Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,

Presentation transcript:

Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang, Indiana University, Bloomington

Agenda
- Overview
- Assumption
- Implementation
- Experiment
- Conclusion

Overview
- Commands such as ps and top need information about a process
- The virtual file system procfs discloses such information at /proc/<pid>/stat
- Our attack takes advantage of the stack information of a process to infer keystrokes
  - Specifically, ESP and EIP

Fig. 1: The sketch of keystroke extraction and recognition
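A defender-side check for the leak described above, as an added example that is not from the slides or the paper: it parses /proc/<pid>/stat and lists other users' processes whose stack pointer and instruction pointer are readable as non-zero values. The field positions (29 = kstkesp, 30 = kstkeip) come from proc(5); the function names and the sample lines are constructed for illustration.

```python
import os

# Field numbers from proc(5); fields 1 and 2 are pid and (comm).
KSTKESP, KSTKEIP = 29, 30

def parse_stat(line):
    """Split one /proc/<pid>/stat line into (pid, comm, fields after comm).

    comm is wrapped in parentheses and may itself contain spaces or ')',
    so split on the LAST ')' instead of on whitespace.
    """
    left, _, right = line.rpartition(")")
    pid, _, comm = left.partition(" (")
    return int(pid), comm, right.split()

def stack_fields(line):
    """Return (kstkesp, kstkeip) as integers from a stat line."""
    _, _, rest = parse_stat(line)
    # rest[0] is field 3 (state), so field n sits at index n - 3.
    return int(rest[KSTKESP - 3]), int(rest[KSTKEIP - 3])

def audit_exposure(proc_root="/proc"):
    """List (pid, comm) of processes owned by other users whose ESP/EIP
    are readable as non-zero values by the current user."""
    exposed = []
    me = os.getuid()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            if os.stat(pid_dir).st_uid == me:
                continue  # our own processes are not a cross-user leak
            with open(os.path.join(pid_dir, "stat")) as fh:
                line = fh.read()
            esp, eip = stack_fields(line)
        except (OSError, ValueError, IndexError):
            continue  # process exited or access was denied
        if esp or eip:  # a withheld value is displayed as 0
            exposed.append((int(entry), parse_stat(line)[1]))
    return exposed

# Constructed sample lines (not captured from a real system).
SAMPLE_LEAKY = "4242 (vim (x) y) S " + " ".join(["0"] * 25) + " 3219827712 3086135296 0 0"
SAMPLE_ZEROED = "4243 (bash) S " + " ".join(["0"] * 25) + " 0 0 0 0"

if __name__ == "__main__":
    for pid, comm in audit_exposure():
        print(f"pid {pid} ({comm}): ESP/EIP readable by uid {os.getuid()}")
```

Run it as an unprivileged user; an empty result means no other user's ESP/EIP values are visible to that account.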

Assumption
- Capability to execute programs
- Multi-core system
- Access to the victim's information
- The attacker can obtain some of the victim's typing samples as training data

Implementation
- Pattern extraction
- Trace logging
- Get inter-timing
- Keystroke analysis

Fig. 1: The sketch of keystroke extraction and recognition
Fig. 2: Steps about keystroke pattern extraction
Fig. 3: Steps about trace logging and getting inter-timing
Fig. 4: Steps about keystroke analysis

Pattern extraction
- Deterministic program
  - The same input causes the same output, such as vim
  - Use strace to get all system call sequences, then extract the difference
  - False positive check
- Non-deterministic program
  - The same input could cause different outputs; almost all GUI programs are non-deterministic
  - Apply an instruction-level analysis tool to the function gtk_main_do_event(event) to get its event

Trace logging
- The attacker's shadow program keeps monitoring /proc/<pid>/stat
  - That is why we need a multi-core system
  - However, the log won't be complete
- Avoid detection
  - Decrease the sample rate
  - Hide CPU usage

Fig. 3: Steps about trace logging and getting inter-timing

Get inter-timing
- Use the Longest Common Subsequence (LCS) algorithm to compare the log with the pattern
  - Ignore ASLR by normalizing the ESP pattern
- Use a time duration to get only consecutive keystroke patterns

Fig. 5: Pattern matching
Fig. 6: Using time duration

Keystroke analysis
- Now we have the inter-timing sequences
- We use a Hidden Markov Model (HMM) to guess what the victim typed and list 4500 candidates
  - N-Viterbi algorithm: use conditional probability
  - Average all probabilities
  - M-N-Viterbi algorithm: use conditional probability

Fig. 4: Steps about keystroke analysis

Experiment
- Environment
  - Intel Core 2 Duo E6700, 3GB RAM
  - Red Hat Linux Enterprise 4.0, Debian 4.0, and Ubuntu 8.04
- Evaluation on three public servers
  - A Linux workstation in a public machine room (Server 1)
  - A web server of Indiana University that allows SSH connections from its users (Server 2)
  - A server for students' course projects (Server 3)
  - 72-hour monitoring on these servers, whose user numbers range from 1 to 24

Experiment (cont.)

Fig. 10: Percentage of keystroke detected versus CPU usage
Fig. 11: CPU usage of three real world server during 72 hours

Experiment (cont.)
- Speculating passwords
  - Training: 15 training keys, consisting of 13 letters and 2 digits, for 225 key pairs in total. We detect 45 inter-timings for each of these pairs from a user
  - Evaluation: select 3 passwords from the space of all possible 8-byte sequences formed from the 15 characters. Our HMM outputs 4500 candidates

Fig. 7: Percentage of space to search before finding the right password

Experiment (cont.)
- Guess English words
  - Training: use the word frequency of the British National Corpus to compute transition probabilities
  - Evaluation: randomly draw a word from 2103 known words of length 3 to 5, then type it

Fig. 8: Time distribution of letter pairs
Fig. 9: Success rate on English word

Conclusion
- Information leak: one can get others' keystrokes without any special permission
- Trade-off between convenience and security
- Contributes a keystroke detection and extraction method for almost all distributions of Linux

Future work
- More precise detection method for non-deterministic programs
- A way to detect keystrokes when system calls are not immediately triggered by keystrokes
- Better algorithm to identify English words
- Utilize more information to infer other events, such as mouse movement

The End