CS Researchers' Paper on APT Defense Won NDSS'16 Distinguished Paper Award

03-08-2016
Writer(s): Staff Reports

Researchers from the Purdue Computer Science Department won the Distinguished Paper Award at the Network and Distributed System Security Symposium 2016 (NDSS'16), a top-tier cybersecurity conference held in San Diego last month (Feb. 21 - 24).

The paper, "ProTracer: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting", was co-authored by Ph.D. student Shiqing Ma with his advisors, Professors Xiangyu Zhang and Dongyan Xu. It was one of only four papers sharing the award among the 60 papers accepted from 389 submissions.

The paper presents the authors' new provenance tracing system, ProTracer, which collects the lineage of system data at the operating system (OS) level and enables system administrators and attack investigators to understand the root cause of an advanced persistent threat (APT) attack, which may have occurred long ago, or to determine the ramifications of the APT attack for possible recovery. Traditional provenance tracing approaches suffer from many problems, including but not limited to high run-time overhead, high storage overhead, and the "dependency explosion" problem in log analytics.

ProTracer re-designs the OS-level audit tracing architecture, leverages cutting-edge program analysis methods, and employs a novel online event processing mechanism. In particular, by performing system-level logging and tainting in an alternating fashion, ProTracer overcomes the limitations of logging and tainting techniques (when applied alone) while leveraging their respective advantages.

The team's current research in APT attack prevention, detection, forensics, and recovery has been supported in part by the Defense Advanced Research Projects Agency (DARPA), National Science Foundation (NSF), Office of Naval Research (ONR), and Cisco Systems. In particular, they are part of DARPA's Transparent Computing Program, which aims at making system/network component operations and interactions more transparent for better defense against advanced, stealthy cyberattacks such as APTs.