Next Generation Provenance-based Intrusion Detection System

下一代基于来源的入侵检测系统

• 批准号: RGPIN-2022-03639
• 负责人: Pasquier, Thomas
• 金额: $ 2.11万
• 依托单位: University of British Columbia
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2022
• 资助国家: 加拿大
• 起止时间: 2022-01-01 至 2023-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=749889
• 关键词: Next; Generation; Provenance; based; Intrusion

Worldwide, attacks on computer systems are adversely affecting everyday life, from schools closing in Iowa, cancellation of hospital appointments in Ireland, supermarkets closure in Sweden, to fuel disruption in the US. Of particular concern is the increased number of Advanced Persistent Threat (APT) attacks. APTs are subtle targeted attacks designed by well-resourced and skilled attackers. The attackers extend their control of a system over a period of months or years before finally launching a potentially devastating attack that can, in certain cases, affect critical infrastructures. APTs remain undetected for years due to the opacity and complexity of modern computer systems. Over the last few years, provenance-based intrusion detection has been heralded as a potential solution in the academic security community. Provenance is the representation of system execution as a directed acyclic graph that captures the causal relationship between events greatly increasing system observability. Intrusion detection techniques applied to this graph data can detect attacks and investigate suspicious behaviors. However, such systems have not been widely deployed for a few fundamental reasons. First, current academic prototypes and experimental setups are not adapted to current industry standards and practices. Second, there is a global shortage of security talent making attack investigation an expensive endeavor. Provenance-based systems are unfamiliar and require complex investigation strategies, leading to a high adoption cost. Finally, academic evaluation standards have been relatively poor when compared with more conventional intrusion detection techniques casting doubt upon their real effectiveness. In the proposed research program, I will design a practical end-to-end provenance-based intrusion detection solution that meets current industry standards and practices. A core objective of this research is to design a solution that can be readily deployed in modern cloud-based platforms that are today's prevalent deployment choice. Further, the solution we develop will focus on reducing expert time dedicated to low-value tasks (e.g., triaging false positives or parsing through gigabytes of log records). Finally, I will design a strong evaluation strategy to demonstrate the validity of provenance-based approaches. This research is at the intersection of systems and applied machine learning. I envision my group contributing to systems observability research by developing trustworthy tools providing visibility into systems behavior and to machine learning applied to security by developing explainable graph-based intrusion detection solutions. As part of this research, my team will also work to integrate this new knowledge into robust open-source tools. These tools can then be used by industry practitioners to develop trustworthy security solutions.

在世界范围内，对计算机系统的攻击正在对日常生活产生不利影响，从爱荷华州的学校关闭，爱尔兰的医院预约取消，瑞典的超市关闭，到美国的燃料中断。特别值得关注的是高级持续性威胁（APT）攻击的数量增加。APT是由资源丰富且技术熟练的攻击者设计的微妙的目标攻击。攻击者在几个月或几年的时间内扩展他们对系统的控制，然后最终发动可能具有破坏性的攻击，在某些情况下，可能会影响关键基础设施。由于现代计算机系统的不透明性和复杂性，APT多年来一直未被发现。在过去的几年里，基于出处的入侵检测已被誉为学术安全社区的一个潜在的解决方案。起源是系统执行的表示，作为一个有向无环图，捕捉事件之间的因果关系，大大提高系统的可观测性。应用于此图数据的入侵检测技术可以检测攻击并调查可疑行为。然而，由于一些基本原因，这种系统没有得到广泛部署。首先，当前的学术原型和实验设置不适应当前的行业标准和实践。其次，全球缺乏安全人才，使得攻击调查成为一项昂贵的奋进。基于种源的系统是不熟悉的，需要复杂的调查策略，导致采用成本高。最后，学术评估标准相对较差，与传统的入侵检测技术相比，怀疑其真实的有效性。在拟议的研究计划中，我将设计一个实用的端到端的基于出处的入侵检测解决方案，满足当前的行业标准和实践。这项研究的核心目标是设计一个解决方案，可以很容易地部署在现代基于云的平台，这是当今流行的部署选择。此外，我们开发的解决方案将专注于减少专家用于低价值任务的时间（例如，分类误报或解析千兆字节的日志记录）。最后，我将设计一个强大的评估策略来证明基于出处的方法的有效性。这项研究处于系统和应用机器学习的交叉点。我设想我的团队通过开发可信赖的工具来提供对系统行为的可见性，并通过开发可解释的基于图的入侵检测解决方案来应用于安全的机器学习，从而为系统可观察性研究做出贡献。作为这项研究的一部分，我的团队还将努力将这些新知识整合到强大的开源工具中。然后，行业从业者可以使用这些工具来开发值得信赖的安全解决方案。