nCircle.com >> 360 Security


cansecwest/core06: "Next Gen Kernel activity monitoring"

Edward Balas – Indiana University
Michael Davis – Savid Technologies
Title: Next Generation Kernel Activity Monitoring

The talk was about Sebek, a kernel-based activity monitor.
The detection focus is the intra-system domain: process-to-process communication. Sebek is available for Windows and Linux (as a loadable kernel module or a kernel patch). Essentially it keeps an observational record of system calls of interest: keystrokes, file access, process interaction, sockets, and so on.

Look, mom, I can capture all this data! Guess what: too much data. Sound familiar? Drowning in data, thirsting for intelligence. The volume of uninteresting data is blinding: roughly 100k records per hour when the machine is doing nothing, and about a million an hour under average use. The core problem is that at the observational stage you do not yet have the context to apply any criterion of discretion, so you are basically screwed. OK, not screwed, just facing a heavy demand on resources.

Their proposed solution is to let the operator configure a static policy of "interesting" criteria. A matching event acts as a trigger, and recording then follows the process tree from that point forward. The analogy is a motion sensor on a camera: recording begins with the triggering event, and the events that follow are associated with it through the process tree. Makes sense to me.
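The trigger-and-follow idea described above, as an added example (this is not Sebek's own code, and the record fields, rule names and sample records are all constructed for illustration): cheap static rules run over every record, a match puts that process into a tracked set, and later records from tracked processes or their children are kept while everything else is discarded.

```python
"""Trigger-and-follow filtering over Sebek-style kernel activity records.

Added example, not Sebek's own code.  The record layout, the rule names,
and the sample records below are constructed for illustration; real Sebek
records are emitted by the kernel module and carry different fields.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Record:
    seq: int    # monotonic sequence number (stands in for a timestamp)
    pid: int
    ppid: int
    kind: str   # "exec", "open", "read", "write", "socket", "keystroke"
    data: str   # path, peer address, or captured bytes


# A trigger rule is a predicate over a single record (hypothetical format).
Rule = Callable[[Record], bool]

DEFAULT_RULES: Dict[str, Rule] = {
    # credential material opened
    "sensitive-open": lambda r: r.kind == "open" and r.data in ("/etc/shadow", "/root/.ssh/id_rsa"),
    # a shell started, e.g. an interactive session or a dropper
    "shell-exec": lambda r: r.kind == "exec" and r.data.rsplit("/", 1)[-1] in ("sh", "bash"),
    # outbound connection to an address outside the private ranges
    "external-socket": lambda r: r.kind == "socket" and not r.data.startswith(("10.", "127.", "192.168.")),
}


@dataclass
class Monitor:
    rules: Dict[str, Rule] = field(default_factory=lambda: dict(DEFAULT_RULES))
    tracked: Set[int] = field(default_factory=set)             # pids whose subtree is recorded
    hits: List[Tuple[str, int]] = field(default_factory=list)  # (rule name, seq) per trigger

    def observe(self, r: Record) -> bool:
        """Decide whether record `r` is kept (True) or discarded (False).

        The static rules run on every record.  A firing rule puts the process
        into the tracked set.  Records from a tracked process are kept, and a
        child whose parent is tracked is itself tracked from its first record,
        so the whole process tree after the trigger is followed.  Nothing
        before the trigger is kept: like a motion-activated camera, recording
        starts at the event, not before it.
        """
        for name, rule in self.rules.items():
            if rule(r):
                self.hits.append((name, r.seq))
                self.tracked.add(r.pid)
                break
        if r.pid in self.tracked:
            return True
        if r.ppid in self.tracked:
            self.tracked.add(r.pid)  # follow the child, not only the parent
            return True
        return False


def run(records: List[Record], rules: Optional[Dict[str, Rule]] = None
        ) -> Tuple[List[Record], List[Tuple[str, int]]]:
    """Filter `records` through a fresh Monitor; return (kept, trigger hits)."""
    mon = Monitor() if rules is None else Monitor(rules=dict(rules))
    kept = [r for r in records if mon.observe(r)]
    return kept, mon.hits


# Constructed sample: idle logger noise (pid 200), a web server (pid 300)
# that spawns a shell (pid 301), which then fetches a file (pid 302).
SAMPLE: List[Record] = [
    Record(1, 200, 1, "open", "/var/log/syslog"),
    Record(2, 200, 1, "write", "cron[200]: (root) CMD (run-parts /etc/cron.hourly)"),
    Record(3, 300, 1, "socket", "10.0.0.7"),
    Record(4, 300, 1, "read", "/var/www/index.html"),
    Record(5, 301, 300, "exec", "/bin/sh"),             # fires shell-exec
    Record(6, 301, 300, "keystroke", "id\n"),
    Record(7, 301, 300, "open", "/etc/passwd"),         # no rule, but pid is tracked
    Record(8, 200, 1, "open", "/var/log/syslog"),       # noise continues, still dropped
    Record(9, 302, 301, "exec", "/usr/bin/wget"),       # child of the tracked shell
    Record(10, 302, 301, "socket", "203.0.113.5"),      # also fires external-socket
    Record(11, 300, 1, "read", "/var/www/index.html"),  # parent was never tracked
]

if __name__ == "__main__":
    kept, hits = run(SAMPLE)
    print(f"kept {len(kept)} of {len(SAMPLE)} records; triggers: {hits}")
    for r in kept:
        print(f"  seq={r.seq} pid={r.pid} ppid={r.ppid} {r.kind} {r.data!r}")
```

On the constructed sample the monitor keeps five of eleven records: the shell's exec, its keystrokes and file open, and the child wget's exec and socket. Two caveats fall straight out of the design. The web server that spawned the shell is never captured, because the trigger fires on the child and nothing is recorded retroactively. And the static rules are exactly the deterministic property an adversary can learn: an `exec` of `/bin/zsh` matches none of the rules above, so that process and everything under it are discarded until some other rule fires.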

Many times in the talk they had to emphasize that they are in an intellectual turn-based game.
The game goes like this: Alice authors a detection method; adversary Bob learns its deterministic properties and games the method so that he ultimately goes undetected; Alice learns how she was out-gamed and builds a new detection method; and so on, and so on.

With this level of kernel monitoring, I can clearly see the value to the bad guys but limited value for the good guys. I guess the good guys' use case would be a nice tool for system analysis or application testing.
Just because I can't see the value does not mean it is a bad tool. Heck, I can't see the value in the electric toothbrush (I prefer the manual model), but that does not mean it is bad.

--tk

This page contains a single entry from the blog posted on April 6, 2006 10:17 PM.