Backtracking Intrusions
Sam King, Peter Chen
CoVirt Project, University of Michigan

Motivation
- Computer break-ins are increasing
- Computer forensics is important
- How did they get in?

Current Forensic Methods
- Manual inspection of existing logs
- System and application logs: not enough information
- Network log: may be encrypted
- Disk image: only shows the final state
- Machine-level logs: no semantic information, no way to separate out legitimate actions

BackTracker
- Can we help figure out what was exploited?
- Track back to the exploited application
- Record causal dependencies between objects: process, file, socket

[Dependency graph figure: bash backdoor. Legend: process, file, socket, detection point, fork event, read/write event]

Implementation
- Prototype built on Linux 2.4.18
- Both stand-alone and virtual machine versions
- Hook the system call handler
- Inspect the state of the OS directly

[Figure: Virtual Machine Implementation (Guest Apps, Guest OS, VMM with EventLogger, Host OS); Stand-Alone Implementation (Host Apps, Host OS with EventLogger)]

Evaluation
- Determine the effectiveness of BackTracker
- Set up a honeypot virtual machine
- Intrusion detection using standard tools
- Attacks evaluated with six default filtering rules

[Dependency graph figures for the evaluated attacks. Legend: process, file, socket, detection point, fork event, read/write event]

BackTracker Limitations
- Layer-below attack
- Use low-control events or filtered objects to carry out the attack
- Hidden channels
- Create a large dependency graph
- Perform a large number of steps
- Implicate innocent processes

Future Work
- Department system administrators are currently evaluating BackTracker
- Use different methods of dependency tracking
- Forward tracking

Conclusions
- Tracking causality through system calls can backtrack intrusions
- Dependency tracking
- Filtering: reduces events and objects by 100x
- Still effective even when the same application is exploited many times
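As an added example (not the authors' code), the dependency tracking and filtering described in these slides in Python: a constructed log of fork, read and write events is backtracked from a detection point, following BackTracker's time-sensitive rule that a source object is only explored up to the time it influenced the sink, with one read-only-file filter rule of the kind the default filters apply. The object names, process ids and paths are assumptions for illustration.

```python
from collections import defaultdict, namedtuple

# Constructed event log in BackTracker's terms: every event makes the sink
# object depend on the source object at time t. Object names ("proc:", "file:",
# "sock:") and all values are assumed for illustration, not from the paper.
Event = namedtuple("Event", "t kind src dst")
LOG = [
    Event(1,  "fork",  "proc:1(init)",       "proc:20(sshd)"),
    Event(2,  "fork",  "proc:1(init)",       "proc:30(httpd)"),
    Event(3,  "read",  "sock:10.0.0.9:443",  "proc:30(httpd)"),   # remote input
    Event(4,  "write", "proc:30(httpd)",     "file:/tmp/payload"),
    Event(5,  "fork",  "proc:30(httpd)",     "proc:31(sh)"),
    Event(6,  "read",  "file:/tmp/payload",  "proc:31(sh)"),
    Event(7,  "read",  "file:/etc/passwd",   "proc:31(sh)"),      # never written
    Event(8,  "write", "proc:31(sh)",        "file:/usr/bin/bash"),
    Event(9,  "fork",  "proc:20(sshd)",      "proc:40(bash)"),
    Event(10, "read",  "file:/usr/bin/bash", "proc:40(bash)"),    # detection point
    Event(11, "read",  "file:/etc/passwd",   "proc:40(bash)"),    # after detection
]

def read_only_files(log):
    """Files only ever read during the log; a filter rule of the paper's kind."""
    written = {e.dst for e in log if e.kind == "write"}
    return {e.src for e in log if e.src.startswith("file:")} - written

def backtrack(log, obj, time, ignore=frozenset()):
    """Events that could have affected `obj` before `time`, followed transitively.
    Each source object is explored only up to the time of the event that linked
    it to the sink: BackTracker's time-sensitive dependency rule."""
    by_dst = defaultdict(list)
    for e in log:
        by_dst[e.dst].append(e)
    frontier, graph = [(obj, time)], set()
    while frontier:
        o, before = frontier.pop()
        for e in by_dst[o]:
            if e.t > before or e.src in ignore or e in graph:
                continue
            graph.add(e)
            frontier.append((e.src, e.t))
    return sorted(graph)

def entry_points(graph):
    """Socket reads left in the graph: where the intruder's input came in."""
    return [e for e in graph if e.src.startswith("sock:")]

if __name__ == "__main__":
    g = backtrack(LOG, "proc:40(bash)", 10, ignore=read_only_files(LOG))
    for e in g:
        print(e)
    print("entry:", entry_points(g))
```

The read of /etc/passwd at t=11 is excluded by the detection time, the read at t=7 by the read-only filter, and the remaining graph leads from the trojaned bash back to the socket read by httpd.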