omegalog high fidelity attack investigation via
play

OmegaLog: High-Fidelity Attack Investigation via Transparent - PowerPoint PPT Presentation

Aug 20, 2022 •364 likes •767 views

OmegaLog: High-Fidelity Attack Investigation via Transparent Multi-layer Log Analysis Wajih Ul Hassan , Mohammad A. Noureddine, Pubali Datta, Adam Bates Network and Distributed System Security Symposium (NDSS) 2020 26 February 2020 . 1 State

  1. OmegaLog: High-Fidelity Attack Investigation via Transparent Multi-layer Log Analysis Wajih Ul Hassan , Mohammad A. Noureddine, Pubali Datta, Adam Bates Network and Distributed System Security Symposium (NDSS) 2020 26 February 2020 . 1

  2. State of Data Breaches According to a survey by RSA 73% of cyber analysts have inadequate levels of capability to detect/respond 2 to attack [1] [1] Infographic from: https://link.medium.com/5Omijdiyg4 [2] Survey and image from: https://www.rsa.com/content/dam/en/infographic/rsa-poverty-index-2016-update.pdf 2

  3. Threat Investigation • Audit logs • Maintain a history of events that occur during system execution • System-Level Logs (e.g., Linux Audit) record events at the system call granularity System-level Log Process 1234 created from firefox.exe …… Process 1234 reads from IP y.y.y.y Process 1234 writes file ~\Downloads\A.pdf …… Process 1234 reads from IP z.z.z.z Process 1234 writes file ~\Downloads\Mal.exe …… 3

  4. Data Provenance Z.Z.Z.Z • To simplify investigation, we can parse system logs into data provenance graphs Firefox ○ Vertex : File, Socket, Process, etc. ○ Edge : Causal event (i.e., syscall) ~\Downloads\Mal.exe • Find root cause of the attack symptom ■ Backward Tracing Mal.exe • Find the ramification of the attack ■ Forward Tracing X.X.X.X 4

  5. Case Study: SQL Injection Attack • A simple WordPress website hosted on a web server Input Requests Httpd Instance PostgreSQL Database Httpd Instance HAProxy • In addition to system logs, the different components (load balancer, server, database) also log application events . • Attacker performed SQL injection to steal credentials and used Wordpress file plugin to change website content. 5

  6. Investigation using Application Logs • Investigator knows that “accounts” table was accessed by attack • Grep PostgreSQL query logs to find out which query read the “accounts” table content. • It returned the following query from the PostgreSQL logs: PostgreSQL … SELECT * FROM users WHERE user_id=123 UNION SELECT password FROM accounts; … • Query indicates SQL injection attack 6

  7. Investigation using Application Logs • However, admin is unable to proceed further in the investigation using application event logs alone. • HAProxy and Apache logs contain important evidence related to SQL injection attack • Cannot associate with PostgreSQL log • Do not capture workflow dependencies between applications • Grep will not work on these logs because SQL query was not in URL 7

  8. Investigation using Application Logs • However, admin is unable to proceed HAProxy … further in the investigation using haproxy[30291]: x.x.x.x:45292 [TIME REMOVED] app- http-in~app-bd/httpd-2 10/0/30/69/109 200 2750 POST /wordpress/ wp-admin/admin-ajax.php 200 application event logs alone. … ??? • HAProxy and Apache logs contain Apache Httpd important evidence related to SQL … y.y.y.y POST /wordpress/wp-admin/admin- ajax.php 200 - http://shopping.com/wordpress/ injection attack wp-admin/ admin.php?page=file-manager_setting … • Cannot associate with PostgreSQL log ??? PostgreSQL • Do not capture workflow dependencies between … applications SELECT * FROM users WHERE user_id=123 UNION SELECT password FROM accounts; • Grep will not work on these logs because SQL … query was not in URL 8

  9. Investigation using System Logs • To proceed investigation, now admin uses a system-level provenance graph • It allows admin to trace dependencies across applications. • Malicious query read database file: / usr/local/db/datafile.db • Admin issues backward tracing query from that file • Return provenance graph 9

