Review. SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data

Paper: SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data

by Md Nahid Hossain, Sadegh M. Milajerdi, Junao Wang, Birhanu Eshete, Rigel Gjomemo, R. Sekar, Scott D. Stoller, and V.N. Venkatakrishnan

The paper presents a system that tracks an attack as it unfolds and reconstructs the attack scenario in real time. The system works from COTS audit logs, which are retained so that the result can also serve as a forensic tool, and builds a dependence graph of subjects (processes) and objects (files, sockets) from the logged events. Each node carries tags; tags are assigned when a node is first seen and then propagated along events, which is what identifies the objects and events involved in an attack. The paper describes four types of attacker objective, each expressed as a detection policy over tag values: when an event produces a tag combination that matches one of these objectives, an alarm is raised. From the alarm point, backward analysis over the dependence graph traces the attack back to its entry point. It is implemented as a shortest-path search (Dijkstra's algorithm) with a cost function on edges derived from the tags of the nodes they connect, so that among several candidate paths the one running through untrusted nodes is preferred. Forward analysis and scenario reconstruction then proceed from the entry point, pruning nodes and filtering repeated events to keep the scenario graph small. The tag design encodes trustworthiness (of code and of data) and confidentiality, and the detection policies combine the attacker's motive (the objective) with the means (untrusted code or data). The system provides a framework for defining policies as rules that are triggered when an event occurs, with separate stages for tag initialization policies and tag propagation policies.
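To make the tag propagation, policy-based detection and backward analysis described above concrete, here is a small worked example in Python. It is an illustration written for this review, not code from the SLEUTH paper or its authors. The numeric tag levels, the propagation rules for read/write/exec events, the three detection policies implemented (untrusted code execution, modification by a process with low code trustworthiness, and confidential data leak; the paper's fourth policy is omitted), the edge-cost function (0 when stepping back onto an untrusted ancestor, 1 onto a trusted one) and the audit events in the scenario are all assumptions and constructed inputs, simplified from the paper's description.

```python
"""Toy tag-propagation and backward-analysis tracker, loosely modelled on the
SLEUTH description above.  Illustration only: the tag values, propagation
rules, policies and edge-cost function are this example's own simplifications."""
import heapq

# Trustworthiness levels (higher = more trusted) and confidentiality levels
# (higher = more sensitive).  The level names follow the paper; the numbers
# are an assumption made here.
BENIGN_AUTH, BENIGN, UNKNOWN = 2, 1, 0
PUBLIC, PRIVATE, SECRET = 0, 1, 2


class Node:
    """A subject (process) or object (file, socket) with its three tags."""
    def __init__(self, name, kind, ctag=BENIGN_AUTH, dtag=BENIGN_AUTH, conf=PUBLIC):
        self.name, self.kind = name, kind            # kind: "proc", "file" or "socket"
        self.ctag, self.dtag, self.conf = ctag, dtag, conf   # code trust, data trust, confidentiality

    def untrusted(self):
        return self.ctag == UNKNOWN or self.dtag == UNKNOWN


class Tracker:
    def __init__(self):
        self.nodes = {}
        self.preds = {}      # dependence graph stored backwards: dst -> [(src, event)]
        self.alarms = []     # (policy, subject, object)

    def add(self, name, kind, **tags):
        self.nodes[name] = Node(name, kind, **tags)
        self.preds[name] = []

    def _edge(self, src, dst, ev):
        self.preds[dst].append((src, ev))

    def event(self, ev, subj, obj):
        """Apply one audit event: propagate tags, check policies, record the edge."""
        s, o = self.nodes[subj], self.nodes[obj]
        if ev == "read":                        # data flows object -> subject
            s.dtag = min(s.dtag, o.dtag)
            s.conf = max(s.conf, o.conf)
            self._edge(obj, subj, ev)
        elif ev == "exec":                      # subject now runs the object's code
            if o.dtag == UNKNOWN:
                self.alarms.append(("untrusted code execution", subj, obj))
            s.ctag = min(s.ctag, o.dtag)
            self._edge(obj, subj, ev)
        elif ev == "write":                     # data flows subject -> object
            if s.ctag == UNKNOWN and o.kind == "file" and o.dtag >= BENIGN:
                self.alarms.append(("modification by low code trustworthiness", subj, obj))
            if o.kind == "socket" and s.conf == SECRET and s.untrusted():
                self.alarms.append(("confidential data leak", subj, obj))
            o.dtag = min(o.dtag, s.dtag, s.ctag)
            o.conf = max(o.conf, s.conf)
            self._edge(subj, obj, ev)
        else:
            raise ValueError("unknown event " + ev)

    def backward(self, start):
        """Dijkstra over reversed edges from an alarm node to the cheapest entry point
        (a node with no ancestors).  Stepping onto an untrusted ancestor costs 0 and
        onto a trusted one costs 1, so the path returned is the one dominated by
        untrusted nodes.  Result is ordered entry point -> alarm node."""
        dist, prev, heap = {start: 0}, {}, [(0, start)]
        while heap:
            d, cur = heapq.heappop(heap)
            if d > dist[cur]:
                continue
            if not self.preds[cur]:
                path = [cur]
                while path[-1] in prev:
                    path.append(prev[path[-1]])
                return path
            for src, _ in self.preds[cur]:
                nd = d + (0 if self.nodes[src].untrusted() else 1)
                if nd < dist.get(src, float("inf")):
                    dist[src], prev[src] = nd, cur
                    heapq.heappush(heap, (nd, src))
        return None


def demo():
    """Constructed scenario (not from the paper): a benign browser fetches a dropper
    from an untrusted host, a shell executes it, and it exfiltrates /etc/shadow.
    A benign backup job that reads the same secret file must not raise an alarm."""
    t = Tracker()
    t.add("sock:evil.example", "socket", ctag=UNKNOWN, dtag=UNKNOWN)
    t.add("firefox", "proc")
    t.add("/tmp/dropper", "file")
    t.add("sh", "proc")
    t.add("/etc/shadow", "file", conf=SECRET)
    t.add("sock:c2.example", "socket", ctag=UNKNOWN, dtag=UNKNOWN)
    t.add("backup", "proc")
    t.add("/var/backup/shadow", "file")
    for ev in [("read", "firefox", "sock:evil.example"),
               ("write", "firefox", "/tmp/dropper"),
               ("exec", "sh", "/tmp/dropper"),
               ("read", "sh", "/etc/shadow"),
               ("write", "sh", "sock:c2.example"),
               ("read", "backup", "/etc/shadow"),
               ("write", "backup", "/var/backup/shadow")]:
        t.event(*ev)
    return t


if __name__ == "__main__":
    t = demo()
    for alarm in t.alarms:
        print("ALARM:", alarm)
    print("entry point -> alarm:", " -> ".join(t.backward("sock:c2.example")))
```

Running the script prints two alarms (the `exec` of the untrusted dropper and the leak of a SECRET-tagged process to a socket) and the reconstructed path `sock:evil.example -> firefox -> /tmp/dropper -> sh -> sock:c2.example`. The `/etc/shadow` read is a second ancestor of `sh`, but because that file's tags are trusted the edge costs 1 and the search returns the zero-cost path through the untrusted download instead; this is the role the cost function plays in choosing among multiple candidate paths.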

The concept presented in the paper is relevant and could be deployed on enterprise and academic machines. A real-time attack scenario reconstruction system of this kind has an advantage over anti-malware detection software, which offers no backtracking from a detection to its cause. Plotting the dependence graph is a novel idea: it lets analysts and reverse engineers find the cause of an attack and its entry point. The paper presents a scenario with multiple entry points into the system during a malware attack, and shows that the backward analysis over the dependence graph can trace them using Dijkstra's shortest path algorithm. The paper also explains how rules and policies are set up in the system. This is the right approach, since security engineers can define custom rules and tags rather than waiting for an anti-malware vendor to ship a change of rules and policies. The system has been tested on several operating systems (Windows, Linux, and FreeBSD), and the reported results support the validity of SLEUTH. The chances of false alarms are nevertheless high, since detection is driven only by tag tracking over events and the configured policies; no intelligent agent or AI algorithm is incorporated into the application. The application should therefore be tested on a larger number of systems and against more practice attacks before false alarm rates are established. According to the paper, the system has only been tested on four different types of OS attacks, and there must be more ways of attacking an OS with malware than the paper describes. SLEUTH uses an in-memory graph data structure rather than a graph database for detection and real-time analysis, which gives better performance.

The paper on SLEUTH explains all the concepts well, but the explanation becomes thinner when it reaches the engagement setup and the implementation. For the experimental phase, the paper does not describe the implementation or the application design. The paper does not provide a link to the actual graphs generated. All the graphs given in the paper seem to have been produced synthetically through other sources and not by the application itself. The paper explains how splitting the tag helps in reducing the number of false alarms, but I did not understand how the tag splitting is done. I did not understand how the trustworthiness tag and the code and integrity tags together can make a difference in the false alarm rate.