TRACE: Preventing Advanced Persistent Threat Cyberattacks | SRI International

SRI is developing an advanced system that would help quickly detect APTs and other increasingly sophisticated attacks.

Advanced persistent threats (APTs) are responsible for some of the most costly and prolonged cyberattacks in history. SRI leads a collaborative effort to create an innovative system that will expose APTs in computer networks. The technology could eventually be used for other applications such as program debugging, privacy leakage analysis and scientific data curation.

APTs quietly access networks at vulnerable points, then “hide out” within the system while stealing information or funds. SRI is working with partner institutions Purdue University, University of Wisconsin and University of Georgia to develop TRacking and Analysis of Causality at Enterprise level (TRACE), a highly scalable, distributed and programmable tracking and data collection system.

TRACE is being funded by a $5.3 million award from the Defense Advanced Research Projects Agency’s (DARPA) transparent computing (TC) initiative, which aims to make opaque computing systems more transparent. TRACE is built on the foundations of prior work from SRI on provenance tracking, Purdue and Georgia’s research on fine-grained information-flow tracking, and Wisconsin’s QuickLog storage system for fast query processing.

How It Works

APTs and other cyberattacks continue to become more targeted and stealthy, yet most computing systems offer only minimal visibility into their inner workings. This provides countless places for malicious attacks to take cover and do damage without being detected for months or even years.

TRACE will make enterprise networks more transparent by holistically combining new host-level tracking techniques and a proven enterprise-wide tracking system. It will efficiently tag and track two key elements of a system’s data:

  1. Provenance: the origins and history of a piece of data
  2. Causality: how data propagates from one entity to another

Just as the origins and history of a painting are used to establish its authenticity, TRACE uses data provenance and causality information to verify data’s legitimacy. Advanced instrumentation captures provenance information at the host level to see how data propagates from one entity to another, then provides pervasive tracking to interpret causal relationships. 

Armed with fine-grained provenance and causality information, TRACE can automatically or semi-automatically “connect the dots” across multiple activities that may seem individually legitimate but collectively signal malice or abnormal behavior.
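The idea of connecting individually legitimate events through provenance and causality can be shown with a small backward trace over audit events. This is an added, generic illustration, not TRACE's code or data model; the event tuple format, process names, paths and addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed audit events: (time, subject, operation, object).
# Each one looks routine on its own.
EVENTS = [
    (1, "proc:browser", "recv", "net:203.0.113.7:443"),
    (2, "proc:browser", "write", "file:/tmp/report.pdf"),
    (3, "proc:viewer", "read", "file:/tmp/report.pdf"),
    (4, "proc:viewer", "fork", "proc:helper"),
    (5, "proc:helper", "read", "file:/home/u/payroll.xlsx"),
    (6, "proc:helper", "send", "net:198.51.100.9:8080"),
    (7, "proc:backup", "read", "file:/home/u/payroll.xlsx"),
    (8, "proc:helper", "read", "file:/etc/hosts"),
]

# For these operations data flows from the object into the subject;
# for all others (write, send, fork) it flows subject -> object.
INBOUND = {"read", "recv"}


def build_incoming(events):
    """Map each node to the (time, source) edges that flow into it."""
    incoming = defaultdict(list)
    for t, subj, op, obj in events:
        src, dst = (obj, subj) if op in INBOUND else (subj, obj)
        incoming[dst].append((t, src))
    return incoming


def backward_trace(events, target, at_time):
    """Return every entity that could have influenced `target` by `at_time`.

    An edge is causal only if it happened no later than the effect it is
    supposed to explain, so later events are excluded from the ancestry.
    """
    incoming = build_incoming(events)
    latest = {target: at_time}  # latest moment at which a node's state matters
    stack = [(target, at_time)]
    while stack:
        node, limit = stack.pop()
        for t, src in incoming[node]:
            if t <= limit and latest.get(src, -1) < t:
                latest[src] = t
                stack.append((src, t))
    return set(latest) - {target}


if __name__ == "__main__":
    for node in sorted(backward_trace(EVENTS, "net:198.51.100.9:8080", 6)):
        print(node)
```

Tracing back from the outbound connection at time 6 links it to the payroll file and, through the viewer and the downloaded document, to the original inbound connection, while the later `/etc/hosts` read and the unrelated backup process stay out of the result.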

TRACE also features a programmable causality plane (PCP) that will make TRACE easier to integrate with existing systems and significantly more scalable than current solutions. Enterprise networks typically consist of numerous subsystems that are highly impractical to configure individually. The PCP allows administrators to specify enterprise-wide policies that define what to track and how to track it.

Benefits of the TRACE Approach

Comparable technologies today force enterprises to choose between data accuracy and system performance. TRACE’s advanced, high-performance tracking technologies provide high-accuracy data without sacrificing speed. Core benefits include:

Ability to track complex information flows: Efficient and accurate provenance tracking can be specified at various granularities.
Scalability and runtime efficiency: Host-level tagging and tracking should incur significantly lower overhead than current state-of-the-art solutions.
Security-focused data analysis: TRACE provides scalable data collection with complete system coverage.

TRACE’s holistic approach will enable timely and efficient APT detection, forensics and mitigation, but it is not specific to APT strategies. With its ability to determine cause-and-effect relationships across the enterprise, TRACE can be an effective tool against evolving cyberattacks in the future.

This material is based upon work supported by the United States Air Force and the Defense Advanced Research Projects Agency under Contract No. FA8650-15-C-7562. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Air Force or DARPA.