High Accuracy Attack Provenance via Binary-based Execution Partition Kyu Hyung Lee Xiangyu Zhang Dongyan Xu Department of Computer Science and CERIAS,


High Accuracy Attack Provenance via Binary-based Execution Partition
Kyu Hyung Lee, Xiangyu Zhang, Dongyan Xu
Department of Computer Science and CERIAS, Purdue University
20th NDSS (February, 2013)

See Author Slide for Some Pages
- Author Slide: execution-partition
2013/5/20 A SEMINAR AT ADVANCED DEFENSE LAB 2

Outline
- Introduction
- Discovery Units and Unit Dependences
- Implementation and Evaluation
- Case Study
- Discussion

Introduction
- Author slide: page (number not preserved in this transcript)

11 Web sites and 14 s in 29 Minutes
(figure: causal graphs built from the Linux Audit Log and from BEEP)

Discovery Units and Unit Dependences
- Author slide: page (number not preserved in this transcript)

An Experiment

Implementation and Evaluation
- Author slide: page (number not preserved in this transcript)

Evaluation (cont.)
- Training overhead: 10x-200x
- The average causal graph of 100 files (a user for 24 hours)

Training Coverage
- #1: the universal training set
- #2: 30%-50% of #1
- #3: 30%-50% of #2
- Result: the training run coverage has little effect on BEEP

Case Study: Attack Ramifications
- A user used a system for 24 hours
- At the 13th hour, an attacker did the following:
  - He used port scanning and found an FTP service, Proftpd
  - He compromised Proftpd and created a root shell
  - He used the shell to install a backdoor and to modify .bash_history
- After 24 hours, the user finds the backdoor
- Using the causal graph, he finds that the root shell is the source
- The user wants to find out what the root shell did

Case Study: Attack Ramifications (cont.)

Case Study: Information Theft
- An employee runs the vim editor and opens three secret files (secret_1, secret_2 and secret_3) and two other HTML files (index.html and secret.html) on a server in his company.
- He copies secret information from the secret_1 file and pastes it into the secret.html file.
- He modifies the index.html file to add a link to the secret.html file.
- Now the company finds that some information has leaked.
- We want to know what was leaked.

Case Study: Information Theft (cont.)
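Added example, not from the slides or the BEEP authors, that contrasts the two granularities on the vim session above: with whole-process audit records, secret.html appears to depend on every file vim touched, while with BEEP-style execution units plus the unit-level memory dependence, backward tracking from secret.html reaches only secret_1. The audit records, the unit ids and the single unit dependence are constructed; the same graph run forward (succ map) answers the first case study's question of what a subject such as the root shell went on to touch.

```python
from collections import defaultdict

# Constructed audit records for the vim session in the slides: (unit, op, file).
# A unit is (process, iteration): BEEP gives each iteration of the program's
# event-handling loop its own unit. Treating each file open and the paste as
# separate iterations is an assumption of this example, not the paper's units.
AUDIT = [
    (("vim", 1), "read", "secret_1"),
    (("vim", 2), "read", "secret_2"),
    (("vim", 3), "read", "secret_3"),
    (("vim", 4), "read", "index.html"),
    (("vim", 5), "read", "secret.html"),
    (("vim", 5), "write", "secret.html"),  # pasted content lands here
    (("vim", 4), "write", "index.html"),   # link to secret.html added
]
# Memory dependence BEEP would report: paste buffer filled in unit 1, used in 5.
UNIT_DEPS = [(("vim", 1), ("vim", 5))]

def build_graph(audit, unit_deps, granularity):
    """Return (pred, succ) adjacency maps. 'process' collapses every unit into
    its process, as syscall-only audit does; 'unit' keeps BEEP's units."""
    def subj(unit):
        return (unit[0],) if granularity == "process" else unit
    pred, succ = defaultdict(set), defaultdict(set)
    def edge(src, dst):
        pred[dst].add(src)
        succ[src].add(dst)
    for unit, op, f in audit:
        if op == "read":
            edge(f, subj(unit))     # file content flows into the subject
        else:
            edge(subj(unit), f)     # subject's state flows into the file
    for src, dst in unit_deps:
        edge(subj(src), subj(dst))
    return pred, succ

def track(adj, start):
    """Files reachable from start over adj (pred = backward, succ = forward).
    Subjects are tuples and files are strings; the start node is excluded."""
    seen, stack = set(), [start]
    while stack:
        for n in adj.get(stack.pop(), ()):
            if n not in seen:
                seen.add(n)
                stack.append(n)
    return {n for n in seen if isinstance(n, str) and n != start}

def leak_sources(granularity):
    # Backward tracking from the leaked secret.html, as in the case study.
    pred, _ = build_graph(AUDIT, UNIT_DEPS, granularity)
    return track(pred, "secret.html")
```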

Discussion
- BEEP is vulnerable to kernel-level attacks.
- A remote attacker may intrude into the system via some non-kernel-level attack and acquire the privileges to tamper with the binaries instrumented by BEEP.
- A legitimate user of a system with BEEP installed may try to confuse BEEP.
- BEEP still requires user involvement.
- BEEP is not capable of processing obfuscated binaries, due to the difficulty of binary instrumentation.

Q & A