ProPatrol: Attack Investigation via Extracted High-Level Tasks
Sadegh M. Milajerdi, Birhanu Eshete, Rigel Gjomemo, V.N. Venkatakrishnan

TL;DR
ProPatrol is a system that improves cyber-attack investigation by inferring high-level application tasks from audit logs, reducing false dependencies and investigation effort without needing source code or instrumentation.
Contribution
It introduces a novel approach to model application tasks from audit logs, enhancing attack graph accuracy and investigation efficiency without source code reliance.
Findings
Significantly reduces forensic investigation effort.
Pinpoints attack root causes quickly.
Less than 2% runtime overhead.
Abstract
Kernel audit logs are an invaluable source of information in the forensic investigation of a cyber-attack. However, the coarse granularity of dependency information in audit logs leads to the construction of huge attack graphs which contain false or inaccurate dependencies. To overcome this problem, we propose a system, called ProPatrol, which leverages the open compartmentalized design in families of enterprise applications used in security-sensitive contexts (e.g., browser, chat client, email client). To achieve its goal, ProPatrol infers a model for an application's high-level tasks as input-processing compartments using purely the audit log events generated by that application. The main benefit of this approach is that it does not rely on source code or binary instrumentation, but only on a preliminary and general knowledge of an application's architecture to bootstrap the analysis.…
Taxonomy
Topics: Network Security and Intrusion Detection · Digital and Cyber Forensics · Advanced Malware Detection Techniques
