1 / 24

Backtracking Intrusions

BackTracker is a novel system for detecting and analyzing intrusions by tracking causal dependencies between objects, processes, files, and sockets at the system level. By prioritizing and filtering events, BackTracker significantly reduces the volume of data to improve efficiency. Evaluation on a Linux platform showed its effectiveness in identifying intrusion sources. Despite limitations such as layer-below attacks, hidden channels, and innocent process implication, BackTracker is a promising tool for enhancing computer forensics.

ruthn
Download Presentation

Backtracking Intrusions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Backtracking Intrusions Sam King Peter Chen CoVirt Project, University of Michigan

  2. Motivation • Computer break-ins increasing • Computer forensics is important • How did they get in

  3. Current Forensic Methods • Manual inspection of existing logs • System, application logs • Not enough information • Network log • May be encrypted • Disk image • Only shows final state • Machine level logs • No semantic information • No way to separate out legitimate actions

  4. BackTracker • Can we help figure out what was exploited? • Track back to exploited application • Record causal dependencies between objects

  5. Process File Socket Detection point Fork event Read/write event

  6. Presentation Outline • BackTracker design • Evaluation • Limitations • Conclusions

  7. intrusion occurs intrusion detected BackTracker runs, shows source of intrusion BackTracker • Online component, log objects and events • Offline component to generate graphs

  8. BackTracker Objects • Process • File • Filename

  9. Dependency-Forming Events • Process / Process • fork, clone, vfork • Process / File • read, write, mmap, exec • Process / Filename • open, creat, link, unlink, mkdir, rmdir, stat, chmod, …

  10. Prioritizing Dependency Graphs • Hide read-only files • Eliminate helper processes • Filter “low-control” events proc /bin/bash bash /lib/libc backdoor

  11. Prioritizing Dependency Graphs • Hide read-only files • Eliminate helper processes • Filter “low-control” events proc id bash pipe backdoor

  12. Prioritizing Dependency Graphs • Hide read-only files • Eliminate helper processes • Filter “low-control” events proc login_a login_b utmp bash backdoor

  13. backdoor Filtering “Low-Control” Events proc login utmp bash

  14. sshd bash backdoor Filtering “Low-Control” Events proc login utmp bash

  15. Process File Socket Detection point Fork event Read/write event

  16. Implementation • Prototype built on Linux 2.4.18 • Both stand-alone and virtual machine • Hook system call handler • Inspect state of OS directly Guest Apps Host Apps Guest OS VMM EventLogger Host OS Host OS EventLogger Stand-Alone Implementation Virtual Machine Implementation

  17. Evaluation • Determine effectiveness of Backtracker • Set up Honeypot virtual machine • Intrusion detection using standard tools • Attacks evaluated with six default filtering rules

  18. Process File Socket Detection point Fork event Read/write event

  19. Process File Socket Detection point Fork event Read/write event

  20. BackTracker Limitations • Layer-below attack • Use “low control” events or filtered objects to carry out attack • Hidden channels • Create large dependency graph • Perform a large number of steps • Implicate innocent processes

  21. Future Work • Department system administrators currently evaluating BackTracker • Use different methods of dependency tracking • Forward tracking

  22. Conclusions • Tracking causality through system calls can backtrack intrusions • Dependency tracking • Reduce events and objects by 100x • Still effective even when same application exploited many times • Filtering • Further reduce events and objects

More Related