http://dx.doi.org/10.33778/kcsa.2022.22.3.087

A Survey on system-based provenance graph and analysis trends  

Park Chanil (국방과학연구소, Agency for Defense Development)
Abstract
Cyber attacks have become more difficult to detect and track as sophisticated and advanced APT attacks increase. System provenance graphs give cyber-security analysts techniques for determining the origin of an attack. Various system provenance graph techniques have been studied to reveal the point of penetration of a cyber attack. In this study, we surveyed various system provenance graph techniques and described their data collection and analysis methods. In addition, based on the results of our survey, we present some future research directions.
Keywords
Provenance Graph; APT attack; Tracking; Origin of penetration;
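The backward dependency analysis the abstract refers to (tracing a suspicious object back to its point of penetration over a system provenance graph) is easiest to see on a small graph. The Python below is an added illustration, not code from the surveyed paper or from any of the systems it cites: each audit event becomes a directed information-flow edge between a process node and a file, socket or process node, and a backward query from a detection point keeps only the events that happened before the object they influenced, in the spirit of King and Chen's backtracking. The audit events, host, process IDs and addresses are constructed for the example, and the node-naming scheme and logical timestamps are assumptions made here.

```python
"""Minimal system-provenance graph with time-aware backward tracing.

Added illustration only. Event records, node names and the integer
"logical timestamp" scheme are constructed assumptions, not the format
of any real audit source (auditd, ETW, CamFlow, SPADE, ...).
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int   # logical timestamp (monotonic event counter)
    src: str  # node the information flows from
    dst: str  # node the information flows to
    op: str   # syscall-level operation: read/write/recv/send/exec


# Constructed audit trail for a hypothetical host. Flow direction:
#   read:  file -> process      write: process -> file
#   recv:  socket -> process    send:  process -> socket
#   exec:  parent process -> child process
CONSTRUCTED_EVENTS = [
    Event(1, "socket:10.0.0.5:443", "proc:firefox[2001]", "recv"),
    Event(2, "proc:firefox[2001]", "file:/tmp/update.sh", "write"),
    Event(3, "proc:bash[2002]", "file:/home/u/notes.txt", "write"),   # unrelated activity
    Event(4, "file:/tmp/update.sh", "proc:bash[2003]", "read"),
    Event(5, "proc:bash[2003]", "proc:curl[2004]", "exec"),
    Event(6, "file:/home/u/later.txt", "proc:bash[2003]", "read"),    # after the exec: not a cause
    Event(7, "proc:curl[2004]", "socket:203.0.113.9:8080", "send"),
    Event(8, "proc:curl[2004]", "file:/etc/cron.d/backdoor", "write"),
    Event(9, "file:/etc/cron.d/backdoor", "proc:cron[900]", "read"),  # downstream of the sink
]


def build_graph(events):
    """Index events by destination node so a backward step costs O(in-degree)."""
    incoming = defaultdict(list)
    for ev in events:
        incoming[ev.dst].append(ev)
    return incoming


def backtrack(incoming, sink, sink_ts):
    """Return the set of events causally upstream of `sink` as of `sink_ts`.

    Time-aware rule: an edge into node N is kept only if it occurred no later
    than the moment N passed information downstream. Without this bound a
    long-lived process such as a shell would drag in every file it ever read.
    """
    result, seen = set(), set()
    queue = deque([(sink, sink_ts)])
    while queue:
        node, before = queue.popleft()
        for ev in incoming.get(node, ()):
            if ev.ts > before:
                continue  # happened after the dependency, so it cannot be a cause
            result.add(ev)
            key = (ev.src, ev.ts)  # revisit a node if reached with a later bound
            if key not in seen:
                seen.add(key)
                queue.append((ev.src, ev.ts))
    return result


def origin_nodes(events):
    """Nodes in a trace with no incoming edge: the candidate points of penetration."""
    dsts = {ev.dst for ev in events}
    return {ev.src for ev in events if ev.src not in dsts}


def investigate(sink, sink_ts, events=CONSTRUCTED_EVENTS):
    """Build the graph, backtrack from the detection point, and report origins."""
    trace = backtrack(build_graph(events), sink, sink_ts)
    return sorted(trace, key=lambda e: e.ts), origin_nodes(trace)


if __name__ == "__main__":
    # Detection point: a new cron job appeared at ts=8.
    trace, origins = investigate("file:/etc/cron.d/backdoor", 8)
    for ev in trace:
        print(f"t={ev.ts} {ev.src} --{ev.op}--> {ev.dst}")
    print("origin(s):", origins)
```

Run from the cron-job detection point, the trace keeps events 1, 2, 4, 5 and 8 and names the remote socket as the origin; the shell's read at t=6 is dropped because it happened after the shell had already spawned curl, and the unrelated write at t=3 is never reached. On real hosts the same walk suffers the dependency-explosion problem that several of the surveyed systems (execution partitioning, LogGC, ProTracer) are designed to contain.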
Citations & Related Records
Times cited by KSCI: 1
1 W. Enck, P. Gilbert, S. Han, V. Tendulkar, B. G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, "TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones", ACM Transactions on Computer Systems (TOCS), 32(2), pp. 1-29, 2014.
2 S. Sitaraman and S. Venkatesan, "Forensic Analysis of File System Intrusions using Improved Backtracking", Proceedings of the Third IEEE International Workshop on Information Assurance (IWIA '05), pp. 154-163, 2005.
3 X. Han, T. Pasquier, A. Bates, J. Mickens, and M. Seltzer, "UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats", arXiv preprint arXiv:2001.01525, 2020.
4 M. N. Hossain, S. M. Milajerdi, J. Wang, B. Eshete, R. Gjomemo, R. Sekar, S. Stoller, and V. N. Venkatakrishnan, "SLEUTH: real-time attack scenario reconstruction from COTS audit data", 26th USENIX Security Symposium, pp. 487-504, 2017.
5 K. H. Lee, X. Zhang, and D. Xu, "High accuracy attack provenance via binary-based execution partition", Proceedings of the 20th Annual Network and Distributed System Security Symposium (NDSS), 2013.
6 S. T. King and P. M. Chen, "Backtracking intrusions", Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles (SOSP), pp. 223-236, 2003.
7 K. Belhajjame, R. B'Far, J. Cheney, S. Coppens, S. Cresswell, Y. Gil, P. Groth, G. Klyne, T. Lebo, J. McCusker, S. Miles, J. Myers, S. Sahoo, and C. Tilmes, "PROV-DM: The PROV Data Model", Technical Report, World Wide Web Consortium (W3C), https://www.w3.org/TR/prov-dm/, 2013.
8 "FUSE", http://fuse.sourceforge.net.
9 "Event Tracing", https://docs.microsoft.com/en-us/windows/win32/etw/event-tracing-portal.
10 Z. Xu, Z. Wu, Z. Li, K. Jee, J. Rhee, X. Xiao, F. Xu, H. Wang, and G. Jiang, "High fidelity data reduction for big data security dependency analyses", Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 504-516, 2016.
11 A. P. Chapman, H. V. Jagadish, and P. Ramanan, "Efficient provenance storage", Proceedings of the 2008 ACM SIGMOD International Conference on Management of Data, pp. 993-1006, 2008.
12 "PROV Model Overview", https://en.wikipedia.org/wiki/PROV_(Provenance).
13 Z. Li, Q. A. Chen, R. Yang, Y. Chen, and W. Ruan, "Threat detection and investigation with system-level provenance graphs: A survey", Computers & Security, Vol. 106, 2021.
14 S. M. Milajerdi, B. Eshete, R. Gjomemo, and V. N. Venkatakrishnan, "POIROT: Aligning Attack Behavior with Kernel Audit Records for Cyber Threat Hunting", Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1795-1812, 2019.
15 S. M. Milajerdi, R. Gjomemo, B. Eshete, R. Sekar, and V. N. Venkatakrishnan, "HOLMES: real-time APT detection through correlation of suspicious information flows", 2019 IEEE Symposium on Security and Privacy (SP), pp. 1137-1152, 2019.
16 W. U. Hassan, M. Lemay, N. Aguse, A. Bates, and T. Moyer, "Towards scalable cluster auditing through grammatical inference over provenance graphs", Proceedings of the Network and Distributed System Security Symposium (NDSS), 2018.
17 A. Woodruff and M. Stonebraker, "Supporting fine-grained data lineage in a database visualization environment", Proceedings of the 13th International Conference on Data Engineering (ICDE), IEEE, pp. 91-102, 1997.
18 Elastic, "Elastic Stack", https://www.elastic.co/, 2022.
19 Elastic, "Filebeat", https://www.elastic.co/products/beats/filebeat, 2022.
20 A. Gehani and D. Tariq, "SPADE: Support for provenance auditing in distributed environments", Proceedings of the 13th International Middleware Conference, Springer, 2012.
21 T. Pasquier, X. Han, M. Goldstein, T. Moyer, D. Eyers, M. Seltzer, and J. Bacon, "Practical whole-system provenance capture", Proceedings of the 2017 Symposium on Cloud Computing (SoCC), ACM, pp. 405-418, 2017.
22 Y. Ji, S. Lee, E. Downing, W. Wang, M. Fazzini, T. Kim, A. Orso, and W. Lee, "RAIN: refinable attack investigation with on-demand inter-process information flow tracking", Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 377-390, 2017.
23 K. H. Lee, X. Zhang, and D. Xu, "LogGC: Garbage Collecting Audit Log", Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS), pp. 1005-1016, 2013.
24 S. Ma, X. Zhang, and D. Xu, "ProTracer: towards practical provenance tracing by alternating between logging and tainting", Proceedings of the Network and Distributed System Security Symposium (NDSS), Internet Society, 2016.
25 R. Yang, S. Ma, and H. Xu, "UISCOPE: Accurate, Instrumentation-free, and Visible Attack Investigation for GUI Applications", Proceedings of the Network and Distributed System Security Symposium (NDSS), 2020.
26 Y. Ji, S. Lee, M. Fazzini, J. Allen, E. Downing, T. Kim, A. Orso, and W. Lee, "Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking", 27th USENIX Security Symposium, pp. 1705-1722, 2018.
27 Y. Kwon, D. Kim, W. N. Sumner, K. Kim, B. Saltaformaggio, X. Zhang, and D. Xu, "LDX: causality inference by lightweight dual execution", Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), ACM, pp. 503-515, 2016.
28 H. Irshad, G. Ciocarlie, A. Gehani, V. Yegneswaran, K. H. Lee, J. Patel, S. Jha, Y. Kwon, D. Xu, and X. Zhang, "TRACE: Enterprise-Wide Provenance Tracking for Real-Time APT Detection", IEEE Transactions on Information Forensics and Security, Vol. 16, pp. 4363-4376, 2021.
29 S. M. Milajerdi, B. Eshete, R. Gjomemo, and V. N. Venkatakrishnan, "ProPatrol: Attack Investigation via Extracted High-Level Tasks", International Conference on Information Systems Security (ICISS), Springer, LNCS 11281, pp. 107-126, 2018.
30 W. U. Hassan, A. Bates, and D. Marino, "Tactical Provenance Analysis for Endpoint Detection and Response Systems", 2020 IEEE Symposium on Security and Privacy (SP), pp. 1172-1189, 2020.
31 MITRE, "MITRE ATT&CK®", https://attack.mitre.org, 2022.
32 MITRE, "Common Attack Pattern Enumeration and Classification (CAPEC)", https://capec.mitre.org, 2022.
33 Y. Liu, M. Zhang, D. Li, K. Jee, Z. Li, Z. Wu, J. Rhee, and P. Mittal, "Towards a Timely Causality Analysis for Enterprise Security", Proceedings of the Network and Distributed System Security Symposium (NDSS), 2018.
34 M. N. Hossain, J. Wang, R. Sekar, and S. D. Stoller, "Dependence-Preserving Data Compaction for Scalable Forensic Analysis", USENIX Security Symposium, pp. 1723-1740, 2018.
35 L. Moreau, B. Clifford, J. Freire, J. Futrelle, Y. Gil, P. Groth, N. Kwasnikowska, S. Miles, P. Missier, J. Myers, B. Plale, Y. Simmhan, E. Stephan, and J. Van den Bussche, "The Open Provenance Model Core Specification", Future Generation Computer Systems, 2010.