Muhammad Adil Inam (University of Illinois at Urbana-Champaign), Wajih Ul Hassan (University of Illinois at Urbana-Champaign), Ali Ahad (University of Virginia), Adam Bates (University of Illinois at Urbana-Champaign), Rashid Tahir (University of Prince Mugrin), Tianyin Xu (University of Illinois at Urbana-Champaign), Fareed Zaffar (LUMS)

Causality analysis is an effective technique for investigating and detecting cyber attacks. However, by focusing on auditing at the Operating System level, existing causal analysis techniques lack visibility into important application-level semantics, such as configuration changes that control application runtime behavior. This leads to incorrect attack attribution and half-baked tracebacks.

In this work, we propose Dossier, a specialized provenance tracker that enhances the visibility of the Linux auditing infrastructure. By providing additional hooks into the system, Dossier can generate a holistic view of the target application’s event history and causal chains, particularly those pertaining to configuration changes that are among the most common attack vectors observed in the real world. The extra “vantage points” in Dossier enable forensic investigators to bridge the semantic gap and correctly piece together attack fragments. Dossier leverages the versatility of information flow tracking and system call introspection to track all configuration changes, including both dynamic modifications that are applied directly to configuration-related program variables in memory and revisions to configuration files on disk with negligible runtime overhead (less than 7%). Evaluation on realistic workloads and real-world attack scenarios shows that Dossier can effectively reason about configuration-based attacks and accurately reconstruct the whole attack stories.

View More Papers

Get a Model! Model Hijacking Attack Against Machine Learning...

Ahmed Salem (CISPA Helmholtz Center for Information Security), Michael Backes (CISPA Helmholtz Center for Information Security), Yang Zhang (CISPA Helmholtz Center for Information Security)

Read More

Let’s Authenticate: Automated Certificates for User Authentication

James Conners (Brigham Young University), Corey Devenport (Brigham Young University), Stephen Derbidge (Brigham Young University), Natalie Farnsworth (Brigham Young University), Kyler Gates (Brigham Young University), Stephen Lambert (Brigham Young University), Christopher McClain (Brigham Young University), Parker Nichols (Brigham Young University), Daniel Zappala (Brigham Young University)

Read More

Demystifying Local Business Search Poisoning for Illicit Drug Promotion

Peng Wang (Indiana University Bloomington), Zilong Lin (Indiana University Bloomington), Xiaojing Liao (Indiana University Bloomington), XiaoFeng Wang (Indiana University Bloomington)

Read More

Log4shell: Redefining the Web Attack Surface

Douglas Everson (Clemson University), Long Cheng (Clemson University), and Zhenkai Zhang (Clemson University)

Read More