Outline. Introduction. State-of-the-art Forensic Methods. Hardware-based Workload Forensics. Experimental Results. Summary. OS level Hypervisor level



Similar documents
A Study on Detection of Hacking and Malware Codes in Bare Metal Hypervisor for Virtualized Internal Environment of Cloud Service

SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID

Architecting for the next generation of Big Data Hortonworks HDP 2.0 on Red Hat Enterprise Linux 6 with OpenJDK 7

Windows Server Virtualization & The Windows Hypervisor

Intel Virtualization Technology Overview Yu Ke

Virtualization and Cloud Computing. The Threat of Covert Channels. Related Work. Zhenyu Wu, Zhang Xu, and Haining Wang 1

Before we can talk about virtualization security, we need to delineate the differences between the

Cloud Computing through Virtualization and HPC technologies

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

PFP Technology White Paper

Technical Investigation of Computational Resource Interdependencies

Performance Monitoring of the Software Frameworks for LHC Experiments

WIND RIVER SECURE ANDROID CAPABILITY

Under the Hood: How Actaeon Unveils Your Hypervisor

Virtualization. Types of Interfaces

Networking Virtualization Using FPGAs

Survey On Hypervisors

Ensuring Security in Cloud with Multi-Level IDS and Log Management System

Secure cloud access system using JAR ABSTRACT:

Virtualization. Michael Tsai 2015/06/08

Virtual Hosting & Virtual Machines

Virtualization for Cloud Computing

Do Containers fully 'contain' security issues? A closer look at Docker and Warden. By Farshad Abasi,

Tamper-Resistant, Application-Aware Blocking of Malicious Network Connections

Application Performance Analysis of the Cortex-A9 MPCore

SUSE Linux Enterprise 10 SP2: Virtualization Technology Support

Trust based Peer-to-Peer System for Secure Data Transmission ABSTRACT:

Run-time Resource Management in SOA Virtualized Environments. Danilo Ardagna, Raffaela Mirandola, Marco Trubian, Li Zhang

Client-aware Cloud Storage

Building Blocks Towards a Trustworthy NFV Infrastructure

Virtualization Technology

Virtualization. Dr. Yingwu Zhu

International Journal of Computer Science Trends and Technology (IJCST) Volume 3 Issue 3, May-June 2015

Frontiers in Cyber Security: Beyond the OS

Cloud Operating Systems for Servers

Cloud Simulator for Scalability Testing

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

PERFORMANCE ANALYSIS OF KERNEL-BASED VIRTUAL MACHINE

Intelligent End User Compute Strategy. Ted Smith Nigel Brown

Virtual Machines. COMP 3361: Operating Systems I Winter

Total Defense Endpoint Premium r12

VMware and CPU Virtualization Technology. Jack Lo Sr. Director, R&D

9/26/2011. What is Virtualization? What are the different types of virtualization.

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader

Datacenter Operating Systems

GPU Accelerated Signal Processing in OpenStack. John Paul Walters. Computer Scien5st, USC Informa5on Sciences Ins5tute

An overwhelming majority of IaaS clouds leverage virtualization for their foundation.

White Paper. Recording Server Virtualization

GURLS: A Least Squares Library for Supervised Learning

Data Protection: From PKI to Virtualization & Cloud

Stephen Coty Director, Threat Research

McAfee Server Security

FORENSIC ANALYSIS Aleš Padrta

GUEST OPERATING SYSTEM BASED PERFORMANCE COMPARISON OF VMWARE AND XEN HYPERVISOR

Virtualization. Jia Rao Assistant Professor in CS

Assessing the Performance of Virtualization Technologies for NFV: a Preliminary Benchmarking

Lecture Embedded System Security A. R. Darmstadt, Introduction Mobile Security

Rackspace Cloud Databases and Container-based Virtualization

x86 Virtualization Hardware Support Pla$orm Virtualiza.on

Virtual Machine Monitors. Dr. Marc E. Fiuczynski Research Scholar Princeton University

Building Docker Cloud Services with Virtuozzo

Virtual Switching Without a Hypervisor for a More Secure Cloud

Computer Science. About PaaS Security. Donghoon Kim Henry E. Schaffer Mladen A. Vouk

Full System Emulation:

Dynamic Load Balancing of Virtual Machines using QEMU-KVM

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

Protecting Corporate Data from Mobile Threats. And the emerging role for microsd-based security Art Swift CEO, CUPP Computing

Intro to Virtualization

Scaling in a Hypervisor Environment

Virtual Machines and Security Paola Stone Martinez East Carolina University November, 2013.

Virtualization Security and Best Practices. Rob Randell, CISSP Senior Security Specialist SE

Very Large Enterprise Network, Deployment, Users

Analysis of advanced issues in mobile security in android operating system

Efficient Load Balancing using VM Migration by QEMU-KVM

A Survey on Virtual Machine Security

Attacking Hypervisors via Firmware and Hardware

High-performance vnic framework for hypervisor-based NFV with userspace vswitch Yoshihiro Nakajima, Hitoshi Masutani, Hirokazu Takahashi NTT Labs.