  10. Investigation using System Logs False Dependencies v v • Dependency Explosion: One v output event depends on all the preceding input events on the HAProxy same process v v Two Challenges: • There is only one root- cause (web request) of sql 1) Dependency Explosion injection attack index.html Apache Httpd 2) Semantic Gap user.php • Semantic Gap: Lacks v semantic information v present in application logs /usr/local/db/datafile.db PostgreSQL 10

  11. OmegaLog A provenance tracker that transparently solves both the dependency explosion and semantic gap problems 11

  12. OmegaLog • Solves dependency explosion problem by identifying event-handling loop through the application log sequences • Each iteration of event-handling loop is considered one semantically independent execution unit (BEEP NDSS’13)… • But unlike BEEP, no instrumentation or training is required! • Tackles semantic gap problem by grafting application event logs onto the system-level provenance graphs 12

  13. Do applications log inside the event-handling loop? • 15 applications with no logging: • Light-weight apps • GUI apps 13

  14. Consist of 3 Phases: Static Binary Runtime OmegaLog Analysis Phase Phase Workflow Investigation Phase 14

  15. Static Binary Analysis Phase 1. Identify log message printing functions App • Separate normal file writes from log file writes Binary e.g., logMsg(…); ap_log_error(…); • Used heuristics to find them • Well-known logging libraries (log4c) functions • Functions writing to /var/log/ 15

  16. Static Binary Analysis Phase 2. Find call sites to those functions and concretize log message string (LMS) passed App Binary as argument • Use symbolic execution Static Analysis “Opened file “%s”” “Accepted connection with id %d” 16

  17. Static Binary Analysis Phase 2. Find call sites to those functions and concretize log message string (LMS) passed App Binary as argument • Use symbolic execution Static Analysis “Opened file “%s”” “Accepted connection with id %d” 3. Build regex from concretized log message strings for runtime matching “Opened file “.*”” “Accepted connection with id [0-9]+” 17

  18. Static Binary Analysis Phase 4. Perform control flow analysis App Generate a set of all valid log message control flow • Binary paths that can occur during execution Control Code Snippet flow paths Static Analysis log(“Server started”); // log1 log1 while(...) { log1 log(“Accepted Connection”); // log2 log2 ... /*Handle request here*/ LMS log(“Closed Connection”); // log3 log3 Paths DB } log4 log(“Server stopped”); // log4 log4 Log message control flow paths will guide OmegaLog to identify event- handling loop and partition execution of application into execution units 18

  19. Runtime Phase • We collect whole-system logs using Linux Audit space User- App Process Module App kernel Binary Linux LKM Audit • A custom Linux Kernel Module (LKM) Static • Intercepts write system calls System Analysis Enhanced Log LMS • Catch application log messages LMS • Add PID/TID to log message Paths DB • Allow us to combine log message with corresponding system-level log entry. 19

  20. Runtime Phase • We collect whole-system logs using Linux Audit space User- App Process Module App kernel Binary Linux LKM • A custom Linux Kernel Module (LKM) Audit • Intercepts write system calls Static System Analysis Enhanced Log LMS • Catch application log messages LMS • Add PID/TID to log message Universal Paths DB Provenance Log • Allow us to combine log message with corresponding system-level log entry. • Unify system logs and runtime log messages into universal provenance log 20

  21. Investigation Phase • Given a symptom of an attack, OmegaLog uses space User- App Process App • Log message control flow paths database kernel Binary Linux LKM Audit • Universal provenance log Static • Log parser partitions the system log into units System Analysis Enhanced Log LMS • By matching application log messages in universal provenance log with log message string control flow paths LMS Universal Paths DB • Generates execution partition graph Provenance Log Log Parser Symptom 21

  22. Investigation Phase • Given a symptom of an attack, OmegaLog uses space User- App Process App • Log message control flow paths database kernel Binary Linux LKM Audit • Universal provenance log Static • Log parser partitions the system log into units System Analysis Enhanced Log LMS • By matching application log messages in universal provenance log with log message string control flow paths LMS Universal Paths DB • Generates execution partition graph Provenance Log • Then add application log messages vertices to Log Parser Symptom execution-partitioned provenance graph • Final output: universal provenance graph Universal Provenance Graphs 22

