Tracing IoT devices for anomaly detection purposes
Robin Gassais
December 7, 2017
École Polytechnique de Montréal
DORSAL lab
POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais
Agenda
Context
IoT – Smart Home
Approach
Tracing multiple systems
Analyzing multiple traces
Use-case
Mirai botnet
Future Work
Context
Embedded Linux-based systems
Limited resources
20 billion smart devices in 2020
Heterogeneous market
Approach
ARM virtual machine
Central device to collect and analyse the traces
Secure communication: SSH
Tracing multiple systems
Diagram: a QEMU virtual bridge connects the traced systems; lttng-relayd runs on the central device and lttng-sessiond on each traced system.
Tracing mode: SNAPSHOT (LTTng snapshot mode)
Approach
Analyzing multiple traces
What to monitor?
How to monitor anomalies?
Figure: security monitoring with eBPF (source: Slideshare, "Security Monitoring with eBPF", Alex Maestretti and Brendan Gregg)
Use-case
What's Mirai?
Biggest DDoS attack ever seen: 3 Tbps, 500 000 devices
Infected devices: IP surveillance cameras, video recorders, routers
Twitter, eBay, Netflix, GitHub, PayPal down via Dyn DNS
Diagram: the hacker's C&C infects IoT devices over the Internet; the owned devices connect back and obey orders, and on the attack order they all target the victim's server.
Diagram (continued): all infected devices connect to the victim's server at once.
Use-case
Experiment (testbed)
C&C and network monitoring: Debian Jessie, 192.168.1.186
Router / DNS: Ubiquiti NanoStation M2, OpenWrt
Vulnerable device: Raspberry Pi 2, Yocto, BusyBox, telnetd, 192.168.1.226
LTTng: lttng-relayd on the collector, LTTng daemon on the traced device
Use-case
Results
Mirai: telnet -> upload file -> chmod on it: 14.9 s (all kernel tracepoints, live mode)
Now: chmod on a newly created directory: 1.33 s (execve, faccessat, chmod tracepoints, snapshot mode, snapshot sent every 1 s)
Chmod on a newly created directory: 0.98 s (faccessat, chmod tracepoints, snapshot mode, snapshot sent every 0.7 s)
Caveat: no network, no physical devices
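As an added example (not the authors' code) of the analysis step behind these results: correlate the few syscall events the slides keep so that a file created on the device, then given execute permission, then executed within a short window is flagged, the "upload file -> chmod" chain of the Mirai use-case. The input is a constructed, simplified text rendering of LTTng syscall events, not real babeltrace output, and using openat with O_CREAT as the "new file" signal is an assumption rather than the talk's exact tracepoint set.

```python
import re
from collections import namedtuple

# Constructed sample trace: a simplified rendering of LTTng syscall events
# (timestamp, event name, fields), not real babeltrace output. Values are
# decimal as in the kernel ABI: flags 577 = O_WRONLY|O_CREAT|O_TRUNC,
# flags 1089 = O_WRONLY|O_CREAT|O_APPEND, mode 511 = 0777, mode 384 = 0600.
SAMPLE = """\
[100.000000000] syscall_entry_openat: { dfd = -100, filename = "/etc/hosts", flags = 0, mode = 0 }
[100.500000000] syscall_entry_openat: { dfd = -100, filename = "/tmp/new_binary", flags = 577, mode = 420 }
[101.200000000] syscall_entry_chmod: { filename = "/tmp/new_binary", mode = 511 }
[101.900000000] syscall_entry_execve: { filename = "/tmp/new_binary" }
[200.000000000] syscall_entry_openat: { dfd = -100, filename = "/var/log/app.log", flags = 1089, mode = 420 }
[260.000000000] syscall_entry_chmod: { filename = "/var/log/app.log", mode = 384 }
"""

Event = namedtuple("Event", "ts name fields")
LINE = re.compile(r"^\[(\d+\.\d+)\]\s+(\w+):\s*\{(.*)\}$")
FIELD = re.compile(r'(\w+) = "?([^",\s]+)"?')

O_CREAT = 0o100    # openat flag meaning "a new file may appear"
EXEC_BITS = 0o111  # any of u+x, g+x, o+x

def parse(line):
    """Turn one rendered event line into an Event, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return Event(float(m.group(1)), m.group(2), dict(FIELD.findall(m.group(3))))

def detect(lines, window=15.0):
    """Return (path, seconds from creation to execve) for every file that was
    created, made executable and executed within `window` seconds. The window
    is the budget a snapshot-based monitor has to catch the whole chain."""
    created, chmodded, hits = {}, {}, []
    for ev in filter(None, map(parse, lines)):
        path = ev.fields.get("filename")
        if ev.name == "syscall_entry_openat" and int(ev.fields["flags"]) & O_CREAT:
            created[path] = ev.ts                      # new file appeared on the device
        elif ev.name == "syscall_entry_chmod" and path in created:
            if int(ev.fields["mode"]) & EXEC_BITS and ev.ts - created[path] <= window:
                chmodded[path] = ev.ts                 # ...and was made executable
        elif ev.name == "syscall_entry_execve" and path in chmodded:
            if ev.ts - created[path] <= window:
                hits.append((path, round(ev.ts - created[path], 3)))
    return hits

if __name__ == "__main__":
    for path, delay in detect(SAMPLE.splitlines()):
        print(f"suspicious: {path} created, chmod +x and executed within {delay} s")
```

The log-file append and its 0600 chmod in the sample are never flagged, which is the false-positive case a rule on chmod alone would trip over.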
Future work
Detection rules? Machine learning?
Physical objects
Trade-off between snapshot frequency, number of tracepoints to monitor and performance of the device
Thank you!
Questions? Suggestions? Solutions?