cache trigger impersonate enabling context sensitive
play

Cache, Trigger, Impersonate: Enabling Context-Sensitive Honeyclient - PowerPoint PPT Presentation

Mar 26, 2024 •331 likes •686 views

Cache, Trigger, Impersonate: Enabling Context-Sensitive Honeyclient Analysis On-the- Wire By Teryl Taylor , Kevin Z. Snow, Nathan Otterness and Fabian Monrose University of North Carolina at Chapel Hill Motivation PU Internet Get

  1. Cache, Trigger, Impersonate: Enabling Context-Sensitive Honeyclient Analysis On-the- Wire By Teryl Taylor , Kevin Z. Snow, Nathan Otterness and Fabian Monrose University of North Carolina at Chapel Hill

  2. Motivation PU Internet Get www.somenews.com ev Motivation Cache, Trigger, Impersonate 2 2

  3. Motivation PU Internet ev Motivation Cache, Trigger, Impersonate 3 3

  4. Motivation PU Internet Get www.exploitkit.com ev Motivation Cache, Trigger, Impersonate 4 4

  5. Motivation PU I have CVE-2015-0318 Win7, IE11 Flash Internet Flash 11.8 Exploit ev Motivation Cache, Trigger, Impersonate 5 5

  6. Current Approaches Internet www.owned.com www.evil.com www.mal.com Internet HTTP Analyzer Get http://www.owned.com Get http://www.evil.com Get http://www.mal.com www.mal.com End users www.evil.com www.owned.com Goals and Current Approaches Cache, Trigger, Impersonate 6 6

  7. Current Approaches Internet www.owned.com Internet HTTP Analyzer Get http://www.owned.com www.mal.com End users www.evil.com www.owned.com 7

  8. Operational Challenges and Constraints ❖ Limit interaction with the client or server. ❖ Must handle the fire hose of data. ❖ Attackers spread exploits across multiple web resources. HTML Javascript CSS Flash ❖ Limited to memory storage. Operational Challenges Cache, Trigger, Impersonate 8 8

  9. Framework ❖ CACHE: ❖ A small time window of traffic. ❖ TRIGGER: ❖ On a potentially exploitable file type. ❖ Flash comprises 75% for popular kits. ❖ IMPERSONATE: ❖ The client and server using the semantic cache and a honeyclient. Operational Challenges Cache, Trigger, Impersonate 9 9

  10. Example PU PU PU www.a.com www.b.com www.maliciouspage.com Internet evilflash.com/evil.swf ev Client IP: 192.168.2.30 Motivation Cache, Trigger, Impersonate 10 10

  11. Example Cont’d evilflash.com/evil.swf Network Client IP: 192.168.2.30 11 11

  12. CACHE Semantic Cache ! HTTP Analyzer ev www.maliciouspage.com evilflash.com/ www.a.com/ www.a.com/ evil.swf page1 page2 Two-level Cache 12 12

  13. TRIGGER Semantic Semantic Trigger Trigger Cache Cache ! ! ! ! HTTP Analyzer H(.) H(.) ev H( ⨁ ) H(.) H(.) H(.) 13 13

  14. IMPERSONATE Semantic Semantic Trigger Cache Cache ! ! ! HTTP Analyzer Network Oracle ev Retrieve Client Configuration Impersonate ! evilflash.com/evil.swf Network Client IP: 192.168.2.30 Browser: IE 10 Flash Version: 18.5 OS: Windows 7 14 14

  15. IMPERSONATE Semantic Semantic Trigger Cache Cache ! ! ! HTTP Analyzer Chaining Algorithm: Going Back in Time! evilflash.com/evil.swf ev www.a.com/page1 Impersonate ! www.a.com/page2 www.maliciouspage.com 15 15

  16. IMPERSONATE Semantic Semantic Trigger Cache Cache ! ! ! HTTP Analyzer Cache PU ev evilflash.com/ evil.swf Internet www.maliciouspage.com Impersonate ! Browser: IE 10 Get www.maliciouspage.com Flash Version: 18.5 OS: Windows 7 ev Alerts 16 16 www.maliciouspa Security Analyst

  17. Evaluation - Campus Metasploit Server Internet Serves: 11 Flash exploits Affects: 3 Flash Versions Dell R410 ShellOS: 5 VMs 128 GBs RAM Chrome, IE, Firefox 8 Core Xeon 2100 CPU Headless Browser: HTMLUnit EndaceDAG Card 25,000 Students Avg 1,000 Concurrent Users Windows 7 14,000 HTTP flows/min Firefox/IE Peak: 35,000 flows/min 3 Flash Versions UNC Campus Clients Evaluation Cache, Trigger, Impersonate 17 17

