Provenance Tracking with Attack Graphs Using SysFlow (closed: max capacity)

Instructor : Trent Jaeger | Capacity : 30 | Length : 3 hours | Time : 1300 - 1600

Instructor: Trent Jaeger


Prof. Trent Jaeger (Penn State) and his co-instructors, Dr. Fred Araujo and Dr. Teryl Taylor (IBM Research), explore problems in systems and software security. Prof. Jaeger has over 25 years of experience in industrial and academic research, and has made many contributions to Linux kernel security. Dr. Araujo and Dr. Taylor are Research Scientists at IBM Research, where they co-lead the team’s efforts on cloud-native security. They are active contributors to open source and maintainers of the SysFlow and CNCF Falco projects.

Difficulty: Intermediate


In this workshop, students will learn skills to detect complex, stealthy attacks by leveraging attack graphs built from known threats. We will provide students with hands-on experience of analyzing possible attacks using system provenance augmented by attack graphs using the SysFlow system. We will first introduce the students to SysFlow provenance tracking and analysis of attacks on hosts. We will then provide students with the experience of diagnosing more complex attacks using attack graphs to annotate provenance state with critical runtime information in SysFlow. Lastly, students will then learn how to analyze interprocess SysFlow provenance using attack graphs to detect stealthier attacks that span multiple processes.

Required Materials: Laptops and Laptop Chargers

Go to Training Registration