High Accuracy Attack Provenance via Binary-based Execution Partition Kyu Hyung Lee Xiangyu Zhang Dongyan Xu Department of Computer Science and CERIAS, Purdue University 20 th NDSS (February, 2013)


Page 1

High Accuracy Attack Provenance via Binary-based Execution Partition

Kyu Hyung Lee

Xiangyu Zhang

Dongyan Xu

Department of Computer Science and CERIAS, Purdue University

20th NDSS (February 2013)

Page 2

A SEMINAR AT ADVANCED DEFENSE LAB 2

See the author's slides for some pages.

Author slides: http://www.internetsociety.org/doc/high-accuracy-attack-provenance-binary-based-execution-partition

2013/5/20

Page 3

Outline

Introduction

Unit Discovery and Unit Dependences

Implementation and Evaluation

Case Study

Discussion

Page 4

Introduction

Author slides: pages 1-32

Page 5

11 Web sites and 14 Emails in 29 Minutes


[Figure: causal graph built from the Linux audit log vs. causal graph built by BEEP]

Page 6

Unit Discovery and Unit Dependences

Author slides: pages 33-59

Page 7

An Experiment

Page 8

Implementation and Evaluation

Author slides: pages 60-71

Page 9

Evaluation (cont.)

Training overhead: 10x-200x slowdown, paid only during the one-time offline training phase, not at runtime

Average causal graph of 100 files (one user, 24 hours of activity)

Page 10

Training Coverage

#1: the universal training set
#2: 30%-50% of #1
#3: 30%-50% of #2

Result: the coverage of the training runs has little effect on BEEP's results

Page 11

Case Study: Attack Ramifications

A user used a system for 24 hours. At the 13th hour, an attacker did the following:

He port-scanned the host and found an FTP service, ProFTPD.
He compromised ProFTPD and created a root shell.
He used the shell to install a backdoor and to modify .bash_history.

After 24 hours, the user found the backdoor. Using the causal graph, he found that the root shell is the source of the backdoor.

The user now wants to find out what else the root shell did.

Page 12

Case Study: Attack Ramifications (cont.)

Page 13

Case Study: Information Theft

An employee executes vim editor and opens three secret files (secret_1, secret_2 and secret_3) and two other html files(index.html and secret.html) on a server in his company.

He copies secret information from secret_1 file and pastes it to secret.html file.

He modifies the index.html file to generate a link to the secret.html file.

Now, company found some information is leaked.

We want to know what is leaked.
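Both case studies (the ProFTPD root shell on page 11 and the vim information theft on this page) come down to reachability queries over a causal graph whose subjects are execution units rather than whole processes. The Python below is an added illustration, not BEEP's code or the authors' code: the event records, file names, pids, peer addresses and unit numbers are all constructed, and the unit boundaries and the memory dependence between two vim units are given by hand (that is the part BEEP derives by instrumenting the binary). It runs the backward query the user ran from the backdoor, the forward query from the root shell, and the backward query from secret.html, once at unit granularity and once with every unit collapsed into its process, which is what a plain audit log gives.

```python
from collections import defaultdict, deque

# Event shape (constructed for this example, not a real BEEP or audit record):
#   (subject, op, target)
#   subject: (program, pid, unit), where unit numbers the execution unit
#            (one iteration of the program's event-handling loop); the unit
#            labels and the "unitdep" edges are assumed known here, which is
#            the part BEEP recovers by binary instrumentation
#   op:      "read" | "write" | "recv" | "spawn" | "unitdep"
#   target:  file path (read/write), peer address (recv), or another subject
#            (spawn: the child; unitdep: a unit that later reads memory
#            this unit wrote, e.g. a yank register)

def node(subject, unit_level):
    """Name a subject at unit granularity, or collapse it to its process."""
    prog, pid, unit = subject
    return f"unit:{prog}[{pid}]#{unit}" if unit_level else f"proc:{prog}[{pid}]"

def build_graph(events, unit_level=True):
    """Forward adjacency: an edge a -> b means data may flow from a to b."""
    fwd = defaultdict(set)
    for subj, op, tgt in events:
        s = node(subj, unit_level)
        if op == "read":
            fwd[f"file:{tgt}"].add(s)
        elif op == "write":
            fwd[s].add(f"file:{tgt}")
        elif op == "recv":
            fwd[f"sock:{tgt}"].add(s)
        elif op in ("spawn", "unitdep"):
            fwd[s].add(node(tgt, unit_level))
        else:
            raise ValueError(f"unknown op {op!r}")
    return fwd

def reverse(fwd):
    bwd = defaultdict(set)
    for a, outs in fwd.items():
        for b in outs:
            bwd[b].add(a)
    return bwd

def reach(adj, start):
    """All nodes reachable from start (breadth-first), excluding start itself."""
    seen, queue = set(), deque([start])
    while queue:
        n = queue.popleft()
        for m in adj.get(n, ()):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    seen.discard(start)
    return seen

def backward(events, sink, unit_level=True):
    """Provenance of sink: everything that could have influenced it."""
    return reach(reverse(build_graph(events, unit_level)), sink)

def forward(events, source, unit_level=True):
    """Ramifications of source: everything it could have influenced."""
    return reach(build_graph(events, unit_level), source)

# Case 1 (constructed): ProFTPD serves two sessions. The attacker's session
# (unit 0) spawns a root shell that drops a backdoor and edits .bash_history.
ATTACK_EVENTS = [
    (("proftpd", 100, 0), "recv", "10.0.0.5:51234"),          # attacker's session
    (("proftpd", 100, 0), "spawn", ("sh", 101, 0)),            # root shell
    (("sh", 101, 0), "write", "/usr/local/bin/backdoor"),
    (("sh", 101, 0), "write", "/root/.bash_history"),
    (("proftpd", 100, 1), "recv", "10.0.0.9:40000"),          # benign session
    (("proftpd", 100, 1), "read", "/srv/ftp/pub/readme.txt"),
    (("vim", 200, 0), "read", "/home/alice/notes.txt"),        # unrelated user work
    (("vim", 200, 0), "write", "/home/alice/notes.txt"),
]

# Case 2 (constructed): one vim process, one unit per buffer. The yank in
# unit 1 (secret_1) is put in unit 5 (secret.html): a memory dependence.
LEAK_EVENTS = [
    (("vim", 300, 1), "read", "/srv/secret_1"),
    (("vim", 300, 2), "read", "/srv/secret_2"),
    (("vim", 300, 3), "read", "/srv/secret_3"),
    (("vim", 300, 4), "read", "/srv/www/index.html"),
    (("vim", 300, 5), "read", "/srv/www/secret.html"),
    (("vim", 300, 1), "unitdep", ("vim", 300, 5)),
    (("vim", 300, 5), "write", "/srv/www/secret.html"),
    (("vim", 300, 4), "write", "/srv/www/index.html"),
]

def leaked_secrets(events, unit_level=True):
    """Secret files that appear in the provenance of secret.html."""
    anc = backward(events, "file:/srv/www/secret.html", unit_level)
    return sorted(n[len("file:"):] for n in anc if n.startswith("file:/srv/secret_"))

if __name__ == "__main__":
    print("backdoor provenance (unit level):",
          sorted(backward(ATTACK_EVENTS, "file:/usr/local/bin/backdoor")))
    print("backdoor provenance (process level):",
          sorted(backward(ATTACK_EVENTS, "file:/usr/local/bin/backdoor", False)))
    print("root shell ramifications:", sorted(forward(ATTACK_EVENTS, "unit:sh[101]#0")))
    print("leaked (unit level):", leaked_secrets(LEAK_EVENTS))
    print("leaked (process level):", leaked_secrets(LEAK_EVENTS, False))
```

At process granularity the benign FTP session and all three secret files show up as sources, which is the dependence explosion the Linux audit log suffers from; at unit granularity the backdoor traces back only to the attacker's session, and secret.html traces back only to secret_1, because the yank-and-put register is the one memory dependence crossing a unit boundary.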

Page 14

Case Study: Information Theft (cont.)

Page 15

Discussion

BEEP is vulnerable to kernel-level attacks.

A remote attacker may break into the system through a non-kernel-level attack and acquire the privileges needed to tamper with the binaries instrumented by BEEP.

A legitimate user of a system with BEEP installed may try to confuse BEEP.

BEEP still requires user involvement.

BEEP cannot process obfuscated binaries, because instrumenting them is difficult.

Page 16

Q & A
