Tracking and Analysis of Causality at Enterprise Level (TRACE)
Technical Report, 16 Jul 2015 to 20 Dec 2019
SRI International, Menlo Park, United States
We report on our work in developing the TRACE framework, which combines novel host-level tracking techniques with a proven enterprise-wide tracking system. Specifically, TRACE aimed to enable the detection and investigation of advanced persistent threat (APT) attacks in an enterprise environment using provenance, and it supports both what-provenance and how-provenance. Our design and implementation provided both logging and provenance propagation primitives. Its host-level provenance tracking component monitors host execution and collects both what- and how-provenance for individual host systems at the granularity of program execution units [22]. The enterprise-wide provenance tracking component builds upon the SPADE engine [10], which has been proven to be scalable and high-performance, and QuickGrail [7], which provides advanced query capabilities. Over the course of four years and five engagements, we developed, evaluated, and refined TRACE to improve its performance, scalability, and fidelity. During this time, system call coverage increased from 47 to 66 syscalls, while the time and space overhead were reduced by over one and two orders of magnitude, respectively. In addition, we found that the TRACE instrumentation stack provided TA2 teams with sufficient evidence to detect 80 percent of the attack stages across all evaluations, making it one of the top-performing TA1 systems in the program. Our work was disseminated in 13 top-tier publications (ACSAC 2015, NDSS 2016, ASPLOS 2016, NDSS 2017, Usenix Security, NDSS 2018, Usenix ATC 2018, ACSAC 2018) and received best paper awards at both the Network and Distributed System Security Symposium (NDSS) 2016 and Usenix Security 2017. The team also graduated three PhD students who contributed to TRACE.
- Computer Programming and Software
- Computer Systems Management and Standards