A Data Driven Approach to Designing Adaptive Trustworthy Systems

Similar documents
Discovering Application-level Insider Attacks using Symbolic Execution. Karthik Pattabiraman Zbigniew Kalbarczyk Ravishankar K.

Scalable Data Analytics Pipeline for Real-Time Attack Detection; Design, Validation, and Deployment in a Honeypot Environment

AUTOMATED DERIVATION OF APPLICATION-AWARE ERROR AND ATTACK DETECTORS

Automated Derivation of Application-Aware Error Detectors using Static Analysis

Cyber security tips and self-assessment for business

10 FOCUS AREAS FOR BREACH PREVENTION

Resilience of Cyber-Physical Systems and Technologies

CSE 565 Computer Security Fall 2018

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

intelop Stealth IPS false Positive

Training for the cyber professionals of tomorrow

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

A Framework for Generation, Replay, and Analysis of Real-World Attack Variants

ISO27001 Preparing your business with Snare

Reliability and Security: From Measurements to Design

Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick

Semantic Security Analysis of SCADA Networks to Detect Malicious Control Commands in Power Grids

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Chapter 4. Network Security. Part I

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

A (sample) computerized system for publishing the daily currency exchange rates

Detecting Insider Attacks on Databases using Blockchains

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Integrating Juniper Sky Advanced Threat Prevention (ATP) and ForeScout CounterACT for Infected Host Remediation

PrecisionAccess Trusted Access Control

FORMAL FRAMEWORK AND TOOLS TO DERIVE EFFICIENT APPLICATION-LEVEL DETECTORS AGAINST MEMORY CORRUPTION ATTACKS FLORE QIN-YU YUAN THESIS

Activating Intrusion Prevention Service

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Raj Jain. Washington University in St. Louis

Overview Intrusion Detection Systems and Practices

Analysis of Security Vulnerabilities

Security Fundamentals for your Privileged Account Security Deployment

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

ProCurve Network Immunity

Advanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Monitoring Hypervisor Integrity at Runtime. Student: Cuong Pham PIs: Prof. Zbigniew Kalbarczyk, Prof. Ravi K. Iyer ACC Meeting, Oct 2015

Ensuring Critical Data Integrity via Information Flow Signatures

WEB HOSTING SERVICE OPERATING PROCEDURES AND PROCESSES UNIVERSITY COMPUTER CENTER UNIVERSITY OF THE PHILIPPINES DILIMAN

Incorporating Network Flows in Intrusion Incident Handling and Analysis

Real-World Buffer Overflow Protection in User & Kernel Space

cs642 /introduction computer security adam everspaugh

Russian Cyber Attack Warning and Impact on AccessEnforcer UTM Firewall

Carbon Black PCI Compliance Mapping Checklist

ECCouncil Certified Ethical Hacker. Download Full Version :

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

IDS: Signature Detection

GE Fanuc Intelligent Platforms

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Symantec Endpoint Protection Family Feature Comparison

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Computer Network Vulnerabilities

Computer Security: Principles and Practice

Different attack manifestations Network packets OS calls Audit records Application logs Different types of intrusion detection Host vs network IT

Attackers Process. Compromise the Root of the Domain Network: Active Directory

AppGate 11.0 RELEASE NOTES

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Copyright

Using Honeypots for Security Operations

Analyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS

Un SOC avanzato per una efficace risposta al cybercrime

C1: Define Security Requirements

What action do you want to perform by issuing the above command?

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

the SWIFT Customer Security

FairWarning Mapping to PCI DSS 3.0, Requirement 10

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

SentinelOne Technical Brief

CIS 5373 Systems Security

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

Hands-On Ethical Hacking and Network Defense 3rd Edition

Policy Enforced Remote Login

SECURITY TESTING. Towards a safer web world

SentinelOne Technical Brief

WEB SECURITY: XSS & CSRF

RSA Web Threat Detection

2. INTRUDER DETECTION SYSTEMS

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Intrusion Detection by Combining and Clustering Diverse Monitor Data

Juniper Vendor Security Requirements

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Application vulnerabilities and defences

CS 161 Computer Security

Network Security. Chapter 0. Attacks and Attack Detection

Becoming the Adversary

CIS Controls Measures and Metrics for Version 7

CyberArk Privileged Threat Analytics

Penetration Testing with Kali Linux

IT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

Seceon s Open Threat Management software

Transcription:

A Data Driven Approach to Designing Adaptive Trustworthy Systems Ravishankar K. Iyer (with A. Sharma, K. Pattabiraman, Z. Kalbarczyk, Center for Reliable and High-Performance Computing Department of Electrical and Computer Engineering and Coordinated Science Laboratory University of Illinois at Urbana-Champaign http://www.crhc.uiuc.edu/deped

