Unifying intrusion detection and forensic analysis via provenance awareness

Future Generation Computer Systems

Volumn 61, Issue , 2016, Pages 26-36

  Xie, Yulai ^a   Feng, Dan ^a   Tan, Zhipeng ^a   Zhou, Junzhe ^a  

^a HUAZHONG UNIVERSITY OF SCIENCE AND TECHNOLOGY   (China)

Author keywords

False alarm; Forensic analysis; Intrusion detection; Provenance

Indexed keywords

ALARM SYSTEMS; ERRORS; GRAPHIC METHODS; MERCURY (METAL);

DEPENDENCY RELATIONSHIP; FALSE ALARMS; FORENSIC ANALYSIS; HIGH DETECTION RATE; HOST-BASED INTRUSION DETECTION; PROVENANCE; SYSTEM VULNERABILITY; SYSTEM-CALL SEQUENCE;

INTRUSION DETECTION;

EID: 84960429448     PISSN: 0167739X     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.future.2016.02.005     Document Type: Article

References (63)

1. Csdn password leak, http://en.people.cn/90778/7688084.html.
2. Heartbleed, http://www.bbc.com/news/technology-26969629.
3. S. Forrest, S.A. Hofmeyr, A. Somayaji, T.A. Longstaff, A sense of self for unix processes, in: Proc. of IEEE SP, May 1996.
4. P. Maciolek, P. Krol, and J. Kozlak Probabilistic anomaly detection based on system call analysis Comput. Sci. J. 8 2007
5. S.A. Hofmeyr, S. Forrest, and A. Somayaji Intrusion detection using sequences of system calls J. Comput. Secur. 6 3 1998 151 180
6. S.T. King, P.M. Chen, Backtracking intrusions, in: Proc. of ACM SOSP, October 2003.
7. D. Farmer, and W. Venema Forensic computer analysis: An introduction Dr. Dobb's J. 25 9(Sept.) 2000 70 72-75
8. X. Jiang, A. Walters, F. Buchholz, D. Xu, Y. Wang, E.H. Spafford, Provenance-aware tracing of worm break-in and contaminations: A process coloring approach, in: Proc. of IEEE ICDCS, July 2006.
9. K.-K. Muniswamy-Reddy, D.A. Holland, U. Braun, M.I. Seltzer, Provenance-aware storage systems, in: Proc. of USENIX ATC, May 2006.
10. J. Widom, Trio: A system for integrated management of data, accuracy, and lineage, in: Proc. of CIDR, Asilomar, CA, January, 2005, pp. 262-276.
11. S. Shah, C.A.N. Soules, G.R. Ganger, B.D. Noble, Using provenance to aid in personal file search, in: Proc. of USENIX ATC, June 2007.
12. S.T. King, and P.M. Chen Backtracking intrusions ACM Trans. Comput. Syst. 23 1 2005 51 76
13. A. Gehani, D. Tariq, SPADE: Support for provenance auditing in distributed environments, in: Proc. of ACM/IFIP/USENIX Middleware, December 2012.
14. R. Spillane, R. Sears, C. Yalamanchili, S. Gaikwad, M. Chinni, E. Zadok, Story book: An efficient extensible provenance framework, in: Proc. of USENIX Tapp, February 2009.
15. R. Bose, J. Frew, Composing lineage metadata with xml for custom satellite-derived data products, in: Proc. of IEEE SSDBM, June 2004.
16. A. Vahdat, T. Anderson, Transparent result caching, in: Proc. of USENIX ATC, June 1998.
17. K.-K. Muniswamy-Reddy, U. Braun, D.A. Holland, P. Macko, D. Maclean, D. Margo, M. Seltzer, R. Smogor, Layering in provenance systems, in: Proc. of USENIX ATC, June 2009.
18. K.-K. Muniswamy-Reddy, D.A. Holland, Provenance for the cloud, in: Proc. of USENIX FAST, February 2010.
19. J. Lyle, A. Martin, Trusted computing and provenance: Better together, in: Proc. of USENIX Tapp, 2010.
20. R. Hasan, R. Sion, M. Winslett, The case of the fake picasso: Preventing history forgery with secure provenance, in: Proc. of USENIX FAST, June 2009.
21. M.A. Olson, K. Bostic, M.I. Seltzer, Berkeley DB, in: Proc. of USENIX ATC, June 1999.
22. A. Goel, K. Po, K. Farhadi, Z. Li, E.d. Lara, The taser intrusion recovery system, in: Proc. of ACM SOSP, October 2005.
23. Secunia vulnerability report, http://www.secunia.com.
24. DARPA data sets, http://www.ll.mit.edu/ideval/data/.
25. UNM data sets, http://www.cs.unm.edu/~immsec/systemcalls.htm.
26. Y. Xie, K.-K. Muniswamy-Reddy, D. Feng, Y. Li, D.D.E. Long, Z. Tan, L. Chen, A hybrid approach for efficient provenance storage, in: Proc. of ACM CIKM, October 2012.
27. W. Lee, S.J. Stolfo, Data mining approaches for intrusion detection, in: Proc. of USENIX Security, January 1998.
28. D. Wagner, D. Dean, Intrusion detection via static analysis, in: Proc. of IEEE SP, 2001.
29. E. Sekar, M. Bendre, D. Dhurjati, P. Bollineni, A fast automation-based method for detecting anomalous program behaviors, in: Proc. of IEEE SP, May 2001.
30. E. Eskin, Anomaly detection over noisy data using learned probability distributions, in: Proc. of IEEE ICML, 2000.
31. F. Apap, A. Honig, S. Hershkop, E. Eskin, S. Stolfo, Detecting malicious software by monitoring anomalous windows registry access, in: Proc. of RAID, October 2002.
