CIT-IoT

Transcript

1. A Proposal for a Quarantine System for Information Leakage Mitigation

   8th March, 2017 Team SecLab (National Institute of Technology, Okinawa College) 1 Shuji Koike @koikeshuji Nao Yonashiro @orisano

2. The threat of information leakage •The number of personal information

   leaks was 799 cases in 2015 •The amount of damage was estimated to be at 25,437 million Japanese yen •337.05 million Japanese yen per case •Information leakage due to Advanced Persistent Threat(APT) on organizations was considered the most serious cyber security threat in 2016 •It is projected to be the most serious threat in 2017 •The purpose of APT is obtaining sensitive information by continually attacking specific organizations 2

3. A breakdown of the typical APT •(1) Planning •(2) Preparation

   (gather intelligence on the target) •(3) Initial Breach (infect with malware) •(4) Expand area of influence within physical institution •(5) Penetration/Exploration (recon and search for valuable data) •(6) Mission Execution (send stolen data) •(7) Re-Infiltration 3 System Design Guide for Thwarting Targeted Email Attacks https://www.ipa.go.jp/files/000035723.pdf 10 Major Security Threats 2015 https://www.ipa.go.jp/files/000048018.pdf Countermeasures for initial breach: ・Prevent virus/malware infection Examples: ・Antivirus software ・Security patches

4. A breakdown of the typical APT •(1) Planning •(2) Preparation

   (gather intelligence on the target) •(3) Initial Breach (infect with malware) •(4) Expand area of influence within physical institution •(5) Penetration/Exploration (recon and search for valuable data) •(6) Mission Execution (send stolen data) •(7) Re-Infiltration 4 System Design Guide for Thwarting Targeted Email Attacks https://www.ipa.go.jp/files/000035723.pdf 10 Major Security Threats 2015 https://www.ipa.go.jp/files/000048018.pdf Countermeasures for initial breach: ・Prevent virus/malware infection Examples: ・Antivirus software ・Security patches We focused on this phase Countermeasures for expansion: ・Prevent anomalous internal traffic

5. Mitigating APT Prevent malware expansion by considering ways to prevent

   information leakage 5 System design guide for thwarting "advanced targeted attack"(Japanese) https://www.ipa.go.jp/files/000046236.pdf D i rect external co m m uni cati o n typ e Pro xy co m m uni cati o n co rresp o nd i ng typ e A uthenti cati o n p ro xy b reakthro ugh typ e D o w nlo ad to o ls C o m m and executi o n T heft o f authenti cati o n i nfo rm ati o n IP ad d ress search Search servi ce p o rt A ttacki ng I nfrastructure Bui ldi ng Phase B ackd o o r O p eni ng Intelli gence acti vi ti es at user term i nals Investigatio n and search o f the netw o rk enviro nm ent At the stage of expansion of influence, malware performs the following: • Open backdoors • Survey the network and hosts • Communicate with external actors such as the C&C server.

6. To mitigate information leakage If the network infrastructure itself is

   capable of detecting malware traffic, we can prevent malware from expanding its influence, and mitigate the threat of information leakage. Using SDN technology, we built a quarantine system for information leakage mitigation. 6

7. System overview •A communication packet passing through the L2 switch

   detects whether the communication content or communication behaviors are anomalous. Anomalies are appropriately handled by the system. •We believe anomalous communication behaviors may be observed when the malware attempts to open backdoors, survey the network, etc. •We have built a system to detect such communication anomalies. 7 Client PCs L2 Switch

8. System components Quarantine System OpenFlow Switch OpenFlow Controller 8

9. System components Based on the information passed from OFC, anomaly

   detection/evaluation results are sent back to OFC. The client trustworthiness is updated accordingly. Quarantine System Analyzes packets received from OFSW, and pass only relevant information to the Quarantine System. Processes the packet based on the result from the quarantine system. Transfers packets received from clients to OFC. Forwards packets based on instructions from OFC. OpenFlow Controller (OFC) OpenFlow Switch (OFSW) 9