  23. Back to our case study 23

  24. Provenance graph Application Logs v v HAProxy v … haproxy[30291]: x.x.x.x:45292 [TIME REMOVED] app- http-in~app-bd/httpd-2 10/0/30/69/109 200 2750 HAProxy POST /wordpress/ wp-admin/admin-ajax.php 200 … v v ??? Apache Httpd … y.y.y.y POST /wordpress/wp-admin/admin- index.html ajax.php 200 - http://shopping.com/wordpress/ Apache Httpd wp-admin/ admin.php?page=file-manager_setting … user.php ??? v v PostgreSQL … SELECT * FROM users WHERE user_id=123 UNION SELECT password FROM accounts; /usr/local/db/datafile.db PostgreSQL … 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ACHIEVING HIGH FIDELITY ASSERTIVE COMMUNITY TREATMENT THROUGH THE IMPLEMENTATION OF FIDELITY

ACHIEVING HIGH FIDELITY ASSERTIVE COMMUNITY TREATMENT THROUGH THE IMPLEMENTATION OF FIDELITY

ACHIEVING HIGH FIDELITY ASSERTIVE COMMUNITY TREATMENT THROUGH THE IMPLEMENTATION OF FIDELITY EVALUATION AND TECHNICAL ASSISTANCE Lorna Moser, Ph.D. ACT TA Center Center for Excellence in Community Mental Health, UNC Department of Psychiatry

691 views • 46 slides
1 L Nov-29-05 SMD157, High-Fidelity Prototyping Overview Prototyping revisited

1 L Nov-29-05 SMD157, High-Fidelity Prototyping Overview Prototyping revisited

INSTITUTIONEN FR SYSTEMTEKNIK LULE TEKNISKA UNIVERSITET High-Fidelity Prototyping and Flash SMD157 Human-Computer Interaction Fall 2005 1 L Nov-29-05 SMD157, High-Fidelity Prototyping Overview Prototyping revisited

689 views • 10 slides
High-fidelity Accelerated Design of High-performance Electrochemical Systems Rachel Kurchin

High-fidelity Accelerated Design of High-performance Electrochemical Systems Rachel Kurchin

High-fidelity Accelerated Design of High-performance Electrochemical Systems Rachel Kurchin Postdoctoral Fellow, Carnegie Mellon University 2 Our Team CMU Citrine Informatics Julia Computing MIT QuantumScape External

78 views • 6 slides
High Fidelity Imaging Rick Perley, NRAO-Socorro Twelfth Synthesis Imaging Workshop 2010 June

High Fidelity Imaging Rick Perley, NRAO-Socorro Twelfth Synthesis Imaging Workshop 2010 June

High Fidelity Imaging Rick Perley, NRAO-Socorro Twelfth Synthesis Imaging Workshop 2010 June 8-15 1 What is High Fidelity Imaging? Getting the Correct Image limited only by noise. The best dynamic ranges (brightness

595 views • 33 slides
AIQL : Enabling Efficient Attack Investigation from System Monitoring Data Peng Gao 1 , Xusheng

AIQL : Enabling Efficient Attack Investigation from System Monitoring Data Peng Gao 1 , Xusheng

AI AIQL : Enabling Efficient Attack Investigation from System Monitoring Data Peng Gao 1 , Xusheng Xiao 2 , Zhichun Li 3 , Kangkook Jee 3 , Fengyuan Xu 4 , Sanjeev R. Kulkarni 1 , Prateek Mittal 1 1 Princeton University 2 Case Western Reserve

800 views • 34 slides
RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking Y.

RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking Y.

RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking Y. Ji, S. Lee, E. Downing, et.al. CCS17 Presented by: Mohammad A. Noureddine CS563 Fall 2018 No Shortage of Recent Breaches! 1 Investigating

804 views • 28 slides
Reproducible Network Research With High-Fidelity Emula<on Nikhil

Reproducible Network Research With High-Fidelity Emula<on Nikhil

Reproducible Network Research With High-Fidelity Emula<on Nikhil Handigol + , Brandon Heller + , Bob Lantz * , Vimal Jeyakumar + , Nick McKeown + + Stanford

813 views • 65 slides
Nursing Students Perceptions of Satisfaction and Self-Confidence with High Fidelity Simulation

Nursing Students Perceptions of Satisfaction and Self-Confidence with High Fidelity Simulation