  18. Evaluation – Results Total: 576,000 Filtered: 99% of Flash Files. 5% Fully Analyzed 11% Interactive 8% Low and Slow 76% Errors * Found on avg 2 malicious sites per day Evaluation Cache, Trigger, Impersonate 18 18

  19. Conclusion: Honeyclient to the Wire ❖ Current network-based approaches are too slow to react. ❖ We propose a framework that: ❖ Caches minutes worth of web objects. ❖ Triggers an analysis on exploitable file types. ❖ Impersonates both the client and the server. ❖ Demonstrated utility on a large campus network. Conclusion Cache, Trigger, Impersonate 19 19

  20. Questions? Teryl Taylor Cache, Trigger, Impersonate 20 20

  21. Evaluation – Performance Evaluation Cache, Trigger, Impersonate 21 21

  22. Evaluation – Cache Evaluation Cache, Trigger, Impersonate 22 22

  23. Evaluation – VirusTotal over Time Evaluation Cache, Trigger, Impersonate 23 23

  24. Evaluation – Minutes between Flash-in-Flash Evaluation Cache, Trigger, Impersonate 24 24

  25. Evaluation – Length of Client Cache Evaluation Cache, Trigger, Impersonate 25 25

  26. ➍ Honeyclients ❖ Honeyclient H1 (ShellOS): ❖ Process contains code injection/code reuse payload. ❖ Process memory exceeds tunable threshold – heap spray. ❖ Process terminates or crashes. (Snow et. al, ShellOS: Enabling Fast Detection and Forensic Analysis of Code Injection Attacks, USENIX Security, 2011.) Honeyclients Cache, Trigger, Impersonate 26 26

  27. ➍ Honeyclients ❖ Honeyclient H2 (Cuckoo Sandbox): ❖ Process uses known anti-detection technique. ❖ Process spawns another process. ❖ Process downloads exe or dll file. ❖ Process accesses registry or system files. (https://cuckoosandbox.org/) Honeyclients Cache, Trigger, Impersonate 27 27

  28. Exploit Kits – Corporate Ownage as a Service Targeted Victims/day: 90,000 Successful Infections: 40% Exploits Served Per Day: 9,000 Ransomware Delivered: 62% • Cisco Talos Group: http://www.talosintel.com/angler-exposed/ • October 2015 Exploit Kits Cache, Trigger, Impersonate 28 28

  29. Impact of File Hashing Semantic Semantic Trigger Trigger Cache Cache ! ! ! ! HTTP Analyzer 29 29

  30. Impact of Piecewise Hashing Semantic Semantic Trigger Trigger Cache Cache ! ! ! ! HTTP Analyzer 30 30

  31. Evaluation – Detection Performance Prototype: Monitors 10,000 lines of Code H1: ShellOS Code Injection/ Reuse. Configuration: Windows 7 IE 8 and 10 Four Core 177 Exploit Kit 8 Flash Versions i7-2600 CPU Traces* 3.40 GHz Monitors 16 GB RAM OS Changes. H2: Cuckoo *www.malware-traffic-analysis.net Evaluation Cache, Trigger, Impersonate 31 31

  32. Evaluation – H1 Results 92% True Positive Rate Evaluation Cache, Trigger, Impersonate 32 32

  33. Evaluation – H2 Results 56% True Positive Rate H1 & H2 Combined: 100% True Positive Rate Evaluation Cache, Trigger, Impersonate 33 33

  34. Evaluation – Comparison – VirusTotal 61 % True Positive Rate Evaluation Cache, Trigger, Impersonate 34 34

Recommend

Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach

Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach

June 17, 2014 Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach to transportation facility design and engineering that involves all stakeholders in the process of developing a solution that is

193 views • 3 slides
Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The

Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The

Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The context: LHC & experiments PART1: Trigger at LHC Requirements & Concepts Muon and Calorimeter triggers (CMS and ATLAS) Specific solutions

972 views • 66 slides
Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The

Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The

Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The context: LHC & experiments PART1: Trigger at LHC Requirements & Concepts Muon and Calorimeter triggers (CMS and ATLAS) Specific solutions

1.19k views • 90 slides
Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive

Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive

Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive Analysis To understand the input computation, a compiler/interpreter need to discover The types of values stored in each variable The types

576 views • 39 slides
Oak Hill Parkway Oak Hill Parkway Context Sensitive Solutions CSS Workshop No. 1 October 9,

