Presentation is loading. Please wait.

Presentation is loading. Please wait.

Backtracking Intrusions Sam King Peter Chen CoVirt Project, University of Michigan.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Backtracking Intrusions Sam King Peter Chen CoVirt Project, University of Michigan."— Presentation transcript:

1 Backtracking Intrusions Sam King Peter Chen CoVirt Project, University of Michigan

2 Motivation Computer break-ins increasing Computer forensics is important –How did they get in

3 Current Forensic Methods Manual inspection of existing logs System, application logs –Not enough information Network log –May be encrypted Disk image –Only shows final state Machine level logs –No semantic information No way to separate out legitimate actions

4 BackTracker Can we help figure out what was exploited? Track back to exploited application Record causal dependencies between objects

5 Process File Socket Detection point Fork event Read/write event

6 Presentation Outline BackTracker design Evaluation Limitations Conclusions

7 BackTracker Online component, log objects and events Offline component to generate graphs BackTracker runs, shows source of intrusion intrusion detected intrusion occurs

8 BackTracker Objects Process File Filename

9 Dependency-Forming Events Process / Process –fork, clone, vfork Process / File –read, write, mmap, exec Process / Filename –open, creat, link, unlink, mkdir, rmdir, stat, chmod, …

10

11 Prioritizing Dependency Graphs Hide read-only files Eliminate helper processes Filter “low-control” events /bin/bash /lib/libc bash proc backdoor

12 Prioritizing Dependency Graphs id pipe Hide read-only files Eliminate helper processes Filter “low-control” events bash proc backdoor

13 Prioritizing Dependency Graphs bash proc login_a utmp login_b backdoor Hide read-only files Eliminate helper processes Filter “low-control” events

14 Filtering “Low-Control” Events bash proclogin utmp backdoor

15 sshd bash Filtering “Low-Control” Events bash proclogin utmp

16

17 Process File Socket Detection point Fork event Read/write event

18 Implementation Prototype built on Linux 2.4.18 Both stand-alone and virtual machine Hook system call handler Inspect state of OS directly Guest OS Host OS VMMEventLogger Guest Apps Host OS EventLogger Host Apps Virtual Machine Implementation Stand-Alone Implementation

19 Evaluation Determine effectiveness of Backtracker Set up Honeypot virtual machine Intrusion detection using standard tools Attacks evaluated with six default filtering rules

20 Process File Socket Detection point Fork event Read/write event

21 Process File Socket Detection point Fork event Read/write event

22 BackTracker Limitations Layer-below attack Use “low control” events or filtered objects to carry out attack Hidden channels Create large dependency graph –Perform a large number of steps –Implicate innocent processes

23 Future Work Department system administrators currently evaluating BackTracker Use different methods of dependency tracking Forward tracking

24 Conclusions Tracking causality through system calls can backtrack intrusions Dependency tracking –Reduce events and objects by 100x –Still effective even when same application exploited many times Filtering –Further reduce events and objects

Download ppt "Backtracking Intrusions Sam King Peter Chen CoVirt Project, University of Michigan."

Similar presentations

Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.

Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.
Debugging operating systems with time-traveling virtual machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.

Debugging operating systems with time-traveling virtual machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Backtracking Intrusions Sam King & Peter Chen CoVirt Project, University of Michigan Presented by:

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Backtracking Intrusions Sam King & Peter Chen CoVirt Project, University of Michigan Presented by:
Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks Qi Alfred Chen, Zhiyun Qian†, Z. Morley Mao University of.

Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks Qi Alfred Chen, Zhiyun Qian†, Z. Morley Mao University of.
Flash: An efficient and portable Web server Authors: Vivek S. Pai, Peter Druschel, Willy Zwaenepoel Presented at the Usenix Technical Conference, June.

Flash: An efficient and portable Web server Authors: Vivek S. Pai, Peter Druschel, Willy Zwaenepoel Presented at the Usenix Technical Conference, June.
Aktueller Status How Hackers Cover Their Tracks ECE 4112 May 1st, 2007 Group 1 Chris Garyet Christopher Smith Introduction Lab Content Conclusions Questions.

Aktueller Status How Hackers Cover Their Tracks ECE 4112 May 1st, 2007 Group 1 Chris Garyet Christopher Smith Introduction Lab Content Conclusions Questions.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.

Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.

1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.
Inferring the Topology and Traffic Load of Parallel Programs in a VM environment Ashish Gupta Peter Dinda Department of Computer Science Northwestern University.

Inferring the Topology and Traffic Load of Parallel Programs in a VM environment Ashish Gupta Peter Dinda Department of Computer Science Northwestern University.
Operating System Support for Virtual Machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.

Operating System Support for Virtual Machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
To run the program: To run the program: You need the OS: You need the OS:

To run the program: To run the program: You need the OS: You need the OS:
Virtual Memory Tuning   You can improve a server’s performance by optimizing the way the paging file is used   You may want to size the paging file.

Virtual Memory Tuning   You can improve a server’s performance by optimizing the way the paging file is used   You may want to size the paging file.
Design and Implementation of a Single System Image Operating System for High Performance Computing on Clusters Christine MORIN PARIS project-team, IRISA/INRIA.

Design and Implementation of a Single System Image Operating System for High Performance Computing on Clusters Christine MORIN PARIS project-team, IRISA/INRIA.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Protecting Web 2.0 Services from Botnet Exploitations Cybercrime and Trustworthy Computing Workshop (CTC), 2010 Second Nguyen H Vo, Josef Pieprzyk Department.

Protecting Web 2.0 Services from Botnet Exploitations Cybercrime and Trustworthy Computing Workshop (CTC), 2010 Second Nguyen H Vo, Josef Pieprzyk Department.
Kirby Kuehl Honeynet Project Member 05/08/2002 Intrusion Deception.

Kirby Kuehl Honeynet Project Member 05/08/2002 Intrusion Deception.
Honeypots. Introduction A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

Honeypots. Introduction A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
Honeypot and Intrusion Detection System

Honeypot and Intrusion Detection System

Similar presentations

Ads by Google