This project uses system logs and alarm information to trace the attacks a host has received. Given the log files and alarm events as input, it reconstructs attack chain diagrams and identifies the attack entry point for further analysis. The project follows the idea of Fang et al. [1]; after reproducing it, the attack path recognition and weight normalization parts were optimized.
Architecture:

- src: source code
- input: log files to be processed
- output: output of the model
- Set up the Python 3 environment and install the dependencies.

```
pip install graphviz
pip install numpy
pip install scikit-learn
```

- Switch to the `src` folder and run the program.

```
cd src
python main.py -n crackhost2 -l ../input/crackhost2.log -e /tmp/john/password_crack.txt -r /tmp/john/password_crack.txt -o ../output -s 124
```
In the input folder there is a sample input file named crackhost2.log, which records both normal system log behavior and a password theft attack over a period of time. The attack chain is illustrated in the following diagram:

Entry point of the attack: 192.168.29.207:55150->192.168.29.145:22

PoI (point of interest) event: /tmp/john/password_crack.txt

| File | Description |
|---|---|
| _path | the identified attack path |
| Final.dot | final compressed attack subgraph |
| BackTrack.dot | dependency graph after back-propagation |
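To make the back-tracking and weight-normalized impact propagation concrete, here is an added, simplified Python illustration; it is not the project's src code and not the authors' implementation. The event list, the node names, the byte-count edge weighting and the socket-based entry-point rule are constructed assumptions, loosely modeled on the crackhost2 scenario above.

```python
# Added, simplified illustration (not the project's code) of backward tracking.
from collections import defaultdict

# Constructed sample audit events: (timestamp, source, sink, bytes); data flows
# source -> sink. Events 1-5 model the password-theft chain, 6-8 are noise.
EVENTS = [
    (1, "192.168.29.207:55150->192.168.29.145:22", "sshd", 4096),
    (2, "sshd", "bash", 512),
    (3, "bash", "john", 256),
    (4, "/etc/shadow", "john", 2048),
    (5, "john", "/tmp/john/password_crack.txt", 1024),
    (6, "cron", "/var/log/syslog", 128),
    (7, "10.0.0.5:443->192.168.29.145:40000", "curl", 8192),
    (8, "curl", "/tmp/update.tar", 8192),
]

def backtrack(events, poi):
    """Edges causally upstream of the PoI: follow incoming edges backward,
    keeping only those older than the edge through which the sink was reached."""
    incoming = defaultdict(list)
    for ts, src, dst, size in events:
        incoming[dst].append((ts, src, size))
    edges, seen, frontier = [], set(), [(poi, float("inf"))]
    while frontier:
        node, before = frontier.pop()
        for ts, src, size in incoming[node]:
            if ts < before and (ts, src, node) not in seen:
                seen.add((ts, src, node))
                edges.append((ts, src, node, size))
                frontier.append((src, ts))
    return sorted(edges)

def propagate_impact(edges, poi):
    """Backward impact: the PoI starts at 1.0 and each sink hands its score to
    its sources in proportion to normalized edge weight (weight = bytes, an
    assumption; the paper combines several features). Newest edges first, so
    a sink already holds the impact it forwarded toward the PoI."""
    total_in = defaultdict(float)
    for _, _, dst, size in edges:
        total_in[dst] += size
    score = defaultdict(float, {poi: 1.0})
    for ts, src, dst, size in sorted(edges, reverse=True):
        score[src] += score[dst] * size / total_in[dst]
    return dict(score)

def entry_points(edges, score):
    """Sources with no upstream edge that are network sockets, highest impact first."""
    sinks = {dst for _, _, dst, _ in edges}
    roots = {src for _, src, _, _ in edges if src not in sinks and "->" in src}
    return sorted(roots, key=lambda n: -score[n])
```

Running `entry_points(sub, propagate_impact(sub, poi))` on `sub = backtrack(EVENTS, poi)` returns the ssh socket as the only candidate, while the unrelated cron and curl activity is pruned before scoring.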
[1] Fang P, Gao P, Liu C, et al. Back-Propagating System Dependency Impact for Attack Investigation. In: 31st USENIX Security Symposium (USENIX Security 22), 2022: 2461-2478.
