Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Next Generation Kernel Activity Monitoring Edward Balas, Indiana University Michael Davis, Savid Technologies IU Partners in Crime: Camilo Viecco Gregory.

Published byClara McDowell Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Next Generation Kernel Activity Monitoring Edward Balas, Indiana University Michael Davis, Savid Technologies IU Partners in Crime: Camilo Viecco Gregory."— Presentation transcript:

1 1 Next Generation Kernel Activity Monitoring Edward Balas, Indiana University Michael Davis, Savid Technologies IU Partners in Crime: Camilo Viecco Gregory Travis

2 2 Agenda  Introduction to Kernel based activity monitoring (Sebek as context)  Performance evaluation  A possible solution  Revaluate performance  Roadmap

3 3 Kernel based Activity Monitoring Motivation  Goal is to observe activity while minimizing disruptions.  Network data analysis is no longer sufficient Intruders started using session encryption  Desire to study intra-system behavior Process vs User behavior

4 4 Kernel Activity Monitoring Basics  Basic tasks Observe system call activity Record Data Export Data

5 5 Kernel Activity Monitoring Basics II  Try to make it hard to detect Fail, Try, Fail… Notice that nobody bothers looking  Implemented as Loadable Module or kernel patch  Lets not call it a Rootkit, but a system enhancement.

6 6 Sebek as Kernel Activity Monitor  Linux developed by Balas  Win32 developed by Davis  Latest versions collect Keystrokes / read data Process heritage Files opened by a process Sockets opened by a process  GenIII Honeynet design based in part on this type of data.

7 7 Illustration of Data’s Value

8 8 Illustration of Data’s value

9 9 Sebek as Firehose  Sebek defies one of the claimed values of honeynets “They only collect data of value”  Rudimentary of control on what it collects Makes more analysis work Limits use in operations Provides potential for detection

10 10 Delay imposed by Sebek  Micro RDTSC based, Macro “dd” based  1 bytes Reads from /dev/zero 1,000,000 times  Linux 2.6 Sebek

11 11 Quantity of “uninteresting” data  Per hour record generation rates: Idle Keystroke only ~5,212 Idle Full Read ~98,000 Slowly surfing porn w/ Full Read ~750,000

12 12 What is the problem?  Delay could be used as basis for detection Create per CPU profiles determine if test data exceeds delay threshold Generalize distribution and look for deviations in curve shape  Unintended data capture/sensitive data  Data Volume

13 13 Obvious Solution: don’t record uninteresting  Depending on use case, a prior sense of what is of interest is present Is /dev/zero ever of interest? If we are watching for remote connections, do we care about unrelated local activity  Recall that recent version of Sebek records process tree, sockets and file activity…  Applicable for any Kernel-based Activity Monitoring

14 14 Filtering approach  Make it feel like firewall filters  Make decisions based on Process name Socket parameters File names User names  Use process tree to make filters dynamic

15 15 Example: Monitor a remote user  Action=keystrokes user=ebalas sock=(proto=tcp local_port=22) opt=(follow_child_proc ) Keystroke monitor ebalas when he logs in remotely via ssh. Also monitor any processes decendant from the process that serviced the socket.

16 16 More Examples  action=ignore file=(name=/var strict inc_subdirs) Ignore any activity associated with files in the /var sub directory  action=keystrokes user=bob file(name=/var/sekrit/squirel.txt opt=(follow_child_proc) Silly honeytoken.

17 17 Okam prototype  Other Kernel Activity Monitor(OKAM)  Based on Sebek  Binary flags are added to inode and process data structure to control if we record.  Tagging occurs when A process forks File is opened Socket activity is observed

18 18 Filtered Performance  Volume of data at idle reduced dramatically  Performance when not recording similar to stock  Depends on good filter selection for improvement but control is good.

