Ma, S., Zhang, X., & Xu, D. ProTracer: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting. In Proceedings of the Network and Distributed Systems Security Symposium (NDSS), February 2016. DOI: 10.14722/ndss.2016.23350
Abstract: Provenance tracing is a very important approach to Advanced Persistent Threat (APT) attack detection and investigation. Existing techniques either suffer from the dependence explosion problem or have non-trivial space and runtime overhead, which hinder their application in practice. We propose ProTracer, a lightweight provenance tracing system that alternates between system event logging and unit-level taint propagation. The technique is built on an on-the-fly system event processing infrastructure that features a very lightweight kernel module and a sophisticated user-space daemon that performs concurrent and out-of-order event processing. The evaluation on different real-world system workloads and a number of advanced attacks shows that ProTracer produces only 13 MB of log data per day, and 0.84 GB (server) / 2.32 GB (client) in 3 months, without losing any important information. The space consumption is only < 1.28% of the state of the art, and 7 times smaller than an off-line garbage collection technique. The runtime overhead averages < 7% for servers and < 5% for regular applications. The generated attack causal graphs are a few times smaller than those produced by existing techniques while being equally informative.
@inproceedings{ma:protracer:16,
 title = {ProTracer: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting},
 author = {Ma, Shiqing and Zhang, Xiangyu and Xu, Dongyan},
 booktitle = {Proceedings of the Network and Distributed Systems Security Symposium (NDSS)},
 series = {NDSS},
 year = {2016},
 month = {2},
 doi = {10.14722/ndss.2016.23350},
 url = {http://dx.doi.org/10.14722/ndss.2016.23350},
 keywords = {logging,operating-systems,provenance,secure-provenance,tracking,tainting},
 abstract = {Provenance tracing is a very important approach to Advanced Persistent Threat (APT) attack detection and investigation. Existing techniques either suffer from the dependence explosion problem or have non-trivial space and runtime overhead, which hinder their application in practice. We propose ProTracer, a lightweight provenance tracing system that alternates between system event logging and unit level taint propagation. The technique is built on an on-the-fly system event processing infrastructure that features a very lightweight kernel module and a sophisticated user space daemon that performs concurrent and out-of-order event processing. The evaluation on different real-world system workloads and a number of advanced attacks show that ProTracer only produces 13MB log data per day, and 0.84GB(Server)/2.32GB(Client) in 3 months without losing any important information. The space consumption is only < 1.28% of the state-of-the-art, 7 times smaller than an off-line garbage collection technique. The runtime overhead averages <7% for servers and <5% for regular applications. The generated attack causal graphs are a few times smaller than those by existing techniques while they are equally informative.}
}