Detecting Attacks, cont.

Similar documents
Detecting Attacks, Part 2

Bitcoin, Security for Cloud & Big Data

Detecting Attacks, Part 1

DNSSEC. CS 161: Computer Security Prof. David Wagner. April 11, 2016

Securing Internet Communication: TLS

Anonymous Communication and Internet Freedom

Anonymous Communication and Internet Freedom

Crypto tricks: Proof of work, Hash chaining

CS 161 Computer Security

Attacks on DNS: Risks of Caching

Application Firewalls

Securing Internet Communication

Computer Security. 14. Blockchain & Bitcoin. Paul Krzyzanowski. Rutgers University. Spring 2019

MPEG Frame Types intrapicture predicted picture bidirectional predicted picture. I frames reference frames

Lecture 12. Application Layer. Application Layer 1

Scaling Trust with Millions of Containers: Microsegmentation Strategies for Authorization

Introduction to Computer Security

CSE 565 Computer Security Fall 2018

CS 161 Computer Security

CSE Computer Security (Fall 2006)

Why do we really want an ID/locator split anyway?

CSc 466/566. Computer Security. 18 : Network Security Introduction

DO NOT OPEN UNTIL INSTRUCTED

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

Outline Key Management CS 239 Computer Security February 9, 2004

CS5112: Algorithms and Data Structures for Applications

SO YOU THINK YOU ARE PROTECTED? THINK AGAIN! NEXT GENERATION ENDPOINT SECURITY

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Intrusion Detection Systems

Activating Intrusion Prevention Service

Interdomain Routing Design for MobilityFirst

CSC 474 Network Security. Authentication. Identification

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal

ICANN Start, Episode 1: Redirection and Wildcarding. Welcome to ICANN Start. This is the show about one issue, five questions:

Parallel DBs. April 25, 2017

Web Security, Part 2

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

AIT 682: Network and Systems Security

Authentication. Identification. AIT 682: Network and Systems Security

Application Whitelisting and Active Analysis Nick Levay, Chief Security Officer, Bit9

Security and Compliance for Office 365

2018 Edition. Security and Compliance for Office 365

CS 161 Computer Security

GFI product comparison: GFI MailEssentials vs Symantec Mail Security for Microsoft Exchange 7.5

Malware, , Database Security

Fall 2005 Joseph/Tygar/Vazirani/Wagner Final

Network Attacks. CS Computer Security Profs. Vern Paxson & David Wagner

ELEC5616 COMPUTER & NETWORK SECURITY

Distributed Systems Final Exam

No, the bogus packet will fail the integrity check (which uses a shared MAC key).!

Monitoring the Device

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

GFI product comparison: GFI MailEssentials vs. Barracuda Spam Firewall

GFI product comparison: GFI MailEssentials vs. McAfee Security for Servers

Instructions 1 Elevation of Privilege Instructions

CS 161 Computer Security

Tracking Evil with Passive DNS

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

GFI product comparison: GFI MailEssentials vs. Trend Micro ScanMail Suite for Microsoft Exchange

CSC 6575: Internet Security Fall 2017

Denial-of-Service (DoS) & Web Attacks

CSE Computer Security

CPSC 467b: Cryptography and Computer Security

Computer Security Spring 2010 Paxson/Wagner Notes 3/8. Key Management. 1 Cryptographic Hash Functions. 2 Man-in-the-middle Attacks

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

ICANN and Technical Work: Really? Yes! Steve Crocker DNS Symposium, Madrid, 13 May 2017

COMP3121/3821/9101/ s1 Assignment 1

CS Computer Networks 1: Authentication

CS 161 Computer Security

SentinelOne Technical Brief

The following topics describe how to manage various policies on the Firepower Management Center:

Security Landscape Thorsten Stoeterau Security Systems Engineer - Barracuda Networks

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

CSE543 - Computer and Network Security Module: Intrusion Detection

Testing Exploit-Prevention Mechanisms in Anti-Malware Products

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

CONTENTS IN DETAIL. FOREWORD by HD Moore ACKNOWLEDGMENTS INTRODUCTION 1 THE ABSOLUTE BASICS OF PENETRATION TESTING 1 2 METASPLOIT BASICS 7

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version:

CSCI 420: Mobile Application Security. Lecture 15. Prof. Adwait Nadkarni

Top 10 Considerations for Securing Private Clouds

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version:

Jonathan Wald and Jason Zigelbaum (A project report written under the guidance of Prof.

