Building a provenance-based intrusion detection system
Provenance is the representation of a system execution as a directed acyclic graph. Whole-system provenance graphs, representing the execution of an entire system from initialisation to shut down, can be comprised of millions of graph elements. In this talk, I will present my work on the development of a provenance-based intrusion detection system. I will discuss the development of the stack from the kernel-level capture mechanism to the algorithm used to perform intrusion detection. Finally, I will discuss planned future work and areas of potential collaborations.
Thomas Pasquier is a Lecturer at the University of Bristol in the Department of Computer Science and a visiting scholar at the University of Cambridge's Department of Computer Science and Technology. His research interests cover the general area of information flow tracking and its practical applications ranging from security to reproducibility. Thomas is also a member of the Microsoft Cloud Computing Research Centre (http://www.mccrc.org/) where he explores topics at the intersection of law and computer science.