High Accuracy Attack Provenance via Binary-based Execution Partition

An important aspect of cyber attack forensics is to understand the provenance of suspicious events, as it discloses the root cause and ramifications of cyber attacks. Traditionally, this is done by analyzing audit log. However, the presence of long running programs makes a live process receiving a large volume of inputs and produce many outputs and each output may be causally related to all the preceding inputs, leading to dependence explosion and making attack investigations almost infeasible. We observe that a long running execution can be partitioned into individual units by monitoring the execution of the program’s event-handling loops, with each iteration corresponding to the processing of an independent input/request. We reverse engineer such loops from application binaries. We also reverse engineer instructions that could cause workflows between units. Detecting such a workflow is critical to disclosing causality between units. We then perform selective logging for unit boundaries and unit dependences. Our experiments show that our technique, called BEEP, has negligible runtime overhead (< 1.4%) and low space overhead (12.28% on average). It is effective in capturing the minimal causal graph for every attack case we have studied, without any dependence explosion.