DOCSLIB.ORG

A Modular Architecture for Security Tools (MAST)

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Modular Architecture for Security Tools (MAST) Iowa State University Capstones, Theses and Retrospective Theses and Dissertations Dissertations 1-1-2005 A modular architecture for security tools (MAST) Pascal Openshaw Iowa State University Follow this and additional works at: https://lib.dr.iastate.edu/rtd Recommended Citation Openshaw, Pascal, "A modular architecture for security tools (MAST)" (2005). Retrospective Theses and Dissertations. 19204. https://lib.dr.iastate.edu/rtd/19204 This Thesis is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Retrospective Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. A Modular Architecture for Security Tools {MAST) by Pascal Openshaw A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Co-majors: Computer Engineering; Information Assurance Program of Study Committee: Doug Jacobson, Major Professor Yong Guan Adrian Sannier Iowa State University Ames, Iowa 2005 Copyright @Pascal Openshaw, 2005. All rights reserved. ii Graduate College Iowa State University This is to certify that the Master's thesis of Pascal Openshaw has met the thesis requirements of Iowa State University Signatures have been redacted for privacy lll TABLE OF CONTENTS CHAPTER 1. Overview . 1 1.1 Introduction . 1 1.2 History 2 1.2.1 Common areas 2 1.2.2 Additional security tools . 3 1.2.3 Putting them all together 3 1.3 The MAST solution 4 1.3.l A voiding vendor lock-in 6 1.3.2 Tradeoffs 6 1.3.3 Information collection 7 1.4 Sample scenarios 9 1.5 Potential modules 9 1.5.1 Application profiles . 9 1.5.2 File integrity checking 11 1.5.3 Antivirus integration . 12 1.5.4 Firewall integration 13 1.5.5 File access . 13 1.5.6 Registry access 14 1.5.7 Event logs . 14 1.6 Multiple computers . 14 1.6.1 Compiled information 15 1.6.2 Shared configurations 15 iv CHAPTER 2. MAST configuration ....... 16 2.1 Webmin modules . 16 2.2 Central repository 17 2.2.1 Configuration 18 2.2.2 Analysis 19 2.2.3 Alerts . 19 2.3 Plugin architecture 21 2.4 Database layout . 21 2.4.1 By program 22 2.4.2 By type . 22 2.4.3 Program analysis 22 CHAPTER 3. File monitoring ........ 24 3.1 Programs ..... 24 3.1.1 Tripwire, Inc 24 3.1.2 I3FS .. 25 3.1.3 AFICK 26 3.1.4 Samhain . 26 3.2 Webmin module 26 3.3 MAST plugin . 27 CHAPTER 4. Antivirus integration . ........ 30 4.1 Programs 30 4.1.1 Clam antivirus 30 4.1.2 Commercial options 31 4.1.3 F-Prot . 32 4.1.4 Spyware 33 4.2 Webmin module 33 4.3 MAST plugin 34 4.3.l Analysis 34 v 4.3.2 Table layout ......... 35 CHAPTER 5. Network integration ........ 36 5.1 Programs . 36 5.1.l Network intrusion detection 36 5.1.2 Firewalls 37 5.2 Webmin module 39 5.3 MAST plugin . 39 CHAPTER 6. Additional applications . ........ 42 6.1 Analysis 42 6.2 Normalizing across applications 43 6.3 Related products 43 6.3.1 Nagios . 44 6.3.2 Entercept 44 6.3.3 Webmin . 44 6.4 Related research 45 6.5 Future work . 45 6.5.l Plugin development 45 6.5.2 Data analysis . 46 6.5.3 Configuration management 46 6.6 Measuring success 46 6. 7 Conclusion . 47 APPENDIX . MAST database 48 BIBLIOGRAPHY ........ 51 vi LIST OF TABLES Table 2.1 Webmin standard modules for security . 17 Table 2.2 Webmin third party modules for security 17 Table 3.1 Layout for file integrity checking . 28 Table 4.1 Layout for antivirus reports 35 Table 5.1 Layout for Snort reports . 40 Table 5.2 Layout for firewall configuration changes 40 1 CHAPTER 1. Overview Desktop computer security is a growing problem with the many viruses, network attacks, trojans, and other malicious programs that can affect a system. Trying to track down what has happened on a computer, remove problems, and prevent future intrusions can be very problematic. The solution proposed in this thesis is to have a modular architecture for security tools (MAST). MAST consists of three components: A database containing security information, programs to interact with the database, and patches to security tools so that they can interact with the database and each other. The expert tools are responsible for analyzing data from their realms of expertise and reporting relevant information to the database. They should also be capable of sharing elements of functionality with other security applications through documented commands or interfaces. In return the programs may also be set up to utilize the functionality of other programs if installed. This kind of information and functionality sharing has the potential of increasing the quality of programs and reducing duplication of effort. 