hexpads a platform to detect stealth attacks
play

HexPADS: a platform to detect stealth attacks Mathias Payer - PowerPoint PPT Presentation

Nov 30, 2022 •123 likes •317 views

HexPADS: a platform to detect stealth attacks Mathias Payer (@gannimo), Purdue University http://hexhive.github.io Deployed defenses focus on memory corruption (c) AP Photo/RIA Novosti, Alexei Druzhinin, Government Press Service (c)

  1. HexPADS: a platform to detect “stealth” attacks Mathias Payer (@gannimo), Purdue University http://hexhive.github.io

  2. Deployed defenses focus on memory corruption (c) AP Photo/RIA Novosti, Alexei Druzhinin, Government Press Service

  3. (c) National Nuclear Security Administration, 1953

  4. Consider program state and behavior

  5. HexPADS Design

  6. HexPADS Design ● Host-based Intrusion/Attack Detection System PMU ● Measure fine-grained process-level CPU runtime behavior Operating system provides basic – runtime characteristics OS Performance Monitoring Unit (PMU) – allows counting/sampling of detailed and fine-grained events ATTACK PROC PROC PROC PADS ● Detect attacks based on signatures/anomalies ● Take evasive action/counter measure

  7. Default Metrics (always collected) ● Number of executed instructions ● Number of last level cache accesses ● Number of last level cache misses ● Minor/major page faults ● Execution time (c) Intel

  8. Additional Metrics ● Anything in /proc – Opened files, network ports, and IPC – Loaded libraries – Memory maps ● Any measurable PMU event – Memory/cache hierarchy events – Instruction mix and behavior – Execution profile and branch records ● System calls

  9. Implementation ● Modular implementation ● Collect metrics for all processes ● Keep configurable history ● Run detection modules every iteration http://github.com/HexHive/HexPads

  10. Evaluation

  11. SPEC CPU2006 No measurable overhead 450 400 350 300 Runtime in seconds 250 200 Idle 150 PADS 100 50 0

  12. Rowhammer ● Cause DRAM bit flips by accessing adjacent cells – High amount of cache misses: > 500,000/s – High cache miss rate: > 70% – Low page fault rate: < 1% ● Possible extension: use sampling – Detect and correlate actual accesses – Detect “nearby” accesses

  13. Cache-based side/covert channels ● Communicate through access timing – Same pattern as rowhammer – Additional challenge: which process is bad? ● Possible extension: longer history – Consider development over time

  14. Cross-VM ASL INtrospection (CAIN)* ● CAIN attacks leak ASLR base addresses in co-located VMs – High amount of page faults/allocated pages/cache misses/per instr. – Followed by inactivity ● Possible extension: study access patterns – Push detection to VMM level – Check page similarity – Evaluate page access patterns CAIN: Silently Breaking ASLR in the Cloud. Antonio Barresi, Kaveh Razavi, Mathias Payer, and Thomas R. Gross. In WOOT '15

  15. Upcoming Challenges ● Move collection to VMM to allow per-machine correlation ● Extend and develop new detection modules ● Synthesize detection modules by applying machine learning PMU CPU OS ATTACK PROC PROC PROC PADS

  16. Conclusion

  17. Conclusion ● HexPADS is a modular IDS/ADS framework ● Process-based collection of runtime/performance information ● High precision and negligible overhead through PMU ● Ongoing work: – More detection modules – Machine learning – Push framework to VMM level ● Go clone the project at https://github.com/HexHive/HexPADS

  18. Thank you! Questions? Mathias Payer (@gannimo), Purdue University http://hexhive.github.io

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks Suggests need to learn/adapt to new attacks or changes in behavior Detect intrusions in timely fashion May need to be be real-time,

638 views • 29 slides
Who Am I?

Who Am I?

2/23/2012 HTML5 Top 10 Threats Stealth Attacks and Silent Exploits Shreeraj Shah

681 views • 46 slides
ON THE APPLICABILITY OF BINARY CLASSIFICATION TO DETECT MEMORY ACCESS ATTACKS IN IOT C&amp;ESAR

ON THE APPLICABILITY OF BINARY CLASSIFICATION TO DETECT MEMORY ACCESS ATTACKS IN IOT C&amp;ESAR

ON THE APPLICABILITY OF BINARY CLASSIFICATION TO DETECT MEMORY ACCESS ATTACKS IN IOT C&amp;ESAR 2018- Rennes | CEA Leti | KERROUMI Sanaa | 08/11/18 SOMMAIRE IoT node Related works Problem statement Proposed methodology Results Take out and

752 views • 36 slides
INSIDE THE PLATFORM Who are we Classic platforms Classic platform Modern platform Modern

INSIDE THE PLATFORM Who are we Classic platforms Classic platform Modern platform Modern

