| 摘要: |
| 近十年来,高级持续性威胁(APT,advanced persistent threat)越来越引起人们的关注。为了防御和检测APT攻击,学者提出了基于系统审计日志的入侵取证方案。系统审计日志可以详细记录主机上的系统调用过程,因此非常适用于入侵取证工作。然而,系统审计日志也有着致命的弊端:日志庞大冗余。再加上APT攻击往往长期潜伏、无孔不入,企业不得不为每台联网主机长期保存日志,因此导致巨大的存储计算成本。为了解决这一问题,本文提出一种模仿二进制动态污点分析的日志压缩方案T-Tracker。T-Tracker首先检测日志内部与外部数据发生交互的系统调用,生成初始污点集合,然后追踪污点在主机内的扩散过程,这个过程中只有污点扩散路径上的系统调用能被保留下来,其余均不保留,从而达到日志压缩的目的。本研究的测试表明,该方案可以达到80%的压缩效果,即企业将能够存储相当于原来数量五倍的日志数据。同时,T-Tracker完整保留了受到外部数据影响的日志记录,因此对于入侵取证而言,可以等价地替换原始日志,而不会丢失攻击痕迹。 |
| 关键词: 高级持续性威胁 入侵取证 系统级审计日志 日志压缩 污点追踪 |
| DOI:10.19363/J.cnki.cn10-1380/tn.2020.09.03 |
| Received:July 26, 2018Revised:September 19, 2018 |
| 基金项目:本课题得到中国移动内容分发网络二期工程扩容部分采购内容管理层(No.Y8V0211105)、青年之星人才计划(No.Y7Z0091105)资助。 |
|
| A System Audit Log Compression Method based on Taint Tracking |
| BEN Yongming,HAN Yanni,An Wei,Xu Zhen |
| Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;Schol of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China |
| Abstract: |
| In the past ten years, considerable attention has been paid to Advanced Persistent Threats(APTs). To defend and detect APT attack, intrusion forensics based on system-level audit log has been proposed. System-level audit log is highly suitable for intrusion forensics because it records the interactions among system entities in details. However, it has a fatal shortcoming due to its massive growth of log size. And the condition becomes worse when we are talking about defense of APTs. Enterprises have to monitor each host in a long period of time to expose stealthy attackers, which causes overwhelming storage costs. To address this issue, this paper proposes an audit log compression algorithm, named T-Tracker, which imitates Dynamic Taint Analysis in binary program. Firstly T-Tracker detects the events that cause the information flow from external data sources and generates the initial taint sets. Then it tracks the diffusion of the taint according to the audit log. By retaining the events on diffusion path only, we can achieve the audit log compression. Our evaluation on different system workloads and attack cases demonstrates that our approach can achieve significant log compression without affecting the accuracy of intrusion forensics. |
| Key words: advanced persistent threat intrusion forensics system-level audit log log compression taint tracking |