1.1 Introduction As a computer is running, many things are happening at the same time. Network services are responding to traffic, programs are accessing files, and system changes are being made periodically. Unfortunately there are no easy ways to view or even record most of this infor­ mation. A typical security administrator might have network alerts, a few event log entries, and not much else to work with. The key is to record all the information that the security administrator needs without being overwhelmed with too much information. A modular architecture fits this need by enabling or 2 disabling various portions based on requirements. At the moment there are many specialized utilities for security. The plethora of security software companies are each trying to establish their niche in a particular area, and a select few are attempting to expand their areas of expertise to everything that concerns computer security. The goal of MAST is to combine the expertise of security companies in each product area into one global package that is capable of monitoring various critical events for a computer system. 1.2 History Intrusion detection systems (IDS) have been an important topic for many years. Ever since the first security vulnerability was found and exploited, computer administrators have been looking for ways to find out about and prevent such exploits. Various tactics have been taken in order to do this. Of course, the best way to ensure good computer security is to not have any vulnerabilities in the software to begin with. Unfortunately software flaws are a continuing problem that is not going away anytime soon. Even if software is assumed to be perfect there are still potential problems such as accidentally installing viruses, spyware, using poor passwords, and so on. In these cases the IDS software is capable of mitigating the damage by detecting problems early on. 1.2.1 Common areas Three of the main angles taken by IDS products have been in the areas of file integrity checking, network monitoring, and antivirus. These make intuitive sense in that certain files should never change and finding out when they have is an important step in making sure that the system is secure. The network IDS (NIDS) is important because network traffic is ever-changing and presents potential pitfalls for the computer that is trying to interpret that traffic. 3 The most well-known program for file integrity checking is Tripwire, which has been around since the early 1990's. The open-source Snort has been the standard bearer for NIDS products and has also turned into a commercial product more recently. As for antivirus systems the major vendors at the moment are Symantec, Network Associates, and Trend Micro. 1.2.2 Additional security tools As it turns out, however, there are a multitude of security programs and checking mech­ anisms. Spyware has become a much greater problem with the increase in Internet traffic, web browsing, and e-mail. AdAware and Spybot Search & Destroy are two common pro­ grams that are capable of removing malicious software. Vulnerability assessment tools such as Nessus, SATAN, SAINT, and nmap are capable of finding potential remote compromises on computer systems. Numerous studies have been done looking for efficient artificial intelligence algorithms which can use intelligent agents to collect information and determine intrusions with the highest accuracy. The various approaches that are possible have led to a plethora of various software applications ranging from anomaly detection, event log monitoring, root kit detection, and so on. 1.2.3 Putting them all together Clearly a solution must be found for the typical computer administrator so that the se­ curity situation can cover all the various aspects yet still be usable. All the various products available can be confusing at times, which is where the big-name companies usually take to the forefront with the easier to use software suites. Network Associates has been moving to have more comprehensive solutions by including firewalls, spyware detection, and so on into their products. In the same way Tripwire has become an overall change monitoring solution rather than just simple file integrity checking. The problem, though, is that few companies can yet claim to have outstanding systems for each aspect of security. 4 1.3 The MAST solution Many companies attempt to create a global tool that is capable of doing everything. The program collects information from all the log files, network traffic, file access, virus detections, integrity checking, user behaviour, network statistics, and so on. By parsing through all this information the program attempts to find the patterns and reach conclusions about what is going on.
