High Accuracy Attack Provenance via Binary-based Execution Partition
Kyu Hyung Lee, Xiangyu Zhang, Dongyan Xu
Department of Computer Science and CERIAS, Purdue University
20th NDSS (February, 2013)
Some pages are taken from the author slides: http://www.internetsociety.org/doc/high-accuracy-attack-provenance-binary-based-execution-partition
A Seminar at Advanced Defense Lab, 2013/5/20

Outline
Introduction
Discovery Units and Unit Dependences
Implementation and Evaluation
Case Study
Discussion
Introduction
Author slides: pages 1-32
11 Web sites and 14 Emails in 29 Minutes
(figure comparison: Linux Audit Log vs. BEEP)
Discovery Units and Unit Dependences
Author slides: pages 33-59
An Experiment
Implementation and Evaluation
Author slides: pages 60-71
Evaluation (cont.)
Training Overhead: 10x-200x
The average causal graph of 100 files (a user for 24 hours)
Training Coverage
#1: the universal training set
#2: 30%-50% of #1
#3: 30%-50% of #2
Result: the training run coverage has little effect on BEEP
Case Study: Attack Ramifications
A user used a system for 24 hours.
At the 13th hour, an attacker did the following:
He used port scanning and found an FTP service, Proftpd.
He compromised Proftpd and created a root shell.
He used the shell to install a backdoor and to modify .bash_history.
After 24 hours, the user found the backdoor.
Using the causal graph, he found that the root shell is the source.
The user wants to find out what the root shell did.
Case Study: Attack Ramifications (cont.)
Case Study: Information Theft
An employee runs the vim editor and opens three secret files (secret_1, secret_2 and secret_3) and two other HTML files (index.html and secret.html) on a server in his company.
He copies secret information from the secret_1 file and pastes it into the secret.html file.
He modifies the index.html file to add a link to the secret.html file.
Now the company has found that some information was leaked.
We want to know what was leaked.
Case Study: Information Theft (cont.)
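Both case studies come down to the same two graph queries: backward tracking from a suspicious object to its sources (what fed secret.html, where the backdoor came from) and forward tracking from a compromised process to its effects (what the root shell did). The Python below is an added illustration for this seminar, not the authors' BEEP code. It builds the causal graph once at process granularity, which is what a syscall-level audit log gives you, and once at unit granularity. The unit boundaries and the memory dependence through vim's paste buffer are supplied in a constructed log rather than discovered by binary instrumentation as BEEP does; the log lines, file paths and the 192.0.2.10 address are all constructed sample data.

```python
"""Toy provenance tracker: process-level granularity (a syscall audit log) versus
unit-level granularity (BEEP's execution partition). Added illustration, not BEEP."""
import math
from collections import namedtuple

Event = namedtuple("Event", "seq proc unit op obj")
# Constructed sample log (process, unit id, operation, object). A unit stands for
# one iteration of the program's event loop (a command in vim, a request in
# proftpd): BEEP derives those boundaries from the instrumented binary, here they
# are simply given. The mem* lines stand for the memory dependence BEEP records
# between units (vim's paste buffer). Paths and the TEST-NET address are made up.
SAMPLE_LOG = """
proftpd 1 read     socket:192.0.2.10
proftpd 1 spawn    sh
sh      1 write    /usr/local/bin/backdoor
sh      1 write    /root/.bash_history
vim     1 read     /srv/secret_1
vim     1 memwrite paste-buffer
vim     2 read     /srv/secret_2
vim     3 read     /srv/secret_3
vim     4 read     /srv/www/secret.html
vim     4 memread  paste-buffer
vim     4 write    /srv/www/secret.html
vim     5 read     /srv/www/index.html
vim     5 write    /srv/www/index.html
"""

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        proc, unit, op, obj = line.split()
        events.append(Event(len(events), proc, int(unit), op, obj))
    return events

def _obj(name):  # sockets become net: nodes, everything else file: nodes
    return "net:" + name[7:] if name.startswith("socket:") else "file:" + name

def build_graph(events, partition):
    """Return (src, dst, seq) edges. partition=False attributes every event of a
    process to one node and drops memory events, as an audit log would;
    partition=True gives each unit its own node, hung off the process node at
    the unit's first event so that spawn ancestry stays reachable."""
    edges, seen = [], set()
    for e in events:
        actor = proc = "proc:" + e.proc
        if partition:
            actor = f"unit:{e.proc}#{e.unit}"
            if actor not in seen:
                seen.add(actor)
                edges.append((proc, actor, e.seq))
        elif e.op.startswith("mem"):
            continue
        if e.op == "read":
            edges.append((_obj(e.obj), actor, e.seq))
        elif e.op == "write":
            edges.append((actor, _obj(e.obj), e.seq))
        elif e.op == "memread":
            edges.append(("mem:" + e.obj, actor, e.seq))
        elif e.op == "memwrite":
            edges.append((actor, "mem:" + e.obj, e.seq))
        elif e.op == "spawn":
            edges.append((actor, "proc:" + e.obj, e.seq))
    return edges

def track(edges, start, backward):
    """Time-aware reachability: backward follows only edges into a node that are
    no later than the edge we arrived by, forward only edges out of it that are
    no earlier, so a file read after the write under investigation is not blamed."""
    best, reached = {}, set()
    work = [(start, math.inf if backward else -math.inf)]
    while work:
        node, limit = work.pop()
        prev = best.get(node)
        if prev is not None and (prev >= limit if backward else prev <= limit):
            continue  # already explored with a window at least this wide
        best[node] = limit
        for src, dst, seq in edges:
            if backward and dst == node and seq <= limit:
                reached.add(src)
                work.append((src, seq))
            elif not backward and src == node and seq >= limit:
                reached.add(dst)
                work.append((dst, seq))
    return reached

def _query(partition, start, backward, prefixes):
    g = build_graph(parse_log(SAMPLE_LOG), partition)
    return sorted(n for n in track(g, start, backward) if n.startswith(prefixes))

def leaked_sources(partition):  # information theft: which files fed secret.html?
    return _query(partition, "file:/srv/www/secret.html", True, "file:")

def backdoor_origin(partition):  # attack ramifications: where did the backdoor come from?
    return _query(partition, "file:/usr/local/bin/backdoor", True, ("proc:", "net:"))

def shell_ramifications(partition):  # attack ramifications: what did the root shell touch?
    return _query(partition, "proc:sh", False, "file:")

if __name__ == "__main__":
    for p in (False, True):
        print(p, leaked_sources(p), backdoor_origin(p), shell_ramifications(p))
```

At process granularity the write to secret.html is blamed on all three secret files, because vim read them earlier in the same long-running process; at unit granularity only secret_1 survives, reached through the paste buffer. The two root-shell queries give the same answer either way, since sh here is a short-lived process with a single unit, which is why execution partitioning only matters for long-running programs such as editors, browsers and servers.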
Discussion
BEEP is vulnerable to kernel-level attacks.
A remote attacker may intrude into the system via a non-kernel-level attack and acquire the privileges needed to tamper with the binaries instrumented by BEEP.
A legitimate user of a system with BEEP installed may try to confuse BEEP.
BEEP still requires user involvement.
BEEP is not capable of processing obfuscated binaries due to the difficulty of binary instrumentation.
Q & A