Fine-Grained Tracking of Grid Infections Ashish Gehani SRI Basim - - PowerPoint PPT Presentation



SLIDE 1

Fine-Grained Tracking of Grid Infections

Ashish Gehani (SRI)
Basim Baig, Salman Mahmood, Dawood Tariq, Fareed Zaffar (LUMS)

Fine-Grained Tracking of Grid Infections – p. 1/18

SLIDE 2

Introduction

Grid semantics
  • Not middleware-specific
  • Distributed system
  • “Application community”
Infection
  • Security, Reliability, Quality-of-Service
Constraints
  • Fine-grained monitoring
  • Grid-wide correlation
  • Timely analysis

SLIDE 3

Motivation

Attractive attack platform
  • Access to large set of resources
  • Automatic privilege escalation
    - Single sign-on
Significant consequences
  • Integrity loss of valuable data
  • Exposed services
    - Open ports for callbacks

SLIDE 4

Application Community

[Figure: application community. Each Grid node reports anomalies to the Risk Monitor, which returns a threat digest to the Grid nodes.]

SLIDE 5

Central Monitoring

Collect Grid-wide anomalies
  • Raw stream saturates network
    - 35 clients, 10 Mb/s (Oliner et al., RAID 2010)
    - Only event types, no arguments
  • Must scale to hundreds of nodes

SLIDE 6

Local Monitoring

Framed as set operations
  • Application activity: set of events
  • Normal behavior: union of events during training
  • Anomalous behavior: difference set (by subtracting normal)
  • Correlating node activity: intersection of anomaly sets

SLIDE 7

Approach

  • Decompose sets into epochs
  • Compress epoch activity
  • Collect data provenance
  • Map anomalies to provenance

SLIDE 8

Epoch Compression

[Figure: on a Grid node, application auditing captures system calls at the user/kernel boundary into a log; an anomaly detector produces the anomaly set, which is stored in an anomaly Bloom filter and sent as a digest to the Risk Monitor.]

Set representation
  • Allows use of Bloom filters
  • Fold filter ⌈log(f + b)⌉ times
    - Increase update frequency by f
    - Decrease bandwidth used by b
    - More false positives

SLIDE 9

Correlating Activity

Combine Bloom filters
  • Counting filter
    - Event on τ nodes ⇒ corresponding buckets are ≥ τ
  • Construct vaccination Bloom filter
    - bit 1 ⇔ counting filter bucket ≥ τ
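As an added example (not code from the slides or their authors), the set-based local monitoring of slide 6, the epoch Bloom filter folding of slide 8 and the counting-filter correlation of slide 9 in Python. The SHA-256-slice hashing, base-2 reading of ⌈log(f + b)⌉, filter sizes and the sample events are assumptions.

```python
import hashlib
import math

def bloom_positions(event, m, k=3):
    """k bit positions for `event` in an m-bit filter. The SHA-256-slice hashing is an
    assumption; m must be a power of two so folding stays consistent with these positions."""
    assert m & (m - 1) == 0
    d = hashlib.sha256(event.encode()).digest()
    return [int.from_bytes(d[4 * i:4 * i + 4], "big") % m for i in range(k)]

def anomaly_set(epoch_events, normal):
    """Slide 6: anomalous behaviour is the epoch's event set minus the normal set."""
    return set(epoch_events) - normal

def bloom(events, m):
    bits = [0] * m
    for e in events:
        for p in bloom_positions(e, m):
            bits[p] = 1
    return bits

def fold(bits, times):
    """Slide 8: OR the two halves `times` times; members stay, size drops by 2^times, false positives rise."""
    for _ in range(times):
        h = len(bits) // 2
        bits = [a | b for a, b in zip(bits[:h], bits[h:])]
    return bits

def folds_for(f, b):
    """Slide 8's rule, read with base-2 log (each fold halves the filter): ceil(log2(f + b)) folds."""
    return math.ceil(math.log2(f + b))

def contains(bits, event):
    return all(bits[p] for p in bloom_positions(event, len(bits)))

def vaccination_filter(digests, tau):
    """Slide 9: sum the digests into a counting filter; a bit is 1 iff its bucket >= tau, so an
    event reported by tau or more nodes is guaranteed to survive (extras are false positives)."""
    return [1 if sum(col) >= tau else 0 for col in zip(*digests)]

# Constructed sample (not from the paper): two training epochs, then one epoch on three nodes.
TRAINING = [["open:config.ini", "read:config.ini", "close:config.ini"],
            ["open:work.dat", "read:work.dat", "write:result.dat"]]
NORMAL = set().union(*TRAINING)   # normal behaviour = union of training events
EPOCH = {"node1": ["open:config.ini", "write:dump.log", "open:tmp.1"],
         "node2": ["read:work.dat", "write:dump.log", "write:node2-only.tmp"],
         "node3": ["write:result.dat", "write:dump.log"]}

def correlate(m=4096, f=2, b=2, tau=2):
    # each node folds its anomaly filter; the risk monitor keeps what >= tau nodes reported
    digests = [fold(bloom(anomaly_set(ev, NORMAL), m), folds_for(f, b)) for ev in EPOCH.values()]
    return vaccination_filter(digests, tau)
```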

SLIDE 10

Data Provenance

[Figure: process execution over time: open(), read(), close() of File 1 and File 2, then open(), write(), close() of File 3; the resulting provenance graph links File 1 and File 2 to the Process, the Process to File 3, and the Process to its Owner.]

Record few arguments
  • Process creation
  • File versions
  • File access, modification

SLIDE 11

Anomaly Tracking

Synthetic attack
  • Unexpected write of dump.log

[Figure: provenance graph around the unexpected write of dump.log; node labels are illegible in the extracted text.]
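An added example (not the authors' code) of the argument-light provenance records of slide 10 and the anomaly-to-provenance mapping of slides 7 and 11: a sparse provenance store built from audit records and queried for everything upstream of the unexpected write of dump.log. The record format and all process and file names are constructed.

```python
from collections import defaultdict

class Provenance:
    def __init__(self):
        self.parent = {}                 # child process -> process that created it
        self.reads = defaultdict(set)    # process -> {(file, version it read)}
        self.writer = {}                 # (file, version) -> process that produced that version
        self.version = defaultdict(int)  # file -> latest version (0 = not modified in the trace)

    def record(self, op, proc, target):  # one argument-light audit record (slide 10)
        if op == "exec":
            self.parent[target] = proc
        elif op == "read":
            self.reads[proc].add((target, self.version[target]))
        elif op == "write":
            self.version[target] += 1
            self.writer[(target, self.version[target])] = proc

    def lineage(self, file, version=None, seen=None):
        """Slide 7's 'map anomalies to provenance': the writer of a suspicious file version,
        its chain of creators, and the file versions it read, followed recursively."""
        version = self.version[file] if version is None else version
        seen = set() if seen is None else seen
        node = ("file", file, version)
        if node in seen:                     # guards against a process re-reading its own output
            return seen
        seen.add(node)
        proc = self.writer.get((file, version))
        if proc is not None:
            for f, v in self.reads[proc]:    # data the writer consumed
                self.lineage(f, v, seen)
        while proc is not None:              # the writer and the processes that created it
            seen.add(("process", proc))
            proc = self.parent.get(proc)
        return seen

# Constructed audit trail, oldest first: (op, acting process, target). Names are made up.
AUDIT = [
    ("exec",  "services.exe:4",  "boinc.exe:12"),
    ("exec",  "boinc.exe:12",    "worker.exe:15"),
    ("read",  "worker.exe:15",   "work.dat"),
    ("write", "worker.exe:15",   "result.dat"),
    ("exec",  "explorer.exe:9",  "iexplore.exe:20"),
    ("read",  "iexplore.exe:20", "result.dat"),
    ("write", "iexplore.exe:20", "dump.log"),   # slide 11's unexpected write
]
def build(records=AUDIT):
    pv = Provenance()
    for rec in records:
        pv.record(*rec)
    return pv
```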

SLIDE 12

Evaluation Platform

  • Microsoft Windows XP (SP3)
  • BOINC 6.10.43 volunteer Grid application
  • Process Monitor 2.7 tool
  • Open Bloom Filter library
  • Synthetic infection
    - Internet Explorer vulnerability
    - Windows CreateRemoteThread()
    - MailBoy 2004 injected

SLIDE 13

Workload

  • 24 hours 20 minutes
  • 1.5 million events
  • Raw log: 216 MB / Grid node
  • Anomaly detection with 11-tuples
  • MailBoy 2004 as spam relay
    - 20 threads
    - 30 second timeout
    - 1,700 email addresses

SLIDE 14

Storage

[Plot: Storage Space Used (KB), log scale, versus Number of Events; series: Disk Storage, 4000-bit Bloom filter, 2000-bit Bloom filter.]

SLIDE 15

Normal Operation

[Plot: False Positives Normalized by Anomalous Sequences (0 to 1) versus Total Number of Events; series: 500-bit, 1000-bit, 2000-bit and 4000-bit Bloom filter.]

SLIDE 16

Malware Injected

[Plot: False Positives Normalized by Anomalous Sequences (0 to 1) versus Total Number of Events; series: 500-bit, 1000-bit, 2000-bit and 4000-bit Bloom filter.]

SLIDE 17

Provenance Database

[Plot: Number of Unique Identifiers versus Time (minutes); series: File Identifiers in Normal Data, File Identifiers in Attack Data, Process Identifiers in Normal and Attack Data.]

SLIDE 18

Conclusion

Apparent tension
  • Fine-grained anomaly detection
  • Grid-wide monitoring
Solution
  • Audit provenance on Grid nodes
  • Compress event stream
  • Map anomalies to provenance
Acknowledgement
  • NSF Grant OCI-0722068