DepImpact

Introduction

Workflow of DepImpact (figure)

Causality analysis on system auditing data has emerged as an important solution for attack investigation. Given a POI (Point-Of-Interest) event (e.g. an alert fired on a suspicious file creation), causality analysis constructs a dependency graph, in which nodes represent system entities (e.g. processes and files) and edges represent dependencies among entities, to reveal the attack sequence. However, causality analysis often produces a huge graph. We propose DepImpact, which identifies the critical component of a dependency graph by assigning discriminative weights to edges to distinguish critical edges that represent the attack sequence from less-important dependencies, propagating dependency impacts backwards from the POI event to entry points, and ranking entry points by their impacts. In particular, DepImpact performs forward causality analysis from the top-ranked entry points, which are likely to be the attack entries, to filter out edges in the original dependency graph that are not found in the forward causality analysis.
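The following is an added illustration of the workflow just described (backward impact propagation from the POI, ranking of entry points, forward filtering from the top-ranked entry); it is not the project's Java code. The sample graph, its edge weights and the proportional split of impact over incoming edges are assumptions, since the README does not spell out the weighting or propagation formulas.

```python
from collections import defaultdict

# Constructed sample backward dependency graph for a POI file: (src, dst, weight).
# An edge src -> dst means dst depends on src. The weights are assumed inputs here;
# DepImpact's own discriminative weighting scheme is not reproduced.
EDGES = [
    ("entry_mail.eml", "thunderbird", 0.9),
    ("thunderbird", "dropper.exe", 0.9),
    ("dropper.exe", "secret.txt", 0.9),
    ("update.log", "svchost", 0.1),
    ("svchost", "secret.txt", 0.1),
    ("entry_ssh", "sshd", 0.5),
    ("sshd", "bash", 0.5),
    ("bash", "dropper.exe", 0.3),
]
POI = "secret.txt"

def rank_entry_points(edges, poi):
    """Propagate impact backwards from the POI (impact 1.0) and rank entry points.
    Each node splits its impact over its incoming edges in proportion to edge weight
    (an assumed simplification); entry points are nodes with no incoming edge."""
    incoming, out = defaultdict(list), defaultdict(list)
    for src, dst, w in edges:
        incoming[dst].append((src, w))
        out[src].append((dst, w))
    total_in = {n: sum(w for _, w in ins) for n, ins in incoming.items()}
    memo = {poi: 1.0}
    def impact(n):  # memoised recursion; the backward graph is assumed acyclic
        if n not in memo:
            memo[n] = sum(impact(m) * w / total_in[m] for m, w in out[n])
        return memo[n]
    entries = [n for n in out if n not in incoming]
    return sorted(((round(impact(e), 6), e) for e in entries), reverse=True)

def critical_component(edges, entry):
    """Forward causality analysis from one entry point: keep only the edges of the
    backward graph whose source is forward-reachable from that entry."""
    out = defaultdict(list)
    for src, dst, _ in edges:
        out[src].append(dst)
    seen, stack = set(), [entry]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(out[node])
    return [e for e in edges if e[0] in seen]
```

With the sample graph the mail attachment path receives most of the impact, and forward filtering from it drops the unrelated svchost and ssh branches, leaving the three edges of the attack sequence.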

Requirements

Java version: 1.8

Usage

Input

  1. Log file
  2. Path of output
  3. Parameter file containing the necessary parameters

Command

java -jar DepImpactJar-1.0-SNAPSHOT-jar-with-dependencies.jar log-path output-path parameter-file-path

Data

Due to GitHub's size limit, we can't upload the extremely large log file. The folder example contains a log and a parameter file that can be used for a demo. In this case, the POI event is a file that contains the user's sensitive information. For the DARPA attack data used in the evaluation, here is the github link. You can follow their instructions to download the data.

Output

DepImpact will output several different files.

  1. The original dependency graph of the given POI event; the file name starts with Backtrack.
  2. The dependency graph processed by the edge-merge module.
  3. A JSON file containing the final weight of each edge; this file name ends with weights.
  4. Two files containing the entry points, both named start_rank: one is a JSON file, the other a txt file.
  5. The folder DepImact containing the critical components. This folder contains a txt file that shows the entry point of the critical component.

Contributors

291831388, usenixsub