Nursing Students Perceptions of Satisfaction and Self-Confidence with High Fidelity Simulation Geraldine M. Berkvam, MSN, RN, FNP, PHN Department of Nursing and Health Sciences California State University, East Bay, Hayward, CA, USA

351 views • 19 slides
AjaxTracker: Active Measurement System for High-Fidelity Characterization of AJAX Applications

AjaxTracker: Active Measurement System for High-Fidelity Characterization of AJAX Applications

AjaxTracker: Active Measurement System for High-Fidelity Characterization of AJAX Applications Myungjin Lee , Ramana Rao Kompella, Sumeet Singh Purdue University, Cisco Systems Wind of changes Asynchronous Javascript Migration

503 views • 22 slides
High-fidelity Numerical Simulations of Collapsing Cavitation Bubbles Near Solid and Elastically

High-fidelity Numerical Simulations of Collapsing Cavitation Bubbles Near Solid and Elastically

High-fidelity Numerical Simulations of Collapsing Cavitation Bubbles Near Solid and Elastically Deformable Objects Mauro Rodriguez 1 , Shahaboddin Beig 1 , Zhen Xu 2 , and Eric Johnsen 1 1 Department of Mechanical Engineering, University of

422 views • 26 slides
HIGH-FIDELITY AERO-STRUCTURAL DESIGN OPTIMIZATION OF A SUPERSONIC BUSINESS JET Joaquim R. R. A.

HIGH-FIDELITY AERO-STRUCTURAL DESIGN OPTIMIZATION OF A SUPERSONIC BUSINESS JET Joaquim R. R. A.

HIGH-FIDELITY AERO-STRUCTURAL DESIGN OPTIMIZATION OF A SUPERSONIC BUSINESS JET Joaquim R. R. A. Martins Juan J. Alonso James J. Reuther Department of Aeronautics and Astronautics Stanford University AIAA Structures, Structural Dynamics and

580 views • 28 slides
Electron Volt neutron spectroscopy at high- and low-q investigation of high energy excitations

Electron Volt neutron spectroscopy at high- and low-q investigation of high energy excitations

Electron Volt neutron spectroscopy at high- and low-q investigation of high energy excitations in condensed matter and detector development Antonino Pietropaolo 06-05-2004 OUTLINE Physical context Kinematical constraints

282 views • 24 slides
High-Fidelity Venus Surface Conditions using the Glenn Extreme Environment Rig: First Results

High-Fidelity Venus Surface Conditions using the Glenn Extreme Environment Rig: First Results

Reaction of Basaltic Materials under High-Fidelity Venus Surface Conditions using the Glenn Extreme Environment Rig: First Results Brandon Radoman-Shaw (CWRU) bgs21@case.edu Ralph Harvey (CWRU) Gustavo C. C. C. Costa (NASA-GRC) Leah Nakley

169 views • 15 slides
Gasification of Plastic Waste: Kinetic Evaluation and High Fidelity Numerical Simulation Isam

Gasification of Plastic Waste: Kinetic Evaluation and High Fidelity Numerical Simulation Isam

NAXOS 2018 Gasification of Plastic Waste: Kinetic Evaluation and High Fidelity Numerical Simulation Isam Janajreh Idowu Adeyemi Dept. Of Mechanical & Materials Engineering Khalifa University of Science & Technology, Masdar Campus Abu Dhabi,

714 views • 25 slides
AERO-STRUCTURAL WING DESIGN OPTIMIZATION USING HIGH-FIDELITY SENSITIVITY ANALYSIS Joaquim R. R.

AERO-STRUCTURAL WING DESIGN OPTIMIZATION USING HIGH-FIDELITY SENSITIVITY ANALYSIS Joaquim R. R.

