ground truth driven cyber security research some examples
play

Ground-Truth Driven Cyber Security Research: Some Examples Mustaque - PowerPoint PPT Presentation

May 01, 2023 •133 likes •554 views

Ground-Truth Driven Cyber Security Research: Some Examples Mustaque Ahamad, Georgia Tech, NYU Abu Dhabi and Pindrop Paul Royal, Georgia Tech Terry Nelms, Georgia Tech & Damballa Roberto Perdisci, University of Georgia Page 1 Background

  1. Ground-Truth Driven Cyber Security Research: Some Examples Mustaque Ahamad, Georgia Tech, NYU Abu Dhabi and Pindrop Paul Royal, Georgia Tech Terry Nelms, Georgia Tech & Damballa Roberto Perdisci, University of Georgia Page 1

  2. Background • Georgia Tech Information Security Center – Founded in 1998 – About a dozen faculty, 30+ PhD students – MS degree program in cyber security • Research philosophy – Data-driven and high impact research • Research thrusts – Understanding emerging threats, mobile security, converged networks security & crypto Page 2

  3. Data Driven Cyber Security Research • Security is about assumptions and guarantees • What assumptions can we make about the nature of threats? – Evolution from hackers and criminals to nation-states • Ground-truth based approach – Observe, understand and defend • Allows validation in a realistic setting Page 3

  4. Agenda: Examples of Data-Driven Research • GTISC MTrace System – Scalable malware analysis • ExecScent – Malware family attribution via communication templates • Data sharing and coordination challenges Page 4

  5. Example 1: Mtrace: Malware Analysis (Paul Royal) • Malware is the centerpiece of current threats on the Internet – Botnets (spamming, DDOS, etc.) – Information Theft – Financial Fraud • Used by Real Criminals – Criminal Infrastructure – Domain of Organized Crime

  6. Malware Cont ’ d • There is a pronounced need to understand malicious software behavior • Malware analysis is the basis for understanding the intentions of malicious programs – Threat Discovery and Analysis – Compromise Detection – Forensics and Asset Remediation

  7. Malware Analysis Challenges • DIY kits, packing tools, server-side polymorphism vastly increase volume of samples • GTISC collects over 250,000 new samples each day - Collected from crawlers, mail filters, honeypots, user submissions, and malware exchanges • Volume makes manual analysis untenable

  8. Malware Analysis - Transparency • Analysis tool/environment detection is a standard malware feature

  9. Transparency Cont ’ d • GTISC ’ s Idea: Use Intel VT as a malware analysis technology • External - No in-guest components to detect • Capable - Functionality sufficient to build analysis tools • “ Equivalent ” - Hardware-assisted nature offers same instruction-execution semantics • Created tools supporting multiple tracing granularities - Coarse-grained tracing via SYSENTER_EIP_MSR displacement • e.g., System call tracing - Fine-grained tracing via TF injection • e.g., Precision automated unpacking

  10. GTISC’s Mtrace System • GTISC has built a horizontally scalable, automated malware analysis framework - Each sample executed in a sterile, isolated environment - Intel VT used to ensure transparency - Structured representations of network actions placed inside intelligence database - C&C domains, anomalous outbound netflow, malicious download URLs, malware-generated email subjects, etc. • Database used by corporate security groups, hosting providers, domain registrars, and law enforcement

  11. Leveraging Intelligence - Mariposa • Case Study: Mariposa – Large, data-stealing botnet • Used to steal credit card, banking information • Compromises in half of Fortune 1000 – Before takedown, over 1M members

  12. Mariposa Cont ’ d • Takedown Timeline – Spring 2009: Mariposa discovery – Fall 2009: International Mariposa Working Group (MWG) formed • Defence Intelligence, GTISC, Panda Antivirus, FBI, Guardia Civil (Spanish LEO) – December 2009: All C&C domains shutdown and sinkholed within hours of the first • Operators panic; log into domain management services from home systems – Warrants issued to operators ’ ISP – January 2010: Operators arrested • 800,000 financial credentials found on one operator ’ s home systems

  13. Example 2: ExecScent: Mining for New C&C Domains in Live Networks with Adaptive Control Protocol Templates Terry Nelms , Roberto Perdisci and Mustaque Ahamad Appeared in Usenix Security Symposium, August 2013.

