Presentation Transcript

Saurabh Bagchi

The Center for Education and Research in Information Assurance and Security (CERIAS)

School of Electrical and Computer Engineering

Purdue University

Countering Evolving Threats in Distributed Applications: Scientific Principles

Joint work with: Gaspar Howard, Chris Gutierrez, Jeff Avery, Alan Qi (Purdue); Guy Lebanon (Amazon); Donald Steiner (Northrop Grumman)

Work Supported By: Northrop Grumman, NSF


What is Special about Distributed System Security?

  • Most of our critical infrastructure is built out of careful orchestration of multiple distributed services

    • Banking, Military mission planning, Power grid, …

  • Distributed infrastructure means

    • Many machines, possibly under different admin domains

    • Many users, external and internal

    • Dynamic environment where software gets upgraded, new users are added, new machines are added

  • Attack surface is large and changing

    • All of the above dynamic factors cause this

    • Attack may originate from outside or inside


Three Big Trends in Threats Against Distributed Systems

  • Attack at the point of least resistance

    • Find a vulnerable outward-facing service, OR

    • Initiate an insider attack

  • Exploit zero-day vulnerabilities in any constituent service

    • Thriving black market in zero-day vulnerabilities

    • Tweak existing attack vectors to bypass rigid defense systems

  • Set up a covert channel for leaking sensitive information

    • Relevant for systems with highly sensitive but low-volume data

    • Timing channels, storage channels


Current Approaches against These Three Threat Vectors

  • Attack at the point of least resistance

    • Create an ever more rigid perimeter

    • Improve the IDS alerting mechanisms, build alert correlation

  • Exploit zero-day vulnerabilities in any constituent service

    • Hope white hats (vendors, open source devs) find these before the black hats

    • Some impactful work in detecting metamorphic malware

  • Set up a covert channel for leaking sensitive information

    • Only ad-hoc techniques, leading to an arms race

    • Timing channels: perturb the timing of actions indiscriminately

    • Storage channels: “null out” the values of all unused storage elements


Desired Characteristics of Solutions

  • Clean slate design approach

    • Build individual services following secure design principles

    • Includes randomization, use of type safe programming languages, static vulnerability checking, dynamic taint analysis

OR

  • Bolt security on

    • Embed secure layer on constituent services, not relying only on an impenetrable perimeter

    • Use the power of big data – lots of users, lots of machines, lots of workloads

    • Learn from mistakes, i.e., the attacks that succeed – allow expert security admins to provide input to automated system




Automatic Generation and Update of IDS Signatures: SQLi

  • First for SQL injection attacks

    • Crawls multiple public cybersecurity portals to collect attack samples

    • Extracts a rich set of features from the attack samples

    • Applies a clustering technique to the samples, giving the distinctive features for each cluster

    • A generalized signature is created for each cluster, using logistic regression modeling
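The pipeline on this slide (collect samples, extract features, cluster, fit a per-cluster logistic regression whose weights become the generalized signature), as an added example that is not the authors' code. The ten payloads are constructed stand-ins for samples crawled from public portals, the eight lexical features are my choice, and k-means with farthest-first seeding is an assumed clustering technique since the slide names none; logistic regression is trained one-vs-rest per cluster with plain gradient descent.

```python
import math
import re

# Constructed SQLi payloads standing in for samples crawled from public portals.
SAMPLES = [
    "' OR 1=1 --",
    "admin' OR '1'='1'",
    "' or 'a'='a' --",
    "1 OR 1=1",
    "' UNION SELECT username, password FROM users --",
    "1 UNION SELECT NULL, NULL",
    "' UNION ALL SELECT 1,2,3 #",
    "1 AND BENCHMARK(1000000,MD5(1)) --",
    "' AND SLEEP(5) --",
    "1'; WAITFOR DELAY '0:0:5' --",
]

# Binary lexical features: (name, regex matched against the lower-cased payload). Assumed feature set.
FEATURES = [
    ("quote", r"'"),
    ("comment", r"--|#|/\*"),
    ("or", r"\bor\b"),
    ("tautology", r"'?(\w+)'?\s*=\s*'?\1\b"),   # 1=1, '1'='1', 'a'='a'
    ("union", r"\bunion\b"),
    ("select", r"\bselect\b"),
    ("time_delay", r"sleep\(|benchmark\(|waitfor\s+delay"),
    ("stacked", r";"),
]


def extract_features(payload):
    text = payload.lower()
    return [1 if re.search(pattern, text) else 0 for _, pattern in FEATURES]


def sqdist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(vectors, k, iters=20):
    # Farthest-first seeding keeps the run deterministic (no random module needed).
    centroids = [list(vectors[0])]
    while len(centroids) < k:
        far = max(range(len(vectors)), key=lambda i: min(sqdist(vectors[i], c) for c in centroids))
        centroids.append(list(vectors[far]))
    labels = [0] * len(vectors)
    for _ in range(iters):
        new_labels = [min(range(k), key=lambda j: sqdist(v, centroids[j])) for v in vectors]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [v for v, lab in zip(vectors, labels) if lab == j]
            if members:
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    return labels


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic(X, y, epochs=500, lr=0.5):
    # Batch gradient descent on the logistic loss; returns (weights, bias).
    n, d = len(X), len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * d, 0.0
        for xi, yi in zip(X, y):
            err = sigmoid(sum(wj * xj for wj, xj in zip(w, xi)) + b) - yi
            for j in range(d):
                grad_w[j] += err * xi[j]
            grad_b += err
        w = [wj - lr * gj / n for wj, gj in zip(w, grad_w)]
        b -= lr * grad_b / n
    return w, b


def build_signatures(samples, k=3):
    # One logistic model per cluster (cluster vs. rest); its largest positive weights
    # are the distinctive features that the generalized signature keys on.
    X = [extract_features(s) for s in samples]
    labels = kmeans(X, k)
    signatures = []
    for j in range(k):
        w, b = train_logistic(X, [1 if lab == j else 0 for lab in labels])
        ranked = sorted(range(len(w)), key=lambda i: w[i], reverse=True)
        signatures.append({
            "cluster": j,
            "members": [s for s, lab in zip(samples, labels) if lab == j],
            "weights": w,
            "bias": b,
            "top_features": [FEATURES[i][0] for i in ranked[:2]],
        })
    return signatures


def matches(signature, payload):
    x = extract_features(payload)
    z = sum(wj * xj for wj, xj in zip(signature["weights"], x)) + signature["bias"]
    return sigmoid(z) > 0.5


if __name__ == "__main__":
    for sig in build_signatures(SAMPLES):
        print(sig["cluster"], sig["top_features"], sig["members"])
```

A payload never seen in the crawl, such as `' OR 'x'='x'`, matches the tautology cluster's signature because it carries the cluster's distinctive features, not because it is a byte-for-byte known string; that is the generalization the slide is after.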


Automatic Generation and Update of Signatures: Phishing

  • Next for phishing attacks

  • Phishing-specific features are created

    • Word features determined using word frequency counting

    • Based on common phishing features, e.g., # links, # image tags

    • Sentiment analysis for determining words conveying a sense of change and urgency that attackers attempt to portray to the user

  • Phishing emails (corpus from Purdue’s IT organization) are parsed from mbox files as input


Phishing: Preliminary Results

  • Each cluster forms a general story about the emails contained within it, from which the basis of the attack can be deduced

    • For example, for cluster 4, the attack is trying to get the user to update information for their banking account; this cluster includes features such as "below, need, dear, update, customer, account, bank"

  • It is much easier to train users on the attack signature of each cluster than on the mass of individual emails
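The phishing feature extraction on the previous slide and the per-cluster "story" on this one, as an added example that is not the authors' code and does not use Purdue's corpus. The three-message mbox is constructed inline (two bank-account lures and one benign notice); the stop-word list and the small urgency lexicon are assumptions, the lexicon standing in for the sentiment analysis the slide mentions. The cluster story is the set of words with the highest document frequency within a group of emails, which is one way to read "features such as below, need, dear, update, customer, account, bank".

```python
import mailbox
import os
import re
import tempfile
from collections import Counter

# Constructed mbox with three messages; NOT real phishing mail. Body lines must not start with "From ".
SAMPLE_MBOX = """From service@example.invalid Mon Jan  1 09:00:00 2024
From: "Customer Service" <service@example.invalid>
To: user@example.invalid
Subject: Urgent: update your account
Content-Type: text/html

<html><body>Dear customer,<p>We need you to update your bank account
information immediately. Click the link below:</p>
<a href="http://example.invalid/login">Update now</a>
<img src="http://example.invalid/logo.png"></body></html>

From alerts@example.invalid Mon Jan  1 09:05:00 2024
From: "Account Alerts" <alerts@example.invalid>
To: user@example.invalid
Subject: Action required: account verification
Content-Type: text/html

<html><body>Dear valued customer,<p>Your bank account will be suspended
unless you verify it within 24 hours. Please use the button below; we need
your details to update our records.</p>
<a href="http://example.invalid/verify">Verify</a></body></html>

From lab@example.invalid Mon Jan  1 09:10:00 2024
From: "Lab Admin" <lab@example.invalid>
To: user@example.invalid
Subject: Lab meeting moved
Content-Type: text/plain

Hi all, the weekly lab meeting moves to Thursday at 3pm. Slides are on
the shared drive.
"""

# Assumed lexicons: a minimal stop-word list and an urgency/change word list.
STOPWORDS = {"a", "an", "and", "are", "at", "be", "for", "in", "is", "it", "of", "on",
             "our", "that", "the", "this", "to", "we", "will", "with", "you", "your"}
URGENCY_WORDS = {"urgent", "immediately", "now", "suspended", "verify", "within",
                 "expire", "limited", "action", "required"}


def load_messages(mbox_text):
    # mailbox.mbox needs a path, so the constructed text is written to a temp file.
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as tmp:
        tmp.write(mbox_text)
        path = tmp.name
    box = mailbox.mbox(path)
    try:
        return list(box)
    finally:
        box.close()
        os.unlink(path)


def body_text(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def message_features(msg):
    html = body_text(msg)
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    words = [w for w in re.findall(r"[a-z]+", text) if w not in STOPWORDS]
    return {
        "subject": msg.get("Subject", ""),
        "num_links": len(re.findall(r"<a\s[^>]*href", html, re.I)),
        "num_images": len(re.findall(r"<img\b", html, re.I)),
        "urgency": sum(1 for w in words if w in URGENCY_WORDS),
        "words": Counter(words),
    }


def featurize_mbox(mbox_text):
    return [message_features(m) for m in load_messages(mbox_text)]


def cluster_story(features, n=7):
    # Words present in the most emails of the group summarise what the lure is about.
    df = Counter()
    for f in features:
        df.update(set(f["words"]))
    return [w for w, _ in df.most_common(n)]


if __name__ == "__main__":
    feats = featurize_mbox(SAMPLE_MBOX)
    for f in feats:
        print(f["subject"], f["num_links"], f["num_images"], f["urgency"])
    print(cluster_story(feats[:2]))
```

The two lures are passed to cluster_story as if a clustering step had already grouped them; on this input the story comes out as exactly the seven words quoted on the slide, while the benign notice has no links and no urgency hits.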


Covert Timing Channels

  • Designed a covert network timing channel imitating long-range dependent (LRD) legitimate traffic

    • Can be hidden in Web traffic, the most observed traffic on the Internet today

    • Statistically indistinguishable from real traffic

    • Evades the best available detection methods

  • Data rate: 2 – 6 bits/second

  • Decoding error: 3% – 6%

  • Solution approach

    • Examine autocorrelation function values of the traffic timing

    • Look for the Hurst parameter value that characterizes LRD traffic
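The two detection statistics named under "Solution approach", as an added example that is not the authors' code. It computes the autocorrelation function and an aggregated-variance Hurst estimate over inter-packet delays and flags a series that lacks LRD structure. The "legitimate" traffic is a constructed ARFIMA(0, d, 0) series (Hurst H = d + 0.5, so 0.75 here), an assumed stand-in for LRD web traffic; the covert channel is a deliberately naive one that encodes each bit as one of two delays, which is exactly the kind of short-range signal this check catches. The authors' channel, which imitates LRD traffic, is designed to pass such a check, so this example demonstrates the detector's features rather than a defeat of their channel.

```python
import math
import random


def fractional_noise(n, d=0.25, seed=7, max_lag=256):
    # ARFIMA(0,d,0): x_t = sum_k psi_k e_{t-k}, psi_k = Gamma(k+d)/(Gamma(d) Gamma(k+1)),
    # truncated at max_lag. Long-range dependent with H = d + 0.5. Assumed traffic model.
    rng = random.Random(seed)
    psi = [1.0]
    for k in range(1, max_lag + 1):
        psi.append(psi[-1] * (k - 1 + d) / k)
    noise = [rng.gauss(0.0, 1.0) for _ in range(n + max_lag)]
    return [sum(psi[k] * noise[t + max_lag - k] for k in range(max_lag + 1)) for t in range(n)]


def legit_like_delays(n, seed=7):
    # Inter-packet delays in ms around a 50 ms mean; clipping at 1 ms is essentially never hit.
    return [max(1.0, 50.0 + 10.0 * x) for x in fractional_noise(n, seed=seed)]


def random_bits(n, seed=1):
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def naive_covert_delays(bits, zero_ms=20.0, one_ms=60.0):
    # Naive timing channel: one delay value per bit, i.i.d. bits -> no long-range memory.
    return [one_ms if b else zero_ms for b in bits]


def naive_decode(delays, threshold_ms=40.0):
    return [1 if dly > threshold_ms else 0 for dly in delays]


def mean(x):
    return sum(x) / len(x)


def variance(x):
    m = mean(x)
    return sum((v - m) ** 2 for v in x) / len(x)


def autocorrelation(x, lag):
    m = mean(x)
    num = sum((x[t] - m) * (x[t + lag] - m) for t in range(len(x) - lag))
    den = sum((v - m) ** 2 for v in x)
    return num / den


def hurst_aggregated_variance(x, block_sizes=(1, 2, 4, 8, 16, 32, 64)):
    # Var(block mean) ~ m^(2H-2); least-squares slope of log Var vs log m gives H.
    pts = []
    for m in block_sizes:
        means = [mean(x[i:i + m]) for i in range(0, len(x) - m + 1, m)]
        pts.append((math.log(m), math.log(variance(means))))
    xbar = mean([p[0] for p in pts])
    ybar = mean([p[1] for p in pts])
    slope = (sum((a - xbar) * (b - ybar) for a, b in pts)
             / sum((a - xbar) ** 2 for a, _ in pts))
    return 1.0 + slope / 2.0


def lrd_check(delays, lags=(1, 2, 4), min_hurst=0.6, min_acf=0.05):
    # Flags traffic whose timing lacks the LRD signature (positive ACF at short lags, H > 0.5).
    acfs = {lag: autocorrelation(delays, lag) for lag in lags}
    h = hurst_aggregated_variance(delays)
    lrd_like = h >= min_hurst and all(r > min_acf for r in acfs.values())
    return {"hurst": h, "acf": acfs, "lrd_like": lrd_like}


if __name__ == "__main__":
    bits = random_bits(4096)
    print("covert :", lrd_check(naive_covert_delays(bits)))
    print("legit  :", lrd_check(legit_like_delays(4096)))
```

The thresholds are illustrative: the naive channel fails with H near 0.5 and autocorrelations near zero, while the ARFIMA series shows H around 0.7 and a lag-1 autocorrelation near d/(1-d) = 1/3. A channel that shapes its delays to reproduce both statistics, as the slide's channel does, would not be separated by this check alone.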


Take Aways

  • Distributed applications need to be protected

  • Three emerging trends

    • Attack at the point of least resistance

    • Exploit zero-day vulnerabilities in any constituent service

    • Set up a covert channel for leaking sensitive information

  • Lessons for countering these trends

    • If clean slate design is possible for some services, use a comprehensive set of secure design principles: randomization, use of type safe programming languages, static vulnerability checking, dynamic taint analysis

    • If security needs to be bolted on, look at internal security, not just perimeter security

    • Big data advances can enable learning from large volumes of existing data to extrapolate to new attack types


Presentation available at: Dependable Computing Systems Lab (DCSL) web site, engineering.purdue.edu/dcsl

