Event Details
Talk Abstract:
System auditing is the foundation of attack provenance to investigate root causes and ramifications of cyber-attacks. However, provenance tracking on coarse-grained audit logs suffers from false causalities caused by dependency explosion. Recent approaches address this problem by increasing provenance granularity using execution partitioning or record-and-replay techniques. Unfortunately, they require program instrumentation and/or impose an unaffordable overhead, which is not practical in deployment.
In this talk, we first present PalanTir, a provenance-based system that enhances system observability to enable precise and scalable attack investigation. Leveraging hardware-assisted processor tracing (PT), PalanTir optimizes attack provenance in system-call-level audit logs by recovering instruction-level causalities, balancing between efficient hardware-based online monitoring and offline analysis. PalanTir statically profiles program binaries to identify instructions causally relevant to audit logs and pre-summarize their taint propagation logic at the coarse granularity of basic blocks. In the evaluation against real-life cyber-attacks, it incurs little overhead in large applications (e.g., Nginx and Sendmail). To further support the offline analysis, we also introduce solutions to reconstruct cyber events for more accurate and comprehensive system activity observation.
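The "dependency explosion" the abstract refers to is easiest to see on a small provenance graph. The following added example (not PalanTir code, and not from the speaker) builds a toy system-call-level audit log and performs backward provenance tracking from a suspicious output file in two modes: coarse-grained, where every file a process read before a write is treated as a cause of that write, and fine-grained, where a constructed per-(process, output) taint summary stands in for the instruction-level causalities that hardware tracing plus static profiling would recover. The event records, file names and `TAINT_SUMMARY` table are all constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int    # logical timestamp of the syscall
    pid: int   # process that issued it
    op: str    # "read" or "write"
    obj: str   # file object touched


# Constructed system-call-level audit log: process 100 reads two files and
# writes two; process 200 consumes one of those outputs and writes a third.
AUDIT_LOG = [
    Event(1, 100, "read", "/etc/config"),
    Event(2, 100, "read", "/home/user/secret.txt"),
    Event(3, 100, "write", "/tmp/out.log"),
    Event(4, 100, "write", "/var/www/upload.bin"),
    Event(5, 200, "read", "/var/www/upload.bin"),
    Event(6, 200, "write", "/tmp/exfil.dat"),
]

# Constructed stand-in for instruction-level taint summaries: for each
# (pid, written object), which of the process's inputs actually flowed into it.
# A real system would derive this from a hardware trace and per-basic-block
# taint logic; here it is hand-written sample data.
TAINT_SUMMARY = {
    (100, "/tmp/out.log"): {"/etc/config"},
    (100, "/var/www/upload.bin"): {"/home/user/secret.txt"},
    (200, "/tmp/exfil.dat"): {"/var/www/upload.bin"},
}


def _latest_write(obj, before_ts):
    """Most recent write to obj strictly before before_ts, or None if the
    object has no recorded writer (i.e. it is a root of the provenance graph)."""
    cands = [e for e in AUDIT_LOG if e.op == "write" and e.obj == obj and e.ts < before_ts]
    return max(cands, key=lambda e: e.ts) if cands else None


def _inputs_of(write, fine_grained):
    """Read events considered causes of the given write event."""
    reads = [e for e in AUDIT_LOG
             if e.pid == write.pid and e.op == "read" and e.ts < write.ts]
    if not fine_grained:
        # Coarse-grained rule: everything the process read earlier is a cause.
        return reads
    flowed = TAINT_SUMMARY.get((write.pid, write.obj), set())
    # Fine-grained rule: keep only reads whose data actually reached the write.
    return [e for e in reads if e.obj in flowed]


def backward_provenance(target, fine_grained):
    """Set of file objects that (transitively) contributed to target."""
    ancestors = set()
    seen = set()
    queue = deque([(target, float("inf"))])
    while queue:
        obj, before = queue.popleft()
        w = _latest_write(obj, before)
        if w is None:
            continue
        for r in _inputs_of(w, fine_grained):
            ancestors.add(r.obj)
            # Continue backwards from the state of r.obj at the time it was read.
            if (r.obj, r.ts) not in seen:
                seen.add((r.obj, r.ts))
                queue.append((r.obj, r.ts))
    return ancestors


def false_causalities(target):
    """Ancestors reported by coarse-grained tracking that fine-grained tracking rules out."""
    return backward_provenance(target, False) - backward_provenance(target, True)


if __name__ == "__main__":
    for target in ("/tmp/out.log", "/tmp/exfil.dat"):
        print(target)
        print("  coarse:", sorted(backward_provenance(target, False)))
        print("  fine:  ", sorted(backward_provenance(target, True)))
        print("  false: ", sorted(false_causalities(target)))
```

Even on six events the coarse-grained analysis drags `/home/user/secret.txt` into the history of `/tmp/out.log` and `/etc/config` into the history of `/tmp/exfil.dat`, neither of which actually flowed there; on a long-running server process that reads many requests and writes many responses, the same rule makes nearly every output depend on nearly every input, which is the explosion the abstract describes.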
Speaker Bio
Zhenkai Liang is an Associate Professor in the Department of Computer Science at National University of Singapore. He is also a co-Lead Principal Investigator of the National Security R&D Lab of Singapore. His research interests are in system and software security, including binary program analysis and security on Web, mobile, and Internet-of-Things (IoT) platforms. He has published high-impact papers in top security and software engineering conferences and has won several best paper awards at security and software engineering conferences, including the Annual Computer Security Applications Conference (ACSAC), the USENIX Security Symposium, and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE). He also won the Annual Teaching Excellence Award of NUS in 2014 and 2015. He is a current member of the Steering Group of NDSS and has served as a technical program committee member and editorial board member for major security conferences and journals, including the ACM Conference on Computer and Communications Security (CCS), the USENIX Security Symposium, the Network and Distributed System Security Symposium (NDSS), IEEE Transactions on Dependable and Secure Computing (TDSC), and ACM Transactions on Privacy and Security (TOPS). He received his Ph.D. degree in Computer Science from Stony Brook University in 2006, and B.S. degrees in Computer Science and Economics from Peking University in 1999.
ISI Host: Dr. Christophe Hauser, Networking and Cybersecurity Division
ISI POC: Matt Binkley, Networking and Cybersecurity Division
This program is open to all eligible individuals. Information Sciences Institute operates all of its programs and activities consistent with the University's Notice of Non-Discrimination. Eligibility is not determined based on race, sex, ethnicity, sexual orientation, or any other prohibited factor.