Analysis of Security Incidents at NCSA: a Large Open Networked Computing Environment

NCSA Target System Number of hosts Number of Active Users: 5000+ (clusters, workstations, laptops) 6000+ Network Class B (/16) Monitoring Links Monitoring Tools OS Types 10Gb pipes - IDS (4.5GB daily logs) - Network Flow (2.0G) - File integrity check - Central Syslog (1.5G) Linux, AIX, Solaris, OS-X, Windows

Five-Minute Snapshot of In-and-Out Traffic within NCSA

Incident Data (124 real Incidents + 26 investigations) Sample records Monitors and Alert distribution

Distribution of Incident Types vs Alert Types

Major Observations: All Incidents The majority of incidents (55%) due to attacks on authentication mechanisms with varying levels of sophistication password guessing (bruteforce SSH), exploiting a vulnerability, e.g., VNC null session, installing trojaned versions of SSH and SSHD to sniff passwords and target public-private key pairs (credential stealing) The same alert can be triggered by different attacks. the basic steps followed by attacks (of same category) in penetrating the system are often similar regardless of the vulnerability exploited Anomaly-based detectors are seven times more likely to capture an incident than are signature-based detectors signatures are specialized to detect the presence (or download) of a known malicious binary but can be easily subverted the signature-based detectors have fewer false positives compared to the anomaly-based detectors.

Analysis of an Example Incident (Credentials Stealing Category: Total 32 incidents) An IDS alert shows suspicious download on a production system (victim: xx.yy.ww.zz) using http protocol from remote host aa.bb.cc.dd. May 16 03:32:36 %187538 start xx.yy.ww.zz:44619 > aa.bb.cc.dd:80 May 16 03:32:36 %187538 GET /.0/ptrat.c (200 "OK" [2286] server5.badhost.com) The file is suspect because This particular system is not expected to download any code apart from patches and system updates, and then only from authorized sources The downloaded file is a C language source code The server the source was downloaded from not a formal software distribution repository. The alert does not reveal what caused the potentially illegal download request

Correlations with Other Logs Network flows reveal further connections with other hosts in close time proximity to the occurrence of the download: SSH connection from IP address 195.aa.bb.cc Multiple FTP connections to ee.ff.gg.hh, pp.qq.rr.ss. 09-05-16 03:32:27 v tcp 195.aa.bb.cc.35213 -> xx.yy.ww.zz.22 80 96 8698 14159 FIN 09-05-16 03:33:36 v tcp xx.yy.ww.zz.44619 -> aa.bb.cc.dd.http 8 6 698 4159 FIN 09-05-16 03:34:37 v tcp xx.yy.ww.zz.53205 -> ee.ff.gg.hh.ftp 1699 2527 108920 359566 FIN 09-05-16 03:35:39 v tcp xx.yy.ww.zz.39837 -> pp.qq.rr.ss.ftp 236 364 15247 546947 FIN SSH connection record does not reveal Whether authentication was successful What credentials were used to authenticate the user

Correlation with syslog Alerts syslog confirms a user login from 195.aa.bb.cc, which is unusual, based on the know user profile and behavior patterns May 16 03:32:27 host sshd[7419]: Accepted password for user from 195.aa.bb.cc port 35794 ssh2 Four data points established from the anlysis A suspicious source code was downloaded, The user login occurred at nearly the same time as the download, First time login from IP address 195.aa.bb.cc, Additional communication on other ports (FTP)

Additional (Manual) Analysis Search of all files owned or created by this user found a footprint left behind by a credential-stealing exploit. -rwxrwxr-x 1 user user 3945 May 16 03:37 /tmp/libno_ex.so.1.0 The additional analysis showed The library file libno_ex.so.1.0 is known to be created when an exploit code for a known vulnerability (cve-2009-1185) is successfully executed File is owned by the user whose account was stolen and used to login to the system The attacker obtained root privileges in the system and replaced the SSHD daemon with a trojaned version Harvesting more user credentials

Observations: Incident Analysis No single available tool can perform this kind of analysis Need to correlate: data from different monitors system logs human expertise Need to develop techniques to pre-empt an attacker actions potentially let the attacker to progress under probation (or tight scrutiny) until the real intentions are clear

