
PalanTír: Optimizing Attack Provenance with Hardware-enhanced System Observability, ACM CCS'22

Primary language: C. License: GNU General Public License v3.0 (GPL-3.0).

PalanTír

We present PalanTír, a provenance-based system that enhances system observability to enable precise and scalable attack investigation.

  • J. Zeng*, C. Zhang*, and Z. Liang, PalanTír: Optimizing Attack Provenance with Hardware-enhanced System Observability. Appeared in the 2022 ACM Conference on Computer and Communications Security (CCS'22). Los Angeles, CA, USA. November 7--11, 2022.

Appendix

We refer interested readers to the Appendix for additional information about our paper (e.g., details of the binary operations in our static binary analysis).

System Environment

PalanTír runs on Ubuntu Linux 16.04.6 LTS (64-bit). You should install this distribution before proceeding.

Hardware Requirement: a physical machine with a CPU that supports Intel PT. To check whether your CPU supports Intel PT, please refer to our document.

Installation

Usage

Dataset

To facilitate future research, we have released our experimental datasets in the following link: https://drive.google.com/drive/folders/1UDWzg5jRd1Ngzl5hHFCV1-Ca2M5Sm_Sr

Our evaluation logs can be found under log.

Citation

If you want to use our code and datasets in your research, please cite:

@inproceedings{PalanTir22,
  author    = {Jun Zeng and
               Chuqi Zhang and
               Zhenkai Liang},
  title     = {PalanTir: Optimizing Attack Provenance with Hardware-enhanced System Observability},
  booktitle = {{CCS}},
  year      = {2022}
}