ProTracer: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting. Ma, S., Zhang, X., & Xu, D. In Proceedings of the Network and Distributed Systems Security Symposium (NDSS), NDSS series, February 2016. Website abstract bibtex Provenance tracing is a very important approach to Advanced Persistent Threat (APT) attack detection and investigation. Existing techniques either suffer from the dependence explosion problem or have non-trivial space and runtime overhead, which hinders their application in practice. We propose ProTracer, a lightweight provenance tracing system that alternates between system event logging and unit-level taint propagation. The technique is built on an on-the-fly system event processing infrastructure that features a very lightweight kernel module and a sophisticated user-space daemon that performs concurrent and out-of-order event processing. The evaluation on different real-world system workloads and a number of advanced attacks shows that ProTracer only produces 13MB of log data per day, and 0.84GB (server) / 2.32GB (client) over 3 months, without losing any important information. The space consumption is only < 1.28% of the state of the art and 7 times smaller than an off-line garbage collection technique. The runtime overhead averages <7% for servers and <5% for regular applications. The generated attack causal graphs are a few times smaller than those produced by existing techniques while being equally informative.
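@inproceedings{ma:protracer:16,
  author    = {Ma, Shiqing and Zhang, Xiangyu and Xu, Dongyan},
  title     = {{ProTracer}: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting},
  booktitle = {Proceedings of the Network and Distributed Systems Security Symposium ({NDSS})},
  series    = {NDSS},
  year      = {2016},
  month     = feb,
  doi       = {10.14722/ndss.2016.23350},
  keywords  = {logging, operating-systems, provenance, secure-provenance, tracking, tainting},
  abstract  = {Provenance tracing is a very important approach to Advanced Persistent Threat (APT) attack detection and investigation. Existing techniques either suffer from the dependence explosion problem or have non-trivial space and runtime overhead, which hinder their application in practice. We propose ProTracer, a lightweight provenance tracing system that alternates between system event logging and unit level taint propagation. The technique is built on an on-the-fly system event processing infrastructure that features a very lightweight kernel module and a sophisticated user space daemon that performs concurrent and out-of-order event processing. The evaluation on different real-world system workloads and a number of advanced attacks show that ProTracer only produces 13MB log data per day, and 0.84GB(Server)/2.32GB(Client) in 3 months without losing any important information. The space consumption is only < 1.28% of the state-of-the-art, 7 times smaller than an off-line garbage collection technique. The runtime overhead averages <7% for servers and <5% for regular applications. The generated attack causal graphs are a few times smaller than those by existing techniques while they are equally informative.},
}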