Vote for this team on Twitter before April 12 at 6 p.m., using the hashtag #cyberfinaleteam2. Votes count toward the $2,000 "People's Choice" award.
"RAIN: Refinable Attack Investigation with On-demand Inter-process Information Flow Tracking"
Yang Ji, with Evan Downing, Mattia Fazzini, Sangho Lee and Weiren Wang
School of Computer Science
As modern attacks become more stealthy and persistent, detecting or preventing them at their early stages becomes virtually impossible. Instead, an attack investigation or provenance system aims to continuously monitor and log interesting system events with minimal overhead. Later, if the system observes any anomalous behavior, it analyzes the log to identify who initiated the attack, which resources were affected by the attack, and how to recover from any damage incurred. We propose RAIN, a Refinable Attack INvestigation system based on a record-replay technology that records system-call events during runtime and performs instruction-level dynamic information flow tracking (DIFT) during on-demand process replay. Instead of replaying every process with DIFT, RAIN conducts system-call-level reachability analysis to filter out unrelated processes and minimize the number of processes to be replayed, making inter-process DIFT feasible. Evaluation results show that RAIN effectively prunes out unrelated processes and determines attack causality with negligible false positive rates. In addition, the runtime overhead of RAIN is similar to existing system-call-level provenance systems and its analysis overhead is much smaller than full-system DIFT.
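The system-call-level reachability analysis the abstract describes, as an added illustration rather than RAIN's own code: a constructed audit log (pids, file paths and ordering are all made up) is turned into a provenance graph, walked backward from the tampered object and forward from the processes found that way, and only the processes on those paths are kept for the expensive instruction-level DIFT replay.

```python
from collections import defaultdict
# Constructed audit log (not from the paper), in time order: (pid, syscall, object).
# 'read' adds an edge object->pid, 'write' pid->object, 'spawn' parent->child pid.
LOG = [
    (100, "read", "/tmp/dropper.sh"),         # shell runs a dropped script
    (100, "spawn", 101),
    (101, "read", "/home/user/.ssh/id_rsa"),
    (101, "write", "/etc/passwd"),            # the tampering the analyst noticed
    (101, "write", "/tmp/exfil.tar"),
    (200, "read", "/var/log/syslog"),         # unrelated log rotation
    (200, "write", "/var/log/syslog.1"),
    (300, "read", "/etc/passwd"),             # later login reads the tainted file
    (300, "write", "/var/log/auth.log"),
]

def build_graph(log):
    """Return (in_edges, out_edges): node -> list of (neighbour, event_index)."""
    in_e, out_e = defaultdict(list), defaultdict(list)
    for t, (pid, call, obj) in enumerate(log):
        src, dst = (obj, pid) if call == "read" else (pid, obj)
        out_e[src].append((dst, t))
        in_e[dst].append((src, t))
    return in_e, out_e

def reach(edges, start, t0, backward):
    """Time-respecting reachability: backward walks follow only edges no later than
    the step we arrived on, forward walks only edges no earlier than it."""
    best, stack = {start: t0}, [(start, t0)]
    while stack:
        node, t = stack.pop()
        for nxt, te in edges[node]:
            if (te > t) if backward else (te < t):
                continue  # edge violates causal ordering
            if nxt in best and ((best[nxt] >= te) if backward else (best[nxt] <= te)):
                continue  # already reached with a bound at least as loose
            best[nxt] = te
            stack.append((nxt, te))
    return set(best)

def processes_to_replay(log, detection_point):
    """Pids that need instruction-level DIFT replay, and the pids pruned out."""
    in_e, out_e = build_graph(log)
    # Backward: which processes could have influenced the detection point?
    causes = {n for n in reach(in_e, detection_point, len(log), True) if isinstance(n, int)}
    # Forward (conservatively from t=0): what else did those processes affect?
    affected = {n for pid in causes for n in reach(out_e, pid, 0, False) if isinstance(n, int)}
    replay = causes | affected
    return replay, {pid for pid, _, _ in log} - replay
```

On this log the backward walk from `/etc/passwd` reaches pids 100 and 101, the forward walk adds 300 (it read the tainted file afterwards), and 200 is pruned without ever being replayed.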
About the Students
Yang Ji: Linkedin
Research Paper: https://dl.acm.org/citation.cfm?id=3133956.3134045
ACM Conference on Computer and Communications Security (CCS 2017): https://www.youtube.com/watch?v=lJVOn-V2mE0