Application Communities


Application Communities April 2004 Site Visit

Benefits from an Application Community
  Increased Accuracy
    A community provides behavior variations and more data, increasing the accuracy of the dataset and improving the ability to find anomalies.
  Amortized Risk
    A problem in a few will lead to a solution for the rest. A community can afford to sacrifice a few members.
  Shared Burden
    A community can use expensive monitoring techniques by distributing the burden across the members.

Attack Landscape
  Execution of Malicious Code
  Denial of Service
  Privilege Escalation
  Cross Site Scripting
  Weak or Missing Permissions
  Information Leak

Attack Landscape (chart: % of vulnerabilities by category; labelled categories: Execution of Malicious Code, Denial of Service). Source: CVE, Microsoft Security Bulletins, 2003-2004

Attack Landscape (chart: breakdown by Client vs. Server)

Conceptual Flow of a Community System (diagram; stages: Monitor, Detect, Analyze, Learn, Create, Fix, Deploy, Enforce, Impact, Refine, Collect)

1. Execution of Malicious Code
  1.1 Memory Based
    Injection of malicious code
    Reuse of existing code for malicious purposes
  1.2 Script Based
    Unintended use of an expansive script interface
    Exploit a buggy script interpreter
  1.3 Executable Based
    Insert a new binary and get it executed
    Replace an existing binary with a malicious one

1.1 Memory Based Attacks
  Attack Types
    Format String vulnerabilities, Buffer Overflow, Integer Underflow/Overflow, Return to libc
  Before Application Communities
    If detected: cannot continue execution -> Denial of Service
    Otherwise: full impact of the attack
  With Application Communities
    Malicious code execution -> detection by MF (Memory Firewall) -> constraint identification -> constraint enforcement -> eliminate the problem

1.2 Script Based Attacks
  Attack Types
    IE VB, JavaScript and ActiveX attacks, malformed image attacks, malicious Word attachments, malicious e-mail attachments
  Before Application Communities
    No clear solution (mainly signatures or lockdown)
  With Application Communities
    Detection of an attack -> constraint identification -> constraint enforcement -> eliminate the problem

1.3 Executable Based Attacks
  Types of attacks
    Malware executables, adware, viruses and rootkits
  Before Application Communities
    Signatures: blacklists get overwhelmed by variations
    Lockdown: whitelists are hard to manage
  With Application Communities
    Handles day-zero or custom variations of malware
    Easily manageable lockdown with whitelists that accept updates and upgrades

2. Denial of Service
  Attack Types
    Crash or hang programs; get programs into invalid states
  Before Application Communities
    No clear solution (mainly signatures)
  With Application Communities
    Detection of an attack (program crash or hang) -> constraint identification -> constraint enforcement -> eliminate the problem

Attack Handling Capabilities (table with columns DaiKonstraints and Program Genealogy; the check marks in the cells are not recoverable)
  1. Execution of Malicious Code
    1.1 Memory Based
    1.2 Script Based
    1.3 Executable Based
  2. Denial of Service

Introduction to DaiKonstraints

Application Behavior Monitoring, Anomaly Detection and Enforcement
  Monitor Application Execution
    Collect constraints
    Merge constraints from the community
  Detect an Attack
    Informed by Memory Firewall or crash
    Other detectors
  Identify the Violations that lead to Compromise
    Constraints directly available, or
    Need to track the propagation over multiple attacks
  Create fixes
    Identify constraint(s) to check and a remediation
    Test the fixes on a few machines to gain confidence
  Deploy the best fix and Enforce the Constraint
    Keep monitoring to detect any false positives
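The collect / merge / detect / enforce loop on the slide above, as an added example that is not code from the Application Communities project or from Daikon itself. It assumes each community member records the values of a few program variables at a hypothetical copy_header() routine (the member names, variable names and all numbers are constructed), infers two Daikon-like invariant templates per member (an observed range per variable and "a <= b" between variable pairs), keeps only the invariants every member agrees on, and then reports which merged constraints a new observation violates; the enforce step checks only the relation selected for deployment.

```python
"""Daikon-style constraint inference, community merging and enforcement.

Added illustration, not code from the Application Communities project or
from Daikon.  All trace values below are constructed.
"""
from itertools import permutations

# Constructed traces: each community member records the values of three
# program variables at the entry of a hypothetical copy_header() routine.
MEMBER_TRACES = {
    "member-a": [
        {"hdr_len": 12, "buf_size": 256, "nfields": 3},
        {"hdr_len": 40, "buf_size": 256, "nfields": 5},
        {"hdr_len": 8, "buf_size": 256, "nfields": 2},
    ],
    "member-b": [
        {"hdr_len": 64, "buf_size": 512, "nfields": 7},
        {"hdr_len": 100, "buf_size": 512, "nfields": 9},
    ],
    "member-c": [
        {"hdr_len": 20, "buf_size": 256, "nfields": 4},
        {"hdr_len": 33, "buf_size": 256, "nfields": 4},
    ],
}


def infer_constraints(samples):
    """Infer invariants from one member's samples using two Daikon-like
    templates: the observed numeric range of each variable, and an 'a <= b'
    relation for every ordered pair of variables that never violates it."""
    variables = sorted(samples[0])
    ranges = {v: (min(s[v] for s in samples), max(s[v] for s in samples))
              for v in variables}
    le = {(a, b) for a, b in permutations(variables, 2)
          if all(s[a] <= s[b] for s in samples)}
    return {"range": ranges, "le": le}


def merge_constraints(per_member):
    """Merge the community's constraints: a relation survives only if every
    member observed it; ranges are widened to cover every member's data."""
    members = list(per_member.values())
    le = set.intersection(*(m["le"] for m in members))
    variables = set.intersection(*(set(m["range"]) for m in members))
    ranges = {v: (min(m["range"][v][0] for m in members),
                  max(m["range"][v][1] for m in members))
              for v in sorted(variables)}
    return {"range": ranges, "le": le}


def violations(constraints, sample):
    """List every merged constraint that a new observation breaks."""
    found = []
    for v, (lo, hi) in constraints["range"].items():
        if not lo <= sample[v] <= hi:
            found.append(f"{v}={sample[v]} outside observed range [{lo}, {hi}]")
    for a, b in sorted(constraints["le"]):
        if not sample[a] <= sample[b]:
            found.append(f"{a} <= {b} violated ({sample[a]} > {sample[b]})")
    return found


def enforce(sample, checked):
    """Enforcement step: only the relations selected for deployment are
    checked at run time.  Returns True when the call may proceed."""
    return all(sample[a] <= sample[b] for a, b in checked)


if __name__ == "__main__":
    merged = merge_constraints({m: infer_constraints(t)
                                for m, t in MEMBER_TRACES.items()})
    attack = {"hdr_len": 4096, "buf_size": 256, "nfields": 3}
    benign = {"hdr_len": 50, "buf_size": 512, "nfields": 6}
    print("merged relations:", sorted(merged["le"]))
    print("attack violates:", violations(merged, attack))
    print("benign violates:", violations(merged, benign))
    print("allow attack call:", enforce(attack, [("hdr_len", "buf_size")]))
```

The range template illustrates the "keep monitoring to detect any false positives" item: a legitimate input larger than anything the community has seen so far trips the range invariant, which is why the slide deploys only the constraint that the community identified as the cause (here "hdr_len <= buf_size") rather than every inferred invariant.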

Application Behavior Monitoring, Anomaly Detection and Enforcement (architecture diagrams: each Community Member runs the Application under Daikon with a LiveShield monitor; the Central Management System handles LiveShield Deployment and Managed Program Execution; the stages Monitor, Detect, Analyze, Learn, Create, Fix, Deploy, Enforce, Impact, Refine and Collect are overlaid on the components)

Community Benefits
  Increased Accuracy
    Varied behavior reduces the risk of false positives
    Observance of multiple attacks increases the accuracy of the fixes
  Amortized Risk
    The fixes are first tested on a few machines
    Learn from any problems
    Only deployed widely if no adverse effect
  Shared Burden
    Partial instrumentation of individual applications; community aggregation provides the full picture.

Introduction to Program Genealogy

Looking for Family Resemblance
  Compare the DNA instead of portraits or faces
  Apply to both
    Malware families
    Updates and upgrades of legitimate software

Gray to Black or White
  A blacklist and whitelist file hash database enforces what applications are allowed to run
  For an unknown application (graylist)
    It is allowed to run under monitoring
    An execution profile is created
  Community monitoring
    Find a similar execution profile in the database
    Add the application hash to the blacklist or whitelist
    Add the profile to the database
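The gray-to-black-or-white procedure above, together with the "family resemblance" idea of the preceding slide, as one added example that is not code from the Application Communities project. It assumes a hash database keyed by SHA-256, a behaviour profile represented as the set of actions observed while the graylisted file ran, and Jaccard similarity with a 0.6 threshold as the "DNA" comparison; the file contents, profile entries and threshold are all constructed for the illustration.

```python
"""Gray-to-black-or-white classification with community behaviour matching.

Added illustration, not code from the Application Communities project.  The
file contents, behaviour profiles and threshold are constructed.
"""
import hashlib


def file_hash(data: bytes) -> str:
    """Key used in the blacklist/whitelist database."""
    return hashlib.sha256(data).hexdigest()


def jaccard(a, b):
    """Similarity of two behaviour profiles (sets of observed actions)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a or b else 0.0


class CommunityStore:
    """Central database: the two hash lists plus the behavioural trace DB."""

    def __init__(self):
        self.whitelist = set()
        self.blacklist = set()
        self.trace_db = []  # list of (profile, verdict) pairs

    def classify(self, data):
        """Enforcement decision from the hash lists alone."""
        h = file_hash(data)
        if h in self.blacklist:
            return "black"
        if h in self.whitelist:
            return "white"
        return "gray"  # unknown: allowed to run, but under monitoring

    def best_match(self, profile):
        """Find the stored profile most similar to an observed one."""
        best = (0.0, None)
        for stored, verdict in self.trace_db:
            score = jaccard(profile, stored)
            if score > best[0]:
                best = (score, verdict)
        return best

    def resolve_gray(self, data, observed_profile, threshold=0.6):
        """Community monitoring step for a graylisted file: match its
        execution profile against the trace DB; on a confident match add the
        hash to the corresponding list and the profile to the DB.  Otherwise
        the file stays gray and keeps running under monitoring."""
        verdict = self.classify(data)
        if verdict != "gray":
            return verdict
        score, matched = self.best_match(observed_profile)
        if matched is None or score < threshold:
            return "gray"
        target = self.blacklist if matched == "black" else self.whitelist
        target.add(file_hash(data))
        self.trace_db.append((frozenset(observed_profile), matched))
        return matched


def seed_store():
    """Constructed starting state: one known-good editor and one known-bad
    dropper, each with the behaviour profile recorded when it ran."""
    store = CommunityStore()
    editor_v1 = b"constructed: editor build 1.0"
    dropper_v1 = b"constructed: dropper variant 1"
    editor_profile = {"CreateFile", "ReadFile", "WriteFile", "RegQueryValue"}
    dropper_profile = {"CreateRemoteThread", "WriteProcessMemory",
                       "RegSetValue", "connect"}
    store.whitelist.add(file_hash(editor_v1))
    store.blacklist.add(file_hash(dropper_v1))
    store.trace_db.append((frozenset(editor_profile), "white"))
    store.trace_db.append((frozenset(dropper_profile), "black"))
    return store


if __name__ == "__main__":
    store = seed_store()
    # A new editor build: unknown hash, but familiar behaviour -> whitelisted.
    print(store.resolve_gray(b"constructed: editor build 1.1",
                             {"CreateFile", "ReadFile", "WriteFile",
                              "RegQueryValue", "GetFileAttributes"}))
    # A new dropper variant: unknown hash, behaviour matches the known bad one.
    print(store.resolve_gray(b"constructed: dropper variant 2",
                             {"CreateRemoteThread", "WriteProcessMemory",
                              "connect", "VirtualAllocEx"}))
    # Genuinely new behaviour: stays gray, nothing is added to the lists.
    print(store.resolve_gray(b"constructed: unknown tool",
                             {"socket", "connect", "send", "recv"}))
```

The second case is the amortized-risk point of the next slide: the member that ran the new dropper variant under monitoring may already be compromised by the time the match is made, but its hash is then blacklisted for everyone else, and the stored profile makes the next variant easier to match.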

Gray to Black or White (architecture diagrams: each Community Member runs the Application under Daikon and a Monitor that produces Behavioral Traces; the Central Management System holds the Trace DB and the Blacklist/Whitelist DB and performs Behavior Matching; Managed Program Execution enforces the Blacklist/Whitelist; the stages Monitor, Detect, Analyze, Learn, Create, Fix, Deploy, Enforce, Impact, Refine and Collect are overlaid on the components)

Community Benefits
  Increased Accuracy
    Multiple users provide a better application trace profile
  Amortized Risk
    Cannot tell if an unknown application is good or bad without running it
    When it is clear that the application is bad, the machine may already be compromised
    However, this saves the rest of the community
  Shared Burden
    Only a few early users need to profile an unknown application.