Prof. Dr.

Norbert Pohlmann

Institute for Internet Security - if(is)University of Applied Sciences Gelsenkirchenhttp://www.internet-sicherheit.de

Internet Continuous Situation Awareness

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

2

Content

Structure of the Internet

Internet Situation Awareness

Internet Analysis System (IAS)

Global View

Summary

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

3

Content

Structure of the Internet

Internet Situation Awareness

Internet Analysis System (IAS)

Global View

Summary

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

4

Structure of the Internet Example: Analysis „Internet Germany“

“Most important “Autonomous Systems

for Germany

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

5

Data volume / month in Germany Estimation (2007)

autonomousSystem (AS)

PUBLICPEERING30 Peta Byte (20%)

PRIVATEPEERING50 Peta Byte

(33%) TRANSIT (Customer) 150 Peta Byte (100%)

ASAS

TRANSIT (Global ISP) 40 Peta Byte (27%)

ASAS

ASAS

ASAS

INTERNAL30 Peta Byte

(20 %)

100 Peta Byte (66 %): private user50 Peta Byte (33 %): business customer 1 Peta Byte = 1.000.000 Giga Byte

A view on data streamsexchanged between the networks (AS)!

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

Structure of the Internet Conclusion

The Internet is more or less like a black box to the various stakeholders.

The Internet has become critical in some parts by now.

One reason is the lack of global monitoring and controlling for the distributed infrastructure.

When using the Internet today various stakeholders just need trust, that everything will be fine.

Situation awareness will help the various stakeholders during their decision-making-process.

+ = ?Various stakeholders

6

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

7

Content

Structure of the Internet

Internet Situation Awareness

Internet Analysis System (IAS)

Global View

Summary

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

Internet Situation Awareness Definition

The term Situation Awareness (SA) comes from the area of air traffic control and military command & control.

Generic definition of the term Situation Awareness (SA) is:

Situation Awareness is “the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning andthe projection of their status in the near future”.

(Defined by Endsly)

8

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

Internet Situation Awareness Added value

Situation Awareness (SA) is essential not just for the

home user to strengthen the trust in using the Internet, but also for

representatives of the government for Internet Governance to make strategies for the further development or for

enterprises planning to use the Internet as a reliable platform for business.

The understanding of the environment is crucial for process of decision making and a perfect Situation Awareness will reflect positively in the actions of the stakeholders.

This will already help to reduce the potential disaster risk.

9

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

10

Content

Structure of the Internet

Internet Situation Awareness

Internet Analysis System (IAS)

Global View

Summary

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

11

Evaluation System

Internet Analysis System Idea

Internet

IAS

Observation of the critical infrastructure „Internet“.

Probes are placed in strategically selected spots of the internet communication infrastructure to gather the raw data, made up of counters of header information.

Only header information is counted, which is not considered as data privacy relevant.

The system gathers information over a long period of time!

A centrally managed Evaluation Systemis used to analyze the raw data and to display the detailed results in an intuitive manner.

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

12

Internet Analysis System Targets

Description of profiles, patterns and coherences, creation of a knowledge base.

Outline of the current state of the internet.

Detection of attacks and of deflections.

Forecast of patterns and attacks.

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

13

Internet Analysis System Counting of header information (1/2)

+1

+1

Number of Counters:- Max: 870.000

- Real-Ø: 60.000

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

14

Internet Analysis System Counting of header information (2/2)

All of this information is completely anonymous by design !

Time

Counter Value

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

15

IAS: Current State of Development Result: Knowledge base

TCP

ESP

IGMP

ICMP

GRE

UDP

Distribution of Transport Protocols

Profile shaping und trend development

TCP89%

UDP7%

weekend

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

16

IAS: Current State of Development Result: Knowledge base

SMTP Content Type

60% “text” Mails

33 % “attachments”

30%: multipart/alternative

33%: multipart/mixed

26%: text/plain

4%: text/html

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

17

IAS: Current State of Development Result: Detection of attacks (1/2)

SMTP Content TypeTemporarily more e-mails with attachments -> Mail-(Wurms/Virus)!

multipart/mixed

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

18

Knowledge Base - IAS Result: Detection of attacks (2/2)

PDF Spam Wave

Application/PDF

Port 25

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

19

IAS: Current State of Development Result: Technology trend

Distribution of browsers (Technology Trend)

Diurnal profile

Differences between manual use (e.g., Internet Explorer und Firefox) and automated use (e.g., wget) are detectable.

FirefoxOthers (wget, etc)

Internet Explorer

Firefox

InternetExplorer

Others

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

IAS: Current State of Development Result: Awareness (Crypto used TLS)

6 %: RSA AES / SHA1

33%: DHE_RSA AES / SHA1

60%: RSA / RC4 / MD5

!! 0.1 %: RSA / Export (40) / SHA1 and 0.01 %: RSA / NULL / SHA1 !!

20

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

IAS: Current State of Development Continuous Situation Awareness

21

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

22

Content

Structure of the Internet

Internet Situation Awareness

Internet Analysis System (IAS)

Global View

Summary

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

23

Idea of the Global View Overview

local view P3

local view P2local view P1global view

global view

global viewvirtual probe

Generation ofglobal view

global view

local view local view

local view

probes

Central System

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

24

Idea of the Global View Relation of used protocols

Global representation of the relation of different protocols(Example: Web communication)

global viewlocal view

11% Port 443 (TLS/SSL) 13% Port 443 (TLS/SSL)

89 % Port 80 (HTTP) 87 % Port 80 (HTTP)

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

25

Anomaly detection Detection of Malware

Dangers on the internet (e.g.: attachment ZIP)

global view

local view

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

Internet Situation Awareness Project idea

Object: InternetCritical Assets

Internet

sensors

global data

statistics partners

...

PPP

26

This will help to:

improve the stability and trustworthiness of the Internet,

raise awareness for critical processes or components, and

find out more about the Internet and its users in order to better support to their needs and service demands

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

Internet Situation Awareness Related work

Sensor level:

Log-data based

Honeypot based

Netflow based…

Analysis level:

Pattern recognition

Neural network models

Data Mining algorithm

…

System level:

Symantec - DeepSight Theat Management System

DShield.org - Internet Storm Center of the SANS

MOMENT, LOBSTER - pan-European platform

CarmentiS project of the German CERTs

…27

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

28

Content

Structure of the Internet

Internet Situation Awareness

Internet Analysis System (IAS)

Global View

Summary

P

rof.

Dr.

Norb

ert

Pohlm

ann,

Inst

itute

for

Inte

rnet

Secu

rity

-if(is)

, U

niv

ers

ity o

f A

pplie

d S

cience

s G

els

enki

rchen,

Germ

any

29

Internet Situation Awareness Summary

The internet is a critical infrastructure for our society.

We need a trusted infrastructure (Internet) to protect our future.

Analogical to natural disaster warning systems, like the Tsunami warning system, we need Situation Awareness and a Early Warning System for the Internet to be able to issue countermeasures before the actual threat strikes at us.

If you can‘t measure it, you can‘t manage it!

Let us start to measure the Internet together!

Prof. Dr.

Norbert Pohlmann

Institute for Internet Security - if(is)University of Applied Sciences Gelsenkirchenhttp://www.internet-sicherheit.de

Thank you for your attention!Questions?

Internet Continuous Situation Awareness