Automated Provenance Analytics: A Regular Grammar Based Approach with Applications in Security ∗

Mark Lemay, Boston University, [email protected]
Wajih Ul Hassan, University of Illinois at Urbana-Champaign, [email protected]
Thomas Moyer, Nabil Schear, Warren Smith, MIT Lincoln Laboratory, {tmoyer,nabil,warren.smith}@ll.mit.edu

TaPP 2017, June 22-23, 2017, Seattle, Washington. Copyright remains with the owner/author(s). Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page.

Abstract

Provenance collection techniques have been carefully studied in the literature, and there are now several systems to automatically capture provenance data. However, the analysis of provenance data is often left “as an exercise for the reader”. The provenance community needs tools that allow users to quickly sort through large volumes of provenance data and identify records that require further investigation. By detecting anomalies in provenance data that deviate from established patterns, we hope to actively thwart security threats. In this paper, we discuss issues with current graph analysis techniques as applied to data provenance, particularly Frequent Subgraph Mining (FSM). Then we introduce Directed Acyclic Graph regular grammars (DAGr) as a model for provenance data and show how they can detect anomalies. These DAGr provide an expressive characterization of DAGs, and by using regular grammars as a formalism, we can apply results from formal language theory to learn the difference between “good” and “bad” provenance. We propose a restricted subclass of DAGr called deterministic Directed Acyclic Graph automata (dDAGa) that guarantees parsing in linear time. Finally, we propose a learning algorithm for dDAGa, inspired by Minimum Description Length for Grammar Induction [1].

∗ DISTRIBUTION STATEMENT A. Approved for public release: distribution unlimited. This material is based, in part, upon work supported by the Assistant Secretary of Defense for Research and Engineering under Air Force Contract No. FA8721-05-C-0002 and/or FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Assistant Secretary of Defense for Research and Engineering.

1. Introduction

Conventional security wisdom assumes that the best way to secure a system is to build high, strong walls to keep attackers out of the system entirely. However, attackers continually breach these walls, gaining access to sensitive data and control over sensitive systems. Until these boundary defenses are sufficient, techniques will be needed to detect intrusions.

Data provenance provides a detailed history of the ownership and processing of data. Provenance supports a wide range of applications, from network troubleshooting [22, 23] and forensic analysis of attacks [18] to intrusion detection [16, 17] and secure auditing [6, 13]. In each case, the developers built analytic frameworks tailored for the system in question and targeting specific types of attacks. Unfortunately these “hand-crafted” analytics techniques do not scale [12], and we need a general solution that can be applied to any system. Fortunately, data provenance is commonly represented using Directed Acyclic Graphs (DAGs) [20]. By viewing provenance as DAGs we can simplify provenance analysis to DAG analysis.

For any significant attack, the provenance DAG should be different from the provenance DAGs of normal execution. If we can differentiate normal graphs from bad graphs, we could sort through the noise of benign behavior and identify anomalies that require troubleshooting and remediation. This strategy would make attack provenance analytics easier, general, and scalable.

In this paper, we propose a general purpose DAG analysis that extends regular grammars to DAGs. Like regular expressions, we expect these to be a general purpose tool to analyse DAGs in general and provenance DAGs specifically. We will focus our examples and analysis on a security scenario that aims to identify when a given graph differs from known good graphs, with the end goal of identifying those provenance graphs that require further analysis. First we explore existing graph analysis techniques, particularly Frequent Subgraph Mining (FSM), to analyze provenance graphs. There are several deficiencies with FSM in the context of provenance DAGs that we will illustrate. Then we will present two new DAG modeling frameworks inspired by existing work in graph grammars, (string) regular grammars, and finite state automata. These frameworks do not suffer from the problems of FSM.

We are not the first to explore general purpose analytics for data provenance. The PLUS system proposes the use of statistical properties of graphs as a rough filtering mechanism [4]. Several query languages have been proposed, including OPQL [19] and Datalog [11]. Our system is unique in that it is both automatic and can learn causal relationships between nodes.

The main contributions of this paper are as follows:

• The definition of DAGr that provides a simple model of DAGs analogous to regular string grammars.
• A proof that characterizing graphs with DAGr is NP-hard in general.
• Defining a strict subset of DAGr called dDAGa, where characterizing graphs takes linear time in the size of the graph.
• A framework for learning dDAGa from examples.

The rest of this paper is structured as follows: we first review the background on different graph learning techniques in § 2. In § 4, we give motivating examples for our grammatical approach. In subsection 6.4 and § 7 we discuss our approach for general purpose analytics. In § 8 we give some rough preliminary results. Finally, we propose future directions for our work in § 9 before concluding in § 10.

2. Background

2.1 Frequent Subgraph Mining

There has been a large amount of research into general graph analytics [2, 3, 8]. Since provenance data is represented as a DAG, we had hoped existing graph analytics techniques would help us develop the analytics framework we wanted. Unfortunately little of it seems applicable to data provenance and DAG analysis more generally.

The most relevant existing techniques for graph analysis are in the field of Frequent Subgraph Mining (FSM). FSM is generally hard (the problem of subgraph isomorphism alone is NP-complete). However, there are many algorithms that mitigate this difficulty with different assumptions and heuristics [14]. Of particular interest is Chen et al.’s algorithm that efficiently finds frequent rooted DAGs [7]. Fundamentally, FSM algorithms target noisy graphs and recognize a small amount of structure within them. We argue that highly structured DAGs (such as provenance graphs) are better modeled with simpler, more precise models.

Another strain of research is centered around the Subdue system [15]. Subdue leverages graph grammars to find FSM in general graphs. Subdue also uses the MDL principle

2.2 Grammars and Automata

Grammars and automata provide a guide for how interesting and precise properties of graphs can be modeled. By reframing the question of graph characterization to one of graph grammar parsing, we can leverage the extensive literature on grammars and automata. Since graph grammars should degenerate into (string) grammars, classic string algorithms provide best case scenarios, and an intractable string problem will certainly be intractable when extended to graphs. Equivalences to automata and other mathematical structures are well studied. The learning problem for (string) grammars is also well studied [9, 10, 21], and there are well known limits on what can be learned.

Regular (string) grammars are the simplest languages in the Chomsky Hierarchy and are perhaps the most studied grammar in this heavily studied field. Regular grammars are famously equivalent to Nondeterministic Finite State Automata (NFA), which are in turn equivalent to Deterministic Finite State Automata (DFA). Because of this equivalence, regular grammars can be parsed in linear time. There exists a standard framework for different DFA learning tasks: algorithms share a standard preprocessing step, state merging procedure, and search strategies. For the sake of simplicity and tractability, we limit the discussion in this paper to regular grammars.

For our security analysis we assume there are many examples of “good” provenance data for the target system. Hopefully we will have few, if any, examples of attack provenance data. This corresponds to the case of grammar learning with only positive examples. The textbook algorithm for this case is Adriaans and Jacobs’s Minimum Description Length DFA learning algorithm [1]. Their algorithm makes use of the standard grammar learning framework, which we will generalize to DAGs. Researchers that hope to characterize DAGs under different assumptions can use our generalizations and apply them to the appropriate algorithms in the DFA literature.

2.3 Graph Grammars and Automata

We are not the first to advocate for the use of grammars and automata to characterize graphs. Regular tree grammars are well studied and have very nice properties. Like regular (string) grammars, there exist variants of DFAs that are equivalently expressive to regular tree grammars. This means parsing can be performed linearly in the size of the tree. With a little ingenuity, DFA learning techniques can be applied to these tree DFAs. Babić et al. have even applied these in a system security context [5]. Babić et al.’s work differs from ours in precision and scope; they attempted to learn malicious tree structures from positive and negative examples in general. We attempt to characterize specific programs from their provenance DAGs and report any structural deviation.
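To make the linear-time parsing idea behind dDAGa concrete, here is an added example, not code from the paper: a simplified deterministic bottom-up DAG acceptor of our own construction (this excerpt does not give the paper's dDAGa definition), which assigns each node one state from its label and the set of its parents' states in a single topological pass, and uses it to flag a constructed provenance graph whose structure deviates from a constructed "web server" model. The model, node labels and graphs are all assumptions.

```python
from collections import deque
# Simplified deterministic bottom-up DAG acceptor (our own construction, not the
# paper's dDAGa): a node's state is fixed by its label and the SET of its parents'
# states, so a parse is one topological pass, O(|V| + |E|) dictionary operations.
class DagAcceptor:
    def __init__(self, delta, accepting):
        self.delta = delta          # (label, frozenset of parent states) -> state
        self.accepting = accepting  # states in which a sink node may end
    def parse(self, nodes, edges):
        """nodes: {id: label}; edges: [(src, dst)], data flows src -> dst."""
        indeg, succ = {n: 0 for n in nodes}, {n: [] for n in nodes}
        parents, state, seen = {n: set() for n in nodes}, {}, 0
        for s, d in edges:
            succ[s].append(d)
            indeg[d] += 1
        ready = deque(n for n in nodes if indeg[n] == 0)
        while ready:                  # Kahn's algorithm: topological order
            n = ready.popleft()
            seen += 1
            key = (nodes[n], frozenset(parents[n]))
            if key not in self.delta: # structure the model never saw
                return False, f"no transition for {n!r} ({nodes[n]!r})"
            state[n] = self.delta[key]
            for d in succ[n]:
                parents[d].add(state[n])
                indeg[d] -= 1
                if indeg[d] == 0:
                    ready.append(d)
        if seen != len(nodes):
            return False, "graph contains a cycle"
        for n in nodes:
            if not succ[n] and state[n] not in self.accepting:
                return False, f"sink {n!r} ends in state {state[n]!r}"
        return True, "accepted"

# Hand-written model of a constructed web-server workload (no real system data):
# configuration files flow into the server process, which writes log files only.
MODEL = DagAcceptor(
    delta={("file", frozenset()): "input",             # file nothing flows into
           ("proc", frozenset({"input"})): "server",   # process fed only by inputs
           ("file", frozenset({"server"})): "output"}, # file the server writes
    accepting={"output"})

GOOD = ({"cfg": "file", "tls": "file", "httpd": "proc", "log": "file"},
        [("cfg", "httpd"), ("tls", "httpd"), ("httpd", "log")])
BAD = ({"cfg": "file", "httpd": "proc", "sh": "proc", "out": "file"},
       [("cfg", "httpd"), ("httpd", "sh"), ("sh", "out")])  # server spawns a shell

def is_normal(graph):
    return MODEL.parse(*graph)[0]
```

The set abstraction over parent states is what keeps the transition table finite for nodes of unbounded in-degree, which is why GOOD is accepted even though the model was written with a single input file in mind.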
