Discover and tame long-running idling processes in enterprise systems

Jun Wang, Zhiyun Qian, Zhichun Li, Zhenyu Wu, Junghwan Rhee, Xia Ning, Peng Liu, Guofei Jiang

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

2 Scopus citations

Abstract

Reducing attack surface is an effective preventive measure to strengthen security in large systems. However, it is challenging to apply this idea in an enterprise environment where systems are complex and evolve over time. In this paper, we empirically analyze and measure a real enterprise to identify unused services that expose attack surface. Interestingly, such unused services are known to exist and are summarized in security best practices, yet those solutions require significant manual effort. We propose an automated approach to accurately detect the idling (most likely unused) services that are in either blocked or bookkeeping states. The idea is to identify repeating events with perfect time alignment, which is the indication of being idle. We implement this idea by developing a novel statistical algorithm based on autocorrelation with time information incorporated. From our measurement results, we find that 88.5% of the detected idling services can be constrained with a simple syscall-based policy, which confines the process behaviors within its bookkeeping states. In addition, working with two IT departments (one of which serves as a cross validation), we received positive feedback showing that about 30.6% of such services can be safely disabled or uninstalled directly. In the future, the IT department plans to incorporate the results to build a "smaller" OS installation image. Finally, we believe our measurement results raise awareness of the potential security risks of idling services.
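The abstract describes the detection idea only at a high level: an idling process repeats the same bookkeeping events with perfect time alignment, and an autocorrelation over the event timeline exposes that repetition. The following is an added illustration written for this page, not the paper's algorithm or code: it bins event timestamps into fixed-width time slots, computes the sample autocorrelation at every lag, and flags the process as idling when the strongest lag correlates almost perfectly. The sample timestamps, the 1 s bin width and the 0.9 threshold are constructed assumptions.

```python
"""Periodicity check on process event timestamps via autocorrelation.

Constructed illustration of the idea in the abstract: a process that is
idling in a bookkeeping loop (e.g. a timer-driven poll) emits the same
events at perfectly aligned intervals, so a time-binned event series has
a strong autocorrelation peak at the lag equal to its period. This is a
hypothetical simplification written for this page, not the paper's
algorithm; all names, thresholds and sample timestamps are assumptions.
"""
from typing import Dict, List, Sequence, Tuple

# Constructed sample data (seconds since trace start), not from the paper.
# IDLE_EVENTS: a bookkeeping poll firing every 5 s for one minute.
IDLE_EVENTS: List[float] = [5.0 * i + 0.2 for i in range(13)]
# ACTIVE_EVENTS: irregular, work-driven activity with no aligned repeats.
ACTIVE_EVENTS: List[float] = [0.2, 1.4, 3.1, 7.6, 12.3, 20.9,
                              30.5, 39.0, 49.7, 56.2, 60.4]


def bin_events(timestamps: Sequence[float], bin_size: float) -> List[int]:
    """Count events per fixed-width time bin, from t=0 up to the last event."""
    n = int(max(timestamps) // bin_size) + 1
    series = [0] * n
    for t in timestamps:
        series[int(t // bin_size)] += 1
    return series


def autocorrelation(series: Sequence[int], lag: int) -> float:
    """Sample autocorrelation of the binned series at one lag, in [-1, 1]."""
    n = len(series)
    mean = sum(series) / n
    var = sum((x - mean) ** 2 for x in series)
    if var == 0.0 or lag >= n:
        # A constant series (or a lag beyond the trace) carries no periodicity.
        return 0.0
    cov = sum((series[i] - mean) * (series[i + lag] - mean) for i in range(n - lag))
    return cov / var


def dominant_period(series: Sequence[int], max_lag: int) -> Tuple[int, float]:
    """Return the lag (in bins) with the strongest autocorrelation in 1..max_lag."""
    best_lag, best_r = 0, -1.0
    for lag in range(1, max_lag + 1):
        r = autocorrelation(series, lag)
        if r > best_r:
            best_lag, best_r = lag, r
    return best_lag, best_r


def classify(timestamps: Sequence[float], bin_size: float = 1.0,
             threshold: float = 0.9) -> Dict[str, object]:
    """Flag a process as idling if its events repeat with near-perfect alignment.

    Returns the decision, the detected period in seconds and the peak score.
    """
    series = bin_events(timestamps, bin_size)
    lag, r = dominant_period(series, max_lag=len(series) // 2)
    return {"idling": r >= threshold, "period_s": lag * bin_size, "score": r}


if __name__ == "__main__":
    for name, events in (("idle poll", IDLE_EVENTS), ("active worker", ACTIVE_EVENTS)):
        print(name, classify(events))
```

On the constructed data the 5 s poll peaks at lag 5 with a score above 0.9 and is flagged as idling, while the irregular trace never exceeds 0.5 at any lag. A production version would have to tolerate timer jitter (wider bins or a tolerance window), separate event types (one series per syscall or file descriptor), and observe long enough to cover slow periods; the paper's own statistical treatment is not reproduced here.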

Original language: English (US)
Title of host publication: ASIACCS 2015 - Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 543-554
Number of pages: 12
ISBN (Electronic): 9781450332453
DOIs
State: Published - Apr 14 2015
Event: 10th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2015 - Singapore, Singapore
Duration: Apr 14 2015 - Apr 17 2015

Publication series

Name: ASIACCS 2015 - Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security

Other

Other: 10th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2015
Country/Territory: Singapore
City: Singapore
Period: 4/14/15 - 4/17/15

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications
  • Computer Science Applications
