Article ID: 6883955
Journal: Computers & Security
Published Year: 2018
Pages: 32
File Type: PDF
Abstract
Relationships among events in conventional system and network logs are not explicitly recorded and can only be determined by examining ancillary attributes of the events, such as time stamps and event identifiers, or sometimes the semantics of the event attributes with the help of learning algorithms. The accuracy of the inferred event relations therefore depends on the design of the algorithms, the experience of the users of the algorithms, and the completeness and accuracy of the attributes and their semantics. A flow-net based logging approach, on the other hand, builds comprehensive system and network logs in the form of directed acyclic graphs. Specifically, it records both flows of events and intersections of the flows; the flows capture relations among the events explicitly in real time and allow the events to be tracked and their relations analyzed efficiently. Taking advantage of flow-net based logs, we propose a flow-net based fingerprinting (FNF) scheme to capture system or network behaviors, and design a fingerprint lookup algorithm to solve the fingerprint matching problem, i.e., to determine whether a flow-net log contains the behavior characterized by a given set of behavior fingerprints. To demonstrate the effectiveness of the flow-net based fingerprinting scheme, we conduct evaluation experiments in which we apply FNF to detecting a few known malicious behaviors in TCP/IP networks. The evaluation results demonstrate that FNF has superior computational efficiency to approaches based on conventional logging schemes.
Related Topics: Physical Sciences and Engineering; Computer Science; Computer Networks and Communications