system intrusions
play

System Intrusions Professor Adam Bates Fall 2018 Security & - PowerPoint PPT Presentation

Apr 02, 2023 •369 likes •730 views

CS 563 - Advanced Computer Security: System Intrusions Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Survey broad topics in the system intrusions area

  1. CS 563 - Advanced Computer Security: System Intrusions Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

  2. Administrative Learning Objectives : • … • Survey broad topics in the “system intrusions” area Announcements : • Reaction paper was due today (and all classes) • Feedback for reaction papers soon • “Preference Proposal” Homework due 9/24 (next slide) • 33 students left in the course as of yesterday • ~= 1 Paper presentation per student? Reminder : Please put away (backlit) devices at the start of class CS423: Operating Systems Design 2 2

  3. System Intrusions We live in an age of high profile data breaches… Operation Aurora: Google Mail was subject to a sustained nation state attack for the entire year of 2009. Security & Privacy Research at Illinois (SPRAI) 11

  4. System Intrusions We live in an age of high profile data breaches… Target loses 70 million credit card numbers… Security & Privacy Research at Illinois (SPRAI) 12

  5. System Intrusions We live in an age of high profile data breaches… DNC loses 30 thousand emails… Security & Privacy Research at Illinois (SPRAI) 13

  6. System Intrusions We live in an age of high profile data breaches… Security & Privacy Research at Illinois (SPRAI) 14

  7. System Intrusions We live in an age of high profile data breaches… Equifax Data Breach Timeline 2017 Breached Detected Breached Announced apr may jun jul aug sep oct Hackers in Patched Equifax Servers Security & Privacy Research at Illinois (SPRAI) 15

  8. System Intrusions We live in an age of high profile data breaches… Equifax Data Breach Timeline 2017 Breached Detected Breached 3 Months of crucial attack audit logs … Announced huge overheads! Humans are very much in the loop … apr may jun jul aug sep oct 1,000’s of hours of forensic analysis! Hackers in Patched Equifax Servers Security & Privacy Research at Illinois (SPRAI) 16

  9. System Intrusions We live in an age of high profile data breaches… How can we make sense of the available forensic data? Can we understand the attacker in time to prevent them from reaching their goal? Security & Privacy Research at Illinois (SPRAI) 17

  10. Backtracking Intrusions Idea: Parse individual system events into relationship graphs System Execution Bash: exec(“./NGINX”); NGINX: recv(…,“abc.com”); Event Log fread(“index.html”); 1. Bash , Spawns NGINX Dependency Graph 2. NGINX, Receives from abc.com 3. NGINX , Reads File index.html Bash abc.com 4. …....... NGINX index.html [King and Chen, SOSP’03] Security & Privacy Research at Illinois (SPRAI) 18

  11. BackTracker Observes OS-level events • Objects: processes, files, filenames • Traces System Call Events: Process/Process, Process/File, Process/Filename • • Alternatives? Why OS level? Constructs dependency graph offline • • Filters graph for more succinct explanations EventLogger mechanism embedded in virtual hypervisor hosting target system • Security & Privacy Research at Illinois (SPRAI) 19

  12. BackTracker Observes OS-level events • Objects: processes, files, filenames • Traces System Call Events: Process/Process, Process/File, Process/Filename • • Alternatives? Why OS level? Constructs dependency graph offline • • Filters graph for more succinct explanations EventLogger mechanism embedded in virtual hypervisor hosting target system • Is BackTracker a reference monitor? Security & Privacy Research at Illinois (SPRAI) 20

  13. Dependency Types • High-Control Events: Events through which an attacker can directly “accomplish a task” (i.e., security-critical) • Ex: write or read a file, create a process • Low-Control Events: Events through which an attacker might indirectly “accomplish a task” by affecting another process • Ex: modify file metadata, create directory entries • BackTracker primarily supports tracking of high- control events. • Thoughts on this? Security & Privacy Research at Illinois (SPRAI) 21

  14. Graph Construction Dependency graphs vs. backtraces…. ? Security & Privacy Research at Illinois (SPRAI) 22

  15. Graph Construction Dependency graphs vs. backtraces…. Security & Privacy Research at Illinois (SPRAI) 23

  16. Filtering Even backtraces (i.e., dependency subgraphs) get real big, real fast… Security & Privacy Research at Illinois (SPRAI) 24

  17. Filtering Even backtraces (i.e., dependency subgraphs) get real big, real fast… Filtering Strategies • Blacklist objects or event types • Prune read-only files from graph • Prune helper applications from graph ( how? ) • Calculate the intersection of multiple detection points Security & Privacy Research at Illinois (SPRAI) 25

  18. Filtering Even backtraces (i.e., dependency subgraphs) get real big, real fast… Security & Privacy Research at Illinois (SPRAI) 26

