
SecTracer: A Framework for Uncovering the Root Causes of Network Intrusions via Security Provenance

Seunghyeon Lee, Hyunmin Seo, Hwanjo Heo, Anduo Wang, Seungwon Shin, Jinwoo Kim

TL;DR

SecTracer addresses the challenge of root-cause analysis for network-scale intrusions in heterogeneous enterprise environments. It introduces network-level security provenance built on SDN, enabling reconstruction of attack histories across multiple hosts and automated root-cause analysis (RCA) via probabilistic soft logic. The framework implements three core modules (provenance collection, provenance analysis, and root-cause analysis) and demonstrates effectiveness through APT and botnet scenarios with less than 1% network throughput overhead. This work offers a practical approach to high-fidelity forensics and proactive threat mitigation in modern, complex networks.

Abstract

Modern enterprise networks comprise diverse and heterogeneous systems that support a wide range of services, making it challenging for administrators to track and analyze sophisticated attacks such as advanced persistent threats (APTs), which often exploit multiple vectors. To address this challenge, we introduce the concept of network-level security provenance, which enables the systematic establishment of causal relationships across hosts at the network level, facilitating the accurate identification of the root causes of security incidents. Building on this concept, we present SecTracer as a framework for a network-wide provenance analysis. SecTracer offers three main contributions: (i) comprehensive and efficient forensic data collection in enterprise networks via software-defined networking (SDN), (ii) reconstruction of attack histories through provenance graphs to provide a clear and interpretable view of intrusions, and (iii) proactive attack prediction using probabilistic models. We evaluated the effectiveness and efficiency of SecTracer through a real-world APT simulation, demonstrating its capability to enhance threat mitigation while introducing less than 1% network throughput overhead and negligible latency impact.
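The abstract describes causal relationships established across hosts at the network level and attack histories reconstructed as provenance graphs. The following Python is an added illustration of that idea and is not SecTracer's own code: the hosts, timestamps and annotations are constructed flow records, the causality rule (an earlier flow into a host is a potential cause of every later flow out of it) is the simplest possible one, and the ranking heuristic is a stand-in for the paper's probabilistic soft logic, not a reimplementation of it.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowEvent:
    """One network-level provenance record (constructed; shape is an assumption)."""
    ts: int       # logical timestamp from the collector
    src: str      # source host (or external address)
    dst: str      # destination host (or external address)
    dport: int    # destination port
    note: str     # annotation attached at collection time


# Constructed sample events modelled on a phishing-to-exfiltration APT chain.
EVENTS = [
    FlowEvent(100, "203.0.113.7", "mail-gw", 25, "inbound mail from attacker"),
    FlowEvent(105, "dev-pc", "file-srv", 445, "benign share access"),
    FlowEvent(110, "mail-gw", "hr-pc", 143, "mail fetched by victim"),
    FlowEvent(120, "hr-pc", "203.0.113.7", 443, "beacon to C2"),
    FlowEvent(130, "hr-pc", "file-srv", 445, "SMB lateral movement"),
    FlowEvent(140, "file-srv", "mgr-pc", 445, "SMB lateral movement"),
    FlowEvent(150, "mgr-pc", "203.0.113.7", 443, "exfiltration"),
    FlowEvent(160, "mgr-pc", "print-srv", 631, "benign print job"),
]
ALERT = EVENTS[6]  # the detected exfiltration; tracing starts here


def backward_trace(events, alert):
    """All events causally upstream of `alert`.

    e is a direct cause of f when e.dst == f.src and e.ts < f.ts; the
    relation is closed transitively. This deliberately over-approximates:
    every earlier inbound flow to a host is kept as a candidate cause.
    """
    by_dst = defaultdict(list)
    for e in events:
        by_dst[e.dst].append(e)
    seen, stack = set(), [alert]
    while stack:
        f = stack.pop()
        for e in by_dst[f.src]:
            if e.ts < f.ts and e not in seen:
                seen.add(e)
                stack.append(e)
    return sorted(seen, key=lambda e: e.ts)


def root_causes(events, alert):
    """Upstream events that have no upstream event of their own."""
    chain = backward_trace(events, alert)
    return [e for e in chain if not backward_trace(events, e)]


def attack_paths(events, root, alert):
    """Every time-ordered causal chain root -> ... -> alert (forward DFS)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    paths = []

    def dfs(cur, path):
        if cur == alert:
            paths.append(list(path))
            return
        for nxt in by_src[cur.dst]:
            if nxt.ts > cur.ts and nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(root, [root])
    return paths


def rank_roots(events, alert):
    """Order candidate roots by how much of the alert's ancestry each explains.

    A crude placeholder for probabilistic scoring (assumption, not the
    paper's method): a root that accounts for more of the traced chain
    ranks higher, so the phishing entry point outranks the benign share access.
    """
    chain = set(backward_trace(events, alert))
    scored = []
    for r in root_causes(events, alert):
        explained = {e for p in attack_paths(events, r, alert) for e in p}
        scored.append((len(explained & chain), r))
    return [r for _, r in sorted(scored, key=lambda s: -s[0])]


if __name__ == "__main__":
    for r in rank_roots(EVENTS, ALERT):
        print(f"candidate root @{r.ts}: {r.src} -> {r.dst} ({r.note})")
        for path in attack_paths(EVENTS, r, ALERT):
            print("   " + " -> ".join(f"{e.src}@{e.ts}" for e in path) + f" -> {ALERT.dst}")
```

Running it traces the exfiltration back to two candidate roots, the attacker's inbound mail and an unrelated share access from dev-pc. The second is the dependency-explosion problem inherent to host-granularity causality: without finer evidence or a probabilistic model to weigh candidates, every earlier inbound flow to a traversed host looks like a cause. The C2 beacon from hr-pc is correctly excluded, since it is a sibling of the chain rather than an ancestor.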

Paper Structure

This paper contains 26 sections, 3 equations, 15 figures, and 7 tables.

Figures (15)

  • Figure 1: Example scenario where an attacker aims to steal confidential information through the manager's machine via an APT [zhang2000detecting]. The dotted line indicates that the attacker controls compromised victims.
  • Figure 2: Overall architecture of SecTracer. SecTracer is hosted over a wide enterprise infrastructure above the SDN control plane. The solid and dotted lines indicate internal and external events, respectively.
  • Figure 3: Working scenario of 2PC when H1 sends a packet to H2. Monitoring parts are highlighted in blue.
  • Figure 4: Format of a single SecTracer evidence. The gray box represents index fields for unique identifiers, and the white box is a list of feature fields. The text in bold represents features from the security devices, and the others in the white box are generated from enterprise-wide security inspections.
  • Figure 5: Example scenario of a local integrity violation between Hosts A and B, where an attacker intercepts a packet from Host A, spoofs its IP address to appear as Host A, and sends it to Host B.
  • ...and 10 more figures