Modern computing systems are sprawling and complex, creating many opportunities for would-be intruders to break-in and remain undetected. Attackers can now dwell inside of networks for months or years before being noticed, as evidenced by numerous high-profile data breaches in the news. Our research seeks to empower system defenders by improving the ways in which we audit computers, allowing them to understand and react to attacks before serious damage is inflicted. A key technique we leverage in this work isf data provenance, which iteratively parses low-level events (e.g., Process A read File 1) into a causal dependency graph that describes the entire history of system execution. These graphs allow security analysts to identify the root causes of suspicious activities through causal analysis, and can also be used to improve automated intrusion detection systems.

Recent Papers:

• Tactical Provenance Analysis for Endpoint Detection and Response Systems
• UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats
• OmegaLog: High-Fidelity Attack Investigation via Transparent Multi-layer Log Analysis
• CUSTOS: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution
• Can Data Provenance Put an End to the Data Breach?
• NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage
• Runtime Analysis of Whole-System Provenance
• Towards Scalable Cluster Auditing through Grammatical Inference over Provenance Graphs.
• Trustworthy Whole-System Provenance for the Linux Kernel