omegalog high fidelity attack investigation via
play

OmegaLog: High-Fidelity Attack Investigation via Transparent - PowerPoint PPT Presentation

Aug 20, 2022 •364 likes •767 views

OmegaLog: High-Fidelity Attack Investigation via Transparent Multi-layer Log Analysis Wajih Ul Hassan , Mohammad A. Noureddine, Pubali Datta, Adam Bates Network and Distributed System Security Symposium (NDSS) 2020 26 February 2020 . 1 State

  1. OmegaLog: High-Fidelity Attack Investigation via Transparent Multi-layer Log Analysis Wajih Ul Hassan , Mohammad A. Noureddine, Pubali Datta, Adam Bates Network and Distributed System Security Symposium (NDSS) 2020 26 February 2020 . 1

  2. State of Data Breaches According to a survey by RSA 73% of cyber analysts have inadequate levels of capability to detect/respond 2 to attack [1] [1] Infographic from: https://link.medium.com/5Omijdiyg4 [2] Survey and image from: https://www.rsa.com/content/dam/en/infographic/rsa-poverty-index-2016-update.pdf 2

  3. Threat Investigation • Audit logs • Maintain a history of events that occur during system execution • System-Level Logs (e.g., Linux Audit) record events at the system call granularity System-level Log Process 1234 created from firefox.exe …… Process 1234 reads from IP y.y.y.y Process 1234 writes file ~\Downloads\A.pdf …… Process 1234 reads from IP z.z.z.z Process 1234 writes file ~\Downloads\Mal.exe …… 3

  4. Data Provenance Z.Z.Z.Z • To simplify investigation, we can parse system logs into data provenance graphs Firefox ○ Vertex : File, Socket, Process, etc. ○ Edge : Causal event (i.e., syscall) ~\Downloads\Mal.exe • Find root cause of the attack symptom ■ Backward Tracing Mal.exe • Find the ramification of the attack ■ Forward Tracing X.X.X.X 4

  5. Case Study: SQL Injection Attack • A simple WordPress website hosted on a web server Input Requests Httpd Instance PostgreSQL Database Httpd Instance HAProxy • In addition to system logs, the different components (load balancer, server, database) also log application events . • Attacker performed SQL injection to steal credentials and used Wordpress file plugin to change website content. 5

  6. Investigation using Application Logs • Investigator knows that “accounts” table was accessed by attack • Grep PostgreSQL query logs to find out which query read the “accounts” table content. • It returned the following query from the PostgreSQL logs: PostgreSQL … SELECT * FROM users WHERE user_id=123 UNION SELECT password FROM accounts; … • Query indicates SQL injection attack 6

  7. Investigation using Application Logs • However, admin is unable to proceed further in the investigation using application event logs alone. • HAProxy and Apache logs contain important evidence related to SQL injection attack • Cannot associate with PostgreSQL log • Do not capture workflow dependencies between applications • Grep will not work on these logs because SQL query was not in URL 7

  8. Investigation using Application Logs • However, admin is unable to proceed HAProxy … further in the investigation using haproxy[30291]: x.x.x.x:45292 [TIME REMOVED] app- http-in~app-bd/httpd-2 10/0/30/69/109 200 2750 POST /wordpress/ wp-admin/admin-ajax.php 200 application event logs alone. … ??? • HAProxy and Apache logs contain Apache Httpd important evidence related to SQL … y.y.y.y POST /wordpress/wp-admin/admin- ajax.php 200 - http://shopping.com/wordpress/ injection attack wp-admin/ admin.php?page=file-manager_setting … • Cannot associate with PostgreSQL log ??? PostgreSQL • Do not capture workflow dependencies between … applications SELECT * FROM users WHERE user_id=123 UNION SELECT password FROM accounts; • Grep will not work on these logs because SQL … query was not in URL 8

  9. Investigation using System Logs • To proceed investigation, now admin uses a system-level provenance graph • It allows admin to trace dependencies across applications. • Malicious query read database file: / usr/local/db/datafile.db • Admin issues backward tracing query from that file • Return provenance graph 9

