We present PalanTír, a provenance-based system that enhances system observability to enable precise and scalable attack investigation.
- J. Zeng*, C. Zhang*, and Z. Liang, PalanTír: Optimizing Attack Provenance with Hardware-enhanced System Observability. Appeared in the 2022 ACM Conference on Computer and Communication Security (CCS'22). Los Angeles, CA, USA. November 7--11, 2022.
We refer interested readers to Appendix for additional information to our paper (e.g., details of the binary operation in our static binary analysis).
PalanTir runs on the 16.04.6 LTS Ubuntu Linux 64-bit distribution. You should install this distro before proceeding.
Hardware Requirement: A physical machine with an Intel PT supported CPU. To know whether your current CPU supports Intel PT, please refer to our document.
To facilitate future research, we have released our experimental datasets in the following link: https://drive.google.com/drive/folders/1UDWzg5jRd1Ngzl5hHFCV1-Ca2M5Sm_Sr
Our evaluation logs can be found under log.
If you want to use our codes and datasets in your research, please cite:
@inproceedings{PalanTir22,
author = {Jun Zeng and
Chuqi Zhang and
Zhenkai Liang},
title = {PalanTir: Optimizing Attack Provenance with Hardware-enhanced System Observability},
booktitle = {{CCS}},
year = {2022}
}