SentinelOne Technical Brief

Network Security. Course notes. Version

John Coggeshall Copyright 2006, Zend Technologies Inc.

WHY ANTIVIRUS WILL NEVER DIE ADVANCED DETECTION FOR DUMMIES EDDY WILLEMS SECURITY EVANGELIST

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

Comodo Unknown File Hunter Software Version 2.1

DenyAll Protect. accelerating. Web Application & Services Firewalls. your applications. DenyAll Protect

CIS Controls Measures and Metrics for Version 7

CS 161 Computer Security

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

Once all of the features of Intel Active Management Technology (Intel

CIS Controls Measures and Metrics for Version 7

exam. Number: Passing Score: 800 Time Limit: 120 min File Version: CHECKPOINT

Optimizing IBM QRadar Advisor with Watson

Qualifying exam: operating systems, 1/6/2014

Announcements. Designing IP. Our Story So Far (Context) Goals of Today s Lecture. Our Story So Far (Context), Con t. The Internet Hourglass

Transcription:

Detecting Attacks, cont. CS 161: Computer Security Prof. David Wagner April 8, 2016 Special request: Please spread out! Pair up. Each pair, sit far away from anyone else. If you re just arriving, sit next to someone who is alone.

Specification-Based Detection Idea: don t learn what s normal; specify what s allowed FooCorp example: decide that all URL parameters sent to foocorp.com servers must have at most one / in them Flag any arriving param with > 1 slash as an attack What s nice about this approach? Can detect novel attacks Can have low false positives If FooCorp audits its web pages to make sure they comply What s problematic about this approach? Expensive: lots of labor to derive specifications And keep them up to date as things change ( churn )

Styles of Detection: Behavioral Idea: don t look for attacks, look for evidence of compromise FooCorp example: inspect all output web traffic for any lines that match a passwd file Example for monitoring user shell keystrokes: unset HISTFILE Example for catching code injection: look at sequences of system calls, flag any that prior analysis of a given program shows it can t generate E.g., observe process executing read(), open(), write(), fork(), exec() but there s no code path in the (original) program that calls those in exactly that order!

Behavioral-Based Detection What s nice about this approach? Can detect a wide range of novel attacks Can have low false positives Depending on degree to which behavior is distinctive E.g., for system call profiling: no false positives! Can be cheap to implement E.g., system call profiling can be mechanized What s problematic about this approach? Post facto detection: discovers that you definitely have a problem, w/ no opportunity to prevent it Brittle: for some behaviors, attacker can maybe avoid it Easy enough to not type unset HISTFILE How could they evade system call profiling? Mimicry: adapt injected code to comply w/ allowed call sequences

Inside a Modern HIDS ( AV ) URL/Web access blocking: Prevent users from going to known bad locations Protocol scanning of network traffic (esp. HTTP) Detect & block known attacks Detect & block known malware communication Payload scanning Detect & block known malware (Auto-update of signatures for these) Cloud queries regarding reputation Who else has run this executable and with what results? What s known about the remote host / domain / URL?

