PhD Defense by Yang Ji

Event Details
  • Date/Time:
    • Monday August 12, 2019 - Tuesday August 13, 2019
      1:00 pm - 2:59 pm
  • Location: Coda C0903 Ansley
  • Phone:
  • URL:
  • Email:
  • Fee(s):
  • Extras:
No contact information submitted.

Summary Sentence: Efficient and Refinable Attack Investigation

Full Summary: No summary paragraph submitted.

Title: Efficient and Refinable Attack Investigation


Yang Ji

Ph.D. candidate in Computer Science

School of Computer Science

College of Computing

Georgia Institute of Technology


Date: Monday, August 12, 2019

Time: 13:00 - 15:00 (EST)

Location: Coda C0903 Ansley




Dr. Wenke Lee (Advisor), School of Computer Science, Georgia Institute of Technology

Dr. David Devecsery (Co-advisor), School of Computer Science, Georgia Institute of Technology

Dr. Alessandro Orso, School of Computer Science, Georgia Institute of Technology

Dr. Dongyan Xu, Department of Computer Science, Purdue University

Dr. Angelos Keromytis, School of Electrical and Computer Engineering, Georgia Institute of Technology



As modern attacks become more stealthy and persistent, detecting or preventing them at their early stages becomes virtually impossible. Instead, an attack investigation or provenance system aims to continuously monitor and log interesting system events with minimal overhead. Later, if the system observes any anomalous behavior, it analyzes the log to identify who initiated the attack and which resources were affected by the attack and then assess and recover from any damage incurred. However, because of a fundamental tradeoff between log granularity and system performance, existing systems typically record system- call events without detailed program-level activities (e.g., memory operation) required for accurately reconstructing attack causality or demand that every monitored program be instrumented to provide program-level information. 


In this thesis, I present my research focusing on addressing this issue. First, I present a Refinable Attack INvestigation system (RAIN) based on a record-replay technology that records system-call events during runtime and performs instruction-level dynamic information flow tracking (DIFT) during on-demand process replay. Instead of replaying every process with DIFT, RAIN conducts system-call-level reachability analysis to filter out unrelated processes and to minimize the number of processes to be replayed, making inter-process DIFT feasible. Second, I present a data flow tagging and tracking mechanism, called RTAG, which further enables practical cross-host attack investigations. RTAG allows lazy synchronization between independent and parallel DIFT instances of different hosts, and enables detection of most classes of data-flow related vulnerability.

Additional Information

In Campus Calendar

Graduate Studies

Invited Audience
Public, Graduate students, Undergraduate students
Phd Defense
  • Created By: Tatianna Richardson
  • Workflow Status: Draft
  • Created On: Jul 31, 2019 - 10:08am
  • Last Updated: Jul 31, 2019 - 10:08am