SaTC: CORE: Medium: Principled Foundations for the Design and Evaluation of Graph-Based Host Intrusion Detection Systems

SaTC：核心：中：基于图的主机入侵检测系统的设计和评估的原则基础

• 批准号: 2055127
• 负责人: Adam Bates
• 金额: $ 120.12万
• 依托单位: University of Illinois at Urbana-Champaign
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-10-01 至 2025-09-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2055127&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; Principled; Foundations

Modern system intruders are extraordinarily sophisticated, leveraging expertise and financial means to "live off the land" and avoid detection as they penetrate large organizations. Unfortunately, over 25 years of host intrusion detection research has proven insufficient to detect today’s sophisticated attackers. Recently, advancements in machine learning and auditing have led researchers to reconceptualize intrusion detection as a graph learning problem -- provenance graphs that describe the history of system execution are analyzed in an attempt to differentiate typical from suspicious activity. However, at present it is unclear how (or even if) these graph intrusion detection systems (Graph IDS) are effective in the face of determined, resourceful adversaries, particularly adaptive attackers that pattern their actions to blend in with typical activity. This project measures the resilience of Graph IDS to so-called “mimicry attacks,” then design novel anomaly detection algorithms that are hardened against this threat. The project also contributes to work force development through student participation in research. The project examines the central challenges pertaining to the evaluation and design of Graph IDS. Using provenance graphs as an abstract model for system activity, the project develops novel techniques for automated generation of mimicry attack samples, allowing the IDS’ to be rigorously benchmarked against adaptive adversaries. The project then develops new primitives for Graph IDS by incorporating the intuitions that underpin human-in-the-loop threat investigation procedures, such as root cause analysis. In the final stages of the project, it considers methods for the practical deployment of these techniques in large organizations and networks. The findings from this work inform the next generation of enterprise security strategies, re-establishing host anomaly detection as a precise and practical means of detecting system intrusions.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

现代系统入侵者非常复杂，他们利用专业知识和经济手段“在陆地上生活”并在渗透到大型组织时避免被发现。不幸的是，超过 25 年的主机入侵检测研究尚未证明能够检测当今复杂的攻击者。机器学习和审计领域的研究使研究人员将入侵检测重新概念化为图形学习问题——分析描述系统执行历史的来源图，试图区分典型活动和可疑活动。目前还不清楚这些图入侵检测系统（Graph IDS）如何（或者即使）在面对坚定、足智多谋的对手时有效，特别是那些将其行为模式与典型活动融为一体的自适应攻击者。该项目衡量了 Graph IDS 的弹性。所谓的“模仿攻击”，然后设计针对这种威胁的新型异常检测算法。该项目还通过学生参与研究来研究与 Graph 评估和设计相关的核心挑战。 IDS。该项目使用起源图作为系统活动的抽象模型，开发了自动生成模仿攻击样本的新技术，从而使 IDS 能​​够针对自适应对手进行严格的基准测试，然后通过合并 IDS 的新原语。支撑人在环威胁调查程序的直觉，例如根本原因分析，在项目的最后阶段，它考虑了在大型组织和网络中实际部署这些技术的方法。这项工作的结果为我们提供了信息。下一代企业安全策略，重新建立主机异常检测作为检测系统入侵的精确实用手段。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力优点和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Transparent DIFC: Harnessing Innate Application Event Logging for Fine-Grained Decentralized Information Flow Control

透明 DIFC：利用固有应用程序事件日志记录进行细粒度分散信息流控制

• DOI: 10.1109/eurosp53844.2022.00037
• 发表时间: 2022-06
• 期刊: Transparent DIFC: Harnessing Innate Application Event Logging for Fine-Grained Decentralized Information Flow Control
• 作者: Liu, Jason;Kandikuppa, Anant;Bates, Adam
• 通讯作者: Bates, Adam

ALASTOR: Reconstructing the Provenance of Serverless Intrusions

ALASTOR：重建无服务器入侵的根源

• DOI: ---
• 发表时间: 2022-01
• 期刊: 31st USENIX Security Symposium
• 作者: Pubali Datta; Isaac Polinsky
• 通讯作者: Isaac Polinsky

FAuST: Striking a Bargain between Forensic Auditing’s Security and Throughput

FAuST：在法证审计的安全性和吞吐量之间达成妥协

• DOI: 10.1145/3564625.3567990
• 发表时间: 2022-12
• 期刊: 38th Annual Computer Security Applications Conference
• 作者: Inam, Muhammad Adil;Goyal, Akul;Liu, Jason;Mink, Jaron;Michael, Noor;Gaur, Sneha;Bates, Adam;Hassan, Wajih Ul
• 通讯作者: Hassan, Wajih Ul

Validating the Integrity of Audit Logs Against Execution Repartitioning Attacks

验证审核日志的完整性以防止执行重新分区攻击

• DOI: 10.1145/3460120.3484551
• 发表时间: 2021-11
• 期刊: 2021 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Yagemann, Carter;Noureddine, Mohammad A.;Hassan, Wajih Ul;Chung, Simon;Bates, Adam;Lee, Wenke
• 通讯作者: Lee, Wenke

SoK: History is a Vast Early Warning System: Auditing the Provenance of System Intrusions

SoK：历史是一个巨大的预警系统：审计系统入侵的来源

• DOI: 10.1109/sp46215.2023.10179405
• 发表时间: 2023-05
• 期刊: 2023 IEEE Symposium on Security and Privacy (SP
• 作者: Inam, Muhammad Adil;Chen, Yinfang;Goyal, Akul;Liu, Jason;Mink, Jaron;Michael, Noor;Gaur, Sneha;Bates, Adam;Hassan, Wajih Ul
• 通讯作者: Hassan, Wajih Ul