
EU FP6 LOBSTER: European Infrastructure for accurate network monitoring (PowerPoint presentation transcript)



  1. EU FP6 LOBSTER: European Infrastructure for accurate network monitoring
     An IST Project, http://www.ist-lobster.org/
     A personal view on the future of zero-day worm containment
     Herbert Bos, Vrije Universiteit Amsterdam, herbertb _AT_ cs.vu.nl
     Herbert Bos, VU, http://www.cs.vu.nl/~herbertb

  2. What is LOBSTER?
     • FP6 Specific Support Activity (SSA)
     • Duration: 09/2004 – 12/06
     • Partners
       – FORTH
       – Vrije Universiteit Amsterdam
       – TNO ICT
       – CESNET
       – UNINETT
       – FORTHnet
       – ALCATEL
       – TERENA
       – Symantec?

  3. What is LOBSTER?
     • European Infrastructure for accurate network monitoring
     • Allows one to perform pan-European monitoring
       – across organisations
     • High-speed
       – specialised network cards
       – also: common NICs
     • Why?
       – traffic classification
       – security
         • worms
         • DDoS
       – performance
       – billing
       – management

  4. Privacy
     • What about privacy?! A shared monitoring infrastructure?

  5. What is LOBSTER?
     • Data owners control
       – which users may access which data
       – very flexible

  6. Passive Monitoring and Security
     • Intrusion Detection
       – Are any of my computers compromised?
       – Is there any attacker trying to intrude into my network?
     • Large-scale Attack Detection
       – Detection of Epidemics
       – DoS Attack detection (e.g., detect sharp increases in TCP/SYN packets)
       – Zero-day worm detection
         • e.g., detect lots of identical packets, never seen before, from several sources to several destinations
         • e.g., unusual no. of connections from a single port to unique destinations
         • e.g., detect worm characteristics, such as NOP sleds: long sequences of executable code
     • Network Telescopes
       – monitor unused IP addresses
       – observe victims of DoS attacks
         • “back-scatter” traffic
       – observe infected hosts
         • port scans
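The three zero-day heuristics listed on this slide, run over a handful of constructed packet records. This is an added example, not LOBSTER code and not from the slides: the packet record layout, the pkt() helper, the baseline of previously seen content and all thresholds (min_count, min_srcs, min_dsts, max_unique_dsts, min_run) are assumptions chosen for the demonstration.

```python
"""Constructed demonstration of the slide's zero-day worm heuristics:
(1) identical, never-seen payloads from several sources to several destinations,
(2) one source port opening connections to unusually many unique destinations,
(3) worm-like content such as a long NOP sled.  Not LOBSTER code."""
from collections import defaultdict
import hashlib


def pkt(src, sport, dst, payload):
    """Minimal packet record (assumed layout, constructed for this example)."""
    return {"src": src, "sport": sport, "dst": dst, "payload": payload}


def payload_id(payload):
    """Content identifier: a full hash is enough for a toy; EarlyBird uses cheaper fingerprints."""
    return hashlib.sha256(payload).hexdigest()


def content_prevalence_alerts(packets, baseline, min_count=3, min_srcs=2, min_dsts=2):
    """Heuristic (1): content seen often, from several sources, to several
    destinations, and absent from the baseline of content seen before."""
    stats = defaultdict(lambda: {"count": 0, "srcs": set(), "dsts": set()})
    for p in packets:
        pid = payload_id(p["payload"])
        if pid in baseline:          # known/old content is not "never seen before"
            continue
        s = stats[pid]
        s["count"] += 1
        s["srcs"].add(p["src"])
        s["dsts"].add(p["dst"])
    return sorted(pid for pid, s in stats.items()
                  if s["count"] >= min_count
                  and len(s["srcs"]) >= min_srcs
                  and len(s["dsts"]) >= min_dsts)


def fanout_alerts(packets, max_unique_dsts=4):
    """Heuristic (2): a single (source host, source port) reaching an unusual
    number of unique destinations; keyed per source port as the slide phrases it."""
    dsts = defaultdict(set)
    for p in packets:
        dsts[(p["src"], p["sport"])].add(p["dst"])
    return sorted(key for key, d in dsts.items() if len(d) > max_unique_dsts)


def longest_nop_run(payload, nop=0x90):
    """Length of the longest run of x86 NOP bytes in the payload."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == nop else 0
        best = max(best, cur)
    return best


def nop_sled_alerts(packets, min_run=16):
    """Heuristic (3): packets whose payload carries a NOP sled of at least min_run bytes."""
    return sorted((p["src"], p["dst"], longest_nop_run(p["payload"]))
                  for p in packets if longest_nop_run(p["payload"]) >= min_run)


# Constructed traffic: benign known requests, a repeated unknown payload with a
# NOP sled spreading between several hosts, and one host fanning out to many targets.
KNOWN = b"GET / HTTP/1.0\r\n\r\n"
WORM = b"\x90" * 24 + b"<constructed worm stub, not real code>"
PACKETS = [
    pkt("10.0.0.1", 51000, "192.0.2.10", KNOWN),
    pkt("10.0.0.2", 51001, "192.0.2.11", KNOWN),
    pkt("10.0.0.3", 51002, "192.0.2.12", KNOWN),
    pkt("10.0.0.5", 1042, "192.0.2.20", WORM),
    pkt("10.0.0.6", 1042, "192.0.2.21", WORM),
    pkt("10.0.0.7", 1042, "192.0.2.22", WORM),
    pkt("10.0.0.7", 1042, "192.0.2.23", WORM),
] + [pkt("10.0.0.9", 4444, f"192.0.2.{30 + i}", b"\x00") for i in range(6)]
BASELINE = {payload_id(KNOWN)}   # content the monitor has seen before


if __name__ == "__main__":
    print("prevalent new content:", content_prevalence_alerts(PACKETS, BASELINE))
    print("fan-out sources:", fanout_alerts(PACKETS))
    print("NOP sleds:", nop_sled_alerts(PACKETS))
```

The scanning host 10.0.0.9 is caught by the fan-out rule but not by the content rule, because all of its identical packets come from one source; the repeated payload is caught by the content rule and by the NOP-sled rule independently, which is the multi-tier detection the later slides argue for.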

  7. Zero-day worm containment
     • Why do we need it?
       – detect something new is on the loose
       – worms spread too fast for human intervention
     • Different worms in different forms
       – fast ↔ slow
       – polymorphic ↔ immutable
       – wide spread ↔ narrow spread
       – stealth ↔ plain
       – multi-vector ↔ uni-vector
     • Worm structure: exploit + payload

  8. Two tasks (pros noted next to each approach)
     • Spot the bad guys
       – network-based (can be fast, certainly flow-based; protects many hosts; handles polymorphism)
         • content-based: EarlyBird
         • flow-based: VirusThrottling
       – host-based (can be very accurate, no false positives; may handle polymorphism / handles polymorphism)
         • honeypots
         • end-users (systrace)
     • Stop them!
       – filters for networks (protects many hosts; polymorphism)
         • snort
         • VirusThrottle
       – filters for hosts (few false positives; some polymorphism?)
       – Self-Certifying Alerts

  9. Two tasks (cons noted next to each approach)
     • Spot the bad guys
       – network-based (false positives; what to do with encryption?; slow)
         • content-based: EarlyBird
         • flow-based: VirusThrottling
       – host-based (needs a certain amount of luck; need real services for accuracy; false positives)
         • honeypots
         • end-users (systrace)
     • Stop them!
       – filters for networks (encryption/polymorphism will kill us; false positives)
         • snort
         • VirusThrottle
       – filters for hosts (pretty slow; can we rely on end-users?)
       – Self-Certifying Alerts

  10. My conclusion (1/4)
     • detection
       – network-based
         • behaviour-based: first indication
         • content-based:
           – weed out known and old threats
           – first indication for new threats
       – host-based
         • inaccurate behaviour-based: first indication
         • accurate behaviour-based:
           – zero-day detection
           – verification
         • should not handle full streams

  11. My conclusion (2/4)
     • blocking
       – network-based
         • behaviour-based: no (unless exceptional circumstances)
         • content-based:
           – weed out known and old threats
           – first indication for new threats
       – host-based
         • good place for filtering, but scope of protection limited
         • end-host, so filtering should be fairly efficient

  12. My conclusion (3/4)
     • future of network-based content inspection for zero-day worm detection

  13. My conclusion (4/4)
     • passive monitoring still needed, but role is changing
       – redirect traffic
       – sample traffic
       – first-pass detection
       – first-pass filtering
       – behaviour-based detection
     • explore
       – multi-tier detection
       – multi-tier filtering
       – integrated approaches
       – cocktail-drugs for Internet diseases?

  14. Argos Emulator (NoAH)
     Fingerprinting zero-day attacks and using advertised honeypots (or: guarding the heifer without falling asleep)

  15. Argos Overview (NoAH)
     • Platform for next generation honeypots
       – High-interaction, advertised, safe
     • Detection of most common vulnerabilities
       – Control, code injection, function argument attacks
     • Emulate + protect entire PC systems
       – OS agnostic, run on commodity hardware
     • Generate host and network intrusion prevention signatures
       – Protect even uncooperative users
     • Joint development with Dutch DeWorm project (VU)

  16. Argos Overview (NoAH)
     [Architecture diagram; components shown: Applications and Forensics inside the Guest OS; the Argos emulator on the Host OS, with the NIC; "Detect attack and log state"; Log; "Correlate post-processing data"; Signature]

  17. Argos Overview (NoAH)
     [Same architecture diagram as slide 16]

  18. Development up to Present (NoAH)
     • Based on the Qemu emulator
     • Track network data throughout execution
     • Detect illegal uses of network data
       – Jump targets, function pointers, instructions, system call arguments
     • Forensics to generate signatures
       – Export emulator state, inject “forensics” shellcode
     (skip boring details)

  19. Network Data Tracking (NoAH)
     • Tagging network data as “tainted”
     [Diagram: data arrives at the Virtual NIC, passes through port I/O into RAM and into the registers EAX, EBX, ECX, EDX]

  20. Network Data Tracking (NoAH)
     • Tagging network data as “tainted”
     • Tracking “tainted” data
       – ALU operations: ADD EAX, EBX

  21. Network Data Tracking (NoAH)
     • Tagging network data as “tainted”
     • Tracking “tainted” data
       – ALU operations: ADD EAX, EBX; XOR EBX, EBX

  22. Network Data Tracking (NoAH)
     • Tagging network data as “tainted”
     • Tracking “tainted” data
       – ALU operations: ADD EAX, EBX; XOR EBX, EBX
       – MMU operations: ST A, EAX

  23. Identifying Attacks (NoAH)
     • Jump targets: JMP EAX → ALERT

  24. Identifying Attacks (NoAH)
     • Jump targets: JMP EAX → ALERT
     • Function calls: CALL EAX → ALERT

  25. Identifying Attacks (NoAH)
     • Jump targets: JMP EAX → ALERT
     • Function calls: CALL EAX → ALERT
     • Returns: RET (to an address on the STACK) → ALERT

  26. Identifying Attacks (NoAH)
     • Jump targets: JMP EAX → ALERT
     • Function calls: CALL EAX → ALERT
     • Returns: RET (to an address on the STACK) → ALERT
     • Code injection: JMP A (into tainted memory at A) → ALERT
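The build-up of slides 19 to 26 as a runnable toy: network bytes get a tag, the tag follows the data through ALU and memory operations, and using tagged data as a jump, call or return target, or executing a tagged byte, raises an alert. This is an added example, not Argos code and not from the slides; the four-register machine, the instruction names (LOAD_NET, ST, LD, PUSH, EXEC), one tag per register rather than per byte, and the address A = 0x1000 are all assumptions.

```python
"""Toy taint tracker in the style of the Argos slides (constructed, not Argos code).
Tags follow data; misuse of tagged data as control flow or code raises an alert."""
from dataclasses import dataclass, field

REGS = ("EAX", "EBX", "ECX", "EDX")


@dataclass
class Machine:
    reg: dict = field(default_factory=lambda: {r: 0 for r in REGS})
    rtag: dict = field(default_factory=lambda: {r: False for r in REGS})  # register taint
    mem: dict = field(default_factory=dict)    # address -> byte
    mtag: set = field(default_factory=set)     # addresses holding tainted bytes
    stack: list = field(default_factory=list)  # (value, tainted) pairs
    alerts: list = field(default_factory=list)  # (pc, reason)

    def step(self, pc, op, *args):
        if op == "LOAD_NET":                     # byte arrives from the virtual NIC: tagged
            r, value = args
            self.reg[r] = value & 0xFF
            self.rtag[r] = True
        elif op == "ADD":                        # ALU: result tainted if either input is
            a, b = args
            self.reg[a] = (self.reg[a] + self.reg[b]) & 0xFFFFFFFF
            self.rtag[a] = self.rtag[a] or self.rtag[b]
        elif op == "XOR":                        # XOR r,r clears the register, and its tag
            a, b = args
            self.reg[a] ^= self.reg[b]
            self.rtag[a] = False if a == b else (self.rtag[a] or self.rtag[b])
        elif op == "ST":                         # MMU: tag follows the byte into memory
            addr, r = args
            self.mem[addr] = self.reg[r] & 0xFF
            if self.rtag[r]:
                self.mtag.add(addr)
            else:
                self.mtag.discard(addr)
        elif op == "LD":                         # MMU: tag follows the byte back out
            r, addr = args
            self.reg[r] = self.mem.get(addr, 0)
            self.rtag[r] = addr in self.mtag
        elif op == "PUSH":                       # a tainted value can reach the stack
            (r,) = args
            self.stack.append((self.reg[r], self.rtag[r]))
        elif op in ("JMP", "CALL"):              # control transfer through a register
            (r,) = args
            if self.rtag[r]:
                self.alerts.append((pc, f"tainted {op} target in {r}"))
            if op == "CALL":
                self.stack.append((pc + 1, False))   # the pushed return address is clean
        elif op == "RET":                        # return address taken from the stack
            _, tainted = self.stack.pop()
            if tainted:
                self.alerts.append((pc, "tainted return address"))
        elif op == "EXEC":                       # instruction fetched from memory
            (addr,) = args
            if addr in self.mtag:
                self.alerts.append((pc, f"code injection: executing tainted byte at {addr:#x}"))
        else:
            raise ValueError(f"unknown op {op}")


def run(program):
    """Execute a list of (op, *args) tuples and return the final Machine."""
    m = Machine()
    for pc, insn in enumerate(program):
        m.step(pc, *insn)
    return m


A = 0x1000   # assumed address for the "A" box on the slides
SLIDE_SEQUENCE = [            # constructed program following slides 19-26
    ("LOAD_NET", "EAX", 0x41), ("LOAD_NET", "EBX", 0x42),
    ("ADD", "EAX", "EBX"),    # EAX stays tainted
    ("XOR", "EBX", "EBX"),    # EBX is clean again
    ("ST", A, "EAX"),         # memory at A is now tainted
    ("JMP", "EAX"),           # alert: tainted jump target
    ("CALL", "EAX"),          # alert: tainted call target
    ("PUSH", "EAX"), ("RET",),   # alert: tainted return address
    ("EXEC", A),              # alert: code injection
]
BENIGN_SEQUENCE = [           # same network data, used only as data
    ("LOAD_NET", "EAX", 0x41), ("ST", A + 4, "EAX"),
    ("XOR", "EBX", "EBX"), ("JMP", "EBX"), ("CALL", "EBX"), ("RET",),
]

if __name__ == "__main__":
    for pc, reason in run(SLIDE_SEQUENCE).alerts:
        print(f"ALERT at insn {pc}: {reason}")
    print("benign sequence alerts:", run(BENIGN_SEQUENCE).alerts)
```

Only the misuse of tainted data alerts, not its presence: the benign sequence stores the same network byte to memory and returns through a clean stack slot without a single alert, which is why this kind of detection produces so few false positives compared with the content and flow heuristics earlier in the deck.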
