network security today finding complex attacks at 100gb s
play

Network Security Today: Finding Complex Attacks at 100Gb/s Robin - PowerPoint PPT Presentation

Jun 07, 2023 •329 likes •1.27k views

Network Security Today: Finding Complex Attacks at 100Gb/s Robin Sommer International Computer Science Institute, & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org/robin TU Mnchen, September 2012

  1. Network Security Today: Finding Complex Attacks at 100Gb/s Robin Sommer International Computer Science Institute, & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org/robin TU München, September 2012 Informatik-Kolloquium, TU München

  2. Outline 2 Informatik-Kolloquium, TU München

  3. Outline Today’s Threats. Deep Packet Inspection at High Speed. Collective Intelligence. 2 Informatik-Kolloquium, TU München

  4. The Old Days ... 1300M Border Traffic Lawrence Berkeley National Lab (Today) 10GE upstream, 4,000 user, 12,000 hosts 1000M #connections/month 800M Total connections 600M 400M 200M 0M 1994 1996 1998 2000 2002 2004 2006 2008 Data: Lawrence Berkeley National Lab 3 Informatik-Kolloquium, TU München

  5. The Old Days ... 1300M Border Traffic Lawrence Berkeley National Lab (Today) 10GE upstream, 4,000 user, 12,000 hosts 1000M #connections/month 800M Total connections Successful connections 600M Attempted connections 400M 200M 0M 1994 1996 1998 2000 2002 2004 2006 2008 Data: Lawrence Berkeley National Lab 3 Informatik-Kolloquium, TU München

  6. The Old Days ... 1300M Border Traffic Conficker.B Lawrence Berkeley National Lab (Today) Conficker.A 10GE upstream, 4,000 user, 12,000 hosts Santy 1000M Mydoom.O Sasser #connections/month 800M Total connections Sobig.F Successful connections Welchia 600M Attempted connections Blaster 400M Slapper Nimda 200M CodeRed2 CodeRed 0M 1994 1996 1998 2000 2002 2004 2006 2008 Data: Lawrence Berkeley National Lab 3 Informatik-Kolloquium, TU München

  7. Trend 1: Commercialization of Attacks 4 Informatik-Kolloquium, TU München

  8. Trend 1: Commercialization of Attacks Attacks aimed at making a profit. Selling (illegal) goods and services. Exfiltrating information. Thriving underground economy. Empowered by virtually endless supply of “bots”. Everything is on sale (“crime-as-a-service”). 4 Informatik-Kolloquium, TU München

  9. “Pay Per Install” Services 5 Informatik-Kolloquium, TU München

  10. “Pay Per Install” Services 5 Informatik-Kolloquium, TU München

  11. Crime Economics 6 Informatik-Kolloquium, TU München

  12. Crime Economics Accelerated arms race. Innovative, fast moving attackers. 6 Informatik-Kolloquium, TU München

  13. Crime Economics Accelerated arms race. Bear race. Innovative, fast moving attackers. If attack pays, it’s good enough. 6 Informatik-Kolloquium, TU München

  14. Trend 2: Highly Targeted Attacks 7 Informatik-Kolloquium, TU München

  15. Trend 2: Highly Targeted Attacks High-skill / high-resource attacks. Targeting you. Extremely hard to defend against. 7 Informatik-Kolloquium, TU München

  16. Trend 2: Highly Targeted Attacks High-skill / high-resource attacks. Targeting you. Extremely hard to defend against. Typical Instances Activist hacking. “Advanced Persistent Threats”. 7 Informatik-Kolloquium, TU München

  17. Trend 2: Highly Targeted Attacks High-skill / high-resource attacks. Targeting you. Extremely hard to defend against. Typical Instances Activist hacking. Advanced Persistent Threat (APT). MANDIANT defines “Advanced Persistent Threats”. the APT as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks for years. The vast majority of Source: MANDIANT 7 Informatik-Kolloquium, TU München

