Detecting Unknown Massive Mailing Viruses Using Proactive Methods – Ruiqi Hu and Aloysius K. Mok Presented By – Vipul Gupta 3/23/2009

TRANSCRIPT

  • Slide 1
  • Ruiqi Hu and Aloysius K. Mok Presented By Vipul Gupta 3/23/2009
  • Slide 2
    • Background information
    • Related works
    • Methodology
    • Implementation
    • Experimental results
    • Conclusions
  • Slide 3
    • Virus: a computer program that multiplies and infects host machines
    • History:
      • Creeper (1971), by Bob Thomas, on ARPANET: "I'm the creeper, catch me if you can!!"
      • Wabbit (fork bomb, 1974): multiplied copies on a single machine
      • ANIMAL (game, 1975): a related program, PERVADE, also copied itself and ANIMAL to every folder the user accessed
  • Slide 4
    • 1983: the term "virus" is coined
    • Morris Worm (11/2/88)
    • May 4, 2000: ILOVEYOU virus, the most costly to businesses (until the 2004 survey); "ILOVEYOU" in the subject line, LOVE-LETTER-FOR-YOU.TXT.vbs as the attachment
    • August 2003: Blaster Worm (SYN flood to cause a DDoS against windowsupdate.com); embedded text: "I just want to say LOVE YOU SAN!! Billy gates why do you make this possible? Stop making money and fix your software!!"
    • January 2009: Conficker (also called DOWNUP) worm (affects 20 million MS server systems running 2000 to Vista; disables Windows updates, security center, defender, error reporting)
  • Slide 5
    • Intrusion detection techniques
      • Misuse-based detection: simple and effective, but has limitations (false negatives)
      • Anomaly-based detection: effectively detects intrusions, and it is hard for an intruder to tell what not to do; disadvantage: false positives
    • Goal: detect intrusions ASAP
  • Slide 6
    • Virus scanners: based on known signatures
    • Current research aims at automatic generation of signatures:
      • Kephart and Arnold: statistical method for automatic signature generation
      • Schultz et al.: used data mining techniques to build a filter (email integration possible)
  • Slide 7
    • Deception tools
      • Honeypots: developed to lure intruders; used for studying intrusion techniques and for system security evaluation
      • Honeytokens: generalized honeypots, not just a computer system; their value lies in being abused, e.g. a fake email address that reveals whether an email list has been stolen
  • Slide 8
    • Detect intrusions without knowledge of signatures
    • Very few false positives
    • Based on: behavior skewing, cordoning
  • Slide 9
    • Security policies specify behavior as legal or illegal
    • Disadvantages: often fail to scale; often incomplete
  • Slide 10
    • [Diagram: security policy P over behavior sets S1, S2, S3: legal (consistent), unspecified (independent), illegal (inconsistent)]
  • Slide 11
    • [Diagram: behaviors under security policy P, sets S1, S2, S3: legal (consistent), unspecified (independent), illegal (inconsistent)]
  • Slide 12
    • Information items: information-carrying logical entities (filename, email address, binary file, etc.)
    • Behavior skewing: customizing access control
  • Slide 13
    • Cordoning is done on critical system resources
    • Ensures the integrity of those resources
    • Achieved by dynamically isolating interactions between a malicious process and a resource
  • Slide 14
    • [Diagram: legal, unspecified and illegal behavior sets, with Bait #1 and Bait #2 introduced by Behavior Skewing #1 and #2]
  • Slide 15
    • Legal / illegal behavior sets: explicitly defined
    • Unspecified behavior set: behaviors irrelevant to system security, or ones the user is unaware of and so fails to specify security requirements for
    • After behavior skewing: detect violations of the skewed policy and trigger an intrusion alert
  • Slide 16
    • Need: malicious executables have to misbehave in order to be detected
    • Cordoning is used to recover system states
    • Traditional recovery mechanisms may cause loss of recent work
  • Slide 17
    • Cordoning allows dynamic, partial virtualization of execution environments for critical system resources (CSRs)
    • Examples of CSRs: executables, network services, data files, etc.
  • Slide 18
    • [Diagram: Process, Actual CSR, Cordoned CSR (recoverable), Current CSR (virtual CSR), Safe State]
  • Slide 19
    • Cordoning in time: delayed commitment; applied to delayable CSRs (e.g. an SMTP server)
    • Cordoning in space: applied to a substitutable CSR (e.g. a file); the actual CSR is kept in a secure state, and the substitute's contents are copied over once it reaches a secure state
  • Slide 20
    • BESIDES has three main components:
      • Email Address Domain Skewer
      • Email Address Usage Monitor
      • SMTP Server Cordoner
  • Slide 21
    • Email Address Domain Skewer (EADS)
      • Skewing is done based on an email address usage policy
      • Makes certain email addresses unusable in any locally composed email (baits)
  • Slide 22
    • Email Address Usage Monitor (EAUM)
      • Monitors the use of email addresses in SMTP sessions
      • Looks for SMTP commands that explicitly use email addresses and checks them against the skewed email address list
      • On a violation, the SSC is informed
  • Slide 23
    • SMTP Server Cordoner (SSC)
      • Protects SMTP servers (CSRs) from possible abuse
      • SSC buffers messages internally
      • SSC identifies the SMTP server the process requests and assigns it a virtual (current) SMTP server
      • After delivering a message, SSC creates a log entry
      • On being informed of an intrusion alert, SSC identifies the malicious process and determines the victims from the logs (all processes that access CSRs updated by the malicious process)
  • Slide 24
    • SSC recovery mechanism
      • SSC identifies all victims based on the logs
      • Initiates recovery on all cordoned CSRs they have updated
      • No buffered messages are committed; instead they are quarantined
      • For messages already committed, a warning is sent to the recipients (using the logs)
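The EAUM check and the SSC's delayed commitment and recovery described on slides 19 through 24, modelled as an added Python example (this is not the authors' BESIDES code); the bait list and SMTP lines are constructed, and the real SMTP relay is replaced by an in-memory delivery log:

```python
import re

# Constructed bait list (assumption): addresses that EADS has made unusable
# for locally composed mail, so any SMTP use of them signals an intrusion.
BAIT_ADDRESSES = {"bait-01@example.com", "decoy@example.org"}

# The SMTP commands that explicitly carry an email address.
ADDR_CMD = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^<>\s]+)>?", re.IGNORECASE)


def extract_address(line):
    """Return the address from a MAIL FROM / RCPT TO line, else None."""
    m = ADDR_CMD.match(line.strip())
    return m.group(2).lower() if m else None


class SmtpCordoner:
    """Toy EAUM + SSC: watch addresses, cordon mail in time, recover on alert."""

    def __init__(self, baits):
        self.baits = {b.lower() for b in baits}
        self.buffered = {}    # pid -> messages held back from the real server
        self.committed = []   # (pid, recipient) already delivered: the SSC log
        self.quarantine = []  # messages withheld after an alert
        self.alerts = []      # (pid, bait address) reported by the EAUM

    def observe(self, pid, line):
        """EAUM: flag any SMTP command that names a skewed (bait) address."""
        addr = extract_address(line)
        if addr in self.baits:
            self.alerts.append((pid, addr))
            return True
        return False

    def submit(self, pid, recipient, body):
        """SSC cordoning in time: hold the message instead of relaying it."""
        self.buffered.setdefault(pid, []).append((recipient, body))

    def commit(self, pid):
        """Delayed commitment: relay the process's held mail and log it."""
        for recipient, _body in self.buffered.pop(pid, []):
            self.committed.append((pid, recipient))

    def recover(self, pid):
        """On alert: quarantine held mail; return recipients of committed mail to warn."""
        self.quarantine.extend(self.buffered.pop(pid, []))
        return [r for p, r in self.committed if p == pid]
```

The victim lookup across other processes that touched the same CSR (slide 23) is left out here; only the malicious process's own buffered and committed mail is handled.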
  • Slide 25
  • Slide 26
  • Effectiveness Experiments Effectiveness of BESIDES
  • Slide 27
  • Performance Experiments System Overhead
  • Slide 28
    • LaTeX application series: average overhead 8%; highest increases (13%) for Latex 1 & 2 (I/O bound); lowest increases 1.5% & 3.3%
  • Slide 29
    • Command-line web client: relatively small overhead, since few other system calls are made; average overhead ~3.4%, close to 2.02%
  • Slide 30
    • Proactive methods can be introduced into a system to create unpredictability
    • A proactive system anticipates attacks and prepares itself in advance
    • It can detect unknown intrusions
  • Slide 31
  • Questions