Design World


‘Instant Replay’ For Computer Systems Shows Cyber Attack Details

By Georgia Institute of Technology | October 30, 2017


Until now, assessing the extent and impact of network or computer system attacks has been largely a time-consuming manual process. A new software system being developed by cybersecurity researchers at the Georgia Institute of Technology will largely automate that process, allowing investigators to quickly and accurately pinpoint how intruders entered the network, what data they took and which computer systems were compromised.

Known as Refinable Attack INvestigation (RAIN), the system will provide forensic investigators a detailed record of an intrusion, even if the attackers attempted to cover their tracks. The system provides multiple levels of detail, facilitating automated searches through information at a high level to identify the specific events for which more detailed data is reproduced and analyzed.

“You can go back and find out what has gone wrong in your system, not just at the point where you realized that something is wrong, but far enough back to figure out how the attacker got into the system and what has been done,” said Wenke Lee, co-director of Georgia Tech’s Institute for Information Security & Privacy.

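The research, supported largely by the Defense Advanced Research Projects Agency (DARPA) along with the National Science Foundation and the Office of Naval Research, is scheduled to be reported October 31 at the 2017 ACM Conference on Computer and Communications Security.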

Existing forensic techniques can provide detailed information about the current status of computers and networks; from that information, investigators can then attempt to infer how attacks unfolded. Digital logs maintained by the systems provide some information about attacks, but because of concerns about data storage issues, usually don’t record enough detail. Other programs provide snapshots in time, but those snapshots may miss important details of an attack.

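The RAIN system continuously monitors a system and logs the events it identifies as potentially interesting. This ability to selectively record information that may be useful later allows a tradeoff between realistic overheads, in system performance and data storage, and a useful level of detail. The system “effectively prunes out unrelated processes and determines attack causality with negligible false positive rates,” the authors wrote in their conference paper.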

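Beyond being selective in recording events, RAIN creates a multi-level review capability that is coarse at first, then more detailed once specific events of interest are identified. The timing of activities (inputs, environment and resulting actions) is also synchronized to help researchers understand a complex sequence of activities.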
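The coarse first pass described above, pruning processes unrelated to an attack before any detailed replay, can be sketched as backward causality tracking over an event log. This is an added illustration, not RAIN's code; the event format, operation names and sample log are constructed assumptions.

```python
from collections import namedtuple

# Constructed sample log (not from the paper): time, process, operation, object.
Event = namedtuple("Event", "t proc op obj")
LOG = [
    Event(1, "sshd", "fork", "bash"),
    Event(2, "bash", "fork", "curl"),
    Event(3, "curl", "recv", "198.51.100.7:443"),
    Event(4, "curl", "write", "/tmp/payload"),
    Event(5, "cron", "fork", "backup.sh"),
    Event(6, "backup.sh", "read", "/etc/hosts"),
    Event(7, "backup.sh", "write", "/var/backup/hosts.bak"),
    Event(8, "bash", "fork", "payload"),
    Event(9, "payload", "exec", "/tmp/payload"),
    Event(10, "payload", "read", "/home/alice/secrets.db"),
    Event(11, "payload", "send", "203.0.113.9:8443"),
    Event(12, "curl", "recv", "192.0.2.50:80"),  # too late to be causal
]

# Operations whose data flows from the object into the process.
INBOUND = {"read", "recv", "exec"}

def flow(e):
    """Return (source, destination) of the information flow for one event."""
    return (e.obj, e.proc) if e.op in INBOUND else (e.proc, e.obj)

def backtrack(log, entity, t_detect):
    """Keep only events that could have influenced `entity` by `t_detect`."""
    frontier = {entity: t_detect}  # entity -> latest time it still matters
    kept = []
    for e in sorted(log, key=lambda ev: ev.t, reverse=True):
        src, dst = flow(e)
        # An event is causal only if it fed a tracked entity early enough.
        if dst in frontier and e.t <= frontier[dst]:
            kept.append(e)
            frontier[src] = max(frontier.get(src, e.t), e.t)
    kept.reverse()
    return kept

def replay_targets(kept):
    """Processes and time window that merit the costly fine-grained replay."""
    if not kept:
        return [], None
    return sorted({e.proc for e in kept}), (kept[0].t, kept[-1].t)
```

Starting from the outbound connection at time 11, the pass drops the `cron`/`backup.sh` activity and the late `curl` event, leaving four processes for the detailed stage.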

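“During the replay of activity, we use binary dynamic instrumentation tools to extract the proper information,” said Taesoo Kim, an assistant professor in Georgia Tech’s School of Computer Science and one of the co-authors of the paper. “We organize the information in a hierarchical way, and for each level, we employ different kinds of automated analysis. At the deepest layer, we can tell what happened at the byte level.”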

The hierarchical approach allows still more flexibility in how the analysis is done after an attack.

“These fine-grained analyses, which can be extremely useful when investigating an attack, would be too expensive to perform on a deployed system; but our hierarchical approach allows us to run these analyses off-line, and only when necessary,” said Alessandro Orso, associate chair of Georgia Tech’s School of Computer Science and another co-author.

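Even with RAIN’s selectivity, storing the relevant information requires significant capacity, but the advent of inexpensive storage makes that practical, Kim said. For instance, an average desktop computer might generate four gigabytes of system data per day, less than two TB per year. That amount of storage can now be purchased for $50 per year.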

“I think we are reaching an affordable storage cost,” Kim said.

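Assessing the damage caused by intruders now typically takes weeks or months. Beyond accelerating that process, Lee said, RAIN could help operators of high-value military or commercial computer networks continually improve their security by providing visibility that isn’t possible today.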

“When this is deployed, organizations can have complete transparency, or visibility, about what went wrong,” he explained. “The operators of any network housing important data would want to have something like this to replace a manual process with a much more precise and automated technique.”

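The research team is in the third year of a four-year project funded by DARPA. Additional refinements are being made to the system to transition it to industry.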

“This would likely become an independent system that does the logging and interface for other security systems to understand what has happened,” Lee explained. “This could be the first product that actually logs the necessary information to reconstruct, or replay, and analyze events that have happened on a computer system, for the first time enabling automated forensics.”


Filed Under: Industry Regulations, Cybersecurity

