20th NDSS (February, 2013). High Accuracy Attack Provenance via Binary-based Execution Partition. Kyu Hyung Lee, Xiangyu Zhang, Dongyan Xu, Department of Computer Science and CERIAS, Purdue University. See the author slides for some pages.
Author slides: http://www.internetsociety.org/doc/high-accuracy-attack-provenance-binary-based-execution-partition
A Seminar at Advanced Defense Lab
Outline
• Introduction
• Discovery Units and Unit Dependences
• Implementation and Evaluation
• Case Study
• Discussion
Introduction
• Author slides: pages 1-32
11 Web sites and 14 Emails in 29 Minutes (figure: causal graph from the Linux Audit Log vs. BEEP)
Discovery Units and Unit Dependences
• Author slides: pages 33-59
An Experiment (figure)
Implementation and Evaluation
• Author slides: pages 60-71
Evaluation (cont.)
• Training overhead: 10x-200x
• The average causal graph of 100 files (one user for 24 hours)
Training Coverage
• #1: the universal training set
• #2: 30%-50% of #1
• #3: 30%-50% of #2
• Result: the training run coverage has little effect on BEEP
Case Study: Attack Ramifications
• A user used a system for 24 hours.
• At the 13th hour, an attacker did the following:
  • He used port scanning and found an FTP service, Proftpd.
  • He compromised Proftpd and created a root shell.
  • He used the shell to install a backdoor and to modify .bash_history.
• After 24 hours, the user found the backdoor.
• Using the causal graph, he finds that the root shell is the source.
• The user wants to find out what the root shell did.
Case Study: Attack Ramifications (cont.) (figure)
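The two questions in this case study (backward: where did the backdoor come from? forward: what did the root shell touch?) are reachability queries over the causal graph, and the unit partitioning from the Discovery Units section is what keeps the long-running Proftpd process from dragging every unrelated client session into the answer. The following is an added example, not code from the paper or from BEEP; the events, paths, unit names and IP addresses are all constructed for illustration.

```python
from collections import defaultdict

# Constructed audit-style events for the case study above (not real logs).
# A subject is (process, unit): BEEP splits a long-running process such as
# proftpd into execution units, e.g. one per client session, so that
# dependences are tracked per unit rather than per whole process.
EVENTS = [
    (("proftpd", "u1"), "read",  "sock:192.0.2.10"),         # benign FTP client
    (("proftpd", "u1"), "write", "/srv/ftp/report.txt"),
    (("proftpd", "u2"), "read",  "sock:198.51.100.7"),       # attacker's session
    (("proftpd", "u2"), "spawn", ("rootshell", "u1")),       # exploit -> root shell
    (("rootshell", "u1"), "write", "/usr/local/bin/backdoor"),
    (("rootshell", "u1"), "write", "/root/.bash_history"),
    (("bash", "u1"), "read",  "/root/.bash_history"),
]

def build_graph(events, per_unit=True):
    """Return (succ, pred) adjacency maps. With per_unit=False every unit of a
    process collapses into one node, i.e. classic process-level provenance
    as obtained from a plain Linux audit log."""
    def node(x):
        if isinstance(x, tuple):
            return x if per_unit else (x[0], "*")
        return x
    succ, pred = defaultdict(set), defaultdict(set)
    for subj, action, obj in events:
        # a read makes the subject depend on the object; write/spawn the reverse
        src, dst = (node(obj), node(subj)) if action == "read" else (node(subj), node(obj))
        succ[src].add(dst)
        pred[dst].add(src)
    return succ, pred

def reach(adj, start):
    """All nodes reachable from start along adj (iterative DFS)."""
    seen, stack = set(), [start]
    while stack:
        for m in adj[stack.pop()]:
            if m not in seen:
                seen.add(m)
                stack.append(m)
    return seen

def backward(events, obj, per_unit=True):
    """Where did obj come from? Ancestors of obj in the causal graph."""
    return reach(build_graph(events, per_unit)[1], obj)

def forward(events, subj, per_unit=True):
    """What did subj affect? Descendants of subj in the causal graph."""
    return reach(build_graph(events, per_unit)[0], subj)
```

With `per_unit=False` the benign client's socket shows up as an ancestor of the backdoor, which is exactly the false dependence that process-level provenance produces and unit partitioning removes.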
Case Study: Information Theft
• An employee runs the vim editor and opens three secret files (secret_1, secret_2 and secret_3) and two HTML files (index.html and secret.html) on a server in his company.
• He copies secret information from the secret_1 file and pastes it into the secret.html file.
• He modifies the index.html file to add a link to the secret.html file.
• Now the company has found that some information was leaked.
• We want to know what was leaked.
Case Study: Information Theft (cont.) (figure)
Discussion
• BEEP is vulnerable to kernel-level attacks.
• A remote attacker may intrude into the system via some non-kernel-level attack and acquire the privileges to tamper with the binaries instrumented by BEEP.
• A legitimate user of a system with BEEP installed may try to confuse BEEP.
• BEEP still requires user involvement.
• BEEP is not capable of processing obfuscated binaries, due to the difficulty of instrumenting them.
Q & A