Thomas Pasquier, Xueyuan Han, Thomas Moyer, Adam Bates, Olivier Hermant, David Eyers, Jean Bacon, and Margo Seltzer. 10/19/2018. “
Runtime Analysis of Whole-System Provenance.” In Conference on Computer and Communications Security. Toronto, Canada: ACM.
Publisher's VersionAbstractIdentifying the root cause and impact of a system intrusion remains a foundational challenge in computer security. Digital provenance provides a detailed history of the flow of information within a computing system, connecting suspicious events to their root causes. Although existing provenance-based auditing techniques provide value in forensic analysis, they assume that such analysis takes place only retrospectively. Such post-hoc analysis is insufficient for realtime security applications; moreover, even for forensic tasks, prior provenance collection systems exhibited poor performance and scalability, jeopardizing the timeliness of query responses.
We present CamQuery, which provides inline, realtime provenance analysis, making it suitable for implementing security applications. CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications. We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance. In evaluation, we demonstrate that CamQuery reduces the latency of realtime query mechanisms by at least 89%, while imposing minimal overheads on system execution. CamQuery thus enables the further deployment of provenance-based technologies to address central challenges in computer security.
Xueyuan Han, Thomas Pasquier, and Margo Seltzer. 7/13/2018. “
Provenance-based Intrusion Detection: Opportunities and Challenges.” In Workshop on Theory and Practice of Provenance (TaPP'18). London: USENIX.
Publisher's VersionAbstractAttackers constantly evade intrusion detection systems as new attack vectors sidestep their defense mechanisms. Provenance provides a detailed, structured history of the interactions of digital objects within a system. It is ideal for intrusion detection as it offers a holistic, attack-vector-agnostic view of system execution. We believe that graph analysis on provenance graphs fundamentally strengthens detection robustness. Towards this goal, we discuss opportunities and challenges associated with provenance-based intrusion detection and offer our insights based on our past experience.
Thomas Pasquier, Matthew K. Lau, Xueyuan Han, Elizabeth Fong, Barbara S. Lerner, Emery Boose, Mercè Crosas, Aaron Ellison, and Margo Seltzer. 7/2018. “
Sharing and Preserving Computational Analyses for Posterity with encapsulator.” Computing in Science and Engineering (CiSE).
Publisher's VersionAbstractOpen data and open-source software may be part of the solution to sciences reproducibility crisis, but they are insufficient to guarantee reproducibility. Requiring minimal end-user expertise, encapsulator creates a “time capsule” with reproducible code in a self-contained computational environment. encapsulator provides end-users with a fully-featured desktop environment for reproducible research.
Xueyuan Han. 4/23/2018. “
Using Provenance for Security and Interpretability.” EuroSys Doctoral Workshop (EuroDW'18).
Publisher's VersionAbstractSystem security is somewhat stymied because it is difficult, if not impossible, to design
system defenses that address the full complexity of a system's interaction. Interestingly, this
problem has parallels in understanding how machine learning (ML) algorithms make
predictions. Both of these problems require a structured, comprehensive understanding of
what a system/model is doing. My dissertation addresses these seemingly disparate
problems by exploiting data provenance, which provides just such a solution. I exploit
provenance both to design intrusion detection systems and to explain how ML algorithms
arrive at their predictions.