survivor a fine grained intrusion response and recovery
play

Survivor: A Fine-Grained Intrusion Response and Recovery Approach - PowerPoint PPT Presentation

Nov 22, 2023 •245 likes •820 views

Survivor: A Fine-Grained Intrusion Response and Recovery Approach for Commodity Operating Systems ACSAC, December 13th, 2019 1 HP Labs, United Kingdom (ronny.chevalier@hp.com, david.plaquin@hp.com, cid@hp.com) 2 CIDRE Team,

  1. Survivor: A Fine-Grained Intrusion Response and Recovery Approach for Commodity Operating Systems ACSAC, December 13th, 2019 1 HP Labs, United Kingdom (ronny.chevalier@hp.com, david.plaquin@hp.com, cid@hp.com) 2 CIDRE Team, CentraleSupélec/Inria/CNRS/IRISA, France (ronny.chevalier@centralesupelec.fr, guillaume.hiet@centralesupelec.fr) Ronny Chevalier 1,2 David Plaquin 1 Chris Dalton 1 Guillaume Hiet 2

  2. Agenda Problem Statement Approach and Prototype Evaluation Conclusion 1

  3. Preventive Security is not Sufficient Examples of preventive security mechanisms • Access control • Cryptography • Firewalls 2

  4. Preventive Security is not Sufficient Examples of preventive security mechanisms • Access control • Cryptography • Firewalls Attackers will eventually bypass our security policy • (Unknown) vulnerability • System not updated • Misconfiguration 2

  5. Preventive Security is not Sufficient Examples of preventive security mechanisms • Access control • Cryptography • Firewalls Attackers will eventually bypass our security policy • (Unknown) vulnerability • System not updated • Misconfiguration Operating systems should not only prevent but detect and survive intrusions 2

  6. Commodity Operating Systems Can Detect but Cannot Survive Intrusions e.g., Antivirus software share many aspects of host-based IDSs 2 2Morin and Mé, “Intrusion detection and virology: an analysis of differences, similarities and complementariness”. 3 Intrusion Detection Systems 1 exist in commodity OSs 1Anderson, Computer Security Threat Monitoring and Surveillance ; Denning, “An Intrusion-Detection Model”.

  7. Commodity Operating Systems Can Detect but Cannot Survive Intrusions e.g., Antivirus software share many aspects of host-based IDSs 2 What can we do after a system has been compromised? Eventually we want to patch the system 2Morin and Mé, “Intrusion detection and virology: an analysis of differences, similarities and complementariness”. 3 Intrusion Detection Systems 1 exist in commodity OSs 1Anderson, Computer Security Threat Monitoring and Surveillance ; Denning, “An Intrusion-Detection Model”.

  8. Commodity Operating Systems Can Detect but Cannot Survive Intrusions e.g., Antivirus software share many aspects of host-based IDSs 2 What can we do after a system has been compromised? Eventually we want to patch the system What should we do while waiting for the patches? Deliver service despite the attacker’s presence 2Morin and Mé, “Intrusion detection and virology: an analysis of differences, similarities and complementariness”. 3 Intrusion Detection Systems 1 exist in commodity OSs 1Anderson, Computer Security Threat Monitoring and Surveillance ; Denning, “An Intrusion-Detection Model”.

  9. • Limitations: the system is still vulnerable and can be reinfected • Limitations: coarse-grained responses and few host-based solutions Related Work: Survivability, Recovery, and Response Intrusion Survivability 3 • Trade-off between the availability and the security risk Intrusion Recovery 4 • Restore the system in a safe state when an intrusion is detected Intrusion Response 5 • Limit the impact of an intrusion on the system 4 • Limitations: lack of focus on commodity OSs 3Knight and Strunk, “Achieving Critical System Survivability Through Software Architectures”; Ellison et al., Survivable Network Systems: An emerging discipline .

