
Security (part 1) CPS210 Spring 2006. Current Forensic Methods  Manual inspection of existing logs  System, application logs  Not enough information.



Presentation transcript:

1 Security (part 1) CPS210 Spring 2006

2 Current Forensic Methods
- Manual inspection of existing logs
  - System, application logs: not enough information
  - Network log: may be encrypted
  - Disk image: only shows final state
  - Machine-level logs (ReVirt): no semantic information

3 Fixing the vulnerability
- Logs contain other traffic
- Disks have other updates
- No way to separate out legitimate actions
- How do I roll back?
  - Remove the effects of the attack
  - Leave any real work

4 [Figure: example dependency graph. Legend: Process, File, Socket, Detection point, Fork event, Read/write event]

5 BackTracker
- Online component: log objects and events
- Offline component to generate graphs
[Timeline: intrusion occurs, intrusion detected, BackTracker runs and shows the source of the intrusion]

6 BackTracker Objects
- Process
- File
- Filename

7 Dependency-Forming Events
- Process / Process: fork, clone, vfork
- Process / File: read, write, mmap, exec
- Process / Filename: open, creat, link, unlink, mkdir, rmdir, stat, chmod, …

8

9 Prioritizing Dependency Graphs
- Hide read-only files
- Eliminate helper processes
- Filter "low-control" events
[Figure: dependency graph with nodes /bin/bash, /lib/libc, bash proc, backdoor]

10 Prioritizing Dependency Graphs
- Hide read-only files
- Eliminate helper processes
- Filter "low-control" events
[Figure: dependency graph with nodes id, pipe, bash proc, backdoor]

11 Prioritizing Dependency Graphs
- Hide read-only files
- Eliminate helper processes
- Filter "low-control" events
[Figure: dependency graph with nodes bash proc, login_a, utmp, login_b, backdoor]
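The time-sensitive backward walk from slides 5 to 7 and two of the pruning rules from slides 9 to 11 (hide read-only files, filter low-control events), as an added Python example that is not BackTracker's own code. The event log, the object-type prefixes and the LOW_CONTROL_FILES set are constructed assumptions; helper-process elimination is not implemented.

```python
from collections import defaultdict

# Constructed sample event log (not from the BackTracker paper).
# Each entry is (time, event, source, sink): the source object may have
# affected the sink object at that time (read: file -> process,
# write: process -> file, fork: parent -> child, exec: file -> process).
EVENTS = [
    (0, "write", "proc:login_a",       "file:/var/run/utmp"),
    (1, "fork",  "proc:sshd",          "proc:bash"),
    (2, "read",  "file:/lib/libc",     "proc:bash"),
    (3, "read",  "file:/var/run/utmp", "proc:bash"),
    (4, "write", "proc:bash",          "file:/tmp/backdoor"),
    (5, "exec",  "file:/tmp/backdoor", "proc:backdoor"),
    (6, "write", "proc:bash",          "file:/var/log/wtmp"),
    (7, "fork",  "proc:backdoor",      "proc:nc"),
]

# Assumed low-control objects (the paper's six default rules are not reproduced).
LOW_CONTROL_FILES = {"file:/var/run/utmp"}


def read_only_files(events):
    """Files that are never the sink of a write anywhere in the log."""
    written = {sink for _, ev, _, sink in events if ev == "write"}
    return {obj for _, _, src, sink in events for obj in (src, sink)
            if obj.startswith("file:") and obj not in written}


def hide_read_only(t, ev, src, sink):
    return src in read_only_files(EVENTS)


def hide_low_control(t, ev, src, sink):
    return src in LOW_CONTROL_FILES or sink in LOW_CONTROL_FILES


def backtrack(events, detection_obj, detection_time, filter_rules=()):
    """Edges (source, sink) that could have affected detection_obj by
    detection_time: walk sinks backwards, only through earlier events."""
    by_sink = defaultdict(list)
    for t, ev, src, sink in events:
        by_sink[sink].append((t, ev, src))
    edges, work, expanded = set(), [(detection_obj, detection_time)], {}
    while work:
        obj, before = work.pop()
        if expanded.get(obj, -1) >= before:   # already expanded at a later time
            continue
        expanded[obj] = before
        for t, ev, src in by_sink[obj]:
            if t > before:                    # later events cannot have caused obj
                continue
            if any(rule(t, ev, src, obj) for rule in filter_rules):
                continue
            edges.add((src, obj))
            work.append((src, t))
    return edges
```

Calling `backtrack(EVENTS, "proc:backdoor", 8)` pulls in login_a through utmp and libc through bash; adding `(hide_read_only, hide_low_control)` leaves only sshd, bash and /tmp/backdoor on the path to the detection point.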

12

13 [Figure: dependency graph. Legend: Process, File, Socket, Detection point, Fork event, Read/write event]

14 Implementation
- Prototype built on Linux 2.4.18
- Both stand-alone and virtual machine
- Hook system call handler
- Inspect state of OS directly
[Figure: Virtual Machine Implementation: Guest Apps, Guest OS, VMM, EventLogger, Host OS. Stand-Alone Implementation: Host Apps, EventLogger, Host OS]

15 Evaluation
- Determine effectiveness of BackTracker
- Set up honeypot virtual machine
- Intrusion detection using standard tools
- Six default filtering rules

16 [Figure: dependency graph. Legend: Process, File, Socket, Detection point, Fork event, Read/write event]

17 [Figure: dependency graph. Legend: Process, File, Socket, Detection point, Fork event, Read/write event]

18 BackTracker Limitations
- Layer-below attack
- Use of filtered objects for attack
- Hidden channels
- Create large dependency graph
  - Perform a large number of steps
  - Implicate innocent processes

