상세정보
Export to Refworks부가기능
Effective and Efficient Forensic Analysis via System Monitoring
상세 프로파일
| 자료유형 | 학위논문 |
|---|---|
| 서명/저자사항 | Effective and Efficient Forensic Analysis via System Monitoring. |
| 개인저자 | Gao, Peng. |
| 단체저자명 | Princeton University. Electrical Engineering. |
| 발행사항 | [S.l.]: Princeton University., 2019. |
| 발행사항 | Ann Arbor: ProQuest Dissertations & Theses, 2019. |
| 형태사항 | 167 p. |
| 기본자료 저록 | Dissertations Abstracts International 81-03A. Dissertation Abstract International |
| ISBN | 9781085634700 |
| 학위논문주기 | Thesis (Ph.D.)--Princeton University, 2019. |
| 일반주기 |
Source: Dissertations Abstracts International, Volume: 81-03, Section: A.
Advisor: Mittal, Prateek |
| 이용제한사항 | This item must not be sold to any third party vendors. |
| 요약 | Advanced Persistent Threat (APT) attacks and data breaches are sophisticated and stealthy, plaguing many well-protected businesses (e.g., Target, Yahoo, Home Depot, eBay, Equifax, Marriott, etc.) with significant losses. To counter these advanced attacks, approaches based on ubiquitous system monitoring have emerged as an important solution for monitoring system activities from enterprise hosts and performing forensic analysis. System monitoring audits system calls at the kernel level to collect information about system activities, providing a global view of interactions among applications and system resources. Collection of system monitoring data enables security analysts to identify the root causes and the ramifications of attacks (i.e., attack investigation) and to detect the abnormal behaviors of attacks (i.e., attack detection). However, the daunting amount of system monitoring data and the complexity of advanced attacks pose significant challenges for designing solutions for effective and efficient forensic analysis.In this thesis, we propose novel approaches for effective and efficient forensic analysis (attack investigation and attack detection) via system monitoring. First, we propose AIQL, a system that enables efficient post-mortem attack investigation via querying the historical system monitoring data. Second, we propose SAQL, a system that enables real-time abnormal system behavior detection via querying the stream of system monitoring data. Both AIQL and SAQL provide (1) domain-specific languages that uniquely integrate critical primitives for easily incorporating the domain knowledge of security experts to express a wide range of attack behaviors, and (2) query execution engines that employ novel optimizations based on the domain-specific characteristics of the system monitoring data and the semantics of the query for efficient query execution. Finally, we propose SysRep, a system that facilitates automatic attack investigation via (1) propagating reputation from seed sources (can be trusted or suspicious) along system dependency paths to infer the reputation of POI (point of interest) entities (e.g., files, network sockets), and (2) automatically reconstructing the attack sequence from POI entities. Together, AIQL, SAQL, and SysRep work seamlessly for effective and efficient forensic analysis of APT attacks. |
| 일반주제명 | Computer science. Forensic anthropology. |
| 언어 | 영어 |
| 바로가기 | 
: 이 자료의 원문은 한국교육학술정보원에서 제공합니다. |
