From the system investigator who needs to analyze an intrusion (“how did the intruder break in?”), to the forensic expert who needs to investigate digital crimes (“did the suspect commit the crime?”), security experts frequently have to answer questions about the cause-effect relationships between the various events that occur in a computer system. The implications of using causality determination techniques with a low accuracy vary from slowing down incident response to undermining the evidence unearthed by forensic experts.
This dissertation presents research done in two areas: (1) We present an empirical study evaluating the accuracy and performance overhead of existing causality determination techniques. Our study shows that existing causality determination techniques are either accurate or efficient, but seldom both. (2) We propose a novel approach to causality determination based on coarse-grained observation of control-flow of program execution. Our evaluation shows that our approach is both practical in terms of low runtime overhead and accurate in terms of low false positives and false negatives.