building trustworthy intrusion detection through virtual
play

Building Trustworthy Intrusion Detection Through Virtual Machine - PowerPoint PPT Presentation

Jan 17, 2023 •262 likes •472 views

Problem Overall Architecture Evaluation Conclusion Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1 Daniele Sgandurra 2 1 Polo G. Marconi - La Spezia, University of Pisa 2 Department of Computer

  1. Problem Overall Architecture Evaluation Conclusion Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1 Daniele Sgandurra 2 1 Polo G. Marconi - La Spezia, University of Pisa 2 Department of Computer Science, University of Pisa IAS Conference, 2007 1/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  2. Problem Overall Architecture Evaluation Conclusion Outline Problem 1 Attacks and Evasion of Controls Overall Architecture 2 Virtual Machine Introspection Psyco-Virt Evaluation 3 Security Evaluation Performance Conclusion 4 Results and Future Works 2/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  3. Problem Overall Architecture Attacks and Evasion of Controls Evaluation Conclusion Rootkits Rootkits have become more sophisticated over the years. User-level rootkits: usually, modify system binaries. Kernel-level rootkits: for example, a module inserted into the kernel. Unfortunately, rootkits and IDSes work at the same level. A rootkit can attack or evade the IDS controls. 3/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  4. Problem Overall Architecture Virtual Machine Introspection Evaluation Psyco-Virt Conclusion Proposed Approach Virtual Machine Introspection: Standford University. Visibility: access VM’s state from a lower level. Robustness: detect intrusions from another VM. 4/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  5. Problem Overall Architecture Virtual Machine Introspection Evaluation Psyco-Virt Conclusion Semantic Problem How to detect intrusions/attacks inside the VM? Semantic problem: the data accessed through introspection are raw data. We also need to protect the IDS. 5/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  6. Problem Overall Architecture Virtual Machine Introspection Evaluation Psyco-Virt Conclusion Solution #1 Modify an IDS to work at the hardware level. 6/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  7. Problem Overall Architecture Virtual Machine Introspection Evaluation Psyco-Virt Conclusion Solution #2 Build a complex introspection library to export an OS view of the VM’s state. 7/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  8. Problem Overall Architecture Virtual Machine Introspection Evaluation Psyco-Virt Conclusion Our Solution: a Multi-Level Approach Build a simple introspection library to check the kernel. 1 Extend the kernel to monitor the IDSes inside the 2 monitored VM. Use standard IDSes to detect attacks against the VM. 3 8/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  9. Problem Overall Architecture Virtual Machine Introspection Evaluation Psyco-Virt Conclusion Chain of Trust 9/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  10. Problem Overall Architecture Virtual Machine Introspection Evaluation Psyco-Virt Conclusion Psyco-Virt Architecture Psyco-Virt merges Host and Network IDSes with VMI. The first prototype is written in C, based on Xen. Introspection VM: monitors all the VMs. Monitored VM: executes the system to be monitored. Control Network: to exchange the alerts and commands among the VMs. 10/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  11. Problem Overall Architecture Virtual Machine Introspection Evaluation Psyco-Virt Conclusion Introspection VM Introspection VM: monitors all the VMs. The introspector protects kernel integrity. The director: collects the alerts; 1 executes actions in response to an alert: stops a VM. 2 11/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  12. Problem Overall Architecture Virtual Machine Introspection Evaluation Psyco-Virt Conclusion Monitored VM Monitored VM: executes the system to be monitored. Runs IDSes to detect attacks/intrusions. The collector receives all the alerts from the local IDSes. The kernel checks IDS integrity. 12/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  13. Problem Overall Architecture Virtual Machine Introspection Evaluation Psyco-Virt Conclusion Control Network Control Network: to exchange the alerts and commands among the VMs. 13/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  14. Problem Overall Architecture Security Evaluation Evaluation Performance Conclusion Attacks Detected Currently, Psyco-Virt detects: Attacks to the kernel code also those inserting a malicious module. Udpates to the IDT and syscall table. Updates to the text area of a critical processes. Replacing ps and lsof. Interfaces set into promiscuous mode. 14/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  15. Problem Overall Architecture Security Evaluation Evaluation Performance Conclusion IOzone Read Performance Overhead is less than 10%. 15/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  16. Problem Overall Architecture Security Evaluation Evaluation Performance Conclusion IOzone Write Performance Overhead is less than 10%. 16/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  17. Problem Overall Architecture Security Evaluation Evaluation Performance Conclusion Antisniff Antisniff implemented as a module or through introspection. 17/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  18. Problem Overall Architecture Results and Future Works Evaluation Conclusion Limitations Current limitations of the prototype: No checks on kernel dynamic data, such as stack. Other critical kernel data structures, besides IDT and syscall table, have to be protected. Attacks to the VMM. Attacking the kernel between each execution of the checks. 18/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  19. Problem Overall Architecture Results and Future Works Evaluation Conclusion Results Using unmodified IDSes with virtual machine introspection. Preventing evasion of the controls and attacks to IDSes. Multi-Level approach to form a chain of trust: IDSes. 1 Kernel. 2 VMM. 3 Acceptable overhead. 19/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

