entities by introducing rich semantics from multi-level logs to address the challenges of dependency explosion and semantic gaps, aiming to approach the actual execution history. However, due to the use of audit logs for system calls and application logs for program messages to infer complex system states, log fusion-based attack investigation systems have vulnerabilities to adversarial attacks, which this paper is the first to introduce and refers to as log refusion attacks. It is demonstrated how attackers enhance real vulnerabilities to undermine log integrity, bypass existing defenses, disrupt links in provenance, and frame benign users. Subsequently, a new design for attack investigation named ProvGuard (provenance guardian) is proposed, which leverages modeling with both program call control flow and application message data flow for cross-verification of the records in audit and application logs. This ensures the legitimacy and consistency of the execution. If attackers damage provenance data, inconsistencies are detected, alarms are raised, execution paths are corrected, and accurate root causes and ramifications are obtained. This paper implements a prototype on Linux and evaluates it on 14 real-world programs covering all execution classes. The method in this paper successfully validates the reconstruction of correct attack stories, with an average overhead of only 3.62% compared to traditional audit frameworks. Moreover, it reintroduces only 0.78% of false dependencies in the worst case, demonstrating the effectiveness and novelty in defending against attacks.
Keywords: attack investigation; adversarial attack; log fusion; control flow graph; data flow graph
CLC number: TP309 [Automation and Computer Technology: Computer System Architecture]