Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Canary -- client honey pot UTSA. Architecture of Web canary. 2.

Published byCecil Allen Modified over 9 years ago

Similar presentations

Presentation on theme: "Web Canary -- client honey pot UTSA. Architecture of Web canary. 2."— Presentation transcript:

1 Web Canary -- client honey pot UTSA

2 Architecture of Web canary. 2

3 Implementation of Web canary.  Test-bed – Dell Precision 690 workstation with Dual-core 3.0 GHz CPU, 8GB memory  VM -- 256M memory, 8 GB disk space  Host OS – Windows XP x64 sp2  Guest OS – Windows XP sp2  VM – Vmware Workstation  Browser – IE 6.0 SP2 3

4 Guest OS Guest OS – VMware Workstation: isolation, easy reverting. PS -- Persistent Storage (PS) which is a shared folder between the guest OS and the host OS. In the guest OS, only the BHO and Capture Client can write to this folder. Snapshot -- a pristine state, a tool of VMworkstation 4

5 Design of Capture client(1) Capture Client: monitor files, processes and registry changes in the Windows OS at kernel level. supports exclusion lists to filter out the normal changes. The Capture client consists of two components: The kernel drivers operate in kernel space and use event-based detection mechanisms for monitoring the system's state changes. The user space process captures the state changes from the kernel drivers and filters the events based on the exclusion lists 5

6 Design of Capture client(2) Exclusion lists Since some events occur during normal operation, exclusion lists allow to ignore certain type of events. Kernel Drivers kernel drivers to monitor the system by using the existing kernel callback mechanism of the kernel that notifies registered drivers when a certain event happens. These callbacks invoke functions inside of a kernel driver and pass the actual event information so that it can be monitored. 6

7 Design of Capture client(3) CmRegistryCallback PsSetCreateProcessNotifyRoutine FilterLoad, FltRegisterFilter(filtering I/O operations) e.g. A driver calls CmRegisterCallback to register a RegistryCallback routine. RegistryCallback by passing a user allocated buffer from user space into kernel space where the kernel drivers, we can copy information into that buffer, so the application can process it in user space. 7

8 BHO BHO -- A Browser Helper Object (BHO) which can capture all the URLs visited by IE. It then writes the URLs to a log the in PS(Permanent storage). They create a browser add-on to capture the URLs requests made by the browser. 8

9 Canary Server Canary Server -- shows the health state of the guest OS and can start, stop or revert the VM. send the detected malicious URLs to a remote central server with user's permission. Controls the VMware servers using the VMware C API Auto-reversion -- auto-reversion of the VM to its pristine state upon the detection of unauthorized events. Host OS 9

10 Analysis Engine Analysis Engine – reads the log files of the BHO and Capture Client and correlates system changes to the URL according the rule. Rules -- Upon receiving system change events and visited URLs, correlate them together according to the time interval. Host OS 10

11 Conclusion Present a system that can leverage a large, distributed network of users, who simply by using a standard Web browser, silently collaborate to detect and report malicious Web pages. The advantages of this method are that it can get meaningful URLs from users and easily visit Web pages that require CAPTCHAs or pass- words. 11

12 Appendix 1 Windows Driver Kit: Kernel-Mode Driver Architecture PsSetCreateProcessNotifyRoutine adds a driver-supplied callback routine to, or removes it from, a list of routines to be called whenever a process is created or deleted. CmRegisterCallback The CmRegisterCallback routine registers a RegistryCallback routine. 12

13 Appendix 2 Windows Driver Kit: Installable File System Drivers FltRegisterFilter FltRegisterFilter registers a minifilter driver. FilterLoad The FilterLoad function dynamically loads a minifilter driver into the system. 13

14 Appendix 3  Boost::regex library Use it to describe the filer rule (RE). 14

15 Questions 1.The method that correlating URL to malicious Web pages according to time interval seems not always right. 2. Try to distribute the browser running on VM is not quite impractical. 3. The idea of real distributed users is good. But how to protect the server which used for collecting various users’ information. The server is the most vulnerable unit in the whole system. And if attacker use the client to send a lot of benign URL as a malicious URL to server, How to distinguish them? 15

16 Thank you! 16

Download ppt "Web Canary -- client honey pot UTSA. Architecture of Web canary. 2."

Similar presentations

Capacity Planning in a Virtual Environment

Capacity Planning in a Virtual Environment
HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
Operating System Structures

Operating System Structures
Operating System Structure

Operating System Structure
Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.

Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.
Chapter 2: Operating-System Structures

Chapter 2: Operating-System Structures
NGOP J.Fromm K.Genser T.Levshina M.Mengel V.Podstavkov.

NGOP J.Fromm K.Genser T.Levshina M.Mengel V.Podstavkov.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.
PRASHANTHI NARAYAN NETTEM.

PRASHANTHI NARAYAN NETTEM.
Operating System Organization

Operating System Organization
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Computer Networks IGCSE ICT Section 4.

Computer Networks IGCSE ICT Section 4.
Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.

Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.
Virtual Network Servers. What is a Server? 1. A software application that provides a specific one or more services to other computers  Example: Apache.

Virtual Network Servers. What is a Server? 1. A software application that provides a specific one or more services to other computers  Example: Apache.
VMware vCenter Server Module 4.

VMware vCenter Server Module 4.
Using Virtualization in the Classroom. Using Virtualization in the Classroom Session Objectives Define virtualization Compare major virtualization programs.

Using Virtualization in the Classroom. Using Virtualization in the Classroom Session Objectives Define virtualization Compare major virtualization programs.
Client/Server Architectures

Client/Server Architectures
E Virtual Machines Lecture 4 Device Virtualization

E Virtual Machines Lecture 4 Device Virtualization
WORKFLOW IN MOBILE ENVIRONMENT. WHAT IS WORKFLOW ?  WORKFLOW IS A COLLECTION OF TASKS ORGANIZED TO ACCOMPLISH SOME BUSINESS PROCESS.  EXAMPLE: Patient.

WORKFLOW IN MOBILE ENVIRONMENT. WHAT IS WORKFLOW ?  WORKFLOW IS A COLLECTION OF TASKS ORGANIZED TO ACCOMPLISH SOME BUSINESS PROCESS.  EXAMPLE: Patient.
Introduction to HP LoadRunner Getting Familiar with LoadRunner >>>>>>>>>>>>>>>>>>>>>> www.softwaretestinggenius.com

Introduction to HP LoadRunner Getting Familiar with LoadRunner >>>>>>>>>>>>>>>>>>>>>>

Similar presentations

Ads by Google