
Application Communities


Presentation Transcript


  1. Application Communities April 2004 Site Visit

  2. Benefits from an Application Community
     • Increased Accuracy
       - A community provides behavior variations and more data, increasing the accuracy of the dataset and improving the ability to find anomalies.
     • Amortized Risk
       - A problem in a few will lead to a solution for the rest.
       - A community can afford to sacrifice a few members.
     • Shared Burden
       - A community can use expensive monitoring techniques by distributing the burden across the members.

  3. Attack Landscape
     • Execution of Malicious Code
     • Denial of Service
     • Privilege Escalation
     • Cross Site Scripting
     • Weak or Missing Permissions
     • Information Leak

  4. Attack Landscape
     [Chart: % of vulnerabilities by category; the labelled categories include Execution of Malicious Code and Denial of Service. Source: CVE, Microsoft Security Bulletins, 2003-2004.]

  5. Attack Landscape
     [Chart: vulnerability breakdown by Client versus Server.]

  6. Attack Landscape
     • Execution of Malicious Code
     • Denial of Service
     • Privilege Escalation
     • Cross Site Scripting
     • Weak or Missing Permissions
     • Information Leak

  7. Conceptual Flow of a Community System
     [Diagram. Stages shown: Monitor (on every member), Collect, Learn, Detect, Analyze, Create, Refine, Deploy, Enforce, Fix, Impact.]

  8. 1. Execution of Malicious Code
     1.1 Memory Based
       • Injection of malicious code
       • Reuse of existing code for malicious purposes
     1.2 Script Based
       • Unintended use of an expansive script interface
       • Exploit a buggy script interpreter
     1.3 Executable Based
       • Insert a new binary and get it executed
       • Replace an existing binary with a malicious one

  9. 1.1 Memory Based Attacks
     • Attack Types
       - Format string vulnerabilities, buffer overflow, integer underflow/overflow, return-to-libc.
     • Before Application Communities
       - If detected: execution cannot continue, so the outcome is a denial of service.
       - Otherwise: full impact of the attack.
     • With Application Communities
       - Malicious code execution → detection by the Memory Firewall (MF) → constraint identification → constraint enforcement → eliminate the problem.

  10. 1.2 Script Based Attacks
     • Attack Types
       - IE VB, JavaScript and ActiveX attacks, malformed image attacks, malicious Word attachments, malicious e-mail attachments.
     • Before Application Communities
       - No clear solution (mainly signatures or lockdown).
     • With Application Communities
       - Detection of an attack → constraint identification → constraint enforcement → eliminate the problem.

  11. 1.3 Executable Based Attacks
     • Types of Attacks
       - Malware executables, adware, viruses and rootkits.
     • Before Application Communities
       - Signatures: blacklists get overwhelmed by variations.
       - Lockdown: whitelists are hard to manage.
     • With Application Communities
       - Handles day-zero or custom variations of malware.
       - Easily manageable lockdown, with whitelists that accept updates and upgrades.

  12. 2. Denial of Service
     • Attack Types
       - Crash or hang programs; get programs into invalid states.
     • Before Application Communities
       - No clear solution (mainly signatures).
     • With Application Communities
       - Detection of an attack (program crash or hang) → constraint identification → constraint enforcement → eliminate the problem.

  13. Attack Handling Capabilities

  14. Introduction to DaiKonstraints

  15. Application Behavior Monitoring, Anomaly Detection and Enforcement
     • Monitor Application Execution
       - Collect constraints
       - Merge constraints from the community
     • Detect an Attack
       - Informed by the Memory Firewall, or
       - A crash, or
       - Other detectors
     • Identify the Violations that Lead to Compromise
       - Constraints directly available, or
       - Need to track the propagation over multiple attacks
     • Create Fixes
       - Identify constraint(s) to check and a remediation
       - Test the fixes on a few machines to gain confidence
     • Deploy the Best Fix and Enforce the Constraint
       - Keep monitoring to detect any false positives
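The monitor → collect → merge → detect → enforce loop on this slide is easiest to see with a small Daikon-style constraint learner. The following is an added example, not code from the slides, from Daikon or from LiveShield: each community member infers range, one-of and pairwise-ordering constraints from its own trace of a program point, the community merges them (value constraints widen to cover every member's legitimate behaviour, relations survive only if every member saw them hold), and the merged constraints are then checked against new observations. The program point (entry to a header-copying routine with a fixed 256-byte buffer), the variable names and the traces are constructed for illustration.

```python
# Added example, not code from the slides, Daikon or LiveShield. Demonstrates
# Daikon-style constraint inference per community member, a community merge,
# and enforcement of the merged constraints against new observations.
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

Observation = Dict[str, int]          # values of named variables at one program point
ONE_OF_LIMIT = 4                      # keep an exact value set only while it is this small


@dataclass
class VarConstraint:
    lo: int                           # observed minimum
    hi: int                           # observed maximum
    one_of: Optional[Set[int]]        # exact set of seen values, or None if too varied


@dataclass
class Constraints:
    vars: Dict[str, VarConstraint]
    relations: Set[Tuple[str, str, str]]   # (a, op, b) meaning "a op b", op in {"==", "<="}


def infer(trace: List[Observation]) -> Constraints:
    """One member's Daikon step: derive range, one-of and pairwise relations
    that held in every observation of its own trace."""
    names = sorted(trace[0])
    vars_ = {}
    for n in names:
        vals = [o[n] for o in trace]
        distinct = set(vals)
        vars_[n] = VarConstraint(min(vals), max(vals),
                                 distinct if len(distinct) <= ONE_OF_LIMIT else None)
    relations = set()
    for a, b in combinations(names, 2):
        if all(o[a] == o[b] for o in trace):
            relations.add((a, "==", b))
        elif all(o[a] <= o[b] for o in trace):
            relations.add((a, "<=", b))
        elif all(o[b] <= o[a] for o in trace):
            relations.add((b, "<=", a))
    return Constraints(vars_, relations)


def merge(members: List[Constraints]) -> Constraints:
    """Community merge: value constraints widen to cover every member's legitimate
    behaviour (union); a relation survives only if every member saw it hold (intersection)."""
    vars_ = {}
    for n in members[0].vars:
        lo = min(m.vars[n].lo for m in members)
        hi = max(m.vars[n].hi for m in members)
        sets = [m.vars[n].one_of for m in members]
        one_of = None
        if all(s is not None for s in sets):
            union = set().union(*sets)
            one_of = union if len(union) <= ONE_OF_LIMIT else None
        vars_[n] = VarConstraint(lo, hi, one_of)
    relations = set.intersection(*(m.relations for m in members))
    return Constraints(vars_, relations)


def violations(c: Constraints, obs: Observation) -> List[str]:
    """Enforcement check: every constraint the observation breaks, as a message.
    An empty list means the observation is consistent with learned behaviour."""
    out = []
    for n, vc in c.vars.items():
        v = obs[n]
        if not vc.lo <= v <= vc.hi:
            out.append(f"{n}={v} outside [{vc.lo}, {vc.hi}]")
        elif vc.one_of is not None and v not in vc.one_of:
            out.append(f"{n}={v} not in {sorted(vc.one_of)}")
    for a, op, b in sorted(c.relations):
        holds = obs[a] == obs[b] if op == "==" else obs[a] <= obs[b]
        if not holds:
            out.append(f"{a} {op} {b} violated ({obs[a]} vs {obs[b]})")
    return out


# Constructed sample traces (assumed program point: entry to a header-copying routine
# with a fixed 256-byte buffer). Two community members see different header lengths.
def _obs(hdr_len: int, nfields: int) -> Observation:
    return {"buf_size": 256, "hdr_len": hdr_len, "nfields": nfields}

MEMBER_A = [_obs(12, 2), _obs(40, 5), _obs(64, 8), _obs(32, 4)]
MEMBER_B = [_obs(20, 3), _obs(120, 12), _obs(200, 20), _obs(96, 9)]
COMMUNITY = merge([infer(MEMBER_A), infer(MEMBER_B)])

BENIGN_UNSEEN = _obs(150, 15)   # member A alone never saw this; the community did
ATTACK = _obs(1024, 3)          # oversized header: breaks the hdr_len range and hdr_len <= buf_size

if __name__ == "__main__":
    print("A alone, benign:", violations(infer(MEMBER_A), BENIGN_UNSEEN))
    print("community, benign:", violations(COMMUNITY, BENIGN_UNSEEN))
    print("community, attack:", violations(COMMUNITY, ATTACK))
```

Member A on its own would flag the benign 150-byte header as an anomaly because it only ever saw headers up to 64 bytes; after the merge the community range is [12, 200] and the same observation passes, which is the false-positive reduction the deck attributes to behaviour variation. The oversized header still fails both the range and the `hdr_len <= buf_size` relation, and that relation is the kind of constraint a fix would enforce at the call site.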

  16. Application Behavior Monitoring, Anomaly Detection and Enforcement
     [Architecture diagram. Community Member: Application, Monitor, Daikon, LiveShield, Managed Program Execution. Central Management System: Daikon, LiveShield Deployment.]

  17. Application Behavior Monitoring, Anomaly Detection and Enforcement
     [The slide 16 architecture diagram overlaid with the conceptual flow of slide 7: Monitor, Collect, Learn, Detect, Analyze, Create, Refine, Deploy, Enforce, Fix, Impact.]

  18. Application Behavior Monitoring, Anomaly Detection and Enforcement
     [The slide 17 diagram with further Monitor and Impact annotations; no additional text content.]

  19. Community Benefits
     • Increased Accuracy
       - Varied behavior reduces the risk of false positives.
       - Observing multiple attacks increases the accuracy of the fixes.
     • Amortized Risk
       - The fixes are first tested on a few machines.
       - Learn from any problems.
       - Only deployed widely if there is no adverse effect.
     • Shared Burden
       - Partial instrumentation of individual applications; community aggregation provides the full picture.

  20. Introduction to Program Genealogy

  21. Looking for Family Resemblance
     • Compare the DNA instead of portraits or faces
     • Apply to both
       - Malware families
       - Updates and upgrades of legitimate software

  22. Gray to Black or White
     • A blacklist and whitelist file hash database
       - enforces what applications are allowed to run
     • For an unknown application (graylist)
       - It is allowed to run under monitoring
       - An execution profile is created
     • Community monitoring
       - Find a similar execution profile in the database
       - Add the application hash to the blacklist or whitelist
       - Add the profile to the database
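The gray-list procedure on this slide, together with the "family resemblance" idea of slide 21, can be shown end to end with a behaviour-matching sketch. This is an added example, not the project's own code or any Determina or Daikon tool: a binary whose hash is on neither list runs under monitoring, its execution profile is built as the set of system-call trigrams (the "DNA"), the profiles reported by community members are unioned, and the result is compared by Jaccard similarity against the trace database. Only when a sufficiently similar known profile exists does the hash move to the blacklist or whitelist; otherwise it stays gray and keeps being monitored. The binaries (stand-in byte strings), the system-call traces, the 0.6 threshold and trigram size are constructed assumptions.

```python
# Added example, not code from the slides or from any Determina/Daikon tool. Shows the
# gray-list flow: a binary not on either hash list runs under monitoring, its behaviour
# profile is matched against the community trace DB, and its hash is moved to the
# blacklist or whitelist only when a sufficiently similar profile is already known.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

NGram = Tuple[str, ...]


def profile(trace: List[str], n: int = 3) -> Set[NGram]:
    """Behaviour profile: the set of n-grams of a monitored execution's event sequence
    (here system-call names). Like 'DNA', it survives a changed file hash."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}


def community_profile(traces: Iterable[List[str]]) -> Set[NGram]:
    """Union of the profiles several members observed: more users, fuller picture."""
    out: Set[NGram] = set()
    for t in traces:
        out |= profile(t)
    return out


def jaccard(a: Set[NGram], b: Set[NGram]) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


@dataclass
class ListDB:
    whitelist: Set[str] = field(default_factory=set)       # sha256 hex digests
    blacklist: Set[str] = field(default_factory=set)
    traces: List[Tuple[str, Set[NGram]]] = field(default_factory=list)   # (label, profile)

    def admit(self, digest: str) -> str:
        """Hash-list check at launch: 'white' runs, 'black' is blocked, 'gray' runs monitored."""
        if digest in self.whitelist:
            return "white"
        if digest in self.blacklist:
            return "black"
        return "gray"

    def resolve(self, digest: str, member_traces: List[List[str]], threshold: float = 0.6) -> str:
        """Gray-to-black-or-white step: match the community's observed profile against
        known profiles; adopt the best label if similar enough, otherwise stay gray."""
        verdict = self.admit(digest)
        if verdict != "gray":
            return verdict
        p = community_profile(member_traces)
        score, label = max(((jaccard(p, q), lbl) for lbl, q in self.traces), default=(0.0, "gray"))
        if score < threshold:
            return "gray"                      # no known relative: keep monitoring
        (self.whitelist if label == "white" else self.blacklist).add(digest)
        self.traces.append((label, p))         # the new profile now helps classify its relatives
        return label


def digest_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Constructed sample data. The byte strings stand in for binaries; the traces are
# made-up system-call sequences such as a monitor might record.
EDITOR_V1 = ["open", "fstat", "mmap", "read", "read", "write", "munmap", "close"]
EDITOR_V2 = ["open", "fstat", "mmap", "read", "read", "read", "write", "munmap", "close"]  # upgrade
DROPPER_V1 = ["socket", "connect", "open", "write", "close", "fork", "execve", "unlink"]
DROPPER_V2 = DROPPER_V1 + ["exit"]                                                       # repacked variant
NOVEL_APP = ["getpid", "brk", "brk", "clock_gettime", "nanosleep", "exit"]              # no relatives


def build_demo_db() -> ListDB:
    db = ListDB()
    db.whitelist.add(digest_of(b"editor-v1.exe"))
    db.traces.append(("white", profile(EDITOR_V1)))
    db.blacklist.add(digest_of(b"dropper-v1.exe"))
    db.traces.append(("black", profile(DROPPER_V1)))
    return db


def demo() -> Dict[str, str]:
    db = build_demo_db()
    return {
        "editor-v2": db.resolve(digest_of(b"editor-v2.exe"), [EDITOR_V2]),
        "dropper-v2": db.resolve(digest_of(b"dropper-v2.exe"), [DROPPER_V2]),
        "novel": db.resolve(digest_of(b"novel.exe"), [NOVEL_APP]),
    }


if __name__ == "__main__":
    print(demo())
```

The editor upgrade has a new hash but shares six of seven trigrams with the whitelisted version, so it is whitelisted without an administrator touching the list; the repacked dropper likewise inherits the blacklist verdict of its parent even though no signature for it exists. The novel application matches nothing and stays gray, which is the case slide 25 warns about: the early users running it are the ones taking the risk on behalf of the community.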

  23. Gray to Black or White
     [Architecture diagram. Community Member: Application, Monitor, Daikon, Blacklist/Whitelist, Managed Program Execution, Behavioral Traces. Central Management System: Trace DB, Blacklist/Whitelist DB, Behavior Matching.]

  24. Gray to Black or White
     [The slide 23 architecture diagram overlaid with the conceptual flow of slide 7: Monitor, Collect, Learn, Detect, Analyze, Create, Refine, Deploy, Enforce, Fix, Impact.]

  25. Community Benefits
     • Increased Accuracy
       - Multiple users provide a better application trace profile.
     • Amortized Risk
       - Cannot tell whether an unknown application is good or bad without running it.
       - By the time it is clear that the application is bad, the machine may already be compromised.
       - However, this saves the rest of the community.
     • Shared Burden
       - Only a few early users need to profile an unknown application.
