CamFlow / camflow-dev

Generates kernel patch for CamFlow Linux Provenance Capture.
http://camflow.org/
GNU General Public License v2.0

Collecting provenance data for intrusion detection #38

Closed tfjmp closed 7 years ago

tfjmp commented 7 years ago

We worked on a project using provenance data to perform intrusion detection (HotCloud'17). We want to capture the provenance of a program under normal circumstances, and while a vulnerability is exploited. The goal is not only to collect the provenance but also to make this process repeatable. Therefore we need to develop a series of tools and scripts to automatically perform those tasks. The purpose is not to develop a series of complex instructions, but things such as make build_vagrant, make package_vagrant, make publish_vagrant, etc. The process should be mostly automatable at the end of the project.

Below is a list of tasks towards that goal. Each contains a link to an issue covering its particulars.

  1. Create a vagrant box (not a vagrant file) https://github.com/CamFlow/camflow-dev/issues/30
  2. Check how it can be uploaded to Atlas https://github.com/CamFlow/camflow-dev/issues/31
  3. Automate the process https://github.com/CamFlow/camflow-dev/issues/32

Now we should have an easy-to-set-up environment where we can run our experiments. The next phase consists of:

  1. Identify vulnerabilities https://github.com/CamFlow/camflow-dev/issues/33
  2. Create a script to reproduce normal behaviour/vulnerability behaviour https://github.com/CamFlow/camflow-dev/issues/34
  3. Create a vagrant script that a) boots up the CamFlow image(s); b) captures the provenance we need; c) copies it to the shared folder. https://github.com/CamFlow/camflow-dev/issues/35
  4. Automate datasets publication https://github.com/CamFlow/camflow-dev/issues/36
  5. Automate running all available vulnerabilities https://github.com/CamFlow/camflow-dev/issues/37

Once that is done we can start to worry about making FRAP work.
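As an added illustration of the boot/capture/copy step (item 3 above) and the run-everything step (item 5), here is a host-side shell script. It is example code written for this edit, not CamFlow's tooling and not anything from the linked issues. It assumes a Vagrant box with CamFlow already installed and capturing, the default /vagrant shared folder, a guest-side provenance log whose path is an assumption (PROV_LOG, defaulting here to /tmp/audit.log), and one script per scenario under scenarios/ (names such as scenarios/normal.sh are illustrative).

```shell
#!/bin/sh
# Added example (not CamFlow's own tooling). Assumptions, none of which come
# from the issue:
#   - the Vagrant box already has CamFlow installed and capturing provenance;
#   - the guest sees the Vagrantfile directory as /vagrant (Vagrant default);
#   - CamFlow's daemon writes provenance to PROV_LOG inside the guest;
#   - each scenario is a script scenarios/<name>.sh (e.g. normal.sh for the
#     benign run, one script per exploited vulnerability), synced into the guest.
set -eu

PROV_LOG="${PROV_LOG:-/tmp/audit.log}"   # assumed guest-side provenance log
OUT_DIR="${OUT_DIR:-datasets}"           # host dataset dir, relative to the Vagrantfile

# Build the command run inside the guest for one scenario: start from an empty
# provenance log, run the scenario, then copy the log into the shared folder
# under a name that records which scenario produced it. The log is copied even
# when the scenario (e.g. an exploit) exits nonzero; that status is preserved.
guest_command() {
    printf 'sudo truncate -s 0 %s && sh /vagrant/scenarios/%s.sh; rc=$?; sudo cp %s /vagrant/%s/%s.log; exit $rc' \
        "$PROV_LOG" "$1" "$PROV_LOG" "$OUT_DIR" "$2"
}

# Boot the box, run one scenario, copy its provenance out, and halt the box so
# every scenario starts from the same state. Prints the host path of the log.
capture_scenario() {
    scenario="$1"
    [ -f "scenarios/$scenario.sh" ] || { echo "no scenarios/$scenario.sh" >&2; return 1; }
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    name="$scenario-$stamp"
    mkdir -p "$OUT_DIR"
    vagrant up
    vagrant ssh -c "$(guest_command "$scenario" "$name")" || echo "$scenario: guest exited nonzero" >&2
    vagrant halt
    echo "$OUT_DIR/$name.log"
}

# Run every scenario under scenarios/ in turn, listing the captured logs.
capture_all() {
    for s in scenarios/*.sh; do
        capture_scenario "$(basename "$s" .sh)"
    done
}

case "${1:-}" in
    all) capture_all ;;
    "")  ;;                        # no argument: define functions only
    *)   capture_scenario "$1" ;;
esac
```

Usage would be `sh capture.sh normal` for one scenario or `sh capture.sh all` for the whole set; a `make capture` target can wrap the latter. Halting between scenarios keeps each capture independent, at the cost of a boot per run.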

tfjmp commented 7 years ago

I also created a project https://github.com/orgs/CamFlow/projects/1 to visualise everything at once.

DongyuLi commented 7 years ago

I've repackaged the vagrant box with camflow 0.3.2 installed in the kernel, and it's available for download from atlas (dennisli1/frapbox). The step of automating the repackaging of the box with packer was skipped in order to dive directly into reproducing vulnerabilities (1, 2: done; 3: skipped). As camflow 0.3.3 will be released soon, steps 1 and 2 will be repeated and a new vagrant box will be released.

I've identified two vulnerabilities, reproduced them, and written scripts to automate the simulation process. There have been some difficulties with rebooting the VMs with the current version of camflow. I will test and debug the issue with the next version of camflow after the box is repackaged. (Steps 1, 2, 3: partially finished; steps 4, 5: will be done after successfully reproducing and automating the processes for capturing provenance data on all identified vulnerabilities.)

tfjmp commented 7 years ago

Do you think you could get #32 done for the week of the 17th?

DongyuLi commented 7 years ago

I will take a look and work on it concurrently with the vulnerabilities.
