High Accuracy Attack Provenance via Binary-based Execution Partition
Kyu Hyung Lee, Xiangyu Zhang, Dongyan Xu
Department of Computer Science and CERIAS, Purdue University
20th NDSS (February, 2013)


Slides presented at: A Seminar at Advanced Defense Lab, 2013/5/20
See the author slides for some pages: http://www.internetsociety.org/doc/high-accuracy-attack-provenance-binary-based-execution-partition

Outline
Introduction

Discovery Units and Unit Dependences

Implementation and Evaluation

Case Study

Discussion

Introduction
Author slides: pages 1-32

11 Web sites and 14 Emails in 29 Minutes

Figure labels: Linux Audit Log, BEEP

Discovery Units and Unit Dependences
Author slides: pages 33-59

An Experiment

Implementation and Evaluation
Author slides: pages 60-71

Evaluation (cont.)
Training Overhead: 10x-200x
The average causal graph of 100 files (a user for 24 hours)

Training Coverage
#1: the universal training set
#2: 30%-50% of #1
#3: 30%-50% of #2
Result: the training run coverage has little effect on BEEP

Case Study: Attack Ramifications
A user used a system for 24 hours.
At the 13th hour, an attacker did the following:
He used port scanning and found an FTP service, Proftpd.
He compromised Proftpd and created a root shell.
He used the shell to install a backdoor and to modify .bash_history.
After 24 hours, the user finds the backdoor.
Using the causal graph, he finds that the root shell is the source.
The user wants to find out what the root shell did.

Case Study: Attack Ramifications (cont.)

Case Study: Information Theft
An employee runs the vim editor and opens three secret files (secret_1, secret_2 and secret_3) and two HTML files (index.html and secret.html) on a server in his company. He copies secret information from the secret_1 file and pastes it into the secret.html file. He modifies the index.html file to add a link to the secret.html file.

Now the company has found that some information was leaked. We want to know what was leaked.

Case Study: Information Theft (cont.)
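The two case studies above, as an added example that is not BEEP's code or its log format: constructed audit-style events for the vim session, once collapsed to a single process node as a plain audit log would give, and once split into the execution units (plus a unit dependence for the paste) that BEEP's instrumentation adds; the backward traversal answers "what does secret.html derive from" and the forward one "what did secret_1 flow into", the same query shape as asking what the root shell touched. The pid, the unit numbers, the event tuple layout and the unit_dep record are all assumptions.

```python
from collections import defaultdict

# Constructed events, not BEEP's format: (pid, unit, op, object). One unit is
# one vim buffer session here; a plain audit log would lack the unit column.
# 'unit_dep' records a memory-based dependence: this unit consumed data from
# the unit numbered `object` (the clipboard paste in the case study).
EVENTS = [
    ("vim:100", 1, "read", "secret_1"),
    ("vim:100", 2, "read", "secret_2"),
    ("vim:100", 3, "read", "secret_3"),
    ("vim:100", 4, "read", "secret.html"),
    ("vim:100", 5, "read", "index.html"),
    ("vim:100", 4, "unit_dep", 1),          # paste from the secret_1 buffer
    ("vim:100", 4, "write", "secret.html"),
    ("vim:100", 5, "write", "index.html"),
]

def build_graph(events, per_unit, forward):
    # per_unit=False collapses a process to one node, as a plain audit log does;
    # per_unit=True keeps BEEP-style units apart and adds unit_dep edges.
    # forward=False stores 'depends on' edges (backward provenance),
    # forward=True stores 'influences' edges (attack ramification).
    adj = defaultdict(set)
    for pid, unit, op, obj in events:
        subj = ("unit", pid, unit) if per_unit else ("proc", pid)
        if op == "read":                      # file -> subject
            src, dst = ("file", obj), subj
        elif op == "write":                   # subject -> file
            src, dst = subj, ("file", obj)
        elif op == "unit_dep" and per_unit:   # earlier unit -> this unit
            src, dst = ("unit", pid, obj), subj
        else:
            continue
        if forward:
            adj[src].add(dst)
        else:
            adj[dst].add(src)
    return adj

def related_files(events, path, per_unit, forward=False):
    """Files reachable from `path` in the chosen direction, `path` excluded."""
    adj = build_graph(events, per_unit, forward)
    start, seen, stack = ("file", path), set(), [("file", path)]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(adj[node])
    return {n[1] for n in seen if n[0] == "file" and n != start}
```

At process granularity secret.html appears to derive from all four other files; with units it derives from secret_1 alone, which is the dependence explosion the partitioning removes.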

Discussion
BEEP is vulnerable to kernel level attacks.

A remote attacker may intrude into the system via a non-kernel-level attack and acquire the privileges to tamper with the binaries instrumented by BEEP.

A legitimate user of the system with BEEP installed may try to confuse BEEP.

BEEP still requires user involvement.

BEEP is not capable of processing obfuscated binaries due to the difficulty of binary instrumentation.

Q & A