Syzygy - PowerPoint PPT Presentation

Presentation Transcript

  1. Syzygy Community Epidemic Detection Adam J. Oliner Naeim Semsarilar Alex Aiken

  2. Goal Detect bad behavior in homogenous software communities ALERT! Application

  3. Homogenous Communities • Bad News • Uniform • Large

  4. Homogenous Communities • Good News • Uniform • Large Bigger is Better

  5. Using the Community • More data • Rare data • Independent data • Heroes

  6. Today’s Menu • Bigger is Better • Syzygy • What’s New • What’s Next

  7. Syzygy • Model application • Report anomalies • Detect epidemic

  8. Syzygy: Key Idea • Clients should behave independently • Correlated anomalies unlikely • … unless shared dependence (exploit) • Flag Day in Fargo

  9. Model: Approach • Black box • Sequences of system calls • connect.gettimeofday.recv.gettimeofday.write.write • read.read.close.munmap.open.fcntl64

  10. The Model
  The model of an application is the set of all sequences of six consecutive system calls it has made.
  Example trace: A A A A A A A B
  1 - A.A.A.A.A.A
  2 - A.A.A.A.A.B

  11. Model: Dynamic Analysis

  12. Anomalies • Local violations of the model • New sequence • Rare
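The model of slide 10 and the anomaly check of slide 12, written out as an added example in Python (the language of the syzygy-server.py tool shown later in the deck); this is not the Syzygy project's own code. The traces, the call names and the 1% rare-fraction threshold are constructed assumptions for illustration, not Syzygy's settings.

```python
"""Added example, not code from the Syzygy project: the black-box model of
slide 10 and the local anomaly check of slide 12. The model of an application
is the set of all windows of six consecutive system calls seen while training;
a window in a monitored trace is an anomaly if it is new (never seen) or rare
(seen in training less often than a chosen fraction of all windows). The
traces, the rare-fraction threshold and the call names are constructed for
illustration and are not Syzygy's settings."""
from collections import Counter

WINDOW = 6  # six consecutive system calls, as on slide 10


def windows(calls, n=WINDOW):
    """Yield every run of n consecutive calls as a dotted sequence string."""
    for i in range(len(calls) - n + 1):
        yield ".".join(calls[i:i + n])


def train(trace, n=WINDOW):
    """Build the model: how often each n-call window occurred in training."""
    return Counter(windows(trace, n))


def anomalies(model, trace, n=WINDOW, rare_fraction=0.01):
    """Return (kind, sequence) for each anomalous window in a monitored trace.

    kind is "new" when the window never occurred during training, and "rare"
    when it occurred but made up less than rare_fraction of all training windows.
    """
    total = sum(model.values())
    found = []
    for seq in windows(trace, n):
        count = model.get(seq, 0)
        if count == 0:
            found.append(("new", seq))
        elif count / total < rare_fraction:
            found.append(("rare", seq))
    return found


# Constructed training trace: a request-handling loop repeated many times,
# with one infrequent path (a stat64/open before the read) seen only once.
COMMON_LOOP = ["select", "accept", "fork", "wait4", "sigreturn", "read", "write", "close"]
RARE_PATH = ["select", "accept", "fork", "wait4", "sigreturn", "stat64", "open", "read"]
TRAINING = COMMON_LOOP * 200 + RARE_PATH + COMMON_LOOP * 200
MODEL = train(TRAINING)

# Constructed monitored trace: normal traffic, then a call pattern the model
# never saw during training (a new socket followed by an execve), the kind of
# sequence a server process that has stopped doing its normal job produces.
INTRUSION = ["socket", "connect", "dup2", "dup2", "execve"]
MONITORED = COMMON_LOOP * 3 + INTRUSION

if __name__ == "__main__":
    print(f"model: {len(MODEL)} distinct windows from {sum(MODEL.values())} training windows")
    for kind, seq in anomalies(MODEL, MONITORED):
        print(f"Local Anomaly ({kind}): {seq}")
```

Every window that overlaps the injected calls is reported as new, while the stat64/open path, which training did see exactly once, is reported as rare rather than new; the rare class is what the "Rare" bullet on slide 12 adds over a plain set-membership model.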

  13. Report Anomalies

  14. Detect Epidemic • Community event • Several local anomalies • Short window of time • Notify Vernier

  15. Detect Epidemic

  16. What’s New • Integration with Vernier • Wild exploit • Wild experiment

  17. Integration with Vernier

  18. Wild Exploit • Samba vulnerability • Buffer overflow in smbd • Execute remote shell • April 2003 Bugtraq advisory

  19. Wild Experiment • Train on six Vernier nodes • Samba and Syzygy inside Linux VM • Workload generator • Monitor under workload • Release exploit into community

  20. Experiment: Train Faster

  21. Experiment: Startup
  • [root@vernier3 vernier]# ./syzygy-server.py -p 5555 -n "shelves/samba.shelf" -m
  • Shelf 'shelves/samba.shelf' exists, resuming...
  • [1182536201.405299] VERNIER Server started on port 5555 in Monitoring mode.
  • [1182537150.093904] Client joined: 10.3.3.133:32770
  • [1182537151.599924] Client joined: 10.3.3.134:32770
  • [1182537153.184554] Client joined: 10.3.3.135:32770
  • [1182537207.236289] Client joined: 10.3.3.137:32770
  • [1182537208.789680] Client joined: 10.3.3.138:32770
  • [1182537210.405664] Client joined: 10.3.3.139:32770

  22. Experiment: Quiet Time
  • …
  • [1182537582.204169] Local Anomaly: 10.3.3.133:32770, geteuid32.write.geteuid32.write.close.select
  • [1182537653.921447] Local Anomaly: 10.3.3.133:32770, wait4.sigreturn.stat64.accept.fork.wait4
  • [1182537653.922954] Local Anomaly: 10.3.3.133:32770, sigreturn.stat64.accept.fork.wait4.wait4
  • [1182537731.022635] Local Anomaly: 10.3.3.133:32770, write.geteuid32.write.close.select.close
  • …

  23. Experiment: Epidemic
  • [1182539016.398678] Local Anomaly: 10.3.3.134:32807, sigreturn.select.wait4.wait4.sigreturn.time
  • …
  • [1182539016.877422] Local Anomaly: 10.3.3.135:32807, select.wait4.wait4.sigreturn.time.accept
  • …
  • [1182539017.338386] Local Anomaly: 10.3.3.138:32805, write.geteuid32.write.geteuid32.write.socket
  • [1182539017.338450] Epidemic: ['10.3.3.138:32805', '10.3.3.135:32807', '10.3.3.134:32807']
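The epidemic step of slide 14 ("several local anomalies in a short window of time"), run over anomaly lines in the log format of slides 22 and 23, as an added example in Python; it is not the Syzygy server's own code. The window width (10 seconds), the client threshold (3 distinct clients) and the most-recent-first ordering of the reported clients are assumptions chosen for the example. The quiet-time lines from one client produce nothing, while the three clients reporting within a second of each other produce an epidemic.

```python
"""Added example, not the Syzygy server's code: the community epidemic check
of slide 14 applied to 'Local Anomaly' lines in the log format of slides 22
and 23. An epidemic is raised when at least MIN_CLIENTS distinct clients report
a local anomaly within WINDOW_SECONDS of one another. Both parameters and the
ordering of the client list are assumptions chosen for the example."""
import re
from collections import deque

WINDOW_SECONDS = 10.0  # assumed width of the "short window of time"
MIN_CLIENTS = 3        # assumed number of distinct clients that makes an epidemic

# One anomaly report per line: "[timestamp] Local Anomaly: host:port, seq"
LINE_RE = re.compile(
    r"^\[(?P<ts>\d+\.\d+)\] Local Anomaly: (?P<client>[\d.]+:\d+), (?P<seq>\S+)$"
)


def parse_anomaly(line):
    """Return (timestamp, client, sequence) for an anomaly line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m.group("ts")), m.group("client"), m.group("seq")


def detect_epidemics(lines, window=WINDOW_SECONDS, min_clients=MIN_CLIENTS):
    """Return (timestamp, [clients]) for each epidemic found in the lines.

    Reports older than `window` seconds fall out of consideration. Several
    reports from one client count once, so a single noisy client (the
    quiet-time case) never becomes an epidemic. Clients are listed most recent
    first. Once an epidemic is raised the window is cleared so the same burst
    is not raised again on every following report.
    """
    recent = deque()  # (timestamp, client) for reports inside the window
    epidemics = []
    for line in lines:
        parsed = parse_anomaly(line)
        if parsed is None:
            continue  # elided "..." lines and non-anomaly log lines
        ts, client, _seq = parsed
        recent.append((ts, client))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        latest = {}  # client -> timestamp of its most recent report in the window
        for t, c in recent:
            latest[c] = t
        if len(latest) >= min_clients:
            clients = sorted(latest, key=latest.get, reverse=True)
            epidemics.append((ts, clients))
            recent.clear()
    return epidemics


# Sample input taken from the anomaly lines shown on slides 22 and 23; the
# "..." entries stand in for the elided lines and are skipped by the parser.
QUIET_TIME_LOG = [
    "[1182537582.204169] Local Anomaly: 10.3.3.133:32770, geteuid32.write.geteuid32.write.close.select",
    "[1182537653.921447] Local Anomaly: 10.3.3.133:32770, wait4.sigreturn.stat64.accept.fork.wait4",
    "[1182537653.922954] Local Anomaly: 10.3.3.133:32770, sigreturn.stat64.accept.fork.wait4.wait4",
    "[1182537731.022635] Local Anomaly: 10.3.3.133:32770, write.geteuid32.write.close.select.close",
]
EPIDEMIC_LOG = [
    "[1182539016.398678] Local Anomaly: 10.3.3.134:32807, sigreturn.select.wait4.wait4.sigreturn.time",
    "...",
    "[1182539016.877422] Local Anomaly: 10.3.3.135:32807, select.wait4.wait4.sigreturn.time.accept",
    "...",
    "[1182539017.338386] Local Anomaly: 10.3.3.138:32805, write.geteuid32.write.geteuid32.write.socket",
]

if __name__ == "__main__":
    for ts, clients in detect_epidemics(QUIET_TIME_LOG + EPIDEMIC_LOG):
        print(f"[{ts:.6f}] Epidemic: {clients}")
```

Counting distinct clients rather than raw reports is the point of slide 8: a single client can violate its own model repeatedly without implying anything about the community, but independent clients going anomalous together within seconds is the correlated event the detector is after.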

  24. What’s Next • Quantify false positives • Desired dependence • Multi-user deployment

  25. Bigger is Better • More data • Rare data • Independent data • Heroes • Syzygy • Community epidemic detection • Correlated anomalies