Ruiqi Hu and Aloysius K. Mok
Presented by Vipul Gupta
3/23/2009
Slide 2
Outline
- Background Information
- Related Works
- Methodology
- Implementation
- Experimental Results
- Conclusions
Slide 3
- Virus: a computer program that multiplies and infects host machines
- History:
  - Creeper (1971), by Bob Thomas, on ARPANET: "I'm the creeper, catch me if you can!!"
  - Wabbit (fork bomb, 1974): multiplied copies on a single machine
  - ANIMAL (game, 1975): a related program, PERVADE, also copied itself and ANIMAL to every folder the user accesses
Slide 4
- 1983: the term "virus" is coined
- Morris Worm (11/2/88)
- May 4, 2000: ILOVEYOU virus, the most costly to businesses (until a 2004 survey); "ILOVEYOU" in the subject line, with the attachment LOVE-LETTER-FOR-YOU.TXT.vbs
- August 2003: Blaster Worm (SYN flood to cause a DDoS against windowsupdate.com); its message: "I just want to say LOVE YOU SAN!! Billy gates why do you make this possible? Stop making money and fix your software!!"
- January 2009: Conficker (also called DOWNUP) worm; affects 20 million MS server systems running 2000 to Vista; disables Windows updates, security center, defender and error reporting
Slide 5
Intrusion Detection Techniques
- Misuse-based detection
  - Simple and effective
  - Limitation: false negatives
- Anomaly-based detection
  - Effectively detects intrusions
  - Hard for an intruder to tell what not to do
  - Disadvantage: false positives
- Goal: detect intrusions ASAP
Slide 6
Virus Scanners
- Based on known signatures
- Current research aims at automatic generation of signatures:
  - Kephart and Arnold: statistical method for automatic signature generation
  - Schultz et al.: used data mining techniques to build a filter (email integration possible)
Slide 7
Deception Tools Honeypots Developed to lure intruders Studying
intrusion techniques and system security evaluation Honeytokens
Generalized Honeypots not just a computer system Value lies in
abuse Eg. Fake email address to check if an email list has been
stolen
Slide 8
- Detect intrusions without knowledge of signatures
- Very few false positives
- Based on:
  - Behavior Skewing
  - Cordoning
Slide 9
- Specify behavior as legal or illegal
- Disadvantages:
  - Often fails to scale
  - Often incomplete
Information Items
- An information-carrying logical entity: filename, email address, binary file, etc.
Behavior Skewing
- Customizing access control
Slide 13
- Done on critical system resources
- Ensures integrity of resources
- Achieved by dynamically isolating interactions between a malicious process and a resource
Legal / Illegal Behavior Sets
- Explicitly defined
Unspecified Behavior Set
- Behaviors irrelevant to system security
- The user is unaware and fails to specify the security requirements
After Behavior Skewing
- Detect violations of the skewed policy
- Trigger an intrusion alert
Slide 16
Need
- Malicious executables need to misbehave to be detected
- Cordoning is used to recover system states
- Traditional recovery mechanisms may cause loss of recent work
Slide 17
- Allows dynamic, partial virtualization of execution environments for Critical System Resources (CSRs)
- Examples of CSRs: executables, network services, data files, etc.
Slide 18
(Figure: Actual CSR; Cordoned CSR (recoverable); Current CSR (virtual CSR); Safe State; Process)
Slide 19
- Cordoning in time
  - Delayed commitment
  - Applied to delayable CSRs (e.g. an SMTP server)
- Cordoning in space
  - Applied to a substitutable CSR (e.g. a file)
  - The actual CSR is kept in a secure state
  - The substitute's contents are copied back when it reaches a secure state
Slide 20
BESIDES
- Three main components:
  - Email Address Domain Skewer
  - Email Address Usage Monitor
  - SMTP Server Cordoner
Slide 21
Email Address Domain Skewer (EADS)
- Skewing is done based on an email address usage policy
- Makes certain email addresses unusable in any locally composed email (baits)
Slide 22
Email Address Usage Monitor (EAUM)
- Monitors the use of email addresses in SMTP sessions
- Looks for SMTP commands that explicitly use email addresses (checked against those in the skewed email address list)
- On a violation, the SSC is informed
Slide 23
SMTP Server Cordoner (SSC)
- Protects SMTP servers (CSRs) from possible abuse
- SSC buffers messages internally
- SSC identifies the SMTP server the process requests and assigns it a virtual (current) SMTP server
- After delivering a message, SSC creates a log entry
- On being informed of an intrusion alert, SSC identifies the malicious process
- Determines the victims from the logs (all processes that access CSRs updated by the malicious process)
Slide 24
SSC Recovery Mechanism
- SSC identifies all victims based on the logs
- Initiates recovery on all cordoned CSRs they have updated
- No buffered messages are committed; instead they are quarantined
- For messages already committed, a warning is sent to the recipients (using the logs)
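The following is an added example, not code from the paper or from the BESIDES implementation, that models the pipeline of slides 19 through 24: bait addresses produced by the skewer (EADS), an SMTP-command monitor (EAUM) that flags any MAIL FROM / RCPT TO using a bait, and a server cordoner (SSC) that cordons the SMTP server in time by holding messages in a buffer until a commitment delay expires, logging each commit, and on an alert quarantining buffered mail and tracing victims through the log. The bait addresses, process ids, server name, timeline and the simplified victim rule (any other process that used the same virtual server after the malicious process first updated it) are all assumptions constructed for this example.

```python
import re

# EADS output (constructed): addresses no locally composed mail may ever use.
BAIT_ADDRESSES = {"bait-01@example.invalid", "lure@example.invalid"}

# EAUM inspects only the SMTP commands that explicitly carry an address.
_ADDR_CMD = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^>\s]+)>?", re.IGNORECASE)


def eaum_check(smtp_line, bait=BAIT_ADDRESSES):
    """Return the bait address an SMTP command uses, or None if the line is allowed."""
    m = _ADDR_CMD.match(smtp_line.strip())
    if not m:
        return None
    addr = m.group(2).lower()
    return addr if addr in bait else None


class SMTPServerCordoner:
    """SSC: cordons an SMTP server in time. A process's virtual server is keyed by
    the actual server it asked for; messages wait in the buffer until `delay`
    time units have passed, then are committed and written to the log."""

    def __init__(self, delay):
        self.delay = delay
        self.buffer = []      # pending entries: (t, pid, server, rcpts)
        self.log = []         # committed entries: (t, pid, server, rcpts)
        self.quarantine = []
        self.alerts = []

    def submit(self, t, pid, server, smtp_lines):
        """Buffer a session from `pid` to `server`; on an EAUM hit, start recovery."""
        rcpts = []
        for line in smtp_lines:
            hit = eaum_check(line)
            if hit:
                self.alerts.append((t, pid, hit))
                return self.recover(pid)
            m = _ADDR_CMD.match(line.strip())
            if m and m.group(1).upper() == "RCPT TO":
                rcpts.append(m.group(2).lower())
        self.buffer.append((t, pid, server, rcpts))
        return None

    def tick(self, now):
        """Delayed commitment: release (and log) entries older than `delay`."""
        still_pending = []
        for entry in self.buffer:
            (still_pending if now - entry[0] < self.delay else self.log).append(entry)
        self.buffer = still_pending

    def recover(self, bad_pid):
        """Quarantine buffered mail of the malicious process and of its victims,
        and list recipients of already committed mail who must be warned."""
        # Victim rule (assumption): a process that used a virtual server at or after
        # the time the malicious process first updated that server.
        first_touch = {}
        for t, pid, server, _ in self.log + self.buffer:
            if pid == bad_pid:
                first_touch[server] = min(t, first_touch.get(server, t))
        victims = {pid for t, pid, server, _ in self.log + self.buffer
                   if pid != bad_pid and server in first_touch and t >= first_touch[server]}
        tainted = {bad_pid} | victims
        self.quarantine.extend(e for e in self.buffer if e[1] in tainted)
        self.buffer = [e for e in self.buffer if e[1] not in tainted]
        warn = sorted({r for _, pid, _, rcpts in self.log if pid in tainted for r in rcpts})
        return {"malicious": bad_pid, "victims": sorted(victims),
                "quarantined": len(self.quarantine), "warn_recipients": warn}


def run_scenario():
    """Constructed timeline: pid 100 is a normal mailer, pid 200 is an infected
    mailer, pid 300 uses the same server later and so counts as a victim."""
    srv = "smtp.corp.invalid"
    ssc = SMTPServerCordoner(delay=10)
    ssc.submit(0, 100, srv, ["MAIL FROM:<alice@corp.invalid>", "RCPT TO:<bob@corp.invalid>"])
    ssc.submit(2, 200, srv, ["MAIL FROM:<alice@corp.invalid>", "RCPT TO:<carol@partner.invalid>"])
    ssc.tick(12)   # both entries pass the delay and are committed to the log
    ssc.submit(13, 300, srv, ["MAIL FROM:<dave@corp.invalid>", "RCPT TO:<erin@corp.invalid>"])
    ssc.submit(14, 200, srv, ["MAIL FROM:<alice@corp.invalid>", "RCPT TO:<frank@corp.invalid>"])
    # The infected process mass-mails its harvested address book and hits a bait.
    result = ssc.submit(15, 200, srv,
                        ["MAIL FROM:<alice@corp.invalid>", "RCPT TO:<bait-01@example.invalid>"])
    return ssc, result


if __name__ == "__main__":
    print(run_scenario()[1])
```

In the scenario the two messages still in the buffer (pid 300's and pid 200's second one) are quarantined rather than committed, and carol@partner.invalid, the only recipient of mail the tainted processes had already committed, is reported for a warning; bob@corp.invalid is not, because pid 100 sent before the malicious process ever touched the server.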
Slide 25
Slide 26
Effectiveness Experiments
- Effectiveness of BESIDES
Slide 27
Performance Experiments
- System Overhead
Slide 28
LaTeX Application Series
- Average overhead: 8%
- Highest increases (13%): Latex 1 & 2 (I/O)
- Lowest increases: 1.5% & 3.3%
Slide 29
Command-line Web Client
- Relatively small overhead
- Few other system calls made
- Average overhead ~3.4%, close to 2.02%
Slide 30
- Proactive methods can be introduced in a system to create unpredictability
- A proactive system anticipates the attacks and prepares itself in advance
- Can detect unknown intrusions