1
Application Communities
April 2004 Site Visit
2
Benefits from an Application Community
Increased Accuracy
- A community provides behavior variations and more data, increasing the accuracy of the dataset and improving the ability to find anomalies.
Amortized Risk
- A problem in a few will lead to a solution for the rest
- A community can afford to sacrifice a few members.
Shared Burden
- A community can use expensive monitoring techniques by distributing the burden across the members
3
Attack Landscape
- Execution of Malicious Code
- Denial of Service
- Privilege Escalation
- Cross Site Scripting
- Weak or Missing Permissions
- Information Leak
4
Attack Landscape: % of vulnerabilities
[Chart; categories shown include Execution of Malicious Code and Denial of Service]
Source: CVE, Microsoft Security Bulletins
5
Attack Landscape: Client vs. Server
[Chart]
7
Conceptual Flow of a Community System
[Cycle diagram; stage labels: Monitor, Collect, Detect, Analyze, Learn, Create, Fix, Refine, Deploy, Enforce, Impact]
8
1. Execution of Malicious Code
1.1 Memory Based
- Injection of malicious code
- Reuse of existing code for malicious purposes
1.2 Script Based
- Unintended use of an expansive script interface
- Exploit a buggy script interpreter
1.3 Executable Based
- Insert a new binary and get it executed
- Replace an existing binary with a malicious one
9
1.1 Memory Based Attacks
Attack Types
- Format String vulnerabilities, Buffer Overflow, Integer Underflow/Overflow, Return to libc.
Before Application Communities
- If detected: cannot continue execution (Denial of Service)
- Otherwise: Full impact of the attack
With Application Communities
- Malicious code execution: detection by MF (Memory Firewall)
- constraint identification
- constraint enforcement
- eliminate the problem
10
1.2 Script Based Attacks
Attack types
- IE VB, JavaScript and ActiveX attacks, malformed image attacks, malicious Word attachments, malicious attachments
Before Application Communities
- No clear solution (mainly signatures or lockdown)
With Application Communities
- Detection of an attack
- constraint identification
- constraint enforcement
- eliminate problem
11
1.3 Executable Based Attacks
Types of attacks
- Malware executables, adware, viruses and rootkits
Before application communities
- Signatures: blacklists get overwhelmed by variations
- Lockdown: whitelists are hard to manage
With application communities
- Handles day-zero or custom variations of malware
- Easily manageable lockdown with whitelists that accept updates and upgrades
12
2. Denial of Service
Attack Types
- Crash or hang programs. Get programs into invalid states
Before Application Communities
- No clear solution (mainly signatures)
With Application Communities
- Detection of an attack (program crash or hang)
- constraint identification
- constraint enforcement
- eliminate problem
13
Attack Handling Capabilities
[Matrix of attack classes against techniques]
Techniques: DaiKonstraints, Program Genealogy
Attack classes: 1. Execution of Malicious Code; 1.1 Memory Based; 1.2 Script Based; 1.3 Executable Based; 2. Denial of Service
14
Introduction to DaiKonstraints
15
Application Behavior Monitoring, Anomaly Detection and Enforcement
Monitor Application Execution
- Collect constraints
- Merge constraints from the community
Detect an Attack
- Informed by Memory Firewall or Crash
- Other detectors
Identify the Violations that lead to Compromise
- Constraints directly available, or
- Need to track the propagation over multiple attacks
Create fixes
- Identify constraint(s) to check and a remediation
- Test the fixes on a few machines to gain confidence
Deploy the best fix and Enforce the Constraint
- Keep monitoring to detect any false positives
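The monitor / merge / detect / test / deploy loop on this slide, together with the false-positive argument made later under "Community Benefits", carried through as an added Python example. It is not code from the presentation, from Daikon or from LiveShield: it assumes a single program point with integer variables, uses Daikon-style range invariants (lo <= var <= hi) as the only constraint form, and all member traces, the attack sample and the held-out run are constructed.

```python
from typing import Dict, List, Tuple

# Added example, not the project's code. A "sample" is the values of the
# variables at one program point; a trace is a list of samples from one run.
Sample = Dict[str, int]
Trace = List[Sample]
# A constraint set maps a variable to the (min, max) range seen for it,
# i.e. a Daikon-style "lo <= var <= hi" invariant (assumption: Daikon itself
# infers many other invariant kinds; ranges are enough to show the loop).
Constraints = Dict[str, Tuple[int, int]]

# Constructed benign traces from three community members at a hypothetical
# program point "parse_header" (variables: total length and header length).
MEMBER_TRACES: Dict[str, Trace] = {
    "member-a": [{"len": 64, "hdr_len": 16}, {"len": 128, "hdr_len": 16}],
    "member-b": [{"len": 200, "hdr_len": 20}, {"len": 96, "hdr_len": 16}],
    "member-c": [{"len": 512, "hdr_len": 24}, {"len": 32, "hdr_len": 16}],
}


def infer_constraints(trace: Trace) -> Constraints:
    """Monitor step: from one member's samples, record the range of each variable."""
    ranges: Constraints = {}
    for sample in trace:
        for var, value in sample.items():
            lo, hi = ranges.get(var, (value, value))
            ranges[var] = (min(lo, value), max(hi, value))
    return ranges


def merge_constraints(per_member: List[Constraints]) -> Constraints:
    """Community merge: widen every range to cover all members' observations.
    Behaviour that varies across members relaxes over-tight local invariants."""
    merged: Constraints = {}
    for cons in per_member:
        for var, (lo, hi) in cons.items():
            mlo, mhi = merged.get(var, (lo, hi))
            merged[var] = (min(mlo, lo), max(mhi, hi))
    return merged


def violations(cons: Constraints, sample: Sample) -> List[str]:
    """Constraint identification: which invariants does this sample break?"""
    broken = []
    for var, value in sample.items():
        if var in cons:
            lo, hi = cons[var]
            if not lo <= value <= hi:
                broken.append(f"{var} in [{lo}, {hi}] violated by {value}")
    return broken


def false_positive_rate(cons: Constraints, benign: Trace) -> float:
    """Fix testing: fraction of known-benign samples the candidate constraints would block."""
    if not benign:
        return 0.0
    flagged = sum(1 for s in benign if violations(cons, s))
    return flagged / len(benign)


def enforce(cons: Constraints, sample: Sample) -> str:
    """Enforcement at the program point: block the operation instead of running it."""
    broken = violations(cons, sample)
    return "BLOCKED: " + "; ".join(broken) if broken else "ALLOWED"


def community_loop(attack: Sample, held_out_benign: Trace) -> Tuple[Constraints, List[str], float, bool]:
    """Monitor -> merge -> detect -> test on a few machines -> decide whether to deploy."""
    per_member = [infer_constraints(t) for t in MEMBER_TRACES.values()]
    merged = merge_constraints(per_member)
    broken = violations(merged, attack)                 # what the attack violated
    fpr = false_positive_rate(merged, held_out_benign)  # trial run on benign machines
    deploy = bool(broken) and fpr == 0.0                # deploy only if it catches the
    return merged, broken, fpr, deploy                  # attack with no adverse effect


if __name__ == "__main__":
    # Constructed: an oversized length field of the kind a memory-based attack
    # produces, and a benign held-out run that one member alone would misjudge.
    attack = {"len": 4096, "hdr_len": 16}
    held_out = [{"len": 300, "hdr_len": 20}]
    merged, broken, fpr, deploy = community_loop(attack, held_out)
    print("merged constraints:", merged)
    print("violations:", broken, "| false-positive rate:", fpr, "| deploy:", deploy)
    print(enforce(merged, attack))
    # member-a only ever saw len <= 128, so its local constraints block the benign run.
    print("member-a alone FPR:", false_positive_rate(infer_constraints(MEMBER_TRACES["member-a"]), held_out))
```

The last line of the demo is the point of the merge step: constraints inferred on one machine block a perfectly normal run seen elsewhere in the community (false-positive rate 1.0 on the held-out sample), while the merged constraints still reject the attack sample and pass the benign one, which is the condition the loop requires before deploying the fix widely.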
16
Application Behavior Monitoring, Anomaly Detection and Enforcement
[Architecture diagram; labels: Community Member, Application, Managed Program Execution, Daikon, Monitor, LiveShield, LiveShield Deployment, Central Management System]
17-18
Application Behavior Monitoring, Anomaly Detection and Enforcement
[Builds of the slide 16 diagram overlaid with the community loop stages: Monitor, Collect, Detect, Analyze, Learn, Create, Fix, Refine, Deploy, Enforce, Impact]
19
Community Benefits
Increased Accuracy
- Varied behavior reduces the risk of false positives
- Observance of multiple attacks increases the accuracy of the fixes
Amortized Risk
- The fixes are first tested on a few machines
- Learn from any problems
- Only deployed widely if no adverse effect
Shared Burden
- Partial instrumentation of individual applications.
- Community aggregation provides the full picture.
20
Introduction to Program Genealogy
21
Looking for Family Resemblance
- Compare the DNA instead of portraits or faces
- Apply to both:
  - Malware families
  - Updates and upgrades of legitimate software
22
Gray to Black or White
- A blacklist and whitelist file hash database enforces what applications are allowed to run
- For an unknown application (graylist):
  - Is allowed to run under monitoring
  - Execution profile is created
- Community monitoring:
  - Find a similar execution profile in the database
  - Add the application hash to blacklist or whitelist
  - Add the profile to the database
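The graylist procedure on this slide, and the "family resemblance" comparison introduced on the Program Genealogy slide before it, as an added Python example. It is not the presentation's or the project's code: it assumes an execution profile is a flat set of behaviour labels, that "a similar execution profile" means Jaccard similarity at or above a threshold, and that a hash whose best match is below the threshold simply stays gray. The hashes are placeholders, not real digests, and every profile is constructed.

```python
from typing import Dict, Optional, Set, Tuple

# Added example, not the project's code. A profile is the set of behaviours
# observed while the application ran under monitoring (assumption: flat labels).
Profile = Set[str]
Label = str  # "white" or "black"

# Constructed trace DB: placeholder hashes with their list membership and the
# behaviour profile recorded for them.
SEED_DB: Dict[str, Tuple[Label, Profile]] = {
    "hash-editor-1.0": ("white", {"open:doc", "write:doc", "reg:read-user"}),
    "hash-editor-1.1": ("white", {"open:doc", "write:doc", "reg:read-user", "net:update-check"}),
    "hash-dropper-x": ("black", {"write:system32", "reg:write-run", "net:c2", "proc:inject"}),
}


def jaccard(a: Profile, b: Profile) -> float:
    """Family resemblance between two profiles: |a & b| / |a | b| (assumed measure)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


class GenealogyStore:
    """Blacklist/whitelist hash DB plus trace DB; unknown hashes are gray."""

    def __init__(self, seed: Dict[str, Tuple[Label, Profile]]):
        self.db: Dict[str, Tuple[Label, Profile]] = {h: (lab, set(p)) for h, (lab, p) in seed.items()}

    def policy(self, app_hash: str) -> str:
        """Enforcement decision for a hash: allow (white), deny (black) or monitor (gray)."""
        if app_hash not in self.db:
            return "monitor"  # graylist: may run, but only under monitoring
        return "allow" if self.db[app_hash][0] == "white" else "deny"

    def closest(self, profile: Profile) -> Tuple[Optional[str], Optional[Label], float]:
        """Behaviour matching: the most similar known profile and its label."""
        best: Tuple[Optional[str], Optional[Label], float] = (None, None, 0.0)
        for h, (label, known) in self.db.items():
            score = jaccard(profile, known)
            if score > best[2]:
                best = (h, label, score)
        return best

    def resolve_gray(self, app_hash: str, profile: Profile, threshold: float = 0.6) -> Tuple[str, Optional[str], float]:
        """After community monitoring: move a gray hash to black or white when a
        sufficiently similar profile exists; otherwise it stays gray."""
        match, label, score = self.closest(profile)
        if label is None or score < threshold:
            return "gray", match, score
        self.db[app_hash] = (label, set(profile))  # add hash to a list and profile to the DB
        return label, match, score


if __name__ == "__main__":
    store = GenealogyStore(SEED_DB)
    # Constructed profiles: a new release of the editor, a dropper variant, and an oddball.
    cases = {
        "hash-editor-1.2": {"open:doc", "write:doc", "reg:read-user", "net:update-check", "open:template"},
        "hash-dropper-y": {"write:system32", "reg:write-run", "net:c2", "proc:inject", "file:hide"},
        "hash-odd": {"open:doc", "net:c2"},
    }
    for h, prof in cases.items():
        before = store.policy(h)
        verdict, match, score = store.resolve_gray(h, prof)
        print(f"{h}: {before} -> {verdict} (closest {match}, similarity {score:.2f}); now {store.policy(h)}")
```

The threshold is the knob the slide leaves open: set it too low and an unrelated program inherits a label from a weak match, set it too high and legitimate updates keep landing in the graylist, which costs the community more monitored runs before the hash resolves.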
23
Gray to Black or White
[Architecture diagram; labels: Community Member, Application, Managed Program Execution, Monitor, Daikon, Behavioral Traces, Blacklist/Whitelist, Central Management System, Trace DB, Blacklist/Whitelist DB, Behavior Matching]
24
Gray to Black or White
[Build of the slide 23 diagram overlaid with the community loop stages: Monitor, Collect, Detect, Analyze, Learn, Create, Fix, Refine, Deploy, Enforce, Impact]
25
Community Benefits
Increased Accuracy
- Multiple users provide a better application trace profile
Amortized Risk
- Cannot tell if an unknown application is good or bad without running it
- When it is clear that the application is bad, the machine may already be compromised
- However, this saves the rest of the community
Shared Burden
- Only a few early users need to profile an unknown application.