Cyberattacks have caused significant damage and losses in various domains. While existing attack investigations against cyberattacks focus on identifying compromised system entities and reconstructing attack stories, there is a lack of information that security analysts can use to locate software vulnerabilities and thus fix them. In this paper, we present AiVl, a novel software vulnerability location method to push the attack investigation further. AiVl relies on logs collected by the default built-in system auditing tool and program binaries within the system. Given a sequence of malicious log entries obtained through traditional attack investigations, AiVl can identify the functions responsible for generating these logs and trace the corresponding function call paths, namely the location of vulnerabilities in the source code. To achieve this, AiVl proposes an accurate, concise, and complete specific-domain program modeling that constructs all system call flows by static-dynamic techniques from the binary, and develops effective matching-based algorithms between the log sequences and program models. To evaluate the effectiveness of AiVl, we conduct experiments on 18 real-world attack scenarios and an APT, covering comprehensive categories of vulnerabilities and program execution classes. The results show that compared to actual vulnerability remediation reports, AiVl achieves a 100% precision and an average recall of 90%. Besides, the runtime overhead is reasonable, averaging at 7%.

中文翻译：

---

攻击调查的最后一英里：针对软件漏洞位置的审计日志分析


网络攻击在各个领域造成了重大损害和损失。虽然针对网络攻击的现有攻击调查侧重于识别受感染的系统实体和重建攻击故事，但缺乏安全分析师可用于定位软件漏洞并修复它们的信息。在本文中，我们提出了 AiVl，这是一种新颖的软件漏洞定位方法，可进一步推动攻击调查。AiVl 依赖于默认内置系统审计工具和系统内程序二进制文件收集的日志。给定通过传统攻击调查获得的一系列恶意日志条目，AiVl 可以识别负责生成这些日志的函数，并追踪相应的函数调用路径，即源代码中漏洞的位置。为此，AiVl 提出了一种准确、简洁、完整的特定域程序建模方法，通过静态-动态技术从二进制构建所有系统调用流，并在日志序列和程序模型之间开发有效的基于匹配的算法。为了评估 AiVl 的有效性，我们对 18 个真实世界的攻击场景和一个 APT 进行了实验，涵盖了全面的漏洞类别和程序执行类别。结果表明，与实际漏洞修复报告相比，AiVl 的准确率达到了 100%，平均召回率达到了 90%。此外，运行时开销是合理的，平均为 7%。