  20. Problem Overall Architecture Results and Future Works Evaluation Conclusion Future Works Checking at runtime memory invariants. Using abstract interpretation of kernel code. Tracing a VM, such as using ptrace. Verifying system call parameters. Using introspection as an attestation of the VM. Attesting the software to a remote party. 20/20 Fabrizio Baiardi, Daniele Sgandurra Building Trustworthy Intrusion Detection Through Introspection

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol Toshiba, 26/11/2020 1 Talk loosely based on following publications Han et al. UNICORN: Revisiting Host-Based Intrusion Detection in the Age of

783 views • 55 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 11 Page 1 CS 236 Online Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection

143 views • 12 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Virtual U: Defeating Face Liveness Detection by Building Virtual Models From Your Public Photos

Virtual U: Defeating Face Liveness Detection by Building Virtual Models From Your Public Photos

Virtual U: Defeating Face Liveness Detection by Building Virtual Models From Your Public Photos Yi Xu, True Price, Jan-Michael Frahm, and Fabian Monrose Department of Computer Science, University of North Carolina at Chapel Hill USENIX Security

1.02k views • 62 slides
Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016 Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29 Detection vs. Blocking Intrusion

432 views • 32 slides
Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International Conference on Computing in High Energy and Nuclear Physics Outline: Introduction Threat model Intrusion prevention Intrusion detection

420 views • 16 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

584 views • 30 slides
Research Unit VIII: Network Architectures Computer Science Department, Technische Universitt

Research Unit VIII: Network Architectures Computer Science Department, Technische Universitt

Research Unit VIII: Network Architectures Computer Science Department, Technische Universitt Mnchen SEP Packet Capturing Using the Linux Netfilter Framework Ivan Pronchev pronchev@in.tum.de Research Unit VIII: Network Architectures

546 views • 21 slides
Linux rootkits & TTY Hijacking Antonio Prez Prez <antonio.perez.perez@cern.ch> CERN

Linux rootkits & TTY Hijacking Antonio Prez Prez <antonio.perez.perez@cern.ch> CERN

Linux rootkits & TTY Hijacking Antonio Prez Prez <antonio.perez.perez@cern.ch> CERN Computer Security Team EGI Technical Forum 2011, Lyon, France Outline Rootkits: Introduction Linux rootkits History Detection and monitoring

423 views • 26 slides
Principles of Ad Hoc Networking Michel Barbeau and Evangelos Kranakis January 20, 2009 CHAPTER 4

Principles of Ad Hoc Networking Michel Barbeau and Evangelos Kranakis January 20, 2009 CHAPTER 4

Principles of Ad Hoc Networking Michel Barbeau and Evangelos Kranakis January 20, 2009 CHAPTER 4 - WIRELESS NETWORK PROGRAMMING 2 Section 4.1 - Structure of information Address representation ifconfig command iwconfig command

825 views • 33 slides
Prompt and Parametric LTL Games Martin Zimmermann RWTH Aachen University September 17th, 2009

Prompt and Parametric LTL Games Martin Zimmermann RWTH Aachen University September 17th, 2009

Prompt and Parametric LTL Games Martin Zimmermann RWTH Aachen University September 17th, 2009 Games Workshop 2009 Udine, Italy Martin Zimmermann RWTH Aachen University Prompt and Parametric LTL Games 1/12 Outline 1. Introduction 2.

278 views • 24 slides
How do I put together a keyword search? #1 The use of parentheses, the asterisk, and

How do I put together a keyword search? #1 The use of parentheses, the asterisk, and

How do I put together a keyword search? #1 The use of parentheses, the asterisk, and the exclamation point. #2 Using Boolean terms #3 Searching! Lets say we are researching the rise of attention to European

347 views • 9 slides
Fea eature Preview: : Use ser-Prompts in DocumentsCorePack for Dynamics 365 User-Prompts:

Fea eature Preview: : Use ser-Prompts in DocumentsCorePack for Dynamics 365 User-Prompts:

Fea eature Preview: : Use ser-Prompts in DocumentsCorePack for Dynamics 365 User-Prompts: Incorporate user-input into generated documents Requirement Solution Use Cases Sol olution on Pop Popula lar Use e Ca Cases ses

313 views • 5 slides
6/12/2018 Teaching New Behaviors: Objectives Important Considerations Participants will be

6/12/2018 Teaching New Behaviors: Objectives Important Considerations Participants will be

6/12/2018 Teaching New Behaviors: Objectives Important Considerations Participants will be able to define the following Instructional programs must be based on assessment measures. These should be used Systematic Instruction:

392 views • 15 slides
Benjamin Weinert Indiana University US LUA November 11 13, 2015 Interest in Di-J/

Benjamin Weinert Indiana University US LUA November 11 13, 2015 Interest in Di-J/

Benjamin Weinert Indiana University US LUA November 11 13, 2015 Interest in Di-J/ Single Parton Scattering (SPS). Color Singlet Model (CSM), Color Octet Model (COM), and SPS Color Evaporation Model (CEM). Importance/effects of

362 views • 15 slides

More recommend