Operating Systems 2017F Lecture 23: Difference between revisions

From Soma-notes
Rquaium (talk | contribs)
No edit summary
Line 1: Line 1:
==Video==


== Additional Notes ==
[http://homeostasis.scs.carleton.ca/~soma/os-2017f/lectures/comp3000-2017f-lec23-07Dec2017.mp4 Lecture 23 Video]
 
==Notes==
 
===In Class===
<pre>
Lecture 23
----------
 
How can you tell when a process has been compromised?
- from outside the process
 
Classic: signatures
- is it running "bad code"
- is it doing "bad things"
  - bad system calls
 
For a process to do damage, it has to make "bad" system calls
 
How can I tell if a process is making bad system calls?
 
I want to be lazy
- complex rules are a pain
- and, they don't work well either
 
Make the computer solve the problem for me of determining what is good and bad
- use machine learning
 
But I can't teach good versus bad because I don't know bad very well
 
But...I do know how systems "normally" behave
 
How about teaching the system to differentiate normal from abnormal?
- normal is "good"
- abnormal may be bad
 
abnormal but not bad => false positive
 
 
How do we detect abnormal system calls?
 
Learn normal patterns of system calls over time
once you've learned enough, watch for abnormal system calls
 
Since I'm lazy, I want it to learn as it runs
- and automatically decide when it has learned enough
 
Could I do the learning in a process (or set of processes)?
- you could, but all data would have to come from the kernel
 
Want something fast and simple
- implement in the kernel
 
How simple could it be?
 
First assumption: ignore arguments
 
 
Second assumption: look at ordering of systems calls on a per-thread, per-process basis
 
Third assumption: characterize processes based on the executable they are running
 
- model per executable, each trained on multiple processes
 
How to model the trace of system calls coming from a process?
 
* frequency analysis?
  - on a system call basis
  - high variance
 
* what system calls are made (and not made)?
 
* short sequences of system calls?
  6-10
</pre>
 
 
===Additional Notes===
Written solutions for midterm exam are on the course webpage <br>
Written solutions for midterm exam are on the course webpage <br>
Assignment 4 <br>
Assignment 4 <br>

Revision as of 02:16, 8 December 2017

Video

Lecture 23 Video

Notes

In Class

Lecture 23
----------

How can you tell when a process has been compromised?
 - from outside the process

Classic: signatures
 - is it running "bad code"
 - is it doing "bad things"
   - bad system calls

For a process to do damage, it has to make "bad" system calls

How can I tell if a process is making bad system calls?

I want to be lazy
 - complex rules are a pain
 - and, they don't work well either

Make the computer solve the problem for me of determining what is good and bad
 - use machine learning

But I can't teach good versus bad because I don't know bad very well

But...I do know how systems "normally" behave

How about teaching the system to differentiate normal from abnormal?
 - normal is "good"
 - abnormal may be bad

abnormal but not bad => false positive


How do we detect abnormal system calls?

Learn normal patterns of system calls over time
once you've learned enough, watch for abnormal system calls

Since I'm lazy, I want it to learn as it runs
 - and automatically decide when it has learned enough

Could I do the learning in a process (or set of processes)?
 - you could, but all data would have to come from the kernel

Want something fast and simple
 - implement in the kernel

How simple could it be?

First assumption: ignore arguments


Second assumption: look at ordering of systems calls on a per-thread, per-process basis

Third assumption: characterize processes based on the executable they are running

 - model per executable, each trained on multiple processes

How to model the trace of system calls coming from a process?

* frequency analysis?
  - on a system call basis
  - high variance

* what system calls are made (and not made)?

* short sequences of system calls?
  6-10


Additional Notes

Written solutions for midterm exam are on the course webpage
Assignment 4
Q2: SSH keygen generates the secret key and the public key file. The private key is stored in the private key file: .ssh/id_rsa
Q4: Both lines because first you start from 1 and then increment from there.
Q11: Only bs because it is write. Would be ibs and bs if it was read.
Q12: Local kernel forwards the write system call but doesn't actually make the system call. Kernels don't make system calls.
Lecture 23 Prof Notes


How can you tell when a process has been compromised.
- from outside the process
Use signatures
- is it running "bad code"
- is it doing "bad things"
-- For example: password program start modifying files other than etc/password. You could specify rules to prevent this.
-- bad system calls
For a process to do damage, it has to make "bad" system calls
I want to be lazy
- complex rules are a pain
- and they don't work well either
Make the computer solve this problem
- Use Machine Learning
I can't teach good versus bad if I don't know what is bad
But I know how systems behave normally
How about teaching the system to differentiate normal from abnormal
- normal is good
- abnormal may be bad
abnormal but not bad => false positive
False positives can be a big issue because they may cause ppl to not trust the machine's detection capabilities

How can we detect abnormal system calls?
Learn normal patterns of system calls over time
Once you've learned enough, watch for abnormal system calls
Since I'm lazy, I want to learn it as it runs
- and automatically decide when it has learned enough

Could I do the learning in a process (or set of processes)?
you could, but all data would have to come from the kernel
Want something fast and simple
- implement in the kernel
How simple could it be?

First assumption: ignore arguments
Second assumption: look at ordering of system calls on a per-thread, per-process basis
Third Assumption: characterize processes based on the executable they are running
model per executable, each trained on multiple processes
How to model the trace of system calls coming from a procesd

  • frequency analysis?

- on a system call basis
- high variance

  • what system calls are made (and not made)?
  • short sequence of system calls? 6-10 calls