Load more

Recommended publications
  • Mcafee Epolicy Orchestrator DATA SHEET
    DATA SHEET McAfee ePolicy Orchestrator Centrally get, visualize, share, and act on security insights Security management requires cumbersome juggling between tools and data. This puts the adversary at an advantage by offering more time to exploit the gap not seen between the tools and do damage. In addition, the cybersecurity workforce is limited and needs to be empowered to manage cybersecurity complexity. The McAfee® ePolicy Orchestrator® (McAfee ePO™) management platform removes the time-consuming and potential human error effort and inspires those responsible to manage security quicker and with higher efficacy. Fundamental Security Proven Advanced Security Management Start with the fundamentals. Core to any security More than 30,000 businesses and organizations trust architecture is the ability to monitor and control the the McAfee ePO console to manage security, streamline health of endpoints and systems. Industry standards and automate compliance processes, and increase such as Center for Internet Security (CIS) Controls and overall visibility across endpoint, network, and security National Institute of Standards Technology (NIST) SP operations. Big companies rely on the McAfee ePO 800 153 security and privacy controls call this out as console’s highly scalable architecture, allowing large a must. The McAfee ePO console allows you to gain enterprises to manage hundreds and thousands of critical visibility and set and automatically enforce nodes from a single console. The McAfee ePO console policies to ensure a healthy security posture across provides an enterprise security administrator with the your enterprise. Policy management and enforcement opportunity to simplify policy maintenance, pull in third- across security products for your entire enterprise party threat intelligence leveraging Data Exchange Layer is accomplished from a single console, removing the (DXL), and integrate policies bi-directionally with an array complexity of managing multiple products.
    [Show full text]
  • Personal Firewalls Are a Necessity for Solo Users
    Personal firewalls are a necessity for solo users COMPANY PRODUCT PLATFORM NOTES PRICE Aladdin Knowledge Systems Ltd. SeSafe Desktop Windows Combines antivirus with content filtering, blocking and $72 Arlington Heights, Ill. monitoring 847-808-0300 www.ealaddin.com Agnitum Inc. Outpost Firewall Pro Windows Blocks ads, sites, programs; limits access by specific times $40 Nicosia, Cyprus www.agnitum.com Computer Associates International Inc. eTrust EZ Firewall Windows Basic firewall available only by download $40/year Islandia, N.Y. 631-342-6000 my-etrust.com Deerfield Canada VisNetic Firewall Windows Stateful, packet-level firewall for workstations, mobile $101 (Canadian) St. Thomas, Ontario for Workstations users or telecommuters 519-633-3403 www.deerfieldcanada.ca Glucose Development Corp. Impasse Mac OS X Full-featured firewall with real-time logging display $10 Sunnyvale, Calif. www.glu.com Intego Corp. NetBarrier Personal Firewall Windows Full-featured firewall with cookie and ad blocking $50 Miami 512-637-0700 NetBarrier 10.1 Mac OS X Full-featured firewall $60 www.intego.com NetBarrier 2.1 Mac OS 8 and 9 Full-featured firewall $60 Internet Security Systems Inc. BlackIce Windows Consumer-oriented PC firewall $30 Atlanta 404-236-2600 RealSecure Desktop Windows Enterprise-grade firewall system for remote, mobile and wireless users Varies blackice.iss.net/ Kerio Technologies Inc. Kerio Personal Firewall Windows Bidirectional, stateful firewall with encrypted remote-management option $39 Santa Clara, Calif. 408-496-4500 www.kerio.com Lava Software Pty. Ltd. AdWare Plus Windows Antispyware blocks some advertiser monitoring but isn't $27 Falköping, Sweden intended to block surveillance utilities 46-0-515-530-14 www.lavasoft.de Network Associates Inc.
