Presentation is loading. Please wait.

Presentation is loading. Please wait.

High Accuracy Attack Provenance via Binary-based Execution Partition Kyu Hyung Lee Xiangyu Zhang Dongyan Xu Department of Computer Science and CERIAS,

Published byMelvyn Ramsey Modified over 9 years ago

Similar presentations

Presentation on theme: "High Accuracy Attack Provenance via Binary-based Execution Partition Kyu Hyung Lee Xiangyu Zhang Dongyan Xu Department of Computer Science and CERIAS,"— Presentation transcript:

1 High Accuracy Attack Provenance via Binary-based Execution Partition Kyu Hyung Lee Xiangyu Zhang Dongyan Xu Department of Computer Science and CERIAS, Purdue University 20 th NDSS (February, 2013)

2 See Author Slide for Some Pages  Author Slide  http://www.internetsociety.org/doc/high-accuracy-attack-provenance-binary-based- execution-partition http://www.internetsociety.org/doc/high-accuracy-attack-provenance-binary-based- execution-partition 2013/5/20A SEMINAR AT ADVANCED DEFENSE LAB 2

3 Outline  Introduction  Discovery Units and Unit Dependences  Implementation and Evaluation  Case Study  Discussion 2013/5/20A SEMINAR AT ADVANCED DEFENSE LAB 3

4 Introduction  Author slide: page 1-32 2013/5/20A SEMINAR AT ADVANCED DEFENSE LAB 4

5 11 Web sites and 14 Emails in 29 Minutes 2013/5/20A SEMINAR AT ADVANCED DEFENSE LAB 5 Linux Audit Log BEE P

6 Discovery Units and Unit Dependences  Author slide: page 33-59 2013/5/20A SEMINAR AT ADVANCED DEFENSE LAB 6

7 An Experiment 2013/5/20A SEMINAR AT ADVANCED DEFENSE LAB 7

8 Implementation and Evaluation  Author slide: page 60-71 2013/5/20A SEMINAR AT ADVANCED DEFENSE LAB 8

9 Evaluation (cont.)  Training Overhead: 10x-200x  The average causal graph of 100 files (a user for 24 hours) 2013/5/20A SEMINAR AT ADVANCED DEFENSE LAB 9

10 Training Coverage  #1: the universal training set  #2: 30%-50% of #1  #3: 30%-50% of #2  Result: the training run coverage has little effect on BEEP 2013/5/20A SEMINAR AT ADVANCED DEFENSE LAB 10

11 Case Study: Attack Ramifications  A user used a system for 24 hours  At 13 th hour, an attacker did something:  He used port scanning and find a ftp service, Proftpd  He compromised Proftpd and create a root shell  He used the shell to install a backdoor and to modify.bash_history  After 24 hours, user find the backdoor  Using the causal graph, he finds the root shell is the source  User wants to find what the root shell did. 2013/5/20A SEMINAR AT ADVANCED DEFENSE LAB 11

12 Case Study: Attack Ramifications (cont.) 2013/5/20A SEMINAR AT ADVANCED DEFENSE LAB 12

13 Case Study: Information Theft  An employee executes vim editor and opens three secret files ( secret_1, secret_2 and secret_3 ) and two other html files( index.html and secret.html ) on a server in his company.  He copies secret information from s ecret_1 file and pastes it to secret.html file.  He modifies the index.html file to generate a link to the secret.html file.  Now, company found some information is leaked.  We want to know what is leaked. 2013/5/20A SEMINAR AT ADVANCED DEFENSE LAB 13

14 Case Study: Information Theft (cont.) 2013/5/20A SEMINAR AT ADVANCED DEFENSE LAB 14

15 Discussion  BEEP is vulnerable to kernel level attacks.  A remote attacker may intrude the system via some non-kernel level attacks and acquire the privileges to tamper with the binaries instrumented by BEEP.  A legal user of the system with BEEP installed may try to confuse BEEP.  BEEP still requires user involvement.  BEEP is not capable of processing obfuscated binaries due to the difficulty of binary instrumentation. 2013/5/20A SEMINAR AT ADVANCED DEFENSE LAB 15

16 Q & A 2013/5/20A SEMINAR AT ADVANCED DEFENSE LAB 16

Download ppt "High Accuracy Attack Provenance via Binary-based Execution Partition Kyu Hyung Lee Xiangyu Zhang Dongyan Xu Department of Computer Science and CERIAS,"

Similar presentations

WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Cryptography and Network Security Chapter 20 Intruders

Cryptography and Network Security Chapter 20 Intruders
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Introduction to Unix GLY 560: GIS for Earth Scientists Class Home Page:

Introduction to Unix GLY 560: GIS for Earth Scientists Class Home Page:
Web Servers Security: What You Should Know. The World Wide Web (WWW) is one of the best ways to develop an e-commerce business presence and interact with.

Web Servers Security: What You Should Know. The World Wide Web (WWW) is one of the best ways to develop an e-commerce business presence and interact with.
Exploring the Internet Creating and setting up your website 91.113-021 Instructor: Michael Krolak 91.113-031 Instructor: Patrick Krolak See also

Exploring the Internet Creating and setting up your website Instructor: Michael Krolak Instructor: Patrick Krolak See also
Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science.

Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science.
Introduction to HTML 2006 CIS101. What is the Internet? Global network of computers that are connected and communicate via a series of Protocols Protocols.

Introduction to HTML 2006 CIS101. What is the Internet? Global network of computers that are connected and communicate via a series of Protocols Protocols.
Adaptive Content Delivery for Scalable Web Servers Authors: Rahul Pradhan and Mark Claypool Presented by: David Finkel Computer Science Department Worcester.

Adaptive Content Delivery for Scalable Web Servers Authors: Rahul Pradhan and Mark Claypool Presented by: David Finkel Computer Science Department Worcester.
Introduction to: Web Site Development. Terminology HTML Hypertext Markup Language HTML File A web page built from HTML Index File The home or main page.

Introduction to: Web Site Development. Terminology HTML Hypertext Markup Language HTML File A web page built from HTML Index File The home or main page.
Introduction to Web Lingo

Introduction to Web Lingo
Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.

Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.
Introduction to Web Creation iMet Tool Training. Basic Principles Have a plan Focus on the content and communication Make navigation logical and consistent.

Introduction to Web Creation iMet Tool Training. Basic Principles Have a plan Focus on the content and communication Make navigation logical and consistent.
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu Department of Computer Science and Center.

Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu Department of Computer Science and Center.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Website Administration Information Systems 337 Prof. Harry Plantinga.

Website Administration Information Systems 337 Prof. Harry Plantinga.
Test Review. What is the main advantage to using shadow copies?

Test Review. What is the main advantage to using shadow copies?
IDENTIFYING SECURITY ISSUES IN A HIGHER INSTITUTE CMS LAB SITE Panagiotis Loumpardias Konstantinos Chimos.

IDENTIFYING SECURITY ISSUES IN A HIGHER INSTITUTE CMS LAB SITE Panagiotis Loumpardias Konstantinos Chimos.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Similar presentations

Ads by Google