Oak Hill Parkway Oak Hill Parkway Context Sensitive Solutions CSS Workshop No. 1 October 9,

Oak Hill Parkway Oak Hill Parkway Context Sensitive Solutions CSS Workshop No. 1 October 9, 2014 Context Sensitive Solutions Context Sensitive Solutions Project Team TxDOT James Williams Jon Geiselbrecht Shirley Nichols CTRMA Melissa

485 views • 46 slides
Context Sensitivity Example of a CSG Informatics 2A: Lecture 26 2 Context in Programming

Context Sensitivity Example of a CSG Informatics 2A: Lecture 26 2 Context in Programming

Context Sensitive Grammars Context Sensitive Grammars Context in Programming Languages Context in Programming Languages Context in Natural Languages Context in Natural Languages 1 Context Sensitive Grammars Chomsky Hierarchy Context

160 views • 5 slides
Context-sensitive languages Informatics 2A: Lecture 28 John Longley School of Informatics

Context-sensitive languages Informatics 2A: Lecture 28 John Longley School of Informatics

Showing a language isnt context-free Context-sensitive languages Context-sensitivity in PLs Context-sensitive languages Informatics 2A: Lecture 28 John Longley School of Informatics University of Edinburgh jrl@inf.ed.ac.uk 26 November

611 views • 24 slides
1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

Cache Performance Metrics Cache miss rate: number of cache misses divided by number of accesses Lecture 14: Hardware Approaches for Cache Optimizations Cache hit time: the time between sending address and data returning from cache Cache

608 views • 4 slides
Project Background Designing Walkable Urban Thoroughfares: A Context Sensitive Approach

Project Background Designing Walkable Urban Thoroughfares: A Context Sensitive Approach

Project Background Designing Walkable Urban Thoroughfares: A Context Sensitive Approach (2010) Produced by FHWA/EPA/CNU/ ITE Recommended Practice, focus on new ideas and needs @CompleteStreets Implementing Context Sensitive Design

1.54k views • 124 slides
Enabling Hardware Randomization Across the Cache Hierarchy in Linux-Class Processors Max

Enabling Hardware Randomization Across the Cache Hierarchy in Linux-Class Processors Max

Enabling Hardware Randomization Across the Cache Hierarchy in Linux-Class Processors Max Doblas , Ioannis-Vatistas Kostalabros , Miquel Moret and Carles Hernndez Computer Sciences - Runtime Aware Architecture, Barcelona

1.17k views • 30 slides
Context-sensitive languages Informatics 2A: Lecture 28 John Longley School of Informatics

Context-sensitive languages Informatics 2A: Lecture 28 John Longley School of Informatics

Showing a language isnt context-free Context-sensitive languages Context-sensitivity in PLs Context-sensitivity in natural language Context-sensitive languages Informatics 2A: Lecture 28 John Longley School of Informatics University of

472 views • 16 slides
Context-sensitive languages Informatics 2A: Lecture 28 Alex Simpson School of Informatics

Context-sensitive languages Informatics 2A: Lecture 28 Alex Simpson School of Informatics

Showing a language isnt context-free Context-sensitive languages Context-sensitivity in natural language Context-sensitivity in PLs Context-sensitive languages Informatics 2A: Lecture 28 Alex Simpson School of Informatics University of

360 views • 25 slides
Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency Requirements of performance, availability, and disconnected operation require us to relax the goal of semantic transparency. - HTTP 1.1 specification

599 views • 13 slides
Context Sensitive Grammar Habeeb and Alvin ATC Seminar 30 NOV 2018 Habeeb and Alvin CSG 30

Context Sensitive Grammar Habeeb and Alvin ATC Seminar 30 NOV 2018 Habeeb and Alvin CSG 30

Context Sensitive Grammar Habeeb and Alvin ATC Seminar 30 NOV 2018 Habeeb and Alvin CSG 30 NOV 2018 1 / 15 Overview Introduction 1 Formal definition 2 Context Sensitive Language 3 Examples Closure properties 4 Relation Between

196 views • 15 slides
CONTEXT SENSITIVE UTILITIES SUCCESS STORIES PRESENTED BY: DISTRICT 3: Joseph Plunk, Stewart

CONTEXT SENSITIVE UTILITIES SUCCESS STORIES PRESENTED BY: DISTRICT 3: Joseph Plunk, Stewart

CONTEXT SENSITIVE UTILITIES SUCCESS STORIES PRESENTED BY: DISTRICT 3: Joseph Plunk, Stewart Lich & DISTRICT 6: Nikki Boden CONTEXT SENSITIVE UTILITIES SUCCESS STORIES Telephone duct is completely inside KYTC Right of Way.

