    Tagging and Tracking of Multi-level Host Events for Transparent Computing

    View/Open
    fazzini.mp4 (461.6Mb)
    fazzini_videostream.html (962bytes)
    Date
    2017-02-24
    Author
    Fazzini, Mattia
    Abstract
    Advanced persistent threats (APTs) are characterized by their ability to render existing security mechanisms ineffective; for example, APT activities can blend in with normal user and program activities to blindside intrusion detection systems. APTs can evade security protection because existing mechanisms lack sufficient visibility into user, program and operating system activities to ascertain the authenticity of an activity and the provenance of its data. For example, it is not possible for a network intrusion detection system to determine that data sent from an end-host has been modified by a malicious browser extension after a user had entered the data on a web form. On the other hand, if we have full tracking of how data is processed by the browser, intuitively, we can detect such an APT activity. In this talk, I will present THEIA, a system for tagging and tracking of multi-level host events and data for security analysis such as APT detection. THEIA is a system based on full-system record and replay and fine-grained dynamic information-flow analysis. THEIA is able to track data provenance from user input to program internal representation, and to filesystem storage and network output, and likewise, from network or filesystem to program internals, and to user interface. THEIA achieves both high accuracy and high efficiency by recording just a sufficient amount of data at runtime, instead of coupling computation-heavy tag analyses to the system’s execution, and by performing thorough analysis while replaying the recorded events. We evaluated THEIA in the context of the Transparent Computing program and observed that it achieves high accuracy while incurring low runtime overhead.
    URI
    http://hdl.handle.net/1853/56510
    Collections
    • Institute for Information Security & Privacy Cybersecurity Lecture Series [149]
