Jason Liu (University of Illinois at Urbana-Champaign), Muhammad Adil Inam (University of Illinois at Urbana-Champaign), Akul Goyal (University of Illinois at Urbana-Champaign), Dylen Greenenwald (University of Illinois at Urbana-Champaign), Adam Bates (University of Illinois at Urbana-Champaign), Saurav Chittal (Purdue University)

Academic research on provenance analysis is primarily based on high-fidelity event streams captured on Linux/Unix devices (e.g., Linux Audit). Unfortunately, provenance tracing becomes much more complicated on Windows, where microkernel design principles lead to far noisier provenance graphs. These complications further compound when analyzing the efficient, low-fidelity event streams generated by commercial Endpoint Detection & Response products.

Fortunately, provenance tracing is still possible in spite of these obstacles. We first present a method of recovering whole-system provenance from commercial EDR telemetry. This graph conservatively models all possible information flows, but is even less precise than traditional whole-system provenance graphs – that is, there is more dependency explosion, or false provenance. We go on to present four heuristics that allow us to denoise the provenance graph under realistic threat investigation scenarios. The first two heuristics are process-centric, leveraging domain knowledge of Windows service control flow patterns to mitigate the dependency explosion caused by Windows IPC. The second two heuristics are data-centric, intended to cluster and denoise data accesses on Windows where accesses to environmental configuration data (i.e., Registry keys) are auditable events. In evaluations based on the MITRE Enginuity simulation of the Carbanak APT, we demonstrate that these heuristics reduce graph complexity by up to 98% as compared to a baseline tracing algorithm. These tracing strategies enable further research into provenance integrations for EDR, moving the community towards a more realistic and relevant deployment model.

View More Papers

Beyond Raw Bytes: Towards Large Malware Language Models

Luke Kurlandski (Rochester Institute of Technology, Rochester New York USA), Harel Berger (Ariel University, Israel), Yin Pan (Rochester Institute of Technology, Rochester New York USA), Matthew Wright (Rochester Institute of Technology, Rochester New York USA)

Read More

DQN-IDS: A Deep Reinforcement Learning Approach for Open Set-Enabled...

Shreyash Tiwari (Computer and Information Science, University of Massachusetts Dartmouth), Nathaniel D. Bastian (Electrical Engineering and Computer Science, United States Military Academy), Gokhan Kul (Computer and Information Science, University of Massachusetts Dartmouth)

Read More

CryptPEFT: Efficient and Private Neural Network Inference via Parameter-Efficient...

Saisai Xia (State Key Laboratory of Cyberspace Security Defense, Institute of Information Engineering, CAS and School of Cyber Security, University of Chinese Academy of Sciences), Wenhao Wang (State Key Laboratory of Cyberspace Security Defense, Institute of Information Engineering, CAS and School of Cyber Security, University of Chinese Academy of Sciences), Zihao Wang (Nanyang Technological University),…

Read More