    [Show full text]
  • Hostscan 4.8.01064 Antimalware and Firewall Support Charts
    HostScan 4.8.01064 Antimalware and Firewall Support Charts 10/1/19 © 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco public. Page 1 of 76 Contents HostScan Version 4.8.01064 Antimalware and Firewall Support Charts ............................................................................... 3 Antimalware and Firewall Attributes Supported by HostScan .................................................................................................. 3 OPSWAT Version Information ................................................................................................................................................. 5 Cisco AnyConnect HostScan Antimalware Compliance Module v4.3.890.0 for Windows .................................................. 5 Cisco AnyConnect HostScan Firewall Compliance Module v4.3.890.0 for Windows ........................................................ 44 Cisco AnyConnect HostScan Antimalware Compliance Module v4.3.824.0 for macos .................................................... 65 Cisco AnyConnect HostScan Firewall Compliance Module v4.3.824.0 for macOS ........................................................... 71 Cisco AnyConnect HostScan Antimalware Compliance Module v4.3.730.0 for Linux ...................................................... 73 Cisco AnyConnect HostScan Firewall Compliance Module v4.3.730.0 for Linux .............................................................. 76 ©201 9 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
    [Show full text]
  • The Samhain Host Integrity Monitoring System the Samhain Host Integrity Monitoring System This Is Version 2.4.3 of the Samhain Manual
    The Samhain Host Integrity Monitoring System The Samhain Host Integrity Monitoring System This is version 2.4.3 of the Samhain manual. Copyright © 2002-2019 Rainer Wichmann Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. You may obtain a copy of the GNU Free Documentation Licensefrom the Free Software Foundation by visiting their Web site or by writing to: Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. This manual refers to version 4.4.0 of Samhain. Table of Contents 1. Introduction .............................................................................................................. 1 1. Backward compatibility ...................................................................................... 1 2. Compiling and installing ............................................................................................. 2 1. Overview ......................................................................................................... 2 2. Requirements .................................................................................................... 3 3. Download and extract ......................................................................................... 3 4. Configuring the source ......................................................................................
    [Show full text]
  • DEFINICIÓN Un Antivirus
    ANTIVIRUS DEFINICIÓN Un antivirus es un programa de computadora cuyo propósito es combatir y erradicar los virus informáticos. Para que el antivirus sea productivo y efectivo hay que configurarlo cuidadosamente de tal forma que aprovechemos todas las cualidades que ellos poseen. Hay que saber cuales son sus fortalezas y debilidades y tenerlas en cuenta a la hora de enfrentar a los virus. Un antivirus es una solución para minimizar los riesgos y nunca será una solución definitiva, lo principal es mantenerlo actualizado. Para mantener el sistema estable y seguro el antivirus debe estar siempre actualizado, tomando siempre medidas preventivas y correctivas y estar constantemente leyendo sobre los virus y nuevas tecnologías. ¿CÓMO FUNCIONA? Básicamente, un antivirus compara el código de cada archivo con una base de datos de los códigos (también conocidos como firmas o vacunas) de los virus conocidos, por lo que es importante actualizarla periódicamente a fin de evitar que un virus nuevo no sea detectado. También se les ha agregado funciones avanzadas, como la búsqueda de comportamientos típicos de virus (técnica conocida como Heurística) o la verificación contra virus en redes de computadores. Normalmente un antivirus tiene un componente que se carga en memoria y permanece en ella para verificar todos los archivos abiertos, creados, modificados y ejecutados en tiempo real. Es muy común que tengan componentes que revisen los adjuntos de los correos electrónicos salientes y entrantes, así como los scripts y programas que pueden ejecutarse en un navegador web (ActiveX, Java, JavaScript). ALGUNOS ANTIVIRUS 1 CLAM ANTIVIRUS Comodo AntiVirus FProt Antivirus FSecure AntiVirus ZoneAlarm Antivirus ANTIVIRUS HEURISTICOS Los heurísticos analizan el código de cada archivo con métodos genéricos y detectan virus nuevos que todavía no se han incluido en la base de datos de virus del programa antivirus.
    [Show full text]
  • Cloaker: Hardware Supported Rootkit Concealment
    Cloaker: Hardware Supported Rootkit Concealment Francis M. David, Ellick M. Chan, Jeffrey C. Carlyle, Roy H. Campbell Department of Computer Science University of Illinois at Urbana-Champaign 201 N Goodwin Ave, Urbana, IL 61801 {fdavid,emchan,jcarlyle,rhc}@uiuc.edu Abstract signers resorted to more complex techniques such as modi- fying boot sectors [33, 51] and manipulating the in-memory Rootkits are used by malicious attackers who desire to image of the kernel. These rootkits are susceptible to de- run software on a compromised machine without being de- tection by tools that check kernel code and data for alter- tected. They have become stealthier over the years as a ation [43, 13, 42, 21]. Rootkits that modify the system consequence of the ongoing struggle between attackers and BIOS or device firmware [25, 26] can also be detected by system defenders. In order to explore the next step in rootkit integrity checking tools. More recently, virtualization tech- evolution and to build strong defenses, we look at this issue nology has been studied as yet another means to conceal from the point of view of an attacker. We construct Cloaker, rootkits [31, 44]. These rootkits remain hidden by running a proof-of-concept rootkit for the ARM platform that is non- the host OS in a virtual machine environment. To counter persistent and only relies on hardware state modifications the threat from these Virtual Machine Based Rootkits (VM- for concealment and operation. A primary goal in the de- BRs), researchers have detailed approaches to detect if code sign of Cloaker is to not alter any part of the host oper- is executing inside a virtual machine [20].
