RTN CTRL
User-Centricity, Provenance & Cyber Security Lab Research
Dr Ryan Ko www.crow.org.nz
Background
• Preparation work started December 2012
• Officially launched on 3 Dec 2013 by Sir William Gallagher, together with NZ’s 1st Master of Cyber Security degree.
• 1st dedicated cyber security academic research lab in New Zealand
• Builds on Waikato’s strong computer science heritage (New Zealand Internet, Endace, Lightwire, etc.).
• Currently 4 academics, 2 research staff, 20+ graduate research students
• Aims to be 1 of the top cyber security programmes in Asia Pacific in 5 years.
Our Motto & Foci
• Motto:
– To return control of data to users.
• CROW aims to return control of data to data owners, by focusing on research addressing data security from a user-centric perspective.
• Advised by NZ & int’l ICT companies, and an Industry Advisory Board comprising internationally renowned cyber security experts.
Key Focus Areas
• Provenance.
• User-Centricity.
• Security Visualisation.
• Security Economics.
• Hardware Security.
• Tools and Datasets.
5 Years Ahead… Unsustainable Future
• Problem 1: High dependency on vendors/ ‘trusted’ technical staff.
• Problem 2: Lack of effective tools for everyone
– Which leads us back to Problem 1
A New Security Mindset
• Effective defence against cyber attacks?
– Empower everyone – including users
– Everyone a defender
• We’d like to propose a user-centric mindset, resulting in a form of “Cyber Civil Defence”
• Recalling Lab motto: To return control of data to users
Empowering Users
• Ability to know
– What has happened to their data/ systems?
– What are the threats?
• Ability to act
– Perform revocation
– Ability to use tools
– Ability to collect evidence (for justice)
• Ability to be private with their transactions
– How to process encrypted data without decrypting them? (Not covered today; another talk in the future?)
Starting with some questions…
• If users don’t want to use our inventions, we can’t empower them.
• Therefore, our hypothesis:
– To empower more users, we need to gain increased uptake by making security tools easy to use.
• Related Research Questions:
– Are current security tools user-centric and user-empowering?
– How is user-centricity linked to ‘ease-of-use’?
– If so, how do we measure a software’s ease-of-use?
Surveying the landscape…
• Traditionally, 2 types of tool penetrate non-technical users’ market well:
– Anti-virus
– Firewalls
• Why high penetration? – Ease of use? No. of clicks? Easy to understand?
• High usability results in user confidence → Higher user-centricity
– E.g. Patent “A Method and System for Placing a Purchase Order Via a Communications Network” – 1 click to purchase Amazon products
– E.g. Three click rule – no page on a website should be > 3 clicks away.
Usability & Clicks
• Research question:
– Is there a relationship between market share & click count?
• Focus:
– “Top” = market penetration/ share.
– “Top market share” list came from Jan 2014 OPSWAT security market share report.
• Installed Top 16 anti-virus applications from OPSWAT report & for each, counted (manually) the no. of clicks to complete tasks.
Product Name | Market Share (2014 OPSWAT rpt.) | Min Clicks | Max Clicks | Average Clicks | Min Windows | Max Windows
Microsoft Security Essentials | 16.30% | 1 | 4 | 2.5 | 0 | 1
avast! Free Antivirus | 13.20% | 1 | 6 | 3.5 | 0 | 1
Windows Defender | 6.20% | 1 | 4 | 2.5 | 0 | 1
Avira Free Antivirus | 5.00% | 1 | 4 | 2.5 | 1 | 3
AVG Anti-Virus Free Edition | 4.80% | 1 | 4 | 2.5 | 0 | 0
ESET Smart Security | 4.60% | 2 | 4 | 3 | 0 | 1
Malwarebytes Anti-Malware Pro | 4.20% | 1 | 5 | 3 | 0 | 0
AVG Internet Security | 3.30% | 1 | 4 | 2.5 | 0 | 0
Kaspersky Internet Security | 3.30% | 2 | 6 | 4 | 1 | 2
Norton Internet Security | 3.10% | 2 | 5 | 3.5 | 0 | 1
ESET NOD32 Antivirus | 2.80% | 2 | 4 | 3 | 0 | 1
COMODO Antivirus | 2.70% | 2 | 6 | 4 | 2 | 2
McAfee VirusScan | 2.50% | 2 | 11 | 6.5 | 1 | 4
Norton 360 | 2.30% | 3 | 7 | 5 | 2 | 4
avast! Internet Security | 2.20% | 1 | 6 | 3.5 | 0 | 1
Symantec Endpoint Protection | 1.90% | 2 | 12 | 7 | 1 | 2
Clicks vs. Market Share
[Chart: two series per product, Market Share (axis 0% to 20%) and Average number of clicks (axis 0 to 8).]
Interesting observations
• For most cases:
– The higher the click count, the lower the market share.
• What does this mean?
– To empower more people, we need to develop tools which are easy to use, with low click count, but do not compromise on technical coverage.
• Hypothesis seemingly proven, but still early-stage research; detailed further study required.
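The relationship the slides describe can be checked numerically from the table of 16 products. The following is an added example and is not code from the original talk or from CROW; it embeds the market share and average click count exactly as listed in the slide’s table (OPSWAT-derived shares, manually counted clicks) and computes both the Pearson correlation and the Spearman rank correlation using only the Python standard library.

```python
"""Correlate anti-virus market share with average click count.

Added example, not from the original slides. The rows are the 16 products
from the slide's table: market share (%) from the Jan 2014 OPSWAT report
and the average number of clicks counted manually by the presenters.
"""
import math

# (product, market share in %, average clicks) as listed on the slide
PRODUCTS = [
    ("Microsoft Security Essentials", 16.30, 2.5),
    ("avast! Free Antivirus", 13.20, 3.5),
    ("Windows Defender", 6.20, 2.5),
    ("Avira Free Antivirus", 5.00, 2.5),
    ("AVG Anti-Virus Free Edition", 4.80, 2.5),
    ("ESET Smart Security", 4.60, 3.0),
    ("Malwarebytes Anti-Malware Pro", 4.20, 3.0),
    ("AVG Internet Security", 3.30, 2.5),
    ("Kaspersky Internet Security", 3.30, 4.0),
    ("Norton Internet Security", 3.10, 3.5),
    ("ESET NOD32 Antivirus", 2.80, 3.0),
    ("COMODO Antivirus", 2.70, 4.0),
    ("McAfee VirusScan", 2.50, 6.5),
    ("Norton 360", 2.30, 5.0),
    ("avast! Internet Security", 2.20, 3.5),
    ("Symantec Endpoint Protection", 1.90, 7.0),
]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)


def average_ranks(values):
    """Rank values (1 = smallest); tied values share the mean of their ranks."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_rank = (i + j) / 2 + 1  # positions i..j hold ranks i+1..j+1
        for k in range(i, j + 1):
            ranks[order[k]] = mean_rank
        i = j + 1
    return ranks


def spearman(xs, ys):
    """Spearman rank correlation: Pearson correlation of tie-averaged ranks."""
    return pearson(average_ranks(xs), average_ranks(ys))


def correlate(products=PRODUCTS):
    """Return both correlation coefficients for share vs. average clicks."""
    shares = [p[1] for p in products]
    clicks = [p[2] for p in products]
    return {"pearson": pearson(shares, clicks), "spearman": spearman(shares, clicks)}


if __name__ == "__main__":
    r = correlate()
    print(f"Pearson r = {r['pearson']:+.3f}, Spearman rho = {r['spearman']:+.3f}")
```

Both coefficients come out negative, which is the direction the slide reports; the rank-based Spearman value is the more meaningful one here because the two leaders (16.3% and 13.2%) are far from the rest of the share distribution and dominate the Pearson statistic. With only 16 points and many tied click counts, this is descriptive support rather than proof, which matches the slide’s own caveat.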
Empowering Users
• Ability to know
– What has happened to their data/ systems?
– What are the threats?
• Ability to act
– Perform revocation
– Ability to use tools
– Ability to collect evidence (for justice)
• Ability to be private with their transactions
– How to process encrypted data without decrypting them?
Empowering Users with Knowledge
• Another form of empowering users:
– Empower them with information relating to the security of their assets.
• Usually, the asset is data.
– USB stick example
– Especially true in current dependence on cloud services (e.g. Gmail).
• Most security tools are System-centric → Not Data-centric.
• Current security tools lack effective end-to-end data activity tracking.
• Data provenance = Derivation history of data.
• Perhaps provenance can fill in the gap?
Real-life Example: Google
September 11, 2001
Src: Seib and Janbek, Global Terrorism and New Media – The post Al-Qaeda Generation, 2011
computer along with his Kalashnikov.9 Osama bin Laden and what was left of Al Qaeda moved into the caves of northwestern Pakistan, and the action shifted from a conventional battleground (where Al Qaeda and the Taliban could not compete with U.S. military power) to a virtual one.
Internet use linked to Al Qaeda had begun several years before. In 1996, an undergraduate at Imperial College in London, Babar Ahmad, created azzam.com, named in honor of Abdullah Azzam, a Palestinian who was a mentor to bin Laden and had persuaded bin Laden to come to Afghanistan in the 1980s. The English-language site provided reports about jihad and mujahideen from Chechnya and, beginning in November 2001, Afghanistan. Given the dearth of information emanating from that part of the world, its coverage was sometimes cited by news organizations such as the BBC. The technically sophisticated site provided a forum for teaching a global audience about jihad and built the foundation for a network by providing links to other, like-minded sites.10
Al Qaeda soon adopted the Internet as the best medium for sending and receiving messages to scattered audiences. The Al Neda Web site, which Al Qaeda began using in early 2002, published analyses of the wars in Afghanistan and Iraq, commentary by Islamic clerics about Al Qaeda operations, and explanations of how Al Qaeda’s war aims would benefit the ummah (the global community of Islam) by undermining the power of the United States, Israel, and apostate governments of Muslim states. The content of Al Qaeda-related sites, wrote Michael Scheuer, “adds up to a tremendous contribution to what bin Laden always has said is his and al Qaeda’s first priority: the instigation to jihad of as many Muslims in as many locales as possible.”11
Al Qaeda’s Internet operations gradually became more sophisticated and secure. According to a 2004 report by the U.S. Justice and Treasury Departments, the traditional espionage communication technique of the “dead drop” was adapted for online use. Selected Al Qaeda members are given the same prearranged username and password for an e-mail account such as at hotmail.com. One person writes a message, but instead of sending it he saves it in the “draft” file and signs off. Then someone else can access the account, read the message, and either leave it for someone else to read or delete it. Because the message was never sent, the ISP retains no copy of it, and no record of it traversing the Internet exists.12 A similarly useful tool is the discussion board, where announcements can be posted with links to dozens of sites.
While devising secure methods of communicating, Al Qaeda was also amassing an online library of training materials that would teach its readers how to make ricin poison, how to make a bomb from commercial chemicals, and other useful advice. The Saudi-based online magazine Muaskar al-Battar (Camp of the Sword) told potential recruits, “Oh, Mujahid brother, in order to join the great training camps you don’t have to travel to other lands. Alone in your home or with a group of your brothers you too can begin to execute the training program.” Such training efforts can reach many people quickly and avoid the dangers of recruits gathering at a mosque or other place where they
What could have detected this?
Yes, data-centric tools, e.g. provenance tools
Progger – Provenance Logger
• At CROW, we have developed several tools to collect provenance information within and across systems.
• One of them is the tamper-evident, efficient kernel-space Progger (short for provenance logger).
• Progger
– Open-source, and freely available for download (Github).
– Captures system calls relating to C-R-U-D (Create, Read, Update, Delete) data actions.
– Logs data actions, NOT data contents
– Src: R Ko, M Will, “Progger: An Efficient, Tamper-Evident Kernel-Space Logger for Cloud Data Provenance Tracking”, IEEE Cloud 2014, Alaska, USA.
A Malicious Insider Scenario Executed In Systems with Progger Installed
Sample snippet of Progger log
Fine granularity = able to capture several data events, e.g. Ctrl+C & Ctrl+V, e.g. undeclared copies and backups by programs.
1 File’s Provenance captured by Progger
Related Data Provenance Events of file “Patent.txt” shown in demo.
Provenance Graph of 1 File (Note: user details hidden)
Sample Provenance Graph of 1 File
File “Patent.txt” created on m1
Sample Provenance Graph of 1 File
Malicious insider scp’s Patent.txt to another machine
Patent.txt travels across cloud’s network to another host
Patent.txt saved as Random.txt
Notice that .ssh/known_hosts was accessed and detected by Progger
Sample Provenance Graph of 1 File
Patent.txt’s duplicate, Random.txt, sent out by mail client out of cloud, i.e. Cloud Data Leakage
Destination IP of Cloud Data Leakage tracked
Cloud Data Leakage Detected: Malicious insider (sysadmin) sending a file out of the cloud using email
Potential uses of Progger Logs
• Cloud Forensics
– Replaces current (mostly manual), system-centric log analysis
• Accountability and Data Governance
– Auditability, vendor accountability, etc.
• Provenance and timeline reconstruction algorithms
– Speeds up threat source attribution.
– Ground truth datasets for research
• User-centric tools (e.g. SMS alerts, etc)
– Trace data, ability to raise a concern, etc.
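The Patent.txt scenario on the preceding slides (created on m1, copied by scp to another cloud host, renamed to Random.txt, then mailed out) is exactly what a timeline reconstruction algorithm over CRUD-style data-action events has to recover. The block below is an added example of such an algorithm; it is not Progger’s code and the event dictionaries are a constructed, hypothetical format, not Progger’s real log syntax. The host names, addresses, paths and process names are made up, and the rule that links a network send to a cloud host with a subsequent create of the same basename on that host is an assumption of this example, not something the slides describe.

```python
"""Rebuild one file's provenance chain from CRUD-style data-action events and
flag transfers that leave the cloud.

Added example, not Progger's code. The events below are in a constructed,
hypothetical format (NOT Progger's real log syntax); hosts, IPs, paths and
process names are made up to mirror the Patent.txt scenario on the slides.
"""
import os

# Constructed: hosts that belong to the cloud tenant, with their addresses.
CLOUD_HOSTS = {"m1": "10.0.0.1", "m2": "10.0.0.7"}

# Constructed sample events (ts = seconds since start of the capture).
EVENTS = [
    {"ts": 1, "host": "m1", "pid": 100, "proc": "vim", "action": "create", "path": "/home/alice/Patent.txt"},
    {"ts": 2, "host": "m1", "pid": 100, "proc": "vim", "action": "update", "path": "/home/alice/Patent.txt"},
    {"ts": 3, "host": "m1", "pid": 200, "proc": "scp", "action": "read", "path": "/home/alice/Patent.txt"},
    {"ts": 4, "host": "m1", "pid": 200, "proc": "scp", "action": "read", "path": "/home/alice/.ssh/known_hosts"},
    {"ts": 5, "host": "m1", "pid": 200, "proc": "scp", "action": "net_send", "path": "/home/alice/Patent.txt", "dst": "10.0.0.7:22"},
    {"ts": 6, "host": "m2", "pid": 300, "proc": "sshd", "action": "create", "path": "/tmp/Patent.txt"},
    {"ts": 7, "host": "m2", "pid": 310, "proc": "mv", "action": "rename", "path": "/tmp/Patent.txt", "new_path": "/tmp/Random.txt"},
    {"ts": 8, "host": "m2", "pid": 320, "proc": "mutt", "action": "read", "path": "/tmp/Random.txt"},
    {"ts": 9, "host": "m2", "pid": 320, "proc": "mutt", "action": "net_send", "path": "/tmp/Random.txt", "dst": "203.0.113.5:25"},
    {"ts": 10, "host": "m2", "pid": 330, "proc": "cat", "action": "read", "path": "/etc/hosts"},
]

# Assumed maximum delay between a net_send and the matching create on the
# receiving host for the two to be treated as one copy (example assumption).
ARRIVAL_WINDOW = 60


def trace_file(events, host, path, cloud_hosts=CLOUD_HOSTS):
    """Follow one file (host, path) through renames and host-to-host copies.

    Returns the ordered chain of events that touched the file or one of its
    aliases, other events by the processes that touched it (context such as
    the .ssh/known_hosts read), and every network send to a non-cloud address.
    """
    ip_to_host = {ip: h for h, ip in cloud_hosts.items()}
    aliases = {(host, path)}   # every (host, path) the data has lived under
    pending = []               # expected arrivals: (host, basename, send_ts)
    touched = set()            # (host, pid) pairs that handled the file
    chain, related, leaks = [], [], []

    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["path"])
        # A create on a host we just sent the file to, with the same basename,
        # is treated as the copy arriving there.
        if ev["action"] == "create" and key not in aliases:
            for i, (arr_host, base, sent_ts) in enumerate(pending):
                same_target = (ev["host"], os.path.basename(ev["path"])) == (arr_host, base)
                if same_target and 0 <= ev["ts"] - sent_ts <= ARRIVAL_WINDOW:
                    aliases.add(key)
                    del pending[i]
                    break
        if key in aliases:
            chain.append(ev)
            touched.add((ev["host"], ev["pid"]))
            if ev["action"] == "rename":
                aliases.add((ev["host"], ev["new_path"]))
            elif ev["action"] == "net_send":
                dst_ip = ev["dst"].rsplit(":", 1)[0]
                if dst_ip in ip_to_host:
                    pending.append((ip_to_host[dst_ip], os.path.basename(ev["path"]), ev["ts"]))
                else:
                    leaks.append(ev)  # data left the cloud; destination is recorded
        elif (ev["host"], ev["pid"]) in touched:
            related.append(ev)
    return {"chain": chain, "aliases": aliases, "related": related, "leaks": leaks}


def timeline(result):
    """Human-readable provenance timeline, one line per chain event plus leaks."""
    lines = []
    for ev in result["chain"]:
        extra = ev.get("new_path") or ev.get("dst") or ""
        lines.append(f"t={ev['ts']:>3} {ev['host']} {ev['proc']}[{ev['pid']}] "
                     f"{ev['action']:<8} {ev['path']} {extra}".rstrip())
    for ev in result["leaks"]:
        lines.append(f"LEAK: {ev['path']} sent from {ev['host']} to {ev['dst']} by {ev['proc']}")
    return lines


if __name__ == "__main__":
    print("\n".join(timeline(trace_file(EVENTS, "m1", "/home/alice/Patent.txt"))))
```

Because the logger records data actions rather than contents, the chain is built purely from (host, path) aliases and process identity; the unrelated /etc/hosts read never enters the result, while the known_hosts read surfaces as related context because the same scp process had just read the tracked file. The only leak reported is the mail client’s send to an address outside the tenant’s host map, which is the destination IP the slides say was tracked.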
Recap: Empowering Users
• Ability to know
– What has happened to their data/ systems?
– What are the threats?
• Ability to act
– Perform revocation
– Ability to use tools
– Ability to collect evidence (for justice)
• Ability to be private with their transactions
– How to process encrypted data without decrypting them?
In Progress
In Progress
Infusing Knowledge to Users
• What is the No. 1 obstacle to user-centricity?
– User Apathy
• Education
– (Positive) Social engineering and public awareness
• (e.g. TV shows for cyber security agencies like “Border Security”, “Women in Blue”?)
– Mainstream curriculum
– Tertiary curriculum – Waikato Uni’s Master of Cyber Security
Other CROW Projects & Contributions
• Cloud8 testbed
• OpenStack Café
• Progger (covered today)
• DHCPv6 Fuzzer
• Mobile NFC/ smart card security
• Mobile EFTPOS
• Industry Consulting
• (ISC)2 Curriculum Development
• Cloud Security Alliance
Thank You
• Join us as we return control of data to users
• Master of Cyber Security info:
– http://www.waikato.ac.nz/go/cybersecurity
• Collaborate with us:
– Web: https://crow.org.nz
– Tel: +64 7 838 4798
• Contact me: Dr Ryan Ko – [email protected]
End-to-end data tracking in Clouds – A Big Problem
• “What has happened to my file?” “Who has touched it?”
• Lack of data-centric end-to-end tracking tools
• Current methods of tracking breaches involve the use of multiple tools
• No way to track both VMs and host machines
• No efficient way to visualise data flow
Data Scaling Experiment - Storage
• Created a Cloud Testbed of 500 VMs over 10 physical servers, in OpenStack environment
• Instances mainly CentOS
• Logs from all Proggers consolidated into MySQL database
• Measured using Bonnie++, file system performance benchmarking.
• 1 hour usage experience with human users
• Low / mid / high load
• 2.05 MB / user (in MySQL)
• 300 KB / user (compressed)