SemFlow: Accurate Semantic Identification from Low-Level System Data

Mohammad Kavousi, Runqing Yang, Shiqing Ma, Yan Chen

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Scopus citations

Abstract

Forensic analysis, nowadays, is a crucial part of attack investigation in end-user and enterprise systems. Log collection and analysis enable investigators to rebuild the attack chain, find the attack source and possibly roll back the damage made to the system. However, building the full attack chain is often time-consuming and error-prone. The reason is that existing audit systems cannot provide high-level semantics for low-level system events. To address this issue, we propose SemFlow, to accurately identify semantics for system events. Specifically, we generate signatures to link low-level system events to a particular high-level application behavior during an offline training phase. Then, during the labeling phase, our real-time data collector matches the generated signatures against audit logs and labels individual system-level events with high-level semantics. Our evaluations show that in a set of 16 selected popular applications, our system can effectively identify semantics of certain system-level data while maintaining less than 4% of overhead on the CPU and memory.
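The two-phase idea in the abstract (signatures learned offline, then matched against audit events at labelling time so that individual low-level events receive an application-behaviour label) can be illustrated with a small matcher. The code below is an added example and is not the SemFlow authors' code: the audit log line format, the signature representation (an ordered list of syscall steps with regexes over argument fields), the per-process windowed subsequence matching rule and all sample log lines are assumptions constructed for illustration, not the paper's actual signature format or algorithm.

```python
"""Illustration of signature-based semantic labelling of audit events.

Added example, not SemFlow's code. The log format, signature format and
matching rule are assumptions made for this illustration.
"""
import re
from collections import defaultdict

# Constructed audit log (assumed format): "<ts> pid=<pid> comm=<name> syscall=<name> <key=value ...>"
AUDIT_LOG = """\
1001 pid=42 comm=curl syscall=connect addr=203.0.113.5:443
1002 pid=42 comm=curl syscall=read fd=3 bytes=4096
1003 pid=42 comm=curl syscall=openat path=/home/u/Downloads/pkg.tar.gz flags=O_WRONLY
1004 pid=42 comm=curl syscall=write fd=4 bytes=4096
1005 pid=42 comm=curl syscall=close fd=4
1010 pid=77 comm=bash syscall=openat path=/etc/passwd flags=O_RDONLY
1011 pid=77 comm=bash syscall=read fd=3 bytes=2048
1012 pid=77 comm=bash syscall=close fd=3
"""

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<kv>.*)$")


def parse_events(text):
    """Parse log lines into dicts of field -> value (plus integer 'ts')."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole batch
        ev = {"ts": int(m.group("ts"))}
        for kv in m.group("kv").split():
            k, _, v = kv.partition("=")
            ev[k] = v
        events.append(ev)
    return events


# A signature (assumed representation): application, behaviour label and an
# ordered list of steps; each step is a syscall name plus regexes that the
# event's argument fields must satisfy. Standing in for what an offline
# training phase would produce.
SIGNATURES = [
    ("curl", "download_file", [
        ("connect", {}),
        ("read", {}),
        ("openat", {"path": r"/Downloads/", "flags": r"O_WRONLY"}),
        ("write", {}),
    ]),
]


def step_matches(ev, step):
    syscall, arg_patterns = step
    if ev.get("syscall") != syscall:
        return False
    return all(re.search(pat, ev.get(field, "")) for field, pat in arg_patterns.items())


def label_events(events, signatures, window=10):
    """Label events whose process emits the signature's steps as an ordered
    subsequence within `window` consecutive events of that process.
    Returns a list of (event, (app, behaviour)) in original order."""
    labels = {}  # event index -> (app, behaviour)
    by_pid = defaultdict(list)
    for i, ev in enumerate(events):
        by_pid[ev.get("pid")].append(i)
    for pid_idxs in by_pid.values():
        for app, behaviour, steps in signatures:
            for start in range(len(pid_idxs)):
                matched, k = [], 0
                for i in pid_idxs[start:start + window]:
                    ev = events[i]
                    if ev.get("comm") == app and step_matches(ev, steps[k]):
                        matched.append(i)
                        k += 1
                        if k == len(steps):
                            break
                if k == len(steps):
                    for i in matched:
                        labels.setdefault(i, (app, behaviour))
    return [(ev, labels.get(i, ("unknown", "unlabelled"))) for i, ev in enumerate(events)]


def summarize(labelled):
    """Count how many events received each label."""
    counts = defaultdict(int)
    for _, lab in labelled:
        counts[lab] += 1
    return dict(counts)


if __name__ == "__main__":
    for ev, lab in label_events(parse_events(AUDIT_LOG), SIGNATURES):
        print(ev["ts"], ev["comm"], ev["syscall"], "->", lab)
```

Running it labels the four curl events that form the connect/read/openat/write chain as `download_file`, while the trailing `close` and the unrelated bash activity stay unlabelled; that gap is exactly the kind of residual low-level noise an investigator still has to interpret by hand, which is why the coverage and the runtime overhead of the labelling phase are the quantities worth measuring.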

Original language: English (US)
Title of host publication: Security and Privacy in Communication Networks - 17th EAI International Conference, SecureComm 2021, Proceedings
Editors: Joaquin Garcia-Alfaro, Shujun Li, Radha Poovendran, Hervé Debar, Moti Yung
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 513-535
Number of pages: 23
ISBN (Print): 9783030900182
DOIs
State: Published - 2021
Event: 17th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2021 - Virtual, Online
Duration: Sep 6 2021 - Sep 9 2021

Publication series

Name: Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume: 398 LNICST
ISSN (Print): 1867-8211
ISSN (Electronic): 1867-822X

Conference

Conference: 17th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2021
City: Virtual, Online
Period: 9/6/21 - 9/9/21

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications

Keywords

  • Living-off-the-land
  • Provenance graph
  • Security
  • Semantic detection
  • System security
