Design/implementation of Policy and Specification Languages
Language-based techniques have formed the basis of much of our research in security. Of particular interest have been:
- Policy languages for expressing security policies at different levels;
- Domain-specific languages for specification-based and anomaly-based intrusion detection;
- Sound and efficient implementation of these languages.
Our research has developed policy languages and efficient enforcement techniques in the context of untrusted (and potentially malicious) code containment [9, 10, 17, 20], as well as in the context of detecting attacks on benign software [7, 14]. We have also developed new behavior specification languages and efficient runtime monitoring techniques for host-based and network intrusion detection [19, 21, 25, 26, 24].
An important focus of our security policy research is devising policy languages and/or security policies that are easy to specify and that compactly represent the relevant security concerns. Closely related to this effort is our research on synthesizing or inferring security policies [10, 11] by observing system behavior and/or by utilizing other sources of information.
Related Publications
- [1] A New Tag-Based Approach for Real-Time Detection of Advanced Cyber Attacks. PhD Dissertation (Stony Brook University), January 2022.
- [2] On the Effectiveness of Cyber-Attack Campaign Investigation with Reduced Audit Logs. Undergraduate (Honors) Thesis (Stony Brook University), January 2021.
- [3] Combating Dependence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics. IEEE Symposium on Security and Privacy (IEEE S&P), May 2020. (A 2-minute demo and the conference presentation are also available.)
- [4] HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows. IEEE Symposium on Security and Privacy (IEEE S&P), May 2019.
- [5] SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data. USENIX Security Symposium (USENIX Security), August 2017. (Talk.)
- [6] WebSheets: Web Applications for Non-Programmers. New Security Paradigms Workshop (NSPW), September 2015.
- [7] An Efficient Black-box Technique for Defeating Web Application Attacks. ISOC Network and Distributed Systems Symposium (NDSS), February 2009.
- [8] Fast Packet Classification for Snort. USENIX Large Installation System Administration Conference (LISA), November 2008.
- [9] Expanding Malware Defense by Securing Software Installations. Detection of Intrusions, Malware and Vulnerability Analysis (DIMVA), July 2008.
- [10] Practical Proactive Integrity Preservation: A Basis for Malware Defense. IEEE Symposium on Security and Privacy (IEEE S&P), May 2008.
- [11] Inferring Higher Level Policies from Firewall Rules. USENIX Large Installation System Administration Conference (LISA), November 2007.
- [12] A Framework for Building Privacy-Conscious Composite Web Services. IEEE International Conference on Web Services (ICWS), September 2006. (Application Services and Industry Track.)
- [13] On Supporting Active User Feedback in P3P. Secure Knowledge Management Workshop (SKM), September 2006.
- [14] Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. USENIX Security Symposium (USENIX Security), August 2006. (An earlier version appeared as Technical Report SECLAB-05-06, November 2005. It also supersedes Technical Report SECLAB-05-05, "A Unified Approach for Preventing Attacks Exploiting a Range of Software Vulnerabilities", August 2005, and Technical Report SECLAB-05-04, "Practical dynamic taint analysis for countering input validation attacks on web applications", May 2005.)
- [15] An Approach for Realizing Privacy-Preserving Web-Based Services (Poster). 14th International World Wide Web Conference (WWW), May 2005.
- [16] A Secure Composition Framework for Trustworthy Personal Information Assistants. IEEE International Conference on Integration of Knowledge Intensive Multi-Agent Systems (KIMAS), April 2005.
- [17] Model-Carrying Code: A Practical Approach for Safe Execution of Untrusted Applications. ACM Symposium on Operating Systems Principles (SOSP), October 2003.
- [18] An Approach for Secure Software Installation. USENIX Large Installation System Administration Conference (LISA), November 2002.
- [19] Specification-based Anomaly Detection: A New Approach for Detecting Network Intrusions. ACM Conference on Computer and Communications Security (CCS), October 2002.
- [20] Empowering Mobile Code Using Expressive Security Policies. New Security Paradigms Workshop (NSPW), September 2002.
- [21] Experiences with Specification Based Intrusion Detection System. Recent Advances in Intrusion Detection (RAID), October 2001.
- [22] Model-Carrying Code (MCC): A New Paradigm for Mobile-Code Security. New Security Paradigms Workshop (NSPW), September 2001.
- [23] Model-Based Analysis of Configuration Vulnerabilities. ACM CCS Workshop on Intrusion Detection Systems (WIDS), October 2000.
- [24] Building Survivable Systems: An Integrated Approach based on Intrusion Detection and Damage Containment. DISCEX, February 2000.
- [25] A High-Performance Network Intrusion Detection System. ACM Conference on Computer and Communications Security (CCS), November 1999.
- [26] Synthesizing Fast Intrusion Detection/Prevention Systems from High-Level Specifications. USENIX Security Symposium (USENIX Security), August 1999.
- [27] On Preventing Intrusions by Process Behavior Monitoring. USENIX Intrusion Detection Workshop, April 1999.