Tracking and Analysis of Causality at Enterprise Level (TRACE)
Abstract
We report on our work developing the TRACE framework, which combines novel host-level tracking techniques with a proven enterprise-wide tracking system. TRACE aimed to enable the detection and investigation of advanced persistent threat (APT) attacks in an enterprise environment using provenance, and it supports both what-provenance and how-provenance. Our design and implementation provided both logging and provenance-propagation primitives. The host-level provenance tracking component monitors host execution and collects both what- and how-provenance for individual hosts at the granularity of program execution units [22]. The enterprise-wide provenance tracking component builds upon the SPADE engine [10], which has proven scalable and high-performance, and on QuickGrail [7], which provides advanced query capabilities. Over four years and five engagements, we developed, evaluated, and refined TRACE, improving its performance, scalability, and fidelity. During this time, system call coverage increased from 47 to 66 syscalls, while time and space overhead were reduced by over one and two orders of magnitude, respectively. We also found that the TRACE instrumentation stack gave the TA2 (detection and analysis) teams sufficient evidence to detect 80 percent of the attack stages across all evaluations, making TRACE one of the top-performing TA1 (tagging and tracking) systems in the DARPA Transparent Computing program. Our work was disseminated in 13 top-tier publications (ACSAC 2015, NDSS 2016, ASPLOS 2016, NDSS 2017, Usenix Security, NDSS 2018, Usenix ATC 2018, ACSAC 2018) and received best paper awards at both the Network and Distributed System Security Symposium (NDSS 2016) and Usenix Security 2017. The team also graduated three PhD students who contributed to TRACE.
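To make the host-level idea in the abstract concrete, the following is an added example written for this page; it is not code from TRACE, SPADE or QuickGrail, and its audit records are constructed rather than captured. It builds a data-flow graph from syscall-style records (read, write, exec, connect), then answers the two queries an investigator asks of what-provenance: what may have been derived from a suspicious network connection (forward), and what may have contributed to a suspicious output file (backward). The time-aware variant only propagates a dependency through operations that are possible in observed order, which is the same dependency-explosion problem that execution-unit partitioning addresses; the `naive` flag shows how much over-approximation that check removes. The `explain` helper returns one chain of syscalls behind a dependency as a crude stand-in for how-provenance. Node naming (`proc:`, `file:`, `net:`), the record layout and the sequence numbers are assumptions of this example.

```python
"""Toy host-level provenance graph built from syscall-style audit records.

Example code written for this page to illustrate what-provenance queries
over a syscall-derived graph; it is not code from TRACE, SPADE or
QuickGrail, and the records below are constructed, not real audit output.
"""
from collections import defaultdict, deque

# Constructed records: (seq, pid, syscall, object). seq is the order in
# which the kernel observed the call, which is what lets the queries below
# discard dependencies that are impossible in time.
RECORDS = [
    (1,  "p2", "write",   "file:/tmp/early.txt"),   # before p2 touches tainted data
    (2,  "p1", "connect", "net:203.0.113.5:443"),
    (3,  "p1", "write",   "file:/tmp/dl.sh"),
    (4,  "p2", "read",    "file:/tmp/dl.sh"),
    (5,  "p2", "exec",    "proc:p3"),
    (6,  "p3", "read",    "file:/etc/passwd"),
    (7,  "p3", "write",   "file:/tmp/out.txt"),
    (8,  "p4", "read",    "file:/tmp/out.txt"),
    (9,  "p4", "write",   "file:/var/log/app.log"),
    (10, "p5", "read",    "file:/etc/hosts"),
    (11, "p5", "write",   "file:/tmp/dl.sh"),       # later write, not an ancestor of out.txt
]


def build_graph(records):
    """Map each node to its outgoing (dst, seq) edges, oriented in the
    direction data flows: read file->proc, write proc->file,
    exec parent->child, connect socket<->proc."""
    edges = defaultdict(list)
    for seq, pid, call, obj in records:
        proc = f"proc:{pid}"
        if call == "read":
            edges[obj].append((proc, seq))
        elif call in ("write", "exec"):
            edges[proc].append((obj, seq))
        elif call == "connect":
            edges[obj].append((proc, seq))
            edges[proc].append((obj, seq))
    return edges


def forward_provenance(edges, start, naive=False):
    """Everything that may carry data derived from `start` (forward
    what-provenance). Returns ({node: seq at which taint first reached it},
    {node: (predecessor, seq)}).

    With naive=False an edge only propagates taint if it happened after
    taint reached its source; naive=True ignores time and over-approximates,
    which is the dependency explosion execution-unit partitioning curbs."""
    reached, parent = {start: 0}, {}
    q = deque([start])
    while q:
        n = q.popleft()
        for dst, seq in edges[n]:
            if not naive and seq < reached[n]:
                continue
            if dst not in reached or seq < reached[dst]:
                reached[dst] = seq
                parent[dst] = (n, seq)
                q.append(dst)
    del reached[start]
    return reached, parent


def backward_provenance(edges, target, naive=False):
    """Everything that may have contributed data to `target` (backward
    what-provenance): walk edges in reverse, only through operations that
    happened no later than the point at which the dependency was observed."""
    rev = defaultdict(list)
    for src, outs in edges.items():
        for dst, seq in outs:
            rev[dst].append((src, seq))
    reached = {target: float("inf")}
    q = deque([target])
    while q:
        n = q.popleft()
        for src, seq in rev[n]:
            if not naive and seq > reached[n]:
                continue
            if src not in reached or seq > reached[src]:
                reached[src] = seq
                q.append(src)
    del reached[target]
    return set(reached)


def explain(parent, node):
    """Chain of (src, dst, seq) hops by which taint reached `node`: a crude
    stand-in for how-provenance, listing the syscalls behind a dependency."""
    hops = []
    while node in parent:
        src, seq = parent[node]
        hops.append((src, node, seq))
        node = src
    return list(reversed(hops))


if __name__ == "__main__":
    g = build_graph(RECORDS)
    fwd, par = forward_provenance(g, "net:203.0.113.5:443")
    print("downstream of the connection:", sorted(fwd))
    print("how app.log depends on it:", explain(par, "file:/var/log/app.log"))
    print("ancestors of out.txt:", sorted(backward_provenance(g, "file:/tmp/out.txt")))
    print("naive ancestors:", sorted(backward_provenance(g, "file:/tmp/out.txt", naive=True)))
```

On the constructed records, the time-aware backward query from `/tmp/out.txt` stops at `p1` and the connection, while the naive query also drags in `p5` and `/etc/hosts` through the later overwrite of `/tmp/dl.sh`; the forward query from the connection likewise excludes `/tmp/early.txt`, which `p2` wrote before it ever read tainted data. A real system must additionally partition long-running processes into execution units, since a single process that lives for hours otherwise links every input it ever read to every output it ever wrote.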
Document Details
- Document Type
- Technical Report
- Publication Date
- Mar 11, 2020
- Accession Number
- AD1092861
Entities
People
- Gabriela Ciocarlie
Organizations
- SRI International