We are building FAROS, a next-generation DIFT (dynamic information flow tracking) system to increase system transparency to counter advanced persistent threats (APTs). FAROS consists of an xDIFT module inside a virtual machine (VM) and a self-tuning module. The self-tuning module advises xDIFT about the recommended level of tracking based on situational-awareness, which captures the likelihood that the device is in danger. The novelty of our work is two-fold. First, FAROS is effective because it uses context-aware tracking and handles indirect flows (address and control) properly. Second, FAROS is efficient because it employs an on-the-fly self-tuning operation, which uses situational-awareness to adjust the level of detail of the tracked information, thus reducing its performance overhead. Situational-awareness provides an estimate on whether the device is in danger or already compromised by malware.

The objective of this project is to explore new capabilities for active defense in computer systems, an “elusive holy grail” of cyber security. The novel approach of the work is to make consistent and inconsistent deception a first-class operating system design feature, which, if successful, can strike a new and appealing balance of security, performance, and usability. Specifically, we plan to (i) Implement an Linux-based operating system, Chameleon, providing a spectrum of defenses based on deception and inconsistent behavior, (ii) Analyze the effectiveness of the prototype to resist malware while maintaining usability for benign and trusted software. We will evaluate usability through user studies designed and supervised by an experimental cognitive psychologist.