
Hidden in Plain Sight: Filesystem View Separation for Data Integrity and Deception

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2018)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10885))

Abstract

Cybercrime has become a big money business with sensitive data being a hot commodity on the dark web. In this paper, we introduce and evaluate a filesystem (DcyFS) capable of curtailing data theft and ensuring file integrity protection by providing subject-specific views of the filesystem. The deceptive filesystem transparently creates multiple levels of stacking to protect the base filesystem and monitor file accesses, hide and redact sensitive files with baits, and inject decoys onto fake system views purveyed to untrusted subjects, all while maintaining a pristine state to legitimate processes. A novel security domain model groups applications into filesystem views and eliminates the need for filesystem merging. Our prototype implementation leverages a kernel hot-patch to seamlessly integrate the new filesystem module into live and existing environments. We demonstrate the utility of our approach through extensive performance benchmarks and use cases on real malware samples, including ransomware, rootkits, binary modifiers, backdoors, and library injectors. Our results show that DcyFS adds no significant performance overhead to the filesystem, preserves the filesystem data, and offers a potent new tool to characterize the impact of malicious activities and expedite forensic investigations.

T. Taylor and F. Araujo—Both authors contributed equally to this work.
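The abstract describes stacking per-subject views above a protected base: trusted processes see the pristine filesystem, while untrusted ones get a copy-on-write view in which sensitive files are redacted and bait is injected. The following Python model is an added illustration of that view-resolution logic, not DcyFS code (the paper's system is a kernel filesystem module); the `Domain` and `ViewedFS` classes, the subject names, paths and file contents are all constructed for the example. An untrusted process writes only into its own overlay, its deletions become whiteouts, and any touch of a decoy path lands in the audit trail, so the base layer survives intact and the decoy hits double as a detection signal.

```python
"""Toy in-memory model of subject-specific filesystem views. Added illustration, not DcyFS
code: every class, subject, path and byte string here is constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Domain:
    """A security domain: all subjects in it share one stacked view of the filesystem."""
    name: str
    trusted: bool = False
    hidden: Set[str] = field(default_factory=set)           # base paths redacted from the view
    decoys: Dict[str, bytes] = field(default_factory=dict)  # bait visible only inside the view
    overlay: Dict[str, Optional[bytes]] = field(default_factory=dict)  # copy-on-write; None = whiteout


class ViewedFS:
    """A shared base layer with one private overlay stacked above it per domain."""

    def __init__(self, base: Dict[str, bytes]) -> None:
        self.base: Dict[str, bytes] = dict(base)
        self.domains: Dict[str, Domain] = {}
        self.subject_domain: Dict[str, str] = {}
        self.events: List[Tuple[str, str, str]] = []  # (subject, op, path) audit trail

    def add_domain(self, d: Domain, subjects: List[str]) -> None:
        self.domains[d.name] = d
        for s in subjects:
            self.subject_domain[s] = d.name

    def _resolve(self, subject: str, op: str, path: str) -> Domain:
        """Look up the subject's domain (fail closed if it has none) and log the access."""
        if subject not in self.subject_domain:
            raise PermissionError(f"no view configured for subject {subject!r}")
        d = self.domains[self.subject_domain[subject]]
        self.events.append((subject, op, path))
        if not d.trusted and path in d.decoys:
            self.events.append((subject, "DECOY_HIT", path))  # any touch of bait is a signal
        return d

    def read(self, subject: str, path: str) -> Optional[bytes]:
        d = self._resolve(subject, "read", path)
        if d.trusted:
            return self.base.get(path)          # trusted subjects see the pristine base
        if path in d.overlay:
            return d.overlay[path]              # the subject's own writes and whiteouts win
        if path in d.decoys:
            return d.decoys[path]               # bait replaces or supplements the base file
        if path in d.hidden:
            return None                         # redacted: the file does not exist in this view
        return self.base.get(path)

    def write(self, subject: str, path: str, data: bytes) -> None:
        d = self._resolve(subject, "write", path)
        if d.trusted:
            self.base[path] = data
        else:
            d.overlay[path] = data              # untrusted writes never reach the base layer

    def unlink(self, subject: str, path: str) -> None:
        d = self._resolve(subject, "unlink", path)
        if d.trusted:
            self.base.pop(path, None)
        else:
            d.overlay[path] = None              # whiteout: hides the path in this view only

    def listdir(self, subject: str) -> List[str]:
        d = self._resolve(subject, "list", "/")
        if d.trusted:
            return sorted(self.base)
        candidates = {p for p in self.base if p not in d.hidden} | set(d.decoys) | set(d.overlay)
        return sorted(p for p in candidates if d.overlay.get(p, b"") is not None)  # drop whiteouts

    def decoy_hits(self) -> List[Tuple[str, str]]:
        return [(s, p) for s, op, p in self.events if op == "DECOY_HIT"]


def build_demo() -> ViewedFS:
    """Constructed sample filesystem with one trusted and one untrusted domain."""
    fs = ViewedFS({"/home/alice/notes.txt": b"meeting at 10",
                   "/home/alice/customers.csv": b"id,name\n1,Bob\n",
                   "/etc/ssh/sshd_config": b"PermitRootLogin no\n"})
    fs.add_domain(Domain("trusted", trusted=True), ["editor", "backup"])
    fs.add_domain(Domain("untrusted",
                         hidden={"/home/alice/customers.csv"},  # redact the real data ...
                         decoys={"/home/alice/customers.csv": b"id,name\n1,Decoy\n",  # ... serve bait
                                 "/home/alice/passwords.txt": b"CANARY-PLACEHOLDER\n"}),
                  ["downloaded-tool"])
    return fs


def run_scenario() -> dict:
    """An untrusted process rewrites and deletes all it can see; the base must stay pristine."""
    fs, tool = build_demo(), "downloaded-tool"
    pristine = dict(fs.base)
    bait = fs.read(tool, "/home/alice/customers.csv")
    for path in fs.listdir(tool):
        fs.write(tool, path, b"<garbage>")
    fs.unlink(tool, "/etc/ssh/sshd_config")
    return {"bait_served": bait,
            "tool_view": fs.listdir(tool),
            "base_intact": fs.base == pristine,
            "editor_view": fs.listdir("editor"),
            "editor_read": fs.read("editor", "/home/alice/customers.csv"),
            "decoy_paths_touched": sorted({p for _, p in fs.decoy_hits()})}
```

Calling `run_scenario()` shows the two properties the abstract claims: `base_intact` stays true and the trusted `editor` still reads the real `customers.csv`, while the untrusted subject was served bait and every decoy it touched is recorded. Mapping is fail-closed on purpose: a subject with no configured domain gets no view at all rather than silently falling into the trusted one.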



Author information

Correspondence to Teryl Taylor or Frederico Araujo.


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper


Cite this paper

Taylor, T., Araujo, F., Kohlbrenner, A., Stoecklin, M.P. (2018). Hidden in Plain Sight: Filesystem View Separation for Data Integrity and Deception. In: Giuffrida, C., Bardin, S., Blanc, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2018. Lecture Notes in Computer Science(), vol 10885. Springer, Cham. https://doi.org/10.1007/978-3-319-93411-2_12


  • DOI: https://doi.org/10.1007/978-3-319-93411-2_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-93410-5

  • Online ISBN: 978-3-319-93411-2

  • eBook Packages: Computer Science (R0)
