A group of CERIAS researchers recently won the
Distinguished Paper Award at the USENIX Security Symposium 2017, a top-tier
cybersecurity conference held in Vancouver, Canada from August 16th to 18th.
The paper, “MPI: Multiple Perspective Attack Investigation with Semantic
Aware Execution Partitioning”, is co-authored by Computer Science Ph.D. students Shiqing
Ma and Fei Wang, their advisors Professors Xiangyu Zhang and Dongyan Xu, and
collaborators Professor Juan Zhai from Nanjing University (former visiting
scholar in the group) and Professor Kyu Hyung Lee from University of Georgia
(former Ph.D. student from the group). It was one of the six papers
sharing the award, out of 85 papers accepted from 522 submissions.
The paper presents the authors’ novel idea of automatically transforming
application source code to facilitate provenance tracking. For the first
time, it exposes application-specific semantics to operating system level
provenance collectors, and provides multiple perspectives for the
investigators to understand an advanced persistent threat (APT) attack. The
technique substantially reduces the manual effort needed to identify the root
cause and the ramifications of the attack. It also offers a very flexible
interface to couple with different types of OS level provenance collectors.
The technique views the execution of an application as a sequence of tasks.
For example, the execution of Firefox can be viewed as loading different
tabs, pages, and even individual DOM elements. It asks the users to provide
their desired investigation perspectives by annotating data structures
corresponding to such tasks. Then it instruments the application using a
compiler. The execution of the instrumented application generates a
provenance log. The log contains rich semantic information related to tasks,
which substantially improves the precision of the attack causal graphs.
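To illustrate the partitioning idea in the paragraph above, here is an added Python example that is not code from the paper or the authors' tool. It uses a constructed event log in which each record carries a task annotation (here, a browser tab) alongside the process id, and compares the backward provenance of a suspicious download when events are partitioned per process versus per task.

```python
from collections import defaultdict

# Constructed log from an instrumented browser-like process (pid 100).
# 'task' stands in for the annotation a semantic-aware instrumentation
# would emit (the tab being processed); an OS-level collector alone
# would only see the pid. All values here are made up for illustration.
LOG = [
    # (pid, task, op, object)
    (100, "tab:news", "read",  "socket:news.example"),
    (100, "tab:news", "write", "/home/u/Downloads/report.pdf"),
    (100, "tab:mail", "read",  "socket:mail.example"),
    (100, "tab:mail", "write", "/home/u/Downloads/invoice.exe"),
    (100, "tab:docs", "read",  "socket:docs.example"),
    (100, "tab:docs", "write", "/home/u/Downloads/notes.txt"),
]

def build_edges(log, unit_key):
    """Dependency graph: every object read by a unit flows to every object
    written by that unit. unit_key chooses the partition: the pid alone
    (coarse, process-level) or (pid, task) (semantic-aware)."""
    reads, writes = defaultdict(set), defaultdict(set)
    for pid, task, op, obj in log:
        unit = unit_key(pid, task)
        (reads if op == "read" else writes)[unit].add(obj)
    edges = defaultdict(set)  # written object -> objects it depends on
    for unit, outs in writes.items():
        for out in outs:
            edges[out] |= reads[unit]
    return edges

def backward_provenance(edges, obj):
    """Transitively collect everything the given object depends on."""
    seen, stack = set(), [obj]
    while stack:
        cur = stack.pop()
        for src in edges.get(cur, ()):
            if src not in seen:
                seen.add(src)
                stack.append(src)
    return seen

SUSPECT = "/home/u/Downloads/invoice.exe"
process_level = backward_provenance(build_edges(LOG, lambda p, t: p), SUSPECT)
task_level = backward_provenance(build_edges(LOG, lambda p, t: (p, t)), SUSPECT)

if __name__ == "__main__":
    print("process-level origins:", sorted(process_level))
    print("task-level origins:   ", sorted(task_level))
```

With process-level partitioning every network read in the long-running process appears as a possible origin of the download; with task annotations the causal graph collapses to the single tab that actually produced it.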
The team’s current research in APT attack prevention, detection, forensics,
and recovery has been supported in part by the Defense Advanced Research
Projects Agency (DARPA), National Science Foundation (NSF), Office of Naval
Research (ONR), Sandia National Labs, and Cisco Systems. In particular, it is part of DARPA's Transparent Computing Program, which aims at making system/network
component operations and interactions more transparent for better defense
against advanced, stealthy cyberattacks such as APTs. It is worth mentioning
that this is the second Distinguished Paper Award they won from top-tier
cybersecurity conferences in this line of work (the first one was from NDSS 2016).