
Backtracking Intrusions, SOSP '03, Sam King and Peter Chen, UMich


Presentation Transcript


  1. Backtracking Intrusions, SOSP '03, Sam King and Peter Chen, UMich. Presented by JW.

  2. Motivation
     • Computer break-ins are increasing
     • Computer forensics is important
     • How did they get in?

  3. Current Forensic Methods
     • Manual inspection of existing logs
       • System, application logs: not enough information
       • Network log: may be encrypted
       • Disk image: only shows final state
       • Machine level logs: no semantic information; no way to separate out legitimate actions

  4. BackTracker
     • Can we help figure out what was exploited?
     • Track back to the exploited application
     • Record causal dependencies between objects

  5. (figure: example dependency graph; legend: Process, File, Socket, Detection point, Fork event, Read/write event)

  6. BackTracker
     (figure: timeline: intrusion occurs → intrusion detected → BackTracker runs, shows source of intrusion)
     • Online component: log objects and events
     • Offline component: generate graphs

  7. BackTracker Objects
     • Process
     • File
     • Filename

  8. Dependency-Forming Events
     • Process / Process: fork, clone, vfork
     • Process / File: read, write, mmap, exec
     • Process / Filename: open, creat, link, unlink, mkdir, rmdir, stat, chmod, …

  9. Constructing Dependency Graph
     (figure: raw log → complete graph → graph by GraphGen)

  10. Graph could still be VERY large!

  11. Prioritizing Dependency Graphs
     • Hide read-only files
     • Eliminate helper processes
     • Filter "low-control" events
     (figure: example graph with nodes proc, /bin/bash, bash, /lib/libc, backdoor)

  12. Prioritizing Dependency Graphs
     • Hide read-only files
     • Eliminate helper processes
     • Filter "low-control" events
     (figure: example graph with nodes proc, id, bash, pipe, backdoor)

  13. Prioritizing Dependency Graphs
     • Hide read-only files
     • Eliminate helper processes
     • Filter "low-control" events
     (figure: example graph with nodes proc, login_a, login_b, utmp, bash, backdoor)
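The offline GraphGen step of slide 9 and the first filtering rule of slides 11 to 13, as an added example that is not the paper's or the presenter's code: a backward causal search from a detection point over a small constructed event log, using per-object time thresholds the way BackTracker does, followed by the "hide read-only files" rule. The object names, the event kinds and the log itself are constructed for illustration.

```python
from collections import defaultdict, namedtuple

# One logged event: src could have affected dst at time t (a write flows
# proc -> file, a read/exec flows file -> proc, a fork flows parent -> child).
Event = namedtuple("Event", "time src dst kind")

# Constructed sample log (not from the paper), modelled on its scenario.
LOG = [
    Event(0, "file:/etc/passwd", "proc:login", "read"),   # affected BY the file only
    Event(1, "proc:sshd", "proc:bash", "fork"),
    Event(2, "file:/lib/libc.so", "proc:bash", "read"),   # read-only library
    Event(3, "proc:bash", "proc:wget", "fork"),
    Event(4, "proc:wget", "file:/tmp/backdoor", "write"),
    Event(5, "proc:bash", "proc:backdoor", "fork"),
    Event(6, "file:/tmp/backdoor", "proc:backdoor", "exec"),
    Event(7, "proc:backdoor", "file:/etc/passwd", "write"),
    Event(9, "proc:cron", "file:/etc/passwd", "write"),   # after detection
    Event(10, "proc:cron", "file:/tmp/backdoor", "read"), # after it could matter
]

def backtrack(log, detection_obj, detection_time):
    """Backward causal search from a detection point. Each object carries a
    time threshold: an event src -> dst at time t counts only if t is below
    threshold[dst]. src is (re)visited only when an event raises its threshold,
    so the search terminates and later unrelated activity is never pulled in."""
    by_dst = defaultdict(list)
    for ev in log:
        by_dst[ev.dst].append(ev)
    threshold = {detection_obj: detection_time}
    work, graph = [detection_obj], set()
    while work:
        obj = work.pop()
        for ev in by_dst[obj]:
            if ev.time >= threshold[obj]:
                continue
            graph.add(ev)
            if threshold.get(ev.src, -1) < ev.time:
                threshold[ev.src] = ev.time
                work.append(ev.src)
    return graph

def hide_read_only_files(log, graph):
    """Prioritizing rule "hide read-only files": drop file objects (and their
    edges) that nothing in the whole log ever wrote, such as shared libraries."""
    written = {ev.dst for ev in log if ev.kind == "write"}
    read_only = {o for ev in graph for o in (ev.src, ev.dst)
                 if o.startswith("file:") and o not in written}
    return {ev for ev in graph if not {ev.src, ev.dst} & read_only}
```

Running `backtrack(LOG, "file:/etc/passwd", 8)` keeps the seven events leading to the modified /etc/passwd and drops both cron events and the early login read; the filter then removes /lib/libc.so and its read edge.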

  14. (figure: dependency graph; legend: Process, File, Socket, Detection point, Fork event, Read/write event)

  15. Implementation
     • Prototype built on Linux 2.4.18
     • Both stand-alone and virtual machine
     • Hook system call handler
     • Inspect state of OS directly
     (figure: Stand-Alone Implementation with layers Host Apps, Host OS, EventLogger; Virtual Machine Implementation with layers Guest Apps, Guest OS, VMM, EventLogger, Host OS)

  16. Evaluation
     • Determine effectiveness of BackTracker
     • Set up Honeypot virtual machine
     • Intrusion detection using standard tools: TripWire, Ethereal, Snort
     • Attacks evaluated with six default filtering rules

  17. Evaluation

  18. BackTracker Limitations
     • Layer-below attack (e.g. VMM)
     • Use "low control" events or filtered objects to carry out attack
     • Hidden channels (e.g. steal password and log in next time)
     • Create large dependency graph
       • Perform a large number of steps
       • Implicate innocent processes
     • Single host without network dependency
     • 1.2 GB/day/host is too large

  19. (figure: dependency graph; legend: Process, File, Socket, Detection point, Fork event, Read/write event)

  20. (figure: dependency graph; legend: Process, File, Socket, Detection point, Fork event, Read/write event)

  21. BackTracker Limitations (repeat of slide 18)

  22. Cross-host multi-hop attacks
     • Backward causal graphs can be used to find which host allowed a multi-hop attack (such as a worm) to enter a local network
     • Forward causal graphs can be used to find the other hosts that were affected by the multi-hop attack
     (figure: hosts A, B, C, D; labels: Attacker, ssh log in, download/replace exes, BackTracker user, ls, modify some files, detection point, /etc/passwd)

  23. Enriching Intrusion Alerts Through Multi-Host Causality, NDSS '05

  24. BackTracker Limitations (repeat of slide 18)

  25. Dependency explosion

  26. BEEP: High Accuracy Attack Provenance via Binary-based Execution Partition, NDSS '13
     Insight
     • The execution of a wide range of applications (both server-side and client-side) is dominated by a small number of loops (with a large number of iterations for each loop).
     • Each iteration of such a loop can be considered a semantically autonomous unit, as it often operates on an independent input object.
     Technique
     • Reverse engineer such loops from application binaries.
     • Reverse engineer instructions that could cause workflow between units.
     • Perform selective logging for unit boundaries and unit dependences (memory dependence).

  27. An example

  28. References
     • S. T. King and P. M. Chen. "Backtracking Intrusions." In SOSP 2003.
     • S. T. King, Z. M. Mao, D. G. Lucchetti, and P. M. Chen. "Enriching Intrusion Alerts Through Multi-Host Causality." In NDSS 2005.
     • K. H. Lee, X. Zhang, and D. Xu. "High Accuracy Attack Provenance via Binary-based Execution Partition." In NDSS 2013.
