EASEAndroid: Automatic Analysis and Refinement for SEAndroid Policy via Large-scale Audit Log Analytics Presenter: Hongyang Zhao Ruowen Wang, Xinwen Zhang,


EASEAndroid: Automatic Analysis and Refinement for SEAndroid Policy via Large-scale Audit Log Analytics
Presenter: Hongyang Zhao
Authors: Ruowen Wang, Xinwen Zhang, Peng Ning, Douglas Reeves, William Enck, Dingbang Xu, Wu Zhou, and Ahmed M. Azab
Adapted from the authors’ slides

Security Enhanced Android
 SEAndroid: security enhancements to Android
 Enforces a mandatory access control (MAC) policy between subjects (processes) and objects (files, sockets, ...)

The core of SEAndroid: Policy
 Policy rule: defines which domain of subjects can operate on which class and type of objects, with a set of permissions
   Subject: process
   Object: files, sockets
 Label: assigned to subjects/objects that share the same semantics
   Domain: subject label
   Type: object label

Policy Language
 Security labels map to concrete subjects/objects
   app_data_file   /data/data/.*
 Allow rules grant benign operations
   allow appdomain app_data_file:file { read write execute };
 Neverallow rules forbid accesses that would amount to privilege escalation; the policy fails to compile if any allow rule contradicts one
   neverallow untrusted_app init:file { read };

SEAndroid Policy Challenges
 Requires a complete redesign of the policy
   Android differs from traditional Linux
 Requires policy analysts to have both
   Domain knowledge (allow benign accesses)
   Security expertise (prevent malicious accesses)
 Requires continuous refinement
   New Android releases
   New attacks

SEAndroid Policy Challenges
 “Vendors don’t know how to write policies”
 “Defeat SEAndroid” at Defcon 2013

Problem Statement
 Current approach to SEAndroid policy refinement
   Analyze audit logs to refine policies
   The kernel logs access events not matched by any allow rule
   Analysts parse the logs to refine the policy
 Goal
   Reduce the manual effort required to refine SEAndroid policy using audit logs

Real-World Challenges
 Millions of such audit logs
 Unknown new benign and malicious access patterns mixed together
 Continuous effort due to Android updates and emerging new attacks

EASEAndroid
 Elastic Analytics of SEAndroid
 Features
   Analyze audit logs at large scale
   Classify new benign and malicious access patterns
   Propose new security labels and rules as policy refinements
 Key insight
   Model policy refinement as semi-supervised learning

Audit log
 Audit log: records access events not matched by any allow rule
 Information in one access event
   Security labels of the denied access
   Syscall subject info (e.g. process)
   Syscall object info (e.g. file path)
 Each event is modeled as a 6-tuple access pattern

Audit log
 [Figure: an annotated audit log entry, with callouts for the labels & permission, the syscall & process info, and the object info]

Audit log
 Access event
   Causes the audit log entries
   Results from a policy denial, or from an auditallow policy rule
 Access pattern (6-tuple)
   Access events are mapped (generalized) to access patterns

Audit log
 Example access pattern
   <“/init”, “init”, “entrypoint”, “file”, “/system/etc/install-recovery.sh”, “system_file”>
   i.e. <subject path, subject domain, permission, object class, object path, object type>
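As an added illustration (not the paper's or the presenter's code): a small Python parser that turns raw SELinux avc records, as they appear in Android's dmesg/logcat, into the 6-tuple access pattern above, dropping the per-event noise (pid, inode, device) so that repeated events collapse into one pattern with a count. It handles both the denied records and the granted records an auditallow rule produces. The sample log lines are constructed for this example; one assumption is that the first tuple element is taken from the comm field, since the executable path the slide shows (/init) is not part of an avc line.

```python
import re
from collections import Counter
from typing import Dict, Iterator, Optional, Tuple

# (subject path, subject domain, permission, object class, object path, object type)
AccessPattern = Tuple[str, str, str, str, str, str]

# Constructed sample lines in the standard Android avc format (not from the paper's dataset).
# Lines 2 and 3 are the same operation from two processes; "granted" comes from an auditallow rule.
SAMPLE_LOG = """\
type=1400 audit(1401234567.890:12): avc: denied { entrypoint } for pid=1 comm="init" path="/system/etc/install-recovery.sh" dev="mmcblk0p23" ino=1042 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=file
type=1400 audit(1401234568.001:13): avc: denied { read } for pid=3120 comm="com.example.app" name="uid_stat" dev="proc" ino=4026 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:proc_uid_stat:s0 tclass=dir
type=1400 audit(1401234568.002:14): avc: denied { read } for pid=3121 comm="com.example.app" name="uid_stat" dev="proc" ino=4026 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:proc_uid_stat:s0 tclass=dir
type=1400 audit(1401234569.100:15): avc: granted { execute } for pid=2210 comm="sh" path="/system/bin/toolbox" dev="mmcblk0p23" ino=77 scontext=u:r:shell:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
some unrelated kernel line that must be ignored
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Optional[dict]:
    """One avc line -> {'verdict', 'perms', 'fields'}; None for lines that are not avc records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"verdict": m.group("verdict"), "perms": m.group("perms").split(), "fields": fields}


def label_type(context: str) -> str:
    """Third field of a security context: u:r:init:s0 -> init, u:object_r:system_file:s0 -> system_file.
    MLS categories (s0:c512,c768) sit after the type, so the index is stable."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def to_patterns(event: dict) -> Iterator[AccessPattern]:
    """Generalize an event into access patterns: drop pid/ino/dev, keep labels, permission and paths.
    An event listing several permissions yields one pattern per permission."""
    f = event["fields"]
    subject_path = f.get("comm", "")                 # assumption: comm stands in for the exe path
    object_path = f.get("path") or f.get("name") or ""
    for perm in event["perms"]:
        yield (subject_path, label_type(f.get("scontext", "")), perm, f.get("tclass", ""),
               object_path, label_type(f.get("tcontext", "")))


def access_patterns(log_text: str) -> Counter:
    """Count how often each generalized access pattern occurs in the log."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        for pattern in to_patterns(event):
            counts[pattern] += 1
    return counts


if __name__ == "__main__":
    for pattern, n in access_patterns(SAMPLE_LOG).most_common():
        print(n, pattern)
```

On the four sample records this yields three patterns, with the two untrusted_app reads of /proc/uid_stat merged into one pattern with count 2; on a real dump of 1.3M records the same collapse is what brings the volume down to a few thousand patterns an analyst (or a learner) can reason about.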

Semi-supervised learning
 Observation
   Labeled data: insufficient and expensive
   Unlabeled data: plentiful and easy to collect
 Semi-supervised learning
   Correlate features of the unlabeled data with the labeled data, and infer labels for the unlabeled instances that correlate strongly

Key Insight
 Learn the unknown from semantic correlations
   A known malicious subject performing an unseen behavior: malicious
   A system daemon performing a new operation similar to its known ones: benign

EASEAndroid Architecture
 [Figure: EASEAndroid architecture]

Nearest-Neighbor (NN) Classifier
 Observation
   Known subjects perform new access patterns: Android apps/binaries are updated with new features
   New subjects perform known access patterns: certain operations become popular and are copied by other new applications
 The NN classifier identifies connections between
   Known subjects and new access patterns
   New subjects and known access patterns

Pattern-to-Rule Distance Measurer
 Observation
   New access patterns close to existing, incomplete rules are the missing parts of those rules
 Decision-tree-based approach
   Classified as benign if closest to an allow rule
   Classified as malicious if closest to a neverallow rule
   Remains unclassified if far from both

Decision-Tree-Based Pattern-to-Rule
 [Figure: decision tree over subject label, object label, tclass and permission]
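An added worked example of the pattern-to-rule distance (example code, not the paper's implementation). The mini-policy, the attribute map (appdomain covering the app domains) and the distance definition are assumptions made for illustration: the tree is walked in the order of the figure, subject, object, tclass, permission, and the distance is the number of levels left below the first mismatch, so a pattern that differs from a rule only in its permission is at distance 1 and one whose subject does not even match is at distance 4. Ties between an allow and a neverallow rule go to the neverallow rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed mini-policy and attribute map; illustrative only, not the real SEAndroid policy.
POLICY = """
allow appdomain app_data_file:file { read write execute };
allow init system_file:file { read open execute };
allow shell toolbox_exec:file { execute };
neverallow untrusted_app init:file { read };
neverallow untrusted_app proc_uid_stat:dir { read search };
"""
ATTRIBUTES: Dict[str, Set[str]] = {"appdomain": {"untrusted_app", "platform_app", "system_app"}}

RULE_RE = re.compile(r'^(allow|neverallow)\s+(\S+)\s+(\S+):(\S+)\s+\{\s*([^}]+?)\s*\}\s*;')

# The four label components of an access pattern: (subject domain, object type, tclass, permission)
LabelPattern = Tuple[str, str, str, str]


@dataclass(frozen=True)
class Rule:
    kind: str          # "allow" or "neverallow"
    subject: str
    obj: str
    tclass: str
    perms: FrozenSet[str]


def parse_policy(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            kind, s, o, c, perms = m.groups()
            rules.append(Rule(kind, s, o, c, frozenset(perms.split())))
    return rules


def label_matches(rule_label: str, pattern_label: str) -> bool:
    """A rule written against an attribute covers every type that carries the attribute."""
    return rule_label == pattern_label or pattern_label in ATTRIBUTES.get(rule_label, set())


def distance(rule: Rule, pattern: LabelPattern) -> int:
    """Decision-tree distance: walk subject -> object -> tclass -> permission, stop at the first
    mismatch, and return the number of levels left below that point (0 = exact match,
    4 = not even the subject agrees)."""
    sdom, otype, tclass, perm = pattern
    checks = [label_matches(rule.subject, sdom), label_matches(rule.obj, otype),
              rule.tclass == tclass, perm in rule.perms]
    matched = 0
    for ok in checks:
        if not ok:
            break
        matched += 1
    return len(checks) - matched


def classify(rules: List[Rule], pattern: LabelPattern, threshold: int = 1) -> Tuple[str, Optional[Rule]]:
    """benign if the nearest rule within `threshold` is an allow rule, malicious if it is a
    neverallow rule (ties go to neverallow, i.e. fail closed), otherwise unclassified."""
    nearest: Dict[str, Tuple[int, Optional[Rule]]] = {"allow": (99, None), "neverallow": (99, None)}
    for rule in rules:
        d = distance(rule, pattern)
        if d < nearest[rule.kind][0]:
            nearest[rule.kind] = (d, rule)
    d_allow, r_allow = nearest["allow"]
    d_never, r_never = nearest["neverallow"]
    if d_never <= threshold and d_never <= d_allow:
        return "malicious", r_never
    if d_allow <= threshold:
        return "benign", r_allow
    return "unclassified", None


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for p in [("untrusted_app", "app_data_file", "file", "unlink"),
              ("untrusted_app", "proc_uid_stat", "dir", "getattr"),
              ("init", "system_file", "file", "entrypoint"),
              ("mediaserver", "app_data_file", "file", "read")]:
        print(p, "->", classify(rules, p))
```

The threshold is the knob the learning balancer turns: at threshold 1 an untrusted_app writing to an app_data_file sock_file stays unclassified (the tclass differs), at threshold 2 it is accepted as the missing part of the appdomain rule. Note that mediaserver reading app_data_file is not pulled towards the appdomain rule at all, because the walk stops at the subject.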

Co-Occurrence Learner
 Observation
   A functionality or an attack often involves a series of access patterns that are captured together
 Co-occurrence learner
   Infer labels for new access patterns from the known access patterns they co-occur with
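An added example covering both the nearest-neighbor classifier (slide 17) and the co-occurrence learner above, as one semi-supervised expansion loop over the knowledge base (example code, not the paper's implementation). The knowledge base, the unlabeled patterns and the per-device sessions are constructed for this example. The neighbor relation (same subject, or same operation) and the co-occurrence measure (Jaccard similarity of the sets of device logs two patterns appear in) are assumptions; the paper describes the intent of each learner but this is one concrete way to realize it.

```python
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

# (subject path, subject domain, permission, object class, object path, object type)
AccessPattern = Tuple[str, str, str, str, str, str]

# Constructed knowledge base and device logs; illustrative only, not the paper's data.
K_MAL = ("/data/local/tmp/root.sh", "shell", "write", "blk_file", "/dev/block/mmcblk0p5", "block_device")
K_BEN1 = ("/system/bin/vold", "vold", "read", "file", "/proc/mounts", "proc")
K_BEN2 = ("/system/bin/netd", "netd", "read", "file", "/proc/net/xt_qtaguid/stats", "proc_net")
KNOWLEDGE: Dict[AccessPattern, str] = {K_MAL: "malicious", K_BEN1: "benign", K_BEN2: "benign"}

U1 = ("/system/bin/vold", "vold", "getattr", "dir", "/mnt/media_rw", "mnt_media_rw_file")            # known subject, new behaviour
U2 = ("/data/local/tmp/root.sh", "shell", "read", "file", "/proc/kallsyms", "proc")                  # known malicious subject, new behaviour
U3 = ("com.newapp.stats", "untrusted_app", "read", "file", "/proc/net/xt_qtaguid/stats", "proc_net")  # new subject, known operation
U4 = ("/data/local/tmp/a.out", "untrusted_app", "write", "file", "/proc/sys/kernel/randomize_va_space", "proc_security")  # only co-occurrence reaches it
U5 = ("com.other.app", "untrusted_app", "read", "dir", "/sdcard", "sdcard_external")                 # nothing links it: stays unclassified
UNLABELED = {U1, U2, U3, U4, U5}

# Which patterns were captured together on each device (one session = one device's log).
SESSIONS: Dict[str, Set[AccessPattern]] = {
    "dev1": {K_BEN1, K_BEN2, U1, U5},
    "dev2": {K_BEN1, U3, U5},
    "dev3": {K_MAL, U4, U2, K_BEN1},
    "dev4": {K_MAL, U4, K_BEN2},
    "dev5": {K_BEN2, U5},
}


def subject_key(p: AccessPattern):
    return p[0], p[1]


def operation_key(p: AccessPattern):
    return p[2], p[3], p[4], p[5]


def nn_label(pattern, knowledge, min_support=1) -> Optional[str]:
    """Nearest neighbours are labeled patterns with the same subject (known subject doing something
    new) or the same operation (new subject doing something known); inherit their label only when
    they all agree and there are at least `min_support` of them."""
    votes: Dict[str, int] = defaultdict(int)
    for known, label in knowledge.items():
        if subject_key(known) == subject_key(pattern) or operation_key(known) == operation_key(pattern):
            votes[label] += 1
    if len(votes) == 1:
        label, n = next(iter(votes.items()))
        if n >= min_support:
            return label
    return None


def cooccurrence_label(pattern, knowledge, sessions, min_jaccard=0.8) -> Optional[str]:
    """If a pattern shows up in (almost) exactly the same sessions as a labeled pattern, treat the two
    as steps of one functionality or one attack chain. Jaccard similarity of the session sets is used
    so that ubiquitous background patterns do not pull every rare pattern towards 'benign'."""
    def sessions_with(p):
        return {sid for sid, pats in sessions.items() if p in pats}
    mine = sessions_with(pattern)
    if not mine:
        return None
    best, best_label = 0.0, None
    for known, label in knowledge.items():
        theirs = sessions_with(known)
        j = len(mine & theirs) / len(mine | theirs)
        if j > best:
            best, best_label = j, label
    return best_label if best >= min_jaccard else None


def expand_knowledge(knowledge, unlabeled, sessions, min_support=1, min_jaccard=0.8):
    """Semi-supervised loop: apply both learners, add what they label to the knowledge base, and
    repeat until a pass labels nothing new. Lower thresholds raise coverage at the cost of precision."""
    knowledge = dict(knowledge)
    pending = set(unlabeled)
    changed = True
    while changed:
        changed = False
        for p in sorted(pending):
            label = nn_label(p, knowledge, min_support) or cooccurrence_label(p, knowledge, sessions, min_jaccard)
            if label is not None:
                knowledge[p] = label
                pending.discard(p)
                changed = True
    return knowledge, pending
```

With the default thresholds U1 and U3 become benign through the NN classifier, U2 becomes malicious because its subject is the known root.sh, U4 becomes malicious only because it appears in exactly the device logs that contain the known malicious write, and U5 stays unclassified for a human to look at. Lowering min_jaccard to 0.5 labels U5 benign too, which is the precision-for-coverage trade the balancer slide is about.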

Learning Balancer & Combiner
 Manages the thresholds of each learner
 Combines the results to expand the knowledge base
 Balances precision against coverage
   Automated mode (high precision)
   Semi-automated mode (high coverage)

Policy Refinement Generator
 Suggests new security labels and rules
 Groups subjects/objects together based on the existing coarse-grained labels
 Infers fine-grained labels and encodes them into rules
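An added example of the rule-generation step (example code, not the paper's generator). It takes access patterns already classified as benign, coalesces the permissions still missing from the policy into allow rules per (domain, type, class), refuses to emit anything a neverallow rule forbids, and reports the narrowest directory behind each coarse object label as a hint for where a finer-grained type might be warranted. The benign patterns, the existing rules and the neverallow set are constructed for this example; how the paper picks names for new labels is not reproduced here.

```python
import os
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# (subject path, subject domain, permission, object class, object path, object type)
AccessPattern = Tuple[str, str, str, str, str, str]
RuleKey = Tuple[str, str, str]            # (subject domain, object type, tclass)

# Constructed inputs (illustrative, not the paper's data or the real policy).
BENIGN: List[AccessPattern] = [
    ("/system/bin/vold", "vold", "getattr", "dir", "/mnt/media_rw", "mnt_media_rw_file"),
    ("/system/bin/vold", "vold", "search", "dir", "/mnt/media_rw", "mnt_media_rw_file"),
    ("com.example.gallery", "untrusted_app", "read", "file", "/system/etc/fonts.xml", "system_file"),
    ("com.example.gallery", "untrusted_app", "read", "file", "/system/etc/hosts", "system_file"),
    ("com.example.gallery", "untrusted_app", "open", "file", "/system/etc/hosts", "system_file"),
    ("com.example.gallery", "untrusted_app", "write", "file", "/system/etc/hosts", "system_file"),
]
# Permissions the current policy already grants, as (domain, type, class, perm).
EXISTING_ALLOW: Set[Tuple[str, str, str, str]] = {("untrusted_app", "system_file", "file", "read")}
# What neverallow rules forbid, keyed the same way as generated rules.
NEVERALLOW: Dict[RuleKey, FrozenSet[str]] = {
    ("untrusted_app", "system_file", "file"): frozenset({"write", "append"}),
}


def suggest_rules(benign, existing_allow, neverallow):
    """Return (allow rule strings for the missing permissions, conflicts with neverallow rules).
    A conflict means a pattern was classified benign but the policy's own invariants forbid it,
    so it goes back to a human instead of into the policy."""
    wanted: Dict[RuleKey, Set[str]] = defaultdict(set)
    for _, sdom, perm, tclass, _, otype in benign:
        if (sdom, otype, tclass, perm) not in existing_allow:
            wanted[(sdom, otype, tclass)].add(perm)
    rules, conflicts = [], []
    for key in sorted(wanted):
        sdom, otype, tclass = key
        forbidden = wanted[key] & neverallow.get(key, frozenset())
        conflicts.extend((key, perm) for perm in sorted(forbidden))
        perms = sorted(wanted[key] - forbidden)
        if perms:
            rules.append(f"allow {sdom} {otype}:{tclass} {{ {' '.join(perms)} }};")
    return rules, conflicts


def object_scope(benign) -> Dict[RuleKey, str]:
    """Narrowest directory covering the concrete objects seen per rule key. When it is much
    narrower than the coarse type (only /system/etc out of everything labeled system_file),
    that is the candidate for a finer-grained type in file_contexts."""
    objects: Dict[RuleKey, Set[str]] = defaultdict(set)
    for _, sdom, _, tclass, opath, otype in benign:
        objects[(sdom, otype, tclass)].add(opath)
    return {key: os.path.commonpath(sorted(paths)) for key, paths in objects.items()}


if __name__ == "__main__":
    rules, conflicts = suggest_rules(BENIGN, EXISTING_ALLOW, NEVERALLOW)
    print("\n".join(rules))
    print("conflicts:", conflicts)
    print("scopes:", object_scope(BENIGN))
```

Here the generator proposes one rule for vold and one for untrusted_app with only the open permission, because read is already granted and write is caught by the neverallow check; the scope hint shows that the untrusted_app accesses to system_file all fall under /system/etc, which is the kind of grouping the slide refers to.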

Implementation
 A prototype of EASEAndroid on an 8-node Hadoop cluster; each node has an 8-core 2 GHz Xeon and 32 GB of memory
 Open-source Cloudera Impala as the distributed SQL layer, with 10K SLOC of Java as the learning layer

Evaluation
 Audit log dataset
   1.3M audit logs from real-world Samsung devices running Android 4.3, collected over 2014
   145K unique access events, generalized into 3530 access patterns
 Initial knowledge
   5094 allow rules and 59 neverallow rules
   17 malicious access patterns
 Ground truth
   A later version of the human-refined policy (6337 allow / 94 neverallow rules)
   Consultation with experienced policy analysts

Evaluation
 [Figure: coverage & precision]

Evaluation
 [Figure: coverage under different thresholds]

Evaluation
 [Figure: precision under different thresholds]

Limitations
 Information missed by audit logs
   High-level semantics in the Android framework
 Countermeasures against EASEAndroid
   Data poisoning attacks
 Unclassified access patterns
   A human can interact with EASEAndroid by adding extra knowledge

Conclusion
 SEAndroid policy development and refinement is challenging
 EASEAndroid: an analytics system that refines the policy using semi-supervised learning
 Evaluated on 1.3 million audit logs: discovered over 2,500 new access patterns and generated 331 policy rules

Quiz
 Why is a semi-supervised learning algorithm suitable for refining policies?
 Are real-world audit logs trustworthy?
 Can EASEAndroid survive if its audit log system is compromised?

Thank you!