550 views • 19 slides
Review: important OS concepts Time-sharing, context, context-switch Interprocess

Review: important OS concepts Time-sharing, context, context-switch Interprocess

Review: important OS concepts Time-sharing, context, context-switch Interprocess communication Exception control flow Priority and scheduling Cache and memory hierarchy (this lecture) Cache & Memory Hierarchy Recall our

517 views • 23 slides
Towards Enabling Internet-Scale Context-as-a-Service: A Position Paper Alexandru SORICI, Andrei

Towards Enabling Internet-Scale Context-as-a-Service: A Position Paper Alexandru SORICI, Andrei

Towards Enabling Internet-Scale Context-as-a-Service: A Position Paper Alexandru SORICI, Andrei OLARU, Adina Magda FLOREA University Politehnica of Bucharest What is Context-Awareness? Context is any information that can be used to

355 views • 12 slides
Towards More Security in Data Exchange Defining Unparsers with Context-Sensitive Encoders for

Towards More Security in Data Exchange Defining Unparsers with Context-Sensitive Encoders for

Towards More Security in Data Exchange Defining Unparsers with Context-Sensitive Encoders for Context-Free Grammars Lars Hermerschmidt, Stephan Kugelmann, Bernhard Rumpe Software Engineering RWTH Aachen http://www.se-rwth.de/ Lars

240 views • 13 slides
L09: Cache Name: ID: Question: Direct Mapping Cache Hit Rate Consider a 4-block empty Cache,

L09: Cache Name: ID: Question: Direct Mapping Cache Hit Rate Consider a 4-block empty Cache,

L09: Cache Name: ID: Question: Direct Mapping Cache Hit Rate Consider a 4-block empty Cache, and all blocks initially marked as not valid , Given the main memory word addresses 0 1 2 3 4 3 4 15, calculate Cache hit rate. Cache Index

654 views • 9 slides
Pixel trigger in CMS Peter Wittich CMS/Cornell University 12/2/2019 Trigger in CMS for Phase 2:

Pixel trigger in CMS Peter Wittich CMS/Cornell University 12/2/2019 Trigger in CMS for Phase 2:

Pixel trigger in CMS Peter Wittich CMS/Cornell University 12/2/2019 Trigger in CMS for Phase 2: track trigger Big change for CMS in Phase 2: add information from solid state tracking detector to the hardware trigger Phase 2 CMS tracker

603 views • 7 slides
DAQ/Trigger status and planned developments Sergey Boyarinov Mar 5, 2019 DAQ/Trigger Hardware

DAQ/Trigger status and planned developments Sergey Boyarinov Mar 5, 2019 DAQ/Trigger Hardware

DAQ/Trigger status and planned developments Sergey Boyarinov Mar 5, 2019 DAQ/Trigger Hardware VXS (24) Global Trigger Crate VXS (1) FADCs (scalers) from fast detectors PMTs CLUSTERS (ECAL, PCAL, FTOF, CTOF, SSPs VTPs SEGMENTS HTCC,

594 views • 18 slides
Compiler Construction Lecture 10: Context-sensitive analysis 2020-02-11 Michael Engel Overview

Compiler Construction Lecture 10: Context-sensitive analysis 2020-02-11 Michael Engel Overview

Compiler Construction Lecture 10: Context-sensitive analysis 2020-02-11 Michael Engel Overview Where are we standing now? Theres more to languages than context-free grammars can describe From syntax to semantics

485 views • 23 slides
results PHYSIOTHERAPY What Is Trigger Point Dry Needling? How Is TDN Different From Trigger Point

results PHYSIOTHERAPY What Is Trigger Point Dry Needling? How Is TDN Different From Trigger Point

T rigger P oinT D ry n eeDling results PHYSIOTHERAPY What Is Trigger Point Dry Needling? How Is TDN Different From Trigger Point Injection? Trigger point dry needling (TDN) is a specifjc treatment technique TDN does not deliver any medications.

493 views • 3 slides
PathArmor : Practical Context-Sensitive CFI Dennis Andriesse , Victor van der Veen ,

PathArmor : Practical Context-Sensitive CFI Dennis Andriesse , Victor van der Veen ,

PathArmor : Practical Context-Sensitive CFI Dennis Andriesse , Victor van der Veen , s , Ben Gras , Lionel Sambuc , Asia Slowinska , Enes G okta Herbert Bos , Cristiano Giuffrida Joint first authorship

588 views • 42 slides

More recommend