  10. • Limitations: coarse-grained responses and few host-based solutions Related Work: Survivability, Recovery, and Response Intrusion Survivability 3 • Trade-off between the availability and the security risk Intrusion Recovery 4 • Restore the system in a safe state when an intrusion is detected Intrusion Response 5 • Limit the impact of an intrusion on the system 4Goel et al., “The Taser Intrusion Recovery System”; Xiong, Jia, and Liu, “SHELF: Preserving Business Continuity and Availability in an Intrusion Recovery System”. 4 • Limitations: lack of focus on commodity OSs • Limitations: the system is still vulnerable and can be reinfected 3Knight and Strunk, “Achieving Critical System Survivability Through Software Architectures”; Ellison et al., Survivable Network Systems: An emerging discipline .

  11. Related Work: Survivability, Recovery, and Response Intrusion Survivability 3 • Trade-off between the availability and the security risk Intrusion Recovery 4 • Restore the system in a safe state when an intrusion is detected Intrusion Response 5 • Limit the impact of an intrusion on the system 4Goel et al., “The Taser Intrusion Recovery System”; Xiong, Jia, and Liu, “SHELF: Preserving Business Continuity and Availability in an Intrusion Recovery System”. 5Balepin et al., “Using Specification-Based Intrusion Detection for Automated Response”; Shameli-Sendi, Cheriet, and Hamou-Lhadj, “Taxonomy of Intrusion Risk Assessment and Response System”. 4 • Limitations: lack of focus on commodity OSs • Limitations: the system is still vulnerable and can be reinfected • Limitations: coarse-grained responses and few host-based solutions 3Knight and Strunk, “Achieving Critical System Survivability Through Software Architectures”; Ellison et al., Survivable Network Systems: An emerging discipline .

  12. Related Work: Survivability, Recovery, and Response Intrusion Survivability 3 • Trade-off between the availability and the security risk Intrusion Recovery 4 • Restore the system in a safe state when an intrusion is detected Intrusion Response 5 • Limit the impact of an intrusion on the system Existing approaches do not allow commodity OSs to survive intrusions while maintaining the availability of the services 4Goel et al., “The Taser Intrusion Recovery System”; Xiong, Jia, and Liu, “SHELF: Preserving Business Continuity and Availability in an Intrusion Recovery System”. 5Balepin et al., “Using Specification-Based Intrusion Detection for Automated Response”; Shameli-Sendi, Cheriet, and Hamou-Lhadj, “Taxonomy of Intrusion Risk Assessment and Response System”. 4 • Limitations: lack of focus on commodity OSs • Limitations: the system is still vulnerable and can be reinfected • Limitations: coarse-grained responses and few host-based solutions 3Knight and Strunk, “Achieving Critical System Survivability Through Software Architectures”; Ellison et al., Survivable Network Systems: An emerging discipline .

  13. Problem Addressed availability and security risk ? Prevent Detect Survive 5 How to design an OS so that it can survive ongoing intrusions by making a trade-off between

  14. Agenda Problem Statement Approach and Prototype Evaluation Conclusion 6

  15. Running Example Service: Gitea, a Git Self-Hosting Server Open source clone of Github (git repositories, bug tracking,...) Intrusion: Ransomware It compromises data availability 7

  16. Approach Overview Illustrative Example Running Example Gitea infected with some ransomware When Detected • Recovery: We restore the service and the encrypted files to a previous state • Apply restrictions: We remove the ability to write on the file system Positive Impact Degraded Mode 8 If the ransomware reinfects the service → cannot compromise the files Users can no longer push to repositories → trade-off between availability and security risk

  17. Approach Overview Checkpoint & Log Store Store Checkpoint Log Checkpoint Monitor Logs States Detection During the normal operation of the system Intrusion Filesystem Network Devices Apache Gitea Operating System 9 Service n

  18. Approach Overview Checkpoint & Log Store Store Checkpoint Log Checkpoint Monitor Logs States Detection During the normal operation of the system Intrusion Filesystem Network Devices Apache Gitea Operating System 9 Service n

  19. Approach Overview 1. Periodic checkpointing Store Store Checkpoint Log Checkpoint Monitor Logs States Checkpoint & Log During the normal operation of the system Detection Intrusion Filesystem Network Devices Apache Gitea Operating System 9 Service n

