By Ruiqi Hu and Aloysius K. Mok. Presented by Vipul Gupta, 3/23/2009
- Slide 1
- Ruiqi Hu and Aloysius K. Mok; presented by Vipul Gupta, 3/23/2009
- Slide 2
- Outline: Background Information, Related Works, Methodology, Implementation, Experimental Results, Conclusions
- Slide 3
- Virus: a computer program that multiplies and infects host machines
- History:
- Creeper (1971), by Bob Thomas, on ARPANET: "I'm the creeper, catch me if you can!!"
- Wabbit (fork bomb, 1974): multiplied copies on a single machine
- ANIMAL (game, 1975): a related program, PERVADE, also copied itself and ANIMAL to every folder the user accessed
- Slide 4
- 1983: the term "virus" is coined
- Morris Worm (11/2/88)
- May 4, 2000: ILOVEYOU virus, the most costly to businesses (until a 2004 survey); "ILOVEYOU" in the subject line, attachment LOVE-LETTER-FOR-YOU.TXT.vbs
- August 2003: Blaster Worm (SYN flood to cause a DDoS against windowsupdate.com); message left in the worm: "I just want to say LOVE YOU SAN!! Billy gates why do you make this possible? Stop making money and fix your software!!"
- January 2009: Conficker (also called DOWNUP) worm (affects 20 million MS server systems running 2000 to Vista; disables Windows updates, security center, defender, error reporting)
- Slide 5
- Intrusion Detection Techniques
- Misuse-based detection: simple and effective; limitation: false negatives
- Anomaly-based detection: effectively detects intrusions, and it is hard for the intruder to tell what not to do; disadvantage: false positives
- Goal: detect intrusions ASAP
- Slide 6
- Virus Scanners: based on known signatures
- Current research aims at automatic generation of signatures
- Kephart and Arnold: statistical method for automatic signature generation
- Schultz et al.: used data mining techniques to build a filter (email integration possible)
- Slide 7
- Deception Tools
- Honeypots: developed to lure intruders; used for studying intrusion techniques and for system security evaluation
- Honeytokens: generalized honeypots, not just a computer system; their value lies in their abuse (e.g. a fake email address to check whether an email list has been stolen)
- Slide 8
- Methodology: detect intrusions without knowledge of signatures, with very few false positives
- Based on: Behavior Skewing and Cordoning
- Slide 9
- Security policies specify behavior as legal or illegal
- Disadvantages: they often fail to scale and are often incomplete
- Slide 10
- Figure: security policy P partitions behavior sets S1, S2, S3 into Legal (consistent with P), Unspecified (independent of P) and Illegal (inconsistent with P)
- Slide 11
- Figure: the same partition of behaviors S1, S2, S3 under policy P into Legal (consistent), Unspecified (independent) and Illegal (inconsistent)
- Slide 12
- Information Items: information-carrying logical entities, e.g. a filename, an email address, a binary file
- Behavior Skewing: customizing access control over such items
- Slide 13
- Cordoning: done on critical system resources; ensures the integrity of those resources
- Achieved by dynamically isolating interactions between a malicious process and a resource
- Slide 14
- Figure: the Legal, Unspecified and Illegal behavior sets, with Bait #1 and Bait #2 placed into the unspecified set by Behavior Skewing #1 and Behavior Skewing #2
- Slide 15
- Legal / Illegal Behavior Sets: explicitly defined
- Unspecified Behavior Set: behaviors irrelevant to system security, or ones for which the user is unaware of and fails to specify the security requirements
- After Behavior Skewing: detect violations of the skewed policy and trigger an intrusion alert
- Slide 16
- Need: malicious executables have to misbehave in order to be detected
- Cordoning is needed to recover system states; traditional recovery mechanisms may cause loss of recent work
- Slide 17
- Cordoning allows dynamic, partial virtualization of execution environments for Critical System Resources (CSRs)
- Examples of CSRs: executables, network services, data files, etc.
- Slide 18
- Figure: a process interacts with the current (virtual) CSR; the actual CSR stays in a safe state and the cordoned CSR is recoverable
- Slide 19
- Cordoning in time: delayed commitment; applied to delayable CSRs (e.g. an SMTP server)
- Cordoning in space: applied to a substitutable CSR (e.g. a file); the actual CSR is kept in a secure state and the substitute's contents are copied to it when it reaches a secure state
- Slide 20
- BESIDES: three main components: Email Address Domain Skewer, Email Address Usage Monitor, SMTP Server Cordoner
- Slide 21
- Email Address Domain Skewer (EADS): skewing is done based on the email address usage policy; it makes certain email addresses unusable in any locally composed email (these are the baits)
- Slide 22
- Email Address Usage Monitor (EAUM): monitors the use of email addresses in SMTP sessions; looks for SMTP commands that explicitly use email addresses and checks them against the skewed email address list; on a violation, the SSC is informed
- Slide 23
- SMTP Server Cordoner (SSC): protects SMTP servers (CSRs) from possible abuse
- SSC buffers messages internally
- SSC identifies the SMTP server the process requests and assigns it a virtual (current) SMTP server
- After delivering a message, SSC creates a log entry
- On being informed of an intrusion alert, SSC identifies the malicious process and determines the victims from the logs (all processes that access CSRs updated by the malicious process)
- Slide 24
- SSC Recovery Mechanism: SSC identifies all victims based on the logs and initiates recovery on all cordoned CSRs they have updated
- No buffered messages are committed; instead they are quarantined
- For messages already committed, a warning is sent to the recipients (using the logs)
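A toy model of the EADS, EAUM and SSC pipeline from slides 21 to 24, added here as an illustration; it is not the authors' BESIDES code, and the bait addresses, the process ids and the SMTP session are constructed. Cordoning in time is modelled as a per-process buffer with delayed commitment plus a delivery log that recovery uses to quarantine uncommitted mail and to find recipients who must be warned.

```python
"""Toy model of the BESIDES pipeline: EADS baits, EAUM monitor, SSC cordoner."""
import re
from collections import defaultdict

# EADS: the skewed email-address policy. These constructed addresses are baits
# that no locally composed email is ever allowed to use.
BAIT_ADDRESSES = {"bait-one@example.com", "bait-two@example.com"}
# SMTP envelope commands that name an address explicitly.
ENVELOPE_RE = re.compile(r"^(?:MAIL FROM|RCPT TO):\s*<([^>]+)>", re.IGNORECASE)

def find_bait_use(smtp_commands, baits=BAIT_ADDRESSES):
    """EAUM: return the bait addresses named in a session's envelope commands.
    A non-empty result violates the skewed policy and raises an intrusion alert."""
    hits = set()
    for line in smtp_commands:
        m = ENVELOPE_RE.match(line.strip())
        if m and m.group(1).lower() in baits:
            hits.add(m.group(1).lower())
    return hits

class SmtpCordoner:
    """SSC: cordoning in time. Each process talks to a virtual SMTP server; its
    messages are buffered until commit() releases them to the actual server, and
    every committed delivery is logged so victims can be traced afterwards."""
    def __init__(self):
        self.buffered = defaultdict(list)  # pid -> [(recipient, body)]
        self.log = []                      # (pid, recipient) actually delivered
        self.quarantine = []

    def submit(self, pid, recipient, body):
        self.buffered[pid].append((recipient, body))

    def commit(self, pid):
        """Delayed commitment: deliver pid's buffered messages and log them."""
        for recipient, _body in self.buffered.pop(pid, []):
            self.log.append((pid, recipient))

    def on_alert(self, pid):
        """Recovery: quarantine pid's uncommitted mail; return recipients of its
        already committed messages, who must be warned."""
        self.quarantine.extend(self.buffered.pop(pid, []))
        return sorted({r for p, r in self.log if p == pid})

# Constructed SMTP session of a hypothetical mass-mailing process (pid 42).
SESSION_PID42 = ["MAIL FROM:<user@example.com>",
                 "RCPT TO:<friend@example.org>",
                 "RCPT TO:<bait-one@example.com>"]
```

Feeding SESSION_PID42 to find_bait_use() flags the bait address, after which on_alert(42) quarantines whatever pid 42 still has buffered and lists the recipients it already reached.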
- Slide 25
- Slide 26
- Effectiveness Experiments: effectiveness of BESIDES
- Slide 27
- Performance Experiments: system overhead
- Slide 28
- LaTeX Application Series: average overhead 8%; highest increases (13%) for Latex 1 & 2 (I/O); lowest increases 1.5% & 3.3%
- Slide 29
- Command-line Web Client: relatively small overhead, since few other system calls are made; average overhead ~3.4%, close to 2.02%
- Slide 30
- Conclusions: proactive methods can be introduced in a system to create unpredictability
- A proactive system anticipates the attacks and prepares itself in advance
- It can detect unknown intrusions
- Slide 31
- Questions