
Cache, Trigger, Impersonate: Enabling Context-Sensitive Honeyclient Analysis On-the-Wire (PowerPoint presentation)



  1. Cache, Trigger, Impersonate: Enabling Context-Sensitive Honeyclient Analysis On-the-Wire. By Teryl Taylor, Kevin Z. Snow, Nathan Otterness and Fabian Monrose, University of North Carolina at Chapel Hill.

  2. Motivation (diagram: a user on the Internet requests www.somenews.com; an attacker is present)

  3. Motivation (diagram continued: the attacker sits between the user and www.somenews.com)

  4. Motivation (diagram continued: the user's browser is sent to www.exploitkit.com)

  5. Motivation (diagram continued: the client is Win7, IE11, Flash 11.8; the attacker holds a Flash exploit for CVE-2015-0318 and serves it)

  6. Goals and Current Approaches (diagram: end users behind an HTTP analyzer fetch www.owned.com, www.evil.com and www.mal.com from the Internet)

  7. Current Approaches (diagram continued: the HTTP analyzer sees only the request for www.owned.com while www.evil.com and www.mal.com are reached by end users)

  8. Operational Challenges and Constraints
     ❖ Limit interaction with the client or server.
     ❖ Must handle the fire hose of data.
     ❖ Attackers spread exploits across multiple web resources (HTML, JavaScript, CSS, Flash).
     ❖ Limited to memory storage.

  9. Framework
     ❖ CACHE: a small time window of traffic.
     ❖ TRIGGER: on a potentially exploitable file type. Flash comprises 75% for popular kits.
     ❖ IMPERSONATE: the client and server, using the semantic cache and a honeyclient.

  10. Example (diagram: clients visit www.a.com, www.b.com and www.maliciouspage.com over the Internet; the attacker serves evilflash.com/evil.swf to client IP 192.168.2.30)

  11. Example Cont'd (diagram: evilflash.com/evil.swf crosses the network to client IP 192.168.2.30)

  12. CACHE (diagram: the HTTP analyzer fills a two-level semantic cache with www.a.com/page1, www.a.com/page2, www.maliciouspage.com and evilflash.com/evil.swf)

  13. TRIGGER (diagram: the trigger hashes cached objects, a per-object hash H(.) and a combined hash H(⨁), before an object is handed to analysis)

  14. IMPERSONATE (diagram: on the trigger for evilflash.com/evil.swf, a network oracle retrieves the client configuration for client IP 192.168.2.30: Browser IE 10, Flash version 18.5, OS Windows 7)

  15. IMPERSONATE (diagram: chaining algorithm, "going back in time" from evilflash.com/evil.swf through the cached pages www.a.com/page1, www.a.com/page2 and www.maliciouspage.com)

  16. IMPERSONATE (diagram: a honeyclient configured as Browser IE 10, Flash version 18.5, OS Windows 7 re-fetches www.maliciouspage.com with the cache standing in for the server; evilflash.com/evil.swf is replayed to it and alerts go to a security analyst)
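The cache, trigger, chaining and impersonation steps of slides 9 to 16, as an added Python sketch that is not the authors' prototype. It assumes a 120-second cache window, Flash detection by Content-Type or SWF magic bytes, and chaining via Referer headers; SemanticCache, HttpObject and every field name are hypothetical.

```python
from collections import deque
from dataclasses import dataclass
import hashlib

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")  # uncompressed / zlib / LZMA Flash headers
WINDOW_SECS = 120  # assumed size of the "small time window" of cached traffic

@dataclass
class HttpObject:
    ts: float          # capture time in seconds
    client: str        # client IP, the first cache level
    url: str
    ctype: str         # response Content-Type
    body: bytes
    referer: str = ""  # Referer request header, used to chain back in time
    ua: str = ""       # User-Agent, used to recover the client configuration
    flash: str = ""    # x-flash-version request header, if the client sent one

class SemanticCache:  # two-level cache: client IP -> time-ordered HTTP objects
    def __init__(self, window=WINDOW_SECS):
        self.window, self.by_client, self.seen = window, {}, set()

    def add(self, obj):
        q = self.by_client.setdefault(obj.client, deque())
        q.append(obj)
        while obj.ts - q[0].ts > self.window:  # evict objects outside the window
            q.popleft()

    def is_trigger(self, obj):
        """TRIGGER on a Flash object; file hashing filters files analyzed before."""
        if obj.ctype != "application/x-shockwave-flash" and obj.body[:3] not in SWF_MAGIC:
            return False
        digest = hashlib.sha256(obj.body).hexdigest()
        unseen = digest not in self.seen
        self.seen.add(digest)
        return unseen

    def chain(self, obj):
        """Chaining: walk Referer headers back through this client's cache."""
        by_url = {o.url: o for o in self.by_client.get(obj.client, ())}
        seq, cur = [obj.url], obj
        while cur.referer in by_url and cur.referer not in seq:
            cur = by_url[cur.referer]
            seq.append(cur.url)
        return seq[::-1]  # oldest page first, the triggering object last

    def profile(self, obj):
        """IMPERSONATE: client configuration recovered from the cached requests."""
        flash = next((o.flash for o in self.by_client[obj.client] if o.flash), "")
        return {"user_agent": obj.ua, "flash_version": flash}
```

The list returned by chain() is the replay order for the honeyclient, and profile() is the configuration it is launched with; the cached bodies answer its requests in place of the real servers.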

  17. Evaluation - Campus
     Metasploit server: serves 11 Flash exploits, affecting 3 Flash versions.
     Analysis host: Dell R410, 8-core Xeon 2100 CPU, 128 GB RAM, Endace DAG card.
     Honeyclients: ShellOS with 5 VMs; Chrome, IE, Firefox; headless browser HTMLUnit; Windows 7, Firefox/IE, 3 Flash versions.
     UNC campus clients: 25,000 students, avg 1,000 concurrent users, 14,000 HTTP flows/min, peak 35,000 flows/min.

  18. Evaluation - Results
     Total: 576,000 Flash files; 99% filtered.
     Of the remainder: 5% fully analyzed, 11% interactive, 8% low and slow, 76% errors.
     * Found on average 2 malicious sites per day.

  19. Conclusion: Honeyclient to the Wire
     ❖ Current network-based approaches are too slow to react.
     ❖ We propose a framework that:
        ❖ Caches minutes' worth of web objects.
        ❖ Triggers an analysis on exploitable file types.
        ❖ Impersonates both the client and the server.
     ❖ Demonstrated utility on a large campus network.

  20. Questions? Teryl Taylor

  21. Evaluation - Performance (figure only)

  22. Evaluation - Cache (figure only)

  23. Evaluation - VirusTotal over Time (figure only)

  24. Evaluation - Minutes between Flash-in-Flash (figure only)

  25. Evaluation - Length of Client Cache (figure only)

  26. ➍ Honeyclients
     ❖ Honeyclient H1 (ShellOS):
        ❖ Process contains code injection/code reuse payload.
        ❖ Process memory exceeds tunable threshold (heap spray).
        ❖ Process terminates or crashes.
     (Snow et al., ShellOS: Enabling Fast Detection and Forensic Analysis of Code Injection Attacks, USENIX Security, 2011.)

  27. ➍ Honeyclients
     ❖ Honeyclient H2 (Cuckoo Sandbox):
        ❖ Process uses known anti-detection technique.
        ❖ Process spawns another process.
        ❖ Process downloads exe or dll file.
        ❖ Process accesses registry or system files.
     (https://cuckoosandbox.org/)

  28. Exploit Kits - Corporate Ownage as a Service
     Targeted victims/day: 90,000
     Successful infections: 40%
     Exploits served per day: 9,000
     Ransomware delivered: 62%
     • Cisco Talos Group: http://www.talosintel.com/angler-exposed/
     • October 2015

  29. Impact of File Hashing (diagram: the semantic cache and trigger with per-file hashes in front of the HTTP analyzer)

  30. Impact of Piecewise Hashing (diagram: the same pipeline with piecewise hashes)

  31. Evaluation - Detection Performance
     Prototype: 10,000 lines of code; four-core i7-2600 CPU, 3.40 GHz; 16 GB RAM.
     H1: ShellOS, monitors code injection/reuse.
     H2: Cuckoo, monitors OS changes.
     Configuration: Windows 7, IE 8 and 10, 8 Flash versions.
     Input: 177 exploit kit traces* (*www.malware-traffic-analysis.net).

  32. Evaluation - H1 Results: 92% true positive rate.

  33. Evaluation - H2 Results: 56% true positive rate. H1 & H2 combined: 100% true positive rate.

  34. Evaluation - Comparison - VirusTotal: 61% true positive rate.
