
Rootkit Detection and Mitigation

Presentation on theme: "Rootkit Detection and Mitigation"— Presentation transcript:

1 Rootkit Detection and Mitigation
Project Outbrief DARPA Contract N C-2052 April 26, 2007

2 Summary Conclusions and Recommendations
Best current approach is tailored detection
Best current approach only detects known rootkits and techniques
No current detection of unknown or new rootkits and techniques
Solution:
Collect evidence related to induced and passive indirect effects
Collect evidence from multiple perspectives
Probabilistic reasoning over evidence

3 Project Overview
Purpose:
Establish current state of rootkits and detection
Project future state of rootkits and detection
Identify promising solutions
Approach:
Collect and study rootkit samples
Empirically test current detection methods
Discussion with experts and practitioners
Research emerging rootkits and detection approaches
Propose solution

4 Threat
Remote access to compromised systems and data + Difficult to detect = Sensitive processing on compromised computers
Statistics:
~100 entities conducting espionage against the U.S.
Nine documented cases of corporate espionage
Data theft accounts for 80% of cybercrime
46% of companies do not keep current on application patches
Motive: Financial, strategic, military, political
Means: Wide availability of tools
Opportunity: Vulnerable systems, network connectivity

5 Current State
Rootkits: Kernel mode drivers to provide functionality and stealth
Prevention: Patch maintenance and standard security practices
Detection: Tailored detection, cross-view differences
Mitigation: Full system containment
Recovery: Restore known good (surgical recovery rare)

6 Detection Testing

7 Detection Testing: Alternate View

8 Detection Testing: Scored and Sorted

9 Future State
Rootkits: Direct injection, plain sight, virtual machines
Locations, platforms
Distributed and cooperating
Prevention: Signed code
Detection: Multiple tailored methods, cross-view diffs and variations
Mitigation: Selected mitigation possible
Recovery: Virtual machine images, surgical restore possible

10 Solution Overview
Required properties:
Detect indirect rootkit effects
Collect evidence from multiple perspectives
Advanced evidence marshalling and reasoning
Solution:
Evidence collection as a suite of tests (induced and passive)
Host agent to execute evidence collection
Agent operates at five different levels
Multi-Entity Bayesian Network to reason over evidence

11 Evidence Collection Tests
Designed to detect indirect effects of rootkits
Examples:
Hidden process PID
Hidden process memory footprint
Data tracing

12 Host Agent
Implemented as a virtual machine byte code interpreter:
VM interpreter
Tests (evidence collection) are byte code sequences
Other actions
Advantages:
Detection resistant
Small footprint
Verifiable integrity
Views of system and data at different perspectives
Extensible
Cross platform

13 Multiple Levels
Five levels (perspectives):
Remote collection
User-level tools
Visible kernel driver
Detection-resistant kernel driver
Hardware device

14 Evidence Reasoning
Multi-Entity Bayesian Network
Collections of indicators as network fragments
Logic to join fragments when evidence is received
Local or remote
Executes continuously
Output:
Likelihood of rootkit presence
Reasoning chain
Supporting evidence
Contrarian evidence
Additional evidence
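To make the cross-view test of slide 11 and the probabilistic reasoning of slide 14 concrete, here is an added example (not code from the presentation or its team): it compares constructed process-table views from several collection levels to find hidden PIDs, then combines that outcome with two other constructed test outcomes in a naive Bayes posterior, reporting likelihood, supporting and contrarian evidence. The view names, detection rates and prior are all assumed illustrative values, not figures from the slides.

```python
from math import log, exp

# Constructed sample views of the process table from different levels.
# A PID visible to a lower-level view but not to user-level tools is a
# cross-view difference, the indirect effect the hidden-PID test looks for.
VIEWS = {
    "user_tools": {4, 8, 120, 348, 1200},
    "visible_kernel_driver": {4, 8, 120, 348, 1200, 1337},
    "remote_collection": {4, 8, 120, 348, 1200},
    "hardware_device": {4, 8, 120, 348, 1200, 1337},
}

# Assumed per-test detection rates: (P(positive | rootkit), P(positive | clean)).
TESTS = {
    "hidden_pid": (0.9, 0.05),
    "hidden_memory_footprint": (0.7, 0.10),
    "data_trace_mismatch": (0.6, 0.02),
}

def cross_view_hidden_pids(views):
    """Map each non-user view to the PIDs it sees that user-level tools do not."""
    base = views["user_tools"]
    return {name: pids - base for name, pids in views.items()
            if name != "user_tools" and pids - base}

def combine_evidence(observations, prior=0.01):
    """Naive Bayes over independent test outcomes -> P(rootkit | evidence).
    Positive tests become supporting evidence, negatives contrarian evidence."""
    log_odds = log(prior / (1 - prior))
    supporting, contrarian = [], []
    for test, positive in observations.items():
        p_rk, p_clean = TESTS[test]
        if positive:
            log_odds += log(p_rk / p_clean)
            supporting.append(test)
        else:
            log_odds += log((1 - p_rk) / (1 - p_clean))
            contrarian.append(test)
    return 1 / (1 + exp(-log_odds)), supporting, contrarian

def assess(views, memory_anomaly, trace_mismatch):
    """Run the hidden-PID test on the views, fold in the other two (assumed)
    test outcomes, and return the reasoner's output fields."""
    hidden = cross_view_hidden_pids(views)
    obs = {"hidden_pid": bool(hidden),
           "hidden_memory_footprint": memory_anomaly,
           "data_trace_mismatch": trace_mismatch}
    likelihood, sup, con = combine_evidence(obs)
    return {"hidden_pids": hidden, "likelihood": likelihood,
            "supporting": sup, "contrarian": con}
```

With the sample views, PID 1337 is reported by both kernel-level and hardware-level views but not by user tools; combined with a positive memory-footprint test and a negative data-trace test, the posterior rises from the 1% prior to roughly 34%.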

15 Evaluation
Develop variant and new rootkits (i.e., create "unknown" rootkits)
Empirical testing against known and unknown rootkits
Test deployments (truly unknown rootkits)

16 Solution Architecture

17 Concept of Operations
Agent installation
Detection mode
Configurable
Reasoner alert
Analyst:
Additional library tests
Custom tests
Collect data
Take mitigation actions

18 Solution Development
Phase 1: Tailored detection tool, 6 months - $600k
Optional Phase 2: Proof of Concept, 6 months - $450k, concurrent with Phase 1
Phase 3: Functional Implementation, 18 months - $2.7M, after Phase 2
Phase 4: Extensions and Enhancements, 12 months - $900k, after Phase 3

19 Team
SAIC: Rootkits, probabilistic reasoning, operational knowledge
HBGary: Rootkits, agent
IET: Probabilistic reasoning
Northrop Grumman/TASC: Rootkits, operational knowledge

20 Discussion and Next Steps

