system health and intrusion monitoring system health and
play

System Health and Intrusion Monitoring System Health and Intrusion - PowerPoint PPT Presentation

Sep 04, 2023 •184 likes •462 views

Advanced Security Research System Health and Intrusion Monitoring System Health and Intrusion Monitoring Using a Hierarchy of Constraints Using a Hierarchy of Constraints Calvin Ko Calvin Ko , Network Associates, Inc. NAI Labs , Network

  1. Advanced Security Research System Health and Intrusion Monitoring System Health and Intrusion Monitoring Using a Hierarchy of Constraints Using a Hierarchy of Constraints Calvin Ko Calvin Ko , Network Associates, Inc. NAI Labs , Network Associates, Inc. NAI Labs Jeff Rowe Jeff Rowe University of California, Davis University of California, Davis October 2001

  2. Advanced Security Research Abstract IDS Model Abstract IDS Model Detect Historical Detect actions by the effect/manifestation of Behavior attackers the attacker’s actions Attacks / Rules Vulnerabilities Intended/Expected Behavior ID Result Engine Audit Data (e.g., Kernel Audit trails, Network packets, Syslog, …) RAID 2001-2

  3. Advanced Security Research System Health and Intrusion Monitoring (SHIM) System Health and Intrusion Monitoring (SHIM) • Extend existing specification-based detection work • Employ a hierarchy of constraints/specifications – describe healthy/correct operation of a system – capture static behavior, dynamic behavior, time- dependent behavior of different components at different levels of abstraction – detect manifestations of attacks or security errors regardless of the cause • Utilize data at all levels – network, host, OS kernel, application • Reason about the specifications RAID 2001-3

  4. Advanced Security Research Top Level Threats addressed by SHIM Top Level Threats addressed by SHIM • Remote-to-Local, Remote-to-Root • User-to-Root • Insider – exceeding his/her privileges – misusing his/her privileges • Trojan Horses • Denial of Services • Masqueraders & Probing • Privileged processes – setuid root programs, servers/daemons, administrator processes RAID 2001-4

  5. Advanced Security Research Constraint Model Constraint Model Temporal/Interaction Operational Integrity System-wide Resource Usage Data Integrity System Services Access Host Programs and Network Protocols Applications RAID 2001-5

  6. Advanced Security Research Constraint Development Constraint Development Security Functionality & Attack / Policies, Design System Vulnerability Principles Semantics Models Hierarchical Configuration, Higher Level Constraint historical behavior, Constraints Model & system policy Constraints RAID 2001-6

  7. Advanced Security Research Roadmap Roadmap • Technical objective • Approach and Rationale • Useful types of constraints • Program constraints • Protocol constraints • High level constraints • Ongoing and Future Work RAID 2001-7

  8. Advanced Security Research Useful Types of Constraints Useful Types of Constraints • Policy on Users – Files a user can access – Resources a user is allowed to possess • Protocol Specifications -- operational view – Defines allowable transitions – Defines allowable time in a given state • Protocol Specifications -- message content – Mappings delivered by DNS should accurately represent view of authoritative router – IP addresses are not spoofed RAID 2001-8

  9. Advanced Security Research Useful Types of Constraints (cont.) Useful Types of Constraints (cont.) • Protocols -- Invariant and assumptions – IP Routers approximate Kirchoff’s law – Packets are not sniffed by third-party – Packet source must be a non-congested/non-DOSed host • Programs -- valid access constraints – Programs access only certain objects • Programs - Interaction constraints – program interaction should not change the semantic • Data Integrity – e.g., passwords, other authentication information – authorization information, process table RAID 2001-9

  10. Advanced Security Research Access Constraints for Programs Access Constraints for Programs • Can Detect – remote users gain local accesses – local users gain additional privileges – Trojan Horses • Work well for many programs, e.g., passwd, lpr, lprm, lpq, fingerd, at, atq, … • Some program can potentially access many files, e.g., httpd, ftpd – break the execution into pieces (or threadlets) . Define the valid access for each threadlets. – Threadlet defined by transition operations RAID 2001-10

  11. Advanced Security Research Component-Specific Constraints Component-Specific Constraints • Privileged programs – e.g., Ftp daemon • Read files that are world readable • Write files that are owned by the user • Execute only /bin/ls, /bin/gzip, /bin/tar, /bin/compress • Critical Data – E.g., The password file in a Unix system should be in the correct form and each user should have a password. RAID 2001-11

  12. Advanced Security Research General Constraints General Constraints • A privileged process should discard all its privileges and capabilities before it gives control to a user. • The temporary file for a program should be accessible only by the program execution and should be removed when the program exits • An application should read only configuration files owned by the user that it is running as RAID 2001-12