  19. Filtering Even backtraces (i.e., dependency subgraphs) get real big, real fast… Security & Privacy Research at Illinois (SPRAI) 27

  20. Evaluation Multiple real attacks against honeypot ReVirt VM, plus one synthetic attack… Security & Privacy Research at Illinois (SPRAI) 28

  21. Evaluation Multiple real attacks against honeypot ReVirt VM, plus one synthetic attack… Security & Privacy Research at Illinois (SPRAI) 29

  22. Kernel-Supported Cost-Effective Logging • BackTracker — still extraordinarily costly • In Enterprise environment, one backtrace query may take days to return [Liu et al., NDSS’18] • Ma et al. ATC’18 Linux Audit Benchmarks: High Storage Overhead High CPU Overhead Security & Privacy Research at Illinois (SPRAI) 30

  23. Kernel-Supported Cost-Effective Logging • BackTracker — still extraordinarily costly • In Enterprise environment, one backtrace query may take days to return [Liu et al., NDSS’18] • Ma et al. ATC’18 Linux Audit Benchmarks: Security & Privacy Research at Illinois (SPRAI) 31

  24. KCAL KCAL addresses several shortcomings of Linux Audit • Raw logging overhead • In-Kernel execution partitioning • In-Kernel elimination of event redundancy • In-Kernel garbage collection of irrelevant events Security & Privacy Research at Illinois (SPRAI) 32

  25. KCAL Kernel-User IPC • KCAL drops inefficient Netlink channel in favor of faster kernel-user communication. • Uses shared memory instead. • Same trick used in other auditing frameworks like Hi- Fi (ACSAC’12), LPM (Security’15). Security & Privacy Research at Illinois (SPRAI) 33

  26. KCAL Redundancy Filters • King and Chen 2003 observe event redundancy in offline graph construction phase, eliminate it. • KCAL pushes redundancy elimination into capture phase • Achieved through decentralized kernel object cache • Why is it safe to eliminate redundant log events? Security & Privacy Research at Illinois (SPRAI) 34

  27. KCAL Execution Partitioning • King and Chen 2003 allude to dependency explosion problem, solve with time slicing • Dependency Explosion: Each process output assumed to depend on all prior inputs • KCAL includes execution partitioning* module to address this, enables further reduction * c.f. BEEP (NDSS’13) Security & Privacy Research at Illinois (SPRAI) 35

  28. KCAL Execution Partitioning Does EP reduce effectiveness of redundancy filtering? • No. optimization tracks when one unit’s dependency should be applied to addition units. In-Unit Redundancy Cross-Unit Redundancy Security & Privacy Research at Illinois (SPRAI) 36

  29. KCAL Garbage Collection • King and Chen 2003 observe forensically irrelevant files (e.g., read-only) can be filtered. • KCAL pushes garbage collection into capture phase • Achieved through decentralized kernel object cache Temporary files are • Why is it safe to eliminate not relevant to attack redundant log events? forensics Security & Privacy Research at Illinois (SPRAI) 37

  30. KCAL Evaluation Storage Overhead Before After Security & Privacy Research at Illinois (SPRAI) 38

  31. KCAL Evaluation CPU Overhead Before After Security & Privacy Research at Illinois (SPRAI) 39

  32. KCAL Evaluation auditd cpu consumption Because kernel is not always logging, auditd actually sleeps; normally auditd can easily consume 100% of a core’s cycles. Security & Privacy Research at Illinois (SPRAI) 40

  33. KCAL Evaluation Kernel Memory Consumption Manageable per-process cache size G r a c e f u l degradation as cache size decreases Security & Privacy Research at Illinois (SPRAI) 41

  34. System Intrusions: Looking Forward • Where to look for literature: “Big 4” security conferences (IEEE S&P a.k.a. Oakland, USENIX Security, CCS, NDSS), reputable second tier conferences (i.e., RAID). • Hot Topics in System Intrusion (not exhaustive): • Attack PROV: Efficiency (e.g., Hybrid Tainting), Fidelity (e.g., Execution Partitioning), Security (e.g., Provenance Monitor) • Software Security: Attacks (e.g., any Binary Exploitation stuff), Defenses (e.g., CFI, Privilege Separation, TCB Minimization) • Intrusion Detection • Vulnerability Discovery (e.g., Fuzzing, Concolic Testing) • Network-Based Monitoring and Defense Security & Privacy Research at Illinois (SPRAI) 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks Suggests need to learn/adapt to new attacks or changes in behavior Detect intrusions in timely fashion May need to be be real-time,

638 views • 29 slides
What Landowners Need to Know about Intrusions on Surface Use 1 Big Picture Phase 1: Company

