[provenance-challenge] Workshop on Provenance-based Security and Transparent Computing at ProvenanceWeek 2016

James Cheney jcheney at inf.ed.ac.uk
Mon Apr 4 07:48:34 BST 2016


    Provenance-based Security and Transparent Computing
    A workshop inspired by the DARPA Transparent Computing program
    https://sites.google.com/site/pbstc2016/
    Part of Provenance Week, June 6, 2016, Washington DC.
    http://www2.mitre.org/public/provenance2016/

Transparent Computing is a DARPA research program aimed at using
provenance to improve the security of computer systems. Specifically,
the program aims to use pervasive provenance tracking for data and
threads of execution to understand causality in both individual
systems and networks of systems. As a practical use case and concrete
way to demonstrate effectiveness, the program aims to use that
causality to identify and combat advanced persistent threats (APTs)
against such systems. APTs are often undetectable by policy-based
monitoring or current event log analysis techniques for two key
reasons: they act slowly (over months at a time) to gain and persist
access to target system resources; and they are careful not to violate
either system security policies or user work patterns that would
betray their presence.

This workshop aims to provide a forum for discussing recent
developments in the Transparent Computing project and their
relationship to the broader field of provenance and security research.

== Background ==

Today, enterprise system and network behaviors are typically "opaque":
stakeholders lack the ability to assert causal linkages in running
code, except in very simple cases. At best, event logs and audit
trails can offer some partial information on temporally and spatially
localized events as seen from the viewpoint of individual
applications. Thus current techniques give operators little
system-wide situational awareness and no viewpoint informed by a
long-term perspective. A system- (or network-) wide, longer term view
of meaningful activities is important because certain emerging classes
of threats, such as APTs, adopt courses of action that are temporally
dispersed and mimic benign, normal system activity: from any
temporally or spatially local view, their individual actions do not
appear suspicious. Such a wide, longer-term perspective can identify
unwanted behavior patterns and their points of origin in system time
and space.

One way to discover such broad patterns is to map out global,
long-term causality in systems and networks by constructing provenance
graphs for system data and control flow. However, successful and
timely construction and analysis of such provenance graphs faces
several challenges. The first of these is scalability: the ability to
handle large volumes of local causality data at high bandwidth (many
GBytes per hour over periods of weeks to months), as generated by
sensors in systems and networks under observation. The second
challenge is how to generate rich provenance graphs that assemble
local, short-term causality evidence into global, long-horizon causal
networks. The third key challenge is abstracting these graphs into
smaller, more intuitive structures, and reasoning over such structures
at system operational rates to characterize system activity. The
fourth key challenge is to distinguish APT activity from normal
background activity.


== Topics of Interest ==

We invite short talks on a number of themes relevant to the challenges
described above. We encourage talks from the broader provenance
community as well as talks from participants in the DARPA Transparent
Computing program. The following is a partial list of themes that
would fall into the scope of our workshop:

- An overview of the Transparent Computing program

- Overviews of active projects in the portion of the Transparent
Computing program relevant to constructing and analyzing provenance
graphs

- Data models for tracking computing system and network entities,
their provenance, and their relationships to other entities

- Approaches to handling high-bandwidth, large-volume system event and
entity data, and practical construction of provenance graphs at these
data rates and volumes

- Algorithms for constructing provenance graphs from such system
monitoring data

- Models for efficiently abstracting low-level system monitoring data
into intuitive patterns of behavior that support reasoning about
threats vs. benign system activities

- Methods for efficiently deducing provenance of such higher-level
behavior patterns from provenance of their low-level precursors

- Approaches to identifying malicious vs. benign behavior patterns by
leveraging this provenance information

Authors are strongly encouraged, where appropriate, to make an
explicit link between requirements and application needs.

== Workshop Format ==

Our workshop will be structured as follows.

- An invited keynote talk describing current and emerging challenges
in this area and approaches that address them

- A number of short (from 5- to 15-minute) “Lightning talks” grouped
by the themes outlined above

- Open discussion about promising directions to address the 4 key
challenges described above


Accepted abstracts will be posted on the Web. There will be no formal
proceedings.

== Timetable ==

- May 11, 2016: Deadline for submission
- May 15, 2016: Workshop programme published
- May 20, 2016: Registration closes
- June 6, 2016: Workshop

== Submission Procedure ==

Please submit plain text abstracts of about half of one page to the
program committee chair at jcheney at inf.ed.ac.uk . Multiple submissions
for different experiences and/or requirements are welcome.

== Organizing Committee ==

    James Cheney (chair), University of Edinburgh
    David W. Archer, Galois, Inc.
    Ashish Gehani, SRI International
    Yingbo Song, BAE Systems

== About ProvenanceWeek ==

ProvenanceWeek 2016, June 6-9, 2016, is being hosted by The MITRE
Corporation in McLean, Virginia, USA, a short metro ride from
Washington D.C. The workshops IPAW and TAPP will be co-located during
the week. The workshop "Provenance Based Security and Transparent
Computing" will take place on the afternoon of June 6. Entry to the
workshop is free but we need to know who is coming (note that
registrations close on May 20!). All registered attendees will be
listed on the workshop Web site. Registration is through the
Provenance Week registration page. Participants are cordially invited
to register for subsequent Provenance Week events.

http://www2.mitre.org/public/provenance2016/registration.html


-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
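The Background section above describes assembling local, short-term causality evidence (individual audit events) into a global, long-horizon provenance graph and then tracing causality back from suspicious activity. The following is an added worked example, written for this page and not code from the workshop, the DARPA program or any of the listed projects. The audit records are constructed, the process and file names are hypothetical, and the operation vocabulary (read/write/recv/send/fork/exec) is a simplification of what a real endpoint sensor emits. It builds a dataflow graph from those records and performs a time-respecting backward trace from an outbound connection, showing how a chain that is temporally dispersed over a month, and in which every individual step looks benign, is recovered as one causal path.

```python
"""Added example: assemble audit events into a provenance graph and trace
causality backwards from a suspicious artifact (not the program's code)."""
from collections import defaultdict
from datetime import datetime

# Constructed audit records for this example (not real data). Each record is
# the kind of local, short-term observation an endpoint sensor emits:
# (timestamp, process, operation, object). Processes are "proc:<name>#<id>",
# files "file:<path>", remote endpoints "net:<ip>:<port>". All hypothetical.
AUDIT = [
    # day 1: a document is downloaded through the browser (looks benign)
    ("2016-01-04T09:12:00", "proc:browser#1",  "recv",  "net:203.0.113.7:443"),
    ("2016-01-04T09:12:03", "proc:browser#1",  "write", "file:/home/u/Downloads/report.xlsm"),
    # day 9: the document is opened; a child process drops a script
    ("2016-01-12T14:02:10", "proc:office#2",   "read",  "file:/home/u/Downloads/report.xlsm"),
    ("2016-01-12T14:02:12", "proc:office#2",   "fork",  "proc:updater#3"),
    ("2016-01-12T14:02:15", "proc:updater#3",  "write", "file:/home/u/.config/helper.sh"),
    # unrelated benign activity in between
    ("2016-01-20T10:00:00", "proc:editor#6",   "read",  "file:/home/u/notes.txt"),
    ("2016-01-20T10:05:00", "proc:editor#6",   "write", "file:/home/u/notes.txt"),
    ("2016-01-25T02:00:00", "proc:backup#7",   "read",  "file:/srv/db/customers.db"),
    ("2016-01-25T02:00:30", "proc:backup#7",   "write", "file:/backup/customers.db"),
    # day 31: the dropped script runs from cron and ships the database out
    ("2016-02-03T03:00:00", "proc:cron#4",     "fork",  "proc:helper#5"),
    ("2016-02-03T03:00:01", "proc:helper#5",   "exec",  "file:/home/u/.config/helper.sh"),
    ("2016-02-03T03:00:05", "proc:helper#5",   "read",  "file:/srv/db/customers.db"),
    ("2016-02-03T03:00:09", "proc:helper#5",   "send",  "net:198.51.100.9:443"),
    # a write to the database *after* the exfiltration: not a cause of it
    ("2016-02-10T11:00:00", "proc:dbserver#8", "write", "file:/srv/db/customers.db"),
]

# Direction of information flow for each operation: True means the object
# flows into the process, False means the process flows into the object.
INTO_PROCESS = {"read": True, "recv": True, "exec": True,
                "write": False, "send": False, "fork": False}


def build_graph(records):
    """Assemble local observations into one provenance graph.

    Returns preds: dst -> list of (src, timestamp) dataflow edges, meaning
    src influenced dst at that time."""
    preds = defaultdict(list)
    for ts, proc, op, obj in records:
        t = datetime.fromisoformat(ts)
        src, dst = (obj, proc) if INTO_PROCESS[op] else (proc, obj)
        preds[dst].append((src, t))
    return preds


def backward_trace(preds, sink, at):
    """Time-respecting ancestry of `sink` as of time `at`.

    Returns {node: latest time at which node contributed}. An edge
    src -> node at time t can only have contributed to node's state at
    time `at` if t <= at; enforcing that keeps later, causally irrelevant
    writers (dbserver#8 above) out of the result."""
    at = datetime.fromisoformat(at) if isinstance(at, str) else at
    latest = {sink: at}          # node -> latest time we need to explain
    frontier = [sink]
    while frontier:
        node = frontier.pop()
        for src, t in preds.get(node, ()):
            # revisit src only if this edge is later than what we already
            # know for it, so the walk terminates and keeps the widest window
            if t <= latest[node] and t > latest.get(src, datetime.min):
                latest[src] = t
                frontier.append(src)
    return latest


def span_days(ancestry):
    """How temporally dispersed the recovered causal chain is, in days."""
    times = list(ancestry.values())
    return (max(times) - min(times)).days


if __name__ == "__main__":
    g = build_graph(AUDIT)
    chain = backward_trace(g, "net:198.51.100.9:443", "2016-02-03T03:00:09")
    for node, t in sorted(chain.items(), key=lambda kv: kv[1]):
        print(f"{t.isoformat()}  {node}")
    print(f"causal chain spans {span_days(chain)} days")
```

Run as a script, the trace from the outbound connection walks back through helper#5, the dropped script, updater#3, office#2, the downloaded document and browser#1 to the original remote endpoint, a chain spanning 29 days in which no single event would trip a local policy check. The editor, backup and post-exfiltration database writer never appear: the first two are not ancestors at all, and the last is excluded by the timestamp constraint. Real deployments face the scalability problem the announcement names, since the graph here is tiny and held in memory, but the time-respecting walk is the core operation any larger system must support.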