System auditing is a vital technique for collecting system call events as system provenance and investigating complex multi-step attacks such as Advanced Persistent Threats. However, existing attack investigation methods struggle to uncover long attack sequences due to the massive volume of system provenance data and their inability to focus on attack-relevant parts. In this paper, we present Raptor, a defense system that enables human analysts to effectively analyze large-scale system provenance to reveal multi-step attack sequences. Raptor introduces an expressive domain-specific language, ProvQL, that offers essential primitives for various types of attack analyses (e.g., attack pattern search, attack dependency tracking) with user-defined constraints, enabling analysts to focus on attack-relevant parts and iteratively sift through the large provenance data. Moreover, Raptor provides an optimized execution engine for efficient language execution. Our extensive evaluations on a wide range of attack scenarios demonstrate the practical effectiveness of Raptor in facilitating timely attack investigation.
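As an added illustration, not the paper's ProvQL syntax or Raptor's execution engine, the following Python sketch shows what an "attack dependency tracking" primitive with a user-defined constraint computes: backward causal tracking over a provenance graph built from system-call events, where a time constraint and an analyst-supplied predicate prune attack-irrelevant edges. Every node name, event and timestamp below is constructed sample data.

```python
from collections import namedtuple, deque

# One provenance edge derived from a system-call event: information flows
# from src to dst (process -> file on write, file -> process on read, ...).
Event = namedtuple("Event", "src dst op ts")

def backward_track(events, poi, poi_ts, keep=lambda e: True):
    """Backward dependency tracking from a point of interest (POI).

    Starting at node `poi` as observed at time `poi_ts`, repeatedly collect
    events flowing INTO the current node that happened no later than the time
    the node was reached (later events cannot have influenced it). `keep` is
    the user-defined constraint that drops edges the analyst considers noise.
    Returns the set of causally preceding events.
    """
    by_dst = {}
    for e in events:
        by_dst.setdefault(e.dst, []).append(e)
    result, visited = set(), {}          # visited: node -> latest ts explored
    frontier = deque([(poi, poi_ts)])
    while frontier:
        node, t = frontier.popleft()
        if visited.get(node, -1) >= t:   # already explored with a looser bound
            continue
        visited[node] = t
        for e in by_dst.get(node, []):
            if e.ts <= t and keep(e):
                result.add(e)
                frontier.append((e.src, e.ts))
    return result

# Constructed provenance log: a download-and-exfiltrate sequence plus noise.
EVENTS = [
    Event("10.0.0.5:443", "bash[101]", "recv", 1),
    Event("bash[101]", "/tmp/dropper.sh", "write", 2),
    Event("/tmp/dropper.sh", "sh[102]", "execve", 3),
    Event("/etc/passwd", "sh[102]", "read", 4),
    Event("/usr/lib/libc.so", "sh[102]", "read", 4),     # benign library read
    Event("sh[102]", "/tmp/stage.tar", "write", 5),
    Event("/tmp/stage.tar", "curl[103]", "read", 6),
    Event("curl[103]", "203.0.113.9:80", "send", 7),     # POI: outbound transfer
    Event("/home/u/notes.txt", "sh[102]", "read", 8),    # too late to matter
    Event("sh[102]", "/var/log/cron.log", "write", 9),   # not on any path
]

def investigate(keep=lambda e: True):
    """Track back from the suspicious outbound send at ts=7."""
    return backward_track(EVENTS, "203.0.113.9:80", 7, keep)
```

Calling `investigate()` returns the eight events on the causal chain; adding the constraint `lambda e: not e.src.startswith("/usr/lib")` removes the library read, leaving seven.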