--[ Provenance Tracking With Attack Graphs Using SysFlow

$ getent passwd tjaeger
├─ name: Trent Jaeger
└── org: Penn State University

Prof. Trent Jaeger (Penn State) and his co-instructors, Dr. Fred Araujo and Dr. Teryl Taylor (IBM Research), explore problems in systems and software security. Prof. Jaeger has over 25 years of experience in industrial and academic research, and has made many contributions to Linux kernel security. Dr. Araujo and Dr. Taylor are Research Scientists at IBM Research, where they co-lead the team's efforts on cloud-native security. They are active contributors to open source and maintainers of the SysFlow and CNCF Falco projects.


In this workshop, students will learn skills to detect complex, stealthy attacks by leveraging attack graphs built from known threats. We will provide students with hands-on experience of analyzing possible attacks using system provenance augmented by attack graphs using the SysFlow system. We will first introduce the students to SysFlow provenance tracking and analysis of attacks on hosts. We will then provide students with the experience of diagnosing more complex attacks using attack graphs to annotate provenance state with critical runtime information in SysFlow. Lastly, students will then learn how to analyze interprocess SysFlow provenance using attack graphs to detect stealthier attacks that span multiple processes.