Web Canary -- client honey pot UTSA


Architecture of Web canary

Implementation of Web canary
- Test-bed – Dell Precision 690 workstation with dual-core 3.0 GHz CPU, 8 GB memory
- VM – M memory, 8 GB disk space
- Host OS – Windows XP x64 SP2
- Guest OS – Windows XP SP2
- VM – VMware Workstation
- Browser – IE 6.0 SP2

Guest OS
- Guest OS – VMware Workstation: isolation, easy reverting.
- PS – Persistent Storage (PS), a shared folder between the guest OS and the host OS. In the guest OS, only the BHO and the Capture Client can write to this folder.
- Snapshot – a pristine state, a tool of VMware Workstation.

Design of Capture client (1)
Capture Client: monitors file, process and registry changes in the Windows OS at kernel level, and supports exclusion lists to filter out the normal changes. The Capture client consists of two components:
- The kernel drivers operate in kernel space and use event-based detection mechanisms for monitoring the system's state changes.
- The user space process receives the state changes from the kernel drivers and filters the events based on the exclusion lists.

Design of Capture client (2)
Exclusion lists – since some events occur during normal operation, exclusion lists allow certain types of events to be ignored.
Kernel Drivers – the kernel drivers monitor the system by using the existing kernel callback mechanism, which notifies registered drivers when a certain event happens. These callbacks invoke functions inside the kernel driver and pass the actual event information so that it can be monitored.

Design of Capture client (3)
- CmRegisterCallback (registry changes)
- PsSetCreateProcessNotifyRoutine (process creation and deletion)
- FilterLoad, FltRegisterFilter (filtering file I/O operations)
e.g. a driver calls CmRegisterCallback to register a RegistryCallback routine. The events seen by the RegistryCallback reach user space through a user-allocated buffer that is passed from user space into kernel space; the kernel drivers copy the event information into that buffer so the application can process it in user space.

BHO
BHO – a Browser Helper Object (BHO) which captures all the URLs visited by IE. It then writes the URLs to a log in the PS (Persistent Storage). They create a browser add-on to capture the URL requests made by the browser.

Canary Server (Host OS)
Canary Server – shows the health state of the guest OS and can start, stop or revert the VM. It sends the detected malicious URLs to a remote central server with the user's permission, and controls the VMware servers using the VMware C API.
Auto-reversion – auto-reversion of the VM to its pristine state upon the detection of unauthorized events.

Analysis Engine (Host OS)
Analysis Engine – reads the log files of the BHO and the Capture Client and correlates system changes to the URL according to the rules.
Rules – upon receiving system change events and visited URLs, correlate them together according to the time interval.
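As an added illustration (not code from the Web Canary project), here is how the Analysis Engine's time-interval rule on this slide and the exclusion-list filtering from the Capture client slides fit together, in C++ with std::regex standing in for the Boost::regex library of Appendix 3; the log formats, timestamps, paths and URLs are all constructed.

```cpp
#include <algorithm>
#include <regex>
#include <string>
#include <vector>

// A Capture Client state change and a BHO URL visit; timestamps are seconds since
// the VM was reverted. Log formats are constructed, not the paper's own.
struct Event { long t; std::string type; std::string path; };
struct Visit { long t; std::string url; };
// Exclusion list: changes that happen during normal IE operation are ignored.
// std::regex stands in here for the Boost::regex library named in Appendix 3.
static const std::vector<std::regex> kExclusions = {
    std::regex(R"(^file .*\\Temporary Internet Files\\.*$)"),
    std::regex(R"(^registry HKCU\\Software\\Microsoft\\Internet Explorer\\.*$)"),
};
bool isExcluded(const Event& e) {
    const std::string line = e.type + " " + e.path;
    for (const auto& re : kExclusions)
        if (std::regex_match(line, re)) return true;
    return false;
}
// Time-interval rule: each unexcluded event is attributed to the most recent URL
// visited at most `window` seconds before it. Events with no visit inside the
// window stay unattributed, which is the weakness raised in question 1.
std::vector<std::string> correlate(const std::vector<Visit>& visits,
                                   const std::vector<Event>& events, long window) {
    std::vector<std::string> flagged;
    for (const auto& e : events) {
        if (isExcluded(e)) continue;
        const Visit* best = nullptr;
        for (const auto& v : visits)
            if (v.t <= e.t && e.t - v.t <= window && (!best || v.t > best->t)) best = &v;
        if (best && std::find(flagged.begin(), flagged.end(), best->url) == flagged.end())
            flagged.push_back(best->url);
    }
    return flagged;
}
// Constructed sample logs: a benign cache write, a dropped executable plus a Run key
// right after one visit, a normal IE registry write, and a late event with no visit.
std::vector<std::string> demo() {
    std::vector<Visit> visits = {{10, "http://example.com/"}, {20, "http://bad.example/x"}, {60, "http://news.example/"}};
    std::vector<Event> events = {
        {12, "file", "C:\\Documents and Settings\\user\\Temporary Internet Files\\a.htm"},
        {23, "process", "C:\\WINDOWS\\system32\\dropper.exe"},
        {24, "registry", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x"},
        {61, "registry", "HKCU\\Software\\Microsoft\\Internet Explorer\\Main"},
        {100, "process", "C:\\late.exe"}};
    return correlate(visits, events, 30);  // returns {"http://bad.example/x"}
}
```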

Conclusion
Present a system that can leverage a large, distributed network of users who, simply by using a standard Web browser, silently collaborate to detect and report malicious Web pages. The advantages of this method are that it can get meaningful URLs from users and easily visit Web pages that require CAPTCHAs or passwords.

Appendix 1 – Windows Driver Kit: Kernel-Mode Driver Architecture
PsSetCreateProcessNotifyRoutine – adds a driver-supplied callback routine to, or removes it from, a list of routines to be called whenever a process is created or deleted.
CmRegisterCallback – the CmRegisterCallback routine registers a RegistryCallback routine.

Appendix 2 – Windows Driver Kit: Installable File System Drivers
FltRegisterFilter – FltRegisterFilter registers a minifilter driver.
FilterLoad – the FilterLoad function dynamically loads a minifilter driver into the system.

Appendix 3 – Boost::regex library
Used to describe the filter rules (regular expressions).

Questions
1. The method of correlating a URL to a malicious Web page according to a time interval does not always seem right.
2. Trying to distribute a browser running on a VM is not quite practical.
3. The idea of real distributed users is good, but how do we protect the server used for collecting the various users' information? The server is the most vulnerable unit in the whole system. And if an attacker uses the client to send a lot of benign URLs to the server as malicious URLs, how do we distinguish them?

Thank you!