    [Show full text]
  • Q3 Consumer Endpoint Protection Jul-Sep 2020
    HOME ANTI- MALWARE PROTECTION JUL - SEP 2020 selabs.uk [email protected] @SELabsUK www.facebook.com/selabsuk blog.selabs.uk SE Labs tested a variety of anti-malware (aka ‘anti-virus’; aka ‘endpoint security’) products from a range of well-known vendors in an effort to judge which were the most effective. Each product was exposed to the same threats, which were a mixture of targeted attacks using well-established techniques and public email and web-based threats that were found to be live on the internet at the time of the test. The results indicate how effectively the products were at detecting and/or protecting against those threats in real time. 2 Home Anti-Malware Protection July - September 2020 MANAGEMENT Chief Executive Officer Simon Edwards CONTENTS Chief Operations Officer Marc Briggs Chief Human Resources Officer Magdalena Jurenko Chief Technical Officer Stefan Dumitrascu Introduction 04 TEstING TEAM Executive Summary 05 Nikki Albesa Zaynab Bawa 1. Total Accuracy Ratings 06 Thomas Bean Solandra Brewster Home Anti-Malware Protection Awards 07 Liam Fisher Gia Gorbold Joseph Pike 2. Threat Responses 08 Dave Togneri Jake Warren 3. Protection Ratings 10 Stephen Withey 4. Protection Scores 12 IT SUPPORT Danny King-Smith 5. Protection Details 13 Chris Short 6. Legitimate Software Ratings 14 PUBLICatION Sara Claridge 6.1 Interaction Ratings 15 Colin Mackleworth 6.2 Prevalence Ratings 16 Website selabs.uk Twitter @SELabsUK 6.3 Accuracy Ratings 16 Email [email protected] Facebook www.facebook.com/selabsuk 6.4 Distribution of Impact Categories 17 Blog blog.selabs.uk Phone +44 (0)203 875 5000 7.
    [Show full text]
  • Consumer Security Products Performance Benchmarks (Edition 2) Antivirus & Internet Security Windows 10
    Consumer Security Products Performance Benchmarks (Edition 2) Antivirus & Internet Security Windows 10 January 2020 Document: Consumer Security Products Performance Benchmarks (Edition 2) Authors: J. Han, D. Wren Company: PassMark Software Date: 13 January 2020 Edition: 2 File: Consumer_Security_Products_Performance_Benchmarks_2020_Ed_2.docx Consumer Security Performance Benchmarks 2019 PassMark Software Table of Contents TABLE OF CONTENTS ......................................................................................................................................... 2 REVISION HISTORY ............................................................................................................................................ 3 REFERENCES ...................................................................................................................................................... 3 EXECUTIVE SUMMARY ...................................................................................................................................... 4 OVERALL SCORE ................................................................................................................................................ 5 PRODUCTS AND VERSIONS ............................................................................................................................... 6 PERFORMANCE METRICS SUMMARY ................................................................................................................ 7 TEST RESULTS ................................................................................................................................................
    [Show full text]
  • A Brief Study and Comparison Of, Open Source Intrusion Detection System Tools
    International Journal of Advanced Computational Engineering and Networking, ISSN: 2320-2106, Volume-1, Issue-10, Dec-2013 A BRIEF STUDY AND COMPARISON OF, OPEN SOURCE INTRUSION DETECTION SYSTEM TOOLS 1SURYA BHAGAVAN AMBATI, 2DEEPTI VIDYARTHI 1,2Defence Institute of Advanced Technology (DU) Pune –411025 Email: [email protected], [email protected] Abstract - As the world becomes more connected to the cyber world, attackers and hackers are becoming increasingly sophisticated to penetrate computer systems and networks. Intrusion Detection System (IDS) plays a vital role in defending a network against intrusion. Many commercial IDSs are available in marketplace but with high cost. At the same time open source IDSs are also available with continuous support and upgradation from large user community. Each of these IDSs adopts a different approaches thus may target different applications. This paper provides a quick review of six Open Source IDS tools so that one can choose the appropriate Open Source IDS tool as per their organization requirements. Keywords - Intrusion Detection, Open Source IDS, Network Securit, HIDS, NIDS. I. INTRODUCTION concentrate on the activities in a host without considering the activities in the computer networks. Every day, intruders are invading countless homes On the other hand, NIDS put its focus on computer and organisations across the country via virus, networks without examining the hosts’ activities. worms, Trojans, DoS/DDoS attacks by inserting bits Intrusion Detection methodologies can be classified of malicious code. Intrusion detection system tools as Signature based detection, Anomaly based helps in protecting computer and network from a detection and Stateful Protocol analysis based numerous threats and attacks.
