
Monitoring For Attacks (Slides mostly stolen from Dave Wagner) - PowerPoint PPT Presentation



  1. Monitoring For Attacks (Slides mostly stolen from Dave Wagner)
     Computer Science 161, Fall 2016, Popa and Weaver

  2. The Security Triad...
     Stolen from: Daniel Schatz @virturity

  3. The Next Two Lectures...
     • Today: The technology of detecting attacks
     • Tuesday: The abuse of scalable NIDS
       • NSA bulk surveillance: XKEYSCORE
       • Chinese censorship: The "Great Firewall of China"
       • Chinese attack: The "Great Cannon"

  4. Structure of FooCorp Web Services
     [Figure: Remote client → Internet → FooCorp’s border router → Front-end web server → bin/amazeme -p xxx (FooCorp’s servers). Step 2: GET /amazeme.exe?profile=xxx; step 8: 200 OK, output of bin/amazeme.]

  5. Network Intrusion Detection
     • Approach #1: look at the network traffic
       • (a “NIDS”: rhymes with “kids”)
     • Scan HTTP requests
     • Look for “/etc/passwd” and/or “../../” in requests
       • Indicates attempts to get files that the web server shouldn't provide

  6. Structure of FooCorp Web Services
     [Figure: same architecture as slide 4, with a NIDS attached at the border router. The monitor sees a copy of incoming/outgoing HTTP traffic. Step 2: GET /amazeme.exe?profile=xxx; step 8: 200 OK, output of bin/amazeme.]

  7. Network Intrusion Detection
     • Approach #1: look at the network traffic
       • (a “NIDS”: rhymes with “kids”)
     • Scan HTTP requests
     • Look for “/etc/passwd” and/or “../../”
     • Pros:
       • No need to touch or trust end systems
       • Can “bolt on” security
       • Cheap: cover many systems w/ single monitor
       • Cheap: centralized management

  8. How They Work: Scalable Network Intrusion Detection Systems
     [Figure: Tap (100 Gbps at LBNL) → High Volume Filter (“Is Not BitTorrent?”, done in OpenFlow: install) → Load Balancer, H(SIP, DIP) → NIDS Node, NIDS Node, NIDS Node (1u gives 1-5 Gbps). Linear scaling: 10x the money... 10x the bandwidth!]

  9. Inside the NIDS
     [Figure: raw packet streams (“GET HT TP /fu bar/ 1.1..”, “GET HTTP /b az/?id= 1f413 1.1...”, “220 mail.domain.target ESMTP Sendmail...”) reassembled and parsed into protocol fields: HTTP Request URL = /fubar/, Host = ....; HTTP Request URL = /baz/?id=..., ID = 1f413; Sendmail From = someguy@..., To = otherguy@....]

  10. Network Intrusion Detection (NIDS)
     • NIDS has a table of all active connections, and maintains state for each
       • e.g., has it seen a partial match of /etc/passwd?
     • What do you do when you see a new packet not associated with any known connection?
       • Create a new connection: when NIDS starts it doesn’t know what connections might be existing
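The per-connection state described on this slide, as an added example that is not part of the lecture: a toy Python matcher that keeps a short tail of each connection's bytes so a signature split across two packets is still found, next to a stateless per-packet matcher for contrast. The packets, the connection tuple, the host name and the signature list are all constructed for the demo.

```python
"""Added example (not from the lecture): a toy NIDS content matcher that keeps
per-connection state so a signature split across packets is still found.
Connections are keyed by a constructed (src ip, src port, dst ip, dst port)
tuple; every packet below is constructed for the demo."""
from dataclasses import dataclass, field

# Signatures from the slides; plain byte-string rules, no HTTP parsing yet.
SIGNATURES = (b"/etc/passwd", b"../../")


@dataclass
class ConnState:
    # Last few bytes seen on the connection: the "partial match" state that
    # lets a signature that started in an earlier packet be completed later.
    tail: bytes = b""
    alerts: list = field(default_factory=list)


class ToyNIDS:
    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures
        # Keep one byte fewer than the longest signature: enough to complete
        # any signature whose first bytes were in a previous packet.
        self.keep = max(len(s) for s in signatures) - 1
        self.connections = {}  # 4-tuple -> ConnState

    def packet(self, key, payload):
        # A packet for a connection we have never seen: create its state, since
        # the monitor may have started after the connection did.
        state = self.connections.setdefault(key, ConnState())
        window = state.tail + payload
        for sig in self.signatures:
            start = window.find(sig)
            while start != -1:
                # Report only matches that end inside this packet; a match that
                # lies entirely in the kept tail was reported on an earlier packet.
                if start + len(sig) > len(state.tail):
                    state.alerts.append(sig)
                start = window.find(sig, start + 1)
        state.tail = window[-self.keep:] if self.keep else b""
        return list(state.alerts)


def per_packet_only(packets, signatures=SIGNATURES):
    """Stateless matcher for contrast: inspects each packet in isolation."""
    return [sig for p in packets for sig in signatures if sig in p]


# Constructed two-packet request whose "/etc/passwd" straddles the boundary.
CONN = ("203.0.113.7", 40000, "192.0.2.10", 80)
PACKETS = [
    b"GET /amazeme.exe?profile=../../etc/p",
    b"asswd HTTP/1.1\r\nHost: www.foocorp.example\r\n\r\n",
]


def stateful_alerts(packets=PACKETS, key=CONN):
    """Feed the packets through the per-connection matcher; return its alerts."""
    nids = ToyNIDS()
    for p in packets:
        nids.packet(key, p)
    return nids.connections[key].alerts


if __name__ == "__main__":
    print("stateless :", per_packet_only(PACKETS))   # misses /etc/passwd
    print("stateful  :", stateful_alerts())           # finds both signatures
```

The stateless matcher sees only `../../`; the stateful one also completes `/etc/passwd` from the second packet. A real NIDS reassembles the TCP stream rather than keeping a fixed tail, and has to decide what to do with the RST case on the next slide, which this toy does not address.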

  11. Evasion
     • What should NIDS do if it sees a RST packet?
       [Figure: packets carrying “/etc/p” and then a RST, arriving at the NIDS]
       • Assume RST will be received?
       • Assume RST won’t be received?
       • Other (please specify)

  12. Evasion
     • What should NIDS do if it sees this? /%65%74%63/%70%61%73%73%77%64
       • Alert – it’s an attack
       • No alert – it’s all good
       • Other (please specify)

  13. Evasion
     • Evasion attacks arise when you have “double parsing”
       • Inconsistency - interpreted differently between the monitor and the end system
       • Ambiguity - information needed to interpret correctly is missing

  14. Evasion Attacks (High-Level View)
     • Some evasions reflect incomplete analysis
       • In our FooCorp example, hex escapes or “..////.//../” alias
       • In principle, can deal with these with implementation care (make sure we fully understand the spec)
       • Of course, in practice things inevitably fall through the cracks!
     • Some are due to imperfect observability
       • For instance, if what NIDS sees doesn’t exactly match what arrives at the destination

  15. Network-Based Detection
     • Issues:
       • Scan for “/etc/passwd”?
         • What about other sensitive files?
       • Scan for “../../”?
         • Sometimes seen in legit. requests (= false positive)
         • What about “%2e%2e%2f%2e%2e%2f”? (= evasion)
           • Okay, need to do full HTTP parsing
         • What about “..///.///..////”?
           • Okay, need to understand Unix filename semantics too!
       • What if it’s HTTPS and not HTTP?
         • Need access to decrypted text / session key – yuck!

  16. Host-based Intrusion Detection
     • Approach #2: instrument the web server
       • Host-based IDS (sometimes called “HIDS”)
     • Scan ?arguments sent to back-end programs
       • Look for “/etc/passwd” and/or “../../”

  17. Structure of FooCorp Web Services
     [Figure: same architecture as slide 4, with HIDS instrumentation added inside the front-end web server. Step 4: amazeme.exe?profile=xxx handed to bin/amazeme -p xxx; step 6: output of bin/amazeme sent back.]

  18. Host-based Intrusion Detection
     • Approach #2: instrument the web server
       • Host-based IDS (sometimes called “HIDS”)
     • Scan ?arguments sent to back-end programs
       • Look for “/etc/passwd” and/or “../../”
     • Pros:
       • No problems with HTTP complexities like %-escapes
       • Works for encrypted HTTPS!
     • Issues:
       • Have to add code to each (possibly different) web server
       • And that effort only helps with detecting web server attacks
       • Still have to consider Unix filename semantics (“..////.//”)
       • Still have to consider other sensitive files

  19. Log Analysis
     • Approach #3: each night, script runs to analyze log files generated by web servers
     • Again scan ?arguments sent to back-end programs

  20. Structure of FooCorp Web Services
     [Figure: same architecture as slide 4; the nightly analysis of logs runs at the front-end web server.]

  21. Log Analysis
     • Approach #3: each night, script runs to analyze log files generated by web servers
     • Again scan ?arguments sent to back-end programs
     • Pros:
       • Cheap: web servers generally already have such logging facilities built into them
       • No problems like %-escapes, encrypted HTTPS
     • Issues:
       • Again must consider filename tricks, other sensitive files
       • Can’t block attacks & prevent from happening
       • Detection delayed, so attack damage may compound
       • If the attack is a compromise, then malware might be able to alter the logs before they’re analyzed
         • (Not a problem for directory traversal information leak example)
         • Also can be mitigated by using a separate log server
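An added example, not the lecture's code, that serves the “Evasion” and “Network-Based Detection” slides as well as this one: a nightly log-analysis pass in Python over constructed Apache-style access-log lines. It extracts the ?profile= argument, decodes it exactly once (as the server would), resolves it with Unix path semantics against an assumed profile directory /srv/foocorp/profiles, and reports sensitive-file reads and directory traversal. The naive substring rule from the NIDS slides is evaluated alongside, so the hex-escape and “..////.//” evasions and the legit.-request false positive are visible. Only bin/amazeme and the profile= parameter come from the slides; the directory, the watch list, the addresses and the log lines are assumed or constructed.

```python
"""Added example (not the lecture's code): nightly log analysis in the style of
Approach #3 that handles the evasions from the Evasion / Network-Based
Detection slides. Log lines are constructed in Apache combined-log style;
the profile directory, hostnames and addresses are assumed."""
import posixpath
import re
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

PROFILE_DIR = "/srv/foocorp/profiles"          # assumed: where bin/amazeme -p reads
SENSITIVE = {"/etc/passwd", "/etc/shadow"}     # constructed watch list, extend per site


def profile_arg(target):
    """Return the ?profile= value decoded exactly once, as the server decodes it
    (decoding twice would be another monitor/end-system inconsistency)."""
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name == "profile":
            return value
    return None


def resolve_profile(decoded_arg):
    """Apply Unix filename semantics: join with the profile directory and
    collapse '.', '..' and repeated slashes; an absolute argument replaces it."""
    return posixpath.normpath(posixpath.join(PROFILE_DIR, decoded_arg))


def classify(decoded_arg):
    resolved = resolve_profile(decoded_arg)
    if resolved in SENSITIVE:
        return "sensitive-file"
    if resolved != PROFILE_DIR and not resolved.startswith(PROFILE_DIR + "/"):
        return "traversal"
    return "ok"


def naive_flag(target):
    """The first-cut substring rule from the NIDS slides, on the raw request."""
    return "/etc/passwd" in target or "../../" in target


def analyse(log_text):
    """Return (client ip, verdict, naive rule fired) for each profile request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        arg = profile_arg(m.group("target"))
        if arg is None:
            continue                      # no ?profile= argument to inspect
        findings.append((m.group("ip"), classify(arg), naive_flag(m.group("target"))))
    return findings


# Constructed access-log sample: one benign request, three traversal variants
# (plain, hex-escaped, ..////.// alias), one benign request containing "../../".
LOG_LINES = """\
203.0.113.7 - - [10/Oct/2016:03:12:01 -0700] "GET /amazeme.exe?profile=alice HTTP/1.1" 200 512
203.0.113.8 - - [10/Oct/2016:03:12:05 -0700] "GET /amazeme.exe?profile=../../../etc/passwd HTTP/1.1" 200 1337
203.0.113.9 - - [10/Oct/2016:03:12:09 -0700] "GET /amazeme.exe?profile=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1337
203.0.113.9 - - [10/Oct/2016:03:12:12 -0700] "GET /amazeme.exe?profile=..////.//..//../%65%74%63/%70%61%73%73%77%64 HTTP/1.1" 200 1337
203.0.113.10 - - [10/Oct/2016:03:12:20 -0700] "GET /amazeme.exe?profile=docs/old/../../bob HTTP/1.1" 200 400
"""

if __name__ == "__main__":
    for ip, verdict, naive in analyse(LOG_LINES):
        print(f"{ip:14} {verdict:15} naive-rule-fired={naive}")
```

The substring rule fires on the plain attack and on the benign `docs/old/../../bob` request, and misses both encoded variants; resolving the argument the way the backend would catches all three attack variants and clears the benign one. The slide's caveats still hold: this runs after the fact, cannot block anything, and trusts logs that a compromised host could have altered.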

  22. System Call Monitoring (HIDS)
     • Approach #4: monitor system call activity of backend processes
     • Look for access to /etc/passwd

  23. Structure of FooCorp Web Services
     [Figure: same architecture as slide 4; real-time monitoring of system calls accessing files sits at step 5, bin/amazeme -p xxx.]

  24. System Call Monitoring (HIDS)
     • Approach #4: monitor system call activity of backend processes
     • Look for access to /etc/passwd
     • Pros:
       • No issues with any HTTP complexities
       • May avoid issues with filename tricks
       • Attack only leads to an “alert” if attack succeeded
         • Sensitive file was indeed accessed
     • Issues:
       • Maybe other processes make legit accesses to the sensitive files (false positives)
       • Maybe we’d like to detect attempts even if they fail?
         • “situational awareness”

  25. Detection Accuracy
     • Two types of detector errors:
       • False positive (FP): alerting about a problem when in fact there was no problem
       • False negative (FN): failing to alert about a problem when in fact there was a problem
     • Detector accuracy is often assessed in terms of rates at which these occur:
       • Define I to be the event of an instance of intrusive behavior occurring (something we want to detect)
       • Define A to be the event of detector generating alarm
       • Define:
         • False positive rate = P[A | ¬I]
         • False negative rate = P[¬A | I]

  26. Perfect Detection
     • Is it possible to build a detector for our example with a false negative rate of 0%?
     • Algorithm to detect bad URLs with 0% FN rate:

         #include <stdio.h>

         /* Alerts on every input, so it can never miss an attack (0% FN);
            it also alerts on every benign URL, which is the joke. */
         void my_detector_that_never_misses(char *URL)
         {
             (void)URL;   /* the URL is never even looked at */
             printf("yep, it's an attack!\n");
         }

     • In fact, it works for detecting any bad activity with no false negatives! Woo-hoo!
     • Wow, so what about a detector for bad URLs that has NO FALSE POSITIVES?!
       • printf("nope, not an attack\n");
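An added Python example, not from the slides, that puts numbers on the definitions from the “Detection Accuracy” slide and on the two joke detectors here: it computes P[A | ¬I] and P[¬A | I] over a small constructed labelled sample for the always-alert detector, the never-alert detector, and the substring rule from the NIDS slides. The sample and the detector functions are constructed for the demo.

```python
"""Added example (not from the slides): false positive and false negative
rates, P[A | not I] and P[not A | I], for detectors over a constructed
labelled sample of ?profile= arguments."""
from fractions import Fraction

# Constructed labelled sample: (request argument, is_intrusion)
SAMPLE = [
    ("alice", False),
    ("bob", False),
    ("docs/old/../../carol", False),            # legit, but contains "../../"
    ("../../../etc/passwd", True),
    ("%2e%2e%2f%2e%2e%2fetc%2fpasswd", True),   # same attack, hex-escaped
    ("/etc/passwd", True),
]


def never_misses(arg):
    """The slide's 0% FN 'detector': alerts on everything."""
    return True


def never_false_alarms(arg):
    """The slide's 0% FP 'detector': never alerts."""
    return False


def substring_detector(arg):
    """The first-cut rule from the NIDS slides, applied to the raw argument."""
    return "/etc/passwd" in arg or "../../" in arg


def error_rates(detector, sample):
    """Return (FP rate, FN rate) as exact fractions.
    FP rate = P[A | not I]: fraction of non-intrusions that raise an alarm.
    FN rate = P[not A | I]: fraction of intrusions that raise no alarm."""
    benign = [arg for arg, bad in sample if not bad]
    intrusive = [arg for arg, bad in sample if bad]
    fp = sum(1 for arg in benign if detector(arg))
    fn = sum(1 for arg in intrusive if not detector(arg))
    return Fraction(fp, len(benign)), Fraction(fn, len(intrusive))


if __name__ == "__main__":
    for det in (never_misses, never_false_alarms, substring_detector):
        fp_rate, fn_rate = error_rates(det, SAMPLE)
        print(f"{det.__name__:20} FP rate = {fp_rate}  FN rate = {fn_rate}")
```

The two trivial detectors score a perfect 0 on one rate by scoring the worst possible 1 on the other, which is why neither rate is meaningful on its own; the substring rule lands in between, with one benign “../../” request counted as a false positive and the hex-escaped attack as a false negative.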
