High Accuracy Attack Provenance Via Binary-Based Execution Partition
An important aspect of cyber attack forensics is understanding the provenance of suspicious events, as it discloses the root cause and ramifications of cyber attacks. Traditionally, this is done by analyzing audit logs. However, long-running programs are a problem: a live process receives a large volume of inputs and produces many outputs, and in the audit log each output may be causally related to every preceding input. This leads to dependence explosion and makes attack investigation almost infeasible. The authors observe that a long-running execution can be partitioned into individual units by monitoring the execution of the program's event-handling loops, with each loop iteration corresponding to the processing of an independent input/request.
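The following added example (not the paper's code) illustrates the dependence explosion described above and how loop-iteration units shrink it. It assumes a constructed audit log in which each record already carries the event-loop iteration (unit) it occurred in; a backward query for one suspicious output file is answered once without and once with that unit information.

```python
"""Added illustration of unit-partitioned provenance (not the paper's code).

Each Event is a constructed audit record for a single long-running server
process: a timestamp, the event-loop iteration (unit) the syscall belongs to,
the operation, and the resource touched.  The unit field is assumed to have
been recorded at logging time by instrumenting the loop boundary.
"""
from collections import namedtuple

Event = namedtuple("Event", "ts unit op resource")

# Constructed log: the server handles three independent requests in sequence.
LOG = [
    Event(1, 1, "read",  "socket:clientA"),
    Event(2, 1, "write", "/var/www/a.html"),
    Event(3, 2, "read",  "socket:clientB"),
    Event(4, 2, "write", "/tmp/b.out"),
    Event(5, 3, "read",  "socket:clientC"),
    Event(6, 3, "write", "/tmp/suspicious.sh"),
]


def backward_provenance(log, output, partitioned=True):
    """Return the set of input resources that the given output may depend on.

    Without partitioning, the whole process is one unit, so every read that
    precedes the write is a potential cause (dependence explosion).  With
    partitioning, only reads in the same loop iteration are candidates.
    """
    writes = [e for e in log if e.op == "write" and e.resource == output]
    if not writes:
        return set()
    sink = writes[-1]                      # latest write to the output
    deps = set()
    for e in log:
        if e.op != "read" or e.ts > sink.ts:
            continue                       # only earlier reads can be causes
        if not partitioned or e.unit == sink.unit:
            deps.add(e.resource)
    return deps


if __name__ == "__main__":
    target = "/tmp/suspicious.sh"
    print("unpartitioned:", sorted(backward_provenance(LOG, target, False)))
    print("partitioned:  ", sorted(backward_provenance(LOG, target, True)))
```

The unpartitioned query blames all three client sockets for the suspicious file; the partitioned query narrows it to the single request whose loop iteration produced it.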