Publication Date: 2/21/2018
Event: Proceedings of Network and Distributed Systems Security (NDSS) Symposium 2018
Reference: 1-15, 2018
Authors: Yushan Liu, Princeton University; Mu Zhang, NEC Laboratories America, Inc.; Kangkook Jee, NEC Laboratories America, Inc.; Ding Li, NEC Laboratories America, Inc.; Zhenyu Wu, NEC Laboratories America, Inc.; Junghwan Rhee, NEC Laboratories America, Inc.; Prateek Mittal, Princeton University
Abstract: Increasingly sophisticated Advanced Persistent Threat (APT) attacks have become a serious challenge for enterprise IT security. Attack causality analysis, which tracks multi-hop causal relationships between files and processes to diagnose an attack's provenance and consequences, is the first step towards understanding an APT attack and mounting an appropriate response. Since attack causality analysis is a time-critical mission, causality tracking systems must be designed to extract useful attack information in a timely manner. However, prior work falls short of this need. Existing approaches have largely focused on pruning causal dependencies that are entirely irrelevant to the attack, but fail to differentiate and prioritize abnormal events among the numerous relevant, yet benign and complicated, system operations, resulting in long investigation times and slow responses.