RTAG, a new tool created by School of Computer Science researchers, makes investigating cyberattacks across multiple computers on a network more efficient by reducing attack analysis times by as much as 90 percent.
Many cyberattacks are investigated using dynamic taint analysis. This approach monitors how data flows through a system by labeling inputs and tracking them as the software processes them. Yet taint analysis normally uses considerable time and memory, making it a slow and expensive method. It also can track on only one computer (or host) in the network, making a large-scale attack hard to follow.
RTAG, however, makes the attack analysis independent, so each investigation can be performed in parallel. It also distributes tags according to the size of the problem, optimizing memory.
RTAG deploys three methods to make investigations more efficient:
1. Record-replay separates dynamic taint analysis from execution runtime, which allows the system to work more efficiently. Because the analysis and resolving tag processes are not entirely synchronized, they can be performed in parallel.
2. Syscall-level provenance simplifies the workload of dynamic taint analysis. It also advises tag allocation in a more efficient way.
3. Embedded tags allow the tag to move from one host to another, enabling the investigation to take place on more than one computer and shorten the workload.
“RTAG is an important cornerstone technique for enabling practical investigation on multi-host attacks, which are more prevalent these days,” said Ph.D. student Yang Ji.
RTAG decreases memory consumption by up to 90 percent and reduces overall analysis time by 60 to 90 percent compared to previous investigation systems.
RTAG is part of a $4.5 million Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) project called THEIA. The objective is to improve how data is tracked between computers, internet hosts, and browsers for optimized cybersecurity.
The researchers presented this result at USENIX in the paper Enabling Refinable Cross-Host Attack Investigation with Efficient Data Flow Tagging and Tracking by SCS Ph.D. students Ji, Mattia Fazzini, Joey Allen, and Evan Downing; postdoctoral fellow Sangho Lee; and Assistant Professor Taesoo Kim, Professor Alessandro Orso, and Professor Wenke Lee.