Credentials Stealing Attacks Initial investigation of security incidents indicated that nearly 26% (32/124) of the incidents analyzed involved credentials stealing 31 out of 32 incidents attackers came into the system with a valid credential of an NCSA user account Attackers rely on their access to an external repository of valid credentials to harvest more credentials Availability of valid credentials makes boundary protections (e.g., reliance only on a firewall) insufficient for this type of attacks. More scrutiny in monitoring user actions is required

Detection of Credentials Stealing Incidents About 28% (9/32) of credentials stealing incidents missed by the monitors, i.e., none ofiincident was discovered by external notification IDS = 7 Incidents Flows=5 Incidents Syslogs = 11 incidents

Characteristics of Credentials Stealing Incidents Attackers obtained access to the host Using a stolen password (78%) A public key (16%) Combination of multiple authentication means (password + gssapi-with-mic or password + publickey) (6%). 31% of incidents miscreants obtain root on the compromised host and install a rootkit and/or sniffer by using a local root escalation exploit In 9% of incidents, the attacker downloaded additional tools to scan for a vulnerability in the NFS file system. Attackers came in with valid credentials (over 90%)! Insider like attacks

Application-aware Checking TRUSTED ILLIAC Project

Application-aware Detection App-aware: Use application properties to derive error and attack detectors (runtime checks) Achieve high-detection coverage with low overheads Detect only attacks and errors that matter to the application Ensure that attack and error is detected before propagation Application Level Application Properties Operating System Level Architectural Level Device/Circuit Level Runtime Checks (Detectors)

Unified Design Framework Reliability Identify critical variables and their location within a program Security Apply heuristics, e.g., fanouts, to identify critical variables. Use application semantics to identify security critical variables, e.g., a password Critical Variable Recomputation Static program analysis: Extract backward slices of critical variables Information-flow signatures (IFS) Generate correctness checks for data values in critical program locations Generate checks to verify that value is produced by legitimate instructions. Runtime checking to ensure integrity of critical variables according to the slice

Techniques and Attack/Error Models Selectively enforce source-level properties of writes to critical data at runtime Techniques: IFS (information flow signatures) protects critical data integrity CVR (critical value re-computation) verifies correctness of critical data computation Attack Models Memory corruption attacks Control and/or data flow change Insider attacks (malicious libraries, 3 rd party plugins) Binary modifications illegal downloads Fault Models Soft errors Memory corruption errors Race conditions and/or atomicity violations

Hybrid Implementation (hw + sw) Runtime enforcement using combination of hardware and software Single hardware framework host modules providing reliability and security protection FPGA-based prototype evaluated on embedded programs and network applications (e.g., OpenSSH) Performance overhead = 1% to 30 % (depending on the application) Area overhead = 4% to 20 % (relative to Leon3 processor)

Results (5 critical var per func) Average Perf. Overhead Checking = 25% Modification = 8% Total = 33 % Average Coverage Before Prop = 64 % Before Crash = 13% Total Detected = 77 %

H/W Implementation - RSE Main Processor Pipeline Execute Decode Fetch Memory Commit PC Operands Result Data Halt Signal RSE Reliability and Security Engine Security Checks Pointer Taintedness Information-flow Signature Signature Accumulator Critical Variable Signatures Reliability Checks Assertion Checking Critical Variable Re-Computation Path Tracking Pointer Taintedness Checking Taintedness Tracking Taintedness Detection Hang Detection Module Sequence Checking Module

Validation Using Symbolic Execution and Model- Checking Framework

Formal Framework for Software and Detector Validation Assembly Language Program Input: Application code with embedded error/attack detectors Formal Verification Tool/ Technique Symbolic Execution and Model Checking SymPLFIED SymPLAI D Enumeration of all errors/attacks that escape detection Output: Understanding of the limitations of error/attack detectors

SymPLFIED: (Symbolic Program Level Fault-Injection and Error Detection Framework) Goal: evaluate the effects of runtime errors on programs with detectors Analyze programs directly in assembly language Generic representation of error detectors Allows arbitrary error detectors to be specified in application Fault Model: Hardware (memory and processor) and (some) software errors Comprehensive enumeration of undetected errors that lead to program failure

SymPLFIED: Case Study Tcas: Application Characteristics FAA mandated Aircraft collision avoidance system Rigorously verified protocol and implementation About 150 lines of C code = 1000 lines of assembly 1 Inputs: Positional parameters of other aircraft (and self) 2 Outputs: 0 Unresolved 1 Ascend 2 - Descend

Summary Derivation error and attack detectors Using application-properties discovered through static and dynamic analysis Detectors derived from backward slice of critical variables in the application Derived detectors can be implemented in programmable hardware and software Future Directions Controlled Diversity Formal Techniques Hardware Compilation

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback