Prof. Dr.
Norbert Pohlmann
Institute for Internet Security - if(is)
University of Applied Sciences Gelsenkirchen
http://www.internet-sicherheit.de
Internet Continuous Situation Awareness
Prof. Dr. Norbert Pohlmann, Institute for Internet Security - if(is), University of Applied Sciences Gelsenkirchen, Germany
Content
Structure of the Internet
Internet Situation Awareness
Internet Analysis System (IAS)
Global View
Summary
Structure of the Internet Example: Analysis „Internet Germany“
“Most important” Autonomous Systems for Germany
Data volume / month in Germany Estimation (2007)
A view on data streams exchanged between the networks (autonomous systems, AS)!
PUBLIC PEERING: 30 Peta Byte (20%)
PRIVATE PEERING: 50 Peta Byte (33%)
TRANSIT (Customer): 150 Peta Byte (100%)
TRANSIT (Global ISP): 40 Peta Byte (27%)
INTERNAL: 30 Peta Byte (20%)
100 Peta Byte (66%): private user
50 Peta Byte (33%): business customer
1 Peta Byte = 1.000.000 Giga Byte
Structure of the Internet Conclusion
The Internet is more or less like a black box to the various stakeholders.
The Internet has become critical in some parts by now.
One reason is the lack of global monitoring and control of the distributed infrastructure.
When using the Internet today, the various stakeholders simply have to trust that everything will be fine.
Situation awareness will help the various stakeholders in their decision-making process.
Internet Situation Awareness Definition
The term Situation Awareness (SA) comes from the area of air traffic control and military command & control.
The generic definition of the term Situation Awareness (SA) is:
Situation Awareness is “the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning and the projection of their status in the near future”.
(Defined by Endsley)
Internet Situation Awareness Added value
Situation Awareness (SA) is essential not just for the
home user, to strengthen trust in using the Internet, but also for
representatives of the government responsible for Internet Governance, to make strategies for further development, and for
enterprises planning to use the Internet as a reliable platform for business.
An understanding of the environment is crucial for the decision-making process, and a perfect Situation Awareness will be reflected positively in the actions of the stakeholders.
This will already help to reduce the potential disaster risk.
Internet Analysis System Idea
[Figure: Internet, IAS, Evaluation System]
Observation of the critical infrastructure „Internet“.
Probes are placed at strategically selected points of the Internet communication infrastructure to gather the raw data, which consist of counters of header information.
Only header information is counted, which is not considered relevant to data privacy.
The system gathers information over a long period of time!
A centrally managed Evaluation System is used to analyze the raw data and to display the detailed results in an intuitive manner.
Internet Analysis System Targets
Description of profiles, patterns and correlations; creation of a knowledge base.
Outline of the current state of the Internet.
Detection of attacks and of deviations.
Forecast of patterns and attacks.
Internet Analysis System Counting of header information (1/2)
[Figure: counters incremented (+1) for header information]
Number of counters:
Max: 870.000
Real Ø: 60.000
Internet Analysis System Counting of header information (2/2)
All of this information is completely anonymous by design!
[Figure: counter value over time]
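The counting idea from the two slides above, as an added example (not code from the IAS project): a probe that increments one counter per observed header value and keeps neither addresses nor payload. The counter names, the `Probe` class and the sample packets are assumptions constructed for illustration.

```python
import struct
from collections import Counter

def ipv4(proto, src, dst, payload=b""):
    """Constructed sample packet: 20-byte IPv4 header, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, bytes(src), bytes(dst)) + payload

def tcp(dport, flags):
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def udp(dport):
    return struct.pack("!HHHH", 40000, dport, 8, 0)

class Probe:
    """Counts header field values; addresses and payload are never stored."""
    def __init__(self):
        self.counters = Counter()

    def observe(self, packet):
        # Reject anything that is not a plausible IPv4 header before indexing it.
        if len(packet) < 20 or packet[0] >> 4 != 4 or (packet[0] & 0x0F) < 5:
            self.counters["ip.malformed"] += 1
            return
        ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
        self.counters[f"ip.proto.{proto}"] += 1
        l4 = packet[ihl:]
        if proto == 6 and len(l4) >= 14:
            dport, flags = struct.unpack("!H", l4[2:4])[0], l4[13]
            self.counters[f"tcp.dport.{dport}"] += 1
            self.counters[f"tcp.flags.{flags:#04x}"] += 1
        elif proto == 17 and len(l4) >= 4:
            dport = struct.unpack("!H", l4[2:4])[0]
            self.counters[f"udp.dport.{dport}"] += 1

    def flush(self):
        """Return this interval's counters for the evaluation system, then reset."""
        snapshot, self.counters = dict(self.counters), Counter()
        return snapshot

def demo():
    a, b = (192, 0, 2, 1), (198, 51, 100, 7)   # documentation addresses
    probe = Probe()
    for pkt in (ipv4(6, a, b, tcp(80, 0x02)), ipv4(6, b, a, tcp(80, 0x02)),
                ipv4(6, a, b, tcp(443, 0x02)), ipv4(17, a, b, udp(53)),
                b"\x00\x01"):                  # truncated packet
        probe.observe(pkt)
    return probe.flush()

if __name__ == "__main__":
    print(demo())
```

The two packets to port 80 travel in opposite directions between different hosts, yet they land in the same counter: what leaves the probe says how often a header value occurred, not who sent it.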
IAS: Current State of Development Result: Knowledge base
Distribution of Transport Protocols
Profile shaping and trend development
TCP 89%
UDP 7%
[Figure: share of transport protocols over time (TCP, UDP, ICMP, ESP, GRE, IGMP), weekend marked]
IAS: Current State of Development Result: Knowledge base
SMTP Content Type
60% “text” mails (30%: multipart/alternative, 26%: text/plain, 4%: text/html)
33% “attachments” (33%: multipart/mixed)
IAS: Current State of Development Result: Detection of attacks (1/2)
SMTP Content Type
Temporarily more e-mails with attachments -> mail worms/viruses!
[Figure: multipart/mixed counter over time]
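One way to turn the multipart/mixed rise described above into a check, as an added example (not the IAS evaluation logic): build a profile from past intervals and flag intervals whose share leaves it. The median/MAD rule, the thresholds and all counter values are assumptions constructed for illustration.

```python
from statistics import median

def share(interval, descriptor):
    """Fraction of one counter within an interval's counter set."""
    total = sum(interval.values())
    return interval.get(descriptor, 0) / total if total else 0.0

def build_profile(history, descriptor):
    """Profile from past intervals: median share and median absolute deviation."""
    s = [share(iv, descriptor) for iv in history]
    m = median(s)
    return m, median(abs(x - m) for x in s)

def deviations(profile, intervals, descriptor, k=5.0, floor=0.01):
    """Indices and shares of intervals further than k*MAD from the profile."""
    m, mad = profile
    limit = k * max(mad, floor)   # floor keeps a very flat history from over-alerting
    return [(i, round(share(iv, descriptor), 3))
            for i, iv in enumerate(intervals)
            if abs(share(iv, descriptor) - m) > limit]

def smtp_interval(mixed):
    """Constructed Content-Type counters for one interval (not measured data)."""
    return {"multipart/alternative": 300, "multipart/mixed": mixed,
            "text/plain": 260, "text/html": 40}

HISTORY = [smtp_interval(n) for n in (330, 320, 340, 335, 325, 330)]
LIVE = [smtp_interval(n) for n in (330, 345, 900, 1200, 335)]

def demo():
    profile = build_profile(HISTORY, "multipart/mixed")
    return deviations(profile, LIVE, "multipart/mixed")

if __name__ == "__main__":
    print(demo())
```

Working on shares rather than absolute counts keeps an ordinary rise in total mail volume from raising an alert; only a shift in the mix of content types does.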
Knowledge Base - IAS Result: Detection of attacks (2/2)
PDF Spam Wave
[Figure: Application/PDF counter, Port 25]
IAS: Current State of Development Result: Technology trend
Distribution of browsers (Technology Trend)
Diurnal profile
Differences between manual use (e.g., Internet Explorer and Firefox) and automated use (e.g., wget) are detectable.
[Figure: diurnal profile of browser shares: Internet Explorer, Firefox, Others (wget, etc.)]
IAS: Current State of Development Result: Awareness (Crypto used TLS)
6%: RSA / AES / SHA1
33%: DHE_RSA / AES / SHA1
60%: RSA / RC4 / MD5
!! 0.1%: RSA / Export (40) / SHA1 and 0.01%: RSA / NULL / SHA1 !!
IAS: Current State of Development Continuous Situation Awareness
Idea of the Global View Overview
[Figure: the probes P1, P2 and P3 each deliver a local view to the Central System; the generation of the global view there yields a virtual probe]
Idea of the Global View Relation of used protocols
Global representation of the relation of different protocols (Example: Web communication)
global view: 89% Port 80 (HTTP), 11% Port 443 (TLS/SSL)
local view: 87% Port 80 (HTTP), 13% Port 443 (TLS/SSL)
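How a global view can be generated from local views, as an added example (not code from the IAS project): the central system sums the probes' raw counters into a virtual probe and compares each local share against it. The counter names, the tolerance and all counter values are assumptions constructed for illustration.

```python
from collections import Counter

WEB = ("tcp.dport.80", "tcp.dport.443")

def global_view(local_views):
    """Virtual probe: sum the raw counters of all probes, not their percentages."""
    total = Counter()
    for counters in local_views.values():
        total.update(counters)
    return total

def share(counters, descriptor, group=WEB):
    """Share of one counter within a group of related counters."""
    denom = sum(counters.get(d, 0) for d in group)
    return counters.get(descriptor, 0) / denom if denom else 0.0

def local_deviations(local_views, descriptor, tolerance=0.05):
    """Probes whose local share differs from the global share by more than tolerance."""
    g = share(global_view(local_views), descriptor)
    diffs = {name: share(c, descriptor) - g for name, c in local_views.items()}
    return {name: round(d, 3) for name, d in diffs.items() if abs(d) > tolerance}

# Constructed counters for three probes (not measured data).
VIEWS = {
    "P1": {"tcp.dport.80": 8700, "tcp.dport.443": 1300},
    "P2": {"tcp.dport.80": 45000, "tcp.dport.443": 5000},
    "P3": {"tcp.dport.80": 600, "tcp.dport.443": 400},
}

if __name__ == "__main__":
    print(round(share(global_view(VIEWS), "tcp.dport.443"), 3))
    print(local_deviations(VIEWS, "tcp.dport.443"))
```

Averaging the three local percentages would give 21% for port 443, because the small probe P3 would weigh as much as the large P2; summing counters weights each probe by the traffic it saw and gives 11%.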
Anomaly detection Detection of Malware
Dangers on the Internet (e.g., attachment ZIP)
[Figure: global view and local view]
Internet Situation Awareness Project idea
Object: Internet
Critical Assets
[Figure labels: Internet, sensors, global data, statistics, partners, PPP]
This will help to:
improve the stability and trustworthiness of the Internet,
raise awareness for critical processes or components, and
find out more about the Internet and its users in order to better support their needs and service demands.
Internet Situation Awareness Related work
Sensor level:
Log-data based
Honeypot based
Netflow based
…
Analysis level:
Pattern recognition
Neural network models
Data Mining algorithm
…
System level:
Symantec - DeepSight Threat Management System
DShield.org - Internet Storm Center of the SANS
MOMENT, LOBSTER - pan-European platform
CarmentiS project of the German CERTs
…
Internet Situation Awareness Summary
The internet is a critical infrastructure for our society.
We need a trusted infrastructure (Internet) to protect our future.
Analogous to natural disaster warning systems, like the Tsunami warning system, we need Situation Awareness and an Early Warning System for the Internet, so that countermeasures can be taken before the actual threat strikes us.
If you can't measure it, you can't manage it!
Let us start to measure the Internet together!