A new cybersecurity system developed by researchers at the Georgia Institute of Technology and known as Refinable Attack INvestigation (RAIN) will provide forensic investigators a detailed record of an intrusion, even if the attackers attempted to cover their tracks. Image shows a schematic of how the system prunes information about system operation.
Until now, assessing the extent and impact of network or computer system attacks has been largely a time-consuming manual process. A new software system being developed by cybersecurity researchers at the Georgia Institute of Technology will largely automate that process, allowing investigators to quickly and accurately pinpoint how intruders entered the network, what data they took and which computer systems were compromised.
Known as Refinable Attack INvestigation (RAIN), the system will provide forensic investigators a detailed record of an intrusion, even if the attackers attempted to cover their tracks. The system provides multiple levels of detail, facilitating automated searches through information at a high level to identify the specific events for which more detailed data is reproduced and analyzed.
“You can go back and find out what has gone wrong in your system, not just at the point where you realized that something is wrong, but far enough back to figure out how the attacker got into the system and what has been done,” said Wenke Lee, co-director of Georgia Tech’s Institute for Information Security & Privacy.
The research, supported largely by the Defense Advanced Research Projects Agency (DARPA) and also by the National Science Foundation and Office of Naval Research, is scheduled to be reported October 31 at the 2017 ACM Conference on Computer and Communications Security (CCS).
Existing forensic techniques can provide detailed information about the current status of computers and networks; from that information, investigators can then attempt to infer how attacks unfolded. Digital logs maintained by the systems provide some information about attacks, but because of concerns about data storage issues, usually don’t record enough detail. Other programs provide snapshots in time, but those snapshots may miss important details of an attack.
The RAIN system continuously monitors a system and logs events that it recognizes as potentially interesting. That ability to selectively record information likely to be useful later allows a trade-off between realistic overhead – in terms of system performance and data storage – and useful levels of detail. The system “effectively prunes out unrelated processes and determines attack causality with negligible false positive rates,” the authors wrote in their conference paper.
In addition to its selectivity in recording events, RAIN creates a multi-level review capability that is coarse at first, then more detailed when specific events of interest are identified. The timing of the activities – the inputs, environment and resulting actions – is also synchronized to help investigators understand a complex sequence of activities.
“During the replay of an event, we use binary dynamic instrumentation tools to do the extraction of the appropriate information,” said Taesoo Kim, an assistant professor in Georgia Tech’s School of Computer Science and one of the paper’s co-authors. “We organize information in a hierarchical way, and for each level apply a different type of automated analysis. At the deepest layer, we can tell what happened at the byte level.”
The hierarchical approach allows still more flexibility in how the analysis is done after an attack.
“These fine-grained analyses, which can be extremely useful when investigating an attack, would be too expensive to perform on a deployed system; but our hierarchical approach allows us to run these analyses off-line, and only when necessary,” said Alessandro Orso, associate chair of Georgia Tech’s School of Computer Science and another co-author.
Even with RAIN’s selectivity, storing the relevant information requires significant capacity, but the advent of inexpensive storage makes that practical, said Kim. For instance, an average desktop computer might generate four gigabytes of system data per day, less than two terabytes per year. That amount of storage can now be purchased for as little as $50 per year.
“I think we are getting into an affordable range of storage cost,” Kim said.
Assessing the damage done by intruders now often takes weeks or months. Beyond accelerating that process, RAIN could help the operators of high-value military or commercial computer networks continually improve their security by providing a level of visibility that is impossible today, Lee said.
“When this is deployed, organizations can have complete transparency, or visibility, about what went wrong,” he explained. “The operators of any network housing important data would want to have something like this to replace a manual process with a much more precise and automated technique.”
The research team is in the third year of a four-year project funded by DARPA. Additional improvements are being made to the system with a goal of transitioning it to industry.
“This would likely become an independent system that does the logging and interface for other security systems to understand what has happened,” Lee explained. “This could be the first product that actually logs the necessary information to reconstruct, or replay, and analyze events that have happened on a computer system, for the first time enabling automated forensics.”
Learn more: “Instant Replay” for Computer Systems Shows Cyber Attack Details