10. System operation OpenFlow Switch OpenFlow Controller Quarantine System 10

11. System operation OpenFlow Switch OpenFlow Controller Quarantine System 11 Packet-in

12. System operation OpenFlow Switch OpenFlow Controller Quarantine System 12 Packet-in

13. System operation OpenFlow Switch OpenFlow Controller Quarantine System 13 Packet

    analysis / Preparation of evaluation data evaluati- on data

14. System operation OpenFlow Switch OpenFlow Controller Quarantine System 14 Evaluation

    and Detection evaluati- on data

15. System operation OpenFlow Switch OpenFlow Controller Quarantine System 15 Return

    Evaluation Trustworthiness update

16. System operation OpenFlow Switch OpenFlow Controller Quarantine System 16 Based

    on results, packet-out or DROP

17. System operation OpenFlow Switch OpenFlow Controller Quarantine System 17 Based

    on results, packet-out or DROP

18. System operation OpenFlow Switch OpenFlow Controller Quarantine System 18

19. Quarantine System •Evaluation Units •Client PC (IP Address) •Evaluation Items

    •Communication tendencies •Detect anomalies based on the history of destinations (tendencies) to which the clients communicate •When malware probes the internal network, packets with anomalous destinations are generated, and can be differentiated from normal traffic •Communication contents •Detect anomalies in the content of the communications •We assume that communications between the malware and C&C server have distinguishable characteristics. 19

20. Methods used in the Quarantine System •Destination Aggregates •Payload Aggregates

    20

21. Destination Aggregates •Regularly record the number of communications to external

    networks from within the organization, and vectorize the destination tendencies. •Clustering is performed for each subnet to which the client belongs and destination anomalies are detected using Mahalanobis distance based on subnet based tendency. •⇒Lower the trustworthiness of the client that issued the anomalous vector. •Collect communication vectors in chronological order and detect anomalies. 21

22. Payload Aggregates •Determine similarity of HTTP communication packets •Detection using

    edit distance •The payload of normal HTTP communication is projected in the edit distance space and clustered. •Calculate the probability of communications with the C&C server from the clustering result. •Infer the degree of the anomaly according to probability, and decrease the trustworthiness of the client performing the communication accordingly. 22

23. Detection of unreliable clients •Maintained a numeric representation of the

    "trustworthiness" of clients, based on their history of communication. •The Quarantine System algorithmically detects anomalous packets. In the case of anomalies, the "trustworthiness" of the initiating client is lowered with the degree of the anomaly. •If the client's “trustworthiness” level falls below a certain level, it is determined to be infected with malware. ⇨Communications from infected clients are continuously blocked. 23 Trustworthiness High Low Risky Safety Communication disabled Communication enabled

24. Demonstration •Scenario: A client has initiated a network scan to

    survey all subnets. •This is an anomalous communication behavior, based on past tendencies. 24 Anomalous communication behaviors - Detect anomalies based on the history of destinations (tendencies) to which the clients communicate. When malware probes the internal network, packets with anomalous destinations are generated, and can be differentiated from normal traffic

25. Host1 2 3 4 Sv 5 6 7 8 192.168.1.0/24

    192.168.10.0/24 192.168.100.0/24 .254 Router Open Flow Switch Quarantine System Open Flow Controller .254 .254 Subnet A Subnet B Subnet C 9 10 11 12 1.1 .2 .3 .4 1.100 10.1 .2 .3 .4 100.1 .2 .3 .4 25 Anomalous communication behavior Surveying all subnets

26. Host1 2 3 4 Sv 5 6 7 8 192.168.0.0/24

    192.168.10.0/24 192.168.100.0/24 .254 Router Open Flow Switch Quarantine System Open Flow Controller .254 .254 Subnet A Subnet B Subnet C 9 10 11 12 0.1 .2 .3 .4 1.10 10.1 .2 .3 .4 100.1 .2 .3 .4 26 Anomalous communication behavior Surveying all subnets Host1 has a malware infection ⇨ Pinging all hosts

27. Overall summary •Information leakage due to APT is a serious

    problem, and in order to prevent information leakage, we built a system to prevent malware from expanding its influence, in the network itself. •This system utilizes an algorithm for detecting anomalies based on the communication tendencies of clients. •Future tasks •TCP fragment packet processing •Evaluate the system with actual malware •Detect encrypted backdoor communications •Consider a response method other than packet drop 27