TY - GEN
T1 - APTrace
T2 - 36th IEEE International Conference on Data Engineering, ICDE 2020
AU - Gui, Jiaping
AU - Li, Ding
AU - Chen, Zhengzhang
AU - Rhee, Junghwan
AU - Xiao, Xusheng
AU - Zhang, Mu
AU - Jee, Kangkook
AU - Li, Zhichun
AU - Chen, Haifeng
N1 - Publisher Copyright:
© 2020 IEEE.
PY - 2020/4
Y1 - 2020/4
N2 - While backtracking analysis has been successful in assisting the investigation of complex security attacks, it faces a critical dependency explosion problem. To address this problem, security analysts currently need to tune backtracking analysis manually with different case-specific heuristics. However, existing systems fail to fulfill two important system requirements for effective backtracking analysis. First, flexible abstractions are needed to express various types of heuristics. Second, the system needs to be responsive in providing updates so that the progress of backtracking analysis can be inspected frequently, since the analysis typically involves multiple rounds of manual tuning. In this paper, we propose a novel system, APTrace, to meet both of the above requirements. As we demonstrate in the evaluation, security analysts can effectively express heuristics to reduce more than 99.5% of irrelevant events in the backtracking analysis of real-world attack cases. To improve the responsiveness of backtracking analysis, we present a novel execution-window partitioning algorithm that significantly reduces the waiting time between two consecutive updates (in particular, a 57-fold reduction for the top 1% of waiting times).
AB - While backtracking analysis has been successful in assisting the investigation of complex security attacks, it faces a critical dependency explosion problem. To address this problem, security analysts currently need to tune backtracking analysis manually with different case-specific heuristics. However, existing systems fail to fulfill two important system requirements for effective backtracking analysis. First, flexible abstractions are needed to express various types of heuristics. Second, the system needs to be responsive in providing updates so that the progress of backtracking analysis can be inspected frequently, since the analysis typically involves multiple rounds of manual tuning. In this paper, we propose a novel system, APTrace, to meet both of the above requirements. As we demonstrate in the evaluation, security analysts can effectively express heuristics to reduce more than 99.5% of irrelevant events in the backtracking analysis of real-world attack cases. To improve the responsiveness of backtracking analysis, we present a novel execution-window partitioning algorithm that significantly reduces the waiting time between two consecutive updates (in particular, a 57-fold reduction for the top 1% of waiting times).
KW - Backtracking analysis
KW - Domain language
KW - Expressiveness
KW - Responsiveness
UR - http://www.scopus.com/inward/record.url?scp=85085867340&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85085867340&partnerID=8YFLogxK
U2 - 10.1109/ICDE48307.2020.00151
DO - 10.1109/ICDE48307.2020.00151
M3 - Conference contribution
AN - SCOPUS:85085867340
T3 - Proceedings - International Conference on Data Engineering
SP - 1701
EP - 1712
BT - Proceedings - 2020 IEEE 36th International Conference on Data Engineering, ICDE 2020
PB - IEEE Computer Society
Y2 - 20 April 2020 through 24 April 2020
ER -