COS 318: Operating Systems. Virtual Machine Monitors

Confinement Problem. The confinement problem Isolating entities. Example Problem. Server balances bank accounts for clients Server security issues:

Compromise-as-a-Service

Secure In-VM Monitoring Using Hardware Virtualization

Introduction to Cyber Security / Information Security

International Journal of Computer & Organization Trends Volume20 Number1 May 2015

Week Overview. Installing Linux Linux on your Desktop Virtualization Basic Linux system administration

Analyzing HTTP/HTTPS Traffic Logs

Topic 5a Operating System Fundamentals

Virtual Desktops Security Test Report

Performance monitoring at CERN openlab. July 20 th 2012 Andrzej Nowak, CERN openlab

Abstract. 1. Introduction. 2. Threat Model

OVA KVM THE SOLUTION. Virtually Unmatched. Get to know KVM. Low cost, super secure and infinitely scalable. JOIN WHAT IS GET SECURITY LOW COST

<Insert Picture Here> Introducing Oracle VM: Oracle s Virtualization Product Strategy

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Cloud Security. Securing what you can t touch. Presentation to Malaysia Government Cloud Computing Forum HUAWEI TECHNOLOGIES CO., LTD.

Transcription:

Outline Introduction State-of-the-art Forensic Methods OS level Hypervisor level Hardware-based Workload Forensics Process Reconstruction Experimental Results Setup Result & Overhead Summary 1

Introduction Motivation Vast amount of sensitive information is stored, processed and communicated in electronic form Intensified malicious efforts à unauthorized access Retroactive investigation needed Workload Forensics Collect data related to past execution of computer programs Analyze data to understand and/or reconstruct corresponding events 2

Outline Introduction State-of-the-art Forensic Methods OS level Hypervisor level Hardware-based Workload Forensics Process Reconstruction Experimental Results Setup Result & Overhead Summary 3

OS-level Forensic Methods Forensic module resides at the same level with applications/os kernel Signature comparison Memory image Commercial products (i.e. EnCase, FTK, etc.) Program behavior modeling System call pattern Involve machine learning/statistics OS app. app. Forensics app. While OS-level Forensic methods benefit from semantic-rich information, they are vulnerable to software attacks at the same level! C. Kolbitsch, et al. Effective and efficient malware detection at the end, USENIX, 2009 4

Hypervisor-level Forensic Methods Forensic module resides at Hypervisor level Hypervisor Virtualization for OS Isolated management core provides better security Bridge semantic gap Process à dedicated addr. space & page table Page table base addr. (CR3 in x86) à process Similar methods as at OS-level can be performed Hypervisor OS OS Forensics OS Hypervisor-level Forensic methods are immune to OS-level attacks. Unfortunately, the hypervisor itself can be the attack surface! *D. Perez-Botero et al. Characterizing hypervisor vulnerabilities in cloud computing servers, SCC, 2013 5

Outline Introduction State-of-the-art Forensic Methods OS level Hypervisor level Hardware-based Workload Forensics Process Reconstruction Experimental Results Setup Result & Overhead Summary 6

Why Hardware-based Forensics? user environment analysis environment software analysis module hardware Download data bus logging module Upload data bus A logging module at hardware level is expected to be immune to software-based tampering! 7

Process Reconstruction Challenge Three main questions: Data in HW à I.D.? Data in HW à behavior? process Analysis in SW à distinguish different processes? 8

Logging Module Logging Object CR3 value Identifier of the process Phase 1 Phase 2 Phase 3 Phase 2 Phase 3 Phase 1 User-space instruction raising itlb miss Behavior of the process Why TLB profile? CR3 change à TLB flush Accurate association between TLB events and CR3 value Mitigation of the effect of different program execution order T. Sherwood et al. Discovering and exploiting program phases, IEEE Micro, 2003 9

CR3 value Instruction 1 Instruction 2 Instruction 100 Instruction 1 Instruction 2 Instruction 100 Logging Module Feature Extraction 10

Logging Module Feature Extraction CR3 value Instruction 1 Instruction 2 Instruction 100 update feature vector for each partition Operator counters Instruction 1 Instruction 2 Instruction 100 6-class operators 1) Data manipulation operator 2) Stack manipulation operator 3) Arithmetic/logic calculation 4) Control flow operation 5) I/O operation 6) Floating point operation 11

Logging Module Feature Extraction CR3 value Instruction 1 Instruction 2 Instruction 100 update feature vector for each partition Operator counters Operand counters Instruction 1 Instruction 2 Instruction 100 6-class operators 12-class operands 1) Data manipulation operator 2) Stack manipulation operator 3) Arithmetic/logic calculation 4) Control flow operation 5) I/O operation 6) Floating point operation 1-8) General purpose registers 9) Memory reference 10) XMM registers/floating point stack 11) All segment registers 12) Immediate value 12

