CLUE
The CLUE project develops an infrastructure to detect and diagnose system anomalies in enterprise systems. These anomalies include stealthy malware and other types of hidden system anomalies. CLUE provides a diverse set of tools to find and understand such anomalies with minimal disruption to the target system.
Available Work
- PDNS: a malware detection agent based on program DNS behaviors (paper)
- TBQL: a domain-specific language for system-behavioral queries (stream-processing paper, progressive-processing paper)
- IntroSec: a low-overhead security audit logging tool for Windows (paper)
- PerfGuard: a binary instrumentation tool for self-triggered performance diagnosis (paper)
- IntroPerf: a deep performance diagnosis tool using system event logs (paper)
Ongoing Work
- Lineage
publications
SAQL: A Stream-based Query System for Real-Time Abnormal System Behavior Detection
In Security 2018 (award paper) [ pdf :: slides :: bibtex ]
In Security 2018 (award paper) [ pdf :: slides :: bibtex ]
PerfGuard: Binary-Centric Application Performance Monitoring in Production Environments
In FSE 2016 [ pdf :: slides :: bibtex ]
In FSE 2016 [ pdf :: slides :: bibtex ]
Accurate, Low Cost and Instrumentation-Free Security Audit Logging for Windows
In ACSAC 2015 [ pdf :: slides :: bibtex ]
In ACSAC 2015 [ pdf :: slides :: bibtex ]
IntroPerf: Transparent Context-Sensitive Multi-Layer Performance Inference using System Stack Traces
In SIGMETRICS 2014 [ pdf :: slides :: bibtex ]
In SIGMETRICS 2014 [ pdf :: slides :: bibtex ]