NOSCAM: Sequential System Snapshot Service - PowerPoint PPT Presentation



SLIDE 1

NOSCAM: Sequential System Snapshot Service

Ashish Gehani and Gershon Kedem, Duke University Computer Science

SLIDE 2

Introduction

  • Internet survivability design ≠ Security of single node
  • Growth of Internet → More attacks
  • Valuable resources online → More sophisticated attacks
  • Forensics increasingly required
  • Incidental evidence insufficient → Proactive surveillance

SLIDE 3

Motivation

  • Automated intrusion response
  • Common occurrence:
    – Partial signature match
    – Mild anomalous activity
  • Avoid high false positive rate → No alarm
  • Precautionary measures:
    – Protect system
    – Repair preparation
    – Increased auditing

SLIDE 4

Goals

  • Preserve evidence before attack
  • Store evidence safely
  • No network dependence
  • Capture multiple timeframes
  • Flexible choice of evidence
  • Repeatable analysis of gathered data

SLIDE 5

Architecture - Managing Data

  • Implemented in noscam_db
  • Use SQL database backend
    – Handles concurrency, sorting, indexing
  • Commit baseline during initialization
  • Batch copy of records to immutable form
  • Recover audit trail by copy from immutable form to database

SLIDE 6

Architecture - Audit Generation

  • Implemented in noscam_audit
  • Proactively invokes other utilities
  • Configurable with respect to:
    – Frequency of sampling
    – Priority level at which to activate
    – Whether to copy to immutable form
    – Whether to store deltas
    – Labeling for query organization

SLIDE 7

Architecture - Forensic Querying

  • Implemented in noscam_run
  • Simulate command execution
  • Allow time of execution to be specified

SLIDE 8

Architecture - Overview

SLIDE 9

Implementation - Platform

  • CD writer required
  • Built on Redhat Linux 7.3
  • Borland JDK 1.3
  • MySQL
  • No special features used → Earlier versions should work
  • No cdrecord → No Windows

SLIDE 10

Implementation - ID Interface

  • Uses a ‘priority’ file
  • Contains a single integer
  • Pro: Simplicity
  • Con: Collapses n dimensions to 1
  • Change in value → noscam_audit starts/stops threads

SLIDE 11

Implementation - Threading

  • noscam_audit creates a thread per command–parameters pair
  • Holds a synchronization lock per thread
  • Thread’s outer loop waits on this lock
    – Start/stop thread when priority changes
  • Inner loop periodically invokes command
  • Constant size thread pool drops overhead

SLIDE 12

Implementation - Scope

  • Flexible
  • Examples:
    – Running processes with parameters
    – Creation, access, modification times, cryptographic hashes, contents of files
    – Routing table entries
    – Open files / network connections
    – Disk usage
    – Traces of routes to hosts
    – Port / vulnerability scans of hosts
    – Inserted kernel modules
    – Firewall rules

SLIDE 13

Implementation – Querying

  • Audit trail listing
    – Input: Date, Begin Time, End Time
    – Output: List of events in format: Record ID, Date, Time, Command, Parameters
  • Simulated Execution
    – Input: Record ID
    – Output: Date, Time, Command, Parameters, Standard Output/Error
    – Transparently executes: Output = Baseline + Delta
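The two query operations on this slide, together with the "commit baseline, then store deltas" scheme from the Managing Data slide, as an added example that is not NOSCAM's own code. It keeps the records in a Python list instead of MySQL, encodes a delta as difflib opcodes against the first full snapshot of a command–parameters pair, and reconstructs a later sample's output as baseline + delta when a record is "executed" again. The sample `ps auxw` lines, the class and function names (`AuditTrail`, `make_delta`, `apply_delta`, `listing`, `simulate`) and the ISO timestamp inputs are all my assumptions, not NOSCAM's interface.

```python
import difflib
from datetime import datetime

# Constructed snapshots standing in for two `ps auxw` samples (not real ps output).
PS_BASELINE = ["root 1 init", "root 2 kswapd", "alice 101 sshd: alice@pts/0"]
PS_LATER = ["root 1 init", "root 2 kswapd", "alice 101 sshd: alice@pts/0",
            "mallory 202 nc -l -p 4444"]


def make_delta(base, new):
    """Encode `new` relative to `base` as SequenceMatcher opcodes: unchanged runs are
    stored as index ranges into base, only inserted/replaced lines are stored whole."""
    matcher = difflib.SequenceMatcher(a=base, b=new, autojunk=False)
    delta = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            delta.append(("keep", i1, i2, []))
        elif tag == "delete":
            delta.append(("drop", i1, i2, []))
        else:                                   # "insert" or "replace"
            delta.append(("put", i1, i2, new[j1:j2]))
    return delta


def apply_delta(base, delta):
    """Output = Baseline + Delta."""
    out = []
    for op, i1, i2, lines in delta:
        if op == "keep":
            out.extend(base[i1:i2])
        elif op == "put":
            out.extend(lines)
    return out


class AuditTrail:
    def __init__(self):
        self.records = []       # record id = position + 1, a monotonic key
        self.baseline = {}      # (command, params) -> id of the full snapshot

    def add(self, when, command, params, stdout, stderr="", store_delta=True):
        """`when` is an ISO timestamp, `stdout` a list of lines. With store_delta the first
        sample of a command-parameters pair is the baseline; later ones keep only a delta."""
        key = (command, params)
        rid = len(self.records) + 1
        rec = {"id": rid, "when": datetime.fromisoformat(when), "command": command,
               "params": params, "stderr": stderr}
        if store_delta and key in self.baseline:
            base = self.records[self.baseline[key] - 1]["stdout"]
            rec["base"], rec["delta"] = self.baseline[key], make_delta(base, stdout)
        else:
            rec["stdout"] = stdout
            self.baseline.setdefault(key, rid)
        self.records.append(rec)
        return rid

    def listing(self, day, begin, end):
        """Audit trail listing: (Record ID, Date, Time, Command, Parameters) in the window."""
        lo = datetime.fromisoformat(f"{day} {begin}")
        hi = datetime.fromisoformat(f"{day} {end}")
        return [(r["id"], day, r["when"].time().isoformat(), r["command"], r["params"])
                for r in self.records if lo <= r["when"] <= hi]

    def simulate(self, rid):
        """Simulated execution: replay baseline + delta instead of re-running the command."""
        r = self.records[rid - 1]
        stdout = (apply_delta(self.records[r["base"] - 1]["stdout"], r["delta"])
                  if "delta" in r else r["stdout"])
        return {"date": r["when"].date().isoformat(), "time": r["when"].time().isoformat(),
                "command": r["command"], "params": r["params"],
                "stdout": stdout, "stderr": r["stderr"]}


def demo():
    trail = AuditTrail()
    a = trail.add("2002-06-01 10:00:00", "ps", "auxw", PS_BASELINE)
    b = trail.add("2002-06-01 10:01:00", "ps", "auxw", PS_LATER)
    return trail, a, b


if __name__ == "__main__":
    trail, a, b = demo()
    print(trail.listing("2002-06-01", "10:00:00", "10:30:00"))
    print(trail.simulate(b)["stdout"])      # the extra `nc -l -p 4444` line is back
```

The second `ps` record stores one opcode and one new line rather than the whole process table, which is where the storage savings on the later slide come from; the price is that every delta record depends on its baseline, so a baseline that is lost or tampered with invalidates every sample derived from it, which is a reason to flag baselines as immutable.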

SLIDE 14

Implementation – Immutables

  • Database insertion keyed monotonically
  • noscam_db tracks last commit to CD-R
  • Periodically:
    – Selects all new records
    – Sub-selects those with immutable field set
    – Compresses results
    – Writes to CD-R in new ‘session’
  • Recovery:
    – Read all files from all sessions of all CD-R’s
    – Decompress all files
    – Insert into new NOSCAM database
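The periodic commit and the recovery path on this slide, as an added example rather than NOSCAM's code. An in-memory sqlite3 table with an autoincrement key stands in for the MySQL backend, and a plain list of zlib-compressed JSON blobs stands in for the sessions of one CD-R; `cdrecord` itself is not invoked. `NoscamDB`, `commit_session`, `recover` and the sample records are my assumptions. The commit takes the newest id before selecting, so a record inserted while the batch is being assembled is picked up by the next commit instead of being skipped.

```python
import json
import sqlite3
import zlib

SCHEMA = """
CREATE TABLE IF NOT EXISTS audit (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,   -- monotonic insertion key
    ts        TEXT    NOT NULL,
    command   TEXT    NOT NULL,
    params    TEXT    NOT NULL,
    immutable INTEGER NOT NULL,                    -- 1 = copy to write-once media
    output    TEXT    NOT NULL
)"""


class NoscamDB:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(SCHEMA)
        self.last_commit = 0          # highest id already burned to CD-R

    def insert(self, ts, command, params, output, immutable):
        cur = self.db.execute(
            "INSERT INTO audit (ts, command, params, immutable, output) VALUES (?, ?, ?, ?, ?)",
            (ts, command, params, int(immutable), output))
        self.db.commit()
        return cur.lastrowid

    def newest_id(self):
        return self.db.execute("SELECT COALESCE(MAX(id), 0) FROM audit").fetchone()[0]

    def commit_session(self, disc):
        """One periodic run: select records newer than the last commit, keep those
        flagged immutable, compress them and append one more session to `disc`
        (a list standing in for a new multi-session track on the CD-R)."""
        newest = self.newest_id()     # fix the window first so concurrent inserts are not lost
        rows = self.db.execute(
            "SELECT id, ts, command, params, output FROM audit "
            "WHERE id > ? AND id <= ? AND immutable = 1 ORDER BY id",
            (self.last_commit, newest)).fetchall()
        self.last_commit = newest
        if rows:
            disc.append(zlib.compress(json.dumps(rows).encode("utf-8")))
        return len(rows)

    def ids(self):
        return [r[0] for r in self.db.execute("SELECT id FROM audit ORDER BY id")]


def recover(discs):
    """Rebuild a fresh database from every session of every disc. Original ids are
    kept, so the restored trail is ordered exactly as it was written."""
    fresh = NoscamDB()
    for disc in discs:
        for session in disc:
            for rid, ts, command, params, output in json.loads(zlib.decompress(session)):
                fresh.db.execute(
                    "INSERT INTO audit (id, ts, command, params, immutable, output) "
                    "VALUES (?, ?, ?, ?, 1, ?)", (rid, ts, command, params, output))
    fresh.db.commit()
    fresh.last_commit = fresh.newest_id()
    return fresh


def demo():
    """Constructed run: three records, two commits, then recovery from the disc."""
    db, disc = NoscamDB(), []
    a = db.insert("2002-06-01 10:00:00", "ps", "auxw", "root 1 init", True)
    db.insert("2002-06-01 10:00:05", "ls", "-l /tmp", "total 0", False)
    first = db.commit_session(disc)       # burns record a only
    second = db.commit_session(disc)      # nothing new: no session written
    c = db.insert("2002-06-01 14:00:00", "md5sum", "/root/.ssh2/authorization",
                  "0123456789abcdef0123456789abcdef  authorization", True)   # made-up digest
    third = db.commit_session(disc)       # burns record c in a second session
    return db, disc, recover([disc]), (a, c), (first, second, third)


if __name__ == "__main__":
    db, disc, restored, kept, counts = demo()
    print("sessions:", len(disc), "burned per run:", counts)
    print("live ids:", db.ids(), "restored ids:", restored.ids())
```

Two practical points follow from the design. Only records flagged immutable reach the disc, so the restored trail is a subset of the live one (ids 1 and 3 here, never 2); an investigator must not read a gap in the restored ids as evidence loss. And the write-once property protects a record only from the moment it is burned: between insertion and the next commit an attacker with root can still alter or delete rows in the database, so the commit interval is a trade-off between media consumption and the size of that exposure window.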

SLIDE 15

Implementation – Storage Needs

[Chart: Growth of Noscam Database; x-axis Time (in 10 min units), y-axis Size (in KB); series: Uncompressed, Compressed]

  • 2 hours data in 4 MB
  • 4 MB → Compression → 1.3 MB
  • 6 weeks data on single 700 MB CD-R

SLIDE 16

Implementation – Audit Config

  # Format: <Frequency> <Priority> <Immutable> <Category> <Delta> <Command> <Options>
  60 5 cpu 1 lastcomm
  60 3 1 cpu ps auxw
  600 1 net 1 last
  14400 1 file stat /etc/passwd
  600 7 file ls -l /tmp
  14400 1 file 1 strings /bin/login
  120 3 1 net netstat -a -A inet
  14400 9 file md5sum /root/.ssh2/authorization
  300 3 net route
  600 5 net arp
  3600 5 cpu dmesg
  3600 5 cpu 1 ksyms
  3600 5 cpu 1 sysctl -a
  300 5 cpu 1 lsof -U
  600 4 1 file lsof
  14400 6 hw 1 lspci
  14400 6 hw 1 lsusb
  14400 4 hw 1 lsdev
  14400 4 cpu 1 lsmod
  14400 6 cpu 1 procinfo
  14400 6 cpu 1 rpm -qa
  14400 4 hw 1 cdrecord -scanbus
  300 4 net 1 findsmb
  300 4 file 1 mount
  14400 7 net 1 ifconfig
  3600 6 net 1 iwconfig
  300 4 file 1 df
  3600 4 file 1 du -hs /tmp
  900 4 net 1 ipchains -L
  14400 6 file find / -name core

  (<Immutable> and <Delta> are optional flags: a ‘1’ before the category marks the record for copying to CD-R, a ‘1’ after it stores deltas instead of full output.)
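A parser for the config format above, plus the priority-file gating (ID Interface slide) and the one-thread-per-entry pool whose outer loop waits on a per-thread lock (Threading slide), as an added example and not noscam_audit's Java code. The reading of the two optional `1` flags follows the slide's own lines (`60 3 1 cpu ps auxw` versus `60 5 cpu 1 lastcomm`). One assumption is mine: the slides do not say whether an entry activates when the priority value rises to or falls to its field, so the code treats `<Priority>` as a threshold that the current value must reach. `parse_config`, `Auditor`, `SamplerThread`, `sample_for` and the `tick` scaling are also assumptions; the config excerpt is a constructed subset of the slide.

```python
import threading
import time

# Constructed excerpt in the noscam_audit config format from the slide above
# (a subset of its entries, not the project's own file).
CONFIG = """\
# Format: <Frequency> <Priority> <Immutable> <Category> <Delta> <Command> <Options>
60 5 cpu 1 lastcomm
60 3 1 cpu ps auxw
600 7 file ls -l /tmp
120 3 1 net netstat -a -A inet
14400 9 file md5sum /root/.ssh2/authorization
"""


def parse_line(line):
    """<Immutable> and <Delta> are optional '1' flags; their position relative to
    <Category> (which is never '1') is what tells them apart."""
    toks = line.split()
    entry = {"frequency": int(toks[0]), "priority": int(toks[1])}
    i = 2
    entry["immutable"] = toks[i] == "1"
    if entry["immutable"]:
        i += 1
    entry["category"] = toks[i]
    i += 1
    entry["delta"] = toks[i] == "1"
    if entry["delta"]:
        i += 1
    entry["command"], entry["options"] = toks[i], toks[i + 1:]
    return entry


def parse_config(text):
    return [parse_line(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def is_active(entry, priority):
    # Assumption (the slides do not say which way the threshold works): an entry
    # runs once the integer in the 'priority' file reaches its <Priority> field.
    return entry["priority"] <= priority


def active_commands(entries, priority):
    return sorted(e["command"] for e in entries if is_active(e, priority))


class SamplerThread(threading.Thread):
    """One thread per command-parameters pair: the outer loop parks on `enabled`
    (the per-thread lock); the inner loop samples every <Frequency> * tick seconds."""

    def __init__(self, entry, run_command, tick):
        super().__init__(daemon=True)
        self.entry, self.run_command, self.tick = entry, run_command, tick
        self.enabled, self.stopped = threading.Event(), threading.Event()

    def run(self):
        while not self.stopped.is_set():
            self.enabled.wait()                          # outer loop
            if self.stopped.is_set():
                break
            self.run_command(self.entry)                 # inner loop: one sample ...
            self.stopped.wait(self.entry["frequency"] * self.tick)   # ... then sleep


class Auditor:
    """Constant-size pool: threads live as long as the auditor and are started or
    stopped by flipping their Event when the priority value changes."""

    def __init__(self, entries, run_command, tick=1.0):
        self.threads = [SamplerThread(e, run_command, tick) for e in entries]
        for t in self.threads:
            t.start()

    def set_priority(self, value):           # called when the 'priority' file changes
        for t in self.threads:
            if is_active(t.entry, value):
                t.enabled.set()
            else:
                t.enabled.clear()

    def shutdown(self):
        for t in self.threads:
            t.stopped.set()
            t.enabled.set()                  # release threads parked in wait()
        for t in self.threads:
            t.join()


def sample_for(entries, priority, seconds, tick=0.001):
    """Run the pool at `priority` for `seconds` and report which commands sampled;
    tick=0.001 turns a 60 s frequency into 60 ms so the demo finishes quickly."""
    seen = set()
    auditor = Auditor(entries, lambda e: seen.add(e["command"]), tick)
    auditor.set_priority(priority)
    time.sleep(seconds)
    auditor.shutdown()
    return sorted(seen)


if __name__ == "__main__":
    entries = parse_config(CONFIG)
    print(active_commands(entries, 3))        # ['netstat', 'ps']
    print(sample_for(entries, 5, 0.3))        # ['lastcomm', 'netstat', 'ps']
```

Because every entry gets its own thread, lowering the priority value only parks threads on their Event rather than destroying them, which is the "constant size thread pool" point: the cost of a priority swing is a few Event flips, not thread creation. The single-integer interface is what makes this cheap, and it is also the "collapses n dimensions to 1" limitation the ID Interface slide notes: an intrusion detector that wants only network sampling turned up has no way to say so through one integer.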

SLIDE 17

Future Work

  • Tool to automate:
    – Runtime sampling rate
    – Priority matching with intrusion detector
  • Will monitor:
    – Runtime environment load, variation
    – Extent of:
      • Signature matching
      • Anomalous activity detection
  • Alters ‘Frequency’ and ‘Priority’ fields

SLIDE 18

Related Work – Forensics

  • Data copier – dd
  • Free/slack space reader - graverobber
  • Keyword index/search – glimpse
  • Integrity checker – md5sum, tripwire

SLIDE 19

Related Work - Auditing

  • Large set of actions, limited temporally (unlike NIST Spec)
  • Prevents audit trail modification by committing to write-once media (unlike Crypto Hash Chains, which only detect modification after the fact)
  • Proactive invocation of system utilities (unlike Syslog)
  • No dependence on network (unlike Syslog and RAS)