  14. Modern Malware Networking C&C Web Proxy badguy.com Enterprise Network 192.168.1.2 4/22/14 14

  15. ExecScent Goals & Observations • Goals: – Network detection domains & hosts. – Malware family attribution. • Observations: – C&C protocol changes infrequently. – HTTP C&C application layer protocol. 4/22/14 15

  16. Adaptive Control Protocol Templates • Structure of the protocol. • Self-tuning. • Entire HTTP request. 4/22/14 16

  17. ExecScent Overview Adaptive (self-tuning) Malware Traffic Traces Control Protocol Templates ExecScent ... (learning) Background Network Traffic Enterprise Network 4/22/14 17

  18. ExecScent Overview Adaptive (self-tuning) Malware Traffic Traces Control Protocol Templates ExecScent ... (learning) Background template Network Traffic matching HTTP(S) Traffic C&C Web Proxy Enterprise Network 4/22/14 18

  19. ExecScent Overview Adaptive (self-tuning) Malware Traffic Traces Control Protocol Templates ExecScent ... (learning) Similarity Background template Network Traffic matching Specificity HTTP(S) Traffic C&C Web Proxy Enterprise Network 4/22/14 19

  20. ExecScent Overview Adaptive (self-tuning) Malware Traffic Traces Control Protocol Templates ExecScent ... (learning) Infected Hosts Background template Network Traffic matching C&C Domains HTTP(S) Traffic C&C Web Proxy Enterprise Network 4/22/14 20

  21. Template Learning Process Labeled C&C Domains Generate Labeled Malware Request Request Control Control C&C Generalization Clustering Protocol Protocol Traces Templates Templates Background Network Traffic 4/22/14 21

  22. Malware C&C Traces Labeled C&C Domains Generate Labeled Malware Request Request Control Control C&C Generalization Clustering Protocol Protocol Traces Templates Templates Background Network Traffic 4/22/14 22

  23. Request Generalization Labeled C&C Domains Generate Labeled Malware Request Request Control Control C&C Generalization Clustering Protocol Protocol Traces Templates Templates Background Network Traffic 4/22/14 23

  24. Request Generalization (a) Request 1 : GET /Ym90bmV0DQo=/cnc.php?v=121&cc=IT Host: www.bot.net User-Agent: 680e4a9a7eb391bc48118baba2dc8e16 ... Request 2 : GET /bWFsd2FyZQ0KDQo=/cnc.php?v=425&cc=US Host: www.malwa.re User-Agent: dae4a66124940351a65639019b50bf5a ... (b) Request 1 : GET /<Base64;12>/cnc.php?v=<Int;3>&cc=<Str;2> Host: www.bot.net User-Agent: <Hex;32> ... Request 2 : GET /<Base64;16>/cnc.php?v=<Int;3>&cc=<Str;2> Host: www.malwa.re User-Agent: <Hex;32> ... 4/22/14 24

  25. Request Clustering Labeled C&C Domains Generate Labeled Malware Request Request Control Control C&C Generalization Clustering Protocol Protocol Traces Templates Templates Background Network Traffic 4/22/14 25

  26. Labeled C&C Domains Labeled C&C Domains Generate Labeled Malware Request Request Control Control C&C Generalization Clustering Protocol Protocol Traces Templates Templates Background Network Traffic 4/22/14 26

  27. Labeled C&C Domains Labeled C&C Domains Generate Labeled Malware Request Request Control Control C&C Generalization Clustering Protocol Protocol Traces Templates Templates Background Network Traffic 4/22/14 27

  28. Generating CPTs Labeled C&C Domains Generate Labeled Malware Request Request Control Control C&C Generalization Clustering Protocol Protocol Traces Templates Templates Background Network Traffic 4/22/14 28

  29. Generating CPTs Malware-A Unlabeled Unlabeled Unlabeled Unlabeled Malware-C Malware-F Malware-D Malware-B Malware-E Unlabeled Unlabeled 4/22/14 29

  30. Labeled CPTs Labeled C&C Domains Generate Labeled Malware Request Request Control Control C&C Generalization Clustering Protocol Protocol Traces Templates Templates Background Network Traffic 4/22/14 30

  31. Labeled CPT 1 ) Median URL path : /<Base64;14>/cnc.php 2 ) URL query component : {v=<Int,3>, cc=<String;2>} 3 ) User Agent : {<Hex;32>} 4 ) Other headers : {(Host;13), (Accept-Encoding;8)} 5 ) Dst nets : {172.16.8.0/24, 10.10.4.0/24, 192.168.1.0/24} Malware family : { Trojan-A , BotFamily-1 } URL regex : GET /.*\?(cc|v)= Background traffic profile : specificity scores used to adapt the CPT to the deployment environment 4/22/14 31

  32. Template Matching • Similarity Input: req, CPT – Measures likeness Similarity: s (req i , CPT i ), – Components for each component i – Weighted average – Match threshold Specificity: δ (req i , CPT i ), for each component i • Specificity Match-Score: f (sim, spec) – Measures uniqueness – Dynamic weights If Match-Score > Θ : return C&C Request – Self-tuning 4/22/14 32

