MPI: Multiple Perspective Attack Investigation with Semantic Aware Execution Partitioning
Shiqing Ma - Purdue University
Aug 23, 2017Size: 4KB
Download: MP4 Video
Watch in your Browser Watch on YouTube
AbstractOperating system level auditing is one of the most important forensics techniques. With operating system level audit systems, e.g., the Linux audit system, investigators can generate attack causal graphs by analyzing the causal relationships between the logged events. However, traditional techniques usually generate large and inaccrute causal graphs. This is because applications are not aware of the existence of the OS level audit systems, and can not provide its own context information. To solve this problem, we propose MPI (short for Multiple Perspective attack Investigation), a semantics aware program annotation and instrumentation technique to partition process executions based on the application specific high level task structures. It converts current applications to be provenance-aware, generates execution partitions with rich semantic information and provides multiple perspectives of an attack. We develop a prototype and integrate it with three different provenance systems: the Linux Audit system, ProTracer and the LPM-HiFi system. The evaluation results show that our technique generates simple and accurate attack graphs with rich high-level semantics and has much lower space and time overheads.
About the SpeakerShiqing Ma is a Ph.D. student from the Department of Computer Science at Purdue University, advised by Dr. Xiangyu Zhang and Dr. Dongyan Xu. His research focuses on system and software security especially data provenance problems. His past works include building low-overhead, cost-effective operating system level provenance systems, and automatically translating normal programs into provenance-aware programs to help assist accurate provenance analysis. He is a recipient of two Distinguished Paper Awards from NDSS 2016 and USENIX Security 2017.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos, are the property of Purdue University, the presenter and/or the presenter’s organization, and protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.