  18. Targeted Attacks: APTs EXPLOITATION LIFE CYCLE STEP 1 Reconnaissance STEP 2 Initial Intrusion into the Network STEP 3 Establish a Backdoor into the Network STEP 4 Obtain User Credentials STEP 5 Install Various Utilities STEP 6 Privilege Escalation / Lateral Movement / Data Exfiltration STEP 7 Maintain Persistence Source: MANDIANT 8 Informatik-Kolloquium, TU München

  19. Targeted Attacks: APTs EXPLOITATION LIFE CYCLE APT MALWARE COMMUNICATION STEP 1 100% of APT backdoors made only outbound connections Reconnaissance Used another STEP 2 port 17% Initial Intrusion into the Network STEP 3 Establish a Backdoor into the Network Used TCP port 80 or 443 83% STEP 4 Obtain User Credentials STEP 5 Install Various Utilities In no instance was any APT malware written or configured to listen for STEP 6 Privilege Escalation / Lateral Movement / Data Exfiltration inbound connections. STEP 7 Maintain Persistence Source: MANDIANT 8 Informatik-Kolloquium, TU München

  20. Challenges for Defenders 9 Informatik-Kolloquium, TU München

  21. Challenges for Defenders Varying threat models. No ring rules them all. 9 Informatik-Kolloquium, TU München

  22. Challenges for Defenders Varying threat models. No ring rules them all. Volume and variability. Network traffic is an enormous haystack. 9 Informatik-Kolloquium, TU München

  23. Challenges for Defenders Varying threat models. No ring rules them all. Volume and variability. Network traffic is an enormous haystack. Semantic complexity. The action is really at the application-layer. 9 Informatik-Kolloquium, TU München

  24. Analyzing Semantics 10 Informatik-Kolloquium, TU München

  25. Analyzing Semantics Internal Tap Internet Network IDS 10 Informatik-Kolloquium, TU München

  26. Analyzing Semantics Internal Tap Internet Network IDS Example: Finding downloads of known malware. 1. Find and parse all Web traffic. 2. Find and extract binaries. 3. Compute hash and compare with database. 4. Report, and potentially kill, if found. 10 Informatik-Kolloquium, TU München

  27. Deep Packet Inspection at High Speed 11 Informatik-Kolloquium, TU München

  28. Back in 2005 ... 12 Informatik-Kolloquium, TU München

  29. Back in 2005 ... Munich Scientific Network (Today) Total bytes 80 3 major universities, 2x10GE upstream Incoming bytes ~100,000 Users ~65,000 Hosts 60 Total upstream bytes Incoming bytes TBytes/month 40 20 0 1997 1998 1999 2000 2001 2002 2003 2004 2005 Data: Leibniz-Rechenzentrum, München 12 Informatik-Kolloquium, TU München

  30. Today ... 13 Informatik-Kolloquium, TU München

  31. Today ... Munich Scientific Network (Today) Total bytes 3 major universities, 2x10GE upstream Incoming bytes 800 ~100,000 Users ~65,000 Hosts Total upstream bytes 600 Incoming bytes TBytes/month 400 200 Oct 2005 0 1996 1998 2000 2002 2004 2006 2008 2010 Data: Leibniz-Rechenzentrum, München 13 Informatik-Kolloquium, TU München

  32. Traditional Gap: Research vs. Operations 14 Informatik-Kolloquium, TU München

  33. Traditional Gap: Research vs. Operations Conceptually simple tasks can be hard in practice. Academic research often neglects operational constraints. Operations cannot leverage academic results. 14 Informatik-Kolloquium, TU München

  34. Traditional Gap: Research vs. Operations Conceptually simple tasks can be hard in practice. Academic research often neglects operational constraints. Operations cannot leverage academic results. We focus on working with operations. Close collaborations with several large sites. Extremely fruitful for both sides. 14 Informatik-Kolloquium, TU München

