TY - GEN
T1 - Discover and tame long-running idling processes in enterprise systems
AU - Wang, Jun
AU - Qian, Zhiyun
AU - Li, Zhichun
AU - Wu, Zhenyu
AU - Rhee, Junghwan
AU - Ning, Xia
AU - Liu, Peng
AU - Jiang, Guofei
N1 - Publisher Copyright:
Copyright © 2015 ACM.
PY - 2015/4/14
Y1 - 2015/4/14
N2 - Reducing attack surface is an effective preventive measure to strengthen security in large systems. However, it is challenging to apply this idea in an enterprise environment where systems are complex and evolve over time. In this paper, we empirically analyze and measure a real enterprise to identify unused services that expose attack surface. Interestingly, such unused services are known to exist and are summarized by security best practices, yet such solutions require significant manual effort. We propose an automated approach to accurately detect the idling (most likely unused) services that are in either blocked or bookkeeping states. The idea is to identify repeating events with perfect time alignment, which is the indication of idling. We implement this idea by developing a novel statistical algorithm based on autocorrelation with time information incorporated. From our measurement results, we find that 88.5% of the detected idling services can be constrained with a simple syscall-based policy, which confines the process behaviors within its bookkeeping states. In addition, working with two IT departments (one of which serves as a cross validation), we receive positive feedback which shows that about 30.6% of such services can be safely disabled or uninstalled directly. In the future, the IT department plans to incorporate the results to build a "smaller" OS installation image. Finally, we believe our measurement results raise awareness of the potential security risks of idling services.
UR - http://www.scopus.com/inward/record.url?scp=84942525152&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84942525152&partnerID=8YFLogxK
U2 - 10.1145/2714576.2714613
DO - 10.1145/2714576.2714613
M3 - Conference contribution
AN - SCOPUS:84942525152
T3 - ASIACCS 2015 - Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security
SP - 543
EP - 554
BT - ASIACCS 2015 - Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security
PB - Association for Computing Machinery
T2 - 10th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2015
Y2 - 14 April 2015 through 17 April 2015
ER -