  20. Approach Overview 1. Periodic checkpointing Store Store Checkpoint Log Checkpoint Monitor Logs States 2. Log file write accesses Checkpoint & Log During the normal operation of the system Detection Intrusion Filesystem Network Devices Apache Gitea Operating System 9 Service n

  21. Approach Overview States Use Use files Restore restrictions Apply service Restore Alert Monitor Logs / How our approach allows the system to survive intrusions after their detection? Policies Recovery & Response Detection Intrusion Filesystem Network Devices Apache Gitea Operating System 10 Service n

  22. Approach Overview States Use Use files Restore restrictions Apply service Restore Alert Monitor Logs / How our approach allows the system to survive intrusions after their detection? Policies Recovery & Response Detection Intrusion Filesystem Network Devices Apache Gitea Operating System 10 Service n

  23. Approach Overview Logs / Use Use files Restore restrictions Apply service Restore Alert Monitor States Policies How our approach allows the system to survive intrusions after their detection? 1. Restore infected objects Recovery & Response Detection Intrusion Filesystem Network Devices Apache Gitea Operating System 10 Service n

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fine-Grained Geographic Communication (Geocast) Nexus Workshop Frank Drr 23.07.2003 1

Fine-Grained Geographic Communication (Geocast) Nexus Workshop Frank Drr 23.07.2003 1

Fine-Grained Geographic Communication (Geocast) Nexus Workshop Frank Drr 23.07.2003 1 Overview Motivation Requirements for Fine-Grained Geocast Location Model for Fine-Grained Geographic Addressing Summary Related Work

752 views • 18 slides
Mechanized Verification of Fine-grained Concurrent Programs Ilya Sergey Aleks Nanevski

Mechanized Verification of Fine-grained Concurrent Programs Ilya Sergey Aleks Nanevski

Mechanized Verification of Fine-grained Concurrent Programs Ilya Sergey Aleks Nanevski Anindya Banerjee PLDI 2015 Terminology Coarse-grained Concurrency synchronisation between threads via locks ; Fine-grained

973 views • 72 slides
Parts of Speech More Fine-Grained Classes More

Parts of Speech More Fine-Grained Classes More

Parts of Speech More Fine-Grained Classes More Fine-Grained Classes Actually , I ran home extremely quickly yesterday The closed classes Example of POS tagging The Penn Treebank Part-of-Speech

747 views • 54 slides
Fine Grained Access Control Fine-Grained Access Control Fine Grained Access Control

Fine Grained Access Control Fine-Grained Access Control Fine Grained Access Control

Fine Grained Access Control Fine-Grained Access Control Fine Grained Access Control Fine-grained access control examples: p g Students can see their own grades Students can see grades of all students in courses they registered for

548 views • 34 slides
Fine-grained Visual Analysis: From Classification to Retrieval Yi-Zhe Song SketchX Lab, CVSSP,

Fine-grained Visual Analysis: From Classification to Retrieval Yi-Zhe Song SketchX Lab, CVSSP,

Fine-grained Visual Analysis: From Classification to Retrieval Yi-Zhe Song SketchX Lab, CVSSP, University of Surrey, UK http://sketchx.ai Why fine-grained? Dog Dog Dog I am not just a dog Why fine-grained? Husky

615 views • 24 slides
Fine-grained Image Recognition Lei Wang VILA group School of Computing and Information

Fine-grained Image Recognition Lei Wang VILA group School of Computing and Information

Learning Kernel-matrix-based Representation for Fine-grained Image Recognition Lei Wang VILA group School of Computing and Information Technology University of Wollongong, Australia 11-Dec-2019 Introduction Fine-grained image recognition

1.56k views • 58 slides
TRILL Fine Grained Labeling Donald Eastlake 3 rd Huawei

TRILL Fine Grained Labeling Donald Eastlake 3 rd Huawei

TRILL Fine Grained Labeling Donald Eastlake 3 rd Huawei Technologies d3e3e3@gmail.com November 2011 TRILL WG 1 Fine Grained Labeling A way to

