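@comment{SecureComm 2021 (LNICST) paper: SemFlow labels low-level audit
  events with application-level semantics to support forensic
  attack-chain reconstruction (see abstract and keywords). The exported
  hash-style citation key is kept so existing citations keep resolving.
  Author and editor names are stored in "Last, First" form; acronyms in
  title/booktitle/series are brace-protected against style recasing;
  values use braces rather than quotes. The address field holds a
  country as exported because the publisher city is not given in the
  source data. The abstract typo "in at set of" was corrected to
  "in a set of".}
@inproceedings{e79c94823e2e4c4787e3fbf645d59615,
  author    = {Kavousi, Mohammad and Yang, Runqing and Ma, Shiqing and Chen, Yan},
  title     = {{SemFlow}: Accurate Semantic Identification from Low-Level System Data},
  booktitle = {Security and Privacy in Communication Networks - 17th {EAI} International Conference, {SecureComm} 2021, Proceedings},
  editor    = {Garcia-Alfaro, Joaquin and Li, Shujun and Poovendran, Radha and Debar, Herv{\'e} and Yung, Moti},
  series    = {Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, {LNICST}},
  publisher = {Springer Science and Business Media Deutschland GmbH},
  address   = {Germany},
  year      = {2021},
  pages     = {513--535},
  doi       = {10.1007/978-3-030-90019-9_26},
  isbn      = {9783030900182},
  language  = {English (US)},
  keywords  = {Living-off-the-land, Provenance graph, Security, Semantic detection, System security},
  abstract  = {Forensic analysis, nowadays, is a crucial part of attack investigation in end-user and enterprise systems. Log collection and analysis enable investigators to rebuild the attack chain, find the attack source and possibly rollback the damage made to the system. However, building the full attack chain is often time-consuming and error-prone. The reason is that existing audit systems cannot provide high-level semantics for low-level system events. To address this issue, we propose SemFlow, to accurately identify semantics for system events. Specifically, we generate signatures to link low-level system events to a particular high-level application behavior during an offline training phase. Then, during the labeling phase, our realtime data collector matches the generated signatures against audit logs and labels individual system-level events with high-level semantics. Our evaluations show that in a set of 16 selected popular applications, our system can effectively identify semantics of certain system-level data while maintaining less than 4% of overhead on the CPU and memory.},
  note      = {Publisher Copyright: {\textcopyright} 2021, ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering.; 17th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2021 ; Conference date: 06-09-2021 Through 09-09-2021},
}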