This post is also available in: עברית (Hebrew)
Researchers from the College of Computing at the Georgia Institute of Technology were awarded $4.2 million from the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) to improve how data is tracked between computers, Internet hosts, and browsers for better cyber security.
Georgia Tech notes that the four-year project, titled “THEIA” after the Greek goddess of shining light, attempts to shed light on exactly where data moves as it is routed from one Internet host to another and whether any malicious code, for example, is attached to data during transfer.
“The project has wide implications for any industry and anyone who needs to send secure information, make sure it is not manipulated during transfer, and that it arrives securely intact — but especially for those banking, shopping or trading online,” says Dr. Wenke Lee, primary investigator and professor in the College of Computing. “If we have the ability to fully track how data is processed until it reaches the intended recipient, then we can better detect and stop advanced persistent threats (APT).”
For example, currently it is not possible for a network intrusion detection system to determine whether data sent from an end-host was modified by a malicious browser extension after a user completed a web form. State-of-the-art information flow tracking today typically applies only to a single layer (such as the program level), or does not utilize the full semantics at all layers (to verify if input was entered by the original user, for example).
According to HomeLand Security News Wire THEIA will track and record information at three layers: user interaction with a program, program processing of data input, and program and network interactions with an operating system. Together, THEIA will monitor secure data flow from user to program, from program to file system storage, and storage to network output, and back again. Such completeness is critical to APT detection.
“Our ultimate goal is to provide complete transparency, or full visibility, into host events and data so that APT activities cannot evade detection,” Lee says. “THEIA represents what could be a significant advance over state-of-the-art approaches, which typically are forced to make arbitrary trade-offs between verifying accuracy and maintaining total computational efficiency.”
THEIA would make no such compromise. THEIA will record the sufficient amount of data at runtime, replay and analyze recorded events in semi-real-time when suspicious alerts are triggered, or analyze data completely offline.