Discover and tame long-running idling processes in enterprise systems

Jun Wang, Zhiyun Qian, Zhichun Li, Zhenyu Wu, Junghwan Rhee, Xia Ning, Peng Liu, Guofei Jiang

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

2 Citations (Scopus)

Abstract

Reducing attack surface is an effective preventive measure to strengthen security in large systems. However, it is challenging to apply this idea in an enterprise environment where systems are complex and evolving over time. In this paper, we empirically analyze and measure a real enterprise to identify unused services that expose attack surface. Interestingly, such unused services are known to exist and summarized by security best practices, yet such solutions require significant manual effort. We propose an automated approach to accurately detect the idling (most likely unused) services that are in either blocked or bookkeeping states. The idea is to identify repeating events with perfect time alignment, which is the indication of being idling. We implement this idea by developing a novel statistical algorithm based on autocorrelation with time information incorporated. From our measurement results, we find that 88.5% of the detected idling services can be constrained with a simple syscall-based policy, which confines the process behaviors within its bookkeeping states. In addition, working with two IT departments (one of which is a cross validation), we receive positive feedback which shows that about 30.6% of such services can be safely disabled or uninstalled directly. In the future, the IT department plans to incorporate the results to build a "smaller" OS installation image. Finally, we believe our measurement results raise awareness of the potential security risks of idling services.

Original language: English (US)
Title of host publication: ASIACCS 2015 - Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security
Publisher: Association for Computing Machinery, Inc
Pages: 543-554
Number of pages: 12
ISBN (Electronic): 9781450332453
DOI: 10.1145/2714576.2714613
State: Published - Apr 14 2015
Event: 10th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2015 - Singapore, Singapore
Duration: Apr 14 2015 - Apr 17 2015

Publication series

Name: ASIACCS 2015 - Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security

Event

Other: 10th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2015
Country: Singapore
City: Singapore
Period: 4/14/15 - 4/17/15


All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications
  • Computer Science Applications

Cite this

Wang, J., Qian, Z., Li, Z., Wu, Z., Rhee, J., Ning, X., ... Jiang, G. (2015). Discover and tame long-running idling processes in enterprise systems. In ASIACCS 2015 - Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security (pp. 543-554). (ASIACCS 2015 - Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security). Association for Computing Machinery, Inc. https://doi.org/10.1145/2714576.2714613
@inproceedings{272e074cc5614005afb308d9abdb88d4,
title = "Discover and tame long-running idling processes in enterprise systems",
abstract = "Reducing attack surface is an effective preventive measure to strengthen security in large systems. However, it is challenging to apply this idea in an enterprise environment where systems are complex and evolving over time. In this paper, we empirically analyze and measure a real enterprise to identify unused services that expose attack surface. Interestingly, such unused services are known to exist and summarized by security best practices, yet such solutions require significant manual effort. We propose an automated approach to accurately detect the idling (most likely unused) services that are in either blocked or bookkeeping states. The idea is to identify repeating events with perfect time alignment, which is the indication of being idling. We implement this idea by developing a novel statistical algorithm based on autocorrelation with time information incorporated. From our measurement results, we find that 88.5{\%} of the detected idling services can be constrained with a simple syscall-based policy, which confines the process behaviors within its bookkeeping states. In addition, working with two IT departments (one of which is a cross validation), we receive positive feedback which shows that about 30.6{\%} of such services can be safely disabled or uninstalled directly. In the future, the IT department plans to incorporate the results to build a {"}smaller{"} OS installation image. Finally, we believe our measurement results raise awareness of the potential security risks of idling services.",
author = "Jun Wang and Zhiyun Qian and Zhichun Li and Zhenyu Wu and Junghwan Rhee and Xia Ning and Peng Liu and Guofei Jiang",
year = "2015",
month = "4",
day = "14",
doi = "10.1145/2714576.2714613",
language = "English (US)",
series = "ASIACCS 2015 - Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security",
publisher = "Association for Computing Machinery, Inc",
pages = "543--554",
booktitle = "ASIACCS 2015 - Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security",

}


TY - GEN

T1 - Discover and tame long-running idling processes in enterprise systems

AU - Wang, Jun

AU - Qian, Zhiyun

AU - Li, Zhichun

AU - Wu, Zhenyu

AU - Rhee, Junghwan

AU - Ning, Xia

AU - Liu, Peng

AU - Jiang, Guofei

PY - 2015/4/14

Y1 - 2015/4/14

N2 - Reducing attack surface is an effective preventive measure to strengthen security in large systems. However, it is challenging to apply this idea in an enterprise environment where systems are complex and evolving over time. In this paper, we empirically analyze and measure a real enterprise to identify unused services that expose attack surface. Interestingly, such unused services are known to exist and summarized by security best practices, yet such solutions require significant manual effort. We propose an automated approach to accurately detect the idling (most likely unused) services that are in either blocked or bookkeeping states. The idea is to identify repeating events with perfect time alignment, which is the indication of being idling. We implement this idea by developing a novel statistical algorithm based on autocorrelation with time information incorporated. From our measurement results, we find that 88.5% of the detected idling services can be constrained with a simple syscall-based policy, which confines the process behaviors within its bookkeeping states. In addition, working with two IT departments (one of which is a cross validation), we receive positive feedback which shows that about 30.6% of such services can be safely disabled or uninstalled directly. In the future, the IT department plans to incorporate the results to build a "smaller" OS installation image. Finally, we believe our measurement results raise awareness of the potential security risks of idling services.

AB - Reducing attack surface is an effective preventive measure to strengthen security in large systems. However, it is challenging to apply this idea in an enterprise environment where systems are complex and evolving over time. In this paper, we empirically analyze and measure a real enterprise to identify unused services that expose attack surface. Interestingly, such unused services are known to exist and summarized by security best practices, yet such solutions require significant manual effort. We propose an automated approach to accurately detect the idling (most likely unused) services that are in either blocked or bookkeeping states. The idea is to identify repeating events with perfect time alignment, which is the indication of being idling. We implement this idea by developing a novel statistical algorithm based on autocorrelation with time information incorporated. From our measurement results, we find that 88.5% of the detected idling services can be constrained with a simple syscall-based policy, which confines the process behaviors within its bookkeeping states. In addition, working with two IT departments (one of which is a cross validation), we receive positive feedback which shows that about 30.6% of such services can be safely disabled or uninstalled directly. In the future, the IT department plans to incorporate the results to build a "smaller" OS installation image. Finally, we believe our measurement results raise awareness of the potential security risks of idling services.

UR - http://www.scopus.com/inward/record.url?scp=84942525152&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84942525152&partnerID=8YFLogxK

U2 - 10.1145/2714576.2714613

DO - 10.1145/2714576.2714613

M3 - Conference contribution

T3 - ASIACCS 2015 - Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security

SP - 543

EP - 554

BT - ASIACCS 2015 - Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security

PB - Association for Computing Machinery, Inc

ER -
