Creators/Authors contains: "Li, Ding"


  1. Advanced Persistent Threats (APT) attacks have plagued modern enterprises, causing significant financial losses. To counter these attacks, researchers propose techniques that capture the complex and stealthy scenarios of APT attacks by using provenance graphs to model system entities and their dependencies. Particularly, to accelerate attack detection and reduce financial losses, online provenance-based detection systems that detect and investigate APT attacks under the constraints of timeliness and limited resources are in dire need. Unfortunately, existing online systems usually sacrifice detection granularity to reduce computational complexity and produce provenance graphs with more than 100,000 nodes, posing challenges for security admins to interpret the detection results. In this paper, we design and implement NODLINK, the first online detection system that maintains high detection accuracy without sacrificing detection granularity. Our insight is that the APT attack detection process in online provenance-based detection systems can be modeled as a Steiner Tree Problem (STP), which has efficient online approximation algorithms that recover concise attack-related provenance graphs with a theoretically bounded error. To utilize the frameworks of the STP approximation algorithm for APT attack detection, we propose a novel design of in-memory cache, an efficient attack screening method, and a new STP approximation algorithm that is more efficient than the conventional one in APT attack detection while maintaining the same complexity. We evaluate NODLINK in a production environment. The open-world experiment shows that NODLINK outperforms two state-of-the-art (SOTA) online provenance analysis systems by achieving magnitudes higher detection and investigation accuracy while having the same or higher throughput.
  2. Recent advances in causal analysis can accelerate incident response time, but only after a causal graph of the attack has been constructed. Unfortunately, existing causal graph generation techniques are mainly offline and may take hours or days to respond to investigator queries, creating greater opportunity for attackers to hide their attack footprint, gain persistency, and propagate to other machines. To address that limitation, we present Swift, a threat investigation system that provides high-throughput causality tracking and real-time causal graph generation capabilities. We design an in-memory graph database that enables space-efficient graph storage and online causality tracking with minimal disk operations. We propose a hierarchical storage system that keeps the forensically relevant part of the causal graph in main memory while evicting the rest to disk. To identify the part of the causal graph that is likely to be relevant during the investigation, we design an asynchronous cache eviction policy that calculates the most suspicious part of the causal graph and caches only that part in main memory. We evaluated Swift on a real-world enterprise to demonstrate how our system scales to process typical event loads and how it responds to forensic queries when security alerts occur. Results show that Swift is scalable, modular, and answers forensic queries in real time even when analyzing audit logs containing tens of millions of events.
  3. Large enterprises are increasingly relying on threat detection software (e.g., Intrusion Detection Systems) to allow them to spot suspicious activities. This software generates alerts which must be investigated by cyber analysts to figure out if they are true attacks. Unfortunately, in practice, there are more alerts than cyber analysts can properly investigate. This leads to a “threat alert fatigue” or information overload problem where cyber analysts miss true attack alerts in the noise of false alarms. In this paper, we present NoDoze to combat this challenge using contextual and historical information of generated threat alerts in an enterprise. NoDoze first generates a causal dependency graph of an alert event. Then, it assigns an anomaly score to each event in the dependency graph based on the frequency with which related events have happened before in the enterprise. NoDoze then propagates those scores along the edges of the graph using a novel network diffusion algorithm and generates a subgraph with an aggregate anomaly score which is used to triage alerts. Evaluation on our dataset of 364 threat alerts shows that NoDoze decreases the volume of false alarms by 86%, saving more than 90 hours of analysts’ time, which was required to investigate those false alarms. Furthermore, NoDoze-generated dependency graphs of true alerts are 2 orders of magnitude smaller than those generated by traditional tools without sacrificing the vital information needed for the investigation. Our system has a low average runtime overhead and can be deployed with any threat detection software.
  4. ABSTRACT Cyanobacteria are foundational drivers of global nutrient cycling, with high intracellular iron (Fe) requirements. Fe is found at extremely low concentrations in aquatic systems, however, and the ways in which cyanobacteria take up Fe are largely unknown, especially the initial step in Fe transport across the outer membrane. Here, we identified one TonB protein and four TonB-dependent transporters (TBDTs) of the energy-requiring Fe acquisition system and six porins of the passive diffusion Fe uptake system in the model cyanobacterium Synechocystis sp. strain PCC 6803. The results experimentally demonstrated that TBDTs not only participated in organic ferri-siderophore uptake but also in inorganic free Fe (Fe′) acquisition. 55Fe uptake rate measurements showed that a TBDT quadruple mutant acquired Fe at a lower rate than the wild type and lost nearly all ability to take up ferri-siderophores, indicating that TBDTs are critical for siderophore uptake. However, the mutant retained the ability to take up Fe′ at 42% of the wild-type Fe′ uptake rate, suggesting additional pathways of Fe′ acquisition besides TBDTs, likely by porins. Mutations in four of the six porin-encoding genes produced a low-Fe-sensitive phenotype, while a mutation in all six genes was lethal to cell survival. These diverse outer membrane Fe uptake pathways reflect cyanobacterial evolution and adaptation under a range of Fe regimes across aquatic systems. IMPORTANCE Cyanobacteria are globally important primary producers and contribute about 25% of global CO2 fixation. Low Fe bioavailability in surface waters is thought to limit the primary productivity in as much as 40% of the global ocean. The Fe acquisition strategies that cyanobacteria have evolved to overcome Fe deficiency remain poorly characterized. We experimentally characterized the key players and the cooperative work mode of two Fe uptake pathways, including an active uptake pathway and a passive diffusion pathway in the model cyanobacterium Synechocystis sp. PCC 6803. Our finding proved that cyanobacteria use ferri-siderophore transporters to take up Fe′, and they shed light on the adaptive mechanisms of cyanobacteria to cope with widespread Fe deficiency across aquatic environments.