A User-Centric Causality Analysis System

Our system utilizes how a user views and interacts with the operating system through the Graphical User Interface (GUI) to track attacker’s behavior and provide schematic investigation results. Our system represents a new paradigm of user-centric attack investigation by highlighting activities from users’ perspective. Specifically, it leverages users interaction logs and system events to establish the dependency between involved system entities (e.g., compromised files, or processes), obtain high level human-perceivable semantics (both on GUI and low-level system events), and establish a causal dependence graph.