nach oben

Erschienen in:

2018 | OriginalPaper | Buchkapitel

Hidden in Plain Sight: Filesystem View Separation for Data Integrity and Deception

verfasst von : Teryl Taylor, Frederico Araujo, Anne Kohlbrenner, Marc Ph. Stoecklin

Erschienen in: Detection of Intrusions and Malware, and Vulnerability Assessment

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Cybercrime has become a big money business with sensitive data being a hot commodity on the dark web. In this paper, we introduce and evaluate a filesystem (DcyFS) capable of curtailing data theft and ensuring file integrity protection by providing subject-specific views of the filesystem. The deceptive filesystem transparently creates multiple levels of stacking to protect the base filesystem and monitor file accesses, hide and redact sensitive files with baits, and inject decoys onto fake system views purveyed to untrusted subjects, all while maintaining a pristine state to legitimate processes. A novel security domain model groups applications into filesystem views and eliminates the need for filesystem merging. Our prototype implementation leverages a kernel hot-patch to seamlessly integrate the new filesystem module into live and existing environments. We demonstrate the utility of our approach through extensive performance benchmarks and use cases on real malware samples, including ransomware, rootkits, binary modifiers, backdoors, and library injectors. Our results show that DcyFS adds no significant performance overhead to the filesystem, preserves the filesystem data, and offers a potent new tool to characterize the impact of malicious activities and expedite forensic investigations.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel No Random, No Ransom: A Key to Stop Cryptographic Ransomware

Nächstes Kapitel Knockin’ on Trackers’ Door: Large-Scale Automatic Analysis of Web Tracking

Thinkst Canary: Canarytokens (2017). https://goo.gl/UcwrPB. Accessed 22 Aug 2017

Artz, D., Gil, Y.: A survey of trust in computer science and the semantic web. Web Semant. 5, 58–71 (2007)CrossRef

Baumgartner, K.: The ‘penquin’ turla (2014). https://goo.gl/6wAiSo. Accessed 24 Sept 2017

Bell, D., LaPadula, L.: Secure computer systems: mathematical foundations. Technical report. MITRE Corporation (1973)

Blaze, B.: Notes on Linux/Xor.DDoS (2015). https://goo.gl/RkzNkT. Accessed 24 Sept 2017

Bonicontro, G.T.: Linux.Zariche: a Vala Virus (2014). https://goo.gl/6mTCJP. Accessed 24 Sept 2017

Bowen, B., Salem, M.B., Hershkop, S., Keromytis, A., Stolfo, S.: Designing host and network sensors to mitigate the insider threat. IEEE Secur. Priv. 7, 22–29 (2009)CrossRef

Bowen, B.M., Hershkop, S., Keromytis, A.D., Stolfo, S.J.: Baiting inside attackers using decoy documents. In: Chen, Y., Dimitriou, T.D., Zhou, J. (eds.) SecureComm 2009. LNICST, vol. 19, pp. 51–70. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05284-2_4CrossRef

Brown, N.: Overlay filesystem (2017). https://goo.gl/Fsge3b. Accessed 24 Sept 2017

10.

Carbone, R.: Malware memory analysis of the Jynx2 Linux rootkit. Technical report, Defence Research and Development Canada (2014)

11.

Chang, Z., Sison, G., Jocson, J.: Erebus resurfaces as Linux ransomware (2017). https://goo.gl/5pJ3yQ. Accessed 12 Jul 2017

12.

Continella, A., Guagnelli, A., Zingaro, G., Pasquale, G.D., Barenghi, A., Zanero, S., Maggi, F.: ShieldFS: a self-healing, ransomware-aware filesystem. In: Proceedings of the Annual Computer Security Applications Conference (2016)

13.

Crowe, J.: 2017 ransomware trends and forecasts (2017). https://goo.gl/S6BRjx. Accessed 10 Aug 2017

14.

FFSB: Flexible filesystem benchmark (2017). https://goo.gl/Qp56Au. Accessed 20 Sept 2017

15.

Gammons, B.: 4 surprising backup failure statistics that justify additional protection (2017). https://goo.gl/H3xrPT. Accessed 10 Aug 2017

16.

Goodin, D.: Web host agrees to pay $1m after it’s hit by Linux-targeting ransomware (2017). https://goo.gl/TwYyzN. Accessed 22 Aug 2017

17.

Granville, K.: 9 recent cyberattacks against big businesses (2015). https://goo.gl/LPSWh5. Accessed 22 Aug 2017

18.

Information Security Newspaper: FakeFile Trojan opens backdoors on Linux computers, except openSUSE (2016). https://goo.gl/rYfESR. Accessed 24 Sept 2017

19.

Kharaz, A., Arshad, S., Mulliner, C., Robertson, W., Kirda, E.: UNVEIL: a large-scale, automated approach to detecting ransomware. In: Proceedings of the USENIX Security Symposium (2016)

20.

Kharraz, A., Kirda, E.: Redemption: real-time protection against ransomware at end-hosts. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) RAID 2017. LNSC, vol. 10453, pp. 98–119. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66332-6_5CrossRef

21.

Kolodenker, E., Koch, W., Stringhini, G., Egele, M.: PayBreak: defense against cryptographic ransomware. In: Proceedings of the ACM Symposium on Information, Computer and Communications Security (2017)

22.

