Computers continue
to get broken into, so intrusion analysis is a part of most system
administrators' job description. System administrators must answer two
main questions when analyzing intrusions: "how did the attacker gain
access to my system?", and "what did the attacker do after they broke
in?". Current tools for analyzing intrusions fall short because they
have insufficient information to fully track the intrusion and because
they cannot separate the actions of attackers from the actions of
legitimate users.

This talk will focus
on how system administrators can use information flow graphs to help
analyze intrusions. BackTracker is used to help answer the question
"how did the attacker gain access to my system?". BackTracker starts
with a suspicious object (e.g., malicious process, trojaned executable
file) and follows the attack back in time, using causal OS events, to
highlight the sequence of events and objects that led to the suspicious
state. Showing an information flow graph of these causally connected
events and objects provides a system-wide view of the attack and
significantly reduces the amount of data an administrator must examine
in order to determine which application was originally exploited.
ForwardTracker helps answer the question "what did the attacker do after
they broke in?". ForwardTracker starts from the application which was
exploited and tracks causal events forward in time to display the
information flow graph of events and objects that result from the
intrusion. Finally, Bi-directional Distributed BackTracker (BDB)
continues the backward and forward information flow graphs across the
network to highlight the set of computers on a local network which are
likely to have been compromised by the attacker.
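The backward and forward searches described above, as an added illustration that is not BackTracker's, ForwardTracker's or the author's own code: a constructed causal event log (process creates process, process writes file, file is read or executed by a process, socket delivers data to a process) is indexed, and each search follows only events on the correct side of a per-object time threshold, so activity that touched an object after it had already influenced the next object in the chain (cron's later write to /tmp/x) is left out. All object names, PIDs, paths and times are invented for the example.

```python
"""Backward and forward tracking over a causal OS-event log.

Added illustration of the technique the talk describes; this is not
BackTracker's or ForwardTracker's own code, and the objects, PIDs, paths
and times below are constructed for the example.
"""
from collections import defaultdict

# Constructed event log: (time, source, event, sink).  Each event makes
# `sink` causally dependent on `source` at `time`, in the spirit of the
# dependency-causing OS events the talk describes.
EVENTS = [
    (1,  "proc:sshd[100]",     "fork",  "proc:bash[101]"),
    (2,  "file:/etc/passwd",   "read",  "proc:bash[101]"),   # legitimate user activity
    (3,  "socket:remote:4444", "recv",  "proc:httpd[200]"),  # exploit payload arrives
    (4,  "proc:httpd[200]",    "fork",  "proc:sh[201]"),
    (5,  "proc:sh[201]",       "write", "file:/tmp/x"),
    (6,  "file:/tmp/x",        "exec",  "proc:x[202]"),
    (7,  "proc:x[202]",        "write", "file:/bin/ls"),     # trojaned binary (detection point)
    (8,  "file:/bin/ls",       "read",  "proc:bash[101]"),   # user runs the trojaned ls
    (9,  "proc:cron[300]",     "write", "file:/tmp/x"),      # unrelated: after /tmp/x was exec'd
    (12, "file:/bin/ls",       "read",  "proc:bash[103]"),   # after the detection time
]


def _index(events):
    """Index events by the object they affect and by the object they come from."""
    by_sink, by_source = defaultdict(list), defaultdict(list)
    for ev in events:
        _, src, _, dst = ev
        by_sink[dst].append(ev)
        by_source[src].append(ev)
    return by_sink, by_source


def backtrack(events, suspicious, detect_time):
    """BackTracker-style search: which objects could have caused `suspicious`
    to be in its state at `detect_time`?

    Returns (nodes, edges).  nodes maps object -> time threshold: the latest
    time at which that object's state could still have influenced the
    detection point.  Only events at or before an object's threshold are
    followed, which keeps unrelated later activity out of the graph.
    """
    by_sink, _ = _index(events)
    nodes, edges, work = {suspicious: detect_time}, set(), [(suspicious, detect_time)]
    while work:
        obj, threshold = work.pop()
        for t, src, kind, dst in by_sink[obj]:
            if t > threshold:
                continue            # happened after obj's relevant state; not a cause
            edges.add((src, kind, dst, t))
            if t > nodes.get(src, float("-inf")):
                nodes[src] = t      # a later threshold admits more events: revisit
                work.append((src, t))
    return nodes, edges


def forwardtrack(events, exploited, exploit_time):
    """ForwardTracker-style search: what did `exploited` go on to affect
    after `exploit_time`?  Symmetric to backtrack: nodes maps object -> the
    earliest time it became tainted; only later events are followed.
    """
    _, by_source = _index(events)
    nodes, edges, work = {exploited: exploit_time}, set(), [(exploited, exploit_time)]
    while work:
        obj, threshold = work.pop()
        for t, src, kind, dst in by_source[obj]:
            if t < threshold:
                continue            # happened before obj was tainted
            edges.add((src, kind, dst, t))
            if t < nodes.get(dst, float("inf")):
                nodes[dst] = t      # an earlier threshold admits more events: revisit
                work.append((dst, t))
    return nodes, edges


def render(edges):
    """Text form of the information flow graph, one edge per line, in time order."""
    return [f"{src} --{kind}@{t}--> {dst}"
            for src, kind, dst, t in sorted(edges, key=lambda e: e[3])]


if __name__ == "__main__":
    back_nodes, back_edges = backtrack(EVENTS, "file:/bin/ls", detect_time=10)
    print("Backward from file:/bin/ls (detected at t=10):")
    print("\n".join(render(back_edges)))
    # The exploited application is the object whose only causal predecessor
    # is the network; here httpd, reached from socket:remote:4444.
    fwd_nodes, fwd_edges = forwardtrack(EVENTS, "proc:httpd[200]", exploit_time=3)
    print("\nForward from proc:httpd[200] (exploited at t=3):")
    print("\n".join(render(fwd_edges)))
```

Run stand-alone, the backward graph contains six objects (the socket, httpd, sh, /tmp/x, the x process and /bin/ls) and excludes both the user's bash session and cron; the forward graph from httpd adds the two bash processes that later read the trojaned /bin/ls. The per-object threshold is what separates attacker activity from legitimate activity on the same objects: plain reachability over the same log would pull cron in.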

Bio: Sam King is a
PhD student in the CSE Division of the Department of Electrical
Engineering and Computer Science at the University of Michigan at Ann
Arbor and will be graduating in the summer of 2006. His research
interests include experimental software systems, computer security, and
operating systems. His dissertation work focuses on computer forensics,
and he has also explored various other topics while at Michigan
including advanced malware defenses, intrusion detection, and debugging
operating systems using time-traveling virtual machines. Before
arriving at Michigan, he received a BS from UCLA and an MS from Stanford
University. He also worked for two years as a software developer for an
embedded systems company in Santa Clara, CA. He is married (his wife's
name is also Sam) and has a son, Eli.