Academic Talk | 2 February: Investigating Security Incidents with System Auditing

Posted by admin, 2023-01-30 19:14:53

School of Cyber Science and Technology, Zhejiang University

Academic Talk




Jun Zeng

National University of Singapore

Ph.D. candidate, School of Computing


Investigating Security Incidents with System Auditing and Analysis

Time: 15:00, Thursday, 2 February 2023

Platform: Tencent Meeting

Meeting ID: 355-959-336

Abstract

Security incidents in large enterprises have been on the rise globally. We have been witnessing cyber attacks with increasing sophistication and customization. In defense against advanced attacks, endpoint security solutions — e.g., Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) — are widely deployed in today’s production environments. These security solutions monitor system-level activities (e.g., system calls) on end hosts as audit logs, providing deep visibility into security incidents. Specifically, given a symptom of an attack, security analysts can investigate audit logs to understand how an attacker gains access to the victim’s systems and what damages are inflicted.

However, the usability of system auditing is limited in practical scenarios by three inherent challenges. First, as today's computing systems grow more complex and keep expanding, enterprise IT infrastructures typically generate a volume of audit data that can easily overwhelm security analysts. Second, audit log analysis depends heavily on human expertise, which makes it difficult to scale to enterprise-wide security solutions. Third, system auditing monitors system-call-level activities without fine-grained (e.g., instruction-level) information, which usually leads to the dependency explosion problem in attack investigations.

To address the challenges above, we propose building and reasoning about rich contexts from audit logs. First, we present Watson, a system that automatically abstracts high-level system behaviors from low-level audit logs. By providing a quantitative representation of behavior semantics, it clusters semantically similar behaviors and presents only the representatives for inspections. Next, we present a recommendation-guided cyber threat analysis system, called ShadeWatcher, which predicts potentially malicious system entity interactions. It enables threat detection based on historical contexts in audit logs, which mitigates the burden on security analysts. Finally, we present PalanTír, a practical attack investigation system that integrates instruction-level provenance into system auditing to reduce the search space in attack scenario reconstructions. Together, Watson, ShadeWatcher, and PalanTír provide an end-to-end framework that facilitates attack investigations on system auditing and analysis.
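To make the dependency explosion problem described above concrete, here is an added example (not from the talk, and not code from Watson, ShadeWatcher or PalanTír): a backward causality slice over a constructed audit log, first with system-call-level information only and then with the per-write data dependencies an instruction-level tracer would supply. The record format, the entity names and the `taint` annotation are assumptions made for this illustration.

```python
from collections import defaultdict, deque

# Constructed audit records (not real data): (ts, subject, op, object, taint).
# `taint` is the set of inputs that actually flowed into a write, standing in
# for the instruction-level data dependency a fine-grained tracer would record;
# None means only system-call-level information is available.
RECORDS = [
    (1, "bash", "exec", "curl", None),
    (2, "curl", "recv", "net:remote-host", None),
    (3, "curl", "write", "/tmp/drop", {"net:remote-host"}),
    (4, "svc", "read", "/var/log/app.log", None),       # unrelated input
    (5, "svc", "read", "/etc/svc.conf", None),          # unrelated input
    (6, "svc", "read", "/tmp/drop", None),
    (7, "svc", "write", "/etc/cron.d/job", {"/tmp/drop"}),  # the symptom
]

def build_inflows(records):
    """Map each entity to the (source, ts, op, taint) edges that flow into it."""
    inflows = defaultdict(list)
    for ts, subj, op, obj, taint in records:
        if op in ("read", "recv"):      # data flows object -> subject
            inflows[subj].append((obj, ts, op, None))
        else:                           # write/exec: subject -> object
            inflows[obj].append((subj, ts, op, taint))
    return inflows

def backward_slice(records, symptom, t_sym, fine_grained=False):
    """Entities the symptom causally depends on. Coarse mode follows every
    inflow that precedes the event (system-call causality); fine mode prunes
    data inflows to the recorded taint set but always keeps exec (control) edges."""
    inflows = build_inflows(records)
    seen = {}                           # entity -> latest time it was reached
    work = deque([(symptom, t_sym, None)])
    while work:
        node, t, allowed = work.popleft()
        for src, ts, op, taint in inflows.get(node, []):
            if ts > t:
                continue                # happened after the event; cannot be a cause
            if allowed is not None and op != "exec" and src not in allowed:
                continue                # fine-grained provenance rules this input out
            if src not in seen or seen[src] < ts:
                seen[src] = ts
                work.append((src, ts, taint if fine_grained else None))
    return set(seen)

if __name__ == "__main__":
    print("coarse:", sorted(backward_slice(RECORDS, "/etc/cron.d/job", 7)))
    print("fine:  ", sorted(backward_slice(RECORDS, "/etc/cron.d/job", 7, True)))
```

The coarse slice pulls in every file the long-running `svc` process read before the symptom, while the fine-grained slice keeps only the chain that actually carried data into the written file.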


Speaker

Jun Zeng is a Ph.D. candidate in the School of Computing at the National University of Singapore (NUS). His research interests lie at the intersection of system auditing, program analysis, and recommendation systems. His research results are published in top cybersecurity and software engineering conferences, such as Oakland, CCS, NDSS, USENIX Security, ICSE, and ISSTA. He is a recipient of the Dean's Graduate Research Excellence and Research Achievement Award at NUS.


Originally published on the WeChat official account 浙大网安: Academic Talk | 2 February: Investigating Security Incidents with System Auditing

Reposted by CN-SEC (please keep this link when reproducing; thanks to the original author): https://cn-sec.com/archives/1529415.html
