Presentation is loading. Please wait.

Presentation is loading. Please wait.

Backtracking Intrusions

Published byDewi Pranata Modified over 6 years ago

Similar presentations

Presentation on theme: "Backtracking Intrusions"— Presentation transcript:

1 Backtracking Intrusions
Sam King Peter Chen CoVirt Project, University of Michigan

2 Motivation Computer break-ins increasing
Computer forensics is important How did they get in

3 Current Forensic Methods
Manual inspection of existing logs System, application logs Not enough information Network log May be encrypted Disk image Only shows final state Machine level logs No semantic information No way to separate out legitimate actions

4 BackTracker Can we help figure out what was exploited?
Track back to exploited application Record causal dependencies between objects

5 Process File Socket Detection point Fork event Read/write event

6 Presentation Outline BackTracker design Evaluation Limitations
Conclusions

7 BackTracker runs, shows
intrusion detected occurs BackTracker runs, shows source of intrusion Online component, log objects and events Offline component to generate graphs

8 BackTracker Objects Process File Filename

9 Dependency-Forming Events
Process / Process fork, clone, vfork Process / File read, write, mmap, exec Process / Filename open, creat, link, unlink, mkdir, rmdir, stat, chmod, …

10

11 Prioritizing Dependency Graphs
Hide read-only files Eliminate helper processes Filter “low-control” events proc /bin/bash bash /lib/libc backdoor

12 Prioritizing Dependency Graphs
Hide read-only files Eliminate helper processes Filter “low-control” events proc id bash pipe backdoor

13 Prioritizing Dependency Graphs
Hide read-only files Eliminate helper processes Filter “low-control” events proc login_a login_b utmp bash backdoor

14 Filtering “Low-Control” Events
proc login utmp backdoor bash

15 Filtering “Low-Control” Events
proc login backdoor sshd bash utmp bash

16

17 Process File Socket Detection point Fork event Read/write event

18 Implementation Prototype built on Linux 2.4.18
Both stand-alone and virtual machine Hook system call handler Inspect state of OS directly Guest Apps Guest OS Host Apps VMM EventLogger Host OS Host OS EventLogger Virtual Machine Implementation Stand-Alone Implementation

19 Evaluation Determine effectiveness of Backtracker
Set up Honeypot virtual machine Intrusion detection using standard tools Attacks evaluated with six default filtering rules

20 Process File Socket Detection point Fork event Read/write event

21 Process File Socket Detection point Fork event Read/write event

22 BackTracker Limitations
Layer-below attack Use “low control” events or filtered objects to carry out attack Hidden channels Create large dependency graph Perform a large number of steps Implicate innocent processes

23 Future Work Department system administrators currently evaluating BackTracker Use different methods of dependency tracking Forward tracking

24 Conclusions Tracking causality through system calls can backtrack intrusions Dependency tracking Reduce events and objects by 100x Still effective even when same application exploited many times Filtering Further reduce events and objects

Download ppt "Backtracking Intrusions"

Similar presentations

Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.

Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.
Debugging operating systems with time-traveling virtual machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.

Debugging operating systems with time-traveling virtual machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Backtracking Intrusions Sam King & Peter Chen CoVirt Project, University of Michigan Presented by:

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Backtracking Intrusions Sam King & Peter Chen CoVirt Project, University of Michigan Presented by:
Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks Qi Alfred Chen, Zhiyun Qian†, Z. Morley Mao University of.

Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks Qi Alfred Chen, Zhiyun Qian†, Z. Morley Mao University of.
Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.

Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.
Aktueller Status How Hackers Cover Their Tracks ECE 4112 May 1st, 2007 Group 1 Chris Garyet Christopher Smith Introduction Lab Content Conclusions Questions.

Aktueller Status How Hackers Cover Their Tracks ECE 4112 May 1st, 2007 Group 1 Chris Garyet Christopher Smith Introduction Lab Content Conclusions Questions.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.

Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.
1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.

1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.
Backtracking Intrusions Sam King Peter Chen CoVirt Project, University of Michigan.

Backtracking Intrusions Sam King Peter Chen CoVirt Project, University of Michigan.
Inferring the Topology and Traffic Load of Parallel Programs in a VM environment Ashish Gupta Peter Dinda Department of Computer Science Northwestern University.

Inferring the Topology and Traffic Load of Parallel Programs in a VM environment Ashish Gupta Peter Dinda Department of Computer Science Northwestern University.
SubVirt: Implementing malware with virtual machines Yi-Min Wang Chad Verbowski Helen J. Wang Jacob R. Lorch Microsoft Research Samuel T. King Peter M.

SubVirt: Implementing malware with virtual machines Yi-Min Wang Chad Verbowski Helen J. Wang Jacob R. Lorch Microsoft Research Samuel T. King Peter M.
Operating System Support for Virtual Machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.

Operating System Support for Virtual Machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
Honeypots. Building Honeypots Commercial honeypots-emulating services Specter,Honeyed,Deception Toolkit. Setting up of dedicated firewall (data control.

Honeypots. Building Honeypots Commercial honeypots-emulating services Specter,Honeyed,Deception Toolkit. Setting up of dedicated firewall (data control.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
To run the program: To run the program: You need the OS: You need the OS:

To run the program: To run the program: You need the OS: You need the OS:
Protecting Web 2.0 Services from Botnet Exploitations Cybercrime and Trustworthy Computing Workshop (CTC), 2010 Second Nguyen H Vo, Josef Pieprzyk Department.

Protecting Web 2.0 Services from Botnet Exploitations Cybercrime and Trustworthy Computing Workshop (CTC), 2010 Second Nguyen H Vo, Josef Pieprzyk Department.
Honeypots. Introduction A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

Honeypots. Introduction A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
Honeypot and Intrusion Detection System

Honeypot and Intrusion Detection System
Operating System Support for Virtual Machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.

Operating System Support for Virtual Machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.

Similar presentations

Ads by Google