Backtracking Intrusions. Sam King, Peter Chen, CoVirt Project, University of Michigan


Motivation
  Computer break-ins are increasing
  Computer forensics is important
  How did they get in?

Current Forensic Methods
  Manual inspection of existing logs
    System and application logs: not enough information
    Network log: may be encrypted
    Disk image: only shows the final state
  Machine-level logs
    No semantic information
    No way to separate out legitimate actions

BackTracker
  Can we help figure out what was exploited?
  Track back to the exploited application
  Record causal dependencies between objects
  [Figure: example dependency graph. Legend: Process, File, Socket, Detection point, Fork event, Read/write event]

Presentation Outline
  BackTracker design
  Evaluation
  Limitations
  Conclusions

BackTracker
  Intrusion occurs; intrusion is detected; BackTracker runs and shows the source of the intrusion
  Online component: log objects and events
  Offline component: generate graphs

BackTracker Objects
  Process
  File
  Filename

Dependency-Forming Events
  Process / Process: fork, clone, vfork
  Process / File: read, write, mmap, exec
  Process / Filename: open, creat, link, unlink, mkdir, rmdir, stat, chmod, ...

Prioritizing Dependency Graphs
  Hide read-only files
  Eliminate helper processes
  Filter low-control events
  [Figure, three builds: example graphs with nodes proc, /bin/bash, bash, backdoor, /lib/libc (read-only file); proc, id, bash, pipe, backdoor (helper process); proc, login_a, utmp, bash, backdoor, login_b (low-control event)]

Filtering Low-Control Events
  [Figure, two builds: graph with nodes proc, login, utmp, bash, backdoor; second build adds sshd. Legend: Process, File, Socket, Detection point, Fork event, Read/write event]
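The backward search and the three filtering rules described on the slides above, as an added example that is not code from the slides or from the CoVirt project. It is a small Python model of BackTracker's offline component: a constructed event log of (time, source, sink, kind) records over process, file and socket objects; the time-threshold rule that stops the search from following events that happened after an object last mattered; and simplified versions of "hide read-only files", "eliminate helper processes" and "filter low-control events". The object labels (proc:, file:, sock:), the event kinds, and names such as login_a, utmp and backdoor are assumptions modelled on the slide figures, and the helper-process rule is a simplification of the real one.

```python
"""Backward dependency tracking in the style of BackTracker.

Added example, not code from the slides or the CoVirt project. It assumes a
constructed event log of (time, source, sink, kind) records whose objects are
processes, files and sockets, and models the three filtering rules named on
the slides: hide read-only files, eliminate helper processes, filter
low-control events. Object names (login_a, backdoor, utmp, ...) are made up.
"""
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "time source sink kind")

# Constructed log, modelled on the login/utmp/bash/backdoor slide figures.
# Every event is a causal flow from source to sink at the given time.
LOG = [
    Event(1, "proc:login_a", "file:/var/run/utmp", "write"),   # login_a records a session
    Event(2, "proc:login_a", "proc:bash", "fork"),             # login_a starts the shell
    Event(3, "file:/lib/libc.so", "proc:bash", "read"),        # bash loads libc (never written)
    Event(4, "proc:bash", "proc:id", "fork"),                  # helper process: bash runs id
    Event(5, "proc:id", "file:pipe:7", "write"),               # id writes its output to a pipe
    Event(6, "file:pipe:7", "proc:bash", "read"),              # bash reads that pipe back
    Event(7, "proc:login_b", "file:/var/run/utmp", "write"),   # an unrelated login updates utmp
    Event(8, "file:/var/run/utmp", "proc:bash", "read"),       # bash reads utmp (low control)
    Event(9, "sock:attacker", "proc:bash", "read"),            # bash reads from a network socket
    Event(10, "proc:bash", "file:/tmp/backdoor", "write"),     # bash writes the backdoor binary
    Event(11, "file:/tmp/backdoor", "proc:backdoor", "exec"),  # detection point: backdoor runs
    Event(12, "proc:cron", "file:/var/run/utmp", "write"),     # after detection: must be ignored
]


def backtrack(log, detection_obj, detection_time):
    """Return the events that could have affected detection_obj by
    detection_time. An event A->B at time t matters for B if t is at or
    before B's threshold; then every event into A at or before t matters
    too. Thresholds keep the search from following events that happened
    after an object last influenced the graph."""
    by_sink = defaultdict(list)
    for ev in log:
        by_sink[ev.sink].append(ev)
    threshold = {detection_obj: detection_time}
    worklist = [detection_obj]
    kept = set()
    while worklist:
        obj = worklist.pop()
        for ev in by_sink[obj]:
            if ev.time > threshold[obj]:
                continue                        # happened after obj mattered
            kept.add(ev)
            if threshold.get(ev.source, -1) < ev.time:
                threshold[ev.source] = ev.time  # look further back on the source
                worklist.append(ev.source)
    return kept


def hide_read_only_files(log):
    """Rule 1: files never written during the log (e.g. libc) cannot carry
    the intruder's influence, so reads from them are dropped."""
    written = {ev.sink for ev in log if ev.sink.startswith("file:")}
    return [ev for ev in log
            if not (ev.source.startswith("file:") and ev.source not in written)]


def filter_low_control(log, low_control):
    """Rule 3: drop reads from objects the administrator marks low-control
    (utmp here), so whoever wrote them is not implicated."""
    return [ev for ev in log if ev.source not in low_control]


def eliminate_helper_processes(log):
    """Rule 2 (simplified): remove a process, and the objects it writes,
    when its only input is a fork from its parent and everything it
    produces flows back to that parent alone (bash -> id -> pipe -> bash)."""
    into, out_of = defaultdict(list), defaultdict(list)
    for ev in log:
        into[ev.sink].append(ev)
        out_of[ev.source].append(ev)
    removed = set()
    for proc in [o for o in out_of if o.startswith("proc:")]:
        if len(into[proc]) != 1 or into[proc][0].kind != "fork":
            continue
        parent = into[proc][0].source
        mids = [ev.sink for ev in out_of[proc] if ev.sink != parent]
        if all(all(e.source == proc for e in into[m]) and
               all(e.sink == parent for e in out_of[m]) for m in mids):
            removed.add(proc)
            removed.update(mids)
    return [ev for ev in log if ev.source not in removed and ev.sink not in removed]


def objects(events):
    """All objects appearing in a set of events."""
    return {ev.source for ev in events} | {ev.sink for ev in events}


def roots(events):
    """Objects with no incoming event in the graph: the candidate entry points."""
    return {ev.source for ev in events} - {ev.sink for ev in events}


def analyze(log, detection_obj, detection_time, low_control=frozenset()):
    """Apply the three filtering rules, then backtrack from the detection point."""
    log = hide_read_only_files(log)
    log = filter_low_control(log, low_control)
    log = eliminate_helper_processes(log)
    return backtrack(log, detection_obj, detection_time)


if __name__ == "__main__":
    raw = backtrack(LOG, "proc:backdoor", 11)
    filtered = analyze(LOG, "proc:backdoor", 11, {"file:/var/run/utmp"})
    print(f"unfiltered: {len(raw)} events, {len(objects(raw))} objects, roots {sorted(roots(raw))}")
    print(f"filtered:   {len(filtered)} events, {len(objects(filtered))} objects, roots {sorted(roots(filtered))}")
```

Run as a script, the unfiltered graph from the detection point contains 11 events over 10 objects and names login_b, libc and login_a alongside the attacker's socket as possible entry points, because the utmp and libc reads pull them in; the filtered graph keeps 4 events over 5 objects and leaves only login_a and the socket as roots. The cron write at time 12 is excluded in both cases by the time threshold. The trade-off is the one the Limitations slide names: an object marked low-control or read-only is trusted by the filter, so anything an intruder actually routed through it would be cut out of the graph.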

Implementation
  Prototype built on Linux 2.4.18
  Both stand-alone and virtual machine
  Hook the system call handler
  Inspect the state of the OS directly
  [Figure: Virtual Machine Implementation (Guest Apps, Guest OS, VMM with EventLogger, Host OS) and Stand-Alone Implementation (Host Apps, Host OS with EventLogger)]

Evaluation
  Determine the effectiveness of BackTracker
  Set up a honeypot virtual machine
  Intrusion detection using standard tools
  Attacks evaluated with six default filtering rules
  [Figure: two dependency graphs from the evaluation. Legend: Process, File, Socket, Detection point, Fork event, Read/write event]

BackTracker Limitations
  Layer-below attack
  Use low-control events or filtered objects to carry out the attack
  Hidden channels
  Create a large dependency graph
    Perform a large number of steps
    Implicate innocent processes

Future Work
  Department system administrators are currently evaluating BackTracker
  Use different methods of dependency tracking
  Forward tracking

Conclusions
  Tracking causality through system calls can backtrack intrusions
  Dependency tracking: reduces events and objects by 100x; still effective even when the same application is exploited many times
  Filtering: further reduces events and objects