  13. Advanced Security Research Prototype SHIM Host Monitor Prototype SHIM Host Monitor SHIM Analyzer Modules Constraints / Specifications SHIM SHIM Monitor Monitor SHIM Compiler Other Control sources Agile Kernel Auditor SHIM Analyzer Module Linux or Solaris Kernel RAID 2001-13

  14. Advanced Security Research Protocol Constraints Protocol Constraints • Address Resolution Protocol (ARP) – For mapping between the Ethernet layer and the IP layer – Hosts on the network query all machines for their Ethernet-to- IP assignments before sending to a new IP address. Hosts typically keep a local list of mappings ( the ARP cache ) to avoid repetitive queries • ARP Cache Poisoning – Unsolicited Response – Bogus Request – Bogus Response – Both a spurious Request and a spurious Response RAID 2001-14

  15. Advanced Security Research An ARP Specification An ARP Specification ARP Request ARP Request ARP Response i reply_wait cached ARP cache timeout RAID 2001-15

  16. Advanced Security Research Unsolicited ARP Response Unsolicited ARP Response ARP REPLY to victim blanc.cs.ucdavis.edu IS-AT 08:00:20:23:71:52 • ARP reply will be accepted by a victim machine, even though it hasn’t sent a request. • Sending a arbitrary IP to Ethernet mapping will poison the victim’s ARP cache. • Sending an unsolicited response to the broadcast Ethernet address poisons the cache of all machines (Solaris, Windows, Linux). RAID 2001-16

  17. Advanced Security Research Bogus ARP Request Bogus ARP Request ARP REQUEST WHO-HAS olympus.cs.ucdavis.edu TELL blanc.cs.ucdavis.edu at 08:00:20:23:71:52 • ARP implementations cache entries based upon broadcast requests. • Even if the host isn’t involved in any resolution their cache will update with the information contained in third-party requests. • Sending out an request with bogus sender information poisons everyone’s cache. RAID 2001-17

  18. Advanced Security Research An ARP Specification An ARP Specification Bogus ARP Unsolicited ARP alarm Response Response Malformed ARP Request Request ARP Request ARP Response i reply_wait cached ARP cache timeout RAID 2001-18

  19. Advanced Security Research ARP Monitor Implementation ARP Monitor Implementation • Built on the snort open-source IDS platform - Uses the snort preprocessor plug-in feature - No measurable difference in baseline IDS performance due to the low volume of ARP traffic. • Single ARP correctness specification catches all five ARP vulnerabilities RAID 2001-19

  20. Advanced Security Research A DHCP Specification A DHCP Specification • Dynamic Host Configuration Protocol (DHCP) – provides centralized management of client workstation configuration parameters – Distributed servers cooperatively allocate client parameters, even across sub-networks. • DHCP typically configures – IP address allocation – Gateway router address – DNS servers RAID 2001-20

  21. Advanced Security Research DHCP Messages DHCP Messages From Server Message Use • DHCPOFFER Server to client in response to DHCPDISCOVER with offer of configuration parameters. • DHCPACK Server to client with configuration parameters, including committed network address. • DHCPNAK Server to client indicating client's notion of network address is incorrect (e.g., client has moved to new subnet) or client's lease as expired From Clients Message Use • DHCPDISCOVER Client broadcast to locate available servers. • DHCPREQUEST Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of previously allocated address after, e.g., system reboot, or (c) extending the lease on a particular network address. • DHCPDECLINE Client to server indicating network address is already in use. • DHCPRELEASE Client to server relinquishing network address and cancelling remaining lease. • DHCPINFORM Client to server, asking only for local configuration parameters; client already has externally configured network address. RAID 2001-21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Public Abstract Structural Health-Monitoring System for Develop a self-sustained Integrated

Public Abstract Structural Health-Monitoring System for Develop a self-sustained Integrated

Integration of Self-Sustained Wireless Public Abstract Structural Health-Monitoring System for Develop a self-sustained Integrated Structural Health Highway Bridges Monitoring (ISHM) system with remote sensing capability by Holds

385 views • 6 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
A Sensor Fusion Wearable Health-Monitoring System with Haptic Feedback F. Sanfilippo 1 and K. Y.

A Sensor Fusion Wearable Health-Monitoring System with Haptic Feedback F. Sanfilippo 1 and K. Y.