Logging Module Feature Extraction CR3 value Instruction 1 Instruction 2 Instruction 100 Instruction 1 Instruction 2 Instruction 100 update feature vector for each partition Operator counters 6-class operators final feature vector list attached to this CR3 Operand counters 12-class operands F.V. 1 F.V. 2 F.V. end 1) Data manipulation operator 2) Stack manipulation operator 3) Arithmetic/logic calculation 4) Control flow operation 5) I/O operation 6) Floating point operation 1-8) General purpose registers 9) Memory reference 10) XMM registers/floating point stack 11) All segment registers 12) Immediate value 13

Processes Feature Vector Sample 1 Feature 1 Feature 2 Feature... Sample 2 Feature 1 Feature 2 Feature... Sample 3 Feature 1 Feature 2 Feature... Sample 4 Feature 1 Feature 2 Feature... Feature Matrix Analysis Module 14

Processes Feature Vector Sample 1 Feature 1 Feature 2 Feature... Sample 2 Feature 1 Feature 2 Feature... Sample 3 Feature 1 Feature 2 Feature... Sample 4 Feature 1 Feature 2 Feature... Feature Matrix Analysis Module? unseen process seen process 15

Processes Feature Vector Sample 1 Feature 1 Feature 2 Feature... Sample 2 Feature 1 Feature 2 Feature... Sample 3 Feature 1 Feature 2 Feature... Sample 4 Feature 1 Feature 2 Feature... Feature Matrix Analysis Module? unseen process seen process? process 1 process 2 process n 16

Processes Feature Vector Sample 1 Feature 1 Feature 2 Feature... Sample 2 Feature 1 Feature 2 Feature... Sample 3 Feature 1 Feature 2 Feature... Sample 4 Feature 1 Feature 2 Feature... Feature Matrix Analysis Module? Prob. estimates unseen process seen process Support Vector Machine (SVM)? process 1 process 2 process n k-nearest Neighbors (knn) 17

Outline Introduction State-of-the-art Forensic Methods OS level Hypervisor level Hardware-based Workload Forensics Process Reconstruction Experimental Results Setup Result & Overhead Summary 18

Experimental Setup Simulator Simics 4.86 Target Platform 32-bit x86 with single Intel Pentium 4 core, 2Ghz 4GB RAM Simulated Operating System (OS) Minimum installation Ubuntu server (Linux 2.6 kernel) Workload Benchmark Mibench 50% training, 50% validation Analysis Software Matlab 19

Results Outlier Detection Outlier Detection Accuracy 14% 12% 10% 8% 6% 4% 2% 0% FP rate FN rate test 1 test 2 test 3 test 4 average Test FP: seen process classified as unseen FN: unseen process classified as seen 20

Results Outlier Detection Outlier Detection Accuracy 14% 12% 10% 8% 6% 4% 2% 0% FP rate FN rate test 1 test 2 test 3 test 4 average Test FP: seen process classified as unseen FN: unseen process classified as seen Average FP rate: 12.31%; average FN rate: 5.13% 21

Results Workload Classification 100% Classification Accuracy 80% 60% 40% 20% 0% knn SVM Average classification accuracy: 96.97% for knn and 96.93% for SVM 22

Results Workload Classification 80% 60% 40% 20% 0% Classification Accuracy100% knn SVM benchmark Classification accuracy for some classes reaches 100% 23

Results Workload Classification knn SVM 80% 60% 40% 20% 0% Classification Accuracy100% benchmark Classification accuracy for some classes reaches 100% rawcaudio (ADPCM encoding algorithm) rawdaudio (decoding algorithm) à reduced classification efficiency due to similarity 24

Logging Overhead Steps to compute logging overhead: Feature Vector Size = 18 log 5 partition size itlb miss rate Partition generation rate = partition size Instruction 1 Instruction 2 Instruction 100 bits per instruction = Feature Vector size Partition generation rate esitimated logging rate(bits/second) = bits per instruction clock frequency CPI (assumed = 1) 25

Logging Overhead Steps to compute logging overhead: Feature Vector Size = 18 log 5 partition size itlb miss rate Partition generation rate = partition size Instruction 1 Instruction 2 Instruction 100 bits per instruction = Feature Vector size Partition generation rate esitimated logging rate(bits/second) = bits per instruction clock frequency CPI (assumed = 1) Computation result: Average itlb miss rate for user space instructions is 0.0016% This leads to an estimated logging rate of only 5.17 KB/s 26

Outline Introduction State-of-the-art Forensic Methods OS level Hypervisor level Hardware-based Workload Forensics Process Reconstruction Experimental Results Setup Result & Overhead Summary 27

Contributions Summary First hardware-based method for workload forensics analysis Addresses the weakness of OS-level/hypervisor-level methods Demonstrates process reconstruction feasibility via TLB profiling Implementation Complete Hardware-to-Software logging-analysis flow Results High workload-classification accuracy Low logging overhead Future Work Investigate information theoretic content of other features Experiment with more advanced machine learning models 28

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information