Backtracking System Intrusions at Enterprise Scale

In a provenance-aware system, mechanisms gather and report metadata that describes the history of each data object being processed, allowing us to understand how objects came to exist in their present state. Excitingly, we can also use provenance to trace the actions of system intruders, enabling smarter and faster incident response. In this talk, I will describe our efforts to manage and analyze attack provenance in today's massive distributed environments. First, I will explain how grammar induction techniques can be applied to provenance graphs in order to eliminate redundancy in distributed logs and correlate events across a network. Next, I will share our recent results on combatting the problem of intrusion detection "alert fatigue" through a provenance-based triage technique. I will conclude by discussing some of the opportunities and challenges that are guiding our continued work in this space. By addressing key security and performance issues, this work is paving the way for the further proliferation of secure provenance capabilities.
Adam Bates is an Assistant Professor in the Computer Science Department at the University of Illinois at Urbana-Champaign. He received his PhD from the University of Florida, where he was advised by Professor Kevin Butler in the study of computer security and collaborated regularly with MIT Lincoln Laboratory. Adam has conducted research on a range of security topics including operating system design, network communications, and peripheral devices. He is best known for his work in the area of data provenance, where he investigates the construction and application of secure provenance-aware systems. He has received the NSF CISE Research Initiation Initiative award, NSF CAREER Award, and the ACM SIGSAC Dissertation runner-up.