Thesis proposal
Presentation Transcript

  • A multilayer framework proposal to catch data exfiltration
      Puneet Sharma
  • Agenda
      • Introduction to the problem
          • What is data exfiltration?
          • Why is it more difficult to catch than regular network based intrusions?
      • Hardware based Trojans
          • Huawei case
          • Greek phone tapping case
      • Software based Trojans
          • Rootkits
      • Proposed approach
          • Multiple stacks/layered detection
          • Parameters to watch
      • Challenges
  • What is data exfiltration?
      • Unauthorized extraction of data from a system
      • Can be locally or remotely initiated
      • Is hard to catch because:
          • May leave no fingerprint
          • Insider attack
          • Can go to great lengths to hide itself using kernel level device drivers
  • Hardware based Trojans
      • Use cases:
          • Huawei case
          • Greek phone tapping case
      • Special challenges in catching HW Trojans
          • Special circuits with an extremely small footprint
          • Most come shipped with their own software
          • Most circuit based testing methods are too expensive and impractical to check for each possible circuit flow
  • Rootkits and other Trojans
      • Device driver as the way to get in
      • Kernel mode access
      • Can hide processes
      • Can auto run on restart
      • Stuxnet: the most famous example
  • Multi layered approach
      • Application layer
          • Hidden processes
          • New hardware insertion event
          • New device driver registration
      • Network layer
          • Change in outgoing packet patterns
          • Connection to an unknown address
      • Hardware layer
          • Change in the power consumption patterns
          • Change in the instruction set patterns
  • Justification for a multi stacked solution
      • No such thing as the perfect defense
      • Idea is to make it really hard for the attacker to avoid detection
      • Certain techniques on the network and application layer are state of the art, just never used together
      • Sophisticated hardware Trojans are not just sections of mala fide circuits, but come with their own custom software
  • Parameters to monitor New Hardware detection New device driver registration Sudden increase in packet size going out Type of data going out Key file hashes being changed
  • Parameters to monitor Memory traces CPU utilization Hidden processes Power pattern changes Instruction set pattern changes
  • Relevance of parameters matrix

      Parameter/Alarm                  | Ways to monitor             | Reliable on its own? | Reliable with a few other alarms? | Reliable with many other alarms?
      New hardware detection           | lsusb, udevd, udevadm, lshw | No                   | Yes                               | Yes
      New device driver detection      | lspci, lsmod, modprobe      | No                   | Yes                               | Yes
      Increase in outgoing packet size | Wireshark, tcpdump          | No                   | Yes                               | Yes
      Change in type of data going out | Wireshark, tcpdump          | No                   | No                                | Yes
      Change in file hashes            | tripwire                    | No                   | Yes                               | Yes

  • Relevance of parameters matrix

      Parameter/Alarm                  | Ways to monitor             | Reliable on its own? | Reliable with a few other alarms? | Reliable with many other alarms?
      Memory traces                    | /proc file system           | No                   | No                                | Yes
      CPU utilization                  | mpstat, top, sysstat        | No                   | No                                | Yes
      Hidden processes                 | unhide, /proc/<pid>/exe     | Yes                  | Yes                               | Yes
      Power pattern changes            |                             | Yes                  | Yes                               | Yes
      Instruction set changes          |                             | Yes                  | Yes                               | Yes
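The "Multi layered approach" slide and the two matrix slides together imply a correlation rule: an alarm that is reliable on its own fires alone, while the others only count when corroborated by alarms from other layers. The block below is an added example, not the proposal's own code, that encodes this. The reliability classes are copied from the matrix; the layer of each alarm follows the layered-approach slide where it lists one, and the corroboration thresholds, the "unknown_address" class and the layer assignments marked as assumed are this example's own choices.

```python
"""Cross-layer alarm correlation for the layered-detection idea on the slides.
Added example; reliability classes come from the matrix slides, the thresholds
and the assignments marked 'assumed' are assumptions of this example."""

# "alone" = reliable on its own, "few" = reliable with a few other alarms,
# "many" = reliable only with many other alarms (from the matrix slides).
RELIABILITY = {
    "new_hardware": "few",
    "new_driver": "few",
    "packet_size_increase": "few",
    "data_type_change": "many",
    "file_hash_change": "few",
    "memory_trace": "many",
    "cpu_utilization": "many",
    "hidden_process": "alone",
    "power_pattern": "alone",
    "instruction_pattern": "alone",
    "unknown_address": "few",          # not in the matrix; class assumed here
}

# Layer per alarm, from the "Multi layered approach" slide where it lists one.
LAYER = {
    "hidden_process": "application",
    "new_hardware": "application",
    "new_driver": "application",
    "file_hash_change": "application",  # assumed
    "memory_trace": "application",      # assumed
    "cpu_utilization": "application",   # assumed
    "packet_size_increase": "network",
    "data_type_change": "network",      # assumed
    "unknown_address": "network",
    "power_pattern": "hardware",
    "instruction_pattern": "hardware",
}

# Assumed corroboration thresholds: how many *other* alarms each class needs.
NEEDED = {"alone": 0, "few": 2, "many": 4}


def evaluate(alarms):
    """Decide whether a set of simultaneous alarms is worth raising.

    Rules (this example's own): an 'alone' alarm fires by itself; any other
    alarm fires only with enough corroborating alarms, and those must span at
    least two layers, so a burst of alarms from a single layer is not enough."""
    alarms = sorted(set(alarms))
    layers = sorted({LAYER[a] for a in alarms})
    others = len(alarms) - 1
    for a in alarms:
        need = NEEDED[RELIABILITY[a]]
        if need == 0 or (others >= need and len(layers) >= 2):
            return {"fire": True, "trigger": a, "layers": layers}
    return {"fire": False, "trigger": None, "layers": layers}


def correlate(events, window):
    """Slide a time window over (timestamp, alarm) events and return the first
    firing group with its start time, or None. Events need not be sorted."""
    events = sorted(events)
    for i, (t0, _) in enumerate(events):
        group = [name for t, name in events[i:] if t - t0 <= window]
        verdict = evaluate(group)
        if verdict["fire"]:
            verdict["start"] = t0
            return verdict
    return None


# Constructed event stream: (seconds since start, alarm name).
SAMPLE_EVENTS = [
    (0, "cpu_utilization"),
    (5, "memory_trace"),
    (400, "new_driver"),
    (410, "packet_size_increase"),
    (415, "unknown_address"),
]

if __name__ == "__main__":
    print(evaluate(["hidden_process"]))                                   # fires alone
    print(evaluate(["new_hardware", "new_driver", "file_hash_change"]))   # one layer: no
    print(correlate(SAMPLE_EVENTS, window=60))                            # fires at t=400
```

The single-layer case is the one worth noticing: three application-layer alarms with "few" reliability do not fire, because the slide's argument is that corroboration across layers, not volume within one, is what makes the attacker's job hard.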
  • Challenges
      • Most Metasploit exploits target Windows
      • Exploits are needed to test all alarms/parameters
      • Creating a hardware exploit that involves minimum user interaction
      • Detecting the system parameters on Windows
  • Thank you