
Cyber attacks detailed minute-by-minute with Rain monitoring system


A new software system being developed by cyber-security researchers at the Georgia Institute of Technology will be able to accurately pinpoint how intruders enter a network, what data they took and which computer systems were compromised.

Until now, assessing the extent and impact of network or computer system attacks has been largely a time-consuming manual process.

The new software will largely automate that process, providing forensic investigators a detailed record of an intrusion, even if the attackers attempted to cover their tracks.

Known as Refinable Attack INvestigation (Rain), the system records at multiple levels of detail: an investigator can search the coarse, high-level record automatically to identify the specific events of interest, and only for those events is finer-grained data reproduced and analysed.

“You can go back and find out what has gone wrong in your system, not just at the point where you realised that something is wrong, but far enough back to figure out how the attacker got into the system and what has been done,” said Wenke Lee, co-director of Georgia Tech’s Institute for Information Security & Privacy.

Existing forensic techniques can provide detailed information about the current status of computers and networks; from that information, investigators can then attempt to infer how attacks unfolded.

Digital logs maintained by the systems provide some information about attacks, but because of the storage they would consume they usually don't record enough detail. Other programs take snapshots at points in time, but those snapshots may miss important details of an attack that happen between them.

The Rain system continuously monitors a system and logs events that it recognizes as potentially interesting. That ability to selectively record information likely to be useful later allows a trade-off between realistic overhead - in terms of system performance and data storage - and useful levels of detail.

The system “effectively prunes out unrelated processes and determines attack causality with negligible false positive rates,” the authors state in a paper on the project.

In addition to its selectivity in recording events, Rain creates a multi-level review capability that is coarse at first, then more detailed once specific events of interest are identified. The timing of the activities - the inputs, the environment and the resulting actions - is also synchronised, so that investigators can reconstruct a complex sequence of activities in order.
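To show what the coarse level of such an analysis does, here is an added example; it is not Rain's code and not from the Georgia Tech paper. It builds an information-flow graph from a constructed syscall log (the event tuples, the `pid:`/`file:`/`socket:` node names and the intrusion story are all made up for illustration) and performs time-aware backward slicing from a suspicious event, which keeps only the events that could have influenced it and prunes unrelated processes, plus forward slicing from the entry point to list what the intruder's input could have reached. Rain records at syscall granularity and then replays selected events with dynamic instrumentation; this example stops at the coarse graph.

```python
"""Coarse-grained attack causality over a constructed syscall log (added example)."""

# Constructed sample log: (timestamp, pid, syscall, object).
# Hypothetical story: a remote connection to pid 100 leads to a shell (101)
# that reads a private key, drops it in /tmp/.x and spawns curl (102) to send
# it out. pids 200 and 300 are unrelated jobs; 300 reads /tmp/.x only *after*
# the exfiltration, so it is not a cause of it.
EVENTS = [
    (1, 100, "accept", "socket:203.0.113.7:4444"),
    (2, 100, "read", "socket:203.0.113.7:4444"),
    (3, 100, "fork", "pid:101"),
    (4, 101, "exec", "file:/bin/sh"),
    (5, 101, "read", "file:/home/alice/.ssh/id_rsa"),
    (6, 101, "write", "file:/tmp/.x"),
    (7, 200, "read", "file:/etc/hostname"),
    (8, 200, "write", "file:/var/log/cron"),
    (9, 101, "fork", "pid:102"),
    (10, 102, "exec", "file:/usr/bin/curl"),
    (11, 102, "read", "file:/tmp/.x"),
    (12, 102, "write", "socket:198.51.100.9:443"),
    (13, 300, "read", "file:/tmp/.x"),
    (14, 300, "write", "file:/backup/tmp.tar"),
]

# Syscalls that carry data into a process, and ones that carry it out.
INTO_PROCESS = {"read", "recv", "accept", "exec"}
OUT_OF_PROCESS = {"write", "send"}


def build_edges(events):
    """Turn syscall events into directed, timestamped flow edges (t, src, dst, call)."""
    edges = []
    for t, pid, call, obj in events:
        proc = f"pid:{pid}"
        if call in INTO_PROCESS:
            edges.append((t, obj, proc, call))   # object -> process
        elif call in OUT_OF_PROCESS:
            edges.append((t, proc, obj, call))   # process -> object
        elif call == "fork":
            edges.append((t, proc, obj, call))   # parent -> child ("pid:<n>")
        else:
            raise ValueError(f"unhandled syscall {call!r} at t={t}")
    return edges


def backward_slice(edges, sink, at_time):
    """Timestamps of events that could have influenced `sink` before `at_time`.

    Only edges that happen *before* the point at which their target matters are
    followed, so a process that touched an artefact after the sink is pruned.
    """
    explored = {}   # node -> latest time we have already walked back from
    kept = set()
    work = [(sink, at_time)]
    while work:
        node, t = work.pop()
        if explored.get(node, -1) >= t:
            continue    # everything before t was covered by an earlier visit
        explored[node] = t
        for et, src, dst, _ in edges:
            if dst == node and et < t:
                kept.add(et)
                work.append((src, et))
    return kept


def forward_slice(edges, source, at_time):
    """Timestamps of events that data from `source` after `at_time` could reach."""
    explored = {}   # node -> earliest time we have already walked forward from
    kept = set()
    work = [(source, at_time)]
    while work:
        node, t = work.pop()
        if explored.get(node, float("inf")) <= t:
            continue
        explored[node] = t
        for et, src, dst, _ in edges:
            if src == node and et > t:
                kept.add(et)
                work.append((dst, et))
    return kept


def nodes_of(edges, kept):
    """Processes and objects touched by the kept edges."""
    return {n for t, s, d, _ in edges if t in kept for n in (s, d)}


EDGES = build_edges(EVENTS)

if __name__ == "__main__":
    cause = backward_slice(EDGES, "socket:198.51.100.9:443", 13)
    print("events behind the exfiltration:", sorted(cause))
    print("nodes in the attack:", sorted(nodes_of(EDGES, cause)))
    reach = forward_slice(EDGES, "socket:203.0.113.7:4444", 0)
    print("reached from the remote connection:", sorted(nodes_of(EDGES, reach)))
```

The backward slice from the outbound write answers "how did they get in and what did they take" (the remote socket and the key file appear, the cron job and the later backup job do not); the forward slice from the entry socket answers "what else might be affected" and does pull in the backup archive, since the dropped file flowed into it.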

“During the replay of an event, we use binary dynamic instrumentation tools to do the extraction of the appropriate information,” said Taesoo Kim, one of the paper’s co-authors. “We organise information in a hierarchical way, and for each level apply a different type of automated analysis. At the deepest layer, we can tell what happened at the byte level.”

The hierarchical approach allows still more flexibility in how the analysis is done after an attack.

“These fine-grained analyses, which can be extremely useful when investigating an attack, would be too expensive to perform on a deployed system, but our hierarchical approach allows us to run these analyses offline and only when necessary,” said Alessandro Orso, another co-author.

Even with Rain’s selectivity, storing the relevant information requires significant capacity, but the advent of inexpensive storage makes that practical, said Kim.

For instance, an average desktop computer might generate four gigabytes of system data per day, less than two terabytes per year. That amount of storage can now be purchased for as little as £40 per year.

