Backtracking Intrusions
Sam King, Peter Chen
CoVirt Project, University of Michigan

Motivation
- Computer break-ins are increasing
- Computer forensics is important: how did they get in?

Current Forensic Methods
- Manual inspection of existing logs
  - System and application logs: not enough information
  - Network log: may be encrypted
  - Disk image: only shows the final state
  - Machine-level logs: no semantic information, no way to separate out legitimate actions

BackTracker
- Can we help figure out what was exploited?
- Track back to the exploited application
- Record causal dependencies between objects
[Figure: example dependency graph. Legend: Process, File, Socket; Detection point; Fork event; Read/write event]

Presentation Outline
- BackTracker design
- Evaluation
- Limitations
- Conclusions

BackTracker
[Figure: timeline. Intrusion occurs, intrusion is detected, BackTracker runs and shows the source of the intrusion]
- Online component: logs objects and events
- Offline component: generates dependency graphs

BackTracker Objects
- Process
- File
- Filename

Dependency-Forming Events
- Process / Process: fork, clone, vfork
- Process / File: read, write, mmap, exec
- Process / Filename: open, creat, link, unlink, mkdir, rmdir, stat, chmod, ...

Prioritizing Dependency Graphs
- Hide read-only files
  [Figure: example graph with proc, /bin/bash, bash, backdoor and /lib/libc; /lib/libc is a read-only file]
- Eliminate helper processes
  [Figure: example graph with proc, id, bash, pipe, backdoor; id is a helper process communicating with bash over a pipe]
- Filter low-control events
  [Figure: example graph with proc, login_a, utmp, login_b, bash, backdoor; utmp is the low-control link between the two logins]

Filtering Low-Control Events
- A low-control event is one through which the source object has little influence over the sink's behaviour, such as a login process updating utmp; following such edges drags unrelated processes into the graph
[Figure: graph with proc, login, utmp, bash, backdoor before filtering]
[Figure: graph with proc, login, sshd, utmp, bash, bash, backdoor after filtering. Legend: Process, File, Socket; Detection point; Fork event; Read/write event]
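The backward pass and two of the three filtering rules above, as an added worked example. This is illustrative code written for this page, not the CoVirt project's EventLogger or graph generator. It assumes a constructed in-memory event log whose entries are (time, source object, sink object, kind), object names prefixed "proc:", "file:" or "sock:", and a made-up attack log that mirrors the slides' login_a / utmp / login_b / bash / backdoor graph; the socket name, file paths and the choice of utmp as the low-control object are assumptions. Helper-process elimination is not implemented here.

```python
"""Minimal BackTracker-style backward dependency tracer (added example).

Not the CoVirt project's code. Objects are strings tagged "proc:", "file:" or
"sock:"; each event moves information from src into sink at a logical time.
"""
from collections import namedtuple

Event = namedtuple("Event", "time src sink kind")

# Constructed sample log (not real data). Times are logical sequence numbers.
# The names below are assumptions chosen to mirror the slides' example graph.
SAMPLE_LOG = [
    Event(1,  "proc:init",          "proc:login_a",       "fork"),
    Event(2,  "file:/lib/libc",     "proc:login_a",       "mmap"),
    Event(3,  "proc:login_a",       "file:/var/run/utmp", "write"),  # low-control write
    Event(4,  "proc:init",          "proc:login_b",       "fork"),
    Event(5,  "sock:remote:22",     "proc:login_b",       "read"),   # attacker's input
    Event(6,  "file:/var/run/utmp", "proc:login_b",       "read"),   # would pull in login_a
    Event(7,  "proc:login_b",       "proc:bash",          "fork"),
    Event(8,  "file:/lib/libc",     "proc:bash",          "mmap"),
    Event(9,  "proc:bash",          "file:/tmp/backdoor", "write"),
    Event(10, "proc:cron",          "file:/var/log/cron", "write"),  # unrelated activity
    Event(11, "proc:bash",          "proc:backdoor",      "fork"),
    Event(12, "file:/tmp/backdoor", "proc:backdoor",      "exec"),
    Event(13, "proc:backdoor",      "sock:*:31337",       "write"),
]


def backtrack(log, detection_obj, detection_time, filters=()):
    """Return (thresholds, events) for everything that could have affected
    detection_obj at detection_time.

    Every tracked object carries a threshold: the latest time at which an
    event into it could still have influenced the detection point. Walking
    the log backward guarantees a sink's threshold is final before the events
    that feed it are examined.
    """
    threshold = {detection_obj: detection_time}
    kept = []
    for ev in sorted(log, key=lambda e: e.time, reverse=True):
        if any(drop(ev) for drop in filters):
            continue                      # removed by a prioritisation rule
        limit = threshold.get(ev.sink)
        if limit is None or ev.time > limit:
            continue                      # sink not tracked, or event happened too late
        kept.append(ev)
        # The source could have been influenced at any time up to this event.
        threshold[ev.src] = max(threshold.get(ev.src, ev.time), ev.time)
    return threshold, kept[::-1]


def hide_read_only_files(log):
    """Rule 'hide read-only files': a file that is never written anywhere in
    the log (e.g. /lib/libc) cannot have carried attacker influence within the
    logged window, so reads of it are dropped. Caveat: a file modified before
    logging began looks read-only to this rule."""
    written = {e.sink for e in log if e.sink.startswith("file:")}
    return lambda ev: ev.src.startswith("file:") and ev.src not in written


def filter_low_control(objects):
    """Rule 'filter low-control events': drop every event into or out of the
    given objects. Which objects count as low-control is a policy decision;
    utmp is the slides' example."""
    return lambda ev: ev.src in objects or ev.sink in objects


def default_filters(log):
    """Assumed rule set for this example: read-only files plus utmp."""
    return [hide_read_only_files(log), filter_low_control({"file:/var/run/utmp"})]


def render(events):
    """Text rendering of the dependency graph, oldest event first."""
    return ["%3d  %-22s -%s-> %s" % (e.time, e.src, e.kind, e.sink) for e in events]


if __name__ == "__main__":
    for label, flt in (("unfiltered", ()), ("filtered", default_filters(SAMPLE_LOG))):
        thresholds, events = backtrack(SAMPLE_LOG, "proc:backdoor", 14, flt)
        print(f"{label}: {len(thresholds)} objects, {len(events)} events")
        print("\n".join(render(events)))
```

Run as-is, the unfiltered graph from the backdoor detection point reaches login_a through the utmp read and /lib/libc through the mmaps; with the two rules applied, the graph shrinks to init, login_b, the attacker's socket, bash, /tmp/backdoor and backdoor, which is the chain an analyst actually wants. The flip side, named later in the deck under limitations, is that anything a filter drops is also a place an attacker can hide: a payload delivered through an object the rule set treats as low-control never appears in the graph.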

Implementation
- Prototype built on Linux 2.4.18
- Both stand-alone and virtual-machine versions
- Hook the system call handler
- Inspect the state of the OS directly
[Figure: Virtual Machine Implementation: Guest Apps / Guest OS / VMM with EventLogger / Host OS. Stand-Alone Implementation: Host Apps / Host OS with EventLogger]

Evaluation
- Determine the effectiveness of BackTracker
- Set up a honeypot virtual machine
- Intrusion detection using standard tools
- Attacks evaluated with six default filtering rules

[Figures: dependency graphs for the evaluated attacks. Legend: Process, File, Socket; Detection point; Fork event; Read/write event]

BackTracker Limitations
- Layer-below attack
- Use low-control events or filtered objects to carry out the attack
- Hidden channels
- Create a large dependency graph: perform a large number of steps, implicate innocent processes

Future Work
- Department system administrators are currently evaluating BackTracker
- Use different methods of dependency tracking
- Forward tracking

Conclusions
- Tracking causality through system calls can backtrack intrusions
- Dependency tracking reduces events and objects by 100x
- Still effective even when the same application is exploited many times
- Filtering further reduces events and objects
