
Building Infrastructure Support for Organizational Security: An Approach to Network Monitoring, Threat Detection, and Incident Response


This dissertation addresses the escalating cyber threats that organizations face by introducing novel systems that support key aspects of an organization's overall security posture. First, we examine network monitoring as a means of enhancing an organization's visibility and control. We propose a system that leverages network agents on user endpoints to manage each host's flow-forwarding path, allowing flexible monitoring strategies to be adapted to various organizational requirements. Additionally, a collaborative network flow reporting mechanism is integrated, strengthening the robustness of monitoring by identifying evasive or false flow information reported by endpoints. The second part of the dissertation addresses threat prevention within web applications. An isolation-based methodology using containers is proposed, creating Single-Use Servers for individual user interactions within web applications. This architecture not only clarifies user activity but also effectively mitigates confused deputy attacks. Further, we develop a context-aware system call filtering approach that offers nuanced and accurate modeling of web applications at the system level, enhancing threat detection and modeling. Finally, the dissertation addresses vulnerability localization, a key factor in accelerating incident response. We develop a log trace pruning and visualization system for web applications, enabling swift and targeted incident analysis. We further characterize vulnerability localization through a set of supporting subtasks, each represented by a prototype interface. To assess the user interaction complexity of these interfaces, we employ the Keystroke-Level Model (KLM), providing a quantitative evaluation of the system's usability and efficiency.

Identifier
  • etd-120915
Year
  • 2024
Date created
  • 2024-04-08
Source
  • etd-120915

Permanent link to this page: https://digital.wpi.edu/show/df65vd08m