Visible to the public APTrace: A Responsive System for Agile Enterprise Level Causality Analysis

TitleAPTrace: A Responsive System for Agile Enterprise Level Causality Analysis
Publication TypeConference Paper
Year of Publication2020
AuthorsGui, J., Li, D., Chen, Z., Rhee, J., Xiao, X., Zhang, M., Jee, K., Li, Z., Chen, H.
Conference Name2020 IEEE 36th International Conference on Data Engineering (ICDE)
KeywordsBacktracking, Backtracking analysis, domain language, Domain Specific Languages, expressiveness, Malware, Network security, phishing, predictability, pubcrawl, Resiliency, responsiveness, Scalability, Security Heuristics, unsolicited e-mail
AbstractWhile backtracking analysis has been successful in assisting the investigation of complex security attacks, it faces a critical dependency explosion problem. To address this problem, security analysts currently need to tune backtracking analysis manually with different case-specific heuristics. However, existing systems fail to fulfill two important system requirements to achieve effective backtracking analysis. First, there need flexible abstractions to express various types of heuristics. Second, the system needs to be responsive in providing updates so that the progress of backtracking analysis can be frequently inspected, which typically involves multiple rounds of manual tuning. In this paper, we propose a novel system, APTrace, to meet both of the above requirements. As we demonstrate in the evaluation, security analysts can effectively express heuristics to reduce more than 99.5% of irrelevant events in the backtracking analysis of real-world attack cases. To improve the responsiveness of backtracking analysis, we present a novel execution-window partitioning algorithm that significantly reduces the waiting time between two consecutive updates (especially, 57 times reduction for the top 1% waiting time).
Citation Keygui_aptrace_2020