Discover and Tame Long-Running Idling Processes in Enterprise Systems

Discover and Tame Long-Running Idling Processes in Enterprise Systems

Discover and Tame Long-running Idling Processes in Enterprise Systems Jun Wang1, Zhiyun Qain2, Zhichun Li3, Zhenyu Wu3, Junghwan Rhee3, Xia Ning4, Peng Liu1, Guofei Jiang3 1Penn State University, 2University of California, Riverside, 3NEC Labs America, Inc. 4IUPUI 1{jow5222, pliu}@ist.psu.edu, [email protected], 3{zhichun, adamwu, rhee, gfj}@nec-labs.com, [email protected] ABSTRACT day's enterprise systems are so complex that it is hard to un- Reducing attack surface is an effective preventive measure to derstand which program/process can be the weakest links. strengthen security in large systems. However, it is challeng- Many security breaches start with the compromise of pro- ing to apply this idea in an enterprise environment where cesses running on an inconspicuous workstation. Therefore, systems are complex and evolving over time. In this pa- it is beneficial to turn off unused services to reduce their cor- per, we empirically analyze and measure a real enterprise to responding attack surface. Anecdotally, many security best identify unused services that expose attack surface. Inter- practice guidelines [12,9] suggest system administrators to estingly, such unused services are known to exist and sum- reduce attack surface by disabling unused services. How- marized by security best practices, yet such solutions require ever, such knowledge needs to be constantly updated and it significant manual effort. is unfortunate that no formal approach has been studied to We propose an automated approach to accurately detect automatically identify such services. the idling (most likely unused) services that are in either Prior research has mostly focused on the line of anomaly blocked or bookkeeping states. The idea is to identify re- detection to learn the normal behavior of processes and peating events with perfect time alignment, which is the then constrain them, e.g., by limiting accessible IP/port indication of being idling. We implement this idea by devel- ranges [32, 31, 33] or the system calls that are allowed to oping a novel statistical algorithm based on autocorrelation be made [20, 29, 22, 18]. with time information incorporated. From our measurement While such approaches may detect abnormal behaviors of results, we find that 88.5% of the detected idling services can a process (e.g., possibly attacks), they belong to reactive be constrained with a simple syscall-based policy, which con- approaches rather than preventive ones. Obviously, reduc- fines the process behaviors within its bookkeeping states. In ing attack surface is a preventive measure that complements addition, working with two IT departments (one of which is anomaly detection. The strong semantic of idling services a cross validation), we receive positive feedbacks which show enables more specific treatments (e.g., disable or even unin- that about 30.6% of such services can be safely disabled or stall them) as opposed to the general treatments to anoma- uninstalled directly. In the future, the IT department plan lies, e.g., raising a security alert. Unfortunately, the frequent to incorporate the results to build a\smaller"OS installation false alerts in anomaly detection make it rarely deployed in image. Finally, we believe our measurement results raise the practice. Identifying idling services, on the other hand, rep- awareness of the potential security risks of idling services. resent a much more cost effective solution where each service only needs to be examined mostly once (e.g., to determine Categories and Subject Descriptors if it can be safely uninstalled). Once a positive decision is made, it completely eliminates the entire attack surface of a K.6 [Management of computing and information sys- process before an attack could ever happen. Unfortunately, tems]: Security and Protection due to lack of formal methods, in state-of-the-art practice, Keywords system administrators today could only depend on practical wisdoms from Internet forums [10], and their own experi- Idling service detection; Attack surface reduction; Enter- ence. prise systems; Autocorrelation One might argue that system administrators or end-users should setup their servers and desktop machines to only run 1. INTRODUCTION useful services and applications in the first place. However, Managing the security of enterprise systems is always a in practice, this is a daunting task. The modern OS vendors challenging task, because the overall security of the entire tend to stuff more and more functionalities into their dis- enterprise is usually determined by the weakest link and to- tributions, and provide a \one size fits all" system. Thus, many services might not be useful for a particular user. Even worse, today's enterprises typically run a variety of Permission to make digital or hard copies of all or part of this work for personal or OS distributions. As a result, it is not easy for system ad- classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full cita- ministrators to keep up with the purpose of each and every tion on the first page. Copyrights for components of this work owned by others than service. Furthermore, systems keep evolving and users' de- ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re- mands keep changing. Given the complex dependencies in- publish, to post on servers or to redistribute to lists, requires prior specific permission side enterprise, people tend to keep things as they are. Such and/or a fee. Request permissions from [email protected]. practice, therefore, negligibly leaves numerous idling services ASIA CCS’15, April 14–17, 2015, Singapore.. running, and thus exposes unnecessary attack surface. Copyright c 2015 ACM 978-1-4503-3245-3/15/04 ...$15.00. http://dx.doi.org/10.1145/2714576.2714613. In this paper, we propose an automated method to de- 100 tect \idle/idling" services and also provide ways to reduce or 90 80 minimize their attack surface. An idling service is a service 70 Ubuntu desktop 64bit 60 Red Hat server 6.x 64bit that does not serve real workload, but rather running in a 50 Ubuntu server 64bit 40 blocked or bookkeeping state. A simple example is that a 30 20 long-running service may listen on a certain port, while in 2009 2010 2011 2012 2013 reality no one has connected, or will connect to it. This default running processes versions over time service thus should be disabled to eliminate possible remote Figure 1: The number of default running processes exploits. In our study, we find 25% of long-running processes are idling services. a two-week evaluation, indicating that they are contin- In general, there are two types of idling services. The first uing to be idling. type is easy to detect { the service process is completely dormant, blocked waiting for events that would never ar- 2. MOTIVATION AND OVERVIEW rive. For the second type, the service processes regularly Our motivation comes from the following observations: wake up from blocked state and perform some \bookkeep- 1) Today's computer systems are equipped with an in- ing" tasks { simple operations not relevant to the service creasing number of functionalities (and thus also the attack they provide. The second type is more difficult to identify, surface) with newly developed technologies, perhaps much since the bookkeeping operations could make these processes more than necessary for everyday use. appear as active and truly performing services. In order to 2) Systems are constantly evolving; more applications or address the problem of identifying both types of idling ser- features are installed (or updated) over time but they are vices, we propose LIPdetect (Long-running Idling Process), left there even when no longer needed. an effective algorithm that is able to differentiate\bookkeep- 3) What makes the problem worse, in the Linux world, ing" activities from the ones resulted from real workload. there are a large number of different OS distributions which While LIPdetect could identify and report idling services to make the IT systems largely heterogeneous and fragmented. system administrators, working with IT department of our As a result, it is highly non-trivial to control or even un- company we find in some cases the system administrators derstand all the systems precisely, let alone knowing whether are not 100% sure whether certain services can be disabled a process is actually performing useful work or simply\idling". without negative consequences. It is therefore desirable to According to the IT department in our enterprise, they in- keep those services running while still reducing their attack deed do not keep track of what Linux distributions or ap- surface. In such cases, we fall back to the traditional wisdom plications are installed, the reason being that they do not to constrain the runtime behavior of a process. To this end, want to get in the way of users doing what they want to do. we design a simple tool named procZip that constrains the idling service's execution to previous known states. Com- 2.1 Measurement Study bining idling service detection (LIPdetect) and automated To understand to what extent each observation is true, process constraining (procZip), our system is therefore called we conduct the following measurements based on two data LIPzip. sources. First, we look into the historical Linux distributions We evaluate the results of idling service detection, and of Ubuntu and Red Hat from public images that are available perform a measurement study in an enterprise with both on the Amazon EC2 service. Second, we collect information desktop and server machines to show how much attack sur- about 67 hosts in a real enterprise. face can be possibly reduced. Meanwhile, we work with the Default long-running processes. We look into the IT department personnels to confirm our results.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    12 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us