
Automating Intrusion Recovery through Application-Level Replay

Taser, an intrusion recovery system, uses taint analysis to detect and revert an attacker's sessions. The work presented here automates recovery by changing an application's inputs and comparing its outputs to identify deviations in behavior. Experiments with a multi-session attack show promising results for distinguishing legitimate from malicious activity. The proposed approach lets Taser's dependencies be verified rather than inferred speculatively, and the authors plan to integrate it into Taser.


Presentation Transcript


  1. Automating Intrusion Recovery via Application-level Replay. Presented by: Fareha Shafique, June 9, 2006. Professor Ashvin Goel.

  2. Introduction Computer virus and worm attacks are increasingly being used to attack systems in a covert manner. Taser is an intrusion recovery system that determines and reverts an attacker’s session through taint analysis. It works well when the attacker’s footprint is small.

  3. Motivation Attacker's first session

  4. Motivation User’s legitimate session

  5. Motivation Attacker's second session

  6. The Problem: What would Taser do? Either declare that the legitimate user's session is attack-related, or white-list the password file, which disconnects the attacker's session. Taser's dependency analysis does not work well under a multi-session attack.

  7. Our Solution: In the example, if the attacker could never modify the password file, then his telnet login would be denied. Simple principle: if the primary attack had never succeeded, then benign activities would proceed normally, while malicious activities would deviate from their original behavior.

  8. Outline of Approach
     • Change the inputs to an application and compare the outputs (system call trace).
     • Replay activities offline (e.g. a login session).
     • Similar output → no dependence.
     • Different output → dependence.
     • Challenge: non-determinism in the replay.
     • Training: replay several times with the original input to build a model.
     • Testing: replay with the modified input.
     • Use statistical methods for comparison.

  9. Experiment
     • Multi-session WU-FTPd attack.
     • Taser would mark all sessions following the attacker's initial session as tainted.
     • We replay the legitimate session and the attacker's second session, using the attacker-modified password file during training and the original file during testing.

  10. Results
     • The comparison gives the ratio of common and different system calls (c, d) with respect to the training.
     • c ≈ 1 implies similar output.
     • d ≈ 1 implies different output.
     • Legitimate telnet session: (1.02, 0.93)
     • Legitimate FTP session: (1.02, 0.94)
     • Attacker's telnet session: (0.7, 7.87)
     • Attacker's FTP session: (0.53, 1.99)
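As an added example (not code from the presentation), here is one way to carry out the replay comparison of slide 8 and the (c, d) scoring of slide 10 over constructed system-call traces: three training replays of the attacker's telnet session under the attacker-modified password file, then a legitimate and an attacker test replay under the original file. The normalisation (the test replay's common and different syscall counts against the mean training model, divided by the training replays' own counts against that model) and the decision thresholds are assumptions, since the slides do not define them.

```python
from collections import Counter
from statistics import mean

# Constructed traces: syscall name, plus the path for open/execve.
# TRAINING: the attacker's telnet session replayed three times under the
# attacker-modified password file (login succeeds, a shell is spawned); the
# runs differ slightly in read/write counts to model replay non-determinism.
TRAINING = [
    ["socket", "connect", "read", "open:/etc/passwd", "read", "close",
     "fork", "execve:/bin/sh", "read", "write", "exit"],
    ["socket", "connect", "read", "open:/etc/passwd", "read", "close",
     "fork", "execve:/bin/sh", "read", "write", "write", "exit"],
    ["socket", "connect", "read", "open:/etc/passwd", "read", "close",
     "fork", "execve:/bin/sh", "read", "read", "write", "exit"],
]
# Test replays under the original (pre-attack) password file (constructed).
LEGIT_TEST = ["socket", "connect", "read", "open:/etc/passwd", "read", "close",
              "fork", "execve:/bin/sh", "write", "read", "write", "exit"]
ATTACK_TEST = ["socket", "connect", "read", "open:/etc/passwd", "read", "close",
               "write", "close"]  # login denied: no fork/execve, early close

def build_model(traces):
    """Mean count of each system call over the training replays."""
    counters = [Counter(t) for t in traces]
    return {k: mean(c[k] for c in counters) for k in set().union(*counters)}

def common_and_different(trace, model):
    """Syscalls a trace shares with the model, and the amount it differs by."""
    counts = Counter(trace)
    keys = set(counts) | set(model)
    common = sum(min(counts[k], model.get(k, 0)) for k in keys)
    different = sum(abs(counts[k] - model.get(k, 0)) for k in keys)
    return common, different

def score(test_trace, training_traces):
    """(c, d) for a test replay, normalised by how much the training replays
    themselves agree with the model; a run like the training runs scores ~(1, 1)."""
    model = build_model(training_traces)
    pairs = [common_and_different(t, model) for t in training_traces]
    base_c, base_d = mean(p[0] for p in pairs), mean(p[1] for p in pairs)
    common, different = common_and_different(test_trace, model)
    c = common / base_c
    # Fully deterministic training (base_d == 0): any difference is a deviation.
    d = different / base_d if base_d else (1.0 if different == 0 else float("inf"))
    return c, d

def deviates(c, d, c_min=0.8, d_max=2.0):
    """Assumed decision rule: flag dependence when the test replay shares clearly
    fewer syscalls, or differs far more, than the training replays do."""
    return c < c_min or d > d_max
```

With these traces the legitimate replay scores about (1.01, 1.13) and the attacker's about (0.62, 6.38), the same pattern as the slide's results: a session whose outcome hinged on the modified password file diverges sharply once that modification is undone.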

  11. Conclusion & Future Work
     • Taint analysis does not have to be speculative.
     • Through application-level replay and input/output comparison, this system allows verification of dependencies.
     • We plan to implement a replay system and incorporate it within Taser.
