I-Corps: Translation potential of using provenance-based threat detection for improving cybersecurity

I-Corps：使用基于来源的威胁检测来提高网络安全的转化潜力

• 批准号: 2424261
• 负责人: Adam Bates
• 金额: $ 5万
• 依托单位: University of Illinois at Urbana-Champaign
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2024
• 资助国家: 美国
• 起止时间: 2024-04-15 至 2025-03-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2424261&HistoricalAwards=false
• 关键词: Corps; Translation; potential; using; provenance

The broader impact of this I-Corps project is the development of technology for securing computer workstations and servers from attack. The approach based on the historical record that traces data from its original source to its current location (called data provenance analysis). Securing endpoint computers is a vital component of enterprise security. Current solutions adopt a strategy for detecting attacks by comparing endpoint activity to a set of detection rules that describe common attack behaviors. However, this is an error prone practice, leading to large volumes of false alerts while failing to detect sophisticated attacks. In addition, the maintenance requirements of investigating these false alerts pose a formidable challenge within smaller to medium-sized businesses (SMBs), which lack the necessary security resources and personnel. This impediment is even more visible within SMBs housing sensitive user data, where a security breach can have profound and enduring financial and societal consequences. This technology may be used to establish data provenance analysis as a more precise and practical means of detecting attacks on endpoints. In addition, this solution may save U.S. companies millions of dollars by thwarting attacks that could have otherwise resulted in the compromise of customer data.This I-Corps project utilizes experiential learning coupled with a first-hand investigation of the industry ecosystem to assess the translation potential of the technology. The solution is based on the development of analysis of data provenance to ensure cyber security. Data provenance techniques incrementally parse individual endpoint events (e.g., process executions and file accesses) into a causal dependency graph that describes the history of system execution. The graphical representation of endpoint activity highlights the relationships between objects, making it easier to identify suspicious activities. A key finding of this research is a method of overcoming the inherent architectural limitations in the machine learning models used to analyze data provenance graphs. Leveraging this method, a model was trained that comprehensively captures the typical behavior of programs by associating them with their full historical context. Attacks are detected by comparing suspicious programs to the models’ expectations of each program’s behavior, which is informed by the programs’ provenance. This approach significantly reduces the occurrence of false alerts when compared to current endpoint security solutions, while also eliminating the need for frequent system tuning such as the adding and removing of detection rules.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

I-Corps项目的更广泛影响是开发保护计算机工作站和服务器免受攻击的技术。基于历史记录的方法，将数据从原始来源追溯到当前位置（称为数据起源分析）。 保护端点计算机是企业安全的重要组成部分。当前的解决方案采用通过将端点活动与描述常见攻击行为的一组检测规则进行比较来检测攻击的策略。然而，这是一种容易出错的做法，导致大量的错误警报，同时无法检测到复杂的攻击。此外，调查这些错误警报的维护要求对缺乏必要安全资源和人员的中小型企业（SMB）构成了巨大挑战。这种障碍在存储敏感用户数据的中小企业中更加明显，安全漏洞可能会产生深远而持久的财务和社会后果。该技术可用于建立数据来源分析，作为检测对端点的攻击的更精确和实用的手段。此外，该解决方案还可以阻止可能导致客户数据泄露的攻击，从而为美国公司节省数百万美元。该I-Corps项目利用体验式学习以及对行业生态系统的第一手调查来评估该技术的翻译潜力。该解决方案基于对数据来源的分析，以确保网络安全。数据起源技术递增地解析各个端点事件（例如，进程执行和文件访问）转换成描述系统执行历史的因果依赖图。端点活动的图形化表示突出显示了对象之间的关系，从而更容易识别可疑活动。这项研究的一个关键发现是克服用于分析数据来源图的机器学习模型中固有的架构限制的方法。利用这种方法，训练了一个模型，通过将它们与完整的历史背景相关联，全面捕获程序的典型行为。通过将可疑程序与模型对每个程序行为的期望进行比较来检测攻击，该期望由程序的出处通知。与当前的端点安全解决方案相比，这种方法大大减少了错误警报的发生，同时也消除了频繁的系统调优（如添加和删除检测规则）的需要。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。