Presentation is loading. Please wait.

Presentation is loading. Please wait.

Community Awareness Initial Results

Published byBerenice Stafford Modified over 6 years ago

Similar presentations

Presentation on theme: "Community Awareness Initial Results"— Presentation transcript:

1 Community Awareness Initial Results
Sam Larsen Determina

2 Overview Can we automatically detect anomalous program behavior?
Security attacks Applications are large, complex, and hard to characterize Can we employ an application community to gain visibility into application behavior? We expect data to vary among machines What about control? Determina product has unique ability to monitor precise control-flow

3 Initial Study Is it possible to identify an attack by comparing the behavior of multiple machines running the same server application? Simple first step: compare basic blocks placed in the code cache Measure of code coverage

4 Step 1 How much does the code cache vary on different runs of the same input? Approximate an application community IIS serving a simple ASP Different runs vary by less than 1% Guestbook web application IIS processes vary by less than 1% SQL processes vary by 4-7% Loadsim (exchange benchmark) All processes vary by less than 1%

5 Step 2 Execute an attack and observe the effect on the code cache
IIS serving a simple ASP + CodeRed worm Normal and attack runs differ by about 12% But how do different ASPs compare? i.e., does an attack look like we’re simply serving a different page?

6 Attack Results

7 Next Steps More realistic testbed
See if we can detect the same behavior with coarser grain information Many attacks execute an obscure piece of code Track function calls Track DLLs loaded and unloaded Efficient data gathering and analysis Particularly problematic for basic blocks What other anomalous behavior can we detect?

Download ppt "Community Awareness Initial Results"

Similar presentations

1 Hardware Support for Isolation Krste Asanovic U.C. Berkeley MURI “DHOSA” Site Visit April 28, 2011.

1 Hardware Support for Isolation Krste Asanovic U.C. Berkeley MURI “DHOSA” Site Visit April 28, 2011.
Detection Scenarios ReconWeaponizationDeliverExploitationInstallationC2 Act on Objectives File File - Name URI – Domain Name URI – URL HTTP - GET HTTP.

Detection Scenarios ReconWeaponizationDeliverExploitationInstallationC2 Act on Objectives File File - Name URI – Domain Name URI – URL HTTP - GET HTTP.
Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Session 13 Active Server Pages (ASP) Matakuliah: M0114/Web Based Programming Tahun: 2005 Versi: 5.

Session 13 Active Server Pages (ASP) Matakuliah: M0114/Web Based Programming Tahun: 2005 Versi: 5.
CS 345 Computer System Overview

CS 345 Computer System Overview
SERVER web page repository WEB PAGE instructions stores information and instructions BROWSER retrieves web page and follows instructions Server Web Server.

SERVER web page repository WEB PAGE instructions stores information and instructions BROWSER retrieves web page and follows instructions Server Web Server.
Recap. The Memory Hierarchy Increasing distance from the processor in access time L1$ L2$ Main Memory Secondary Memory Processor (Relative) size of the.

Recap. The Memory Hierarchy Increasing distance from the processor in access time L1$ L2$ Main Memory Secondary Memory Processor (Relative) size of the.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Chapter 1 and 2 Computer System and Operating System Overview

Chapter 1 and 2 Computer System and Operating System Overview
 A chunk of code that you can imbed in an existing envronment  Differences › Resides: desktop or web › Embedding: any page or application or limited.

 A chunk of code that you can imbed in an existing envronment  Differences › Resides: desktop or web › Embedding: any page or application or limited.
1 Using A Multiscale Approach to Characterize Workload Dynamics Characterize Workload Dynamics Tao Li June 4, 2005 Dept. of Electrical.

1 Using A Multiscale Approach to Characterize Workload Dynamics Characterize Workload Dynamics Tao Li June 4, 2005 Dept. of Electrical.
Nu Project Management Office A web based tool to Manage Projects.

Nu Project Management Office A web based tool to Manage Projects.
Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.

Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.
Java Server Team 8. Overview What is a Java Server? History Architecture Advantages Disadvantages Current Technologies Conclusion.

Java Server Team 8. Overview What is a Java Server? History Architecture Advantages Disadvantages Current Technologies Conclusion.
Cambodia-India Entrepreneurship Development Centre - : :.... :-:-

Cambodia-India Entrepreneurship Development Centre - : :.... :-:-
FLOWFOX A WEB BROWSER WITH FLEXIBLE AND PRECISE INFORMATION CONTROL.

FLOWFOX A WEB BROWSER WITH FLEXIBLE AND PRECISE INFORMATION CONTROL.
Internal NetworkExternal Network. Hub Internal NetworkExternal Network WS.

Internal NetworkExternal Network. Hub Internal NetworkExternal Network WS.
Honeypots. Introduction A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

Honeypots. Introduction A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
Michael Ernst, page 1 Collaborative Learning for Security and Repair in Application Communities Performers: MIT and Determina Michael Ernst MIT Computer.

Michael Ernst, page 1 Collaborative Learning for Security and Repair in Application Communities Performers: MIT and Determina Michael Ernst MIT Computer.
Filtering Out Email Exploits By Learning Trusted Functionality Martin Rinard Department of Electrical Engineering and Computer Science Computer Science.

Filtering Out Exploits By Learning Trusted Functionality Martin Rinard Department of Electrical Engineering and Computer Science Computer Science.

Similar presentations

Ads by Google