469 views • 8 slides
Addressing Inter-Class Similarity in Fine-Grained Visual Classification Abhimanyu Dubey

Addressing Inter-Class Similarity in Fine-Grained Visual Classification Abhimanyu Dubey

Addressing Inter-Class Similarity in Fine-Grained Visual Classification Abhimanyu Dubey Collaborators: Nikhil Naik, Ryan Farrell, Otkrist Gupta, Pei Guo, Ramesh Raskar Fine-Grained Visual Classification - Image classification with target

760 views • 35 slides
On the Correctness Criteria of Fine-Grained Access Control in Relational Databases Qihua Wang,

On the Correctness Criteria of Fine-Grained Access Control in Relational Databases Qihua Wang,

On the Correctness Criteria of Fine-Grained Access Control in Relational Databases Qihua Wang, Ting Yu, Ninghui Li Jorge Lobo, Elisa Bertino Keith Irwin, Ji-Won Byun Outline Introduction Correctness Criteria A Fine-Grained Access

1.21k views • 51 slides
Fine-Grained Power Modeling for Smartphones Using System Call Tracing Based on paper and

Fine-Grained Power Modeling for Smartphones Using System Call Tracing Based on paper and

Fine-Grained Power Modeling for Smartphones Using System Call Tracing Based on paper and presentation by: Abhinav Pathak, Y. Charlie Hu, Ming Zhang Paramvir Bahl, Yi-Min Wang Damian Rodziewicz Fine-Grained Power Modeling for Smartphones

701 views • 33 slides
Fine-Grained Access Control Fine Grained Access Control Fine-grained access control examples:

Fine-Grained Access Control Fine Grained Access Control Fine-grained access control examples:

Fine-Grained Access Control Fine Grained Access Control Fine-grained access control examples: Students can see their own grades Students can see their own grades Students can see grades of all students in courses they registered for

338 views • 17 slides
Detecting and Surviving Intrusions Exploring New Host-Based Intrusion Detection, Recovery, and

Detecting and Surviving Intrusions Exploring New Host-Based Intrusion Detection, Recovery, and

Detecting and Surviving Intrusions Exploring New Host-Based Intrusion Detection, Recovery, and Response Approaches Ph.D. Thesis Defense December 17th, 2019 1 HP Labs (ronny.chevalier@hp.com) 2 CIDRE Team, CentraleSuplec/Inria/CNRS/IRISA

1.66k views • 140 slides
Fine Grained Coordinated Parallelism in a Real World Application Mohammad Rezaei, PhD June 2012

Fine Grained Coordinated Parallelism in a Real World Application Mohammad Rezaei, PhD June 2012

Fine Grained Coordinated Parallelism in a Real World Application Mohammad Rezaei, PhD June 2012 1 Outline Types of parallelism Algorithm description Why fine grained parallelism? Concurrency is hard no, its different

419 views • 19 slides
Mesos A Platform for Fine-Grained Resource Sharing in the

Mesos A Platform for Fine-Grained Resource Sharing in the

Mesos A Platform for Fine-Grained Resource Sharing in the Data Center Benjamin Hindman, Andy Konwinski, Matei Zaharia , Ali Ghodsi, Anthony Joseph,

438 views • 32 slides
Enhancing Fine- Grained Parallelism Loop vectorization, Loop distribution, Scalar expansion

Enhancing Fine- Grained Parallelism Loop vectorization, Loop distribution, Scalar expansion

Enhancing Fine- Grained Parallelism Loop vectorization, Loop distribution, Scalar expansion Scalar and array renaming 1 Fine-Grained Parallelism Theorem 2.8. A sequential loop can be converted to a parallel loop if the loop carries no

606 views • 41 slides
Fine-Grained Tracking of Grid Infections Ashish Gehani SRI Basim Baig, Salman Mahmood, Dawood

Fine-Grained Tracking of Grid Infections Ashish Gehani SRI Basim Baig, Salman Mahmood, Dawood

