Binary Instrumentation of Apache Server to Cluster Malicious Attack Strings
Presented by: Cynthia Cheng. Advisor: Dr. Xiang Fu
Hofstra University, Computer Science Spring 2013 Student Research Presentation (uploaded May 28, 2013)

Presentation transcript

Background
- More than 90 million unique strands of malware
- 1 of 14 downloads is malware
- Companies that have suffered security breach incidents: Sony PlayStation Network, RSA, Google
- References:
  http://www.pcmag.com/article2/0,2817,2385541,00.asp
  http://money.cnn.com/2012/09/04/technology/malware-cyber-attacks/index.html
  http://money.cnn.com/galleries/2012/technology/1206/gallery.9-worst-security-breaches.fortune/4.html
  http://www.cioinsight.com/c/a/Security/Malicious-Attacks-Skyrocket-As-Hackers-Explore-New-Targets-356545/

HTTP Attack: Directory Traversal
- A PHP servlet is given a file name and reads that file: http://chikarauniversity.php?page=notification.php reads /var/www/notification.php
- It did not check the validity of the name (it did not remove "../"), so a request such as http://chikarauniversity.php?page=../etc/passwd, with enough "../" segments to climb out of the web root, reads /etc/passwd
- Reference: http://www.explorehacking.com/2011/01/directory-transversal-vulnerability.html

Goal
- Cluster malicious attack strings
- Assumptions: the majority of the requests are benign, and bad requests look different
- Our approach: intercept all open requests, then cluster good and bad requests

Tools
- Oracle VM VirtualBox
- Intel Pin
- Apache HTTP Server

Intel Pin Introduction
- Binary instrumentation tool: allows us to insert extra code into a program while it runs, without recompiling it
- Reference: www.jaleels.org/ajaleel/Pin/slides/1_Intro.ppt

Example: Inject Logic at Each Instruction Call
- itrace.cpp, modified from the Pin itrace example
- A function is called whenever a new instruction call is encountered
- If the instruction is a call to open, print the register value ESP+4, the content of that location, and the string captured there (on 32-bit x86 this is open's first argument, the pointer to the path being opened)

Challenges
- Dynamic linking: the call to open in the binary lands in a dummy function for the open system call, not in open itself; Apache has its own versions that really call the open OS system call

Improvements
- Find the real entry address of the open system call

GOT Entry and Dynamic Linking
- When you call open, you are not shown the real address of the system call open: the call goes through a PLT stub that jumps through the GOT entry for open, and that entry holds the real address only once the dynamic linker has resolved the symbol
- Demo using the GNU Debugger: show how to find the GOT entry and then the real open address

Code of Reading Entry
- http_request.c, in the source files for apache_1.3.41
- Multiple printf calls, so a shortcut to the real entry is stored and reused
- First find the PLT address and the GOT address, then the actual open address in the Apache server

Result
- itrace.out

Future Work
- Given the strings, convert them into numbers
- Use the Classroom package and cluster the data (unclustered data vs. clustered data)
- Reference: http://www.codeproject.com/Articles/369387/Data-Clustering-Simulation-in-Python-and-PyGame
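The directory traversal slide above describes a PHP servlet that reads whatever file name arrives in page= without stripping "../". The following Python is an added example, not code from the presentation, that models that servlet's path handling beside a hardened version. The /var/www root comes from the slide; the function names and the %2e%2e-encoded test input are assumptions for illustration.

```python
import posixpath
from urllib.parse import unquote

# Document root taken from the slide's example (/var/www/notification.php).
WEB_ROOT = "/var/www"


def vulnerable_resolve(page: str) -> str:
    """The servlet as the slide describes it: prepend the root and open
    whatever arrived in page=, with no check for "../"."""
    return WEB_ROOT + "/" + page


def what_the_kernel_opens(path: str) -> str:
    """The path the OS actually resolves once it has folded the ".." parts."""
    return posixpath.normpath(path)


def hardened_resolve(page: str):
    """Decode the parameter once (it arrives URL-encoded, so %2e%2e is ".."),
    fold "." and ".." segments, and refuse anything that no longer sits
    strictly below WEB_ROOT. Returns the safe absolute path or None."""
    decoded = unquote(page)
    if "\x00" in decoded:          # a NUL byte would truncate the name in a C open()
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    # join() discards WEB_ROOT when `decoded` is absolute, so "/etc/passwd"
    # fails this prefix check just like "../../etc/passwd" does.
    if not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Hypothetical inputs: one benign page name and three traversal attempts.
    for page in ("notification.php", "../../etc/passwd",
                 "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
        print(f"{page:28} vulnerable -> {what_the_kernel_opens(vulnerable_resolve(page))}"
              f"  hardened -> {hardened_resolve(page)}")
```

The check is done on the normalised string rather than by searching for a literal "../", which is why the encoded form is caught after a single decode and why an absolute path is rejected as well.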
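The Goal and Future Work slides describe the pipeline the talk is working toward: collect the strings captured at each intercepted open call, turn them into numbers, and cluster them under the assumption that most requests are benign and the bad ones look different. This added Python example (mine, not the presenter's code) carries that plan through on a constructed stand-in for itrace.out. The trace line layout, the feature set and the single-linkage clustering are assumptions, since the slides do not specify them, and the trace lines are made up rather than captured data.

```python
import math
import re
from collections import Counter

# Constructed stand-in for itrace.out (not real captured data): one line per
# intercepted open call, in an assumed "ESP+4 -> pointer -> string" layout.
ITRACE_OUT = """\
open ESP+4=0xbfffe4a0 *=0x0805a3f0 str=/var/www/index.html
open ESP+4=0xbfffe4a0 *=0x0805a410 str=/var/www/notification.php
open ESP+4=0xbfffe4a0 *=0x0805a430 str=/var/www/images/logo.png
open ESP+4=0xbfffe4a0 *=0x0805a450 str=/var/www/css/site.css
open ESP+4=0xbfffe4a0 *=0x0805a470 str=/var/www/about.html
open ESP+4=0xbfffe4a0 *=0x0805a490 str=/var/www/../../etc/passwd
open ESP+4=0xbfffe4a0 *=0x0805a4b0 str=/var/www/..%2f..%2f..%2fetc/shadow
open ESP+4=0xbfffe4a0 *=0x0805a4d0 str=/var/www/contact.html
"""

STR_RE = re.compile(r"str=(\S+)$")


def parse_itrace(text: str) -> list:
    """Pull the captured path string out of every trace line that has one."""
    paths = []
    for line in text.splitlines():
        m = STR_RE.search(line)
        if m:
            paths.append(m.group(1))
    return paths


def features(path: str) -> tuple:
    """Convert one string into numbers: traversal segments (plain or
    URL-encoded), count of %-escapes, and the share of characters outside
    the alphanumeric and "/._-" set that ordinary paths are made of."""
    p = path.lower()
    traversals = p.count("../") + p.count("..%2f") + p.count("%2e%2e")
    escapes = p.count("%")
    odd = sum(1 for c in p if not (c.isalnum() or c in "/._-")) / max(len(p), 1)
    return (float(traversals), float(escapes), odd)


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def cluster(points: list, radius: float = 1.0) -> list:
    """Single-linkage clustering: two points share a cluster when a chain of
    neighbours, each closer than `radius`, connects them. No random seed and
    no fixed k, so the result is deterministic and a rare attack shape gets
    its own cluster instead of being absorbed into the nearest big one."""
    labels = [-1] * len(points)
    next_id = 0
    for i in range(len(points)):
        if labels[i] != -1:
            continue
        labels[i] = next_id
        stack = [i]
        while stack:
            j = stack.pop()
            for m in range(len(points)):
                if labels[m] == -1 and _dist(points[j], points[m]) < radius:
                    labels[m] = next_id
                    stack.append(m)
        next_id += 1
    return labels


def classify(text: str, radius: float = 1.0) -> dict:
    """Parse, featurise, cluster, then apply the talk's assumption: the
    largest cluster is the benign traffic and everything else is suspect."""
    paths = parse_itrace(text)
    labels = cluster([features(p) for p in paths], radius)
    biggest = Counter(labels).most_common(1)[0][0]
    return {p: ("good" if lab == biggest else "bad") for p, lab in zip(paths, labels)}


if __name__ == "__main__":
    for path, verdict in classify(ITRACE_OUT).items():
        print(f"{verdict:4} {path}")
```

Single linkage is used here instead of k-means on purpose: with k fixed at 2, a traversal string and an encoded traversal string can be far enough apart that one of them ends up in the benign cluster, whereas a radius-based grouping keeps every distinct attack shape separate from the dense benign mass and only the "largest cluster is good" rule needs the majority-benign assumption.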