  33. Evaluation Deployment Networks UNetA UNetB FNet Distinct Src IPs 7 , 893 27 , 340 7 , 091 HTTP Requests 34 , 871 , 003 66 , 298 , 395 58 , 019 , 718 Distinct Domains 149 , 481 238 , 014 113 , 778 • Evaluation ran for two weeks. • CPTs updated daily beginning two weeks prior to evaluation. 4/22/14 33

Recommend

Ground Truth Competency Assessment for Smart Grid Cyber Security TCIPG May 4, 2012 Michael

Ground Truth Competency Assessment for Smart Grid Cyber Security TCIPG May 4, 2012 Michael

Ground Truth Competency Assessment for Smart Grid Cyber Security TCIPG May 4, 2012 Michael Assante President, NBISE David H. Tobey, Ph.D. Director of Research The Need for Cyber Defenders &quot;Everywhere I go, across the country, CEOs and

595 views • 27 slides
Ground Truth Data for Performance Evaluation of Urdu Nastalique OCR Aneeta Niazi Research

Ground Truth Data for Performance Evaluation of Urdu Nastalique OCR Aneeta Niazi Research

Ground Truth Data for Performance Evaluation of Urdu Nastalique OCR Aneeta Niazi Research Officer Ground Truth Data Definition : The term &quot;ground truthing&quot; refers to the process of gathering the proper objective data to prove or

658 views • 38 slides
Security Through Examples Exploring Cyber Security in Critical Infrastructure Tim Yardley,

Security Through Examples Exploring Cyber Security in Critical Infrastructure Tim Yardley,

Security Through Examples Exploring Cyber Security in Critical Infrastructure Tim Yardley, University of Illinois Urbana-Champaign yardley@illinios.edu Introduction Material September 30, 2016 cred-c.org Se Settin ing T The St Stage 1

495 views • 20 slides
Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
Cyber Security and Smart Infrastructure: Research Dr. Stacy Prowell Chief Cyber Security

Cyber Security and Smart Infrastructure: Research Dr. Stacy Prowell Chief Cyber Security

Cyber Security and Smart Infrastructure: Research Dr. Stacy Prowell Chief Cyber Security Research Scientist Oak Ridge National Laboratory Main Points Information Sharing Enable discovering and sharing information about real threats to

216 views • 6 slides
Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

ABB MINING USER CONFERENCE, MAY 02-05, 2017 Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division Agenda Why worry about cyber security? ABBs approach to cyber security Cyber security

1.07k views • 39 slides
Maritime cyber security Jakob P. Larsen, Head of Maritime Security jpl@bimco.org 2019 ReCAAP ISC

Maritime cyber security Jakob P. Larsen, Head of Maritime Security jpl@bimco.org 2019 ReCAAP ISC

Maritime cyber security Jakob P. Larsen, Head of Maritime Security jpl@bimco.org 2019 ReCAAP ISC Piracy and Sea Robbery Conference Agenda The regulatory framework Shipping industry guidance Cyber incident examples from real life

355 views • 10 slides
Cyber Security Research on Industrial Control Systems SM Yiu Department of Computer Science The

Cyber Security Research on Industrial Control Systems SM Yiu Department of Computer Science The

Cyber Security Research on Industrial Control Systems SM Yiu Department of Computer Science The University of Hong Kong Cyber-security for industry 4.0 conference 23 June, 2017 1 Will the followings only be seen in movies? Movies: Cyber

510 views • 28 slides
An Update from Washington: Whats Happening in the World of Cyber Security and Critical

An Update from Washington: Whats Happening in the World of Cyber Security and Critical

Homeland Security Advanced Research Projects Agency An Update from Washington: Whats Happening in the World of Cyber Security and Critical Infrastructure Douglas Maughan Division Director November 12, 2014 http://www.dhs.gov/cyber-research

489 views • 31 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views • 41 slides
Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk Challenges in Assessing and Mitigating Cyber Risk Mustaque Ahamad, Saby Mitra and Paul Royal Georgia Tech Information Security Center Georgia Tech

763 views • 16 slides
Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three

Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three

Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three points of failure in any secure network: Technology (hardware and software) Technology Support (ITS) End Users (USD students and employees)

359 views • 23 slides
Cyber-Physical System Security Alia Long Advanced Research in Cyber Systems (ARCS) Los Alamos

Cyber-Physical System Security Alia Long Advanced Research in Cyber Systems (ARCS) Los Alamos

Cyber-Physical System Security Alia Long Advanced Research in Cyber Systems (ARCS) Los Alamos National Laboratory LA-UR-17-27644 Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA A Cyber-Physical Model