Inside a Modern Antivirus Sandbox execution Run selected executables in constrained/monitored environment Analyze: System calls Changes to files / registry Self-modifying code (polymorphism/metamorphism) File scanning Look for malware that installs itself on disk Memory scanning Look for malware that never appears on disk Runtime analysis Apply heuristics/signatures to execution behavior

Summary of Evasion Issues Evasions arise from uncertainty/ambiguity (or incompleteness/inconsistency) because detector must infer behavior/processing it can t directly observe A general problem any time detection separate from potential target One general strategy: impose canonical form ( normalize ) E.g., rewrite URLs to expand/remove hex escapes E.g., enforce blog comments to only have certain HTML tags (Another strategy: analyze all possible interpretations rather than assuming one E.g., analyze raw URL, hex-escaped URL, doubly-escaped URL ) Another strategy: fix the basic observation problem E.g., monitor directly at end systems

Key Concepts for Detection Signature-based vs anomaly detection (blacklisting vs whitelisting) Evasion attacks Evaluation metrics: False positive rate, false negative rate Base rate problem

Securing DNS: DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2013 Special request: Please spread out! Pair up. Each pair, sit far away from anyone else. If you re just arriving, sit next to someone who is alone.

Securing DNS Lookups Topic for today: How can we ensure that when clients look up names with DNS, they can trust the answers they receive? But first, a diversion

Active learning Today: Active learning + peer instruction I m going to ask you to work out how to secure DNS, on your own. I ll give you a series of problems. I want you to break into groups of two, decide what you think a solution might be, then report back to the class. I will circulate. Ask me for help! Research suggests this might be more effective than lecturing. Let s give it a try! I welcome your feedback on whether it helps you learn.

Outsourcing Data Lookups Problem 1. Berkeley has a database of all its alumni, D = {d 1, d 2,, d n }, replicated across many mirror sites. Given a name x, any client should be able to query any mirror and learn whether x D. We don t trust the mirrors, so if answer to query is yes (i.e., if x D), client should receive a proof that it can verify. Don t worry about proofs if answer is no. Make performance as good as possible.

Solutions Give to the mirror: Sign(Dave), Sign(Eve),.. To answer a query like Dave, response = Sign(Dave)

Solutions Give to the mirror: Signatures: d1,sign(d1),,dn,sign(dn)

Outsourcing Data Lookups Question 2. Suppose we use your solution, with client connecting to mirror via HTTP but there is a man-in-the-middle (on-path attacker). What can attacker do, without being detected? A. Can spoof both yes (x D) and no (x D) responses. B. Can spoof yes, but can t spoof no. C. Can spoof no, but can t spoof yes. D. Can t spoof either kind of response.

Authenticating Yes and No Problem 3. Same as Problem 1, except now, if answer is no (i.e., x D), client should receive a proof that it can verify.

Authenticating Yes and No Problem 3. Same as Problem 1, except now, if answer is no (i.e., x D), client should receive a proof that it can verify. Hint: Organize the data in some CS 61B data structure, then.

Authenticating Yes and No Problem 3. Same as Problem 1, except now, if answer is no (i.e., x D), client should receive a proof that it can verify. Hint: Organize the elements as a binary tree or hash table, then.

Solutions Say D = {Alice, Bob, Jim, Xavier}. Give to mirror: Sign(C, no ), Sign(D, no), Sign(E, no),.., Sign(Aa, no), Sign(Ab, no), Sign(Ac, no) Hashtable, plus Sign(i contents of bucket i) for each I Sign(first, Alice), Sign(Alice, Bob), Sign(Bob, Jim), Sign(Jim, Xavier), Sign(Xavier, last) To answer query Doug :

Solutions Say D = {Alice, Bob, Jim, Xavier}. Give to mirror: Sign(1, Alice), Sign(2, Bob), Sign(3, Jim), Sign(4, Xavier) Sign(Alice,Bob), Sign(Bob, Jim), Sign(Jim,Xavier) To answer query Doug : Doug -> no, Bob, Jim, Sign(2, Bob), Sign(3, Jim); or Doug -> no, Sign(Bob, Jim)

Side note: CS 61B again If there is a data structure that can answer queries in time T(n), then there is a way to cache the data structure and have cahces provide proofs of size O(T(n)). Why?

DNS Problem 4. Now Berkeley wants to protect its DNS records; how could it do it? What would be the advantages and disadvantages of your solution?

DNSSEC Guess what you just invented DNSSEC! Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the network or resolvers involved.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback