Discover and Tame Long-running Idling Processes in Enterprise Systems Jun Wang1, Zhiyun Qain2, Zhichun Li3, Zhenyu Wu3, Junghwan Rhee3, Xia Ning4, Peng Liu1, Guofei Jiang3 1Penn State University, 2University of California, Riverside, 3NEC Labs America, Inc. 4IUPUI 1{jow5222, pliu}@ist.psu.edu,
[email protected], 3{zhichun, adamwu, rhee, gfj}@nec-labs.com,
[email protected] ABSTRACT day's enterprise systems are so complex that it is hard to un- Reducing attack surface is an effective preventive measure to derstand which program/process can be the weakest links. strengthen security in large systems. However, it is challeng- Many security breaches start with the compromise of pro- ing to apply this idea in an enterprise environment where cesses running on an inconspicuous workstation. Therefore, systems are complex and evolving over time. In this pa- it is beneficial to turn off unused services to reduce their cor- per, we empirically analyze and measure a real enterprise to responding attack surface. Anecdotally, many security best identify unused services that expose attack surface. Inter- practice guidelines [12,9] suggest system administrators to estingly, such unused services are known to exist and sum- reduce attack surface by disabling unused services. How- marized by security best practices, yet such solutions require ever, such knowledge needs to be constantly updated and it significant manual effort. is unfortunate that no formal approach has been studied to We propose an automated approach to accurately detect automatically identify such services. the idling (most likely unused) services that are in either Prior research has mostly focused on the line of anomaly blocked or bookkeeping states.