MARPLE

Mitigating APT Damage by Reasoning with Provenance in Large Enterprise Networks

The goal of this proposal is to explore and create a suite of technologies called MARPLE that can radically harden enterprise security by large scale automation of the task of detecting sophisticated cyber threats as a first step to remediating and preventing subsequent cyber exploits.

Enterprises today, largely use perimeter-based controls for their defense. These tools, typically, come from different vendors, are fragmented and provide a narrow view of the activities in one part of the enterprise infrastructure. In doing so, they ignore three crucial observations: (a) first, the activities in an enterprise are not all independent of one another but are some times causally related (b) second, normal day to day operations of enterprise activities are done in relatively small and stable interaction neighborhoods (c) third, in contrast, cyber threats often cross such neighborhoods. So, while the tools in use today, generate a multitude of event alert streams, logs and audit records that contain potentially actionable intelligence, the inability to consolidate and correlate these events and data automatically at line speeds and present them to the security analyst in a semantically-meaningful manner robs security analysts and administrators of a valuable tool to defend enterprise networks.

To this end, MARPLE combines ideas from four disparate areas to explore a radical and game-changing approach to cyber security, namely, Causality Tracking from Distributed Systems, Heterogeneous Information Networks (HINs) from Data Mining and Knowledge Discovery, Efficient Implementations of Large Graphs and Graph Analytics and Policy Learning and Enforcement.