Fine-Grained Tracking of Grid Infections
Ashish Gehani (SRI)
Basim Baig, Salman Mahmood, Dawood Tariq, Fareed Zaffar (LUMS)
Fine-Grained Tracking of Grid Infections – p. 1/18
Introduction
- Grid semantics
  - Not middleware-specific
  - Distributed system
  - "Application community"
- Infection
  - Security, Reliability, Quality-of-Service
- Constraints
  - Fine-grained monitoring
  - Grid-wide correlation
  - Timely analysis
Motivation
- Attractive attack platform
  - Access to large set of resources
  - Automatic privilege escalation
  - Single sign-on
- Significant consequences
  - Integrity loss of valuable data
  - Exposed services
  - Open ports for callbacks
Application Community
[Figure: an application community of Grid Nodes; each Grid Node reports its Anomalies as a Digest to the Risk Monitor, which returns Threat information to the nodes]
Central Monitoring
- Collect Grid-wide anomalies
- Raw stream saturates network
  - 35 clients, 10 Mb/s (Oliner et al., RAID 2010)
  - Only event types, no arguments
- Must scale to hundreds of nodes
Local Monitoring
- Framed as set operations
- Application activity: set of events
- Normal behavior: union of events seen during training
- Anomalous behavior: difference set (activity minus normal)
- Correlating node activity: intersection of anomaly sets
Approach
- Decompose sets into epochs
- Compress epoch activity
- Collect data provenance
- Map anomalies to provenance
Epoch Compression
[Figure: on each Grid Node, the Application's system calls are recorded by Kernel Auditing into a Log; the Anomaly Detector feeds anomalies into a Bloom Filter, and the resulting Anomaly Digest is sent to the Risk Monitor]
- Set representation allows use of Bloom filters
- Fold filter ⌈log(f + b)⌉ times
  - Increase update frequency by f
  - Decrease bandwidth used by b
  - Cost: more false positives
Correlating Activity
- Combine Bloom filters into a counting filter
- Event anomalous on τ nodes ⇒ corresponding buckets are ≥ τ
- Construct vaccination Bloom filter: bit = 1 ⇔ counting filter bucket ≥ τ
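The set-operation view of local monitoring, the foldable Bloom-filter digest of an epoch, and the counting-filter correlation from the three preceding slides, worked through end to end. This is an added example, not code from the deck or from the authors' system: the event encoding "process:syscall:target", the four constructed node traces, the SHA-256-derived hash positions, and the filter sizes are all assumptions made here for illustration.

```python
"""Local monitoring as set operations, epoch compression with a foldable
Bloom filter, and cross-node correlation with a counting filter.
All traces below are constructed; the "process:syscall:target" event
format is an assumption, not the deck's own encoding."""
import hashlib
from typing import Dict, Iterable, List, Optional, Set


class BloomFilter:
    """m-bit Bloom filter, k positions per element derived from SHA-256.
    fold() ORs the upper half onto the lower half, halving m.  Every
    position is (hash mod m) and the folded size divides m, so an element
    inserted before folding is still found afterwards: folding never
    produces false negatives, only more false positives."""

    def __init__(self, m: int, k: int = 3, bits: Optional[List[int]] = None):
        assert m & (m - 1) == 0, "use a power of two so folding stays exact"
        self.m, self.k = m, k
        self.bits = bits if bits is not None else [0] * m

    def _positions(self, item: str) -> List[int]:
        digest = hashlib.sha256(item.encode()).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m
                for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p] = 1

    def __contains__(self, item: object) -> bool:
        return all(self.bits[p] for p in self._positions(str(item)))

    def fold(self, times: int = 1) -> "BloomFilter":
        bits = self.bits
        for _ in range(times):
            half = len(bits) // 2
            bits = [bits[i] | bits[i + half] for i in range(half)]
        return BloomFilter(len(bits), self.k, bits)


def normal_profile(training_epochs: Iterable[Set[str]]) -> Set[str]:
    """Normal behaviour: the union of everything seen while training."""
    return set().union(*training_epochs)


def anomalies(epoch: Set[str], normal: Set[str]) -> Set[str]:
    """Anomalous behaviour: the epoch's events minus the normal profile."""
    return epoch - normal


def epoch_digest(anomalous: Set[str], m: int = 4096, folds: int = 2) -> BloomFilter:
    """Per-node digest sent to the risk monitor: the epoch's anomalies in an
    m-bit filter, folded to m / 2**folds bits to cut bandwidth."""
    bf = BloomFilter(m)
    for event in anomalous:
        bf.add(event)
    return bf.fold(folds)


def counting_filter(digests: List[BloomFilter]) -> List[int]:
    """Bucket-wise sum of the node digests (all must share m and k)."""
    return [sum(col) for col in zip(*(d.bits for d in digests))]


def vaccination_filter(digests: List[BloomFilter], tau: int) -> BloomFilter:
    """Bit i is 1 iff at least tau nodes set bit i, so an event that is
    anomalous on tau or more nodes tests positive here."""
    counts = counting_filter(digests)
    return BloomFilter(digests[0].m, digests[0].k,
                       [1 if c >= tau else 0 for c in counts])


def false_positive_rate(bf: BloomFilter, probes: int = 2000) -> float:
    """Fraction of never-inserted probe strings the filter claims to hold."""
    return sum(f"probe-{i}" in bf for i in range(probes)) / probes


# Constructed traces for four grid nodes running the same application.
NORMAL = {"boinc.exe:open:config.ini", "boinc.exe:read:config.ini",
          "boinc.exe:open:application.ini", "boinc.exe:write:client_state.xml"}
SHARED_ANOMALY = "iexplore.exe:write:dump.log"   # present on three nodes
LOCAL_ANOMALY = "notepad.exe:write:notes.txt"    # present on one node only
NODE_EPOCHS: Dict[str, Set[str]] = {
    "node1": NORMAL | {SHARED_ANOMALY},
    "node2": NORMAL | {SHARED_ANOMALY},
    "node3": NORMAL | {SHARED_ANOMALY, LOCAL_ANOMALY},
    "node4": NORMAL,
}


def correlate(node_epochs: Dict[str, Set[str]], normal: Set[str], tau: int) -> BloomFilter:
    """Build each node's folded digest and combine them with threshold tau."""
    digests = [epoch_digest(anomalies(e, normal)) for e in node_epochs.values()]
    return vaccination_filter(digests, tau)


if __name__ == "__main__":
    vac = correlate(NODE_EPOCHS, normal_profile([NORMAL]), tau=3)
    print("shared anomaly flagged:", SHARED_ANOMALY in vac)
    print("node-local anomaly flagged:", LOCAL_ANOMALY in vac)
```

With τ = 3 the shared write to dump.log survives correlation while the node-local anomaly does not; raising τ to 4 drops the shared event too, because node4's digest is empty. Folding a 4096-bit filter twice keeps every inserted event findable but visibly raises the false-positive rate, which is the trade-off the slide names.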
Data Provenance
[Figure: provenance of one process execution over time: the Process (with its Owner) open()s and close()s File 1, File 2 and File 3, with Read and Write edges recorded]
- Record few arguments
  - Process creation
  - File versions
  - File access, modification
Anomaly Tracking
- Synthetic attack
- Unexpected write of dump.log
[Figure: provenance graph of the synthetic attack with Read, Write and Process Create edges; recoverable node labels include iexplore.exe, boinc.exe, dump.log, userenv.log, targets.txt, config.ini and application.ini]
Evaluation Platform
- Microsoft Windows XP (SP3)
- BOINC 6.10.43 volunteer Grid application
- Process Monitor 2.7 tool
- Open Bloom Filter library
- Synthetic infection
  - Internet Explorer vulnerability
  - Windows CreateRemoteThread()
  - MailBoy 2004 injected
Workload
- 24 hours 20 minutes
- 1.5 million events
- Raw log: 216 MB per Grid node
- Anomaly detection with 11-tuples
- MailBoy 2004 as spam relay
  - 20 threads
  - 30 second timeout
  - 1,700 email addresses
Storage
[Figure: Storage Space Used (KB, log scale from 0.1 to 1e+06) against Number of Events (0 to 1.4e+06); series: Disk Storage, 4000-bit Bloom filter, 2000-bit Bloom filter]
Normal Operation
[Figure: False Positives Normalized by Anomalous Sequences (0 to 1) against Total Number of Events (0 to 1.6e+06); series: 500-bit, 1000-bit, 2000-bit and 4000-bit Bloom filters]
Malware Injected
[Figure: False Positives Normalized by Anomalous Sequences (0 to 1) against Total Number of Events (0 to 1.8e+06); series: 500-bit, 1000-bit, 2000-bit and 4000-bit Bloom filters]
Provenance Database
[Figure: Number of Unique Identifiers (0 to 2500) against Time (minutes, 0 to 1600); series: File Identifiers in Normal Data, File Identifiers in Attack Data, Process Identifiers in Normal and Attack Data]
Conclusion
- Apparent tension
  - Fine-grained anomaly detection
  - Grid-wide monitoring
- Solution
  - Audit provenance on Grid nodes
  - Compress event stream
  - Map anomalies to provenance
Acknowledgement: NSF Grant OCI-0722068