Efficient and Secure Approaches to Investigating System Intrusions

April 1, 2021

3:00-4:00 pm EST

Sococo Halligan 102, Zoom

Speaker: Adam Bates, University of Illinois at Urbana-Champaign

Host: Dan Votipka

Abstract

Auditing is a central pillar of system security, allowing us to gather and analyze event logs that describe the history of system execution. Excitingly, we can use these logs to trace the actions of intruders, enabling smarter and faster incident response. In this talk, I will describe our efforts to analyze and secure system logs in large complex organizations. First, I will share our recent results on combating the problem of threat detection “alert fatigue” through a novel triage technique that analyzes provenance graphs extracted from audit logs. Next, I will demonstrate how we can protect these audit logs from adversarial tampering through the introduction of high-throughput tamper-evident logging mechanisms; notably, our secure logging solution can assure the integrity of log events before they even reach the disk! I will conclude by discussing some of the opportunities and challenges that are guiding our continued work in this space. By addressing key performance and security issues, this work is paving the way for the further proliferation of advanced threat hunting capabilities.

Bio:

Adam Bates is an Assistant Professor in the Computer Science Department at the University of Illinois at Urbana-Champaign. He received his PhD from the University of Florida, where he was advised by Professor Kevin Butler in the study of computer security and collaborated regularly with MIT Lincoln Laboratory. Adam has conducted research on a range of security topics including operating system design, network communications, and peripheral devices. He is best known for his work in the area of data provenance, where he investigates the construction and application of secure threat detection and investigation tools. He is a recipient of the NSF CISE Research Initiation Initiative award, NSF CAREER Award, and was the 2017 ACM SIGSAC Dissertation Award runner-up.

Join the meeting in Sococo, VH 102, or Zoom.

Join Zoom Meeting: https://tufts.zoom.us/j/98610939077

PASSWORD: See colloquia email

Dial by your location: +1 646 558 8656 US (New York)

Meeting ID: 986 1093 9077

PASSCODE: See colloquia email