
Practical Techniques for Automated Detection and Reconstruction of Advanced Cyber Attack Campaigns from System Call Logs

Series: Department Seminar

Speaker: Prof. R. Sekar, SUNY Empire Innovation Professor in Cyber Security, and the Associate Chair of the Computer Science Department, Stony Brook University

Date/Time: Jul 19 11:00:00

Location: CSA Lecture Hall (Room No. 117, Ground Floor)

Abstract:
There is wide consensus in the research community that system-call level provenance is essential for detecting and understanding advanced cyberattack campaigns, also called APT (advanced persistent threat) campaigns. Unfortunately, provenance collection and analysis at system call granularity poses several major challenges. First, existing system call loggers incur high overheads, slowing down workloads by 2x to 8x. By exploiting this weakness, APT actors can overwhelm loggers and cause them to drop the vast majority of system calls, thereby providing an effective vehicle for evasion. Second, provenance logs can grow to hundreds of GBs per day per host. The cost of storing months of logs across all hosts can strain the IT budgets of even well-resourced organizations. Third, even when all the attack activity is present in the logs, it is very challenging to filter out the benign background activity and zoom in on the attack activity, since attacks typically account for a vanishingly small fraction of the logs. In this talk, we describe these challenges and present our approach for addressing them. Our provenance collection system, called eAudit, incorporates several new techniques to reduce the performance overheads to single digits. To reduce data volume, we have developed a compact event encoding that reduces log sizes by 10x. In addition, we developed novel techniques for identifying and eliminating redundant events, further reducing the number of events by 10x, while provably preserving forensic analysis results. Finally, we present our attack detection and APT campaign reconstruction techniques, which achieved excellent results in the DARPA Transparent Computing program.
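The abstract's claim that redundant events can be dropped "while provably preserving forensic analysis results" is easiest to see on a small log. The following is an added illustration written for this page; it is not eAudit's code, and the two reduction rules it uses (a repeated read of a file that nobody has written since, and a repeated write by a process that has taken no new input since) are a simplified version of dependence-preserving reduction, not the talk's exact algorithm. The event log, process names and file paths are constructed. The example checks the preservation property directly: backward tracking (what could have influenced a node) and forward tracking (what a node could have influenced) return the same answer on the full and the reduced log for every node.

```python
"""Dependence-preserving reduction of a system-call provenance log.

Added illustration (not eAudit's code) of the idea behind "eliminating
redundant events while preserving forensic analysis results".  Simplified
rules, assumed for this example:

  * a read of file F by process P is redundant if P already read F and
    F has not been written since;
  * a write to file F by process P is redundant if P already wrote F and
    P has taken no new input (no retained read) since.

Backward tracking ("what could have influenced X?") and forward tracking
("what did X influence?") give identical answers on the reduced log.
"""
from collections import namedtuple

Event = namedtuple("Event", "t proc op obj")  # op is "read" or "write"

CONF, LOG, NEW = "/etc/app.conf", "/var/log/app.log", "/home/u/new.conf"

# Constructed sample log (not real data): P1 re-reads its config and appends
# to a log file in a loop, P2 rewrites the config at t=7, P3 tails the log.
SAMPLE_LOG = [
    Event(1, "P1", "read", CONF),
    Event(2, "P1", "write", LOG),
    Event(3, "P1", "read", CONF),    # redundant: CONF unchanged since t=1
    Event(4, "P1", "write", LOG),    # redundant: P1 had no new input since t=2
    Event(5, "P3", "read", LOG),
    Event(6, "P2", "read", NEW),
    Event(7, "P2", "write", CONF),
    Event(8, "P1", "read", CONF),    # kept: CONF was rewritten at t=7
    Event(9, "P1", "write", LOG),    # kept: P1 read new data at t=8
    Event(10, "P1", "write", LOG),   # redundant
    Event(11, "P3", "read", LOG),    # kept: LOG was rewritten at t=9
    Event(12, "P3", "read", LOG),    # redundant
]


def flow(e):
    """Map a syscall event to an information-flow edge (src, dst)."""
    return (e.obj, e.proc) if e.op == "read" else (e.proc, e.obj)


def reduce_events(events):
    """Single chronological pass that drops events adding no new dependency."""
    last_read = {}        # (proc, file) -> time of last retained read
    last_write = {}       # (proc, file) -> time of last retained write
    file_written = {}     # file -> time of last retained write by any process
    proc_input = {}       # proc -> time of last retained read (new input)
    kept = []
    for e in sorted(events, key=lambda e: e.t):
        key = (e.proc, e.obj)
        if e.op == "read":
            if key in last_read and file_written.get(e.obj, -1) < last_read[key]:
                continue                      # same content already flowed to proc
            last_read[key] = e.t
            proc_input[e.proc] = e.t
        else:
            if key in last_write and proc_input.get(e.proc, -1) < last_write[key]:
                continue                      # proc has nothing new to contribute
            last_write[key] = e.t
            file_written[e.obj] = e.t
        kept.append(e)
    return kept


def ancestors(events, target):
    """Backward tracking: nodes with a time-respecting path into target."""
    bound = {target: float("inf")}   # node -> latest time at which its inputs matter
    for e in sorted(events, key=lambda e: e.t, reverse=True):
        src, dst = flow(e)
        if dst in bound and e.t < bound[dst]:
            bound[src] = max(bound.get(src, -1), e.t)
    return set(bound) - {target}


def descendants(events, source):
    """Forward tracking: nodes reachable from source along increasing time."""
    bound = {source: -1}             # node -> earliest time it became tainted
    for e in sorted(events, key=lambda e: e.t):
        src, dst = flow(e)
        if src in bound and e.t > bound[src]:
            bound[dst] = min(bound.get(dst, float("inf")), e.t)
    return set(bound) - {source}


def dependencies_preserved(full, reduced):
    """True if every node has identical ancestor and descendant sets in both logs."""
    nodes = {n for e in full for n in flow(e)}
    return all(ancestors(full, n) == ancestors(reduced, n)
               and descendants(full, n) == descendants(reduced, n)
               for n in nodes)


if __name__ == "__main__":
    reduced = reduce_events(SAMPLE_LOG)
    print(f"{len(SAMPLE_LOG)} events -> {len(reduced)} after reduction")
    print("dependencies preserved:", dependencies_preserved(SAMPLE_LOG, reduced))
    print("ancestors of", LOG, "=", sorted(ancestors(SAMPLE_LOG, LOG)))
```

On the constructed log the pass keeps 8 of 12 events, and `dependencies_preserved` confirms that no backward or forward query changes. The write rule deliberately counts only retained reads as "new input": a read that was itself dropped as redundant brought nothing new into the process, so it must not rescue a later write from being dropped.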

Speaker Bio:
R. Sekar (http://www.cs.stonybrook.edu/~sekar/) is the SUNY Empire Innovation Professor in Cyber Security and the Associate Chair of the Computer Science Department at Stony Brook University. He received his Bachelor's degree in Electrical Engineering from IIT Madras and his Ph.D. in Computer Science from Stony Brook. After working in industry and at Iowa State University, Sekar has been a faculty member in the Computer Science Department at Stony Brook for 20+ years. Sekar's research interests are focused on software security, with specialization in attack detection, prevention, containment, response, and recovery. His recent work emphasizes language-based approaches for solving these problems, including clean-slate approaches and domain-specific languages. Sekar's research in these areas has been funded by several grants from AFOSR, DARPA, NSF and ONR, as well as by industry. He has supervised over 125 students, including four postdoctoral and international visiting researchers, 20+ Ph.D.s, and 80+ Master's students.

Host Faculty: Prof. Vinod Ganapathy