NDSS2020

UIScope: Accurate, Instrumentation-free, and Visible Attack Investigation for GUI Applications

Runqing Yang, Shiqing Ma, Haitao Xu, Xiangyu Zhang, Yan Chen

Abstract

Existing attack investigation solutions for GUI applications suffer from a few limitations, such as inaccuracy (because of the dependence explosion problem), the need for instrumentation, and very low visibility. Such limitations have hindered their widespread and practical deployment. In this paper, we present UIScope, a novel accurate, instrumentation-free, and visible attack investigation system for GUI applications. The core idea of UIScope is to perform causality analysis on both UI elements/events, which represent the user's perspective, and low-level system events, which provide detailed information about what happens under the hood, and then to correlate system events with UI events to provide high accuracy and visibility. Long-running processes are partitioned into individual UI transitions, to which low-level system events are attributed, making the results accurate. The produced graphs contain (causally related) UI elements with which users are very familiar, making them easily accessible. We deployed UIScope on 7 machines for a week, and also used UIScope to investigate 6 real-world attacks. Our evaluation shows that, compared to existing works, UIScope introduces negligible overhead (less than 1% runtime overhead and 3.05 MB of event logs per hour on average), while precisely identifying attack provenance and offering users thorough visibility into the attack context.
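The partitioning-and-attribution idea in the abstract, as an added illustration that is not the paper's code and does not reproduce UIScope's actual event format or algorithm. It assumes constructed UI and system event logs (a browser, pid 100, that visits a page, downloads a file and opens it; the downloaded program, pid 200, then connects out), a simplified attribution rule (each system event belongs to the latest preceding UI event of the same process; a spawned child with no GUI of its own inherits the unit of the exec that created it), and a minimal read/write/connect/exec dependency graph. Running a backward trace from the suspicious connection under process-level attribution versus UI-transition attribution shows the dependence explosion the abstract refers to: the process-level graph drags in everything the browser did, while the partitioned graph returns only the two UI transitions that actually led to the connection.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UIEvent:
    ts: float      # seconds; constructed timestamps
    pid: int       # process that owns the GUI window
    element: str   # UI element the user interacted with


@dataclass(frozen=True)
class SysEvent:
    ts: float
    pid: int
    op: str        # "read" | "write" | "connect" | "exec"
    obj: str       # file path, "ip:port", or "pid:N" for a spawned child


# Constructed sample logs (assumed schema, not the paper's event format).
UI_LOG = [
    UIEvent(1.0, 100, "Address bar"),
    UIEvent(5.0, 100, "Download button"),
    UIEvent(9.0, 100, "Open file dialog"),
]
SYS_LOG = [
    SysEvent(1.2, 100, "connect", "198.51.100.20:443"),          # benign site
    SysEvent(1.5, 100, "write", "/tmp/cache/page.html"),
    SysEvent(5.3, 100, "connect", "203.0.113.5:443"),            # download host
    SysEvent(5.6, 100, "write", "/home/user/Downloads/invoice.exe"),
    SysEvent(9.1, 100, "read", "/home/user/Downloads/invoice.exe"),
    SysEvent(9.2, 100, "exec", "pid:200"),
    SysEvent(9.9, 200, "connect", "198.51.100.7:4444"),          # suspicious
]


def attribute_to_process(sys_log, ui_log):
    """Baseline: the whole long-running process is one unit."""
    return {e: f"pid:{e.pid}" for e in sys_log}


def attribute_to_ui_transition(sys_log, ui_log):
    """Partition each process by UI transitions: a system event belongs to the
    latest UI event of the same pid that precedes it.  A child process with no
    GUI of its own (assumption) inherits the unit of the exec that spawned it."""
    ui_by_pid = defaultdict(list)
    for u in sorted(ui_log, key=lambda u: u.ts):
        ui_by_pid[u.pid].append(u)
    spawned_in, units = {}, {}
    for e in sorted(sys_log, key=lambda e: e.ts):
        earlier = [u for u in ui_by_pid[e.pid] if u.ts <= e.ts]
        if earlier:
            u = earlier[-1]
            unit = f"ui:{u.pid}:{u.element}@{u.ts}"
        else:
            unit = spawned_in.get(e.pid, f"pid:{e.pid}")
        units[e] = unit
        if e.op == "exec":
            spawned_in[int(e.obj.split(":")[1])] = unit
    return units


def build_graph(sys_log, units):
    """preds[n] = nodes that n causally depends on (data flows from them to n)."""
    preds = defaultdict(set)
    for e in sys_log:
        u = units[e]
        if e.op == "read":
            preds[u].add(e.obj)
        elif e.op == "write":
            preds[e.obj].add(u)
        elif e.op == "connect":           # a socket carries data both ways
            preds[u].add(e.obj)
            preds[e.obj].add(u)
        elif e.op == "exec":
            preds[e.obj].add(u)
    return preds


def backward_trace(preds, sink):
    """Everything the sink transitively depends on (the sink itself excluded)."""
    seen, stack = set(), [sink]
    while stack:
        for p in preds.get(stack.pop(), ()):
            if p not in seen:
                seen.add(p)
                stack.append(p)
    seen.discard(sink)
    return seen


def investigate(attribute, sink="198.51.100.7:4444"):
    """Backward provenance of the suspicious connection under a given partitioning."""
    units = attribute(SYS_LOG, UI_LOG)
    return backward_trace(build_graph(SYS_LOG, units), sink)


if __name__ == "__main__":
    print("process-level :", sorted(investigate(attribute_to_process)))
    print("UI-transition :", sorted(investigate(attribute_to_ui_transition)))
```

With process-level units the trace reaches the benign site 198.51.100.20:443 through pid 100, because everything the browser ever touched hangs off the same node; with UI-transition units the result is the "Open file dialog" transition, invoice.exe, the "Download button" transition and the host it downloaded from, which is the story a user can recognise on sight.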