Thursday, March 9, 2006
4:15 pm
B17 Upson Hall

Computer Science
Spring 2006

Sam King
University of Michigan


Analyzing Intrusions Using Operating System Level Information Flow


Computers continue to get broken into, so intrusion analysis is a part of most system administrators' job description.  System administrators must answer two main questions when analyzing intrusions: "how did the attacker gain access to my system?", and "what did the attacker do after they broke in?".  Current tools for analyzing intrusions fall short because they have insufficient information to fully track the intrusion and because they cannot separate the actions of attackers from the actions of legitimate users.

This talk will focus on how system administrators can use information flow graphs to help analyze intrusions.  BackTracker is used to help answer the question "how did the attacker gain access to my system?".  BackTracker starts with a suspicious object (e.g., a malicious process or a trojaned executable file) and follows the attack back in time, using causal OS events, to highlight the sequence of events and objects that led to the suspicious state.  Showing an information flow graph of these causally-connected events and objects provides a system-wide view of the attack and significantly reduces the amount of data an administrator must examine in order to determine which application was originally exploited.  ForwardTracker helps answer the question "what did the attacker do after they broke in?".  ForwardTracker starts from the application which was exploited and tracks causal events forward in time to display the information flow graph of events and objects that result from the intrusion.  Finally, Bi-directional Distributed BackTracker (BDB) continues the backward and forward information flow graphs across the network to highlight the set of computers on a local network which are likely to have been compromised by the attacker.
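The backward and forward traversals described above, as an added illustration rather than BackTracker's or ForwardTracker's own code: each object carries a time threshold, so that only events that could causally have influenced it (backward) or been influenced by it (forward) are followed. The event log, object names and inclusive thresholds are constructed for this example.

```python
# Constructed OS-level event log: (time, source, dest) means the state of `source`
# at `time` flowed into `dest` (a fork/exec, a file write, or a file read).
EVENTS = [
    (0, "httpd", "/var/log/httpd"),      # ordinary logging before the break-in
    (1, "httpd", "sh"),                  # exploited web server spawns a shell
    (2, "sh", "wget"),                   # shell forks a downloader
    (3, "wget", "/tmp/rootkit.tgz"),     # downloader writes the archive
    (4, "/tmp/rootkit.tgz", "tar"),      # tar reads the archive
    (5, "tar", "/tmp/rk/install.sh"),    # tar extracts the installer
    (6, "/tmp/rk/install.sh", "sh2"),    # a second shell runs the installer
    (7, "sh2", "/bin/ls"),               # installer overwrites a system binary
    (8, "cron", "/var/log/cron"),        # unrelated legitimate activity
    (9, "cleanup", "/tmp/rootkit.tgz"),  # too late to have influenced tar at t=4
    (12, "/bin/ls", "ls_process"),       # trojaned binary executed after detection
]

def track(events, start, start_time, backward=True):
    """Map objects causally linked to `start` to their time thresholds.
    Backward (BackTracker) follows events into an object at or before its
    threshold and the source inherits the event time; forward (ForwardTracker)
    follows events out of an object at or after it and the destination inherits.
    """
    widen = max if backward else min
    thresholds, worklist = {start: start_time}, [start]
    while worklist:
        obj = worklist.pop()
        t = thresholds[obj]
        for when, src, dst in events:
            if backward and dst == obj and when <= t:
                nxt = src
            elif not backward and src == obj and when >= t:
                nxt = dst
            else:
                continue
            old = thresholds.get(nxt)
            new = when if old is None else widen(old, when)
            if new != old:            # first visit, or a wider causal window
                thresholds[nxt] = new
                worklist.append(nxt)
    return thresholds

def flow_graph(events, thresholds, backward=True):
    """Edges of the information flow graph: only events inside the causal windows."""
    if backward:
        return [e for e in events if e[2] in thresholds and e[0] <= thresholds[e[2]]]
    return [e for e in events if e[1] in thresholds and e[0] >= thresholds[e[1]]]

if __name__ == "__main__":
    back = track(EVENTS, "/bin/ls", 10)   # /bin/ls found trojaned at t=10
    print("backtrack:", sorted(back))     # the chain from /bin/ls back to httpd
    print("forward:", sorted(track(EVENTS, "httpd", back["httpd"], backward=False)))
```

Note that the time-9 write to /tmp/rootkit.tgz and the cron activity never enter the backward graph, and the pre-exploit log write never enters the forward graph; that pruning is what keeps the graph small enough for an administrator to read.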

Bio: Sam King is a PhD student in the CSE Division of the Department of Electrical Engineering and Computer Science at the University of Michigan at Ann Arbor and will be graduating in the summer of 2006. His research interests include experimental software systems, computer security, and operating systems.  His dissertation work focuses on computer forensics, and he has also explored various other topics while at Michigan including advanced malware defenses, intrusion detection, and debugging operating systems using time-traveling virtual machines.  Before arriving at Michigan, he received a BS from UCLA and an MS from Stanford University.  He also worked for two years as a software developer for an embedded systems company in Santa Clara, CA.  He is married (his wife's name is also Sam) and has a son, Eli.