Next Generation Kernel Activity Monitoring. Edward Balas, Indiana University; Michael Davis, Savid Technologies. IU Partners in Crime: Camilo Viecco, Gregory Travis.
1 Next Generation Kernel Activity Monitoring Edward Balas, Indiana University Michael Davis, Savid Technologies IU Partners in Crime: Camilo Viecco Gregory Travis

2 Agenda  Introduction to Kernel based activity monitoring (Sebek as context)  Performance evaluation  A possible solution  Re-evaluate performance  Roadmap

3 Kernel based Activity Monitoring Motivation  Goal is to observe activity while minimizing disruptions.  Network data analysis is no longer sufficient: intruders started using session encryption  Desire to study intra-system behavior: process vs. user behavior

4 Kernel Activity Monitoring Basics  Basic tasks Observe system call activity Record Data Export Data

5 Kernel Activity Monitoring Basics II  Try to make it hard to detect: Fail, Try, Fail… Notice that nobody bothers looking  Implemented as Loadable Module or kernel patch  Let's not call it a Rootkit, but a system enhancement.

6 Sebek as Kernel Activity Monitor  Linux developed by Balas  Win32 developed by Davis  Latest versions collect: keystrokes / read data, process heritage, files opened by a process, sockets opened by a process  GenIII Honeynet design based in part on this type of data.

7 Illustration of Data’s Value

8 Illustration of Data’s Value

9 Sebek as Firehose  Sebek defies one of the claimed values of honeynets: “They only collect data of value”  Rudimentary control over what it collects: makes more analysis work, limits use in operations, provides potential for detection

10 Delay imposed by Sebek  Micro: RDTSC based; Macro: “dd” based  1-byte reads from /dev/zero 1,000,000 times  Linux 2.6 Sebek

11 Quantity of “uninteresting” data  Per hour record generation rates: Idle, keystroke only ~5,212; Idle, full read ~98,000; Slowly surfing porn w/ full read ~750,000

12 What is the problem?  Delay could be used as basis for detection: create per-CPU profiles, determine if test data exceeds the delay threshold; generalize the distribution and look for deviations in curve shape  Unintended data capture / sensitive data  Data Volume
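The macro benchmark from slide 10 and the threshold test from slide 12, reproduced in user-space Python so the numbers can be taken on a stock kernel and again with the monitor loaded. This is an added example, not the authors' RDTSC/dd harness; the function names, the profile fields, and the tail-shape check are this example's own choices, and Python's own overhead means runs of this function should only be compared with each other.

```python
"""Time N one-byte reads of /dev/zero, summarise per-read latency, and compare a
run against a baseline profile.  Added example, not the presentation's code."""
import os
import statistics
import time


def measure_read_latency_ns(n=1_000_000, path="/dev/zero", nbytes=1):
    """Wall-clock cost of each read(2) call, in nanoseconds, for n reads of nbytes."""
    fd = os.open(path, os.O_RDONLY)
    samples = []
    try:
        for _ in range(n):
            t0 = time.perf_counter_ns()
            os.read(fd, nbytes)
            samples.append(time.perf_counter_ns() - t0)
    finally:
        os.close(fd)
    return samples


def summarize(samples):
    """Distribution summary; median and p99 are what a per-CPU profile would keep."""
    s = sorted(samples)
    return {
        "n": len(s),
        "min": s[0],
        "median": s[len(s) // 2],
        "p99": s[int(len(s) * 0.99)],
        "mean": statistics.fmean(s),
    }


def delay_ratio(run, baseline):
    """Median read cost of a run relative to the baseline profile for the same CPU."""
    return summarize(run)["median"] / summarize(baseline)["median"]


def exceeds_threshold(run, baseline, factor=2.0):
    """Threshold test: flag the run if its median read cost is more than `factor`
    times the baseline's.  The slide also suggests looking at curve shape; the
    p99-to-median ratio stands in for that here (an assumption of this example)."""
    r, b = summarize(run), summarize(baseline)
    median_shift = r["median"] > factor * b["median"]
    tail_shift = (r["p99"] / r["median"]) > factor * (b["p99"] / b["median"])
    return median_shift or tail_shift


if __name__ == "__main__":
    # Take this on the stock kernel and store it as the baseline profile, then
    # repeat with the monitor loaded and feed both lists to exceeds_threshold().
    print(summarize(measure_read_latency_ns(200_000)))
```

Sample counts matter: a million reads gives a stable median, but the p99 of a small run is dominated by scheduler noise, so keep the baseline and the test run the same length.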

13 Obvious Solution: don’t record uninteresting data  Depending on use case, an a priori sense of what is of interest is present: Is /dev/zero ever of interest? If we are watching for remote connections, do we care about unrelated local activity?  Recall that recent versions of Sebek record process tree, sockets and file activity…  Applicable to any Kernel-based Activity Monitoring

14 Filtering approach  Make it feel like firewall filters  Make decisions based on Process name Socket parameters File names User names  Use process tree to make filters dynamic

15 Example: Monitor a remote user  action=keystrokes user=ebalas sock=(proto=tcp local_port=22) opt=(follow_child_proc)  Keystroke-monitor ebalas when he logs in remotely via ssh. Also monitor any processes descendant from the process that serviced the socket.

16 More Examples  action=ignore file=(name=/var strict inc_subdirs)  Ignore any activity associated with files under the /var subdirectory  action=keystrokes user=bob file=(name=/var/sekrit/squirel.txt) opt=(follow_child_proc)  Silly honeytoken.

17 Okam prototype  Other Kernel Activity Monitor (OKAM)  Based on Sebek  Binary flags are added to the inode and process data structures to control whether we record.  Tagging occurs when: a process forks; a file is opened; socket activity is observed
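A user-space model of the filter design on slides 14 to 17: it parses the rule syntax shown on slides 15 and 16, tags processes and files as forks, opens and socket activity are observed (the three tagging points on slide 17), and decides per read whether a record is emitted. This is an added example, not Sebek or OKAM code; the class names, the event shapes, and two semantic choices that the slides leave open (first matching rule wins; a file rule tags the opening process only when it carries opt=(follow_child_proc)) are this example's assumptions, and the `strict` flag is left uninterpreted because the slides do not define it.

```python
"""Toy OKAM-style filter engine: rule parser, process/inode tagging, read decision.
Added example, not the authors' code."""
import re
from dataclasses import dataclass, field

_TOK = re.compile(r"(\w+)=\(([^)]*)\)|(\w+)=(\S+)")


def parse_rule(text):
    """'action=x user=y sock=(proto=tcp local_port=22) opt=(follow_child_proc)' ->
    {'action': 'x', 'user': 'y', 'sock': {'proto': 'tcp', 'local_port': '22'},
     'opt': {'follow_child_proc': True}}.  Bare words inside a group become flags."""
    rule = {}
    for gkey, gbody, key, val in _TOK.findall(text):
        if gkey:
            rule[gkey] = {t.split("=", 1)[0]: t.split("=", 1)[1] if "=" in t else True
                          for t in gbody.split()}
        else:
            rule[key] = val
    return rule


def file_matches(spec, path):
    """name=/var inc_subdirs covers /var and everything below it ('strict' ignored)."""
    name = spec["name"]
    if spec.get("inc_subdirs"):
        return path == name or path.startswith(name.rstrip("/") + "/")
    return path == name


def rule_matches(rule, proc, sock=None, path=None):
    """Check a rule's user, process name, socket and file criteria against one event."""
    if rule.get("user") not in (None, proc.user):
        return False
    if rule.get("process") not in (None, proc.name):
        return False
    if "sock" in rule:
        if sock is None or any(str(sock.get(k)) != v for k, v in rule["sock"].items()):
            return False
    if "file" in rule and (path is None or not file_matches(rule["file"], path)):
        return False
    return True


@dataclass
class Process:
    pid: int
    name: str
    user: str
    tags: set = field(default_factory=set)     # indices of rules that tagged this process
    files: dict = field(default_factory=dict)  # fd -> (path, rule indices tagged on the inode)


class Monitor:
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.procs, self.records = {}, []

    def _follows(self, i):
        return bool(self.rules[i].get("opt", {}).get("follow_child_proc"))

    def on_fork(self, parent_pid, child):
        parent = self.procs.get(parent_pid)
        if parent:  # process-tree part of the design: children inherit "follow" tags
            child.tags |= {i for i in parent.tags if self._follows(i)}
        self.procs[child.pid] = child
        for i, r in enumerate(self.rules):  # rules with no socket/file part decide at fork
            if "sock" not in r and "file" not in r and rule_matches(r, child):
                child.tags.add(i)

    def on_socket(self, pid, sock):
        proc = self.procs[pid]
        proc.tags |= {i for i, r in enumerate(self.rules)
                      if "sock" in r and rule_matches(r, proc, sock=sock)}

    def on_open(self, pid, fd, path):
        proc = self.procs[pid]
        inode = {i for i, r in enumerate(self.rules) if "file" in r and file_matches(r["file"], path)}
        proc.files[fd] = (path, inode)
        # assumption: a file rule follows the opener only when it asks to follow children
        proc.tags |= {i for i in inode if self._follows(i) and rule_matches(self.rules[i], proc, path=path)}

    def on_read(self, pid, fd, data):
        """Stand-in for the sys_read hook: the first rule whose tag applies decides."""
        proc = self.procs[pid]
        _, inode = proc.files.get(fd, (None, set()))
        for i, r in enumerate(self.rules):
            if i not in proc.tags and i not in inode:
                continue
            if r["action"] == "ignore":
                return "ignore"
            if r["action"] == "keystrokes" and fd == 0:
                self.records.append((pid, data))
                return "record"
        return "drop"  # assumption: nothing is recorded unless a rule asks for it


RULES = [  # the three rules from slides 15 and 16
    "action=keystrokes user=ebalas sock=(proto=tcp local_port=22) opt=(follow_child_proc)",
    "action=ignore file=(name=/var strict inc_subdirs)",
    "action=keystrokes user=bob file=(name=/var/sekrit/squirel.txt) opt=(follow_child_proc)",
]


def demo():
    """Constructed process tree and events; returns the decision taken for each read."""
    m = Monitor(RULES)
    m.on_fork(0, Process(1, "init", "root"))
    m.on_fork(1, Process(100, "sshd", "root"))
    m.on_fork(100, Process(101, "sshd", "ebalas"))       # per-connection child after auth
    m.on_socket(101, {"proto": "tcp", "local_port": 22})
    m.on_fork(101, Process(102, "bash", "ebalas"))
    m.on_fork(1, Process(200, "bash", "alice"))           # local console login
    m.on_fork(1, Process(300, "syslogd", "root"))
    m.on_open(300, 5, "/var/log/messages")
    m.on_fork(1, Process(400, "bash", "bob"))
    m.on_open(400, 3, "/var/sekrit/squirel.txt")          # the honeytoken
    m.on_fork(400, Process(401, "cat", "bob"))
    return {
        "remote_ebalas_keys": m.on_read(102, 0, b"l"),
        "local_alice_keys": m.on_read(200, 0, b"l"),
        "syslogd_under_var": m.on_read(300, 5, b"x"),
        "bob_reading_token": m.on_read(400, 3, b"?"),
        "bob_child_keys": m.on_read(401, 0, b"w"),
        "records": len(m.records),
    }
```

Rule order carries meaning in this model: the ignore rule for /var sits before the honeytoken rule, so reads of the token file itself are dropped while the keystrokes of the process that opened it (and its children) are still recorded, which is the behaviour slide 16 describes.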

18 Filtered Performance  Volume of data at idle reduced dramatically  Performance when not recording similar to stock  Improvement depends on good filter selection, but control is good.

19 Future Direction  Benchmark other monitored system calls  Explore HTB / fair queuing as a way to prevent local process-level logging DoS.  Release Okam or integrate into Sebek? Trademarks, Copyright, Oh my! Hopefully have something out in May