Modern detection systems use sensor data available in the deployment environment to probabilistically identify attacks. These systems are trained on historical data to build a model of anomalous or normal behavior. However, this accepted approach to detection is limited to training on only those features that can be collected at detection time. Hence, such systems fail to leverage the often vast amount of ancillary information available from past forensic analysis and post-mortem data: they do not train on (and thus do not learn from) features that are unavailable or too costly to collect at run-time. In this talk, I consider an alternate detection model that integrates forensic "privileged" information (features that are reliably available at training time but not at run-time) to improve the accuracy and resilience of detection systems. Several forensic-enabled learning models are explored and a preliminary but detailed case study is presented. I conclude by discussing the future of detection informed by forensic data.
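One way to make the "privileged information" idea concrete is generalized distillation: a teacher model is fit offline on run-time features plus a forensic feature that exists only in post-mortem data, and a student model that sees only the run-time features is then fit to the teacher's softened predictions. The block below is an added, self-contained illustration of that pipeline; it is not one of the speaker's models, the data it generates is constructed, and every name in it (`make_events`, `run_pipeline`, the synthetic "run-time" and "forensic" feature definitions, the temperature and imitation weights) is an assumption chosen for the demonstration. In this toy linear setting the student is not guaranteed to beat the plain baseline; what the code shows is how a feature that will never be present at detection time can still shape training while the deployed model consumes only the two run-time features.

```python
"""Toy learning-using-privileged-information (LUPI) pipeline for detection.

Constructed illustration, not the speaker's models. A teacher logistic
regression sees run-time features plus a forensic feature that only exists
in post-mortem data; a student seeing only run-time features is trained on
the teacher's soft labels (generalized distillation). All data is synthetic.
"""
import math
import random

RUNTIME_DIM = 2   # hypothetical features collectable at detection time
PRIV_DIM = 1      # hypothetical forensic feature, known only after post-mortem


def make_events(n, seed=7):
    """Constructed events: (runtime_features, privileged_features, label)."""
    rng = random.Random(seed)
    events = []
    for _ in range(n):
        y = 1 if rng.random() < 0.5 else 0          # 1 = attack, 0 = benign
        x = [2.0 * y + rng.gauss(0, 1.5),           # weakly informative run-time signals
             1.0 * y + rng.gauss(0, 2.0)]
        z = [3.0 * y + rng.gauss(0, 0.5)]           # strongly informative forensic finding
        events.append((x, z, y))
    return events


def sigmoid(t):
    """Numerically stable logistic function."""
    if t >= 0:
        return 1.0 / (1.0 + math.exp(-t))
    e = math.exp(t)
    return e / (1.0 + e)


def logit(model, f):
    w, b = model
    return sum(wi * fi for wi, fi in zip(w, f)) + b


def train_logreg(features, targets, epochs=600, lr=0.1):
    """Batch gradient descent on logistic loss; targets may be soft values in [0, 1]."""
    dim, n = len(features[0]), len(features)
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * dim, 0.0
        for f, t in zip(features, targets):
            err = sigmoid(logit((w, b), f)) - t
            for j in range(dim):
                gw[j] += err * f[j]
            gb += err
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def accuracy(model, features, labels):
    hits = sum((sigmoid(logit(model, f)) >= 0.5) == (y == 1)
               for f, y in zip(features, labels))
    return hits / len(labels)


def run_pipeline(n_train=300, n_test=300, temperature=2.0, imitation=0.7):
    """Teacher with forensics -> soft labels -> student on run-time features only."""
    train, test = make_events(n_train, seed=7), make_events(n_test, seed=11)
    xt = [x for x, _, _ in train]
    zt = [z for _, z, _ in train]
    yt = [y for _, _, y in train]
    xs = [x for x, _, _ in test]
    zs = [z for _, z, _ in test]
    ys = [y for _, _, y in test]

    # 1. Teacher: run-time + forensic features (only possible offline, on post-mortem data).
    teacher = train_logreg([x + z for x, z in zip(xt, zt)], yt)
    # 2. Soft labels: teacher confidence, flattened by a temperature so it carries
    #    more than the hard 0/1 label.
    soft = [sigmoid(logit(teacher, x + z) / temperature) for x, z in zip(xt, zt)]
    # 3. Student: run-time features only, fit to a blend of hard and soft labels.
    blended = [(1 - imitation) * y + imitation * s for y, s in zip(yt, soft)]
    student = train_logreg(xt, blended)
    # 4. Baseline: the conventional detector, run-time features and hard labels.
    baseline = train_logreg(xt, yt)

    return {
        "teacher_acc_with_forensics": accuracy(teacher, [x + z for x, z in zip(xs, zs)], ys),
        "student_acc_runtime_only": accuracy(student, xs, ys),
        "baseline_acc_runtime_only": accuracy(baseline, xs, ys),
        "student_feature_dim": len(student[0]),   # the deployable model never needs z
    }


if __name__ == "__main__":
    for name, value in run_pipeline().items():
        print(f"{name}: {value}")
```

The teacher's accuracy is only an offline number: it cannot be deployed because `z` is never observable at detection time. The student's weight vector has length `RUNTIME_DIM`, which is the property a practitioner should check when such a model is shipped, and comparing `student_acc_runtime_only` against `baseline_acc_runtime_only` on held-out data is the evaluation that decides whether the forensic signal actually transferred.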
PATRICK McDANIEL is a Distinguished Professor in the School of Electrical Engineering and Computer Science and Director of the Institute for Networking and Security Research at the Pennsylvania State University. Professor McDaniel is a Fellow of the IEEE and ACM and program manager and lead scientist for the Army Research Laboratory's Cyber-Security Collaborative Research Alliance. Patrick's research centrally focuses on a wide range of topics in security and technical public policy. Prior to joining Penn State in 2004, he was a senior research staff member at AT&T Labs-Research.