CAREER: Scalable Information Flow Monitoring and Enforcement through Data Provenance Unification

职业：通过数据来源统一进行可扩展的信息流监控和执行

• 批准号: 1750024
• 负责人: Adam Bates
• 金额: $ 52.81万
• 依托单位: University of Illinois at Urbana-Champaign
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-04-01 至 2024-03-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1750024&HistoricalAwards=false
• 关键词: CAREER; Scalable; Information; Flow; Monitoring

System intrusions have becoming more subtle and complex. Attackers now covertly observe and probe systems for prolonged periods before launching devastating attacks. In such an environment, it has grown prohibitively difficult for system administrators to identify suspicious events, correlate these events into an attack pattern, and determine an appropriate response. Data Provenance is a method of modeling a system's execution in the form of a causal relationship graph, allowing investigators to trace the ancestry of data objects and identify relationships between seemingly independent events. The goal of the proposed work is to develop techniques that enable the use of data provenance as an expressive and efficient monitoring tool in large distributed systems. These mechanisms will enable unprecedented capability to reason about system events, centrally monitor activities within data centers, and express fine-grained enforcement of security properties based on the historical flow of data. Research and software artifacts will be made available to the broader community through the Linux provenance web site.The proposed work will examine central challenges related to expressivity and scalability that currently prevent the further proliferation of provenance-based auditing techniques. To address the semantic gap that has traditionally prevented system-layer auditing from being able to explain higher-level application behaviors, this project pursues the design of universal provenance mechanisms that leverage binary analysis to transparently identify siloed application-layer logging activities, extract their semantics, and graft the information onto a causal relationship graph that encodes the entire system's execution. Grammar induction techniques will be leveraged to overcome the tremendous storage burden of provenance and provide a scalable central monitoring framework for data centers. After enriching system-layer auditing and enabling the efficient communication of suspicious activities via provenance traces, data provenance will be integrated into enforcement mechanisms to address critical security challenges including regulatory compliance, information flow control, and fault attribution. The advancement of state-of-the-art of provenance-based tracing and enforcement should establish a new baseline for reasoning about the flow of data in today's complex computing systems.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

系统入侵变得更加微妙和复杂。现在，攻击者在发动毁灭性攻击之前，会秘密观察和探测系统很长一段时间。在这样的环境中，系统管理员识别可疑事件、将这些事件关联到攻击模式以及确定适当的响应变得异常困难。数据起源是一种以因果关系图的形式对系统执行进行建模的方法，允许调查人员跟踪数据对象的祖先，并识别看似独立的事件之间的关系。拟议工作的目标是开发能够在大型分布式系统中使用数据来源作为一种富有表现力和高效的监测工具的技术。这些机制将支持前所未有的能力来推断系统事件，集中监控数据中心内的活动，并根据历史数据流表达安全属性的细粒度实施。研究和软件产品将通过Linux出处网站向更广泛的社区提供。拟议的工作将审查与表现力和可扩展性有关的主要挑战，目前这些挑战阻碍了基于出处的审计技术的进一步扩散。为了解决传统上阻止系统层审计能够解释更高级别应用程序行为的语义鸿沟，该项目致力于通用起源机制的设计，该机制利用二进制分析来透明地识别孤立的应用层日志记录活动，提取其语义，并将信息移植到对整个系统的执行进行编码的因果关系图上。语法归纳技术将被用来克服来源的巨大存储负担，并为数据中心提供一个可扩展的中央监控框架。在丰富系统层审计并通过来源跟踪实现可疑活动的有效沟通之后，数据来源将被整合到执行机制中，以应对包括法规遵从性、信息流控制和故障归属在内的关键安全挑战。最先进的基于来源的追踪和执行的进步应该为在当今复杂的计算系统中推理数据流建立一个新的基线。这一奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Emerging Threats in Internet of Things Voice Services

• DOI: 10.1109/msec.2019.2910013
• 发表时间: 2019-07-01
• 期刊: IEEE SECURITY & PRIVACY
• 影响因子: 1.9
• 作者: Kumar, Deepak;Paccagnella, Riccardo;Bailey, Michael
• 通讯作者: Bailey, Michael

Analysis of Privacy Protections in Fitness Tracking Social Networks -or- You can run, but can you hide?

• 发表时间: 2018
• 作者: Wajih Ul Hassan;Saad Hussain;Adam Bates

OmegaLog: High-Fidelity Attack Investigation via Transparent Multi-layer Log Analysis

• DOI: 10.14722/ndss.2020.24270
• 发表时间: 2020
• 期刊: Proceedings 2020 Network and Distributed System Security Symposium
• 作者: Wajih Ul Hassan;Mohammad A. Noureddine;Pubali Datta;Adam Bates

Towards Efficient Auditing for Real-Time Systems.

实现实时系统的高效审计。

• 发表时间: 2022
• 期刊: 27th European Symposium on Research in Computer Security
• 作者: Bansal, A.;Kandikuppa, A.;Chen, CY.;Hasan, M.;Bates, A.;Mohan, S.
• 通讯作者: Mohan, S.

UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats

• DOI: 10.14722/ndss.2020.24046
• 发表时间: 2020-01
• 期刊: ArXiv
• 作者: Xueyuan Han;Thomas Pasquier;Adam Bates;James W. Mickens;M. Seltzer