Cost-effective Attack Forensics by Recording and Correlating File System Changes

Authors: 

Le Yu, Yapeng Ye, Zhuo Zhang, and Xiangyu Zhang, Purdue University

Abstract: 

Attack forensics is particularly challenging for systems with restrictive resource constraints, such as IoT systems, because most existing methods entail logging high-frequency events in the temporal dimension, which is costly. We propose a novel and cost-effective forensics technique that records information in the spatial dimension. It takes regular file-system snapshots that only record deltas between two timestamps. It infers causality by analyzing and correlating file changes (e.g., through methods similar to information retrieval). We show that in practice the resulting provenance graphs are as informative as the traditional attack provenance graphs based on temporal event logging. In the context of IoT attacks, they are better than those produced by existing techniques. In addition, our runtime and space overheads are only 8.08% and 5.13% of those of state-of-the-art techniques, respectively.

BibTeX
@inproceedings {299569,
author = {Le Yu and Yapeng Ye and Zhuo Zhang and Xiangyu Zhang},
title = {Cost-effective Attack Forensics by Recording and Correlating File System Changes},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {1705--1722},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/yu-le},
publisher = {USENIX Association},
month = aug
}