Application Communities April 2004 Site Visit
Benefits from an Application Community
• Increased Accuracy
  • A community provides behavior variations and more data, increasing the accuracy of the dataset and improving the ability to find anomalies.
• Amortized Risk
  • A problem in a few will lead to a solution for the rest
  • A community can afford to sacrifice a few members.
• Shared Burden
  • A community can use expensive monitoring techniques by distributing the burden across the members
Attack Landscape
• Execution of Malicious Code
• Denial of Service
• Privilege Escalation
• Cross Site Scripting
• Weak or Missing Permissions
• Information Leak
Attack Landscape (chart: % of vulnerabilities per category; categories shown include Execution of Malicious Code and Denial of Service. Source: CVE, Microsoft Security Bulletins, 2003-2004)
Attack Landscape (chart: Client / Server breakdown)
Conceptual Flow of a Community System (diagram; stage labels: Monitor, Collect, Learn, Detect, Analyze, Create, Fix, Deploy, Refine, Enforce, Impact)
1. Execution of Malicious Code
1.1 Memory Based
• Injection of malicious code
• Reuse of existing code for malicious purposes
1.2 Script Based
• Unintended use of an expansive script interface
• Exploit a buggy script interpreter
1.3 Executable Based
• Insert a new binary and get it executed
• Replace an existing binary with a malicious one
1.1 Memory Based Attacks
• Attack Types
  • Format String vulnerabilities, Buffer Overflow, Integer Underflow/Overflow, Return to libc.
• Before Application Communities
  • If detected: cannot continue execution. Denial of Service
  • Otherwise: Full impact of the attack
• With Application Communities
  • Malicious code execution detection by MF (Memory Firewall) → constraint identification → constraint enforcement → eliminate the problem
1.2 Script Based Attacks
• Attack types
  • IE VB, JavaScript and ActiveX attacks, malformed image attacks, malicious Word attachments, malicious e-mail attachments
• Before Application Communities
  • No clear solution (mainly signatures or lockdown)
• With Application Communities
  • Detection of an attack → constraint identification → constraint enforcement → eliminate problem
1.3 Executable Based Attacks
• Types of attacks
  • Malware executables, adware, viruses and rootkits
• Before application communities
  • Signatures: blacklists get overwhelmed by variations
  • Lockdown: whitelists are hard to manage
• With application communities
  • Handles day-zero or custom variations of malware
  • Easily manageable lockdown with whitelists that accept updates and upgrades
2. Denial of Service
• Attack Types
  • Crash or hang programs. Get programs into invalid states
• Before Application Communities
  • No clear solution (mainly signatures)
• With Application Communities
  • Detection of an attack (program crash or hang) → constraint identification → constraint enforcement → eliminate problem
Introduction to DaiKonstraints
Application Behavior Monitoring, Anomaly Detection and Enforcement
• Monitor Application Execution
  • Collect constraints
  • Merge constraints from the community
• Detect an Attack
  • Informed by Memory Firewall or
  • Crash
  • Other detectors
• Identify the Violations that lead to Compromise
  • Constraints directly available or
  • Need to track the propagation over multiple attacks
• Create fixes
  • Identify constraint(s) to check and a remediation
  • Test the fixes on a few machines to gain confidence
• Deploy the best fix and Enforce the Constraint
  • Keep monitoring to detect any false positives
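The collect → merge → detect → enforce loop above is easiest to see on a toy trace set. The following is an added example, not code from the deck and not Daikon's or LiveShield's implementation: it infers Daikon-style constraints (value ranges and pairwise relations) per community member, merges them across the community (ranges widen, relations are kept only if every member agrees), and then checks a record against the merged set. The function name copy_into and the variables len and cap are assumed for illustration; the traces are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Relational constraint templates (a small subset of Daikon's invariant catalogue).
RELATIONS = {
    "==": lambda x, y: x == y,
    "<":  lambda x, y: x < y,
    "<=": lambda x, y: x <= y,
}


@dataclass
class Constraints:
    ranges: Dict[str, Tuple[int, int]] = field(default_factory=dict)       # var -> (min, max)
    relations: Set[Tuple[str, str, str]] = field(default_factory=set)      # (a, op, b)


# Constructed traces: each community member logs, per call of an assumed function
# copy_into(len, cap), the request length and the destination buffer capacity.
MEMBER_TRACES = {
    "member-a": [{"len": 12, "cap": 64}, {"len": 40, "cap": 64}, {"len": 3, "cap": 64}],
    "member-b": [{"len": 60, "cap": 64}, {"len": 64, "cap": 64}],   # a completely full buffer is legal
    "member-c": [{"len": 7, "cap": 128}, {"len": 100, "cap": 128}],  # a build with a larger buffer
}


def learn_member_constraints(records: List[Dict[str, int]]) -> Constraints:
    """Infer the constraints that hold over every record one member observed."""
    names = sorted(records[0])
    ranges = {v: (min(r[v] for r in records), max(r[v] for r in records)) for v in names}
    relations = set()
    for a in names:
        for b in names:
            if a == b:
                continue
            for op, holds in RELATIONS.items():
                if op == "==" and a > b:
                    continue  # equality is symmetric; record it once
                if all(holds(r[a], r[b]) for r in records):
                    relations.add((a, op, b))
    return Constraints(ranges, relations)


def merge_community(members: List[Constraints]) -> Constraints:
    """Merge per-member constraints: ranges widen to the union, relations are intersected."""
    merged = Constraints()
    common = None
    for c in members:
        for v, (lo, hi) in c.ranges.items():
            plo, phi = merged.ranges.get(v, (lo, hi))
            merged.ranges[v] = (min(lo, plo), max(hi, phi))
        common = set(c.relations) if common is None else common & c.relations
    merged.relations = common or set()
    return merged


def check(record: Dict[str, int], constraints: Constraints) -> List[str]:
    """Enforcement step: return the constraints a record violates (empty list = accepted)."""
    violated = []
    for v, (lo, hi) in constraints.ranges.items():
        if not lo <= record[v] <= hi:
            violated.append(f"{v} in [{lo}, {hi}]")
    for a, op, b in sorted(constraints.relations):
        if not RELATIONS[op](record[a], record[b]):
            violated.append(f"{a} {op} {b}")
    return violated


def community_constraints() -> Constraints:
    """Constraints learned by every member, merged into the community view."""
    return merge_community([learn_member_constraints(t) for t in MEMBER_TRACES.values()])


if __name__ == "__main__":
    merged = community_constraints()
    print("community constraints:", merged)
    print("overflow attempt:", check({"len": 300, "cap": 64}, merged))
    print("member-b's full buffer:", check({"len": 64, "cap": 64}, merged))
```

Member A alone would have learned the strict relation len < cap and flagged member B's legitimate full-buffer call as an attack; after merging, only len <= cap survives, so that false positive disappears while an oversized length still violates both the merged range and the relation. This is the "varied behavior reduces the risk of false positives" benefit stated later in the deck, made concrete.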
Application Behavior Monitoring, Anomaly Detection and Enforcement (architecture diagram; components: Community Member, Application, Daikon, LiveShield, LiveShield Deployment Monitor, Managed Program Execution, Central Management System)
Community Benefits
• Increased Accuracy
  • Varied behavior reduces the risk of false positives
  • Observing multiple attacks increases the accuracy of the fixes
• Amortized Risk
  • The fixes are first tested on a few machines
  • Learn from any problems
  • Only deployed widely if no adverse effect
• Shared Burden
  • Partial instrumentation of individual applications. Community aggregation provides the full picture.
Introduction to Program Genealogy
Looking for Family Resemblance
• Compare the DNA instead of portraits or faces
• Apply to both
  • Malware families
  • Updates and upgrades of legitimate software
Gray to Black or White
• A blacklist and whitelist file hash database
  • enforces what applications are allowed to run
• For an unknown application (graylist)
  • Is allowed to run under monitoring
  • Execution profile is created
• Community monitoring
  • Find a similar execution profile in the database
  • Add the application hash to blacklist or whitelist
  • Add the profile to the database
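The two slides above ("compare the DNA" and the gray → black/white procedure) describe one mechanism: a hash list decides known programs, and an unknown program is run under monitoring, profiled, and matched against stored behavioral traces. The following is an added example, not the deck's or the project's code, showing that procedure end to end. The profile representation (a count of observed behavior events), the cosine similarity measure, the 0.90 match threshold, and the event names and sample programs are all assumptions made for illustration; the deck does not specify them.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, List, Optional, Tuple

MATCH_THRESHOLD = 0.90  # assumed cut-off for "similar enough to inherit the verdict"


def cosine_similarity(a: Counter, b: Counter) -> float:
    """Cosine similarity between two behavior profiles (event -> count)."""
    dot = sum(a[k] * b[k] for k in set(a) | set(b))
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


class Community:
    """Central management: hash lists plus a database of behavioral traces."""

    def __init__(self) -> None:
        self.whitelist: Dict[str, str] = {}   # sha256 hex -> matched family label
        self.blacklist: Dict[str, str] = {}
        self.trace_db: List[Tuple[str, str, Counter]] = []   # (label, verdict, profile)

    def add_known(self, label: str, verdict: str, profile: Dict[str, int]) -> None:
        self.trace_db.append((label, verdict, Counter(profile)))

    def classify(self, program: bytes, observed_events: Dict[str, int]) -> Tuple[str, Optional[str], float]:
        """Return (verdict, matched label, similarity) for a program and its monitored behavior."""
        digest = hashlib.sha256(program).hexdigest()
        if digest in self.whitelist:               # known good: no monitoring needed
            return ("white", self.whitelist[digest], 1.0)
        if digest in self.blacklist:               # known bad: blocked outright
            return ("black", self.blacklist[digest], 1.0)
        # Graylist: the program ran under monitoring; observed_events is its execution profile.
        profile = Counter(observed_events)
        if not self.trace_db:
            return ("gray", None, 0.0)
        label, verdict, known = max(self.trace_db, key=lambda e: cosine_similarity(profile, e[2]))
        score = cosine_similarity(profile, known)
        if score < MATCH_THRESHOLD:
            return ("gray", None, score)           # no family resemblance: stays gray
        # Resemblance found: the hash inherits the verdict and the new trace sharpens future matching.
        (self.whitelist if verdict == "white" else self.blacklist)[digest] = label
        self.trace_db.append((f"{label}+variant", verdict, profile))
        return (verdict, label, score)


# Constructed sample data (not real software or malware).
SAMPLE_UPDATE = b"MZ-constructed-word-11.1"
UPDATE_EVENTS = {"open": 45, "read": 130, "write": 28, "CreateWindow": 6, "print": 2}
SAMPLE_VARIANT = b"MZ-constructed-dropper-x2"
VARIANT_EVENTS = {"open": 4, "write": 12, "CreateRemoteThread": 3, "RegSetValue": 9, "connect": 5, "read": 2}
SAMPLE_UNRELATED = b"MZ-constructed-something-else"


def build_demo_community() -> Community:
    """Seed the trace database with one known-good and one known-bad behavior profile."""
    c = Community()
    c.add_known("word-11.0", "white", {"open": 40, "read": 120, "write": 30, "CreateWindow": 5})
    c.add_known("dropper-x", "black", {"open": 3, "write": 10, "CreateRemoteThread": 4, "RegSetValue": 8, "connect": 6})
    return c


if __name__ == "__main__":
    community = build_demo_community()
    print("update of a known app:", community.classify(SAMPLE_UPDATE, UPDATE_EVENTS))
    print("malware variant:", community.classify(SAMPLE_VARIANT, VARIANT_EVENTS))
    print("unrelated program:", community.classify(SAMPLE_UNRELATED, {"mmap": 50}))
    print("second sighting of the update:", community.classify(SAMPLE_UPDATE, {}))
```

The update of a legitimate application has a different hash but nearly the same "DNA", so it is whitelisted without anyone maintaining the list by hand; the malware variant likewise inherits the blacklist verdict from its family. A program that resembles nothing stays gray and keeps running under monitoring, and once a hash has been decided, later sightings across the community are settled by the hash alone.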
Gray to Black or White (architecture diagram; components: Community Member, Application, Daikon, Behavioral Traces, Blacklist/Whitelist Monitor, Managed Program Execution, Central Management System, Trace DB, Blacklist/Whitelist DB, Behavior Matching)
Community Benefits
• Increased Accuracy
  • Multiple users provide a better application trace profile
• Amortized Risk
  • Cannot tell if an unknown application is good or bad without running it
  • When it is clear that the application is bad, the machine may already be compromised
  • However, this saves the rest of the community
• Shared Burden
  • Only a few early users need to profile an unknown application.