What Landowners Need to Know about Intrusions on Surface Use 1 Big Picture Phase 1: Company

What Landowners Need to Know about Intrusions on Surface Use 1 Big Picture Phase 1: Company or agency study Engineering, environmental, etc. Phase 2: Routing Phase 3: Land acquisition (condemnation) Phase 4: Construction 2

765 views • 39 slides
Detecting and Surviving Intrusions Exploring New Host-Based Intrusion Detection, Recovery, and

Detecting and Surviving Intrusions Exploring New Host-Based Intrusion Detection, Recovery, and

Detecting and Surviving Intrusions Exploring New Host-Based Intrusion Detection, Recovery, and Response Approaches Ph.D. Thesis Defense December 17th, 2019 1 HP Labs (ronny.chevalier@hp.com) 2 CIDRE Team, CentraleSuplec/Inria/CNRS/IRISA

1.66k views • 140 slides
Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic specification J. Lima, N. Escravana 1 Abstract In the recent years, the advent large-scale, highly targeted cyber-attacks raised the concern on the

375 views • 35 slides
Massively distributed intrusions detection : goals, challenges and possible solutions. SEC2 2015,

Massively distributed intrusions detection : goals, challenges and possible solutions. SEC2 2015,

Massively distributed intrusions detection : goals, challenges and possible solutions. SEC2 2015, Lille Michal Hauspie CRIStAL, CNRS UMR 9189 quipe 2XS . . . . . . . . . . . . . . . . . . . . . . . . . . . .

643 views • 40 slides
MT PERCY GOLD DEPOSIT THE ROLE AND SIGNIFICANCE OF PORPHYRY INTRUSIONS IN THE GOLD MINERALISATION

MT PERCY GOLD DEPOSIT THE ROLE AND SIGNIFICANCE OF PORPHYRY INTRUSIONS IN THE GOLD MINERALISATION

MT PERCY GOLD DEPOSIT THE ROLE AND SIGNIFICANCE OF PORPHYRY INTRUSIONS IN THE GOLD MINERALISATION PROCESS Daniel Sully Research supervisor: Steffen Hagemann Co-supervisor: Paul Duuring 1. Gold Industry Fourth Largest Commodity Sector in WA

503 views • 17 slides
Recovering from intrusions in distributed systems with Dare Taesoo Kim Ramesh Chandra, Nickolai

Recovering from intrusions in distributed systems with Dare Taesoo Kim Ramesh Chandra, Nickolai

Recovering from intrusions in distributed systems with Dare Taesoo Kim Ramesh Chandra, Nickolai Zeldovich MIT CSAIL Attackers routinely compromise distributed systems Recovery is manual and time-consuming Example: SourceForge.net attack

426 views • 27 slides
Outside the Closed World: On Finding Intrusions with Anomaly Detection Robin Sommer

Outside the Closed World: On Finding Intrusions with Anomaly Detection Robin Sommer

Outside the Closed World: On Finding Intrusions with Anomaly Detection Robin Sommer International Computer Science Institute, & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org Advanced Topics in Computer

1.35k views • 99 slides
A Stochastic Model for Intrusions Robert P. Goldman rpgoldman@sift.info Interface 2003 1 Topic

A Stochastic Model for Intrusions Robert P. Goldman rpgoldman@sift.info Interface 2003 1 Topic

A Stochastic Model for Intrusions Robert P. Goldman rpgoldman@sift.info Interface 2003 1 Topic Topic area: Computer and Network Intrusion Detection Subject: A technique for stochastic modeling of goal-directed computer network intruders

433 views • 31 slides
Agenda 9.00 - 9.15: APNIC Presentation 9.15 10.30: Danny McPherson 10.30 -11.00:

Agenda 9.00 - 9.15: APNIC Presentation 9.15 10.30: Danny McPherson 10.30 -11.00:

Network Security: The Principles of Threats, Attacks and Intrusions APRICOT Tutorial Perth Australia 28 February, 2006 Danny McPherson, Arbor Networks Ray Hunt, Associate Professor University of Canterbury, New Zealand 1 Agenda 9.00 -

959 views • 52 slides
Improve sleep/decrease nightmares

Improve sleep/decrease nightmares

Improve sleep/decrease nightmares Medications? Reduce Acute Stress Symptoms - Decrease startle (a) response/intrusions/irritability/ anxiety while driving (b) (c) Drive a car

186 views • 7 slides
Module 3: Operating-System Structures System Components Operating System Services

Module 3: Operating-System Structures System Components Operating System Services

Module 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation Silberschatz and

714 views • 35 slides
Chapter 3: Operating-System Structures System Components Operating System Services

Chapter 3: Operating-System Structures System Components Operating System Services

Chapter 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation Operating System

