1 / 25

Syzygy

Syzygy. Community Epidemic Detection. Adam J. Oliner Naeim Semsarilar Alex Aiken. Goal. Detect bad behavior in homogenous software communities. ALERT!. Application. Homogenous Communities. Bad News Uniform Large. Homogenous Communities. Good News Uniform Large. Bigger is Better.

autumn-burke
Download Presentation

Syzygy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Syzygy Community Epidemic Detection Adam J. Oliner Naeim Semsarilar Alex Aiken

  2. Goal Detect bad behavior in homogenous software communities ALERT! Application

  3. Homogenous Communities • Bad News • Uniform • Large

  4. Homogenous Communities • Good News • Uniform • Large Bigger is Better

  5. Using the Community • More data • Rare data • Independent data • Heroes

  6. Today’s Menu • Bigger is Better • Syzygy • What’s New • What’s Next

  7. Syzygy • Model application • Report anomalies • Detect epidemic

  8. Syzygy: Key Idea • Clients should behave independently • Correlated anomalies unlikely • … unless shared dependence (exploit) • Flag Day in Fargo

  9. Model: Approach • Black box • Sequences of system calls • connect.gettimeofday.recv.gettimeofday.write.write • read.read.close.munmap.open.fcntl64

  10. The Model The model of an application is the set of all sequences of six consecutive system calls it has made 1 - A.A.A.A.A.A A A A A A A A B 2 - A.A.A.A.A.B

  11. Model: Dynamic Analysis

  12. Anomalies • Local violations of the model • New sequence • Rare

  13. Report Anomalies

  14. Detect Epidemic • Community event • Several local anomalies • Short window of time • Notify Vernier

  15. Detect Epidemic

  16. What’s New • Integration with Vernier • Wild exploit • Wild experiment

  17. Integration with Vernier

  18. Wild Exploit • Samba vulnerability • Buffer overflow in smbd • Execute remote shell • April 2003 Bugtraq advisory

  19. Wild Experiment • Train on six Vernier nodes • Samba and Syzygy inside Linux VM • Workload generator • Monitor under workload • Release exploit into community

  20. Experiment: Train Faster

  21. Experiment: Startup • [root@vernier3 vernier]# ./syzygy-server.py -p 5555 -n "shelves/samba.shelf" -m • Shelf 'shelves/samba.shelf' exists, resuming... • [1182536201.405299] VERNIER Server started on port 5555 in Monitoring mode. • [1182537150.093904] Client joined: 10.3.3.133:32770 • [1182537151.599924] Client joined: 10.3.3.134:32770 • [1182537153.184554] Client joined: 10.3.3.135:32770 • [1182537207.236289] Client joined: 10.3.3.137:32770 • [1182537208.789680] Client joined: 10.3.3.138:32770 • [1182537210.405664] Client joined: 10.3.3.139:32770

  22. Experiment: Quiet Time • … • [1182537582.204169] Local Anomaly: 10.3.3.133:32770, geteuid32.write.geteuid32.write.close.select • [1182537653.921447] Local Anomaly: 10.3.3.133:32770, wait4.sigreturn.stat64.accept.fork.wait4 • [1182537653.922954] Local Anomaly: 10.3.3.133:32770, sigreturn.stat64.accept.fork.wait4.wait4 • [1182537731.022635] Local Anomaly: 10.3.3.133:32770, write.geteuid32.write.close.select.close • …

  23. Experiment: Epidemic • [1182539016.398678] Local Anomaly: 10.3.3.134:32807, sigreturn.select.wait4.wait4.sigreturn.time • … • [1182539016.877422] Local Anomaly: 10.3.3.135:32807, select.wait4.wait4.sigreturn.time.accept • … • [1182539017.338386] Local Anomaly: 10.3.3.138:32805, write.geteuid32.write.geteuid32.write.socket • [1182539017.338450] Epidemic: ['10.3.3.138:32805', '10.3.3.135:32807', '10.3.3.134:32807']

  24. What’s Next • Quantify false positives • Desired dependence • Multi-user deployment

  25. Bigger is Better • More data • Rare data • Independent data • Heroes • Syzygy • Community epidemic detection • Correlated anomalies

More Related