Fine-Grained Tracking of Grid Infections Ashish Gehani SRI Basim Baig, Salman Mahmood, Dawood Tariq, Fareed Zaffar LUMS Fine-Grained Tracking of Grid Infections p. 1/18 Introduction Grid semantics Not middleware-specific Distributed

644 views • 18 slides
Recommendations for Prevention, Treatment & Recovery Operations during COVID-19 Center for

Recommendations for Prevention, Treatment & Recovery Operations during COVID-19 Center for

Recommendations for Prevention, Treatment & Recovery Operations during COVID-19 Center for Drug Policy & Enforcement Washington/Baltimore HIDTA COVID-19 Substance Use Task Force Opening Remarks Tom Carr Executive Director of the Center

329 views • 14 slides
PSFQ: A Reliable Transport Protocol for Wireless Sensor Networks Chieh-Yih Wan, Andrew Campbell,

PSFQ: A Reliable Transport Protocol for Wireless Sensor Networks Chieh-Yih Wan, Andrew Campbell,

PSFQ: A Reliable Transport Protocol for Wireless Sensor Networks Chieh-Yih Wan, Andrew Campbell, Lakshman Krishnamurthy WSNA02 (JSAC05) Adopted from the in Adopted from the in- -class presentation by class presentation by Thanos

586 views • 39 slides
Innovative Ways to Fund Harm Reduction Services New Mexico Laine M. Snow, MSW HIV Service

Innovative Ways to Fund Harm Reduction Services New Mexico Laine M. Snow, MSW HIV Service

Innovative Ways to Fund Harm Reduction Services New Mexico Laine M. Snow, MSW HIV Service Program Manager New Mexico Department of Health Hepatitis and Harm Reduction Program 1190 S. St. Francis Drive, Suite S1300, Santa Fe, NM 87505

601 views • 15 slides
COVID-19 Economic Recovery Capital Region Public Sector Impacts CDRPC Planning and Zoning Webinar

COVID-19 Economic Recovery Capital Region Public Sector Impacts CDRPC Planning and Zoning Webinar

COVID-19 Economic Recovery Capital Region Public Sector Impacts CDRPC Planning and Zoning Webinar Laura Schultz Director of Fiscal Analysis and Senior Economist May 14, 2020 DISCLAIMER DISCLAIM IMER New York State on PAUSE was enacted

512 views • 19 slides
Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at

Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at

Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google Joseph Bonneau, Elie Bursztein (elieb@google.com), Ilan Caron, Rob Jackson, Michael Williamson Anti-fraud and abuse research group Secret

548 views • 26 slides
Microsoft Hyper-V Backup & Recovery 15+ Years 100+ Countries 60,000+ Businesses Vembu BDR

Microsoft Hyper-V Backup & Recovery 15+ Years 100+ Countries 60,000+ Businesses Vembu BDR

Vembu BDR Suite Webinar on Best Practices & Considerations for Microsoft Hyper-V Backup & Recovery 15+ Years 100+ Countries 60,000+ Businesses Vembu BDR Suite Vembu BDR Suite is a portfolio of products designed to backup multiple

461 views • 20 slides
Exploring Implicit Memory for Painless Password Recovery Tamara Denning ,* Kevin Bowers,*

Exploring Implicit Memory for Painless Password Recovery Tamara Denning ,* Kevin Bowers,*

Exploring Implicit Memory for Painless Password Recovery Tamara Denning ,* Kevin Bowers,* Marten van Dijk,* Ari Juels* *RSA Laboratories University of Washington Talk Goals Novel authentication concept is not implausible. Future

299 views • 12 slides
Aries: A Transaction Recovery Method Slides modified by Rachel Pottinger from slides from

Aries: A Transaction Recovery Method Slides modified by Rachel Pottinger from slides from

Aries: A Transaction Recovery Method Slides modified by Rachel Pottinger from slides from Database Management Systems by Ramakrishnan and Gehrke ACID Properties A tomicity: Either all actions in the Xact occur, or none occur. C

871 views • 28 slides

More recommend