SLEUTH: Automated Attack Scenario Reconstruction from COTS Audit Data
Md Nahid Hossain, Sadegh M. Milajerdi, Junao Wang, Birhanu Eshete, Rigel Gjomemo, R. Sekar, Scott D. Stoller, and V.N. Venkatakrishnan

We present an approach and system aimed at real-time reconstruction of attack scenarios on an enterprise host. To meet the scalability and real-time requirements of the problem, we develop a platform-neutral, main-memory-based dependency-graph abstraction of audit-log data, together with efficient tag-based analysis procedures for detecting attacks. We also develop methods that reveal the big picture of an attack by reconstructing compact, visual graphs of attack steps, which a security analyst can use to understand the scope and impact of the attack. Our system was evaluated in a government-agency-led red team evaluation in which attacks were conducted on Windows, FreeBSD and Linux hosts over a two-week period; our system successfully detected and reconstructed the details of these attacks.
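As an added illustration (not code from the SLEUTH paper or its authors), the following Python sketch shows the two ideas the abstract names: tags propagated along a dependency graph built from audit records, with detection policies evaluated as tags flow, and a backward traversal from an alert that yields a compact graph of the attack steps. The audit records are constructed, and the tag lattices (a trustworthiness tag and a confidentiality tag), the propagation rules, the two policies and all process, file and socket names are simplifying assumptions of this example rather than details taken from the page.

```python
"""Tag propagation over an audit-log dependency graph (illustrative sketch,
not the SLEUTH implementation). All records below are constructed."""
from collections import deque
from dataclasses import dataclass, field

# Assumed trustworthiness lattice: lower value = less trusted.
BENIGN_AUTH, BENIGN, UNKNOWN = 2, 1, 0
# Assumed confidentiality lattice: higher value = more sensitive.
PUBLIC, PRIVATE, SENSITIVE, SECRET = 0, 1, 2, 3


@dataclass
class Node:
    name: str
    kind: str                       # "proc", "file" or "socket"
    trust: int = BENIGN_AUTH
    conf: int = PUBLIC
    parents: set = field(default_factory=set)   # nodes this one got data/code from


class DepGraph:
    def __init__(self):
        self.nodes = {}
        self.alerts = []            # (policy, subject, object)

    def add(self, name, kind, trust=BENIGN_AUTH, conf=PUBLIC):
        self.nodes.setdefault(name, Node(name, kind, trust, conf))

    def read(self, subj, obj):
        """Subject reads object: it inherits the lower trust and higher confidentiality."""
        s, o = self.nodes[subj], self.nodes[obj]
        s.trust, s.conf = min(s.trust, o.trust), max(s.conf, o.conf)
        s.parents.add(obj)

    def write(self, subj, obj):
        """Subject writes object: object inherits the subject's tags; policy check first."""
        s, o = self.nodes[subj], self.nodes[obj]
        if o.kind == "socket" and s.conf >= SENSITIVE:      # assumed leak policy
            self.alerts.append(("exfiltration", subj, obj))
        o.trust, o.conf = min(o.trust, s.trust), max(o.conf, s.conf)
        o.parents.add(subj)

    def exec(self, parent, image, child):
        """Parent executes image as a new process; flag execution of untrusted code."""
        p, i = self.nodes[parent], self.nodes[image]
        if i.trust == UNKNOWN:                              # assumed policy
            self.alerts.append(("untrusted_exec", child, image))
        self.add(child, "proc", min(p.trust, i.trust), p.conf)
        self.nodes[child].parents.update({parent, image})


def replay(graph, events):
    """Apply audit events in order; each event is ("read"|"write"|"exec", ...)."""
    for ev in events:
        getattr(graph, ev[0])(*ev[1:])
    return graph


def reconstruct(graph, start):
    """Walk dependency edges backwards from an alerted node; return (nodes, edges)."""
    seen, edges, queue = {start}, set(), deque([start])
    while queue:
        cur = queue.popleft()
        for parent in graph.nodes[cur].parents:
            edges.add((parent, cur))
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen, edges


def run_demo():
    """Constructed scenario: browser downloads and runs a file that reads a secret and sends it out."""
    g = DepGraph()
    g.add("net:evil.example", "socket", trust=UNKNOWN)       # external peer: untrusted
    g.add("firefox", "proc")
    g.add("/tmp/dropper", "file")
    g.add("/etc/shadow", "file", conf=SECRET)
    g.add("sshd", "proc")                                    # unrelated benign activity
    g.add("/etc/ssh/sshd_config", "file")
    g.add("/var/log/auth.log", "file")
    events = [
        ("read", "firefox", "net:evil.example"),
        ("write", "firefox", "/tmp/dropper"),
        ("exec", "firefox", "/tmp/dropper", "dropper"),
        ("read", "dropper", "/etc/shadow"),
        ("write", "dropper", "net:evil.example"),
        ("read", "sshd", "/etc/ssh/sshd_config"),
        ("write", "sshd", "/var/log/auth.log"),
    ]
    replay(g, events)
    # Reconstruct the scenario from the subject of the last alert.
    scenario_nodes, scenario_edges = reconstruct(g, g.alerts[-1][1])
    return g.alerts, scenario_nodes, scenario_edges


if __name__ == "__main__":
    alerts, nodes, edges = run_demo()
    print("alerts:", alerts)
    print("scenario nodes:", sorted(nodes))
    for parent, child in sorted(edges):            # edge list a graph viewer could render
        print(f'  "{parent}" -> "{child}"')
```

The benign `sshd` records never enter the reconstructed subgraph because no dependency path leads from them to the alerted process; that pruning is what keeps the analyst-facing graph compact even when the full dependency graph holds every event on the host.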