Publication Date: 12/13/2019
Event: The 35th Annual Computer Security Applications Conference (ACSAC 2019)
Reference: pp. 378-389, 2019
Authors: Jiaping Gui, NEC Laboratories America, Inc.; Xusheng Xiao, Case Western Reserve University; Ding Li, NEC Laboratories America, Inc.; Chung Hwan Kim, NEC Laboratories America, Inc.; Haifeng Chen, NEC Laboratories America, Inc.
Abstract: System monitoring has recently emerged as an effective way to analyze and counter advanced cyber attacks. The monitoring data records a series of system events and provides a global view of system behaviors in an organization. Querying such data to identify potential system risks and malicious behaviors helps security analysts detect and analyze abnormal system behaviors caused by attacks. However, since the data volume is huge, queries could easily run for a long time, making it difficult for system experts to obtain prompt and continuous feedback. To support interactive querying over system monitoring data, we propose ProbeQ, a system that progressively processes system-behavioral queries. It allows users to concisely compose queries that describe system behaviors and specify an update frequency to obtain partial results progressively. The query engine of ProbeQ is built based on a framework that partitions ProbeQ queries into sub-queries for parallel execution and retrieves partial results periodically based on the specified update frequency. We concretize the framework with three partition strategies that predict the workloads for sub-queries, where the adaptive workload partition strategy (AdWd) dynamically adjusts the predicted workloads for subsequent sub-queries based on the latest execution information. We evaluate the prototype system of ProbeQ on commonly used queries for suspicious behaviors over real-world system monitoring data, and the results show that the ProbeQ system can provide partial updates progressively (on average 9.1% deviation from the update frequencies) with only 1.2% execution overhead compared to the execution without progressive processing.
Publication Link: https://dl.acm.org/doi/10.1145/3359789.3359818