AERO-STRUCTURAL WING DESIGN OPTIMIZATION USING HIGH-FIDELITY SENSITIVITY ANALYSIS Joaquim R. R. A. Martins Juan J. Alonso James Reuther Department of Aeronautics and Astronautics Stanford University CEAS Conference on Multidisciplinary

731 views • 26 slides
5/8/2018 The Journey to Implementation Fidelity in High School Settings The Boggs Center on

5/8/2018 The Journey to Implementation Fidelity in High School Settings The Boggs Center on

5/8/2018 The Journey to Implementation Fidelity in High School Settings The Boggs Center on Developmental Disabilities Rutgers, The State University of New Jersey In Partnership with the Offices of Special Education New Jersey Department of

227 views • 20 slides
write less. do more. who am I? DataMapper what is jquery? unobtrusive h1 { color: #999; }

write less. do more. who am I? DataMapper what is jquery? unobtrusive h1 { color: #999; }

write less. do more. who am I? DataMapper what is jquery? unobtrusive h1 { color: #999; } css h1 { color: #999; } h1 { color: #999; } UJS With jQuery $(h1).click(function() { $(this).fadeIn(); }); Why do we like CSS?

2.58k views • 193 slides
Demystifying Drupal AJAX Callback Commands http://nyccamp.org/node/287 NYC CAMP 2015 #NYCcamp

Demystifying Drupal AJAX Callback Commands http://nyccamp.org/node/287 NYC CAMP 2015 #NYCcamp

Demystifying Drupal AJAX Callback Commands http://nyccamp.org/node/287 NYC CAMP 2015 #NYCcamp Goals of this Session Explain what AJAX callback commands are Demonstrate how to use AJAX callback commands Outline how to create AJAX callback

815 views • 57 slides
Javascript GParamSpec *pspec; /* Party code attribute */ pspec = g_param_spec_uint64

Javascript GParamSpec *pspec; /* Party code attribute */ pspec = g_param_spec_uint64

static void _f_do_barnacle_install_properties(GObjectClass *gobject_class) { Javascript GParamSpec *pspec; /* Party code attribute */ pspec = g_param_spec_uint64 (F_DO_BARNACLE_CODE, web development... and more "Barnacle code.",

1.08k views • 59 slides
The DOM Scripting Toolkit: jQuery Remy Sharp Left Logic Why JS Libraries? DOM scripting

The DOM Scripting Toolkit: jQuery Remy Sharp Left Logic Why JS Libraries? DOM scripting

The DOM Scripting Toolkit: jQuery Remy Sharp Left Logic Why JS Libraries? DOM scripting made easy Why JS Libraries? DOM scripting made easy Cross browser work done for you Why JS Libraries? DOM scripting made easy Cross

1.46k views • 92 slides
Introduction to Document Object Model Every thing in browsing window is Object DOM is

Introduction to Document Object Model Every thing in browsing window is Object DOM is

Introduction to Document Object Model Every thing in browsing window is Object DOM is an API for valid HTML and well formed XML documents EXtensible Markup Language XML is a markup language much like HTML XML was designed

682 views • 27 slides
Introduction to www.icefaces.org ICESOFT TECHNOLOGIES INC. Introduction to ICEfaces What

Introduction to www.icefaces.org ICESOFT TECHNOLOGIES INC. Introduction to ICEfaces What

Introduction to www.icefaces.org ICESOFT TECHNOLOGIES INC. Introduction to ICEfaces What is ICEfaces? An Internet technology that will allow you to easily build rich highly interactive web applications An AJAX Framework A

723 views • 39 slides
Jquery and OpenCms Matt Butcher Aleph-Null, Inc. http://aleph-null.tv The Strengths of OpenCms

Jquery and OpenCms Matt Butcher Aleph-Null, Inc. http://aleph-null.tv The Strengths of OpenCms

Jquery and OpenCms Matt Butcher Aleph-Null, Inc. http://aleph-null.tv The Strengths of OpenCms Built on Mature Core Technologies Solid Object-Oriented Architecture Feature-packed Workplace JSP for Templates, Structured XML for

331 views • 10 slides
AJAX Lab. de Bases de Dados e Aplicaes Web MIEIC, FEUP 2010/11 Srgio Nunes Server calls

AJAX Lab. de Bases de Dados e Aplicaes Web MIEIC, FEUP 2010/11 Srgio Nunes Server calls

AJAX Lab. de Bases de Dados e Aplicaes Web MIEIC, FEUP 2010/11 Srgio Nunes Server calls from web pages using JavaScript call HTTP data Motivation The traditional request-response cycle in web applications is synchronous. With

552 views • 20 slides

More recommend