  35. Research Platform: Bro 15 Informatik-Kolloquium, TU München

  36. Research Platform: Bro Originally developed by Vern Paxson in 1996. Open-source, BSD-license, maintained at ICSI. In operational use since the beginning. Conceptually very different from other IDS. http://www.bro-ids.org 15 Informatik-Kolloquium, TU München

  37. Bro Script Example: Matching URLs Task: Report all Web requests for files called “ passwd”. 16 Informatik-Kolloquium, TU München

  38. Bro Script Example: Matching URLs Task: Report all Web requests for files called “ passwd”. event http_request (c: connection, # Connection. method: string, # HTTP method. original_URI: string, # Requested URL. unescaped_URI: string, # Decoded URL. version: string) # HTTP version. { if ( method == "GET" && unescaped_URI == /.*passwd/ ) NOTICE(...); # Alarm. } 16 Informatik-Kolloquium, TU München

  39. “Who’s Using It?” Installations across the US Universities Research Labs Supercomputer Centers Industry Examples Lawrence Berkeley National Lab Indiana University National Center for Supercomputing Applications National Center for Atmospheric Research ... and many more sites Recent User Meetings Bro Workshop 2011 at NCSA Fully integrated into Security Onion Bro Exchange 2012 at NCAR Popular security-oriented Linux distribution Each attended by about 50 operators from from 30-35 organizations 17 Informatik-Kolloquium, TU München

  40. Bro History 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 Vern writes 1st line of code 18 Informatik-Kolloquium, TU München

Recommend

TCP/IP: sniffing, ARP attacks, IP fragmentation Network Security Lecture 3 Recap and overview

TCP/IP: sniffing, ARP attacks, IP fragmentation Network Security Lecture 3 Recap and overview

TCP/IP: sniffing, ARP attacks, IP fragmentation Network Security Lecture 3 Recap and overview Last time Today TCP/IP Attacks IP Sniffing Ethernet Spoofing ARP Hijacking (ARP) Tools/libraries Libnet,

729 views • 37 slides
Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing

Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing

Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing the security of network protocols We will now focus on web applications and their vulnerabilities (and attacks) SQL injection Eike Ritter

815 views • 25 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan

CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan

CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Stefan Savage, David Wagner, and Nick Weaver Threat Modeling for Network Attacks Basic security goals:

804 views • 31 slides
Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu

Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu

Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu Materials adopted from Prof. David Wagner 2019 General Communication Security Goals: CIA Confidentiality: No one can read our data / communication

876 views • 60 slides
CSE 127: Introduction to Security Lecture 10: Network Attacks Deian Stefan UCSD Winter 2020

CSE 127: Introduction to Security Lecture 10: Network Attacks Deian Stefan UCSD Winter 2020

CSE 127: Introduction to Security Lecture 10: Network Attacks Deian Stefan UCSD Winter 2020 Material from Nadia Heninger, Stefan Savage, David Wagner, and Nick Weaver Threat Modeling for Network Attacks Basic security goals:

585 views • 36 slides
CSE 127: Introduction to Security Lecture 13: Network Attacks Deian Stefan UCSD Fall 2020

CSE 127: Introduction to Security Lecture 13: Network Attacks Deian Stefan UCSD Fall 2020

CSE 127: Introduction to Security Lecture 13: Network Attacks Deian Stefan UCSD Fall 2020 Material from Nadia Heninger, Stefan Savage, David Wagner, and Nick Weaver Threat modeling for network attacks Basic security goals:

1.11k views • 39 slides
Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Network Security Model Header attacks Protocol Attacks

597 views • 25 slides
Network Attacks Review & Denial-of-Service (DoS) CS 161: Computer Security Prof. Vern Paxson

Network Attacks Review & Denial-of-Service (DoS) CS 161: Computer Security Prof. Vern Paxson

Network Attacks Review & Denial-of-Service (DoS) CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 15, 2011 Goals For Today Review

825 views • 53 slides
Overview Network and Server Goal of Security Control Attacks and Penetration Phases of

