Fine-Grained Tracking of Grid InfectionsGRID-2010... · 2010. 10. 28. · Auditing System Calls...

Fine-Grained Trackingof Grid Infections

Ashish Gehani

Basim Baig, Salman Mahmood, Dawood Tariq, Fareed Zaffar

Fine-Grained Tracking of Grid Infections – p. 1/18

IntroductionGrid semantics

Not middleware-specificDistributed system“Application community”

InfectionSecurity, Reliability, Quality-of-Service

ConstraintsFine-grained monitoringGrid-wide correlationTimely analysis

Motivation

Attractive attack platformAccess to large set of resources

Automatic privilege escalationSingle sign-on

Significant consequencesIntegrity loss of valuable data

Exposed servicesOpen ports for callbacks

ApplicationCommunity

ThreatDigestThreat

Anomalies

DigestThreat

Grid Node

Digest

Grid NodeGrid Node

Grid Node

Anomalies

Risk Monitor

Grid Node

Edit Layer 0 and 1 as needed

Central Monitoring

Collect Grid-wide anomalies

Raw stream saturates network

35 clients, 10Mb/s (Oliner et al, RAID 2010)Only event typesNo arguments

Must scale to hundreds of nodes

Local Monitoring

Framed as set operations

Application activitySet of events

Normal behaviorUnion of events during training

Anomalous behaviorDifference set (by subtracting normal)

Correlating node activityIntersection of anomaly sets

Approach

Decompose sets into epochs

Compress epoch activity

Collect data provenance

Map anomalies to provenance

Epoch Compression

Anomaly

BloomFilter

Grid Node Risk Monitor

Digest

Application

Auditing

SystemCalls

Kernel

DetectorAnomaly

Set representationAllows use of Bloom filters

Fold filter ⌈log(f + b)⌉ timesIncrease update frequency by f

Decrease bandwidth used by b

More false positivesFine-Grained Tracking of Grid Infections – p. 8/18

Correlating Activity

Combine Bloom filtersCounting filter

Event on τ nodesCorresponding buckets are ≥ τ

Construct vaccinationBloom filter bit 1 ⇐⇒counting filter bucket ≥ τ

Data Provenance

Process

File 1 Read

File 2 Read

close()open()

open() close()

File 3 Write

Process execution Time

close()open()

File 3

File 1 File 2

Record few argumentsProcess creation, File versionsFile access, modification

Anomaly Tracking

Synthetic attack

Unexpected writeof dump.log

userenv.log

prefs-1.js

Process CreateRead

syscfg32.exe

Process Create

Read Read

dump.log

iexplore.exe

application.ini

SDBOT05B.EXE-0A1D8339.pf

sdbot05b.exeSYSCFG32.EXE-2E372F88.pf

syscfg32.exe config.initargets.txt

boinc.exe

Process Create

Evaluation Platform

Microsoft Windows XP (SP3)

BOINC 6.10.43 volunteer Grid application

Process Monitor 2.7 tool

Open Bloom Filter library

Synthetic infectionInternet Explorer vulnerabilityWindows CreateRemoteThread()MailBoy 2004 injected

Workload

24 hours 20 minutes

1.5 million events

Raw log: 216 MB / Grid node

Anomaly detection with 11-tuples

MailBoy 2004 as spam relay20 threads30 second timeout1,700 email addresses

Storage

100000

0 200000 400000 600000 800000 1e+06 1.2e+06 1.4e+06

Number of Events

Disk Storage4000-bit Bloom filter2000-bit Bloom filter

Normal Operation

0 200000 400000 600000 800000 1e+06 1.2e+06 1.4e+06 1.6e+06

Total Number of Events

500-bit Bloom filter1000-bit Bloom filter2000-bit Bloom filter4000-bit Bloom filter

Malware Injected

0 200000 400000 600000 800000 1e+006 1.2e+006 1.4e+006 1.6e+006 1.8e+006

Total Number of Events

500-bit Bloom filter1000-bit Bloom filter2000-bit Bloom filter4000-bit Bloom filter

ProvenanceDatabase

0 200 400 600 800 1000 1200 1400 1600

Time (minutes)

File Identifiers in Normal DataFile Identifiers in Attack Data

Process Identifiers in Normal and Attack Data

Conclusion

Apparent tensionFine-grained anomaly detectionGrid-wide monitoring

SolutionAudit provenance on Grid nodesCompress event streamMap anomalies to provenance

AcknowledgementNSF Grant OCI-0722068

Fine-Grained Tracking of Grid InfectionsGRID-2010... · 2010. 10. 28. · Auditing System Calls...

Documents

Monolithic Fine-grained

GIT Anomaly

Density Anomaly

Modern active filters and traditional passive filtersbulletin/(54-3)255.pdf · Modern active filters and traditional passive filters Passive filters have a value-added function

Comparing data assimilation ﬁlters for parameter estimation in a …feng/papers/data_aaimilation_conference... · Comparing data assimilation ﬁlters for parameter estimation in

Coarse-Grained Transactions

DATAMINING2 Anomaly & Outliers Detectiondidawiki.di.unipi.it/...dm2_anomaly_outliers_2020.pdf · General Issues: Anomaly Scoring •Many anomaly detection techniques provide only

Ebsteins Anomaly

Ebstein's anomaly

13 Particle ﬁlters for the geosciences

Product Development with · Fine Grained PBI Fine Grained PBI … … … Coarse Grained PBI Coarse Grained PBI Product Development with Stakeholder Demands Customer / Market Demands

Monogenic Wavelet Frames for Image Analysis · only adaptable for image analysis by a tensor product approach. Steerable filters are directional filters. Directional filters are

Evaluation of accelerometer mechanical ﬁlters on …downloads.hindawi.com/journals/sv/1998/513249.pdf255 Evaluation of accelerometer mechanical ﬁlters on submerged cylinders near

Secrecy-Preserving Coarse grained and Fine-Grained Access ...€¦ · Secrecy-Preserving Coarse grained and Fine-Grained Access Control in Public Clouds. Volume No: 1 (2015),

LIMESTONES Calcite (calcium carbonate) dominates Fine-grained –Chalk (cliffs of Dover, England) Medium-grained –Oolitic limestones Coarse-grained –Coquina

The Equatorial Anomaly - Miles Mathismilesmathis.com › equat.pdfThe Equatorial Anomaly by Miles Mathis First published August 18, 2013 The equatorial anomaly is an anomaly in the

First-order filters Ideal filters Practical filters Frequency ...web.cecs.pdx.edu/~ece2xx/ECE223/Slides/DTFilters.pdf · Example 1: First-Order Filters ... Portland State University

Fine grained monitoring

Earthquake forecasting based on data assimilation: sequential … · particle filters, SMC filters have been particularly success-ful at low-dimensional filtering problems for

Drop impact on solids: contact-angle hysteresis ﬁlters