Towards Better Kernel and Network Monitoring of Software Actions

Lei, Yunsen

Etd

Towards Better Kernel and Network Monitoring of Software Actions

Public

Monitoring software actions is one of the most studied approaches to help security researchers understand how software interacts with the system or network. In many cases, monitoring is an important component to help detect attacks that use software vulnerabilities as a vector to compromise endpoints. Attacks are becoming more sophisticated and network use is growing dramatically. Both host-based and network-based monitoring are facing different challenges. A host-based approach has more insight into software's actions but puts itself at the risk of compromise. When deployed on the server endpoint, the lack of separation between different clients only further complicates the monitoring scope. Compared to network-based approaches, host-based monitoring usually loses control of a software's network trace once the network packet leaves the endpoint. On the other hand, network-based monitoring usually has full control of a software's network packets but confronts scalability problems as the network grows. This thesis focuses on the limitations of the current monitoring approaches and technologies and proposes different solutions to mitigate the current problem.\r\rFor software-defined networking, we design and implement a host-based SDN system that achieves the same forwarding path control and packet rewriting functionality as a switch-based SDN. Our implementation empower the host-based SDN with more control in the network even without using any SDN-enabled middleboxes, allowing SDN adoption in large-scale deployments. We further corroborate flow reports from different host SDN agents to address the endpoint compromise problem. On the server endpoint, we leverage containers as a light-weight environment to separate different clients and build monitoring infrastructures to narrow down the monitoring scope that have the potential to facilitate further forensic analysis.

Creator