837 views • 7 slides
CYBER SECURITY PROTECTING AGAINST CYBER FRAUD IN SCALEUP COMPANIES AND WHAT TO DO SHOULD THEY

CYBER SECURITY PROTECTING AGAINST CYBER FRAUD IN SCALEUP COMPANIES AND WHAT TO DO SHOULD THEY

CYBER SECURITY PROTECTING AGAINST CYBER FRAUD IN SCALEUP COMPANIES AND WHAT TO DO SHOULD THEY HAPPEN London June 2019 INTRODUCTION Cyber Security The activity or process, ability or capability, or state whereby information and

735 views • 24 slides
ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* *

ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* *

ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* * Preliminary programme, subject to revision/update status 16 December 2014 4 February 2015 Day 1: Cyber Security Readiness Registration KU

306 views • 4 slides
Institute for Cyber Security The University of Texas at San Antonio World-Leading Research with

Institute for Cyber Security The University of Texas at San Antonio World-Leading Research with

Institute for Cyber Security The University of Texas at San Antonio World-Leading Research with Real-World Impact! April 20, 2010 To: Julian Thrash From: Jeff Reich, Director of Operations for the Institute for Cyber Security Subject:

176 views • 3 slides
Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities Bradford

Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities Bradford

16 Oct 2012 Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities Bradford Willke Cyber Security Advisor, MidAtlantic Region National Cyber Security Division (NCSD) Office of Cybersecurity and Communications

443 views • 20 slides
Worldwide Security and Resiliency of Cyber Infrastructures: the Role of the Domain Name System

Worldwide Security and Resiliency of Cyber Infrastructures: the Role of the Domain Name System

Worldwide Security and Resiliency of Cyber Infrastructures: the Role of the Domain Name System Dr. Igor Nai Fovino Head of the Research Department Global Cyber Security Center The Global Cyber Security Center, is an International not-for-profit

615 views • 33 slides
Cyber security Current challenges Ludovic M, septembre 2019 Cyber security ? Three triptychs !

Cyber security Current challenges Ludovic M, septembre 2019 Cyber security ? Three triptychs !

Cyber security Current challenges Ludovic M, septembre 2019 Cyber security ? Three triptychs ! 3 properties ... Confidentiality (including personal data) Integrity Availability 2 -Sminaire LIRIMA: Cyber security: current

876 views • 64 slides
Improving the Efficiency of Manual Ground Truth Labeling Using Automated Anatomy Segmentation

Improving the Efficiency of Manual Ground Truth Labeling Using Automated Anatomy Segmentation

Improving the Efficiency of Manual Ground Truth Labeling Using Automated Anatomy Segmentation Hongzhi Wang PhD, Prasanth Prasanna MD, Jose Morey MD, Tanveer F. Syeda-Mahmood PhD Medical Sieve Group, IBM Almaden Research Center Anatomy

469 views • 18 slides
Capturing Traffic Traces with Ground- Capturing Traffic Traces with Ground- Truth Information

Capturing Traffic Traces with Ground- Capturing Traffic Traces with Ground- Truth Information

Politecnico di Torino Seminario su Traffic Classification - 10/2009 Capturing Traffic Traces with Ground- Capturing Traffic Traces with Ground- Truth Information Truth Information Niccolo' Cascarano, Politecnico di Torino Joint work with

479 views • 16 slides
2018 Legislative Ag Chairs Summit Cyber Security Geoff Jenista, CISSP Cyber Security Advisor,

2018 Legislative Ag Chairs Summit Cyber Security Geoff Jenista, CISSP Cyber Security Advisor,

2018 Legislative Ag Chairs Summit Cyber Security Geoff Jenista, CISSP Cyber Security Advisor, Region VII Office of Cybersecurity and Communications (CS&amp;C) National Protection and Programs Directorate (NPPD) FOUO / UNCLASS Cyber Security

333 views • 12 slides
Current Trends in Cyber Security Course on Cyber Attack Detection &amp; Mitigation Techniques

Current Trends in Cyber Security Course on Cyber Attack Detection &amp; Mitigation Techniques

Current Trends in Cyber Security Course on Cyber Attack Detection &amp; Mitigation Techniques (NIT-K) S. K. Pal Defence Research &amp; Development Organization (DRDO) SAG, Metcalfe House, Delhi 27-Jul-2020 1 What is Cyberspace? Refers to

766 views • 17 slides
Cyber Security WCA - 2019 1 BILLION users Lets level set with some Defjnitions and

Cyber Security WCA - 2019 1 BILLION users Lets level set with some Defjnitions and

App Engine A Practical Approach To Cyber Security WCA - 2019 1 BILLION users Lets level set with some Defjnitions and Examples Protecting digital data and assets (a subset of information security) Confidentiality 1 Integrity 2

421 views • 21 slides

More recommend