Overview Network and Server Goal of Security Control Attacks and Penetration Phases of

Overview Network and Server Goal of Security Control Attacks and Penetration Phases of Control Methods of Taking Control Common Points of Attack Multifront Attacks Chapter 12 Auditing to Recognize Attacks Malicious

535 views • 7 slides
WiF iFi security UW Madison CS 642 1 Announcements HW 3 (network security) out today

WiF iFi security UW Madison CS 642 1 Announcements HW 3 (network security) out today

WiF iFi security UW Madison CS 642 1 Announcements HW 3 (network security) out today Due April 2 nd Online classes going forward Testing out BBCollaborate Ultra today Recordings should be available Might use different

1.19k views • 27 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 3 Network Protocol Attacks Roadmap Network security The basic objectives: CIA

1.68k views • 39 slides
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 3 Network Protocol Attacks Roadmap Network security The

502 views • 39 slides
Network Security: Attacks CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva

Network Security: Attacks CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva

Network Security: Attacks CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar, Rebecca

699 views • 58 slides
Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 17: Network

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 17: Network

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 17: Network Security Chapter 17: 2 Agenda Net adversary TCP attacks DNS attacks Firewalls Intrusion detection Honeypots Chapter 17: 3

792 views • 62 slides
REANNZ Network SYDNEY 10Gb/s ladder design AUCKLAND soon: upgrade to 100Gb/s TAURANGA

REANNZ Network SYDNEY 10Gb/s ladder design AUCKLAND soon: upgrade to 100Gb/s TAURANGA

LOS ANGELES Lies, Damn Lies and Statistics REANNZ Network SYDNEY 10Gb/s ladder design AUCKLAND soon: upgrade to 100Gb/s TAURANGA HAMILTON International connections to AU and US ROTORUA NEW PLYMOUTH 40Gb/s R&E NAPIER

436 views • 16 slides
Network Attacks CS 334 - Computer Security Once again thanks to Vern Paxson and David Wagner 1

Network Attacks CS 334 - Computer Security Once again thanks to Vern Paxson and David Wagner 1

Network Attacks CS 334 - Computer Security Once again thanks to Vern Paxson and David Wagner 1 Layers 1 & 2: General Threats? Framing and transmission of a collection of bits into individual messages sent across a single subnetwork

809 views • 54 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
INTRODUCTION COMPUTER & NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is

INTRODUCTION COMPUTER & NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is

INTRODUCTION COMPUTER & NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is security? Why is it so hard to achieve? Administrative The security mindset Analyzing a systems security 1. Summarize the system 2.

801 views • 43 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Computer and Network Security: Network Attacks Kameswari Chebrolu All the figures used as part

Computer and Network Security: Network Attacks Kameswari Chebrolu All the figures used as part

Computer and Network Security: Network Attacks Kameswari Chebrolu All the figures used as part of the slides are either self created or from the public domain with either 'creative commons' or 'public domain dedication' licensing. The public

914 views • 26 slides
11/10/08 Today P561: Network Systems Finding content and services Week 7: Finding content

11/10/08 Today P561: Network Systems Finding content and services Week 7: Finding content

11/10/08 Today P561: Network Systems Finding content and services Week 7: Finding content Infrastructure hosted (DNS) Peer-to-peer hosted (Napster, Gnutella, DHTs) Multicast Multicast: one to many content dissemination

368 views • 14 slides
Dynamically Finding Minimal Eviction Sets Can Be Quicker Than You Think for Side-Channel Attacks

Dynamically Finding Minimal Eviction Sets Can Be Quicker Than You Think for Side-Channel Attacks

Dynamically Finding Minimal Eviction Sets Can Be Quicker Than You Think for Side-Channel Attacks against the LLC Wei Song State Key Laboratory of Information Security Institute of Information Engineering, CAS, Beijing, China Peng Liu The

274 views • 25 slides

More recommend