The Center for Education and Research in Information Assurance and Security (CERIAS)


Shiqing Ma - Purdue University


MPI: Multiple Perspective Attack Investigation with Semantic Aware Execution Partitioning

Aug 23, 2017



Operating system level auditing is one of the most important forensics techniques. With operating system level audit systems, e.g., the Linux audit system, investigators can generate attack causal graphs by analyzing the causal relationships between the logged events. However, traditional techniques usually generate large and inaccurate causal graphs. This is because applications are not aware of the existence of the OS-level audit systems and cannot provide their own context information. To solve this problem, we propose MPI (short for Multiple Perspective attack Investigation), a semantics-aware program annotation and instrumentation technique to partition process executions based on the application-specific high-level task structures. It converts current applications to be provenance-aware, generates execution partitions with rich semantic information, and provides multiple perspectives of an attack. We develop a prototype and integrate it with three different provenance systems: the Linux Audit system, ProTracer and the LPM-HiFi system. The evaluation results show that our technique generates simple and accurate attack graphs with rich high-level semantics and has much lower space and time overheads.

About the Speaker

Shiqing Ma
Shiqing Ma is a Ph.D. student in the Department of Computer Science at Purdue University, advised by Dr. Xiangyu Zhang and Dr. Dongyan Xu. His research focuses on system and software security, especially data provenance problems. His past work includes building low-overhead, cost-effective operating system level provenance systems, and automatically translating normal programs into provenance-aware programs to assist accurate provenance analysis. He is a recipient of two Distinguished Paper Awards, from NDSS 2016 and USENIX Security 2017.