Introduction System Architecture Simulation Results, Conclusion and Future Work References A Sensor Fusion Wearable Health-Monitoring System with Haptic Feedback F. Sanfilippo 1 and K. Y. Pettersen 2 1Department of Maritime Technology and

739 views • 18 slides
MONITORING CAREGIVER HEALTH: MONITORING CAREGIVER HEALTH: SURVEILLANCE FROM THE BEHAVIORAL RISK

MONITORING CAREGIVER HEALTH: MONITORING CAREGIVER HEALTH: SURVEILLANCE FROM THE BEHAVIORAL RISK

MONITORING CAREGIVER HEALTH: MONITORING CAREGIVER HEALTH: SURVEILLANCE FROM THE BEHAVIORAL RISK FACTOR SURVEILLANCE SYSTEM Elena M. Andresen, PhD & Erin DeFries Bouldin, MPH U i University Of Florida it Of Fl id October, 2010

416 views • 22 slides
Ohio Department of Health: Public Health Response Monitoring situation Health alerts (HAN)

Ohio Department of Health: Public Health Response Monitoring situation Health alerts (HAN)

Ohio Department of Health: Public Health Response Monitoring situation Health alerts (HAN) Directors Journal Entry Press Release Ohio Disease Reporting System (ODRS) 2019-nCoV Module Evaluating patients under

190 views • 16 slides
KOREAN AERO-VEHICLE STRUCTURAL HEALTH MONITORING SYSTEM C. Y. Park 1* , J.-H. Kim 1 , S.-M. Jun 1

KOREAN AERO-VEHICLE STRUCTURAL HEALTH MONITORING SYSTEM C. Y. Park 1* , J.-H. Kim 1 , S.-M. Jun 1

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS KOREAN AERO-VEHICLE STRUCTURAL HEALTH MONITORING SYSTEM C. Y. Park 1* , J.-H. Kim 1 , S.-M. Jun 1 1 The 7 th R&D Institute-2, Agency for Defense Development, Daejeon, Korea *

239 views • 5 slides
Is Equity an Attainable Health System Goal? Grantmakers In Health Annual Meeting on Health

Is Equity an Attainable Health System Goal? Grantmakers In Health Annual Meeting on Health

Is Equity an Attainable Health System Goal? Grantmakers In Health Annual Meeting on Health Philanthropy Baltimore, Maryland March 7, 2012 Alan Weil Executive Director National Academy for State Health Policy 2 Health Care Costs 3 Health

828 views • 58 slides
INTEGRATION OF HEALTH MONITORING SYSTEM FOR COMPOSITE ROTORS P. Kostka 1 * , K. Holeczek 2 , A.

INTEGRATION OF HEALTH MONITORING SYSTEM FOR COMPOSITE ROTORS P. Kostka 1 * , K. Holeczek 2 , A.

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS INTEGRATION OF HEALTH MONITORING SYSTEM FOR COMPOSITE ROTORS P. Kostka 1 * , K. Holeczek 2 , A. Filippatos 2 , W. Hufenbach 1 1 Institute of Lightweight Engineering and Polymer Technology,

74 views • 5 slides
Motivations Monitoring (the eigenstructure of) a (linear) system: On sensors positioning

Motivations Monitoring (the eigenstructure of) a (linear) system: On sensors positioning

Motivations Monitoring (the eigenstructure of) a (linear) system: On sensors positioning identification, damage detection and localization. for Structural Health Monitoring For given monitoring requirements: How to achieve optimum

677 views • 4 slides
Health System Matrix: Providing a perspective into the provincial health system In the majority

Health System Matrix: Providing a perspective into the provincial health system In the majority

Health System Matrix: Providing a perspective into the provincial health system In the majority of conditions, the First Nations prevalence rate was stable or improved between 2008/09 and 2014/15 No Difference with Other Stable Rates Gap

677 views • 13 slides
of Work ACHIs Scope of Work Health Policy & System Integration Health Health Access to

of Work ACHIs Scope of Work Health Policy & System Integration Health Health Access to

ACHI Scope of Work ACHIs Scope of Work Health Policy & System Integration Health Health Access to Promotion & Care Needed Disease Finance Quality Care Prevention Health System Financing in Transition 1910 Flexner Report

828 views • 13 slides
Health Behaviors Coach A New Job Description for a New Health Care System A Proposal from The

Health Behaviors Coach A New Job Description for a New Health Care System A Proposal from The

Health Behaviors Coach A New Job Description for a New Health Care System A Proposal from The Montana Medical Association November 9, 2015 THE HEALTH CARE SYSTEM IS CHANGING Financing for the Health Care System is changing away from fee for

242 views • 12 slides
I mproving Community Health and Working to Contain Costs Foote Health System Health &

I mproving Community Health and Working to Contain Costs Foote Health System Health &