  10. Investigation using System Logs False Dependencies v v • Dependency Explosion: One v output event depends on all the preceding input events on the HAProxy same process v v Two Challenges: • There is only one root- cause (web request) of sql 1) Dependency Explosion injection attack index.html Apache Httpd 2) Semantic Gap user.php • Semantic Gap: Lacks v semantic information v present in application logs /usr/local/db/datafile.db PostgreSQL 10

  11. OmegaLog A provenance tracker that transparently solves both the dependency explosion and semantic gap problems 11

  12. OmegaLog • Solves dependency explosion problem by identifying event-handling loop through the application log sequences • Each iteration of event-handling loop is considered one semantically independent execution unit (BEEP NDSS’13)… • But unlike BEEP, no instrumentation or training is required! • Tackles semantic gap problem by grafting application event logs onto the system-level provenance graphs 12

  13. Do applications log inside the event-handling loop? • 15 applications with no logging: • Light-weight apps • GUI apps 13

  14. Consist of 3 Phases: Static Binary Runtime OmegaLog Analysis Phase Phase Workflow Investigation Phase 14

  15. Static Binary Analysis Phase 1. Identify log message printing functions App • Separate normal file writes from log file writes Binary e.g., logMsg(…); ap_log_error(…); • Used heuristics to find them • Well-known logging libraries (log4c) functions • Functions writing to /var/log/ 15

  16. Static Binary Analysis Phase 2. Find call sites to those functions and concretize log message string (LMS) passed App Binary as argument • Use symbolic execution Static Analysis “Opened file “%s”” “Accepted connection with id %d” 16

  17. Static Binary Analysis Phase 2. Find call sites to those functions and concretize log message string (LMS) passed App Binary as argument • Use symbolic execution Static Analysis “Opened file “%s”” “Accepted connection with id %d” 3. Build regex from concretized log message strings for runtime matching “Opened file “.*”” “Accepted connection with id [0-9]+” 17

  18. Static Binary Analysis Phase 4. Perform control flow analysis App Generate a set of all valid log message control flow • Binary paths that can occur during execution Control Code Snippet flow paths Static Analysis log(“Server started”); // log1 log1 while(...) { log1 log(“Accepted Connection”); // log2 log2 ... /*Handle request here*/ LMS log(“Closed Connection”); // log3 log3 Paths DB } log4 log(“Server stopped”); // log4 log4 Log message control flow paths will guide OmegaLog to identify event- handling loop and partition execution of application into execution units 18

  19. Runtime Phase • We collect whole-system logs using Linux Audit space User- App Process Module App kernel Binary Linux LKM Audit • A custom Linux Kernel Module (LKM) Static • Intercepts write system calls System Analysis Enhanced Log LMS • Catch application log messages LMS • Add PID/TID to log message Paths DB • Allow us to combine log message with corresponding system-level log entry. 19

  20. Runtime Phase • We collect whole-system logs using Linux Audit space User- App Process Module App kernel Binary Linux LKM • A custom Linux Kernel Module (LKM) Audit • Intercepts write system calls Static System Analysis Enhanced Log LMS • Catch application log messages LMS • Add PID/TID to log message Universal Paths DB Provenance Log • Allow us to combine log message with corresponding system-level log entry. • Unify system logs and runtime log messages into universal provenance log 20

  21. Investigation Phase • Given a symptom of an attack, OmegaLog uses space User- App Process App • Log message control flow paths database kernel Binary Linux LKM Audit • Universal provenance log Static • Log parser partitions the system log into units System Analysis Enhanced Log LMS • By matching application log messages in universal provenance log with log message string control flow paths LMS Universal Paths DB • Generates execution partition graph Provenance Log Log Parser Symptom 21

  22. Investigation Phase • Given a symptom of an attack, OmegaLog uses space User- App Process App • Log message control flow paths database kernel Binary Linux LKM Audit • Universal provenance log Static • Log parser partitions the system log into units System Analysis Enhanced Log LMS • By matching application log messages in universal provenance log with log message string control flow paths LMS Universal Paths DB • Generates execution partition graph Provenance Log • Then add application log messages vertices to Log Parser Symptom execution-partitioned provenance graph • Final output: universal provenance graph Universal Provenance Graphs 22

