RTN CTRL User-Centricity, Provenance & Cyber Security Lab Research Dr Ryan Ko www.crow.org.nz

Post on 02-Nov-2021

Page 1: User-Centricity, Provenance & Cyber Security Lab Research

Dr Ryan Ko, www.crow.org.nz

Page 2: User-Centricity, Provenance & Cyber Security Lab Research

Background

•  Preparation work started December 2012
•  Officially launched on 3 Dec 2013 by Sir William Gallagher, together with NZ’s 1st Master of Cyber Security degree.
•  1st dedicated cyber security academic research lab in New Zealand
•  Builds on Waikato’s strong computer science heritage (New Zealand Internet, Endace, Lightwire, etc.).
•  Currently 4 academics, 2 research staff, 20+ graduate research students
•  Aims to be 1 of the top cyber security programmes in Asia Pacific in 5 years.

Page 3: User-Centricity, Provenance & Cyber Security Lab Research

Our Motto & Foci

•  Motto:
–  To return control of data to users.
•  CROW aims to return control of data to data owners, by focusing on research addressing data security from a user-centric perspective.
•  Advised by NZ & int’l ICT companies, and an Industry Advisory Board comprising internationally renowned cyber security experts.

Page 4: User-Centricity, Provenance & Cyber Security Lab Research

Key Focus Areas

•  Provenance.
•  User-Centricity.
•  Security Visualisation.
•  Security Economics.
•  Hardware Security.
•  Tools and Datasets.

Page 5: User-Centricity, Provenance & Cyber Security Lab Research

5 Years Ahead… Unsustainable Future

•  Problem 1: High dependency on vendors/ ‘trusted’ technical staff.
•  Problem 2: Lack of effective tools for everyone
–  Which leads us back to Problem 1

Page 6: User-Centricity, Provenance & Cyber Security Lab Research

A New Security Mindset

•  Effective defence against cyber attacks?
–  Empower everyone – including users
–  Everyone a defender
•  We’d like to propose a user-centric mindset, resulting in a form of “Cyber Civil Defence”
•  Recalling Lab motto: To return control of data to users

Page 7: User-Centricity, Provenance & Cyber Security Lab Research

Empowering Users

•  Ability to know
–  What has happened to their data/ systems?
–  What are the threats?
•  Ability to act
–  Perform revocation
–  Ability to use tools
–  Ability to collect evidence (for justice)
•  Ability to be private with their transactions
–  How to process encrypted data without decrypting them? (Not covered today; another talk in the future?)

Page 8: User-Centricity, Provenance & Cyber Security Lab Research

Starting with some questions…

•  If users don’t want to use our inventions, we can’t empower them.
•  Therefore, our hypothesis:
–  To empower more users, we need to gain increased uptake by making security tools easy to use.
•  Related Research Questions:
–  Are current security tools user-centric and user-empowering?
–  How is user-centricity linked to ‘ease-of-use’?
–  If so, how do we measure a software’s ease-of-use?

Page 9: User-Centricity, Provenance & Cyber Security Lab Research

Surveying the landscape…

•  Traditionally, 2 types of tool penetrate the non-technical users’ market well:
–  Anti-virus
–  Firewalls
•  Why high penetration?
–  Ease of use? No. of clicks? Easy to understand?
•  High usability results in user confidence → Higher user-centricity
–  E.g. Patent “A Method and System for Placing a Purchase Order Via a Communications Network” – 1 click to purchase Amazon products
–  E.g. Three click rule – no page on a website should be > 3 clicks away.

Page 10: User-Centricity, Provenance & Cyber Security Lab Research

Usability & Clicks

•  Research question:
–  Is there a relationship between market share & click count?
•  Focus:
–  “Top” = market penetration/ share.
–  “Top market share” list came from Jan 2014 OPSWAT security market share report.
•  Installed Top 16 anti-virus applications from OPSWAT report & for each, counted (manually) the no. of clicks to complete tasks.

Page 11: User-Centricity, Provenance & Cyber Security Lab Research

Click counts per product (market share from the 2014 OPSWAT report):

Product Name                    Market Share   Min Clicks   Max Clicks   Avg Clicks   Min Windows   Max Windows
Microsoft Security Essentials   16.30%         1            4            2.5          0             1
avast! Free Antivirus           13.20%         1            6            3.5          0             1
Windows Defender                6.20%          1            4            2.5          0             1
Avira Free Antivirus            5.00%          1            4            2.5          1             3
AVG Anti-Virus Free Edition     4.80%          1            4            2.5          0             0
ESET Smart Security             4.60%          2            4            3            0             1
Malwarebytes Anti-Malware Pro   4.20%          1            5            3            0             0
AVG Internet Security           3.30%          1            4            2.5          0             0
Kaspersky Internet Security     3.30%          2            6            4            1             2
Norton Internet Security        3.10%          2            5            3.5          0             1
ESET NOD32 Antivirus            2.80%          2            4            3            0             1
COMODO Antivirus                2.70%          2            6            4            2             2
McAfee VirusScan                2.50%          2            11           6.5          1             4
Norton 360                      2.30%          3            7            5            2             4
avast! Internet Security        2.20%          1            6            3.5          0             1
Symantec Endpoint Protection    1.90%          2            12           7            1             2

Page 12: User-Centricity, Provenance & Cyber Security Lab Research

Clicks vs. Market Share

[Chart: average number of clicks (y-axis, 0 to 8) plotted against market share (x-axis, 0.00% to 20.00%) for the 16 products in the table; series: Market Share, Average Clicks.]

Page 13: User-Centricity, Provenance & Cyber Security Lab Research

Interesting observations

•  For most cases:
–  The higher the click count, the lower the market share.
•  What does this mean?
–  To empower more people, we need to develop tools which are easy to use, with low click count, but do not compromise on technical coverage.
•  Hypothesis seemingly proven, but still early-stage research; detailed further study required.

Page 14: User-Centricity, Provenance & Cyber Security Lab Research

Empowering Users

•  Ability to know
–  What has happened to their data/ systems?
–  What are the threats?
•  Ability to act
–  Perform revocation
–  Ability to use tools
–  Ability to collect evidence (for justice)
•  Ability to be private with their transactions
–  How to process encrypted data without decrypting them?

Page 15: User-Centricity, Provenance & Cyber Security Lab Research

Empowering Users with Knowledge

•  Another form of empowering users:
–  Empower them with information relating to the security of their assets.
•  Usually, the asset is data.
–  USB stick example
–  Especially true in current dependence on cloud services (e.g. Gmail).
•  Most security tools are System-centric → Not Data-centric.
•  Current security tools lack effective end-to-end data activity tracking.
•  Data provenance = Derivation history of data.
•  Perhaps provenance can fill in the gap?

Page 16: User-Centricity, Provenance & Cyber Security Lab Research

Real-life Example: Google

Page 17: User-Centricity, Provenance & Cyber Security Lab Research


September 11, 2001

Page 18: User-Centricity, Provenance & Cyber Security Lab Research

Src: Seib and Janbek, Global Terrorism and New Media – The Post Al-Qaeda Generation, 2011 (p. 26, chapter “High tech terror: Al Qaeda and beyond”)

computer along with his Kalashnikov.9 Osama bin Laden and what was left of Al Qaeda moved into the caves of northwestern Pakistan, and the action shifted from a conventional battleground (where Al Qaeda and the Taliban could not compete with U.S. military power) to a virtual one.

Internet use linked to Al Qaeda had begun several years before. In 1996, an undergraduate at Imperial College in London, Babar Ahmad, created azzam.com, named in honor of Abdullah Azzam, a Palestinian who was a mentor to bin Laden and had persuaded bin Laden to come to Afghanistan in the 1980s. The English-language site provided reports about jihad and mujahideen from Chechnya and, beginning in November 2001, Afghanistan. Given the dearth of information emanating from that part of the world, its coverage was sometimes cited by news organizations such as the BBC. The technically sophisticated site provided a forum for teaching a global audience about jihad and built the foundation for a network by providing links to other, like-minded sites.10

Al Qaeda soon adopted the Internet as the best medium for sending and receiving messages to scattered audiences. The Al Neda Web site, which Al Qaeda began using in early 2002, published analyses of the wars in Afghanistan and Iraq, commentary by Islamic clerics about Al Qaeda operations, and explanations of how Al Qaeda’s war aims would benefit the ummah (the global community of Islam) by undermining the power of the United States, Israel, and apostate governments of Muslim states. The content of Al Qaeda-related sites, wrote Michael Scheuer, “adds up to a tremendous contribution to what bin Laden always has said is his and al Qaeda’s first priority: the instigation to jihad of as many Muslims in as many locales as possible.”11

Al Qaeda’s Internet operations gradually became more sophisticated and secure. According to a 2004 report by the U.S. Justice and Treasury Departments, the traditional espionage communication technique of the “dead drop” was adapted for online use. Selected Al Qaeda members are given the same prearranged username and password for an e-mail account such as at hotmail.com. One person writes a message, but instead of sending it he saves it in the “draft” file and signs off. Then someone else can access the account, read the message, and either leave it for someone else to read or delete it. Because the message was never sent, the ISP retains no copy of it, and no record of it traversing the Internet exists.12 A similarly useful tool is the discussion board, where announcements can be posted with links to dozens of sites.

While devising secure methods of communicating, Al Qaeda was also amassing an online library of training materials that would teach its readers how to make ricin poison, how to make a bomb from commercial chemicals, and other useful advice. The Saudi-based online magazine Muaskar al-Battar (Camp of the Sword) told potential recruits, “Oh, Mujahid brother, in order to join the great training camps you don’t have to travel to other lands. Alone in your home or with a group of your brothers you too can begin to execute the training program.” Such training efforts can reach many people quickly and avoid the dangers of recruits gathering at a mosque or other place where they

Slide callout: What could have detected this? Yes, data-centric tools, e.g. provenance tools.

Page 19: User-Centricity, Provenance & Cyber Security Lab Research

Progger – Provenance Logger

•  At CROW, we have developed several tools to collect provenance information within and across systems.
•  One of them is the tamper-evident, efficient kernel-space Progger (short for provenance logger).
•  Progger
–  Open-source, and freely available for download (Github).
–  Captures system calls relating to C-R-U-D (Create, Read, Update, Delete) data actions.
–  Logs data actions, NOT data contents.
–  Src: R Ko, M Will, “Progger: An Efficient, Tamper-Evident Kernel-Space Logger for Cloud Data Provenance Tracking”, IEEE Cloud 2014, Alaska, USA.

Page 20: User-Centricity, Provenance & Cyber Security Lab Research

A Malicious Insider Scenario Executed In Systems with Progger Installed

Page 21: User-Centricity, Provenance & Cyber Security Lab Research

Sample snippet of Progger log

Fine granularity = able to capture several data events, e.g. Ctrl+C & Ctrl+V, and undeclared copies and backups made by programs.

Page 22: User-Centricity, Provenance & Cyber Security Lab Research

1 File’s Provenance captured by Progger

Related Data Provenance Events of file “Patent.txt” shown in demo.

Page 23: User-Centricity, Provenance & Cyber Security Lab Research


Provenance Graph of 1 File (Note: user details hidden)

Page 24: User-Centricity, Provenance & Cyber Security Lab Research


Page 25: User-Centricity, Provenance & Cyber Security Lab Research


Sample Provenance Graph of 1 File

Page 26: User-Centricity, Provenance & Cyber Security Lab Research

File “Patent.txt” created on m1

Page 27: User-Centricity, Provenance & Cyber Security Lab Research


Sample Provenance Graph of 1 File

Page 28: User-Centricity, Provenance & Cyber Security Lab Research

Malicious insider scp patent.txt to another machine. Patent.txt travels across the cloud’s network to another host.

Patent.txt saved as Random.txt.

Notice that .ssh/known_hosts was accessed and detected by Progger.

Page 29: User-Centricity, Provenance & Cyber Security Lab Research


Sample Provenance Graph of 1 File

Page 30: User-Centricity, Provenance & Cyber Security Lab Research

Patent.txt’s duplicate, Random.txt, sent out of the cloud by a mail client, i.e. Cloud Data Leakage.

Destination IP of Cloud Data Leakage tracked.

Page 31: User-Centricity, Provenance & Cyber Security Lab Research

Cloud Data Leakage Detected: Malicious insider (sysadmin) sending a file out of the cloud using email
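A data-centric check of the insider scenario above, as an added example that is not Progger's code and does not use Progger's log format: it walks the forward provenance of Patent.txt over constructed records (the five-field layout, the host names m1/m2, the process names and the 203.0.113.9 address are all assumptions made for this example) and reports the files derived from it and any network endpoint outside the cloud that the derived data reached.

```python
# Added example, not Progger's own code or log format: constructed provenance
# records (host, process, syscall, source node, target node) for the scenario.
from collections import defaultdict, deque

# Constructed log: Patent.txt created on m1, scp'd to m2, saved as Random.txt,
# then mailed out. Node prefixes file:, proc:, net: are an assumed convention.
RECORDS = [
    ("m1", "vim",  "write", "proc:m1/vim",              "file:m1/Patent.txt"),
    ("m1", "scp",  "read",  "file:m1/Patent.txt",       "proc:m1/scp"),
    ("m1", "scp",  "read",  "file:m1/.ssh/known_hosts", "proc:m1/scp"),
    ("m1", "scp",  "send",  "proc:m1/scp",              "net:m2:22"),
    ("m2", "sshd", "recv",  "net:m2:22",                "proc:m2/sshd"),
    ("m2", "sshd", "write", "proc:m2/sshd",             "file:m2/Patent.txt"),
    ("m2", "cp",   "read",  "file:m2/Patent.txt",       "proc:m2/cp"),
    ("m2", "cp",   "write", "proc:m2/cp",               "file:m2/Random.txt"),
    ("m2", "mutt", "read",  "file:m2/Random.txt",       "proc:m2/mutt"),
    ("m2", "mutt", "send",  "proc:m2/mutt",             "net:203.0.113.9:25"),
]
INTERNAL_HOSTS = {"m1", "m2"}  # hosts that belong to the cloud (constructed)

def build_graph(records):
    """Directed data-flow graph: source node -> set of target nodes."""
    graph = defaultdict(set)
    for _host, _proc, _syscall, src, dst in records:
        graph[src].add(dst)
    return graph

def descendants(graph, start):
    """Every node reachable from `start`: the file's forward provenance."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def derived_files(graph, start):
    """Files (other than `start`) that carry data derived from `start`."""
    return sorted(n for n in descendants(graph, start)
                  if n.startswith("file:") and n != start)

def external_sinks(graph, start, internal=INTERNAL_HOSTS):
    """Network endpoints outside the cloud reached by data derived from `start`."""
    return sorted(n for n in descendants(graph, start)
                  if n.startswith("net:") and n.split(":")[1] not in internal)
```

Because a process node merges everything that process read, this granularity over-approximates: .ssh/known_hosts also appears upstream of the external sink, which matches the slide's note that Progger saw it accessed but is not by itself evidence that its contents left the cloud.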

Page 32: User-Centricity, Provenance & Cyber Security Lab Research

Potential uses of Progger Logs

•  Cloud Forensics
–  Replaces current (mostly manual), system-centric log analysis
•  Accountability and Data Governance
–  Auditability, vendor accountability, etc.
•  Provenance and timeline reconstruction algorithms
–  Speeds up threat source attribution.
–  Ground truth datasets for research
•  User-centric tools (e.g. SMS alerts, etc)
–  Trace data, ability to raise a concern, etc.

Page 33: User-Centricity, Provenance & Cyber Security Lab Research

Recap: Empowering Users

•  Ability to know
–  What has happened to their data/ systems?
–  What are the threats?
•  Ability to act
–  Perform revocation
–  Ability to use tools
–  Ability to collect evidence (for justice)
•  Ability to be private with their transactions
–  How to process encrypted data without decrypting them?

(Two items on this slide are annotated “In Progress”.)

Page 34: User-Centricity, Provenance & Cyber Security Lab Research

Infusing Knowledge to Users

•  What is the No. 1 obstacle to user-centricity?
–  User Apathy
•  Education
–  (Positive) Social engineering and public awareness
•  (e.g. TV shows for cyber security agencies like “Border Security”, “Women in Blue”?)
–  Mainstream curriculum
–  Tertiary curriculum – Waikato Uni’s Master of Cyber Security

Page 35: User-Centricity, Provenance & Cyber Security Lab Research

Other CROW Projects & Contributions

•  Cloud8 testbed
•  OpenStack Café
•  Progger (covered today)
•  DHCPv6 Fuzzer
•  Mobile NFC/ smart card security
•  Mobile EFTPOS
•  Industry Consulting
•  (ISC)2 Curriculum Development
•  Cloud Security Alliance

Page 36: User-Centricity, Provenance & Cyber Security Lab Research

Thank You

•  Join us as we return control of data to users
•  Master of Cyber Security info:
–  http://www.waikato.ac.nz/go/cybersecurity
•  Collaborate with us:
–  Web: https://crow.org.nz
–  Tel: +64 7 838 4798
•  Contact me: Dr Ryan Ko
–  [email protected]

Page 37: User-Centricity, Provenance & Cyber Security Lab Research

End-to-end data tracking in Clouds – A Big Problem

•  “What has happened to my file?” “Who has touched it?”
•  Lack of data-centric end-to-end tracking tools
•  Current methods of tracking breaches involve the use of multiple tools
•  No way to track both VMs and host machines
•  No efficient way to visualise data flow

Page 38: User-Centricity, Provenance & Cyber Security Lab Research

Data Scaling Experiment - Storage

•  Created a Cloud Testbed of 500 VMs over 10 physical servers, in OpenStack environment
•  Instances mainly CentOS
•  Logs from all Proggers consolidated into MySQL database
•  Measured using Bonnie++, file system performance benchmarking.
•  1 hour usage experience with human users
•  Low / mid / high load
•  2.05 MB / user (in MySQL)
•  300 KB / user (compressed)