High Accuracy Attack Provenance via Binary-based Execution Partition
Presentation Transcript

  1. 20th NDSS (February 2013) High Accuracy Attack Provenance via Binary-based Execution Partition. Kyu Hyung Lee, Xiangyu Zhang, Dongyan Xu. Department of Computer Science and CERIAS, Purdue University

  2. See Author Slides for Some Pages • Author slides: http://www.internetsociety.org/doc/high-accuracy-attack-provenance-binary-based-execution-partition A Seminar at Advanced Defense Lab

  3. Outline • Introduction • Discovery Units and Unit Dependences • Implementation and Evaluation • Case Study • Discussion

  4. Introduction • Author slides: pages 1-32

  5. 11 Web Sites and 14 Emails in 29 Minutes: Linux Audit Log vs. BEEP

  6. Discovery Units and Unit Dependences • Author slides: pages 33-59

  7. An Experiment

  8. Implementation and Evaluation • Author slides: pages 60-71

  9. Evaluation (cont.) • Training overhead: 10x-200x • The average causal graph of 100 files (one user for 24 hours)

  10. Training Coverage • #1: the universal training set • #2: 30%-50% of #1 • #3: 30%-50% of #2 • Result: the coverage of the training run has little effect on BEEP

  11. Case Study: Attack Ramifications • A user used a system for 24 hours • At the 13th hour, an attacker did the following: • He used port scanning and found an FTP service, ProFTPD • He compromised ProFTPD and created a root shell • He used the shell to install a backdoor and to modify .bash_history • After 24 hours, the user found the backdoor • Using the causal graph, he found that the root shell was the source • The user now wants to find out what the root shell did.
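The two ideas behind slides 5 and 11, backward tracing over a causal graph and partitioning a long-running process into per-task units so that unrelated inputs do not pollute the trace, can be shown on a toy graph. The following is an added illustration written for this seminar page, not code from the BEEP authors; the audit-style events and the unit numbers (one unit per request or page load, which is what BEEP's loop instrumentation delimits) are constructed here.

```python
from collections import defaultdict

# Constructed audit-style events, (subject, operation, object).
# Subjects are "process@unit"; a unit is one task handled by a long-running
# process (one server request, one page load). Objects are files and sockets.
EVENTS = [
    # compromise of the FTP daemon and what the resulting root shell did
    ("proftpd@7", "read", "socket:attacker"),
    ("proftpd@7", "fork", "sh@1"),
    ("sh@1", "write", "/usr/sbin/backdoor"),
    ("sh@1", "write", "/root/.bash_history"),
    # unrelated browsing by the user: one unit per site visited
    ("firefox@1", "read", "socket:site1"),
    ("firefox@1", "write", "/home/user/download1"),
    ("firefox@2", "read", "socket:site2"),
    ("firefox@2", "write", "/home/user/download2"),
]


def build_graph(events, unit_level):
    """Return predecessor sets: preds[n] = nodes that n causally depends on.
    With unit_level=False the unit tag is dropped, i.e. classic
    process-level provenance as derived from a plain audit log."""
    def key(node):
        return node if unit_level else node.split("@")[0]
    preds = defaultdict(set)
    for subj, op, obj in events:
        s, o = key(subj), key(obj)
        if op == "read":
            preds[s].add(o)   # subject now depends on what it read
        else:                 # write / fork: object depends on subject
            preds[o].add(s)
    return preds


def backward_trace(preds, target):
    """Every node the target transitively depends on (its causal ancestry)."""
    seen, stack = set(), [target]
    while stack:
        for p in preds[stack.pop()]:
            if p not in seen:
                seen.add(p)
                stack.append(p)
    return seen


if __name__ == "__main__":
    for unit_level in (False, True):
        g = build_graph(EVENTS, unit_level)
        print("unit-level" if unit_level else "process-level")
        print("  backdoor  <-", sorted(backward_trace(g, "/usr/sbin/backdoor")))
        print("  download2 <-", sorted(backward_trace(g, "/home/user/download2")))
```

At process granularity the second download appears to depend on every site the browser ever visited (the dependence explosion of slide 5); at unit granularity only the site actually loaded in that unit remains, while the backdoor still traces back to the shell and the compromised daemon.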

  12. Case Study: Attack Ramifications (cont.)

  13. Case Study: Information Theft • An employee runs the vim editor and opens three secret files (secret_1, secret_2 and secret_3) and two HTML files (index.html and secret.html) on a server in his company. • He copies secret information from the secret_1 file and pastes it into the secret.html file. • He modifies the index.html file to add a link to the secret.html file. • The company then finds that some information has leaked. • We want to know what was leaked.

  14. Case Study: Information Theft (cont.)

  15. Discussion • BEEP is vulnerable to kernel-level attacks. • A remote attacker may intrude into the system via a non-kernel-level attack and acquire the privileges needed to tamper with the binaries instrumented by BEEP. • A legitimate user of a system with BEEP installed may try to confuse BEEP. • BEEP still requires user involvement. • BEEP cannot process obfuscated binaries, because instrumenting them is difficult.

  16. Q & A