Community Awareness Initial Results

Community Awareness: Initial Results
Sam Larsen, Determina

Overview
- Can we automatically detect anomalous program behavior?
  - Security attacks
  - Applications are large, complex, and hard to characterize
- Can we employ an application community to gain visibility into application behavior?
  - We expect data to vary among machines
  - What about control?
  - Determina product has unique ability to monitor precise control-flow

Initial Study
- Is it possible to identify an attack by comparing the behavior of multiple machines running the same server application?
- Simple first step: compare basic blocks placed in the code cache
  - Measure of code coverage

Step 1
- How much does the code cache vary on different runs of the same input?
  - Approximate an application community
- IIS serving a simple ASP
  - Different runs vary by less than 1%
- Guestbook web application
  - IIS processes vary by less than 1%
  - SQL processes vary by 4-7%
- Loadsim (exchange benchmark)
  - All processes vary by less than 1%

Step 2
- Execute an attack and observe the effect on the code cache
- IIS serving a simple ASP + CodeRed worm
  - Normal and attack runs differ by about 12%
- But how do different ASPs compare?
  - i.e., does an attack look like we're simply serving a different page?
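
The comparison in Steps 1 and 2, sketched as an added example (not code from the presentation or from Determina): each host reports the set of basic blocks in its code cache, and a host is flagged when its median variation against the rest of the community is high. The variation metric (symmetric difference over union), the 5% threshold, the host names and the block addresses are all assumptions constructed for illustration.

```python
from statistics import median

def blocks(start, count):
    # Constructed stand-in for basic-block start addresses in a code cache.
    return {0x401000 + 16 * i for i in range(start, start + count)}

# Constructed sample: four hosts serve the same page; host-d also ran extra code.
RUNS = {
    "host-a": blocks(0, 1000) | blocks(1000, 3),
    "host-b": blocks(0, 1000) | blocks(1003, 5),
    "host-c": blocks(0, 1000) | blocks(1008, 2),
    "host-d": blocks(0, 1000) | blocks(2000, 135),
}

def variation(a, b):
    """Percent of blocks not shared by two runs (assumed metric: Jaccard distance)."""
    union = a | b
    return 100.0 * len(a ^ b) / len(union) if union else 0.0

def flag_outliers(runs, threshold_pct):
    """Hosts whose median variation against every other host exceeds the threshold."""
    flagged = []
    for host, cache in runs.items():
        others = [variation(cache, c) for h, c in runs.items() if h != host]
        if others and median(others) > threshold_pct:
            flagged.append(host)
    return sorted(flagged)

def novel_blocks(runs, host):
    """Blocks seen on this host and on no other community member."""
    seen_elsewhere = set().union(*(c for h, c in runs.items() if h != host))
    return runs[host] - seen_elsewhere

if __name__ == "__main__":
    for host in flag_outliers(RUNS, threshold_pct=5.0):
        print(host, "novel blocks:", len(novel_blocks(RUNS, host)))
```

The threshold has to be set per process type: the SQL processes above already vary by 4-7% on identical input, so a value that suits IIS would flag them constantly. The novel-block set is what an analyst would inspect to tell an attack from a host that is simply serving a different page.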

Attack Results

Next Steps
- More realistic testbed
- See if we can detect the same behavior with coarser grain information
  - Many attacks execute an obscure piece of code
  - Track function calls
  - Track DLLs loaded and unloaded
- Efficient data gathering and analysis
  - Particularly problematic for basic blocks
- What other anomalous behavior can we detect?