I-Corps: Translation potential of using provenance-based threat detection for improving cybersecurity

I-Corps：使用基于来源的威胁检测来提高网络安全的转化潜力

• 批准号: 2424261
• 负责人: Adam Bates
• 金额: $ 5万
• 依托单位: University of Illinois at Urbana-Champaign
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2024
• 资助国家: 美国
• 起止时间: 2024-04-15 至 2025-03-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2424261&HistoricalAwards=false
• 关键词: Corps; Translation; potential; using; provenance

The broader impact of this I-Corps project is the development of technology for securing computer workstations and servers from attack. The approach based on the historical record that traces data from its original source to its current location (called data provenance analysis). Securing endpoint computers is a vital component of enterprise security. Current solutions adopt a strategy for detecting attacks by comparing endpoint activity to a set of detection rules that describe common attack behaviors. However, this is an error prone practice, leading to large volumes of false alerts while failing to detect sophisticated attacks. In addition, the maintenance requirements of investigating these false alerts pose a formidable challenge within smaller to medium-sized businesses (SMBs), which lack the necessary security resources and personnel. This impediment is even more visible within SMBs housing sensitive user data, where a security breach can have profound and enduring financial and societal consequences. This technology may be used to establish data provenance analysis as a more precise and practical means of detecting attacks on endpoints. In addition, this solution may save U.S. companies millions of dollars by thwarting attacks that could have otherwise resulted in the compromise of customer data.This I-Corps project utilizes experiential learning coupled with a first-hand investigation of the industry ecosystem to assess the translation potential of the technology. The solution is based on the development of analysis of data provenance to ensure cyber security. Data provenance techniques incrementally parse individual endpoint events (e.g., process executions and file accesses) into a causal dependency graph that describes the history of system execution. The graphical representation of endpoint activity highlights the relationships between objects, making it easier to identify suspicious activities. A key finding of this research is a method of overcoming the inherent architectural limitations in the machine learning models used to analyze data provenance graphs. Leveraging this method, a model was trained that comprehensively captures the typical behavior of programs by associating them with their full historical context. Attacks are detected by comparing suspicious programs to the models’ expectations of each program’s behavior, which is informed by the programs’ provenance. This approach significantly reduces the occurrence of false alerts when compared to current endpoint security solutions, while also eliminating the need for frequent system tuning such as the adding and removing of detection rules.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

该 I-Corps 项目的更广泛影响是开发保护计算机工作站和服务器免受攻击的技术，该方法基于从原始来源跟踪数据到当前位置的数据（称为数据来源分析）。计算机是企业安全的重要组成部分。当前的解决方案采用一种通过将端点活动与描述常见攻击行为的检测规则进行比较来检测攻击的策略，但是，这是一种容易出错的做法，会导致大量错误警报。无法检测复杂的攻击。此外，调查这些虚假警报的维护要求对中小型企业 (SMB) 构成了巨大的挑战，因为这些企业缺乏必要的安全资源和人员，这种障碍在存储敏感用户数据的中小型企业中更为明显。安全漏洞可能会产生深远而持久的财务和社会后果。该技术可用于建立数据来源分析，作为检测端点攻击的更精确和实用的方法。此外，该解决方案还可以为美国公司节省数百万美元。阻止可能导致客户项目数据泄露的攻击。该 I-Corps 利用体验式学习以及对行业生态系统的第一手调查来评估该技术的翻译潜力。该解决方案基于以下技术的开发。数据来源分析以确保网络安全。数据来源技术逐步将各个端点事件（例如进程执行和文件访问）解析为描述系统执行历史的因果依赖图。端点活动的图形表示突出了之间的关系。这项研究的一个重要发现是克服用于分析数据来源图的机器学习模型的固有架构限制的方法，利用该方法训练了一个全面捕获典型活动的模型。通过将可疑程序与模型对每个程序行为的预期进行比较来检测程序的行为，与此方法相比，这种方法显着减少了错误警报的发生率。当前端点该奖项反映了 NSF 的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。