Tutorial: System Monitoring for Security

ABSTRACT: Intrusive multi-step attacks, such as Advanced Persistent Threat (APT) attacks, have plagued many well-protected businesses with significant financial losses. These advanced attacks are sophisticated and stealthy, and can remain undetected for years as individual attack steps may not be suspicious enough. To counter these advanced attacks, a recent trend is to leverage ubiquitous system monitoring for collecting the attack provenance for a long period of time and perform attack investigation for identifying risky system behaviors. In this tutorial, I first provide an introduction to popular techniques and tools of collecting system monitoring data, such as auditd, Sysinternals/ETW, and sysdig. I then describe how dependency analysis can be applied on the system monitoring data for attack investigation, and how to perform data reduction techniques to scale up the analysis to monitor more hosts. I will also present another technique that mines the patterns of the low-level system behaviors collected by system monitoring (e.g., a process reads a file) and uses these patterns to identify high-level software behaviors that security analysts are interested in (e.g., file compressions and ssh login). Finally, we discuss the current challenges of analyzing system monitoring data for security problems, concluding with future research directions.

Dr. Xusheng Xiao is an assistant professor of Electrical Engineering and Computer Science at Case Western Reserve University. He received his Ph. D. degree in Computer Science at North Carolina State University in 2014. He was a visiting student in Computer Science department of the University of Illinois at Urbana-Champaign in 2013-2014. His research interests are in software engineering and computer security, with the focus on making software applications and computer systems more reliable and secure via program analysis, software testing, text analysis, and system monitoring. His research has been presented at top-tier venues such as ICSE, FSE, ISSTA, ASE, USENIX Security, CCS, and VLDB. His work in software testing received ICSE SRC Best Project Representing an Innovative Use of Microsoft Technology at ACM SRC Grand Final 2012. His work in mobile security was selected as one of the top ten finalists for CSAW Best Applied Security Paper Award 2015, and produced a static analysis tool that was deployed in TouchDevelop of Microsoft Research. He was a researcher at the computer security department of NEC Labs America, and the security intelligence solution built by his team won first place in the Town Life and Society Innovation Category at CEATEC Award.