Backtracking Intrusions Sam King Peter Chen CoVirt Project, University of Michigan.

Slides:



Advertisements
Similar presentations
Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.
Advertisements

Debugging operating systems with time-traveling virtual machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Backtracking Intrusions Sam King & Peter Chen CoVirt Project, University of Michigan Presented by:
Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks Qi Alfred Chen, Zhiyun Qian†, Z. Morley Mao University of.
Flash: An efficient and portable Web server Authors: Vivek S. Pai, Peter Druschel, Willy Zwaenepoel Presented at the Usenix Technical Conference, June.
Aktueller Status How Hackers Cover Their Tracks ECE 4112 May 1st, 2007 Group 1 Chris Garyet Christopher Smith Introduction Lab Content Conclusions Questions.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.
Inferring the Topology and Traffic Load of Parallel Programs in a VM environment Ashish Gupta Peter Dinda Department of Computer Science Northwestern University.
Operating System Support for Virtual Machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
To run the program: To run the program: You need the OS: You need the OS:
Virtual Memory Tuning   You can improve a server’s performance by optimizing the way the paging file is used   You may want to size the paging file.
Design and Implementation of a Single System Image Operating System for High Performance Computing on Clusters Christine MORIN PARIS project-team, IRISA/INRIA.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Protecting Web 2.0 Services from Botnet Exploitations Cybercrime and Trustworthy Computing Workshop (CTC), 2010 Second Nguyen H Vo, Josef Pieprzyk Department.
Kirby Kuehl Honeynet Project Member 05/08/2002 Intrusion Deception.
Honeypots. Introduction A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
Honeypot and Intrusion Detection System
Operating System Support for Virtual Machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
1 Abstracting the Content of System Call Traces Waseem Fadel Abdelwahab Hamou-Lhadj Department of Electrical and Computer Engineering Concordia University.
CIS 450 – Network Security Chapter 16 – Covering the Tracks.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Parallelizing Security Checks on Commodity Hardware E.B. Nightingale, D. Peek, P.M. Chen and J. Flinn U Michigan.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
A Virtual Honeypot Framework Author: Niels Provos Published in: CITI Report 03-1 Presenter: Tao Li.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 Computer Forensics Data Recovery and Evidence Collection September.
HONEYPOTS PRESENTATION TEAM: TEAM: Ankur Sharma Ashish Agrawal Elly Bornstein Santak Bhadra Srinivas Natarajan.
Antivirus AppLocker in “Deny” Mode AppLocker in “Allow” Mode Auditing of Protections Forensic capture of host-based artifacts Forensic capture of memory-based.
A Framework for Enforcing Information Flow Policies Bhuvan Mital Secure Systems Laboratory, Stony Brook University A Thesis Presentation in Partial Fulfillment.
A VIRTUAL HONEYPOT FRAMEWORK Author : Niels Provos Publication: Usenix Security Symposium Presenter: Hiral Chhaya for CAP6103.
Parallelizing Security Checks on Commodity Hardware Ed Nightingale Dan Peek, Peter Chen Jason Flinn Microsoft Research University of Michigan.
CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.
1 Implementing Monitoring and Reporting. 2 Why Should Implement Monitoring? One of the biggest complaints we hear about firewall products from almost.
Backtracking Intrusions. Introduction Rapidly increasing frequency of computer intrusions Common routines for system administrators (1)Understand how.
Security monitoring boxes Andrew McNab University of Manchester.
Honeynet Data Analysis: A technique for correlating sebek and network data Edward G. Balas Indiana University Advanced Network Management Lab 6/15/2004.
Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.
Investigation and Evaluation of Systems for Generating Automatic Alerts Using Honeynet Data Master’s Thesis Seminar Presentation Esko Harjama.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #30 Network Forensics (Revisited) November 7, 2007.
1 J. Keller, R. Naues: A Collaborative Virtual Computer Security Lab Amsterdam,Dec 4, 2006 Amsterdam, DEC 4, 2006 Jörg Keller FernUniversität in Hagen,
1 Figure 10-4: Intrusion Detection Systems (IDSs) IDSs  Event logging in log files  Analysis of log file data  Alarms Too many false positives (false.
Speculative Execution in a Distributed File System Ed Nightingale Peter Chen Jason Flinn University of Michigan.
1 Multilevel Bidirectional Damage Assessment Peng Liu, Penn State University Jason Li, Information Automation Inc. ARO Workshop on Cyber Situational Awareness.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Network Forensics - III November 3, 2008.
Module 10: Implementing Administrative Templates and Audit Policy.
HoneyStat: Local Worm Detection Using Honeypots David Dagon, Xinzhou Qin, Guofei Gu, Wenke Lee, et al from Georgia Institute of Technology Authors: The.
 Introduction  Tripwire For Servers  Tripwire Manager  Tripwire For Network Devices  Working Of Tripwire  Advantages  Conclusion.
Mark Shtern.  Our life depends on computer systems  Traffic control  Banking  Medical equipment  Internet  Social networks  Growing number of.
Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.
Chapter 11 Analysis Methodology Spring Incident Response & Computer Forensics.
Kali Linux BY BLAZE STERLING. Roadmap  What is Kali Linux  Installing Kali Linux  Included Tools  In depth included tools  Conclusion.
Penetration Testing By Blaze Sterling. Roadmap What is Penetration Testing How is it done? Penetration Testing Tools Kali Linux In depth included tools.
6/13/20161 Operating Systems Design (CS 423) Elsa L Gunter 2112 SC, UIUC Based on slides by Roy Campbell, Sam King,
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Security (part 1) CPS210 Spring Current Forensic Methods  Manual inspection of existing logs  System, application logs  Not enough information.
IDS And Tripwire Rayhan Mir COSC 356. What is IDS IDS - Intrusion detection system Primary function – To monitor network or host resources to detect intrusions.
Koustav Sadhukhan, Rao Arvind Mallari and Tarun Yadav DRDO, Ministry of Defense, INDIA Cyber Attack Thread: A Control-flow Based Approach to Deconstruct.
Working at a Small-to-Medium Business or ISP – Chapter 8
Network Exploitation Tool
Operating Systems Design (CS 423)
ADVANCED PERSISTENT THREATS (APTs) - Simulation
Evaluating a Real-time Anomaly-based IDS
Backtracking Intrusions
Backtracking Intrusions
By Dunlap, King, Cinar, Basrai, Chen
Operating System Support for Virtual Machines
12/6/2018 Honeypot ICT Infrastructure Sashan
Bethesda Cybersecurity Club
Presentation transcript:

