leaks was 799 cases in 2015
• The amount of damage was estimated at 25,437 million Japanese yen
• 337.05 million Japanese yen per case
• Information leakage due to Advanced Persistent Threat (APT) attacks on organizations was considered the most serious cyber security threat in 2016
• It is projected to be the most serious threat in 2017
• The purpose of an APT is obtaining sensitive information by continually attacking specific organizations
(gather intelligence on the target)
• (3) Initial Breach (infect with malware)
• (4) Expand area of influence within the physical institution
• (5) Penetration/Exploration (recon and search for valuable data)
• (6) Mission Execution (send stolen data)
• (7) Re-Infiltration

References:
System Design Guide for Thwarting Targeted Email Attacks https://www.ipa.go.jp/files/000035723.pdf
10 Major Security Threats 2015 https://www.ipa.go.jp/files/000048018.pdf

Countermeasures for the initial breach: prevent virus/malware infection. Examples: antivirus software, security patches.
Countermeasures for the expansion phase (the phase we focused on): prevent anomalous internal traffic
information leakage
System design guide for thwarting "advanced targeted attack" (Japanese) https://www.ipa.go.jp/files/000046236.pdf
[Figure: attack model from the IPA guide; labels: Direct external communication type, Proxy communication corresponding type, Authentication proxy breakthrough type, Download tools, Command execution, Theft of authentication information, IP address search, Search service port, Attacking Infrastructure Building Phase, Backdoor Opening, Intelligence activities at user terminals, Investigation and search of the network environment]
At the stage of expansion of influence, malware performs the following:
• Open backdoors
• Survey the network and hosts
• Communicate with external actors such as the C&C server
capable of detecting malware traffic, we can prevent malware from expanding its influence and mitigate the threat of information leakage. Using SDN technology, we built a quarantine system for information leakage mitigation.
detects whether the communication content or communication behaviors are anomalous. Anomalies are appropriately handled by the system.
• We believe anomalous communication behaviors may be observed when the malware attempts to open backdoors, survey the network, etc.
• We have built a system to detect such communication anomalies.
[Figure: system overview with client PCs and an L2 switch]
detection/evaluation results are sent back to the OFC. The client trustworthiness is updated accordingly.
• OpenFlow Controller (OFC): Analyzes packets received from the OFSW and passes only relevant information to the Quarantine System. Processes the packet based on the result from the Quarantine System.
• OpenFlow Switch (OFSW): Transfers packets received from clients to the OFC. Forwards packets based on instructions from the OFC.
• Communication tendencies: detect anomalies based on the history of destinations (tendencies) to which the clients communicate. When malware probes the internal network, packets with anomalous destinations are generated and can be differentiated from normal traffic.
• Communication contents: detect anomalies in the content of the communications. We assume that communications between the malware and the C&C server have distinguishable characteristics.
networks from within the organization, and vectorize the destination tendencies.
• Clustering is performed for each subnet to which the client belongs, and destination anomalies are detected using the Mahalanobis distance from the subnet-based tendency.
• ⇒ Lower the trustworthiness of the client that issued the anomalous vector.
• Collect communication vectors in chronological order and detect anomalies.
edit distance
• The payload of normal HTTP communication is projected into the edit distance space and clustered.
• Calculate the probability of communication with the C&C server from the clustering result.
• Infer the degree of the anomaly from that probability, and decrease the trustworthiness of the client performing the communication accordingly.
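As an added illustration (not code from the original slides), the following Python sketch projects HTTP payloads into edit-distance space, clusters the normal ones by single linkage, and maps a new payload's normalized distance from the nearest cluster medoid to a C&C probability. The sample payloads, the cluster radius, the single-linkage rule and the linear distance-to-probability mapping are all constructed assumptions.

```python
def levenshtein(a, b):
    """Edit distance between two strings (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalized_distance(a, b):
    """Edit distance scaled to [0, 1] by the longer payload's length."""
    return levenshtein(a, b) / max(len(a), len(b), 1)

def cluster(payloads, radius):
    """Single-linkage clustering in edit-distance space (assumed rule): a payload
    joins the first cluster with a member within `radius`, else starts a new one."""
    clusters = []
    for p in payloads:
        for c in clusters:
            if any(normalized_distance(p, q) <= radius for q in c):
                c.append(p)
                break
        else:
            clusters.append([p])
    return clusters

def medoid(c):
    """Cluster member with the smallest total edit distance to the others."""
    return min(c, key=lambda p: sum(levenshtein(p, q) for q in c))

def cnc_probability(payload, clusters, radius):
    """Assumed scoring: normalized distance from the nearest normal-cluster
    medoid, mapped linearly onto [0, 1] beyond the cluster radius."""
    d = min(normalized_distance(payload, medoid(c)) for c in clusters)
    return max(0.0, min(1.0, (d - radius) / (1.0 - radius)))

# Constructed sample payloads (not captured traffic): three intranet GETs, one
# POST login, a new benign request and a hypothetical beacon-style POST.
NORMAL_PAYLOADS = [
    "GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /news.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /about.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: intranet.example\r\nContent-Length: 25\r\n\r\nuser=alice&session=active",
]
NEW_NORMAL = "GET /staff.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
BEACON = ("POST /gate.php HTTP/1.1\r\nHost: 203.0.113.7\r\nUser-Agent: -\r\n"
          "Content-Length: 28\r\n\r\nid=9f1c&os=win&data=c2VjcmV0")
RADIUS = 0.2
NORMAL_CLUSTERS = cluster(NORMAL_PAYLOADS, RADIUS)
```

With these inputs the GET requests form one cluster and the POST login another, so a new intranet GET scores 0 while the beacon-style POST lands well outside both clusters.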
"trustworthiness" of clients, based on their history of communication.
• The Quarantine System algorithmically detects anomalous packets. In the case of an anomaly, the "trustworthiness" of the initiating client is lowered by the degree of the anomaly.
• If the client's "trustworthiness" level falls below a certain level, it is determined to be infected with malware. ⇨ Communications from infected clients are continuously blocked.
[Figure: trustworthiness scale from High (safe, communication enabled) to Low (risky, communication disabled)]
survey all subnets.
• This is an anomalous communication behavior, based on past tendencies.
Anomalous communication behaviors: detect anomalies based on the history of destinations (tendencies) to which the clients communicate. When malware probes the internal network, packets with anomalous destinations are generated and can be differentiated from normal traffic.
[Figure: test topology with Router, OpenFlow Switch, OpenFlow Controller and Quarantine System; Subnets A, B and C (192.168.10.0/24 and 192.168.100.0/24 shown), hosts .1 to .4 in each subnet, gateways at .254]
Anomalous communication behavior: surveying all subnets. Host1 has a malware infection ⇨ pinging all hosts
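The following Python sketch is an added example, not the quarantine system's code. It ties together the destination-tendency slide and the trustworthiness slide: each client's destinations are vectorized per subnet, scored with a Mahalanobis distance against the client's subnet baseline (diagonal covariance assumed), and a trustworthiness score is lowered by the degree of the anomaly until the client is blocked, using the Host1 "ping all subnets" scenario from the figure. The 192.168.0.0/24 address for Subnet A, the baseline counts, and the start/threshold/cutoff/penalty values are assumptions.

```python
import math
from collections import Counter
# Subnets from the slide's topology (192.168.0.0/24 for Subnet A is assumed).
SUBNETS = ["192.168.0.0/24", "192.168.10.0/24", "192.168.100.0/24"]

def dest_vector(dest_ips):
    """Vectorize destination tendency: flow count per /24, in SUBNETS order."""
    counts = Counter(ip.rsplit(".", 1)[0] + ".0/24" for ip in dest_ips)
    return [counts.get(s, 0) for s in SUBNETS]

def fit_baseline(vectors):
    """Per-dimension mean/variance of a subnet's normal vectors (diagonal
    covariance, an assumed simplification of the full Mahalanobis form)."""
    n, dims = len(vectors), len(vectors[0])
    mean = [sum(v[i] for v in vectors) / n for i in range(dims)]
    var = [max(sum((v[i] - mean[i]) ** 2 for v in vectors) / n, 1e-6)
           for i in range(dims)]
    return mean, var

def mahalanobis(vec, baseline):
    """Distance of one client's vector from its subnet's tendency."""
    mean, var = baseline
    return math.sqrt(sum((x - m) ** 2 / s for x, m, s in zip(vec, mean, var)))

class TrustTracker:
    """Per-client trustworthiness; below `threshold` the client is treated as
    infected. Start, threshold, cutoff and penalty are assumed parameters."""
    def __init__(self, start=100.0, threshold=50.0, cutoff=3.0, penalty=10.0):
        self.start, self.threshold = start, threshold
        self.cutoff, self.penalty = cutoff, penalty
        self.score = {}
    def observe(self, client, distance):
        """Lower trustworthiness by the degree of the anomaly; return True if
        the client may still communicate (otherwise the OFC drops its packets)."""
        self.score.setdefault(client, self.start)
        if distance > self.cutoff:
            self.score[client] -= (distance - self.cutoff) * self.penalty
        return self.score[client] >= self.threshold

# Constructed baseline for Subnet A: clients talk inside the subnet and to the
# 192.168.100.0/24 server subnet, never to 192.168.10.0/24.
SUBNET_A_BASELINE = fit_baseline([[8, 0, 3], [10, 0, 2], [9, 1, 3], [7, 0, 4]])
# Host1 (infected) pinging every other host in every subnet, vs. a normal client.
HOST1_DESTS = [f"192.168.{n}.{h}" for n in (0, 10, 100) for h in (1, 2, 3, 4)
               if (n, h) != (0, 1)]
NORMAL_DESTS = ["192.168.0.2"] * 9 + ["192.168.100.1"] * 3

def evaluate(dests, client, tracker):
    d = mahalanobis(dest_vector(dests), SUBNET_A_BASELINE)
    return d, tracker.observe(client, d)
```

Host1's vector has four flows into the never-used 192.168.10.0/24 subnet, which dominates the distance and pushes its score below the threshold in a single observation, while the normal client stays inside the cutoff and keeps its full score.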
problem, and in order to prevent information leakage, we built a system that prevents malware from expanding its influence, within the network itself.
• This system utilizes an algorithm for detecting anomalies based on the communication tendencies of clients.
• Future tasks
  • TCP fragment packet processing
  • Evaluate the system with actual malware
  • Detect encrypted backdoor communications
  • Consider a response method other than packet drop