Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

backtracking summary

advertisement 
Dalia Solomon
BackTracker Summary
In today society computer intrusion has been increasing. Thus this paper addresses the method and tools that the administrator
can use to understand how the system was hacked into. The first step in an intrusion is for the administrator to detect an
intrusion, there are tools that are available such as TripWire. The next step is to investigate how an intrusion takes place. This
can be done by using logs, SNORT, Ethereal, etc. However, there are limitations to the software that are currently available.
The author proposes Backtracking Intrusions, a program that identifies the potential sequence of steps that is in an intrusion.
This program serves to address the shortcomings of current tools. The backtracking tool has two component, online and offline.
The online log events and the offline will graph the events relating to an attack.
The goal of the BackTracker is to reconstruct a time-line of events involved in an attack. Backtracking works by observing OSlevel objects and events. BackTracker keeps track of a process from the time it is created. BackTracker log dependency
relationships, events when one object affects the state of another. Some of the dependency relationships are: process/process,
process/files, and process/filename dependency.
BackTracker saved enough information from objects and dependency causing events to build a graph that shows the
dependency relationships that occur during an intrusion. The tool that the administrator used to generate the dependency graph
is called GraphGen. This application is run offline after an attack. GraphGen construct the dependency graph by reading the log
of events, starting from the last event.
BackTracker focuses on tracking high-control events; events that are easiest for an attacker to use to accomplish a task.
BackTracker log and analyze process creation, load and store, read and write, receiving data from socket, execution of file, and
opening a file.
EventLogger is the part of BackTracker that logs events. The current strategy for BackTracker is to run a virtual machine and
have the virtual machine call a kernel procedure (EventLogger) at certain time.
Dependency graph are usually too large to be analyze, thus filtering is required. Administrator uses prioritization to filter out parts
that help them understand an intrusion. There are several methods of filtering; administrator could ignore certain objects, filter
out certain type of event, hides file that have been read but not written, filter out helper processes, choose several detection
points and take the intersection.
BackTracker is evaluated on three real attacks and one simulated attack. In these attacks EventLogger logged the events that
occur. With filtering and GraphGen the administrator can get a good dependency graph of these attacks to analyze.
There are ways for an intruder to hide his action from the BackTracker. An attacker can attack the layer where BackTracker is
built, use events that BackTracker doesn’t monitor, or hide his action in large dependency graph. Thus it is possible to hide
actions from BackTracker, but the goal of this paper is to analyze a fraction of the current attack and make it more difficult for an
intruder to launch attacks that cannot be track.
Questions:
1) Can we use this system effectively on a real world server or just on a honeypot machine?
2) Is there any scheme to make the event logger more effective, and not use 1.2 GB a day without losing important record?
3) Do we need to recode the backtracker if we want to support other virtual machines? Is the porting process of it to other virtual
machine complicated?
4) Does this backtracker handle hack where a user does not read or write to a file but overflow the buffer using exploits?
5) On a system with many operations isn’t the graph generated by the GraphGen too complicated for an average administrator
to understand in limited time?
Suggestion
1) The graph should be coded or created to be more understandable.
2) Discuss other methods in which the hacker hacks into the machine.
3) Some hackers will hack into the computer and never write to any file, but just look at sensitive information in the computer,
author should address these type of hacking. (reading files)
4) Discuss more about Backtracker and VMware. The author briefly discusses but doesn’t go into a good discussion about how
Backtracker uses the VMware kernel.
5) Discuss more about the honeypot machine that is used in this paper. What are the services that the author runs on this
honeypot machine?
Related documents
D-BP01-Employee Communications and Levels of Authority
D-BP01-Employee Communications and Levels of Authority
List of program outcomes
List of program outcomes
Legal Issues in the Classroom (PowerPoint)
Legal Issues in the Classroom (PowerPoint)
Elementary General Music
Elementary General Music
Ethics and Social Welfare
Ethics and Social Welfare
Dependency Property
Dependency Property
Patient Renewal Leaflet - Oxford Health NHS Foundation Trust
Patient Renewal Leaflet - Oxford Health NHS Foundation Trust
The Neoclassical and the Dependency Perspectives
The Neoclassical and the Dependency Perspectives
Population 3 - Taylor High School
Population 3 - Taylor High School
Intrusion Detection
Intrusion Detection
ABSTRACT
ABSTRACT
Intrusion Detection, Diagnosis, and Recovery with Self-Securing Storage
Intrusion Detection, Diagnosis, and Recovery with Self-Securing Storage
Download
advertisement