THE HIDDEN DANGERS INSIDE THE PLATFORM Who are we Classic platforms Classic platform Modern platform Modern platform Modern platform Modern platform Attackers motivation Attackers motivation Stealth Persistence Low level

453 views • 34 slides
PhishHook: A tool to detect and prevent phishing attacks Michael Stepp steppm@cs.arizona.edu

PhishHook: A tool to detect and prevent phishing attacks Michael Stepp steppm@cs.arizona.edu

PhishHook: A tool to detect and prevent phishing attacks Michael Stepp steppm@cs.arizona.edu University of Arizona [1] DIMACS 2005 Introduction Common phishing attacks Defense strategies PhishHook, which implements one of these strategies

399 views • 25 slides
Certificate Measurements to Detect Man-in-the-Middle Attacks and Middleboxes Mark ONeill,

Certificate Measurements to Detect Man-in-the-Middle Attacks and Middleboxes Mark ONeill,

Certificate Measurements to Detect Man-in-the-Middle Attacks and Middleboxes Mark ONeill, Scott Ruoti, Kent Seamons, Daniel Zappala Internet Research Lab &amp; Internet Security Research Lab Brigham Young University Certificate validation

484 views • 14 slides
TKPERM: Cross-platform Permission Knowledge Transfer to Detect Overprivileged Third-party

TKPERM: Cross-platform Permission Knowledge Transfer to Detect Overprivileged Third-party

TKPERM: Cross-platform Permission Knowledge Transfer to Detect Overprivileged Third-party Applications Faysal Hossain Shezan, Kaiming Cheng, Zhen Zhang, Yinzhi Cao, Yuan Tian Permission-based Access Control Android Chrome IFTTT 2

842 views • 82 slides
TKPERM: Cross-platform Permission Knowledge Transfer to Detect Overprivileged Third-party

TKPERM: Cross-platform Permission Knowledge Transfer to Detect Overprivileged Third-party

TKPERM: Cross-platform Permission Knowledge Transfer to Detect Overprivileged Third-party Applications Faysal Hossain Shezan and Kaiming Cheng (University of Virginia); Zhen Zhang and Yinzhi Cao (Johns Hopkins University); Yuan Tian (University

598 views • 24 slides
Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mnica INESC-ID/IST

Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mnica INESC-ID/IST

Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mnica INESC-ID/IST diogo.monica@ist.utl.pt Thursday, August 29, 13 Summary Motivation Problem statement Stealth C&amp;C using browsers Final remarks

606 views • 32 slides
Stealth Peptides Leading Mitochondrial Therapeutics Mitochondria Origin Mitochondria primer

Stealth Peptides Leading Mitochondrial Therapeutics Mitochondria Origin Mitochondria primer

Stealth Peptides Leading Mitochondrial Therapeutics Mitochondria Origin Mitochondria primer Origins of mitochondria o Prokaryotic cells including bacteria o Eukaryotic cells Slide 2 Stealth Peptides Mitochondria Function

256 views • 15 slides
The he ste stealth alth dish dish Mario Ar Arma mando Natali, I0NAA AA

The he ste stealth alth dish dish Mario Ar Arma mando Natali, I0NAA AA

The he ste stealth alth dish dish Mario Ar Arma mando Natali, I0NAA AA mario.natali@gmail.com ARI ARI Perugia EME Conference 2016, Venice Impedimentum pro occasione arripere Mario Armando Natali , I0NAA The stealt he stealth h dish

607 views • 19 slides
TAXONOMY AND CHALLENGES IN MACHINE LEARNING-BASED APPROACHES TO DETECT ATTACKS IN THE INTERNET

TAXONOMY AND CHALLENGES IN MACHINE LEARNING-BASED APPROACHES TO DETECT ATTACKS IN THE INTERNET

The 15th International Conference on Availability, Reliability and Security (ARES 2020) August 25 to August 28, 2020 in Dublin, Ireland ID-86 workshop paper (IoT-SECFOR) TAXONOMY AND CHALLENGES IN MACHINE LEARNING-BASED APPROACHES TO DETECT

583 views • 13 slides
Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info

Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info

Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info Malware Forensics and Incident Response Anti-Forensics Executables Stealth Techniques Live System Anti-Forensics Process

907 views • 76 slides
Detect ctor Charact cterization fo for the underground gr gravitational-wave detect ctor,

Detect ctor Charact cterization fo for the underground gr gravitational-wave detect ctor,

Detect ctor Charact cterization fo for the underground gr gravitational-wave detect ctor, KAGRA Keiko Kokeyama, Takahiro Yamamoto, Taka-aki Yokozawa, Chihiro Kozakai, Yuta Fujikawa, Shoichi Oshino, Tatsuki Washimi, Alex Urban, Siddharth

