EECS500 Spring 2018 Department Colloquium

Yonghwi Kwon
Combatting Advanced Persistent Threats via Causality Inference and Input Perturbation
Purdue University
Glennan 313
2:00-3:00 PM
March 7, 2018
An Advanced Persistent Threat (APT) is a class of attack that targets a specific organization and compromises its systems over a long period without being detected. Over the years we have seen notorious examples of APTs, including the attack on Iranian nuclear centrifuges, data breaches affecting millions of users, and attacks with political consequences. Investigating an APT is challenging because it unfolds over an extended period of time and the attack process is highly sophisticated and stealthy. Preventing APTs is also particularly difficult because of the ever-expanding set of attack vectors.
In this talk, I will first present my work on the challenges of attack investigation. Specifically, I will present LDX, which conducts precise counter-factual causality inference to determine dependencies between system calls (e.g., between input and output system calls), allowing investigators to identify the origin of an attack (e.g., receipt of a spam email), the path along which the attack propagated, and its consequences. LDX is four times more accurate and two orders of magnitude faster than state-of-the-art taint analysis techniques. Building on LDX, I will present MCI, a practical model-based causality inference system that achieves precise and accurate causality inference without requiring any modification or instrumentation of end-user systems.
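The counter-factual idea behind the causality inference described above can be seen in miniature. The following is an editor's illustrative example, not LDX, MCI, or any code by the speaker: a program is modelled as a function from named inputs (stand-ins for input system calls such as a network read) to named outputs (stand-ins for output system calls such as a file write); one input is perturbed at a time while the others are held fixed, and an output that changes is recorded as depending on that input. The program, the channel names (`mail`, `cfg`, `log`, `disk`, `status`) and the sample input are all constructed for this example. A crude explicit-data-flow tracker is included only to show the control-dependent flow that such an approach misses and the counterfactual approach catches.

```python
"""Toy counter-factual causality inference over a program's inputs and outputs.

Editor's illustrative example; not LDX, MCI, or code by the speaker.
"""
from typing import Callable, Dict, Iterator, Set

Inputs = Dict[str, bytes]
Outputs = Dict[str, bytes]
Program = Callable[[Inputs], Outputs]


def toy_program(inp: Inputs) -> Outputs:
    """Constructed target program. The channel names 'mail', 'cfg', 'log',
    'disk' and 'status' are assumptions of this example, not a real system."""
    mail, cfg = inp["mail"], inp["cfg"]
    out: Outputs = {}
    # Explicit data flow: the log echoes the mail body verbatim.
    out["log"] = b"received: " + mail
    # Implicit (control) flow: the mail content decides what is written to
    # disk, but no byte of the mail is copied into that write.
    out["disk"] = b"wrote attachment.bin" if b"attachment" in mail else b"no attachment"
    # Depends on the config value only.
    out["status"] = b"mode=" + cfg
    return out


# Constructed sample input: a mail body carrying an attachment, plus a config value.
SAMPLE_INPUTS: Inputs = {"mail": b"hello attachment", "cfg": b"strict"}


def mutations(value: bytes) -> Iterator[bytes]:
    """Deterministic counterfactual variants of an input: every single byte
    flipped, plus the empty value and the value truncated to half its length."""
    for i in range(len(value)):
        yield value[:i] + bytes([value[i] ^ 0xFF]) + value[i + 1:]
    yield b""
    yield value[: len(value) // 2]


def infer_causality(program: Program, inputs: Inputs) -> Dict[str, Set[str]]:
    """For each input, the set of outputs whose value changes under at least one
    counterfactual mutation of that input, with all other inputs held fixed."""
    baseline = program(inputs)
    deps: Dict[str, Set[str]] = {name: set() for name in inputs}
    for name, value in inputs.items():
        for variant in mutations(value):
            alt = dict(inputs)
            alt[name] = variant
            result = program(alt)
            for out_name in set(baseline) | set(result):
                if baseline.get(out_name) != result.get(out_name):
                    deps[name].add(out_name)
    return deps


def explicit_flow_deps(program: Program, inputs: Inputs) -> Dict[str, Set[str]]:
    """Crude stand-in for explicit-data-flow taint tracking: an output counts as
    tainted by an input only if the input bytes appear verbatim in that output."""
    outputs = program(inputs)
    return {
        name: {o for o, data in outputs.items() if value and value in data}
        for name, value in inputs.items()
    }


def origins(deps: Dict[str, Set[str]], output_name: str) -> Set[str]:
    """Investigation step: given a suspicious output (e.g. the disk write), walk
    the inferred dependencies back to the inputs that caused it."""
    return {name for name, outs in deps.items() if output_name in outs}


if __name__ == "__main__":
    deps = infer_causality(toy_program, SAMPLE_INPUTS)
    print("counterfactual:", deps)  # mail -> {log, disk}, cfg -> {status}
    print("explicit flow: ", explicit_flow_deps(toy_program, SAMPLE_INPUTS))  # mail -> {log}
    print("origin of 'disk' write:", origins(deps, "disk"))  # {'mail'}
```

The disk write carries no bytes of the mail, so the explicit-flow stand-in never links them, while perturbing the mail and rerunning exposes the dependency directly; the same backward walk from a suspicious output to its causal inputs is what lets an investigator land on "receipt of a spam email" as the origin. The real systems in the talk work on system-call traces of unmodified binaries, which this toy does not attempt.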
Second, I will show a general protection system against a wide spectrum of attack vectors and methods. Specifically, I will present A2C, which prevents a wide range of attacks by randomizing inputs so that any malicious payload contained in them is corrupted. The protection provided by A2C is both general (effective against various attack vectors) and practical (7% runtime overhead). I will conclude the talk by discussing my future vision of enabling precise causality inference on emerging IoT devices, in virtualized environments, and in AI-based systems.

Yonghwi Kwon is a Ph.D. candidate in the Department of Computer Science at Purdue University, advised by Prof. Xiangyu Zhang and Prof. Dongyan Xu. He is broadly interested in solving system security problems via program analysis, with a special focus on attack investigation, software exploit prevention, cross-platform binary analysis, and reverse engineering. He has been honored with the ASE Best Paper Award (2013), the ACM SIGSOFT Distinguished Paper Award (2013), and the Maurice H. Halstead Memorial Award (2017).