981 views • 39 slides
Chapter 3: Operating-System Structures System Components Operating System Services

Chapter 3: Operating-System Structures System Components Operating System Services

Chapter 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation Operating System

588 views • 20 slides
Module 3: Operating-System Structures System Components Operating-System Services

Module 3: Operating-System Structures System Components Operating-System Services

' $ Module 3: Operating-System Structures System Components Operating-System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation & %

589 views • 13 slides
System 1 vs. System 2 System 1 operates automatically and quickly, with little or no e fg ort

System 1 vs. System 2 System 1 operates automatically and quickly, with little or no e fg ort

System 1 vs. System 2 System 1 operates automatically and quickly, with little or no e fg ort and no sense of voluntary control. p.20 Operations of System 1 Detect that one object is more distant than another. Orient to the source

686 views • 46 slides
Growth, Poverty Reduction and Inequality in Bangladesh feasible pathways to zero-poverty by

Growth, Poverty Reduction and Inequality in Bangladesh feasible pathways to zero-poverty by

Growth, Poverty Reduction and Inequality in Bangladesh feasible pathways to zero-poverty by 2030 Willem van der Geest & Massoud Karshenas Transforming economies for better jobs WIDER Development Conference, 11-13 September 2019,

256 views • 21 slides
A First Course on Kinetics and Reaction Engineering Class 36 on Unit 34 Where Were Going

A First Course on Kinetics and Reaction Engineering Class 36 on Unit 34 Where Were Going

A First Course on Kinetics and Reaction Engineering Class 36 on Unit 34 Where Were Going Part I - Chemical Reactions Part II - Chemical Reaction Kinetics Part III - Chemical Reaction Engineering A. Ideal Reactors B.

373 views • 18 slides
INDUSTRY FORUM Version 5 Model Participation Rules Model Operating Requirements Melbourne, 19

INDUSTRY FORUM Version 5 Model Participation Rules Model Operating Requirements Melbourne, 19

20/09/2018 Australian Registrars National Electronic Conveyancing Council INDUSTRY FORUM Version 5 Model Participation Rules Model Operating Requirements Melbourne, 19 September 2018 1 20/09/2018 Welcome Jim Laouris Registrar-General

505 views • 11 slides
Large Scheme: A Personal View John Cowan <cowan@ccil.org> Scheme 2014 Recap of R7RS-small

Large Scheme: A Personal View John Cowan <cowan@ccil.org> Scheme 2014 Recap of R7RS-small

Large Scheme: A Personal View John Cowan <cowan@ccil.org> Scheme 2014 Recap of R7RS-small Based on R5RS, but with many R6RS changes Case-sensitive, like many implementations String and character escapes Datum and block

316 views • 19 slides
Outline CSEP 590A Summer 2006 Biological roles for RNA What is secondary structure? Lecture

Outline CSEP 590A Summer 2006 Biological roles for RNA What is secondary structure? Lecture

Outline CSEP 590A Summer 2006 Biological roles for RNA What is secondary structure? Lecture 8 How is it represented? RNA Secondary Structure Prediction Why is it important? Examples Approaches RNA Structure RNA Pairing Watson-Crick

380 views • 12 slides
Lecture 7: RNA folding Chapter 6 Problem 6.51 in Jones and Pevzner and the Turner model Fall

Lecture 7: RNA folding Chapter 6 Problem 6.51 in Jones and Pevzner and the Turner model Fall

Lecture 7: RNA folding Chapter 6 Problem 6.51 in Jones and Pevzner and the Turner model Fall 2019 September 19, 2019 RNA Basics RNA bases A,C,G,U Canonical Base Pairs A-U G-C G-U wobble pairing Bases can only pair

467 views • 24 slides
Neural Machine Translation Spring 2020 2020-03-12 Adapted from slides from Danqi Chen, Karthik

Neural Machine Translation Spring 2020 2020-03-12 Adapted from slides from Danqi Chen, Karthik

SFU NatLangLab CMPT 825: Natural Language Processing Neural Machine Translation Spring 2020 2020-03-12 Adapted from slides from Danqi Chen, Karthik Narasimhan, and Jetic Gu. (with some content from slides from Abigail See, Graham Neubig) Course

1.41k views • 87 slides
Automating API Style Guides HELLO! I am Phil Sturgeon I love to talk about APIs, 2 crashing

Automating API Style Guides HELLO! I am Phil Sturgeon I love to talk about APIs, 2 crashing

Automating API Style Guides HELLO! I am Phil Sturgeon I love to talk about APIs, 2 crashing bikes, and saving the planet. You can find me at @philsturgeon 3 Inconsistency Isnt Great 1. rando_Naming-conventions 2. Different data

687 views • 36 slides

More recommend