32. S. Hershkop, L.H. Bui, R. Ferster, and S.J. Stolfo Host-based anomaly detection using wrapping file systems, Tech. Rep. 2004 Columbia University
33. G. Tandon, and P.K. Chan On the learning of system call attributes for host-based anomaly detection Int. J. Artif. Intell. Tools 15 6 2006 875 892
34. Z. Gu, K. Pei, Q. Wang, L. Si, X. Zhang, D. Xu, Leaps: Detecting camouflaged attacks with statistical learning guided by program analysis, in: Proc. of IEEE/IFIP DSN, 2015.
35. X. Shu, D. Yao, B.G. Ryder, A formal framework for program anomaly detection, in: Proc. of RAID, 2015.
36. M. Jamshed, J. Lee, S. Moon, I. Yun, D. Kim, S. Lee, Y. Yi, K. Park, Kargus: a highly scalable software-based intrusion detection system, in: Proc. of ACM CCS, October 2012.
37. N. Srndic, P. Laskov, Pratical evasion of a learning-based classifier: A case study, in: Proc. of IEEE SP, 2014.
38. B. Juba, C. Musco, F. Long, S.S. Douskos, M. Rinard, Principled sampling for anomaly detection, in: Proc. of NDSS, February 2015.
39. A. Goel, W. Feng, D. Maier, W. Feng, J. Walpole, Forensix: A robust, high performance reconstruction system, in: Proc. of IEEE SDCS, June 2005.
40. S.N. Jones, C.R. Strong, D.D.E. Long, E.L. Miller, Tracking emigrant data via transient provenance, in: Proc. of USENIX TaPP, June 2011.
41. S.T. King, Z.M. Mao, D.G. Lucchetti, P.M. Chen, Enriching intrusion alerts through multi-host causality, in: Proc. of NDSS, February 2005.
42. D.J. Pohly, S. McLaughlin, P. McDaniel, K. Butler, Hi-Fi: Collecting high-fidelity whole-system provenance, in: Proc. of ACM ACSAC, December 2012.
43. G.H. Kim, E.H. Spafford, The design and implementation of tripwire: A file system integrity checker, in: Proc. of ACM CCS, November 1994.
44. D. Devecsery, M. Chow, X. Dou, J. Flinn, P.M. Chen, Eidetic systems, in: Proc. of USENIX OSDI, 2014.
45. H. Yin, D. Song, M. Egele, C. Kruegel, E. Kirda, Panorama: Capturing system-wide information flow for malware detection and analysis, in: Proc. of ACM CCS, October 2007.
46. N. Zhu, T. Chiueh, Design, implementation and evaluation of repairable file service, in: Proc. of IEEE/IFIP DSN, June 2003.
47. P. Ammann, S. Jajodia, and P. Liu Recovery from malicious transactions TKDE 14 5 2002 1167 1185
48. G. Dunlap, S.T. King, S. Cinar, M.A. Basrai, P.M. Chen, Revirt: Enabling intrusion analysis through virtual-machine logging and replay, in: Proc. of USENIX OSDI, 2002.
49. T. Garfinkel, M. Rosenblum, A virtual machine introspection based architecture for intrusion detection, in: Proc. of NDSS, 2003.
50. W. Zhou, Q. Fei, A. Narayan, A. Haeberlen, B.T. Loo, M. Sherr, Secure network provenance, in: Proc. of ACM SOSP, October 2011.
51. D. Tariq, B. Baig, A. Gehani, S. Mahmood, R. Tahir, A. Aqil, F. Zaffar, Identifying the provenance of correlated anomalies, in: Proc. of ACM SAC, March 2011.
52. A. Gehani, B. Baig, S. Mahmood, D. Tariq, F. Zaffar, Fine-grained tracking of grid infections, in: Proc. of IEEE GRID, October 2010.
53. P. McDaniel, K. Butler, R. Sion, E. Zadok, M. Winslett, Towards a secure and efficient system for end-to-end provenance, in: Proc. of USENIX Tapp, 2010.
54. R. Hasan, R. Sion, M. Winslett, Introducing secure provenance: Problems and challenges, in: Proc. of ACM StorageSS, October 2007.
55. U. Braun, A. Shinnar, M. Seltzer, Securing provenance, in: Proc. of USENIX HotSec, July 2008.
56. J. Cheney, A formal framework for provenance security, in: Proc. of IEEE CSF, 2011.
57. J. Zhang, A. Chapman, K. Lefevre, Do you know where your data's been? - tamper-evident database provenance, in: Proc. of SDM, 2010.
58. A. Bates, D. Tian, K. Butler, T. Moyer, Trustworthy whole-system provenance for the linux kernel, in: Proc. of USENIX Security, 2015.
59. S. Sultana, M. Shehab, and E. Bertino Secure provenance transmission for streaming data IEEE TKDE 25 8 2012 1890 1903
60. A. Bates, B. Mood, M. Valafar, K. Butler, Towards secure provenance-based access control in cloud environments, in: Proc. of CODASPY, 2013.
61. R. Lu, X. Lin, X. Liang, X. Shen, Secure provenance: The essential of bread and butter of data forensics in cloud computing, in: Proc. of ACM ASIACCS, April 2010.
62. C. Warrender, S. Forrest, B. Pearlmutter, Detecting intrusions using system calls: alternative data models, in: Proc. of IEEE SP, May 1999.
63. L.R. Rabiner A tutorial on hidden Markov models and selected applications in speech recognition Proc. IEEE 77 2 1989 257 286