  23. Back to our case study 23

  24. Provenance graph Application Logs v v HAProxy v … haproxy[30291]: x.x.x.x:45292 [TIME REMOVED] app- http-in~app-bd/httpd-2 10/0/30/69/109 200 2750 HAProxy POST /wordpress/ wp-admin/admin-ajax.php 200 … v v ??? Apache Httpd … y.y.y.y POST /wordpress/wp-admin/admin- index.html ajax.php 200 - http://shopping.com/wordpress/ Apache Httpd wp-admin/ admin.php?page=file-manager_setting … user.php ??? v v PostgreSQL … SELECT * FROM users WHERE user_id=123 UNION SELECT password FROM accounts; /usr/local/db/datafile.db PostgreSQL … 24

Recommend

ACHIEVING HIGH FIDELITY ASSERTIVE COMMUNITY TREATMENT THROUGH THE IMPLEMENTATION OF FIDELITY

ACHIEVING HIGH FIDELITY ASSERTIVE COMMUNITY TREATMENT THROUGH THE IMPLEMENTATION OF FIDELITY

ACHIEVING HIGH FIDELITY ASSERTIVE COMMUNITY TREATMENT THROUGH THE IMPLEMENTATION OF FIDELITY EVALUATION AND TECHNICAL ASSISTANCE Lorna Moser, Ph.D. ACT TA Center Center for Excellence in Community Mental Health, UNC Department of Psychiatry

691 views • 46 slides
1 L Nov-29-05 SMD157, High-Fidelity Prototyping Overview Prototyping revisited

1 L Nov-29-05 SMD157, High-Fidelity Prototyping Overview Prototyping revisited

INSTITUTIONEN FR SYSTEMTEKNIK LULE TEKNISKA UNIVERSITET High-Fidelity Prototyping and Flash SMD157 Human-Computer Interaction Fall 2005 1 L Nov-29-05 SMD157, High-Fidelity Prototyping Overview Prototyping revisited

689 views • 10 slides
High-fidelity Accelerated Design of High-performance Electrochemical Systems Rachel Kurchin

High-fidelity Accelerated Design of High-performance Electrochemical Systems Rachel Kurchin

High-fidelity Accelerated Design of High-performance Electrochemical Systems Rachel Kurchin Postdoctoral Fellow, Carnegie Mellon University 2 Our Team CMU Citrine Informatics Julia Computing MIT QuantumScape External

78 views • 6 slides
High Fidelity Imaging Rick Perley, NRAO-Socorro Twelfth Synthesis Imaging Workshop 2010 June

High Fidelity Imaging Rick Perley, NRAO-Socorro Twelfth Synthesis Imaging Workshop 2010 June

High Fidelity Imaging Rick Perley, NRAO-Socorro Twelfth Synthesis Imaging Workshop 2010 June 8-15 1 What is High Fidelity Imaging? Getting the Correct Image limited only by noise. The best dynamic ranges (brightness

595 views • 33 slides
AIQL : Enabling Efficient Attack Investigation from System Monitoring Data Peng Gao 1 , Xusheng

AIQL : Enabling Efficient Attack Investigation from System Monitoring Data Peng Gao 1 , Xusheng

AI AIQL : Enabling Efficient Attack Investigation from System Monitoring Data Peng Gao 1 , Xusheng Xiao 2 , Zhichun Li 3 , Kangkook Jee 3 , Fengyuan Xu 4 , Sanjeev R. Kulkarni 1 , Prateek Mittal 1 1 Princeton University 2 Case Western Reserve

800 views • 34 slides
RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking Y.

RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking Y.

RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking Y. Ji, S. Lee, E. Downing, et.al. CCS17 Presented by: Mohammad A. Noureddine CS563 Fall 2018 No Shortage of Recent Breaches! 1 Investigating

804 views • 28 slides
Reproducible Network Research With High-Fidelity Emula<on Nikhil

Reproducible Network Research With High-Fidelity Emula<on Nikhil

Reproducible Network Research With High-Fidelity Emula<on Nikhil Handigol + , Brandon Heller + , Bob Lantz * , Vimal Jeyakumar + , Nick McKeown + + Stanford

813 views • 65 slides
Nursing Students Perceptions of Satisfaction and Self-Confidence with High Fidelity Simulation

Nursing Students Perceptions of Satisfaction and Self-Confidence with High Fidelity Simulation

Nursing Students Perceptions of Satisfaction and Self-Confidence with High Fidelity Simulation Geraldine M. Berkvam, MSN, RN, FNP, PHN Department of Nursing and Health Sciences California State University, East Bay, Hayward, CA, USA

351 views • 19 slides
AjaxTracker: Active Measurement System for High-Fidelity Characterization of AJAX Applications

AjaxTracker: Active Measurement System for High-Fidelity Characterization of AJAX Applications

AjaxTracker: Active Measurement System for High-Fidelity Characterization of AJAX Applications Myungjin Lee , Ramana Rao Kompella, Sumeet Singh Purdue University, Cisco Systems Wind of changes Asynchronous Javascript Migration

503 views • 22 slides
High-fidelity Numerical Simulations of Collapsing Cavitation Bubbles Near Solid and Elastically

High-fidelity Numerical Simulations of Collapsing Cavitation Bubbles Near Solid and Elastically

High-fidelity Numerical Simulations of Collapsing Cavitation Bubbles Near Solid and Elastically Deformable Objects Mauro Rodriguez 1 , Shahaboddin Beig 1 , Zhen Xu 2 , and Eric Johnsen 1 1 Department of Mechanical Engineering, University of

422 views • 26 slides
HIGH-FIDELITY AERO-STRUCTURAL DESIGN OPTIMIZATION OF A SUPERSONIC BUSINESS JET Joaquim R. R. A.

HIGH-FIDELITY AERO-STRUCTURAL DESIGN OPTIMIZATION OF A SUPERSONIC BUSINESS JET Joaquim R. R. A.

HIGH-FIDELITY AERO-STRUCTURAL DESIGN OPTIMIZATION OF A SUPERSONIC BUSINESS JET Joaquim R. R. A. Martins Juan J. Alonso James J. Reuther Department of Aeronautics and Astronautics Stanford University AIAA Structures, Structural Dynamics and

580 views • 28 slides
Electron Volt neutron spectroscopy at high- and low-q investigation of high energy excitations

Electron Volt neutron spectroscopy at high- and low-q investigation of high energy excitations

Electron Volt neutron spectroscopy at high- and low-q investigation of high energy excitations in condensed matter and detector development Antonino Pietropaolo 06-05-2004 OUTLINE Physical context Kinematical constraints

282 views • 24 slides
High-Fidelity Venus Surface Conditions using the Glenn Extreme Environment Rig: First Results

High-Fidelity Venus Surface Conditions using the Glenn Extreme Environment Rig: First Results

Reaction of Basaltic Materials under High-Fidelity Venus Surface Conditions using the Glenn Extreme Environment Rig: First Results Brandon Radoman-Shaw (CWRU) bgs21@case.edu Ralph Harvey (CWRU) Gustavo C. C. C. Costa (NASA-GRC) Leah Nakley

169 views • 15 slides
Gasification of Plastic Waste: Kinetic Evaluation and High Fidelity Numerical Simulation Isam

Gasification of Plastic Waste: Kinetic Evaluation and High Fidelity Numerical Simulation Isam

NAXOS 2018 Gasification of Plastic Waste: Kinetic Evaluation and High Fidelity Numerical Simulation Isam Janajreh Idowu Adeyemi Dept. Of Mechanical & Materials Engineering Khalifa University of Science & Technology, Masdar Campus Abu Dhabi,

714 views • 25 slides
AERO-STRUCTURAL WING DESIGN OPTIMIZATION USING HIGH-FIDELITY SENSITIVITY ANALYSIS Joaquim R. R.

AERO-STRUCTURAL WING DESIGN OPTIMIZATION USING HIGH-FIDELITY SENSITIVITY ANALYSIS Joaquim R. R.

