Designing practical security systems via information flow analysis of log data

Liu, Jason

Permalink

https://hdl.handle.net/2142/129924 Copy

Description

Title

Designing practical security systems via information flow analysis of log data

Author(s)

Liu, Jason

Issue Date

2025-07-08

Director of Research (if dissertation) or Advisor (if thesis)

Bates, Adam

Doctoral Committee Chair(s)

Bates, Adam

Committee Member(s)

• Wang, Gang
• Xu, Tianyin
• Traynor, Patrick

Department of Study

Siebel School Comp & Data Sci

Discipline

Computer Science

Degree Granting Institution

University of Illinois Urbana-Champaign

Degree Name

Ph.D.

Degree Level

Dissertation

Keyword(s)

• cybersecurity
• information flow
• data provenance

Abstract

Security systems must fundamentally distinguish permissible behaviors from insecure, forbidden behaviors. At a system-wide level, this is achieved by defining allowable relationships between system subjects, such as users or services, and objects, such as files or sockets. However, security policies benefit greatly from knowledge of application-specific behaviors. For example, applications may define their own subjects, such as users in a web server, that are not visible at the system level. Processes can become compromised due to exploits, allowing attackers to execute code for their own purposes instead of the original program. Attacks may even involve processes that appear to be running the correct program on behalf of the correct user, but are nonetheless undesirable, such as compromises from phishing or other methods of credential theft. Overall, while security is often thought of in terms of application-specific behavior, program logic is not explicitly visible at the system level. In this dissertation, we make the key observation that although program logic is not visible at the system level, it is implicitly expressed through the information and control flows through processes that are visible. Therefore, by analyzing these information and control flows, we can design more accurate security systems that account for program-specific behavior. We explore three systems designed to leverage these flows. We design T-difc, an access control system that can transparently define application-specific policies at the system level without any additional instrumentation of programs. Next, using information and control flow analysis, we measure the variation and relationships between benign and attack program activity to contextualize the performance of state-of-the-art intrusion detection systems and explain why intrusion detection is still unsolved, contrary to their excellent evaluation results. Finally, we refine attack investigations to remove noise by heuristically using behaviors found through information and control flow analysis to ignore irrelevant flows. Our work demonstrates that information and control flow analysis is a viable method to infer program logic for practical security systems.

Graduation Semester

2025-08

Type of Resource

Thesis

Handle URL

https://hdl.handle.net/2142/129924

Copyright and License Information

Copyright 2025 Jason Liu

Owning Collections