A multilayer framework proposal to catch data exfiltration
Puneet Sharma
Agenda Introduction to the problem   What is data exfiltration?   Why is it more difficult to catch than regular networ...
What is data exfiltration? Unauthorized extraction of data from a system Can be locally or remotely initiated Is hard t...
Hardware based trojans Use cases:   Huawei case   Greek phone tapping case Special challenges in catching HW Trojans  ...
Rootkits and other Trojans Device driver way to get in Kernel mode access Can hide processes Can auto run on restart ...
Multi layered approach                    • Hidden processes                    • New hardware insertion eventApplication ...
Justification for a multi           stacked solution No such thing as the perfect defense Idea is to make it really hard...
Parameters to monitor New Hardware detection New device driver registration Sudden increase in packet size going out T...
Parameters to monitor Memory traces CPU utilization Hidden processes Power pattern changes Instruction set pattern ch...
Relevance of parameters              matrixParameter/Alar      Ways to monitor       reliable   reliable     reliablem    ...
Relevance of parameters               matrixParameter/Alar    Ways to monitor        reliable   reliable   reliablem      ...
Challenges Most Metasploit exploits on windows Exploits to test all alarms/parameters Creating a hardware exploit which...
Thank you
Upcoming SlideShare
Loading in …5
×

Thesis proposal
Published in: Education
  1. A multilayer framework proposal to catch data exfiltration (Puneet Sharma)

  2. Agenda
     • Introduction to the problem
       ◦ What is data exfiltration?
       ◦ Why is it more difficult to catch than regular network-based intrusions?
     • Hardware-based Trojans
       ◦ Huawei case
       ◦ Greek phone tapping case
     • Software-based Trojans
       ◦ Rootkits
     • Proposed approach
       ◦ Multiple stacks / layered detection
       ◦ Parameters to watch
     • Challenges

  3. What is data exfiltration?
     • Unauthorized extraction of data from a system
     • Can be locally or remotely initiated
     • Is hard to catch because:
       ◦ It may leave no fingerprint
       ◦ It may be an insider attack
       ◦ It can go to great lengths to hide itself using kernel-level device drivers

  4. Hardware-based Trojans
     • Use cases:
       ◦ Huawei case
       ◦ Greek phone tapping case
     • Special challenges in catching HW Trojans:
       ◦ Special circuits with an extremely small footprint
       ◦ Most come shipped with their own software
       ◦ Most circuit-based testing methods are too expensive and impractical to check for each possible circuit flow

  5. Rootkits and other Trojans
     • A device driver is the way to get in
     • Kernel-mode access
     • Can hide processes
     • Can auto-run on restart
     • Stuxnet: the most famous example

  6. Multi-layered approach
     • Application layer: hidden processes; new hardware insertion event; new device driver registration
     • Network layer: change in outgoing packet patterns; connection to an unknown address
     • Hardware layer: change in the power consumption patterns; change in the instruction set patterns

  7. Justification for a multi-stacked solution
     • No such thing as the perfect defense
     • The idea is to make it really hard for the attacker to avoid detection
     • Certain techniques on the network and application layers are state of the art, just never used together
     • Sophisticated hardware Trojans are not just sections of mala fide circuits, but come with their own custom software

  8. Parameters to monitor
     • New hardware detection
     • New device driver registration
     • Sudden increase in packet size going out
     • Type of data going out
     • Key file hashes being changed

  9. Parameters to monitor (continued)
     • Memory traces
     • CPU utilization
     • Hidden processes
     • Power pattern changes
     • Instruction set pattern changes
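Three of the host-side parameters on slides 8 and 9 (new device driver registration, hidden processes, key file hashes being changed) reduce to snapshot-and-compare logic. The following Python script is an added example, not code from the slides or from the author: it diffs a module inventory in /proc/modules format against a baseline, cross-checks numeric /proc entries against a process-table listing the way unhide does, and recomputes SHA-256 digests of watched files tripwire-style. Every input is constructed and embedded inline (the module name hypothetical_mod, the PIDs and the file contents are made up); on a live host they would come from /proc/modules, os.listdir('/proc'), a ps listing and the files' bytes.

```python
"""Host-side checks for three parameters from the 'parameters to monitor'
slides: new kernel modules (device drivers), hidden processes and changed
key-file hashes.  Added example, not code from the slides; inputs are
constructed so the script runs offline."""
import hashlib
from typing import Dict, Iterable, Optional, Set


def new_modules(baseline: Iterable[str], current: Iterable[str]) -> Set[str]:
    """Module names loaded now but absent from the baseline snapshot.
    Lines follow the /proc/modules layout: name size refcount deps state addr."""
    def names(lines: Iterable[str]) -> Set[str]:
        return {ln.split()[0] for ln in lines if ln.strip()}
    return names(current) - names(baseline)


def hidden_pids(proc_dirs: Iterable[str], ps_pids: Iterable[str]) -> Set[int]:
    """Cross-view check (the idea behind unhide): a numeric /proc entry with no
    matching row in the process table suggests the table is being filtered."""
    seen_in_proc = {int(n) for n in proc_dirs if n.isdigit()}
    seen_in_ps = {int(n) for n in ps_pids if n.isdigit()}
    return seen_in_proc - seen_in_ps


def changed_files(expected: Dict[str, str],
                  contents: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Tripwire-style integrity check: recompute SHA-256 over the current bytes
    of each watched path and report paths whose digest differs, or that have
    vanished (reported with value None)."""
    report: Dict[str, Optional[str]] = {}
    for path, digest in expected.items():
        data = contents.get(path)
        actual = hashlib.sha256(data).hexdigest() if data is not None else None
        if actual != digest:
            report[path] = actual
    return report


# ---- constructed sample data (not captured from a real system) ----
BASELINE_MODULES = [
    "ext4 745472 1 - Live 0xffffffffc0000000",
    "usbcore 286720 4 usbhid,xhci_pci - Live 0xffffffffc0100000",
]
CURRENT_MODULES = BASELINE_MODULES + [
    "hypothetical_mod 16384 0 - Live 0xffffffffc0200000",  # appeared after baseline
]
PROC_DIRS = ["1", "2", "4242", "self", "net", "sys"]   # os.listdir('/proc') shape
PS_PIDS = ["1", "2"]                                    # what a filtered ps reports

ORIGINAL_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/usr/bin/ls": b"\x7fELF original binary",
}
BASELINE_HASHES = {p: hashlib.sha256(d).hexdigest() for p, d in ORIGINAL_FILES.items()}
CURRENT_FILES = dict(ORIGINAL_FILES)
CURRENT_FILES["/usr/bin/ls"] = b"\x7fELF replaced binary"   # integrity violation


def run_checks() -> Dict[str, object]:
    """Run all three checks over the sample data and return the findings."""
    return {
        "new_modules": new_modules(BASELINE_MODULES, CURRENT_MODULES),
        "hidden_pids": hidden_pids(PROC_DIRS, PS_PIDS),
        "changed_files": changed_files(BASELINE_HASHES, CURRENT_FILES),
    }


if __name__ == "__main__":
    for check, finding in run_checks().items():
        print(f"{check}: {finding or 'none'}")
```

Each check only compares two views of the same host state, which is why the matrix on the next slides rates most of them as unreliable on their own: a legitimately loaded driver or a package upgrade produces the same diff as a rootkit, so the findings are inputs to correlation rather than verdicts.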
  10. Relevance of parameters matrix

      Parameter / Alarm                 | Ways to monitor               | Reliable on its own? | Reliable with a few other alarms? | Reliable with many other alarms?
      New hardware detection            | lsusb, udevd, udevadm, lshw   | No                   | Yes                               | Yes
      New device driver detection       | lspci, lsmod, modprobe        | No                   | Yes                               | Yes
      Increase in outgoing packet size  | Wireshark, tcpdump            | No                   | Yes                               | Yes
      Change in type of data going out  | Wireshark, tcpdump            | No                   | No                                | Yes
      Change in file hashes             | tripwire                      | No                   | Yes                               | Yes

  11. Relevance of parameters matrix (continued)

      Parameter / Alarm                 | Ways to monitor               | Reliable on its own? | Reliable with a few other alarms? | Reliable with many other alarms?
      Memory traces                     | /proc file system             | No                   | No                                | Yes
      CPU utilization                   | mpstat, top, sysstat          | No                   | No                                | Yes
      Hidden processes                  | unhide, /proc/<pid>/exe       | Yes                  | Yes                               | Yes
      Power pattern changes             | (none given)                  | Yes                  | Yes                               | Yes
      Instruction set changes           | (none given)                  | Yes                  | Yes                               | Yes
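The matrix on slides 10 and 11, together with the layered design of slide 6, is essentially a correlation rule: an alarm that is not reliable on its own should only escalate when enough other distinct alarms fire around the same time. The Python correlator below is an added example, not code from the slides or from the author. The reliability classes per alarm come from the matrix; the corroboration counts (0 for "reliable on its own", 1 for "with a few other alarms", 3 for "with many other alarms"), the 300-second window, the alarm names, and the layer assignment of the memory-trace and CPU alarms are assumptions, and the event stream is constructed.

```python
"""Alarm correlator implementing the relevance matrix from slides 10 and 11:
an alarm that is not reliable on its own escalates only when enough other
distinct alarms fire within the same time window.  Added example, not code
from the slides; thresholds, window, alarm names and the memory/CPU layer
assignment are assumptions."""
from typing import Dict, List, Set, Tuple

# Number of *other* distinct alarms required before an alarm class escalates
# (assumed mapping of the three matrix columns to counts).
NEEDS: Dict[str, int] = {"alone": 0, "few": 1, "many": 3}

# alarm name -> (detection layer from slide 6, reliability class from the matrix)
ALARMS: Dict[str, Tuple[str, str]] = {
    "new_hardware":        ("application", "few"),
    "new_driver":          ("application", "few"),
    "packet_size_up":      ("network",     "few"),
    "data_type_change":    ("network",     "many"),
    "file_hash_change":    ("application", "few"),
    "memory_trace":        ("application", "many"),   # layer assumed
    "cpu_utilization":     ("application", "many"),   # layer assumed
    "hidden_process":      ("application", "alone"),
    "power_pattern":       ("hardware",    "alone"),
    "instruction_pattern": ("hardware",    "alone"),
}

Event = Tuple[int, str]                 # (unix seconds, alarm name)
Finding = Tuple[int, str, List[str]]    # (when, alarm, corroborating alarms)


def correlate(events: List[Event], window: int = 300) -> List[Finding]:
    """Escalate each event whose corroborating set (other distinct alarms
    within +/- window seconds) is at least as large as its class requires."""
    ordered = sorted(events)
    findings: List[Finding] = []
    for ts, name in ordered:
        _layer, cls = ALARMS[name]
        others: Set[str] = {n for t, n in ordered
                            if n != name and abs(t - ts) <= window}
        if len(others) >= NEEDS[cls]:
            findings.append((ts, name, sorted(others)))
    return findings


def layers_hit(findings: List[Finding]) -> List[str]:
    """Which of the three detection layers contributed escalated alarms."""
    return sorted({ALARMS[name][0] for _, name, _ in findings})


# constructed sample stream (not from a real system)
EVENTS: List[Event] = [
    (100,  "cpu_utilization"),   # isolated 'many'-class alarm: stays a soft signal
    (1000, "new_driver"),        # 'few' class, corroborated by the next event
    (1020, "packet_size_up"),
    (1900, "hidden_process"),    # 'alone' class: escalates by itself
]

if __name__ == "__main__":
    for ts, name, others in correlate(EVENTS):
        print(f"t={ts} ESCALATE {name} (corroborated by: {', '.join(others) or 'none'})")
    print("layers:", layers_hit(correlate(EVENTS)))
```

The design choice worth noting is that corroboration counts distinct alarm types rather than raw event volume, so a single noisy sensor repeating itself cannot escalate a "many"-class alarm; the layers_hit summary shows whether the escalated alarms span more than one layer, which is the property slide 7 argues makes evasion hard.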
  12. Challenges
     • Most Metasploit exploits are for Windows
     • Exploits are needed to test all alarms/parameters
     • Creating a hardware exploit that involves minimum user interaction
     • Detecting the system parameters on Windows
  13. Thank you