Backtracking Intrusions Sam King Peter Chen CoVirt Project, University of Michigan

Motivation Computer break-ins increasing Computer forensics is important –How did they get in

Current Forensic Methods Manual inspection of existing logs System, application logs –Not enough information Network log –May be encrypted Disk image –Only shows final state Machine level logs –No semantic information No way to separate out legitimate actions

BackTracker Can we help figure out what was exploited? Track back to exploited application Record causal dependencies between objects

Process File Socket Detection point Fork event Read/write event

Presentation Outline BackTracker design Evaluation Limitations Conclusions

BackTracker Online component, log objects and events Offline component to generate graphs BackTracker runs, shows source of intrusion intrusion detected intrusion occurs

BackTracker Objects Process File Filename

Dependency-Forming Events Process / Process –fork, clone, vfork Process / File –read, write, mmap, exec Process / Filename –open, creat, link, unlink, mkdir, rmdir, stat, chmod, …

Prioritizing Dependency Graphs Hide read-only files Eliminate helper processes Filter “low-control” events /bin/bash /lib/libc bash proc backdoor

Prioritizing Dependency Graphs id pipe Hide read-only files Eliminate helper processes Filter “low-control” events bash proc backdoor

Prioritizing Dependency Graphs bash proc login_a utmp login_b backdoor Hide read-only files Eliminate helper processes Filter “low-control” events

Filtering “Low-Control” Events bash proclogin utmp backdoor

sshd bash Filtering “Low-Control” Events bash proclogin utmp

Process File Socket Detection point Fork event Read/write event

Implementation Prototype built on Linux Both stand-alone and virtual machine Hook system call handler Inspect state of OS directly Guest OS Host OS VMMEventLogger Guest Apps Host OS EventLogger Host Apps Virtual Machine Implementation Stand-Alone Implementation

Evaluation Determine effectiveness of Backtracker Set up Honeypot virtual machine Intrusion detection using standard tools Attacks evaluated with six default filtering rules

Process File Socket Detection point Fork event Read/write event

Process File Socket Detection point Fork event Read/write event

BackTracker Limitations Layer-below attack Use “low control” events or filtered objects to carry out attack Hidden channels Create large dependency graph –Perform a large number of steps –Implicate innocent processes

Future Work Department system administrators currently evaluating BackTracker Use different methods of dependency tracking Forward tracking

Conclusions Tracking causality through system calls can backtrack intrusions Dependency tracking –Reduce events and objects by 100x –Still effective even when same application exploited many times Filtering –Further reduce events and objects

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.