Tactical provenance analysis for endpoint detection and response systems

WU Hassan, A Bates, D Marino - 2020 IEEE Symposium on …, 2020 - ieeexplore.ieee.org
Endpoint Detection and Response (EDR) tools provide visibility into sophisticated intrusions
by matching system events against known adversarial behaviors. However, current solutions …

Threat detection and investigation with system-level provenance graphs: A survey

Z Li, QA Chen, R Yang, Y Chen, W Ruan - Computers & Security, 2021 - Elsevier
With the development of information technology, the border of cyberspace gets much
broader and thus also exposes increasingly more vulnerabilities to attackers. Traditional …

Combating dependence explosion in forensic analysis using alternative tag propagation semantics

MN Hossain, S Sheikhi, R Sekar - 2020 IEEE Symposium on …, 2020 - ieeexplore.ieee.org
We are witnessing a rapid escalation in targeted cyber-attacks called Advanced and
Persistent Threats (APTs). Carried out by skilled adversaries, these attacks take place over …

OmegaLog: High-fidelity attack investigation via transparent multi-layer log analysis

WU Hassan, MA Noureddine, P Datta… - Network and distributed …, 2020 - par.nsf.gov
Recent advances in causality analysis have enabled investigators to trace multi-stage
attacks using whole-system provenance graphs. Based on system-layer audit logs (e.g., …
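The two entries above (Hossain et al. on dependence explosion, and OmegaLog on tracing attacks over whole-system provenance graphs built from audit logs) share one underlying operation: backward causal tracing from an alert. The following is an added example written for this page, not code from any of the listed papers. It constructs a small, fictitious audit trail (process, file and socket names are invented), builds a provenance graph from it, and traces backward from an alerted write in two ways: naive reachability, and a timestamp-aware trace that refuses to follow a read that happened after the state it would explain had already flowed onward. The long-lived process firefox:100 shows why dependence explosion arises even after that pruning: its earlier reads remain plausible ancestors, which is the ambiguity the alternative tag-propagation semantics of Hossain et al. target.

```python
"""Backward causal tracing over a whole-system provenance graph.

Added example, not code from any paper listed on this page. The audit
trail below is constructed to resemble simplified Linux audit records
(time, syscall, subject process, object). Nodes are processes, files and
sockets; a read adds an edge object -> process, a write adds an edge
process -> object, and every edge carries the event time so that the
trace can refuse to follow information "backwards in time".
"""
from collections import defaultdict

# Constructed audit trail (not real data). firefox:100 is a long-lived
# process that keeps reading files; bash:200 runs a script firefox wrote.
AUDIT_EVENTS = [
    (1, "read",  "firefox:100", "/home/alice/notes.txt"),
    (2, "read",  "firefox:100", "/home/alice/bookmarks.html"),
    (3, "read",  "firefox:100", "socket:203.0.113.7:443"),  # download
    (4, "write", "firefox:100", "/tmp/dropper.sh"),
    (5, "read",  "bash:200",    "/tmp/dropper.sh"),
    (6, "read",  "firefox:100", "/home/alice/taxes.pdf"),   # after the write
    (7, "write", "bash:200",    "/etc/cron.d/backdoor"),    # detector alert
]
ALERT_NODE, ALERT_TIME = "/etc/cron.d/backdoor", 7


def build_graph(events):
    """Map each node to its incoming edges as (source, time) pairs."""
    preds = defaultdict(list)
    for t, syscall, subj, obj in events:
        if syscall == "read":
            preds[subj].append((obj, t))
        elif syscall == "write":
            preds[obj].append((subj, t))
    return preds


def backward_trace(preds, alert_node, alert_time, causal=True):
    """Return every node that could have influenced alert_node.

    causal=True:  an edge into node N at time t is followed only if
                  t <= the time N's state flowed onward, i.e. a later
                  read cannot have contributed to an earlier write.
    causal=False: follow every incoming edge (naive reachability, which
                  over-approximates and drives dependence explosion).
    """
    reached = {alert_node: alert_time}   # node -> latest relevant time
    worklist = [alert_node]
    while worklist:
        node = worklist.pop()
        for src, t_edge in preds.get(node, []):
            if causal and t_edge > reached[node]:
                continue
            # Revisit src if it now matters at a later time than before,
            # since that may unlock more of its own incoming edges.
            if t_edge > reached.get(src, -1):
                reached[src] = t_edge
                worklist.append(src)
    return {n for n in reached if n != alert_node}


def entry_points(preds, nodes):
    """Nodes of the traced subgraph with no incoming edges: the candidate
    root causes an analyst still has to examine by hand."""
    return {n for n in nodes if not preds.get(n)}


if __name__ == "__main__":
    g = build_graph(AUDIT_EVENTS)
    for mode in (False, True):
        anc = backward_trace(g, ALERT_NODE, ALERT_TIME, causal=mode)
        print(f"causal={mode}: {len(anc)} ancestors, "
              f"roots={sorted(entry_points(g, anc))}")
```

On this input the naive trace blames seven nodes including /home/alice/taxes.pdf, which was read only after the dropper had already been written; the timestamp-aware trace drops it but still leaves three candidate roots (two benign files and the download socket), because nothing in a plain read/write graph distinguishes which of firefox:100's earlier inputs actually reached the write.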

NoDoze: Combatting threat alert fatigue with automated provenance triage

WU Hassan, S Guo, D Li, Z Chen, K Jee, Z Li… - Network and distributed …, 2019 - par.nsf.gov
Large enterprises are increasingly relying on threat detection software (e.g., Intrusion
Detection Systems) to allow them to spot suspicious activities. This software generates …

EXTRACTOR: Extracting attack behavior from threat reports

K Satvat, R Gjomemo… - 2021 IEEE European …, 2021 - ieeexplore.ieee.org
The knowledge on attacks contained in Cyber Threat Intelligence (CTI) reports is very
important to effectively identify and quickly respond to cyber threats. However, this …

SoK: History is a vast early warning system: Auditing the provenance of system intrusions

MA Inam, Y Chen, A Goyal, J Liu, J Mink… - … IEEE Symposium on …, 2023 - ieeexplore.ieee.org
Auditing, a central pillar of operating system security, has only recently come into its own as
an active area of public research. This resurgent interest is due in large part to the notion of …

ThreaTrace: Detecting and tracing host-based threats in node level through provenance graph learning

S Wang, Z Wang, T Zhou, H Sun, X Yin… - IEEE Transactions …, 2022 - ieeexplore.ieee.org
Host-based threats such as Program Attack, Malware Implantation, and Advanced Persistent
Threats (APT), are commonly adopted by modern attackers. Recent studies propose …

High Accuracy Attack Provenance via Binary-based Execution Partition

KH Lee, X Zhang, D Xu - NDSS, 2013 - ndss-symposium.org
An important aspect of cyber attack forensics is to understand the provenance of suspicious
events, as it discloses the root cause and ramifications of cyber attacks. Traditionally, this is …

RAIN: Refinable attack investigation with on-demand inter-process information flow tracking

Y Ji, S Lee, E Downing, W Wang, M Fazzini… - Proceedings of the …, 2017 - dl.acm.org
As modern attacks become more stealthy and persistent, detecting or preventing them at
their early stages becomes virtually impossible. Instead, an attack investigation or …