Backtracking Intrusions

Slides:



Advertisements
Similar presentations
Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.
Advertisements

Debugging operating systems with time-traveling virtual machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Backtracking Intrusions Sam King & Peter Chen CoVirt Project, University of Michigan Presented by:
Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks Qi Alfred Chen, Zhiyun Qian†, Z. Morley Mao University of.
Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.
Aktueller Status How Hackers Cover Their Tracks ECE 4112 May 1st, 2007 Group 1 Chris Garyet Christopher Smith Introduction Lab Content Conclusions Questions.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.
1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.
Backtracking Intrusions Sam King Peter Chen CoVirt Project, University of Michigan.
Inferring the Topology and Traffic Load of Parallel Programs in a VM environment Ashish Gupta Peter Dinda Department of Computer Science Northwestern University.
SubVirt: Implementing malware with virtual machines Yi-Min Wang Chad Verbowski Helen J. Wang Jacob R. Lorch Microsoft Research Samuel T. King Peter M.
Operating System Support for Virtual Machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
Honeypots. Building Honeypots Commercial honeypots-emulating services Specter,Honeyed,Deception Toolkit. Setting up of dedicated firewall (data control.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.
To run the program: To run the program: You need the OS: You need the OS:
Protecting Web 2.0 Services from Botnet Exploitations Cybercrime and Trustworthy Computing Workshop (CTC), 2010 Second Nguyen H Vo, Josef Pieprzyk Department.
Honeypots. Introduction A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
Honeypot and Intrusion Detection System
Operating System Support for Virtual Machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
CIS 450 – Network Security Chapter 16 – Covering the Tracks.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 Computer Forensics Data Recovery and Evidence Collection September.
A Framework for Enforcing Information Flow Policies Bhuvan Mital Secure Systems Laboratory, Stony Brook University A Thesis Presentation in Partial Fulfillment.
CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.
Backtracking Intrusions. Introduction Rapidly increasing frequency of computer intrusions Common routines for system administrators (1)Understand how.
Security monitoring boxes Andrew McNab University of Manchester.
Honeynet Data Analysis: A technique for correlating sebek and network data Edward G. Balas Indiana University Advanced Network Management Lab 6/15/2004.
Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.
Investigation and Evaluation of Systems for Generating Automatic Alerts Using Honeynet Data Master’s Thesis Seminar Presentation Esko Harjama.
1 J. Keller, R. Naues: A Collaborative Virtual Computer Security Lab Amsterdam,Dec 4, 2006 Amsterdam, DEC 4, 2006 Jörg Keller FernUniversität in Hagen,
Midterm Meeting Pete Bohman, Adam Kunk, Erik Shaw.
Speculative Execution in a Distributed File System Ed Nightingale Peter Chen Jason Flinn University of Michigan.
1 Multilevel Bidirectional Damage Assessment Peng Liu, Penn State University Jason Li, Information Automation Inc. ARO Workshop on Cyber Situational Awareness.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Network Forensics - III November 3, 2008.
Mark Shtern.  Our life depends on computer systems  Traffic control  Banking  Medical equipment  Internet  Social networks  Growing number of.
Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.
Kali Linux BY BLAZE STERLING. Roadmap  What is Kali Linux  Installing Kali Linux  Included Tools  In depth included tools  Conclusion.
6/13/20161 Operating Systems Design (CS 423) Elsa L Gunter 2112 SC, UIUC Based on slides by Roy Campbell, Sam King,
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Security (part 1) CPS210 Spring Current Forensic Methods  Manual inspection of existing logs  System, application logs  Not enough information.
Koustav Sadhukhan, Rao Arvind Mallari and Tarun Yadav DRDO, Ministry of Defense, INDIA Cyber Attack Thread: A Control-flow Based Approach to Deconstruct.
CompTIA Security+ Study Guide (SY0-401)
Working at a Small-to-Medium Business or ISP – Chapter 8
Network Exploitation Tool
Operating Systems Design (CS 423)
Click to edit Master subtitle style
Outline Introduction Characteristics of intrusion detection systems
EASE – New Features Cover example with photo as background
THE STEPS TO MANAGE THE GRID
ADVANCED PERSISTENT THREATS (APTs) - Simulation
Evaluating a Real-time Anomaly-based IDS
Offline Auditing for Privacy
CompTIA Security+ Study Guide (SY0-401)
Backtracking Intrusions
Chapter 2. Malware Analysis in VMs
Hidden Processes: The Implication for Intrusion Detection
Xutong Chen and Yan Chen
Exploring the UNIX File System and File Security
By Dunlap, King, Cinar, Basrai, Chen
IS3440 Linux Security Unit 9 Linux System Logging and Monitoring
Chapter 2: The Linux System Part 2
Operating System Support for Virtual Machines
12/6/2018 Honeypot ICT Infrastructure Sashan
Friday, December 07, 2018 Honeypot ICT Infrastructure Sashan Kantonsspital Graubunden ICT Department.
SECURITY IN THE LINUX OPERATING SYSTEM
Bethesda Cybersecurity Club
Honeypots.
Intrusion.
Presentation transcript:

Backtracking Intrusions Sam King Peter Chen CoVirt Project, University of Michigan

Motivation Computer break-ins increasing Computer forensics is important How did they get in

Current Forensic Methods Manual inspection of existing logs System, application logs Not enough information Network log May be encrypted Disk image Only shows final state Machine level logs No semantic information No way to separate out legitimate actions

BackTracker Can we help figure out what was exploited? Track back to exploited application Record causal dependencies between objects

Process File Socket Detection point Fork event Read/write event

Presentation Outline BackTracker design Evaluation Limitations Conclusions

BackTracker runs, shows intrusion detected occurs BackTracker runs, shows source of intrusion Online component, log objects and events Offline component to generate graphs

BackTracker Objects Process File Filename

Dependency-Forming Events Process / Process fork, clone, vfork Process / File read, write, mmap, exec Process / Filename open, creat, link, unlink, mkdir, rmdir, stat, chmod, …

Prioritizing Dependency Graphs Hide read-only files Eliminate helper processes Filter “low-control” events proc /bin/bash bash /lib/libc backdoor

Prioritizing Dependency Graphs Hide read-only files Eliminate helper processes Filter “low-control” events proc id bash pipe backdoor

Prioritizing Dependency Graphs Hide read-only files Eliminate helper processes Filter “low-control” events proc login_a login_b utmp bash backdoor

Filtering “Low-Control” Events proc login utmp backdoor bash

Filtering “Low-Control” Events proc login backdoor sshd bash utmp bash

Process File Socket Detection point Fork event Read/write event

Implementation Prototype built on Linux 2.4.18 Both stand-alone and virtual machine Hook system call handler Inspect state of OS directly Guest Apps Guest OS Host Apps VMM EventLogger Host OS Host OS EventLogger Virtual Machine Implementation Stand-Alone Implementation

Evaluation Determine effectiveness of Backtracker Set up Honeypot virtual machine Intrusion detection using standard tools Attacks evaluated with six default filtering rules

Process File Socket Detection point Fork event Read/write event

Process File Socket Detection point Fork event Read/write event

BackTracker Limitations Layer-below attack Use “low control” events or filtered objects to carry out attack Hidden channels Create large dependency graph Perform a large number of steps Implicate innocent processes

Future Work Department system administrators currently evaluating BackTracker Use different methods of dependency tracking Forward tracking

Conclusions Tracking causality through system calls can backtrack intrusions Dependency tracking Reduce events and objects by 100x Still effective even when same application exploited many times Filtering Further reduce events and objects

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.