SecTracer: A Framework for Uncovering the Root Causes of Network Intrusions via Security Provenance
Seunghyeon Lee, Hyunmin Seo, Hwanjo Heo, Anduo Wang, Seungwon Shin, Jinwoo Kim

TL;DR
SecTracer is a comprehensive framework that uses network provenance analysis, SDN-based data collection, and probabilistic models to detect, reconstruct, and predict complex network intrusions with minimal network impact.
Contribution
It introduces the concept of network security provenance and presents SecTracer, a framework combining data collection, attack reconstruction, and prediction for enterprise networks.
Findings
Effective attack reconstruction via provenance graphs
Low network overhead (<1%) during data collection
Successful prediction of attack progression in real-world scenarios
Abstract
Modern enterprise networks comprise diverse and heterogeneous systems that support a wide range of services, making it challenging for administrators to track and analyze sophisticated attacks such as advanced persistent threats (APTs), which often exploit multiple vectors. To address this challenge, we introduce the concept of network-level security provenance, which enables the systematic establishment of causal relationships across hosts at the network level, facilitating the accurate identification of the root causes of security incidents. Building on this concept, we present SecTracer as a framework for a network-wide provenance analysis. SecTracer offers three main contributions: (i) comprehensive and efficient forensic data collection in enterprise networks via software-defined networking (SDN), (ii) reconstruction of attack histories through provenance graphs to provide a clear…
Taxonomy
Topics: Software-Defined Networks and 5G · Software System Performance and Reliability · Scientific Computing and Data Management