400 views • 14 slides
Wi-Fi Advanced Stealth Laurent BUTTI and Franck VEYSSET hack.lu, Luxembourg October 19-21,

Wi-Fi Advanced Stealth Laurent BUTTI and Franck VEYSSET hack.lu, Luxembourg October 19-21,

Wi-Fi Advanced Stealth Laurent BUTTI and Franck VEYSSET hack.lu, Luxembourg October 19-21, 2006 firstname[dot]lastname[AT]francetelecom[dot]com Who Are We? Network security geeks (?) in R&amp;D labs Working for France Telecom -

610 views • 35 slides
Transcultural Identity in European Popular Crime Narratives Slides: Federico Pagello

Transcultural Identity in European Popular Crime Narratives Slides: Federico Pagello

Detecting Transcultural Identity in European Popular Crime Narratives Slides: Federico Pagello (University of Bologna) Mediating Italy in a Global 1 Project overview 1. What is DETECt ? 2. Who is DETECt ? 3. Why DETECt ? 4. DETECt

521 views • 18 slides
Accessing Data in the Cloud Using SAS to read data from Amazon Simple Storage Service (S3)

Accessing Data in the Cloud Using SAS to read data from Amazon Simple Storage Service (S3)

Accessing Data in the Cloud Using SAS to read data from Amazon Simple Storage Service (S3) seleritysas.com What is Amazon Simple Storage Service (S3)? An object store, not a file system Write once, read many (WORM) Eventually

343 views • 12 slides
SB&amp;WRC Project Facility Presentation Sheet: Brighton Waste House Pilot Site April 2019 1.

SB&amp;WRC Project Facility Presentation Sheet: Brighton Waste House Pilot Site April 2019 1.

B SB&amp;WRC Project Facility Presentation Sheet: Brighton Waste House Pilot Site April 2019 1. Presentation of the facility Figure 1: The Waste House (pilot site for prototype 2) in Brighton. Figure 2: Left: Typical wall section before it was

244 views • 9 slides
Detecting routing anomalies using RIPE Atlas Todor Yakimov Graduate School of Informatics

Detecting routing anomalies using RIPE Atlas Todor Yakimov Graduate School of Informatics

Detecting routing anomalies using RIPE Atlas Todor Yakimov Graduate School of Informatics University of Amsterdam Wednesday, February 5, 2014 Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 1 / 17

723 views • 17 slides
Concepts and Materials Needs for Condition-Monitoring Sensors J. E. (Jim) Hardy Leader, Sensor

Concepts and Materials Needs for Condition-Monitoring Sensors J. E. (Jim) Hardy Leader, Sensor

Concepts and Materials Needs for Condition-Monitoring Sensors J. E. (Jim) Hardy Leader, Sensor and Instrument Research Group Oak Ridge National Laboratory 17 th Annual Conference on Fossil Energy Materials April 24, 2003 Outline of

433 views • 24 slides
Manage your analyses workflows with the drake R package Grenoble R Users Group Xavier Laviron

Manage your analyses workflows with the drake R package Grenoble R Users Group Xavier Laviron

Manage your analyses workflows with the drake R package Grenoble R Users Group Xavier Laviron December 6, 2018 A data analysts job 1/23 A data analysts job 2/23 A data analysts job 3/23 A data analysts job 4/23 A data

321 views • 31 slides
Self-supervised Learning of Interpretable Keypoints from Unlabelled Videos

Self-supervised Learning of Interpretable Keypoints from Unlabelled Videos

Self-supervised Learning of Interpretable Keypoints from Unlabelled Videos www.robots.ox.ac.uk/~vgg/research/ Oral presentation, CVPR 2020 unsupervised_pose/ Tomas Jakab Ankush Gupta VGG, University of Oxford DeepMind, London Hakan Bilen

259 views • 14 slides
October 14, 2017, Vienna, Austria Contents of the presentation I. Introduction II.

October 14, 2017, Vienna, Austria Contents of the presentation I. Introduction II.

Legal and Regulatory Framework and Situation for Physical Protection of Nuclear /Radioactive materials in Ethiopia October 14, 2017, Vienna, Austria Contents of the presentation I. Introduction II. Organizational Structure of the

625 views • 25 slides
The Specialist Committee on Stability in Waves Final Report and Recommendations to the 25th ITT C

The Specialist Committee on Stability in Waves Final Report and Recommendations to the 25th ITT C

Proceedings of 25th ITTC Volume II 605 The Specialist Committee on Stability in Waves Final Report and Recommendations to the 25th ITT C 1. INTRODUCTION Professor D. Vassalos (until 2006), Ship Stability Research Centre, UK The

578 views • 36 slides

More recommend