I mproving Community Health and Working to Contain Costs Foote Health System Health & Productivity Management Its Your Life Services Healthy Lifestyle Out Of Reach? Amy Schultz, MD, MPH March 12, 2008 OUR MISSION We lead our

457 views • 44 slides
Towards Smart Health Monitoring System for Elderly People Achraf Ben Ahmed, Yumiko Kimezawa,

Towards Smart Health Monitoring System for Elderly People Achraf Ben Ahmed, Yumiko Kimezawa,

The 4th International Conference on Awareness Science and Technology August 21-24, 2012, Korea University, Seoul, Korea Towards Smart Health Monitoring System for Elderly People Achraf Ben Ahmed, Yumiko Kimezawa, Abderazek Ben Abdallah

997 views • 42 slides
Building a Foundation for Gre reater Health Access Health Care System Challenges A New Era in

Building a Foundation for Gre reater Health Access Health Care System Challenges A New Era in

Building a Foundation for Gre reater Health Access Health Care System Challenges A New Era in Health & Health Care Campaign Vision All Americans have access to high-quality, patient-centered care in a health care system where nurses

343 views • 19 slides
HEALTH SYSTEM REFORM AND THE DEMAND FOR HEALTH CARE Lecture 8 It has long been claimed that health

HEALTH SYSTEM REFORM AND THE DEMAND FOR HEALTH CARE Lecture 8 It has long been claimed that health

12/11/2012 HEALTH SYSTEM REFORM AND THE DEMAND FOR HEALTH CARE Lecture 8 It has long been claimed that health spending has to be brought under control Health policy in Europe over the last two decades has been increasingly bedevilled by the

545 views • 7 slides
IP Fragmentation and Reassembly IP datagrams can be up to 65,535 bytes much larger

IP Fragmentation and Reassembly IP datagrams can be up to 65,535 bytes much larger

IP Fragmentation and Reassembly IP datagrams can be up to 65,535 bytes much larger than most networks can transmit in one packet Each network type defines maximum transmission unit (MTU) maximum number of bytes that can be

1.01k views • 23 slides
ilab Lab 1+2 The Basics / Static Routing ISO/OSI Layer Model (1979-1983) Applications, e.g.

ilab Lab 1+2 The Basics / Static Routing ISO/OSI Layer Model (1979-1983) Applications, e.g.

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen ilab Lab 1+2 The Basics / Static Routing ISO/OSI Layer Model (1979-1983) Applications, e.g. HTTP, FTP, 7 Application Layer

804 views • 55 slides
Computer Networks - Xarxes de Computadors Outline Course Syllabus Unit 1: Introduction Unit 2.

Computer Networks - Xarxes de Computadors Outline Course Syllabus Unit 1: Introduction Unit 2.

Xarxes de Computadors Computer Networks Computer Networks - Xarxes de Computadors Outline Course Syllabus Unit 1: Introduction Unit 2. IP Networks Unit 3. Point to Point Protocols -TCP Unit 4. LANs Unit 5. Data Transmission 1 Lloren

1.13k views • 87 slides
The Internet 2011-10-10 Saturday, 3 December 2011 The internet has grown through cooperation and

The Internet 2011-10-10 Saturday, 3 December 2011 The internet has grown through cooperation and

The Internet 2011-10-10 Saturday, 3 December 2011 The internet has grown through cooperation and interconnection between countless local networks. In principle the internet accepts information from any source and makes best e fg orts to deliver

505 views • 25 slides
Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger The

868 views • 21 slides
9 Data Link Layer Data Link Layer LAN Address (more) Why both MAC and IP address? Answer:

9 Data Link Layer Data Link Layer LAN Address (more) Why both MAC and IP address? Answer:

Data Link Layer Data Link Layer Taking Turns MAC protocols Taking Turns MAC protocols Token passing: Polling: T control token passed master node from one node to next invites slave nodes data sequentially. to

448 views • 7 slides
Support of Cross Calls between Microprocessor and FPGA in CPU-FPGA Coupling Architecture G.

Support of Cross Calls between Microprocessor and FPGA in CPU-FPGA Coupling Architecture G.

Support of Cross Calls between Microprocessor and FPGA in CPU-FPGA Coupling Architecture G. NguyenThiHuong and Seon Wook Kim Microarchitecture and Compiler Laboratory School of Electrical Engineering Korea University Motivation

416 views • 19 slides
ECPE / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition

ECPE / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition

ECPE / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition Course Organization Top-Down! Starting with Applications / App programming Then Transport Layer (TCP/UDP) Then Network Layer (IP)

695 views • 31 slides

More recommend