Linux Programmer’s Manual: mount_namespaces - overview of Linux mount namespaces (2017). https://goo.gl/ghK9QQ. Accessed 20 Sept 2017

23.

Linux Programmer’s Manual: namespaces: overview of Linux namespaces (2017). https://goo.gl/djnDWn. Accessed 20 Sept 2017

24.

McCune, J.M., Jaeger, T., Berger, S., Caceres, R., Sailer, R.: Shamon: a system for distributed mandatory access control. In: Proceedings of the Annual Computer Security Applications Conference (2006)

25.

Mercês, F.: Pokémon-themed Umbreon Linux rootkit hits x86, ARM systems (2016). https://goo.gl/te9PBF. Accessed 24 Sept 2017

26.

Moore, H.N.: Why didn’t equifax protect your data? Because corporations have all the power (2017). https://goo.gl/PWQvVa. Accessed 21 Sept 2017

27.

Paganini, P.: Linux.Ekoms.1 the Linux Trojan that takes screenshots (2016). https://goo.gl/NuRC8G. Accessed 24 Sept 2017

28.

Poimboeuf, J.: kpatch - dynamic kernel patching (2017). https://goo.gl/p1VzMu. Accessed 24 Sept 2017

29.

Rutkowska, J., Wojtczuk, R.: Qubes OS architecture v0.3 (2010)

30.

Ben Salem, M., Stolfo, S.J.: Decoy document deployment for effective masquerade attack detection. In: Holz, T., Bos, H. (eds.) DIMVA 2011. LNCS, vol. 6739, pp. 35–54. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22424-9_3CrossRef

31.

Sandboxie Holdings: Sandboxie (2018). https://goo.gl/8EBR7J. Accessed 27 Apr 2018

32.

Sandhu, R.S., Samarati, P.: Access control: principle and practice. IEEE Commun. Mag. 32(9), 40–48 (1994)CrossRef

33.

Sandro, A.: Backdoor.Linux.Tsunami.gen or Tsunami is a Linux backdoor that allows remote access to infected machines (2016). https://goo.gl/vzcTNw. Accessed 24 Sept 2017

34.

Scaife, N., Carter, H., Traynor, P., Butler, K.R.: Cryptolock (and drop it): stopping ransomware attacks on user data. In: Proceedings of the IEEE Conference on Distributed Computing Systems (2016)

35.

Sophos: Troj/Fkit-A (2017). https://goo.gl/5Va1Ld. Accessed 24 Sept 2017

36.

t0n1: ELF prepender in python (2015). https://goo.gl/LDepMX. Accessed 24 Sept 2017

37.

Tarasov, V., Bhanage, S., Zadok, E., Seltzer, M.: Benchmarking file system benchmarking: it *is* rocket science. In: Proceedings of the USENIX Conference on Hot Topics in Operating Systems (2011)

38.

The MITRE Corporation: The ATT&CK matrix for enterprise (2017). https://goo.gl/EHrkZ5. Accessed 24 Sept 2017

39.

The New Yort Times: Cyberattack hits ukraine then spreads internationally (2017). https://goo.gl/Av7Hxb. Accessed 24 Sept 2017

40.

TMZ: Linux.Liora ELF prepender (2015). https://goo.gl/snRnev. Accessed 24 Sept 2017

41.

Trend Micro Solutions: Erebus Linux ransomware: impact to servers and countermeasures (2017). https://goo.gl/o2k84s. Accessed 24 Sept 2017

42.

VirusTotal: TrojanDownloader detection results (2017). https://goo.gl/pBNR4M. Accessed 24 Sept 2017

43.

Voris, J., Jermyn, J., Boggs, N., Stolfo, S.: Fox in the trap: thwarting masqueraders via automated decoy document deployment. In: Proceedings of the European Workshop on System Security (2015)

44.

Welivesecurity: KillDisk now targeting Linux: demands $250K ransom, but can’t decrypt (2017). https://goo.gl/paiyvm. Accessed 24 Sept 2017

45.

Whitham, B.: Automating the generation of fake documents to detect network intruders. Int. J. Cyber-Secur. Digit. Forensics 2(1), 103–118 (2013)

46.

Whitham, B.: Canary files: generating fake files to detect critical data loss from complex computer networks. In: Proceedings of the International Conference on Cyber Security, Cyber Peacefare and Digital Forensic (2013)

47.

Whitham, B.: Design requirements for generating deceptive content to protect document repositories. In: Proceedings of the Australian Information Warfare Conference (2014)

48.

Wired: The biggest cybersecurity disasters of 2017 so far (2017). https://goo.gl/GoLpLR. Accessed 24 Sept 2017

49.

Yuill, J., Zappe, M., Denning, D., Feer, F.: Honeyfiles: deceptive files for intrusion detection. In: Proceedings of the Annual IEEE SMC Information Assurance Workshop (2004)

Titel: Hidden in Plain Sight: Filesystem View Separation for Data Integrity and Deception
verfasst von: Teryl Taylor
Frederico Araujo
Anne Kohlbrenner
Marc Ph. Stoecklin
Verlag: Springer International Publishing
Buch: Detection of Intrusions and Malware, and Vulnerability Assessment
Print ISBN: 978-3-319-93410-5

Electronic ISBN: 978-3-319-93411-2

Copyright-Jahr: 2018
DOI: https://doi.org/10.1007/978-3-319-93411-2_12

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"