19 19 Future Direction  Benchmark other monitored system calls  Explore HTB / fair queuing as a way to prevent local process level logging Dos.  Release Okam or integrate into Sebek? Trademarks,Copyright Oh my! Hopefully have something out in May

Download ppt "1 Next Generation Kernel Activity Monitoring Edward Balas, Indiana University Michael Davis, Savid Technologies IU Partners in Crime: Camilo Viecco Gregory."

Similar presentations

Performance Testing - Kanwalpreet Singh.

Performance Testing - Kanwalpreet Singh.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Hi-Fi: Collecting High-Fidelity Whole-System Provenance Devin J.Pohly 1, Stephen McLaughlin 1, Patrick McDaniel 1, Kevin Butler 2 1 Pennsylvania State.

Hi-Fi: Collecting High-Fidelity Whole-System Provenance Devin J.Pohly 1, Stephen McLaughlin 1, Patrick McDaniel 1, Kevin Butler 2 1 Pennsylvania State.
® IBM Software Group © 2010 IBM Corporation What’s New in Profiling & Code Coverage RAD V8 April 21, 2011 Kathy Chan

® IBM Software Group © 2010 IBM Corporation What’s New in Profiling & Code Coverage RAD V8 April 21, 2011 Kathy Chan
Confused, Timid, and Unstable: Picking a Video Streaming Rate is Hard Published in 2012 ACM’s Internet Measurement Conference (IMC) Five students from.

Confused, Timid, and Unstable: Picking a Video Streaming Rate is Hard Published in 2012 ACM’s Internet Measurement Conference (IMC) Five students from.
TTCN-3 Test Case Generation from arbitrary traces Capture & Replay Bogdan Stanca-Kaposta & Theofanis Vassiliou-Gioles (Testing Technologies)

TTCN-3 Test Case Generation from arbitrary traces Capture & Replay Bogdan Stanca-Kaposta & Theofanis Vassiliou-Gioles (Testing Technologies)
PlanetLab Operating System support* *a work in progress.

PlanetLab Operating System support* *a work in progress.
Module 20 Troubleshooting Common SQL Server 2008 R2 Administrative Issues.

Module 20 Troubleshooting Common SQL Server 2008 R2 Administrative Issues.
Near Term Tools: Using honeynet tools and techniques for post intrusion intelligence gathering Edward G. Balas Indiana University Advanced Network Management.

Near Term Tools: Using honeynet tools and techniques for post intrusion intelligence gathering Edward G. Balas Indiana University Advanced Network Management.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.

1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.
1 Distributed File System, and Disk Quotas (Week 7, Thursday 2/21/2007) © Abdou Illia, Spring 2007.

1 Distributed File System, and Disk Quotas (Week 7, Thursday 2/21/2007) © Abdou Illia, Spring 2007.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.
Profile-Based Web Intrusion Prevention System by Donovan Thorpe CS526 Fall 2002.

Profile-Based Web Intrusion Prevention System by Donovan Thorpe CS526 Fall 2002.
Flow Anomaly Detection in Firewalled Networks Research Report Mike Chapple December 15, 2005.

Flow Anomaly Detection in Firewalled Networks Research Report Mike Chapple December 15, 2005.
Performance Evaluation of Load Sharing Policies on a Beowulf Cluster James Nichols Marc Lemaire Advisor: Mark Claypool.

Performance Evaluation of Load Sharing Policies on a Beowulf Cluster James Nichols Marc Lemaire Advisor: Mark Claypool.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
1 PLuSH – Mesh Tree Fast and Robust Wide-Area Remote Execution Mikhail Afanasyev ‧ Jose Garcia ‧ Brian Lum.

1 PLuSH – Mesh Tree Fast and Robust Wide-Area Remote Execution Mikhail Afanasyev ‧ Jose Garcia ‧ Brian Lum.
1 CS 430 / INFO 430 Information Retrieval Lecture 24 Usability 2.

1 CS 430 / INFO 430 Information Retrieval Lecture 24 Usability 2.
Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

Similar presentations

Ads by Google