Log refusion: adversarial attacks against the integrity of application logs and defense methods
In attack investigation, log fusion introduces rich semantics from multi-level logs to establish fine-grained causality between system entities, addressing the challenges of dependency explosion and semantic gaps and approaching the actual execution history. However, because it infers complex system states from audit logs of system calls together with application logs of program messages, log fusion-based attack investigation is vulnerable to adversarial attacks, which this paper introduces and refers to as log refusion attacks. It is demonstrated how attackers build on real vulnerabilities to undermine log integrity, bypass existing defenses, break links in provenance, and frame benign users. A new attack investigation design named PROVGUARD (provenance guardian) is then proposed, which models both the program's call control flow and the application's message data flow in order to cross-verify the records in the audit and application logs against each other, ensuring the legitimacy and consistency of the recorded execution. If attackers tamper with provenance data, the inconsistencies are detected, alarms are raised, execution paths are corrected, and accurate root causes and ramifications are recovered. A prototype is implemented on Linux and evaluated on 14 real-world programs covering all execution classes. The method correctly reconstructs attack stories with an average overhead of only 3.62% over traditional audit frameworks, and it reintroduces only 0.78% false dependencies in the worst case, demonstrating its effectiveness and novelty in defending against these attacks.
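The cross-verification idea in the abstract, as an added illustration that is not PROVGUARD's code: audited write() records to the log file are matched against the lines found in the application log (consistency), and the matched messages are checked against a simple control-flow rule (a transfer message may only follow a login in the same process) and a data-flow rule (the transfer's user must equal that process's login user). The log path, message templates, process ids and every record are constructed for the example.

```python
import re
from collections import defaultdict
LOG = "/var/log/app.log"
# Constructed audit records (pid, syscall, path, bytes written); not real data.
AUDIT = [
    (4242, "write", LOG, "INFO login user=alice src=10.0.0.5\n"),
    (4242, "write", LOG, "INFO transfer user=alice amount=40\n"),
    (4242, "write", LOG, "INFO transfer user=bob amount=75\n"),     # wrong session user
    (9001, "write", LOG, "INFO login user=bob src=10.0.0.9\n"),
    (9001, "write", LOG, "INFO transfer user=bob amount=15\n"),     # later removed from the file
    (7777, "write", LOG, "INFO transfer user=carol amount=900\n"),  # transfer with no login
]
# Constructed application log as found on disk: one line dropped, one line injected.
APP_LOG = [
    "INFO login user=alice src=10.0.0.5",
    "INFO transfer user=alice amount=40",
    "INFO transfer user=bob amount=75",
    "INFO login user=bob src=10.0.0.9",
    "INFO transfer user=carol amount=900",
    "INFO login user=eve src=10.0.0.7",  # no audited write produced this line
]
# Message template (constructed): the kind of event and the user field it carries.
MSG = re.compile(r"^INFO (?P<kind>login|transfer) user=(?P<user>\w+) \S+$")

def verify(audit, app_log, log_path=LOG):
    findings = []
    written = [(pid, data.rstrip("\n")) for pid, sc, path, data in audit
               if sc == "write" and path == log_path]
    # Consistency: each line on disk needs an audited write, and each audited write a line.
    unmatched = defaultdict(int)
    for _, line in written:
        unmatched[line] += 1
    for line in app_log:
        if unmatched[line] > 0:
            unmatched[line] -= 1
        else:
            findings.append(f"injected: {line!r} has no audited write")
    findings += [f"deleted: audited write {l!r} absent from file" for l, n in unmatched.items() if n]
    # Legitimacy: control flow (transfer only after login) and data flow (same user) per process.
    user = {}
    for pid, line in written:
        m = MSG.match(line)
        if not m:
            findings.append(f"pid {pid}: message {line!r} matches no known template")
        elif m["kind"] == "login":
            user[pid] = m["user"]
        elif pid not in user:
            findings.append(f"pid {pid}: transfer without prior login")
        elif user[pid] != m["user"]:
            findings.append(f"pid {pid}: transfer for {m['user']} but session user is {user[pid]}")
    return findings
```

Running `verify(AUDIT, APP_LOG)` reports the injected line, the deleted write, the login-less transfer by pid 7777 and the user mismatch in pid 4242, while an untampered prefix of the same records yields no findings.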