NOSCAM: Sequential System Snapshot Service
Ashish Gehani and Gershon Kedem, Duke University Computer Science
Introduction
• Internet survivability design ≠ Security of single node
• Growth of Internet → More attacks
• Valuable resources online → More sophisticated attacks
• Forensics increasingly required
• Incidental evidence insufficient → Proactive surveillance
Motivation
• Automated intrusion response
• Common occurrence
  – Partial signature match
  – Mild anomalous activity
• Avoid high false positive rate → No alarm
• Precautionary measures:
  – Protect system
  – Repair preparation
  – Increased auditing
Goals
• Preserve evidence before attack
• Store evidence safely
• No network dependence
• Capture multiple timeframes
• Flexible choice of evidence
• Repeatable analysis of gathered data
Architecture – Managing Data
• Implemented in noscam_db
• Use SQL database backend
  – Handles concurrency, sorting, indexing
• Commit baseline during initialization
• Batch copy of records to immutable form
• Recover audit trail by copy from immutable form to database
Architecture – Audit Generation
• Implemented in noscam_audit
• Proactively invokes other utilities
• Configurable with respect to:
  – Frequency of sampling
  – Priority level at which to activate
  – Whether to copy to immutable form
  – Whether to store deltas
  – Labeling for query organization
Architecture – Forensic Querying
• Implemented in noscam_run
• Simulate command execution
• Allow time of execution to be specified
Architecture – Overview
Implementation – Platform
• CD writer required
• Built on Redhat Linux 7.3
• Borland JDK 1.3
• MySQL
• No special features used → Earlier versions should work
• No cdrecord → No Windows
Implementation – ID Interface
• Uses a ‘priority’ file
• Contains a single integer
• Pro: Simplicity
• Con: Collapses n dimensions to 1
• Change in value → noscam_audit starts/stops threads
Implementation – Threading
• noscam_audit creates a thread per command–parameters pair
• Holds a synchronization lock per thread
• Thread’s outer loop waits on this lock
  – Start/stop thread when priority changes
• Inner loop periodically invokes command
• Constant size thread pool drops overhead
Implementation – Scope
• Flexible
• Examples:
  – Running processes with parameters
  – Creation, access, modification times, cryptographic hashes, contents of files
  – Routing table entries
  – Open files / network connections
  – Disk usage
  – Traces of routes to hosts
  – Port / vulnerability scans of hosts
  – Inserted kernel modules
  – Firewall rules
Implementation – Querying
• Audit trail listing
  – Input:
    • Date, Begin Time, End Time
  – Output – List of events in format:
    • Record ID, Date, Time, Command, Parameters
• Simulated Execution
  – Input:
    • Record ID
  – Output:
    • Date, Time, Command, Parameters, Standard Output/Error
• Transparently executes
  – Output = Baseline + Delta
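The "Output = Baseline + Delta" step on this slide, written out as an added example (this is not the project's noscam_db or noscam_run code). The first sample of a command–parameters pair is committed as the baseline; later records store only the line-level edits against it, and simulated execution replays those edits to reproduce what the command printed at the time. The in-memory store, the delta encoding (difflib opcodes) and the ps-style sample lines are all constructed for the example; the two query shapes mirror the listing and simulated-execution interfaces described above.

```python
import difflib
import json
from typing import Dict, List, Tuple


def make_delta(baseline: List[str], current: List[str]) -> list:
    """Encode `current` as edits against `baseline`: [[i1, i2, replacement_lines], ...]
    meaning baseline[i1:i2] is replaced by replacement_lines (an insert when i1 == i2,
    a delete when replacement_lines is empty). Opcodes come back in ascending order."""
    matcher = difflib.SequenceMatcher(a=baseline, b=current, autojunk=False)
    return [[i1, i2, current[j1:j2]]
            for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]


def apply_delta(baseline: List[str], ops: list) -> List[str]:
    """Output = Baseline + Delta: replay the edits in order over the baseline."""
    out, pos = [], 0
    for i1, i2, replacement in ops:
        out.extend(baseline[pos:i1])
        out.extend(replacement)
        pos = i2
    out.extend(baseline[pos:])
    return out


class AuditStore:
    """In-memory stand-in for the noscam_db tables (constructed for this example)."""

    def __init__(self):
        self.baselines: Dict[Tuple[str, str], List[str]] = {}
        self.records: List[dict] = []   # record id = position + 1, so keys are monotonic

    def record(self, date, time, command, params, output, store_delta=True) -> int:
        key = (command, params)
        rec = {"id": len(self.records) + 1, "date": date, "time": time,
               "command": command, "params": params, "delta": None, "full": None}
        if store_delta:
            # The first sample of a command-parameters pair becomes its baseline.
            base = self.baselines.setdefault(key, list(output))
            rec["delta"] = json.dumps(make_delta(base, output))
        else:
            rec["full"] = "\n".join(output)
        self.records.append(rec)
        return rec["id"]

    def listing(self, date, begin, end):
        """Audit trail listing: (Record ID, Date, Time, Command, Parameters) in a window."""
        return [(r["id"], r["date"], r["time"], r["command"], r["params"])
                for r in self.records if r["date"] == date and begin <= r["time"] <= end]

    def simulate(self, record_id: int):
        """Simulated execution: what the command printed at the time of the record."""
        r = self.records[record_id - 1]
        if r["delta"] is not None:
            base = self.baselines[(r["command"], r["params"])]
            output = apply_delta(base, json.loads(r["delta"]))
        else:
            output = r["full"].split("\n") if r["full"] else []
        return r["date"], r["time"], r["command"], r["params"], output


# Constructed ps-style samples (not real captures); the date is a placeholder.
PS_BASE = ["USER PID %CPU COMMAND",
           "root 1 0.0 init",
           "root 412 0.0 sshd",
           "ashish 2210 0.1 bash"]
PS_LATER = PS_BASE + ["nobody 3001 9.8 ./x"]


def demo():
    """Two samples of `ps auxw` one minute apart; the second is stored as a one-line delta."""
    store = AuditStore()
    store.record("2002-10-14", "10:00", "ps", "auxw", PS_BASE)
    rid = store.record("2002-10-14", "10:01", "ps", "auxw", PS_LATER)
    return store, rid
```

Storing deltas keeps a frequently sampled command (every 60 s in the config later in the deck) cheap when its output rarely changes, but it also means every simulated execution depends on the baseline being intact: the baseline row deserves the same immutable-copy treatment as the records that reference it.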
Implementation – Immutables
• Database insertion keyed monotonically
• noscam_db tracks last commit to CD-R
• Periodically:
  – Selects all new records
  – Sub-selects those with immutable field set
  – Compresses results
  – Writes to CD-R in new ‘session’
• Recovery:
  – Read all files from all sessions of all CD-R’s
  – Decompress all files
  – Insert into new NOSCAM database
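The periodic commit and the recovery path from this slide, as an added example that is not the project's own noscam_db code. SQLite stands in for the MySQL backend and a list of compressed blobs stands in for the CD-R sessions; the schema, column names and `commit_state` watermark table are assumptions made for the example. The commit selects every record newer than the last commit, keeps those with the immutable field set, and compresses them into one session; recovery decompresses every session in order and reinserts the rows, preserving their original monotonic ids, into a fresh database.

```python
import gzip
import json
import sqlite3
from typing import List

# Assumed schema (not the project's): a monotonic key, the immutable flag, and a watermark.
SCHEMA = """
CREATE TABLE records (
    id INTEGER PRIMARY KEY AUTOINCREMENT,   -- monotonic insertion key
    date TEXT, time TEXT, command TEXT, params TEXT,
    immutable INTEGER NOT NULL,             -- immutable field: 1 = copy to CD-R
    output TEXT
);
CREATE TABLE commit_state (last_id INTEGER NOT NULL);  -- last id examined for CD-R commit
INSERT INTO commit_state VALUES (0);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_record(conn, date, time, command, params, immutable, output) -> int:
    cur = conn.execute(
        "INSERT INTO records (date, time, command, params, immutable, output) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (date, time, command, params, int(immutable), output))
    conn.commit()
    return cur.lastrowid


def write_session(conn) -> bytes:
    """One periodic commit: select records newer than the last commit, keep those with
    the immutable field set, and compress them into one blob for a new CD-R session."""
    (last_id,) = conn.execute("SELECT last_id FROM commit_state").fetchone()
    new_rows = conn.execute(
        "SELECT id, date, time, command, params, immutable, output FROM records "
        "WHERE id > ? ORDER BY id", (last_id,)).fetchall()
    immutable_rows = [list(r[:5]) + [r[6]] for r in new_rows if r[5] == 1]
    if new_rows:
        # Advance the watermark past every record examined, immutable or not.
        conn.execute("UPDATE commit_state SET last_id = ?", (new_rows[-1][0],))
        conn.commit()
    return gzip.compress(json.dumps(immutable_rows).encode("utf-8"))


def session_record_count(blob: bytes) -> int:
    return len(json.loads(gzip.decompress(blob)))


def recover(sessions: List[bytes]) -> sqlite3.Connection:
    """Rebuild a fresh NOSCAM database from every session of every CD-R, in order."""
    conn = open_db()
    for blob in sessions:
        for rid, date, time, command, params, output in json.loads(gzip.decompress(blob)):
            # Original ids are preserved; the primary key rejects a session read twice.
            conn.execute(
                "INSERT INTO records (id, date, time, command, params, immutable, output) "
                "VALUES (?, ?, ?, ?, ?, 1, ?)", (rid, date, time, command, params, output))
    # Set the watermark so the recovered database only commits records added after recovery.
    (max_id,) = conn.execute("SELECT COALESCE(MAX(id), 0) FROM records").fetchone()
    conn.execute("UPDATE commit_state SET last_id = ?", (max_id,))
    conn.commit()
    return conn


def record_ids(conn) -> List[int]:
    return [row[0] for row in conn.execute("SELECT id FROM records ORDER BY id")]


def output_of(conn, rid):
    row = conn.execute("SELECT output FROM records WHERE id = ?", (rid,)).fetchone()
    return row[0] if row else None
```

A record is protected against modification only once the session holding it has been burned; between insertion and the next periodic commit it lives in the host database like any other row, which is why the commit interval is a tuning knob rather than a detail.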
Implementation – Storage Needs
[Chart: Growth of Noscam Database; Size (in KB), 0 to 4500, against Time (in 10 min units), 1 to 12; two series: Uncompressed and Compressed]
• 2 hours data in 4 MB
• 4 MB → Compression → 1.3 MB
• 6 weeks data on single 700 MB CD-R
Implementation – Audit Config
# Format: <Frequency> <Priority> <Immutable> <Category> <Delta> <Command> <Options>
60 5 0 cpu 1 lastcomm
60 3 1 cpu 0 ps auxw
600 1 0 net 1 last
14400 1 0 file 0 stat /etc/passwd
600 7 0 file 0 ls -l /tmp
14400 1 0 file 1 strings /bin/login
120 3 1 net 0 netstat -a -A inet
14400 9 0 file 0 md5sum /root/.ssh2/authorization
300 3 0 net 0 route
600 5 0 net 0 arp
3600 5 0 cpu 0 dmesg
3600 5 0 cpu 1 ksyms
3600 5 0 cpu 1 sysctl -a
300 5 0 cpu 1 lsof -U
600 4 1 file 0 lsof
14400 6 0 hw 1 lspci
14400 6 0 hw 1 lsusb
14400 4 0 hw 1 lsdev
14400 4 0 cpu 1 lsmod
14400 6 0 cpu 1 procinfo
14400 6 0 cpu 1 rpm -qa
14400 4 0 hw 1 cdrecord -scanbus
300 4 0 net 1 findsmb
300 4 0 file 1 mount
14400 7 0 net 1 ifconfig
3600 6 0 net 1 iwconfig
300 4 0 file 1 df
3600 4 0 file 1 du -hs /tmp
900 4 0 net 1 ipchains -L
14400 6 0 file 0 find / -name core
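How the audit config, the single-integer priority file and the per-command thread start/stop decision fit together, as an added example (not the project's noscam_audit code, which was Java). It parses the seven-column format above, reads the priority value, and computes which command–parameters threads a priority change would start or stop and which are due to fire at a given second. The sample config is a constructed subset of the entries shown above, and the activation rule (a thread runs while the detector's priority is at or above the entry's <Priority>) is an assumption, since the slides do not state the comparison.

```python
import shlex
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the slide's audit-config format (a subset of the entries
# shown above, not the project's shipped file):
# <Frequency> <Priority> <Immutable> <Category> <Delta> <Command> <Options>
SAMPLE_CONFIG = """\
# Format: <Frequency> <Priority> <Immutable> <Category> <Delta> <Command> <Options>
60 5 0 cpu 1 lastcomm
60 3 1 cpu 0 ps auxw
120 3 1 net 0 netstat -a -A inet
14400 9 0 file 0 md5sum /root/.ssh2/authorization
600 5 0 net 0 arp
"""


@dataclass(frozen=True)
class AuditEntry:
    frequency: int            # seconds between invocations (inner loop period)
    priority: int             # priority level at which the sampler thread is active
    immutable: bool           # 1 = records are batch-copied to the immutable (CD-R) store
    category: str             # label used to organise queries (cpu, net, file, hw)
    delta: bool               # 1 = store a delta against the baseline, 0 = full output
    command: str
    options: Tuple[str, ...]  # tuple so entries stay hashable


def parse_config(text: str) -> List[AuditEntry]:
    """Parse the seven-column format; only the trailing <Options> column may contain spaces."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected at least 6 fields, got {len(fields)}")
        freq, prio, imm, cat, delta, cmd = fields[:6]
        if imm not in ("0", "1") or delta not in ("0", "1"):
            raise ValueError(f"line {lineno}: <Immutable> and <Delta> must be 0 or 1")
        opts = tuple(shlex.split(fields[6])) if len(fields) == 7 else ()
        entries.append(AuditEntry(int(freq), int(prio), imm == "1", cat, delta == "1", cmd, opts))
    return entries


def parse_priority(text: str) -> int:
    """The 'priority' file holds a single integer written by the intrusion detector."""
    return int(text.strip())


def active_entries(entries, current_priority):
    # Assumption (not stated on the slides): a command-parameters thread runs while the
    # detector's priority is at or above the entry's own priority level.
    return [e for e in entries if current_priority >= e.priority]


def transition(entries, old_priority, new_priority):
    """Threads noscam_audit would start and stop when the priority file changes value."""
    before = set(active_entries(entries, old_priority))
    after = set(active_entries(entries, new_priority))
    start = [e for e in entries if e in after and e not in before]
    stop = [e for e in entries if e in before and e not in after]
    return start, stop


def due_entries(entries, current_priority, elapsed_seconds):
    """Active entries whose inner loop fires at this second of a one-second scheduler tick."""
    return [e for e in active_entries(entries, current_priority)
            if elapsed_seconds > 0 and elapsed_seconds % e.frequency == 0]


def command_line(entry: AuditEntry) -> str:
    """The argv noscam_audit would hand to the utility, as one string for display."""
    return " ".join((entry.command,) + entry.options)
```

Because the priority file collapses the detector's state to one integer, raising it from 5 to 9 in this sample starts only the `md5sum` thread, while dropping it to 2 stops every thread at once; the <Frequency> column is what separates a cheap, frequent sampler such as `ps` from a four-hourly integrity check.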
Future Work
• Tool to automate:
  – Runtime sampling rate
  – Priority matching with intrusion detector
• Will monitor:
  – Runtime environment load, variation
  – Extent of:
    • Signature matching
    • Anomalous activity detection
• Alters ‘Frequency’ and ‘Priority’ fields
Related Work – Forensics
• Data copier – dd
• Free/slack space reader – graverobber
• Keyword index/search – glimpse
• Integrity checker – md5sum, tripwire
Related Work – Auditing
• Large set of actions, limited temporally (Unlike NIST Spec)
• Prevents audit trail modification (Unlike Crypto Hash Chains)
• Proactive invocation of system utilities (Unlike Syslog)
• No dependence on network (Unlike Syslog and RAS)