    [Show full text]
  • Clam Antivirus: Open-Source Virus Protection
    Clam Antivirus: Open-Source Virus protection Michaël Van Canneyt March 16, 2014 Abstract Protecting your precious PC against email and other viruses doesn’t have to cost a lot of money: Clam Antivrus is an open source virus scanner which can be installed on Unix machines (suitable for integration in mail server’s MTAs) but which also has a Windows version for those that are not fortunate enough have a Unix at hand. Introducing Clam Antivirus Clam Antivirus is an open-source implementation of a virus scanner which does 1 thing only: it scans a file for known viruses. The virus scanner consists of 2 parts: One is the actual scanner, clamscan: It scans a file to see whether it is infected with a known virus. It reports on the found viruses. The known viruses are kept in a database file. The second part (freshclam) serves to keep this database up-to-date: new viruses are born every day, and existing viruses mutate to more dangerous forms regularly, it is therefore of the utmost importance to keep the database with virus definitions up-to-date. The freshclam program should be run on a regular basis, for instance in a cron job on Unix. The Unix version features also a client/server model: The scanner runs as a daemon. The clamscan program then sends the file to be scanned to the daemon, for inpection. This reduces startup time and system load, which is quite important on servers than run a heavy- load MTA service. On Windows, a small GUI frontend exists which allows to perform and schedule scans, and to perform and schedule the virus database update.
    [Show full text]
  • Linux Security Review 2015
    Linux Security Review 2015 www.av-comparatives.org AV-Comparatives Linux Security Review Language: English May 2015 Last revision: 26 th May 2015 www.av-comparatives.org -1- Linux Security Review 2015 www.av-comparatives.org Contents Introduction ....................................................................................................................... 3 Reviewed products ............................................................................................................... 4 Malware for Linux systems ..................................................................................................... 5 Linux security advice ............................................................................................................ 6 Items covered in the review .................................................................................................. 7 Avast File Server Security ...................................................................................................... 8 AVG Free Edition for Linux.................................................................................................... 11 Bitdefender Antivirus Scanner for Unices ................................................................................ 13 Clam Antivirus for Linux ....................................................................................................... 17 Comodo Antivirus for Linux .................................................................................................. 20 Dr.Web Anti-virus for
    [Show full text]
  • The Forseti Distributed File Integrity Checker
    Cluster Security with NVisionCC: The Forseti Distributed File Integrity Checker Adam J. Lee†‡, Gregory A. Koenig†‡, and William Yurcik† †National Center for Supercomputing Applications ‡Department of Computer Science University of Illinois at Urbana-Champaign {adamlee, koenig, byurcik}@ncsa.uiuc.edu Abstract for a number of malicious actions. In many cases, the password used to log into a single node can be used Attackers who are able to compromise a single node to access a large number of nodes in the system, al- in a high performance computing cluster can use that lowing the attacker to utilize the vast computing and node as a launch point for a number of malicious ac- storage capabilities of the compromised cluster to carry tions. In many cases, the password used to log into out brute-force password cracking, launch distributed a single node can be used to access a large number of denial of service attacks, or serve illegal digital content. nodes in the system, allowing the attacker to utilize the Additionally, an attacker can listen to network traffic vast computing and storage capabilities of the compro- for other users to log into their compromised nodes in mised cluster to sniff network traffic, carry out brute- hopes of learning passwords for other accounts on these force password cracking, launch distributed denial of systems. service attacks, or serve illegal digital content. Often, The recent rise in popularity of grid computing has these types of attackers modify important system files exacerbated this problem by increasing the amount to collect passwords to other accounts, disable certain of damage that can be caused with a single compro- logging facilities, or create back-doors into the system.
    [Show full text]