SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data
Md Nahid Hossain, Sadegh M Milajerdi, Junao Wang, Birhanu Eshete, Rigel Gjomemo, R Sekar, Scott Stoller, VN Venkatakrishnan

TL;DR
SLEUTH is a real-time system that reconstructs attack scenarios from enterprise audit logs using dependency graphs, enabling effective detection, source identification, and visualization of cyber attacks across multiple operating systems.
Contribution
The paper introduces a platform-neutral, main-memory dependency graph approach and tag-based techniques for real-time attack detection and reconstruction, including visualization methods.
Findings
Successfully detected and reconstructed red team attacks on multiple OSes
Participated in DARPA evaluation with positive results
Demonstrated scalability and effectiveness in real-time attack analysis
Abstract
We present an approach and system for real-time reconstruction of attack scenarios on an enterprise host. To meet the scalability and real-time needs of the problem, we develop a platform-neutral, main-memory based, dependency graph abstraction of audit-log data. We then present efficient, tag-based techniques for attack detection and reconstruction, including source identification and impact analysis. We also develop methods to reveal the big picture of attacks by construction of compact, visual graphs of attack steps. Our system participated in a red team evaluation organized by DARPA and was able to successfully detect and reconstruct the details of the red team's attacks on hosts running Windows, FreeBSD and Linux.
Peer Reviews
No public reviews on file for this paper yet.
Videos
No videos yet.
Taxonomy
Topics: Network Security and Intrusion Detection · Security and Verification in Computing · Advanced Malware Detection Techniques