AERO-STRUCTURAL WING DESIGN OPTIMIZATION USING HIGH-FIDELITY SENSITIVITY ANALYSIS Joaquim R. R. A. Martins Juan J. Alonso James Reuther Department of Aeronautics and Astronautics Stanford University CEAS Conference on Multidisciplinary

731 views • 26 slides
5/8/2018 The Journey to Implementation Fidelity in High School Settings The Boggs Center on

5/8/2018 The Journey to Implementation Fidelity in High School Settings The Boggs Center on

5/8/2018 The Journey to Implementation Fidelity in High School Settings The Boggs Center on Developmental Disabilities Rutgers, The State University of New Jersey In Partnership with the Offices of Special Education New Jersey Department of

227 views • 20 slides
Intension, Attitude, and Tense Annotation in a High-Fidelity Semantic Representation Gene Kim and

Intension, Attitude, and Tense Annotation in a High-Fidelity Semantic Representation Gene Kim and

Intension, Attitude, and Tense Annotation in a High-Fidelity Semantic Representation Gene Kim and Lenhart Schubert Presented by: Gene Kim April 2017 Project Overview Project: Annotate a large, topically varied dataset of sentences (e.g. Brown

531 views • 42 slides
The Velocity of Censorship: High-Fidelity Detection of Microblog Post Deletions Tao Zhu

The Velocity of Censorship: High-Fidelity Detection of Microblog Post Deletions Tao Zhu

The Velocity of Censorship: High-Fidelity Detection of Microblog Post Deletions Tao Zhu Independent Researcher David Phipps Bowdoin College Adam Pridgen Rice University Jedidiah R. Crandall University of New Mexico Dan S. Wallach Rice University

547 views • 28 slides
High-Fidelity Image Generation With Fewer Labels Michael Tschannen* Mario Lucic* Marvin

High-Fidelity Image Generation With Fewer Labels Michael Tschannen* Mario Lucic* Marvin

High-Fidelity Image Generation With Fewer Labels Michael Tschannen* Mario Lucic* Marvin Rituer* Xiaohua Zhai Olivier Bachem Sylvain Gelly *equal contribution Generative Adversarial Networks (GANs): Recent Progress BigGAN (Brock,

811 views • 15 slides
High-Fidelity Augmented Reality Interactions Hrvoje Benko Researcher, MSR Redmond New generation

High-Fidelity Augmented Reality Interactions Hrvoje Benko Researcher, MSR Redmond New generation

High-Fidelity Augmented Reality Interactions Hrvoje Benko Researcher, MSR Redmond New generation of interfaces Instead of interacting through indirect input devices (mice and keyboard), the user is interacting directly with the content.

965 views • 77 slides
High Fidelity Simulations of Large-Scale Wireless Networks Bob Cole, Anand Ganti, Uzoma Onunkwo,

High Fidelity Simulations of Large-Scale Wireless Networks Bob Cole, Anand Ganti, Uzoma Onunkwo,

High Fidelity Simulations of Large-Scale Wireless Networks Bob Cole, Anand Ganti, Uzoma Onunkwo, Richard Schroeppel, Michael Scoggin, Brian Van Leeuwen June 17, 2016 Sandia National Laboratories is a multi-program laboratory managed and operated

134 views • 10 slides
Butter High-Fidelity Prototype 1 Our Team James Rose Elan Isha Schull Li Halpern Kumar

Butter High-Fidelity Prototype 1 Our Team James Rose Elan Isha Schull Li Halpern Kumar

Butter High-Fidelity Prototype 1 Our Team James Rose Elan Isha Schull Li Halpern Kumar 2 A farmers market in the palm of your hand. 3 The Problem The food sourcing supply chain is rife with ambiguity and inefficiency: the lack of

670 views • 32 slides
Tier 2 Fidelity Data: Strengthening your Tier 2 PBIS Implementation: Using Fidelity Measures to

Tier 2 Fidelity Data: Strengthening your Tier 2 PBIS Implementation: Using Fidelity Measures to

Tier 2 Fidelity Data: Strengthening your Tier 2 PBIS Implementation: Using Fidelity Measures to Promote Growth in Tier 2 Implementation March 2020 Celeste Rossetto Dickey, M.Ed. University of Oregon Introductions and Welcome School Staff

865 views • 55 slides

About Us Focus on targeted attack investigation, incident response, and threat solution research for more than 15 years

1.03k views • 59 slides

More recommend