ABSTRACT
Provenance-based Endpoint Detection and Response (P-EDR) systems are widely regarded as crucial for future defenses against Advanced Persistent Threats (APTs). Although academia has proposed numerous techniques to improve P-EDR systems, it remains unclear whether industry will adopt them and which improvements industry actually wants. To this end, we conduct the first set of systematic studies on the effectiveness and limitations of P-EDR systems. Our study has four components: one-on-one interviews, an online questionnaire, a survey of the relevant literature, and a systematic measurement study. All industry experts in our study consider P-EDR systems more effective than conventional Endpoint Detection and Response (EDR) systems, but they are concerned about the operating cost of P-EDR systems. In addition, our research reveals three significant gaps between academia and industry: (1) client-side overhead is overlooked; (2) alarm triage cost and alarm interpretation cost are imbalanced; and (3) server-side memory consumption is excessive. These findings provide objective data on the effectiveness of P-EDR systems and on how much improvement is needed before industry adopts them.
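The core operation behind the three gaps above is the provenance graph a P-EDR builds from host audit events and the backward trace it runs from an alarm. The following is an added illustration, not code from the paper or from any product it evaluates: the audit events, process names, file paths and IP addresses are constructed for the example, and the edge directions (read/recv flow object-to-process, write/connect/exec flow process-to-object) follow the usual information-flow convention of provenance graphs.

```python
"""Provenance graph construction and backward causal tracing.

Added example (not the paper's or any vendor's code): constructed
audit events become a provenance graph, and an alert is traced
backward through information-flow edges, the step a P-EDR performs
when an analyst triages an alarm.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    ts: int        # monotonic timestamp (constructed)
    subject: str   # acting process as "pid:comm"
    op: str        # exec | read | write | connect | recv
    obj: str       # file path, socket, or child process


# Constructed audit trail with hypothetical names and addresses: a web
# server receives a request and spawns a shell that downloads and runs
# a script, while an unrelated cron job rotates a log file.
EVENTS = [
    Event(1, "100:nginx", "recv", "sock:10.0.0.5:44321"),
    Event(2, "100:nginx", "read", "/var/www/index.html"),
    Event(3, "100:nginx", "exec", "200:sh"),
    Event(4, "200:sh", "connect", "sock:198.51.100.9:80"),
    Event(5, "200:sh", "recv", "sock:198.51.100.9:80"),
    Event(6, "200:sh", "write", "/tmp/payload.sh"),
    Event(7, "300:cron", "read", "/var/log/syslog"),
    Event(8, "300:cron", "write", "/var/log/rotated.log"),
    Event(9, "200:sh", "exec", "400:payload"),
    Event(10, "400:payload", "read", "/tmp/payload.sh"),
    Event(11, "400:payload", "read", "/etc/passwd"),
    Event(12, "400:payload", "connect", "sock:198.51.100.9:443"),
]

Edge = Tuple[str, str, int]  # (src, dst, ts): information flowed src -> dst at ts


def build_graph(events: List[Event]) -> Dict[str, List[Edge]]:
    """Return, for every node, the list of edges flowing into it."""
    incoming: Dict[str, List[Edge]] = defaultdict(list)
    for e in events:
        if e.op in ("read", "recv"):                 # object -> subject
            src, dst = e.obj, e.subject
        elif e.op in ("write", "connect", "exec"):   # subject -> object / child
            src, dst = e.subject, e.obj
        else:
            raise ValueError(f"unsupported op: {e.op}")
        incoming[dst].append((src, dst, e.ts))
    return incoming


def graph_size(incoming: Dict[str, List[Edge]]) -> Tuple[int, int]:
    """Node and edge counts: every retained audit event is one edge the
    server keeps in memory, so the graph grows with log volume."""
    nodes: Set[str] = set()
    n_edges = 0
    for dst, edges in incoming.items():
        nodes.add(dst)
        for src, _, _ in edges:
            nodes.add(src)
        n_edges += len(edges)
    return len(nodes), n_edges


def backtrack(incoming: Dict[str, List[Edge]], start: str,
              t_alert: int) -> Tuple[Set[str], Set[Edge]]:
    """Time-constrained backward search from the alerted node: an edge
    into a node only counts if it happened before that node passed
    information to the next hop. Returns the causal subgraph."""
    nodes: Set[str] = {start}
    edges: Set[Edge] = set()
    worklist = [(start, t_alert)]
    while worklist:
        node, before = worklist.pop()
        for src, dst, ts in incoming.get(node, []):
            edge = (src, dst, ts)
            if ts <= before and edge not in edges:
                edges.add(edge)
                nodes.add(src)
                worklist.append((src, ts))
    return nodes, edges


def causal_chain(edges: Set[Edge]) -> List[str]:
    """Edges in time order: the story an analyst reads during triage."""
    return [f"{ts}: {src} -> {dst}"
            for src, dst, ts in sorted(edges, key=lambda e: e[2])]


def main() -> None:
    g = build_graph(EVENTS)
    print("graph nodes/edges:", graph_size(g))
    # Alarm: the payload process opened an outbound connection at ts=12.
    nodes, edges = backtrack(g, "400:payload", t_alert=12)
    print(f"causal subgraph: {len(nodes)} nodes, {len(edges)} edges")
    for line in causal_chain(edges):
        print(" ", line)
    assert "300:cron" not in nodes  # unrelated cron activity is pruned


if __name__ == "__main__":
    main()
```

The subgraph that `backtrack` returns is what an analyst has to read to interpret the alarm; on real audit volumes it is far larger than nine edges, which is the interpretation cost the abstract sets against triage cost. `graph_size` shows the other gap: every audit event is retained as an edge, so the server-side graph grows with log volume unless events are reduced or aged out.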
Are we there yet? An Industrial Viewpoint on Provenance-based Endpoint Detection and Response Tools