10/19/2010
[Slide 1] Mitigating Cyber Attacks
Magnus Almgren, Göteborg, 2010-10-19
Postdoc, funded by MSB

20 years ago …
• Internet starting to reach a wider audience
  – most people did not have email
• computer security – an afterthought
• The typical hacker, often portrayed as
  – a teenager
  – attack: a "chess game"
  – goal: some esoteric fame …
• And today?
SVT Documentary oct-10, 2010: Att hacka en stormakt (http://goo.gl/1Zrd)
[Slide 2] Outline
• Status today
• Monitoring traffic
• Research Activities
  – Reasoning with alerts from several sensors
  – Monitoring backbone traffic
• European network: SysSec
[Slides 3 and 4] (figure: sectors that depend on computer systems: Health care, Transportation, Financial)
[Slide 5] Malicious Code
• Many users say: I would never download unsecure content!
• But what type of content is safe?
Targeted attacks
• 48% of exploits target Adobe Acrobat / Adobe Reader
• Adobe begins a quarterly patch cycle
• Health Check statistics show that Adobe Reader is among the top unsecured applications
[Slide 6] Dangerous People (!!!)
• Cameron Diaz Searches Yield Ten Percent Chance of Landing on a Malicious Site
http://home.mcafee.com/AdviceCenter/most-dangerous-celebrities
[Slide 7] (figure; sources:)
http://doi.ieeecomputersociety.org/10.1109/MC.2010.237
http://www.zdnetasia.com/malware-link-to-air-crash-inconclusive-62202513.htm
[Slide 9] New Era 2010: Stuxnet
• Advanced Malware
  – specifically targets Programmable Logic Controllers: Siemens SIMATIC Step 7 software
  – Lots of rumors about its goal and about who the creators are
    • designed and released by a government – the U.S. or Israel ???
  – Target: Bushehr nuclear power plant in Iran (60% of infected hosts in Iran)
Symantec oct-2010: W32.Stuxnet Dossier (http://goo.gl/pP7S)
[Slide 10] Stuxnet: Pandora's box?
– Stuxnet is advanced and one of the first in-the-wild malware samples targeting PLCs.
  • 6 to 8 people, about 6 months to create.
– PLCs exist in many industries
  • factory assembly lines, amusement rides, or lighting fixtures.
– now a blueprint to create malware targeting PLCs
• Compare this with the Loveletter virus (2000)
  – 2003/11 there existed 82 different variants of Loveletter.
  – It is claimed that more than 5,000 attacks are carried out every day.
Outline (recap): Status today; Monitoring traffic: Intrusion Detection Systems; Research Activities
[Slides 11 to 14] (figure sequence: an anomaly-based intrusion detection illustration. A profile of "Normal behavior" is plotted as a count ("Number") per sector (Health care, Transportation, Financial); an observation that departs from the profile is labelled "???????? This is an 'Attack.'" A panel of letter variants (A, Ѧ, B, ℬ, β, fl, ʙ) is labelled "A" and "B". Slide 14 shows the possible verdicts "? No Attack / Attack / Attack" and recaps the outline: Status today; Monitoring traffic; Research Activities: 1. Reasoning with alerts from several sensors, 2. Monitoring backbone traffic.)
[Slide 15] Scenario multiple sensors (1) and (2)
(figure: Bayesian network over two sensors, Snort and webIDS; node labels as read from the figure: r, A1, A2, w1, w2, a1, a2, inv-A; scenario (2) adds an "encrypted request")
• Scenario (1): Normal phf access (no attack)
  – P(inv-A | …) = 0.20 = don't investigate
• Scenario (2): Normal phf access (no attack); valid?
  – P(inv-A | …) = 0.20 = don't investigate
[Slide 16] Scenario multiple sensors (3)
(figure: the same Bayesian network; sensors Snort and webIDS; node labels r, A1, A2, w1, w2, a1, a2, inv-A)
• Normal phf access (no attack)
  – P(inv-A | …) = 0.20 = don't investigate
• Snort sensor defunct, this may be an attack!
  – P(inv-A | …) = 0.54 = investigate (key feature!)
  – P(w1 | …) = 0.01 = sensor broken

Analysis of malicious backbone traffic
• Looking for attacks on a backbone network
  – 10 Gbps (=fast!)
  – Problems:
    • speed of network link
    • amount of data
    • routing
    • user privacy – anonymize data
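The multi-sensor scenarios above rest on one idea: a missing alert is evidence, and the model should be able to explain it either as "no attack" or as "the sensor is broken". The block below is an added example, not the model or the code from the talk: a constructed toy Bayesian network with the same roles (attack A, sensor-working nodes w1/w2, alert nodes a1/a2 for Snort and webIDS). The conditional probabilities and the extra probe node t1 (a known-benign request that a working Snort is configured to flag) are assumptions made for this example, so its posteriors will not reproduce the 0.20 / 0.54 / 0.01 figures on the slides; it reproduces the qualitative behaviour, where Snort's silence lowers the attack belief while Snort is believed to work, and raises it again once Snort is believed broken.

```python
from itertools import product

# Added example: a constructed toy Bayesian network for reasoning about alerts
# from two sensors (Snort and webIDS), in the spirit of the scenarios above.
# Structure, probabilities and the probe node t1 are assumptions made for this
# example; they are not the model or the numbers from the talk.
#
# Binary variables (1 = true):
#   A  : the observed request is an attack
#   w1 : Snort is working            w2 : webIDS is working
#   a1 : Snort raised an alert       a2 : webIDS raised an alert
#   t1 : Snort alerted on a known-benign probe request that a working
#        Snort is configured to flag (constructed "health check" node)
VARS = ("A", "w1", "w2", "a1", "a2", "t1")

PRIOR_ATTACK = 0.10     # assumed base rate of attacks among observed requests
PRIOR_WORKING = 0.95    # assumed prior that a sensor is working
DETECT = 0.90           # P(alert | attack, sensor working)
FALSE_ALARM = 0.05      # P(alert | no attack, sensor working)
PROBE_HIT = 0.99        # P(probe flagged | Snort working)


def p_alert(alert, attack, working):
    """P(a_i = alert | A = attack, w_i = working); a broken sensor never alerts."""
    p_true = (DETECT if attack else FALSE_ALARM) if working else 0.0
    return p_true if alert else 1.0 - p_true


def p_probe(hit, working):
    """P(t1 = hit | w1 = working); a broken Snort never flags the probe."""
    p_true = PROBE_HIT if working else 0.0
    return p_true if hit else 1.0 - p_true


def joint(A, w1, w2, a1, a2, t1):
    """Full joint probability of one assignment to all six variables."""
    return ((PRIOR_ATTACK if A else 1.0 - PRIOR_ATTACK)
            * (PRIOR_WORKING if w1 else 1.0 - PRIOR_WORKING)
            * (PRIOR_WORKING if w2 else 1.0 - PRIOR_WORKING)
            * p_alert(a1, A, w1)
            * p_alert(a2, A, w2)
            * p_probe(t1, w1))


def posterior(query, evidence):
    """P(query = 1 | evidence) by enumerating the joint (fine for 6 variables)."""
    numerator = denominator = 0.0
    for values in product((0, 1), repeat=len(VARS)):
        world = dict(zip(VARS, values))
        if any(world[var] != val for var, val in evidence.items()):
            continue
        p = joint(**world)
        denominator += p
        if world[query]:
            numerator += p
    return numerator / denominator


def investigate(evidence, threshold=0.5):
    """Operator decision rule: investigate when P(attack | evidence) >= threshold."""
    return posterior("A", evidence) >= threshold


if __name__ == "__main__":
    scenarios = {
        "both sensors alert":                        {"a1": 1, "a2": 1},
        "webIDS alerts, Snort silent, probe ok":     {"a1": 0, "a2": 1, "t1": 1},
        "webIDS alerts, Snort silent, probe missed": {"a1": 0, "a2": 1, "t1": 0},
    }
    for name, ev in scenarios.items():
        print(f"{name}: P(A|e)={posterior('A', ev):.2f} "
              f"P(w1|e)={posterior('w1', ev):.2f} investigate={investigate(ev)}")
```

With these assumed tables, "webIDS alerts, Snort silent" gives P(A | e) of about 0.17 while the probe shows Snort working (don't investigate), but about 0.63 once the probe is also missed, at which point P(w1 | e) drops to about 0.07: the same evidence is read as "sensor broken, investigate". Operationally, that is the argument for feeding sensor health signals into alert triage rather than treating every silent sensor as a clean bill of health.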
[Slides 17 and 18] Measurement Setup (simplified)
(figure: Backbone network with routers; a "Measure" tap on the link between the routers and "the rest of the world")
[Slide 19] Measurement Setup (simplified): Statistics
• 23,600 inside hosts initiating communication with 18,780,894 on the outside.
• 24,587,096 outside hosts trying to reach (scan) 970,149 inside hosts.
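The statistics above are host counts split by who initiated the connection and which side of the measurement point the host sits on, and the previous slide lists user privacy ("anonymize data") as one of the problems of working with such traffic. The block below is an added example, not the measurement code from the talk: it computes the two kinds of counts from constructed flow records and pseudonymizes the addresses before they are stored, using a keyed prefix-preserving scheme (an HMAC of each address prefix decides whether the next bit is flipped, so hosts that share a real prefix share a pseudonymized prefix and subnet structure survives). The inside prefix, the key, the scan indicator (a SYN that was never answered) and all records are assumptions for this example.

```python
import hashlib
import hmac
import ipaddress

# Added example (not code from the talk). Constructed flow records are
# (src, dst, syn_only); syn_only=True means the initiator never got a reply,
# the simplest scan indicator. INSIDE and KEY are assumptions for the example.
INSIDE = ipaddress.ip_network("10.0.0.0/8")
KEY = b"example-secret-key-rotate-me"   # constructed; keep the real one in a secret store


def pseudonymize_ipv4(addr, key):
    """Keyed prefix-preserving pseudonymization: two addresses that share their
    top k bits map to outputs that share their top k bits. Each output bit is
    the input bit XORed with one HMAC bit computed over the bits before it."""
    ip = int(ipaddress.IPv4Address(addr))
    out = 0
    for i in range(32):
        prefix = ip >> (32 - i)                   # the i bits already processed
        mac = hmac.new(key, f"{i}:{prefix}".encode(), hashlib.sha256).digest()
        bit = (ip >> (31 - i)) & 1
        out = (out << 1) | (bit ^ (mac[0] & 1))   # flip decided only by the prefix
    return str(ipaddress.IPv4Address(out))


def common_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses have in common."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()


def summarize(flows):
    """Host counts in the form of the slide's statistics. Classification uses
    the real addresses; only pseudonymized addresses leave this function."""
    inside_initiators, outside_reached = set(), set()
    outside_scanners, inside_scanned = set(), set()
    for src, dst, syn_only in flows:
        src_in = ipaddress.ip_address(src) in INSIDE
        dst_in = ipaddress.ip_address(dst) in INSIDE
        if src_in and not dst_in:                  # inside host talks to the outside
            inside_initiators.add(src)
            outside_reached.add(dst)
        elif not src_in and dst_in and syn_only:   # outside host probes the inside
            outside_scanners.add(src)
            inside_scanned.add(dst)
    return {
        "inside_hosts_initiating": len(inside_initiators),
        "outside_hosts_reached": len(outside_reached),
        "outside_hosts_scanning": len(outside_scanners),
        "inside_hosts_scanned": len(inside_scanned),
    }


def pseudonymize_flows(flows, key=KEY):
    """The record set that would be kept for later analysis."""
    return [(pseudonymize_ipv4(s, key), pseudonymize_ipv4(d, key), syn) for s, d, syn in flows]


FLOWS = [  # constructed sample records
    ("10.1.2.3", "198.51.100.7", False),
    ("10.1.2.3", "198.51.100.8", False),
    ("10.1.2.3", "198.51.100.9", False),
    ("10.1.2.9", "198.51.100.7", False),
    ("203.0.113.5", "10.1.2.3", True),
    ("203.0.113.5", "10.1.2.4", True),
    ("203.0.113.6", "10.1.2.4", True),
    ("203.0.113.8", "10.1.2.5", True),
    ("203.0.113.7", "10.1.2.3", False),   # answered, so a connection rather than a scan
]

if __name__ == "__main__":
    print(summarize(FLOWS))
    for record in pseudonymize_flows(FLOWS):
        print(record)
```

Prefix preservation is what makes the stored records still usable for per-subnet statistics; it is also why the key must be protected and rotated, since anyone holding it can reverse the mapping, and since an attacker who can inject traffic from known addresses can learn the mapping for those prefixes from the published data.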
[Slides 20 and 21] Analysis of backbone data (figures, no recoverable text)
[Slides 22 and 23] Timing Behavior of Malicious Hosts
(figure: connection timing of observed malicious hosts)
• Simple refresh: once every 43 min (once every 30 min)
• Exponential backoff: 111s, 222s, 333s, 666s, 1332s, 2664s
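The two timing patterns on the slide (a fixed refresh period and an exponential backoff between attempts) are the kind of regularity a defender can look for in connection logs, because a human-driven client rarely produces either. The block below is an added example, not code from the talk: it turns a host's connection timestamps into inter-connection gaps and classifies the host by those gaps. The jitter budget, the "roughly doubling" test and the sample timestamps (built from the intervals named on the slide) are assumptions for this example.

```python
from statistics import mean, pstdev

# Added example (not code from the talk): classify a remote host's connection
# timing as one of the patterns named on the slide. Thresholds are assumptions.


def gaps(timestamps):
    """Inter-connection intervals in seconds, from possibly unsorted epoch times."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def classify_timing(timestamps, jitter=0.15, min_gaps=4):
    """Return ("refresh", period_s), ("backoff", None), ("irregular", None)
    or ("insufficient", None) for one host's timestamps."""
    g = gaps(timestamps)
    if len(g) < min_gaps:
        return ("insufficient", None)
    period = mean(g)
    # Simple refresh: near-constant gaps, i.e. coefficient of variation
    # within the assumed jitter budget.
    if pstdev(g) / period <= jitter:
        return ("refresh", round(period))
    # Exponential backoff: gaps never shrink and at least half of the
    # consecutive steps roughly double (assumed tolerance 1.8 to 2.2).
    ratios = [later / earlier for earlier, later in zip(g, g[1:])]
    doubling = sum(1.8 <= r <= 2.2 for r in ratios)
    if all(r >= 1.0 for r in ratios) and doubling >= len(ratios) / 2:
        return ("backoff", None)
    return ("irregular", None)


def classify_hosts(connections):
    """connections: iterable of (remote_host, timestamp). Groups by host and
    classifies each one; the result is what an analyst would review."""
    per_host = {}
    for host, t in connections:
        per_host.setdefault(host, []).append(t)
    return {host: classify_timing(ts) for host, ts in per_host.items()}


# Constructed samples (epoch offsets in seconds), built from the slide's intervals
REFRESH_HOST = [0, 2580, 5170, 7740, 10330, 12900]      # ~43 min with small jitter
BACKOFF_HOST = [0, 111, 333, 666, 1332, 2664, 5328]      # gaps 111, 222, 333, 666, 1332, 2664
IRREGULAR_HOST = [0, 50, 400, 410, 900]

SAMPLE_CONNECTIONS = ([("198.51.100.10", t) for t in REFRESH_HOST]
                      + [("198.51.100.20", t) for t in BACKOFF_HOST]
                      + [("198.51.100.30", t) for t in IRREGULAR_HOST])

if __name__ == "__main__":
    for host, verdict in classify_hosts(SAMPLE_CONNECTIONS).items():
        print(host, verdict)
```

A classifier like this is a triage aid rather than a verdict: legitimate software updaters and monitoring agents also poll on fixed periods, so the timing label is most useful combined with what the host talks to and whether the destination was previously unknown.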
[Slide 24] Identifying SPAM from data traffic
(figures: "Node in- and out-degree distribution" for Legitimate email (Ham) and for Unsolicited email (Spam); log-log plots of Frequency (10^0 down to 10^-7) against Degree (10^0 to 10^5), with separate In-degree and Out-degree series)

SysSec: A European Network of Excellence in Managing Threats and Vulnerabilities in the Future Internet
• a Network of Excellence (2010-2014)
• To work towards solutions and collaborate
  – At a European level
  – and with international colleagues around the world
• Partners: Poli. di Milano (IT), IPP (Bulgaria), UEKAE (Turkey), Vrije Universiteit (NL), TU Vienna (Austria), FORTH – ICS (Greece), Institute Eurecom (FR), Chalmers U (Sweden)
http://www.syssec-project.eu/
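The spam slide compares the in- and out-degree distributions of the sender/recipient graph for legitimate and for unsolicited mail. The block below is an added example, not code from the talk: it builds that graph from constructed mail-transfer records and computes the two distributions (fraction of nodes per degree, the quantity on the plots' axes). The one-way-sender heuristic at the end is a constructed illustration of the asymmetry the spam plot suggests, not the slide's method, and all addresses and records are constructed.

```python
from collections import Counter, defaultdict

# Added example (not code from the talk): degree distributions of the mail
# graph for constructed ham and spam records. Addresses are constructed.


def _neighbours(edges):
    """Distinct recipients per sender and distinct senders per recipient."""
    out_nb, in_nb = defaultdict(set), defaultdict(set)
    for sender, recipient in edges:
        out_nb[sender].add(recipient)
        in_nb[recipient].add(sender)
    return out_nb, in_nb


def degree_distributions(edges):
    """edges: iterable of (sender, recipient), one per distinct mail flow.
    Returns (in_dist, out_dist) mapping degree -> fraction of nodes with that
    degree, i.e. the points of the slide's Frequency-against-Degree plots."""
    out_nb, in_nb = _neighbours(edges)
    nodes = set(out_nb) | set(in_nb)
    total = len(nodes)
    in_count = Counter(len(in_nb[n]) for n in nodes)
    out_count = Counter(len(out_nb[n]) for n in nodes)
    in_dist = {d: c / total for d, c in sorted(in_count.items())}
    out_dist = {d: c / total for d, c in sorted(out_count.items())}
    return in_dist, out_dist


def one_way_senders(edges, min_out=5):
    """Constructed heuristic (not the slide's method): nodes that send to at
    least min_out distinct recipients and never receive mail from anyone."""
    out_nb, in_nb = _neighbours(edges)
    return sorted(s for s in out_nb if len(out_nb[s]) >= min_out and not in_nb.get(s))


# Constructed ham: a small community where mail flows in both directions.
HAM_EDGES = [
    ("alice@example.invalid", "bob@example.invalid"),
    ("bob@example.invalid", "alice@example.invalid"),
    ("alice@example.invalid", "carol@example.invalid"),
    ("carol@example.invalid", "alice@example.invalid"),
    ("bob@example.invalid", "carol@example.invalid"),
    ("carol@example.invalid", "bob@example.invalid"),
    ("carol@example.invalid", "dave@example.invalid"),
    ("dave@example.invalid", "carol@example.invalid"),
]

# Constructed spam: one source mailing many recipients who never reply.
SPAM_EDGES = [("bulk-sender@example.invalid", f"user{i}@example.invalid") for i in range(1, 7)]

if __name__ == "__main__":
    for label, edges in (("ham", HAM_EDGES), ("spam", SPAM_EDGES)):
        in_dist, out_dist = degree_distributions(edges)
        print(label, "in:", in_dist, "out:", out_dist)
    print("one-way senders in spam sample:", one_way_senders(SPAM_EDGES))
```

On the ham sample the in- and out-degree distributions coincide, because people who write to each other also receive from each other; on the spam sample the mass sits at out-degree 0 for recipients and at a single high out-degree for the source, with the source's in-degree at 0. On real backbone data this separation is what the slide's plots show over several orders of magnitude, and it is the reason degree-based features are useful alongside content-based spam filtering.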
[Slide 25] Links
• SVT Documentary oct-2010:
  – Att hacka en stormakt (http://goo.gl/1Zrd)
• Symantec oct-2010:
  – W32.Stuxnet Dossier (http://goo.gl/pP7S)
• Uppdrag granskning oct-2010:
  – Kapade nätverk (http://svt.se/granskning)
• SysSec: http://www.syssec-project.eu/