Source: ...icss/jwis2007/pdf/invited-2.pdf
TRANSCRIPT
Intrusion Forecasting Framework for Early Warning System against Cyber Attack
Sehun Kim
KAIST, Korea
Honorary President of KIISC
Telecommunication System & Internet Security Lab.
Contents
1. Recent Cyber Attacks
2. Early Warning System
3. Intrusion Forecasting System
4. Conclusion
1. Recent Cyber Attacks
Growth of Internet usage
[Figure: Number of Internet users in Korea (unit: 1,000). Source: isis.nida.or.kr]
[Figure: Number of vulnerabilities identified. Source: www.cert.org]
Attack Trend
- Exploit the interconnectivity of networks
- Rapid attacks, sometimes zero-day
- More sophisticated and evolutionary attack tools
- Attacks on infrastructure
Source: www.cert.org
DDoS Attacks
Deploy a large number of compromised systems to attack a victim host
[Figure: attacker sends control messages to the compromised systems, which attack the victim]
Internet Worm
Self-propagating & self-replicating network program
Internet Worm
Slammer worm
- Infected more than 90% of vulnerable hosts within 10 minutes
- Caused shutdown of Internet service in Korea
[Figure: The number of infected Slammer hosts in the 30 minutes after release. Source: www.caida.org]
Botnets
Bot: a short word for "robot"; a piece of software that allows a system to be remotely controlled
Zombie: a controlled/corrupted system
Botnet: a network of zombie systems, used for DDoS, spamming, sniffing, key logging, identity theft and hosting of illegal software
[Figure: bot herder controls the bots of a botnet over a control channel on an IRC server]
2. Early Warning System
Early Warning System
What is EWS?
- A system or procedure designed to warn of a potential or impending problem in order to minimize the damage it causes
- Becomes more important as the potential damage grows
EWS in real life: famine EWS, disaster (tsunami/earthquake) EWS, disease EWS
EWS in cyberspace: early detection of a cyber attack and instant response to it. A cyber attack can be an intrusion, a worm/virus outbreak, information warfare and so on.
EWS Procedure
The main procedure of EWS conforms to that of the National Cyberspace Security Response System (USA)
Phase 1: Analysis
- Data collecting/processing
- Vulnerability assessment
- Forecasting cyber attack
Phase 2: Warning
- Issue an alarm
- Sharing cyber alert
Phase 3: Incident Handling
- Federal coordination
- Private, state and local coordination
Phase 4: Response/Recovery
- Modify security policy
- Final report
CERT
Computer Emergency Response Team
- Coordinates all of the activities of organizations and institutions involved in efforts to secure the national IT network
- Protects public/national security from cyber threats by handling computer incidents promptly and efficiently
- Traditionally, EWS is operated by a CERT
[Figure: national CERTs: KrCERT, JPCERT, SingCERT, CNCERT, CERTA, US-CERT, AusCERT]
EWS in Korea
Motivation
- 'Basic Plan for the Establishment of National Cyber Terror Response System' approved by the President, July 2003
Related organizations
- NCSC (National Cyber Security Center): central point of government for identifying, preventing and responding to cyber attacks and threats in Korea
- KISA (Korea Information Security Agency): agency providing public users, industries and organizations with information security services
CERT
- KrCERT (Korea CERT): CERT operated by KISA
- KN-CERT (Korea National CERT): CERT operated by NCSC
EWS in USA
Motivation
- FISMA: Federal Information Security Management Act of 2002
- Planning of the 'National Strategy to Secure Cyberspace', Feb. 2003
Related organizations
- DHS/NCSD (National Cyber Security Division): division within DHS (Department of Homeland Security) that works to secure cyberspace and America's cyber assets
- CERT/CC (CERT Coordination Center): CERT center operated by Carnegie Mellon University
- US-CERT (U.S. Computer Emergency Readiness Team): charged with protecting the USA's Internet infrastructure by coordinating defense against and response to cyber attacks; founded by CERT/CC & NCSD
EWS in France
Motivation
- Decree 2001-693, July 2001: organizes DCSSI
- 'State Information System Security Reinforcement Plan', 2004
Related organizations
- SGDN (Secrétariat général de la défense nationale): by Decree 96-67, SGDN takes charge of the cyber security of France; reports directly to the Prime Minister
- DCSSI (Direction Centrale de la Sécurité des Systèmes d'Information): executes governmental tasks to protect information systems; operates CERTA and ITSOC under the authority of the SGDN
- ITSOC (IT Security Organization Center): researches specialized knowledge to prevent and solve security incidents; collects data through CERTA and provides authorities with the collected data
Research Activity in EWS
Early detection of incidents
- Incident (intrusion) forecasting methods
- Alert correlation
- Threat assessment
Issue of an alarm or warning
- Design of the main framework for EWS
- Partnership with other related organizations
- Effective visualization of events
Response/Recovery
- Traceback mechanisms
- Establishment of national cyber security policies or laws
3. Intrusion Forecasting System
Intrusion Forecasting System
- Forecasts cyber attacks in advance
- The most significant part of an EWS
- Corresponds to the analysis phase of the National Cyberspace Security Response System
- The speed and precision of detection is a key factor of an EWS
- Development of an intrusion forecasting system is therefore necessary
Intrusion Forecasting System Architecture
[Figure: architecture with DC, DA and REP modules]
- DC module: collects data from various sensors; pre-processing for the DA module
- DA module: analyzes the collected data; predicts possibilities of cyber attack
- REP module: creates alarm reports; alarm visualization
Forecasting in Real Life: Weather Forecasting Case
Three important forecasting steps
- Analyze the present state
- Predict a future state
- Interpret the model results
Methods of weather forecasting: folklore forecast, persistence forecast, climatology forecast, trend forecast, analog forecast, numerical forecast, ensemble forecast
Intrusion Forecasting Methods
Forecasting methods against cyber attack
- Still at a primary level compared to other forecasting areas
- Predict "virus day" or the possibility of a cyber threat that exploits security vulnerabilities
- Commercial intrusion forecasting systems are currently in the beginning phase
- Some research has applied existing forecasting techniques to the prediction of worms or viruses
Related organizations
- Warning of virus/malicious code: Ahnlab, Hauri, SANS (Internet Storm Center)
- Threat management systems: Symantec (DeepSight TMS), Computer Associates (eTrust Security Management)
Intrusion Forecasting Method (1): Data Mining Method
Data mining method
- Extracts implicit, previously unknown, and potentially useful information from large data sets or databases
- Widely used in various forecasting areas: stock prices, weather forecasting, and earthquake forecasting
- Able to handle numerous traffic variables that are difficult to analyze intuitively
- Clustering analysis, decision trees, genetic algorithms, etc.
Advantages
- Considers not only quantitative changes of multiple variables but also changes of their distribution
Disadvantages
- High computational complexity
- Difficult to understand the results
A CASE STUDY: Data Mining Method
DDoS attack detection method using cluster analysis
Proactive detection of DDoS attacks
- Detect a DDoS attack proactively by exploiting the sequential movement of the DDoS attack through its phases
[Figure: attack phases of a DDoS attack (phase 1 to phase 5) across attacker, handlers, agents and victim]
A CASE STUDY: Data Mining Method
DDoS attack detection method using cluster analysis
Feature selection process
- Select several features to detect the symptoms of a DDoS attack
- The features indicate abnormal changes in traffic according to each phase of the attack
Selected features
- Distribution of source IP/port
- Distribution of destination IP/port
- Packet type
- Occurrence rate of TCP SYN, UDP, ICMP
The entropy values of the selected features are calculated to measure the randomness in their distribution:
$H = -\sum_{i=1}^{n} P_i \log_2 P_i$
where $P_i$ is the relative frequency of the i-th observed value of the feature within the time window.
A CASE STUDY: Data Mining Method
DDoS attack detection method using cluster analysis
Results of clustering analysis

variable \ cluster        1 normal  2 ph1  3 ph2  4 attack  5 post attack  6 normal
Entropy of src IP         1.59      0.71   0.08   0.02      0.13           1.06
Entropy of src port       1.61      0.56   0.12   12.4      11.4           1.07
Entropy of dest IP        1.58      4.91   0.07   12.6      11.5           1.06
Entropy of dest port      1.50      0.55   0.12   12.6      11.5           1.07
Entropy of packet type    1.12      0.53   0.04   0.02      0.12           1.36
Number of packets         37.0      41.4   1.19   6225      2876           4.70
Occurrence rate of SYN    0.02      0.87   0      0         0              0.44
Occurrence rate of UDP    0.00      0      0.99   0         0              0
Occurrence rate of ICMP   0.00      0      0      0         0              0

[Figure: cluster assignments over time, labelled normal, phase 1, phase 2, attack, post attack, normal]
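The feature extraction and clustering step of this case study, as an added example in Python (not the authors' code, and the packet windows are constructed rather than captured): Shannon entropy of source/destination address and port and of packet type, the SYN/UDP/ICMP occurrence rates, then a small k-means run over windows of normal traffic, a phase-1 scan and an attack-phase flood. The window shapes, the z-score standardization and the choice of k=3 are assumptions made for the illustration.

```python
"""Entropy features over packet windows and a minimal k-means clustering,
mirroring the case study's feature set. Added example: the packet windows
are constructed here, not captured data."""
from __future__ import annotations

import math
import random
from collections import Counter
from typing import Iterable

# Packet = (src_ip, src_port, dst_ip, dst_port, packet_type)
Packet = tuple[str, int, str, int, str]
FEATURES = ("H_src_ip", "H_src_port", "H_dst_ip", "H_dst_port", "H_ptype",
            "n_packets", "rate_syn", "rate_udp", "rate_icmp")


def entropy(values: Iterable) -> float:
    """H = -sum_i P_i log2 P_i over the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def window_features(pkts: list[Packet]) -> list[float]:
    """One feature vector per time window, in FEATURES order."""
    n = len(pkts)
    ptypes = [p[4] for p in pkts]
    return [entropy(p[0] for p in pkts), entropy(p[1] for p in pkts),
            entropy(p[2] for p in pkts), entropy(p[3] for p in pkts),
            entropy(ptypes), float(n),
            ptypes.count("SYN") / n, ptypes.count("UDP") / n,
            ptypes.count("ICMP") / n]


# --- constructed traffic windows (assumed shapes, not measured data) ---
def normal_window(rng: random.Random) -> list[Packet]:
    return [(f"10.0.0.{rng.randint(1, 20)}", rng.randint(1024, 65535),
             f"192.0.2.{rng.randint(1, 10)}", rng.choice([80, 443, 53]),
             rng.choice(["SYN", "TCP", "TCP", "TCP", "UDP"])) for _ in range(40)]


def scan_window(rng: random.Random) -> list[Packet]:
    # phase 1: one host probes many targets -> high dst-IP entropy, SYN only
    return [("10.0.0.7", rng.randint(1024, 65535), f"192.0.2.{i % 250 + 1}", 80, "SYN")
            for i in range(500)]


def flood_window(rng: random.Random) -> list[Packet]:
    # attack phase: spoofed sources flood one victim -> high src-IP entropy, huge volume
    return [(".".join(str(rng.randint(1, 254)) for _ in range(4)),
             rng.randint(1024, 65535), "192.0.2.5", 80, "SYN") for _ in range(5000)]


def zscore(rows: list[list[float]]) -> list[list[float]]:
    """Standardize each feature so the packet count does not dominate the distance."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return [[(x - m) / s for x, m, s in zip(r, means, stds)] for r in rows]


def _dist2(a, b) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(rows: list[list[float]], k: int, seed: int = 0, restarts: int = 25) -> list[int]:
    """Lloyd's k-means with random restarts; returns the lowest-inertia labelling."""
    rng = random.Random(seed)
    best_inertia, best_labels = float("inf"), []
    for _ in range(restarts):
        centroids = [list(r) for r in rng.sample(rows, k)]
        for _ in range(100):
            labels = [min(range(k), key=lambda j: _dist2(r, centroids[j])) for r in rows]
            new = []
            for j in range(k):
                members = [r for r, l in zip(rows, labels) if l == j]
                new.append([sum(c) / len(c) for c in zip(*members)] if members else centroids[j])
            if new == centroids:
                break
            centroids = new
        inertia = sum(_dist2(r, centroids[l]) for r, l in zip(rows, labels))
        if inertia < best_inertia:
            best_inertia, best_labels = inertia, labels
    return best_labels


def cluster_windows(seed: int = 1) -> list[tuple[str, int]]:
    """Label ten constructed windows (4 normal, 3 scan, 3 flood) with k=3."""
    rng = random.Random(seed)
    windows = ([("normal", normal_window(rng)) for _ in range(4)]
               + [("phase1", scan_window(rng)) for _ in range(3)]
               + [("attack", flood_window(rng)) for _ in range(3)])
    labels = kmeans(zscore([window_features(p) for _, p in windows]), k=3)
    return [(name, lab) for (name, _), lab in zip(windows, labels)]


if __name__ == "__main__":
    for name, lab in cluster_windows():
        print(f"{name:8s} -> cluster {lab}")
```

The cluster numbers are arbitrary; what matters, as in the table above, is that the scan windows separate from normal traffic on destination-IP entropy and SYN rate before the flood arrives, and the flood separates on source-IP entropy and packet count. Without standardization the packet count alone would drive the clustering.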
Intrusion Forecasting Method (2): Probabilistic Modeling
Probabilistic modeling
- Captures evidence of intrusions as a probability derived from the current network state
- Enables the system administrator to understand the degree of risk on a probabilistic scale
- Markov chains, Bayesian methods, etc.
Advantages
- Easy to understand the possibility of attacks on a probabilistic scale
- Highly applicable to the determination of the warning level
Disadvantages
- Difficult to construct the state profiles and the transition probabilities between them
- Requires correct decisions by a system administrator
A CASE STUDY: Probabilistic Modeling
An effective DDoS attack detection and packet-filtering scheme
Effectiveness of DDoS attack detection & filtering
- DDoS attacks are viewed as congestion events in routers
- Effectively detected at the victim network, but effectively filtered when closer to the attack source
[Figure: attack source networks -> further upstream ISP network -> the victim's ISP network -> the victim's network -> victim; effectiveness of attack detection increases toward the victim, effectiveness of packet filtering increases toward the attack sources]
A CASE STUDY: Probabilistic Modeling
An effective DDoS attack detection and packet-filtering scheme
Measure for deciding the congestion level in a congested router
- Decide the congestion level using packet loss probabilities
- Congestion has occurred at an output queue in a transit router if the packet loss probability is larger than a given threshold
- Detect attacks in routers through the use of a queueing model
[Figure: routers R1 and R2 exchanging messages]
A CASE STUDY: Probabilistic Modeling
An effective DDoS attack detection and packet-filtering scheme
Detection & filtering strategy
- Detect attacks in routers through the use of queueing models
- Perform congestion control in consideration of packet loss probabilities in routers
- Local & global detection by exchanging congestion messages
Local detection
- Each transit router checks its output queues to decide its congestion level
Global detection
- Identify an attack and its route
[Figure: transit router topology R1-R13 with the victim, in three panels: AM messages; AMs and IMs (links L6, L7); AMs and PFMs]
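The congestion measure and the local/global detection walk, as an added example in Python rather than the scheme's own code. The slides do not name the queueing model, so an M/M/1/K queue (Poisson arrivals, exponential service, at most K packets in the system) is assumed for the packet loss probability; the 5% threshold, the per-router loads and the topology are constructed, with router names chosen only to echo the figure.

```python
"""Queueing-model congestion test per router plus a local/global detection
walk toward the attack sources. Added example: the M/M/1/K queue, the loss
threshold and the router topology are assumptions chosen to illustrate the
scheme, not parameters taken from the slides."""
from __future__ import annotations

LOSS_THRESHOLD = 0.05  # assumed: an output queue dropping >5% of packets is congested


def mm1k_loss_probability(arrival_rate: float, service_rate: float, capacity: int) -> float:
    """Blocking probability P_K of an M/M/1/K queue with K = capacity packets
    in the system (queue plus server); an arriving packet that finds the
    system full is dropped, so P_K is the packet loss probability."""
    rho = arrival_rate / service_rate
    if abs(rho - 1.0) < 1e-12:
        return 1.0 / (capacity + 1)
    return (1.0 - rho) * rho ** capacity / (1.0 - rho ** (capacity + 1))


# Constructed measurements: router -> (arrival rate pkt/s, service rate pkt/s, capacity)
ROUTER_LOAD = {
    "R1": (1100, 1000, 20), "R2": (1150, 1000, 20), "R3": (400, 1000, 20),
    "R4": (300, 1000, 20), "R7": (1100, 1000, 20), "R8": (1120, 1000, 20),
    "R9": (950, 1000, 20), "R10": (1100, 1000, 20), "R11": (1130, 1000, 20),
    "R12": (1200, 1000, 20), "R13": (1250, 1000, 20),
}

# Constructed topology: for each router, the neighbours one hop further from the victim
UPSTREAM = {
    "R13": ["R12"], "R12": ["R10", "R11"], "R10": ["R7"], "R11": ["R8", "R9"],
    "R7": ["R1"], "R8": ["R2", "R3"], "R9": ["R4"],
    "R1": [], "R2": [], "R3": [], "R4": [],
}


def local_detection(load=ROUTER_LOAD) -> dict[str, bool]:
    """Each transit router checks its own output queue: congested or not."""
    return {r: mm1k_loss_probability(lam, mu, k) > LOSS_THRESHOLD
            for r, (lam, mu, k) in load.items()}


def global_detection(victim_router: str, upstream=UPSTREAM,
                     congested: dict[str, bool] | None = None) -> tuple[list[str], list[str]]:
    """Starting at the victim's router, follow congestion reports upstream.
    Returns (attack route, filtering points): the route is every congested
    router reachable through congested neighbours; the filtering points are
    the congested routers with no congested neighbour further upstream, i.e.
    the ones closest to the attack sources, where filtering is most effective."""
    congested = local_detection() if congested is None else congested
    route, filter_points, frontier, seen = [], [], [victim_router], set()
    while frontier:
        r = frontier.pop(0)
        if r in seen or not congested.get(r, False):
            continue
        seen.add(r)
        route.append(r)
        ups = [u for u in upstream.get(r, []) if congested.get(u, False)]
        if not ups:
            filter_points.append(r)
        frontier.extend(ups)
    return route, filter_points


if __name__ == "__main__":
    status = local_detection()
    for r, (lam, mu, k) in ROUTER_LOAD.items():
        print(f"{r:4s} loss={mm1k_loss_probability(lam, mu, k):.4f} congested={status[r]}")
    route, points = global_detection("R13")
    print("attack route:", route)
    print("apply packet filtering at:", points)
```

R9 is deliberately loaded to 95% utilisation: with a 20-packet buffer its loss probability is about 2.7%, below the threshold, so the walk correctly leaves the R9/R4 branch out of the attack route and nominates only R1 and R2, the congested routers nearest the sources, as filtering points.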
Intrusion Forecasting Method (3): Time-Series Analysis
Main idea
- Detect intrusions early in broadband networks using the exponential smoothing method
- Extract the traffic volume at a destination port to find anomalies earlier and more precisely
[Figure: two time series of bytes against date over the same period: traffic volume at port 1434 (0 to 120,000,000 bytes) and total traffic volume (0 to 1,200,000,000 bytes)]
A CASE STUDY: Time-Series Analysis
Fast detection scheme for broadband networks using traffic analysis
Experimental results
[Figure: detection of anomalies at port 445, port 137, port 1434 and port 80]
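An added example, not from the original page, of an exponential smoothing detector run on a per-port byte series and on the total-traffic series, to show why the per-port view surfaces the anomaly. The byte counts are constructed to mimic the shape of the port 1434 plot; the smoothing factor, the deviation multiplier k, the warm-up length and the 5% floor are assumptions.

```python
"""Exponential-smoothing anomaly detector on per-port traffic volume, with the
same detector run on the total volume to show why the per-port series reveals
the anomaly. Added example: the byte counts are constructed to follow the
shape of the port 1434 plot; they are not the deck's measurements."""
from __future__ import annotations

import random


def detect_anomalies(series: list[float], alpha: float = 0.3, k: float = 5.0,
                     warmup: int = 6, floor: float = 0.05) -> list[bool]:
    """Flag interval t when |x_t - S_{t-1}| > k * max(D_{t-1}, floor * S_{t-1}),
    where S is the exponentially smoothed level (the one-step-ahead forecast)
    and D the exponentially smoothed absolute forecast error. Flagged samples
    do not update S or D, so a flood does not drag the baseline up and hide
    its own continuation; the floor keeps a very quiet baseline from making
    the threshold degenerate."""
    level, dev = float(series[0]), 0.0
    flags = [False] * len(series)
    for t in range(1, len(series)):
        err = series[t] - level
        if t >= warmup and abs(err) > k * max(dev, floor * level):
            flags[t] = True
            continue
        level = alpha * series[t] + (1 - alpha) * level
        dev = alpha * abs(err) + (1 - alpha) * dev
    return flags


def constructed_series(seed: int = 7) -> tuple[list[float], list[float]]:
    """(bytes per interval at port 1434, bytes per interval for all traffic).
    Thirty quiet intervals, a three-interval burst, then ten quiet intervals.
    Constructed data, assumed shape."""
    rng = random.Random(seed)
    port = [100_000 + rng.randint(-10_000, 10_000) for _ in range(43)]
    total = [800_000_000 + rng.randint(-40_000_000, 40_000_000) for _ in range(43)]
    for i, burst in zip((30, 31, 32), (90_000_000, 60_000_000, 30_000_000)):
        port[i] += burst
        total[i] += burst  # the same bytes, buried in the aggregate
    return port, total


def flagged_intervals(seed: int = 7) -> tuple[list[int], list[int]]:
    """Indices flagged in the port 1434 series and in the total-traffic series."""
    port, total = constructed_series(seed)
    return ([i for i, f in enumerate(detect_anomalies(port)) if f],
            [i for i, f in enumerate(detect_anomalies(total)) if f])


if __name__ == "__main__":
    per_port, aggregate = flagged_intervals()
    print("anomalies in port 1434 series:", per_port)
    print("anomalies in total traffic series:", aggregate)
```

On the constructed data the burst is flagged in all three of its intervals in the port series, while the same bytes stay inside the normal variation of the aggregate and are never flagged there. In practice the smoothing factor and k must be tuned per port, since the variance of a quiet port differs from that of port 80.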
4. Conclusion
Conclusions
- To defend networks against current cyber attacks, the importance of EWS is emphasized
- Many countries operate an EWS through their CERT
- Intrusion forecasting system: the most significant part of an EWS
  - Architecture: data collection module, data analysis module, reporting module
- Intrusion forecasting techniques
  - Forecasting in real life: weather, stock, power, etc.
  - Forecasting methods against cyber attacks: data mining method, probabilistic modeling, time-series analysis