Abstract
Today, the security posture of both organizations and personal computers suffers from numerous deficiencies caused by security defense tools that cannot keep up with the ever-changing nature of threats. Most of these problems arise from products designed to match known signatures, such as traditional antivirus products. Such systems focus on only a subset of the programs on a computer. The repeated exploitation of out-of-date software in major cyber-attacks is one example of why current tools do not adequately protect users.
This dissertation proposes a methodology to design observable and generalizable security monitoring paradigms that scale to today’s cyber-landscape challenges. Such systems avoid discrimination when choosing what components to monitor in a computing ecosystem, thus treating all the components alike.
We split the solutions along two main foci: observability of computing systems and generalizability of the solutions. Observability ensures that the ecosystem’s components can be observed through a common pathway. Generalizable solutions utilize that common pathway to garner information about all components within a system and build models that solve different problems. In DroidForensics, we propose a more observable execution monitoring framework for mobile operating systems and demonstrate that it can effectively collect logs from Android devices that are sufficient for forensic analysis of real-world attacks. We present FastPP, capable of log ingestion at a rate high enough to handle an enterprise network on a single core. We show that FastPP can be utilized toward efficient log transfer and preparation for further analysis. We design GrAALF to process hundreds of gigabytes of forensic logs efficiently. GrAALF enables backward-forward tracking of events and observations in the system. We evaluate GrAALF on multiple long traces to show its effectiveness.
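To make the backward-forward tracking that GrAALF performs over forensic logs concrete, here is an added example that is not part of the dissertation or of GrAALF's own code: a constructed set of audit records (process/file/socket events with a hypothetical log layout) is turned into a provenance graph, and a causality-aware traversal answers "what could have influenced this entity" (backward) and "what could this entity have influenced" (forward).

```python
from collections import defaultdict

# Constructed sample audit records (not from the dissertation): (time, subject, op, object).
EVENTS = [
    (1, "mail_client", "read", "/tmp/invoice.doc"),
    (2, "mail_client", "fork", "word"),
    (3, "word", "read", "/tmp/invoice.doc"),
    (4, "word", "write", "/tmp/dropper.exe"),
    (5, "word", "fork", "dropper.exe"),
    (6, "dropper.exe", "read", "/tmp/dropper.exe"),
    (7, "dropper.exe", "connect", "203.0.113.5:443"),  # documentation-range address
    (8, "dropper.exe", "write", "/etc/passwd"),
    (9, "editor", "read", "/etc/passwd"),
    (10, "backup", "write", "/var/backup.tar"),  # unrelated activity, must stay excluded
]

def build_graph(events):
    """Build forward and backward adjacency maps: node -> [(neighbour, time)]."""
    fwd, bwd = defaultdict(list), defaultdict(list)
    for t, subj, op, obj in events:
        # Information flows object -> subject on a read, subject -> object otherwise.
        src, dst = (obj, subj) if op == "read" else (subj, obj)
        fwd[src].append((dst, t))
        bwd[dst].append((src, t))
    return fwd, bwd

def _track(adj, start, t0, backward):
    """Causality-aware traversal: ancestors act at or before the time a node was
    reached, descendants at or after; a node is re-explored if a looser bound appears."""
    best = {start: t0}
    work = [(start, t0)]
    while work:
        node, t_reach = work.pop()
        for nxt, t in adj[node]:
            if (t <= t_reach) if backward else (t >= t_reach):
                if nxt not in best or (t > best[nxt] if backward else t < best[nxt]):
                    best[nxt] = t
                    work.append((nxt, t))
    best.pop(start, None)
    return set(best)

def backward_track(events, entity, at_time):
    """Every entity that could have influenced `entity` as of `at_time`."""
    _, bwd = build_graph(events)
    return _track(bwd, entity, at_time, backward=True)

def forward_track(events, entity, at_time):
    """Every entity that `entity` could have influenced from `at_time` onward."""
    fwd, _ = build_graph(events)
    return _track(fwd, entity, at_time, backward=False)
```

Backward tracking from the tampered `/etc/passwd` at time 8 recovers the whole chain back to the document opened by the mail client, while the unrelated backup job is never pulled in.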
We further present two use cases of generalized non-discriminatory models built by gathering behavioral information from an observable common pathway. FMS uses system logs to track program update releases at scale. FMS is the first system that tracks updates from all programs in an enterprise without the need for any third-party information. FMS also provides enterprise administrators with a view of the risk each computer imposes on their enterprise by delaying the installation of software updates. ChatterHub uses a smart home’s outgoing encrypted network traffic to track the activities of devices inside the home. ChatterHub shows that generalizable solutions can be effective even where there are encapsulating layers around the individual components. We show that ChatterHub can detect activities of smart devices with more than 85% F1 score in real-world setups.