Acknowledgement
This paper presents the results of research conducted with the support of the Agency for Defense Development, funded by the Korean government (Defense Acquisition Program Administration) in 2022 (912410301).