A Survey on System-Based Provenance Graphs and Analysis Trends

  • Received: 2022.05.25
  • Reviewed: 2022.09.14
  • Published: 2022.09.30

Abstract

Cyber attacks have become more difficult to detect and track as sophisticated, advanced APT attacks increase. System provenance graphs give security analysts techniques for determining the origin of an attack, and various system provenance graph techniques have been studied to reveal the origin of an intrusion. In this study, we survey these system provenance graph techniques and describe their data collection and analysis methods. Based on the results of the survey, we also suggest some future research directions.

Funding

This paper is the result of research carried out with the support of the Agency for Defense Development, funded by the Government (Defense Acquisition Program Administration) in 2022 (912410301).
