
Seminar announcement: APTShield: A Real-Time Situation-Aware Detection System for Remote Access Trojan in the APT Attacks

Published: 2017-11-11 10:00

    At the invitation of Professor Su Sen of the State Key Laboratory of Networking and Switching Technology, Professor Chen Yan of Northwestern University will give an academic talk at Beijing University of Posts and Telecommunications on November 13. All faculty and students are welcome to attend.

    

    Title: APTShield: A Real-Time Situation-Aware Detection System for Remote Access Trojan in the APT Attacks

    Speaker: Prof. Chen Yan (IEEE Fellow)

    Host: Associate Prof. Zou Shihong

    Time: Monday, November 13, 2017, 14:00-15:30

    Venue: Room 610, New Research Building

 

    Abstract:

    Advanced Persistent Threats (APTs) can cause significant damage to targeted entities such as governments and corporations, and are attracting increasing attention from both the scientific community and industry. Previous malware detection methods are not fine-grained or robust enough for the problem of APT detection. In this paper, we thwart an APT campaign by targeting one of its core components, the remote access trojan (RAT). To this end, we propose APTShield, a real-time, fine-grained and situation-aware detection system that detects a RAT by automatically recognizing its runtime behavior and identifying its discriminating characteristics.

    A RAT typically provides a set of tens of functionalities, and our study shows that each functionality has only a limited number of implementations at the system call level across different RATs. That is, execution traces corresponding to the same functionality in different RATs usually contain certain common and essential “malicious sections” that suffice to semantically define the functionality. We developed sequence alignment algorithms to automatically extract such common “malicious sections” from multiple per-functionality traces for each functionality, and derived behavior graphs that serve as a detector for that functionality. In addition, a RAT usually exhibits features that distinguish it from benign programs in order to achieve persistence and stealthiness. We developed greedy algorithms to learn those features and improve RAT detection accuracy. Finally, we performed a comprehensive evaluation of APTShield in terms of its detection capability, performance, and robustness to various evasion attacks. The results show that APTShield was able to recognize the malicious activities conducted by various RAT samples from multiple sources and achieve real-time detection with high detection accuracy and zero false positives. APTShield’s inherent situation awareness makes it a potentially powerful tool for assisting human security analysts in spotting suspicious processes in large volumes of audit log data and automatically generating fine-grained semantic information before further analysis and validation.
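    As an added illustration of the approach the abstract describes (not code from APTShield or its authors), the toy Python below aligns several constructed syscall traces of one RAT functionality, keeps their common section, and then checks an audit trace for that section as a subsequence. All traces and syscall names here are constructed samples, and pairwise LCS is a simplification of the paper's alignment algorithms.

```python
"""Toy per-functionality "malicious section" extraction and detection.
Traces below are constructed samples, not real RAT or audit data."""
from typing import Dict, List, Sequence


def lcs(a: Sequence[str], b: Sequence[str]) -> List[str]:
    """Longest common subsequence of two call sequences (classic DP)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    out, i, j = [], 0, 0
    while i < n and j < m:  # walk the table to recover one LCS
        if a[i] == b[j]:
            out.append(a[i]); i += 1; j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return out


def common_section(traces: List[Sequence[str]]) -> List[str]:
    """Fold pairwise alignment over all traces of one functionality."""
    section = list(traces[0])
    for t in traces[1:]:
        section = lcs(section, t)
    return section


def is_subsequence(section: Sequence[str], trace: Sequence[str]) -> bool:
    it = iter(trace)  # each `call in it` advances past the match
    return all(call in it for call in section)


def detect(audit: Sequence[str], detectors: Dict[str, List[str]], min_len: int = 3) -> List[str]:
    """Names of functionalities whose section appears in the audit trace."""
    return [n for n, s in detectors.items() if len(s) >= min_len and is_subsequence(s, audit)]


# Constructed per-functionality traces: three "samples" implementing each functionality.
SHELL_TRACES = [["socket", "connect", "dup2", "dup2", "execve"],
                ["socket", "connect", "fcntl", "dup2", "execve", "wait4"],
                ["mmap", "socket", "connect", "dup2", "dup2", "execve"]]
EXFIL_TRACES = [["openat", "read", "socket", "connect", "sendto", "close"],
                ["openat", "fstat", "read", "read", "socket", "connect", "sendto"],
                ["openat", "read", "mmap", "socket", "connect", "sendto"]]
# Constructed audit trace: benign file access followed by a reverse-shell-like pattern.
AUDIT_TRACE = ["execve", "brk", "mmap", "openat", "read", "close",
               "socket", "connect", "dup2", "dup2", "execve", "exit_group"]


def build_detectors() -> Dict[str, List[str]]:
    return {"remote_shell": common_section(SHELL_TRACES),
            "file_exfil": common_section(EXFIL_TRACES)}
```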

 

    About the speaker:

    Chen Yan received his Ph.D. in computer science from the University of California, Berkeley in 2003 and then joined the Department of Electrical Engineering and Computer Science at Northwestern University, where he rose to full professor. His main research areas are Internet security and network management/measurement. He received the U.S. Department of Energy Early CAREER Award in 2005, the U.S. Department of Defense (Air Force of Scientific Research) Young Investigator Award in 2007, and Microsoft Trustworthy Computing Awards in 2004 and 2005. In 2010-2011 he was invited by the School of Information at Tsinghua University as a Santander overseas visiting scholar. He is a distinguished professor at the College of Computer Science of Zhejiang University, where he founded and directs the Zhejiang University-Northwestern Joint Internet Security Technology Laboratory and the Zhejiang Provincial Mobile Terminal Security Laboratory. He was elected an IEEE Fellow in 2016.

    According to Google Scholar, his papers have been cited more than 10,000 times, with an H-index of 47. He holds 2 U.S. patents (with 6 more filed). His paper "Generic and Automatic Address Configuration for Data Center Networks" was a SIGCOMM 2010 best paper candidate and was invited for direct publication in ACM/IEEE ToN. He received the 2015 IEEE Communication and Networking (CNS) Best Paper Award. He has published more than 100 papers in top journals such as ACM/IEEE Transactions on Networking (ToN) and IEEE Transactions on Mobile Computing (TMC) and at top conferences such as SIGCOMM, IEEE Symposium on Security and Privacy (Oakland), USENIX NSDI, and NDSS. He serves as an associate editor of ACM/IEEE ToN and as technical program committee chair of several well-known international conferences, and was general chair of ACM CCS 2011. Since 2004 he has repeatedly served as a reviewer for the Information Science and Engineering division of the U.S. National Science Foundation, and as a reviewer for the SBIR and STTR programs of the U.S. Department of Energy (DOE) and the U.S. Air Force Office of Scientific Research (DOD).

    His research projects have been funded multiple times by the U.S. National Science Foundation and other agencies, and he has funded collaborative projects with Motorola, NEC, Huawei and other companies, with total project funding exceeding 12 million U.S. dollars. In 2013 he was invited to join the academic committee of the China Internet Enterprise Security Working Group, and in 2014 the steering committee of the China XCTF attack-and-defense competition.