Slide 1

A Proposal for a Quarantine System for Information Leakage Mitigation
8th March, 2017
Team SecLab (National Institute of Technology, Okinawa College)
Shuji Koike @koikeshuji
Nao Yonashiro @orisano

Slide 2

The threat of information leakage
• The number of personal information leaks was 799 cases in 2015
• The amount of damage was estimated at 25,437 million Japanese yen
  • 337.05 million Japanese yen per case
• Information leakage due to Advanced Persistent Threats (APT) on organizations was considered the most serious cyber security threat in 2016
  • It is projected to be the most serious threat in 2017
• The purpose of an APT is to obtain sensitive information by continually attacking specific organizations

Slide 3

A breakdown of the typical APT
• (1) Planning
• (2) Preparation (gather intelligence on the target)
• (3) Initial Breach (infect with malware)
• (4) Expand area of influence within the physical institution
• (5) Penetration/Exploration (recon and search for valuable data)
• (6) Mission Execution (send stolen data)
• (7) Re-Infiltration
Countermeasures for the initial breach:
・Prevent virus/malware infection
Examples:
・Antivirus software
・Security patches
Sources: System Design Guide for Thwarting Targeted Email Attacks https://www.ipa.go.jp/files/000035723.pdf; 10 Major Security Threats 2015 https://www.ipa.go.jp/files/000048018.pdf

Slide 4

A breakdown of the typical APT
• (1) Planning
• (2) Preparation (gather intelligence on the target)
• (3) Initial Breach (infect with malware)
• (4) Expand area of influence within the physical institution
• (5) Penetration/Exploration (recon and search for valuable data)
• (6) Mission Execution (send stolen data)
• (7) Re-Infiltration
Countermeasures for the initial breach:
・Prevent virus/malware infection
Examples:
・Antivirus software
・Security patches
We focused on the expansion phase.
Countermeasures for expansion:
・Prevent anomalous internal traffic
Sources: System Design Guide for Thwarting Targeted Email Attacks https://www.ipa.go.jp/files/000035723.pdf; 10 Major Security Threats 2015 https://www.ipa.go.jp/files/000048018.pdf

Slide 5

Mitigating APT
Prevent malware expansion by considering ways to prevent information leakage.
Source: System design guide for thwarting "advanced targeted attack" (Japanese) https://www.ipa.go.jp/files/000046236.pdf
[Figure: malware activity in the expansion phase. Labels: Attacking Infrastructure Building Phase; Backdoor Opening; Investigation and search of the network environment; Intelligence activities at user terminals; Direct external communication type; Proxy communication corresponding type; Authentication proxy breakthrough type; Download tools; Command execution; Theft of authentication information; IP address search; Search service port]
At the stage of expansion of influence, malware performs the following:
• Open backdoors
• Survey the network and hosts
• Communicate with external actors such as the C&C server

Slide 6

To mitigate information leakage
If the network infrastructure itself is capable of detecting malware traffic, we can prevent malware from expanding its influence and mitigate the threat of information leakage.
Using SDN technology, we built a quarantine system for information leakage mitigation.

Slide 7

System overview
• For each communication packet passing through the L2 switch, the system detects whether the communication content or communication behavior is anomalous. Anomalies are handled appropriately by the system.
• We believe anomalous communication behaviors may be observed when the malware attempts to open backdoors, survey the network, etc.
• We have built a system to detect such communication anomalies.
[Figure: Client PCs connected to the L2 Switch]

Slide 8

System components
• Quarantine System
• OpenFlow Switch
• OpenFlow Controller

Slide 9

System components
• Quarantine System: based on the information passed from the OFC, performs anomaly detection/evaluation and sends the results back to the OFC. The client trustworthiness is updated accordingly.
• OpenFlow Controller (OFC): analyzes packets received from the OFSW and passes only the relevant information to the Quarantine System. Processes each packet based on the result from the Quarantine System.
• OpenFlow Switch (OFSW): transfers packets received from clients to the OFC. Forwards packets based on instructions from the OFC.

Slide 10

System operation
[Figure: OpenFlow Switch, OpenFlow Controller, Quarantine System]

Slide 11

System operation
[Figure: OpenFlow Switch, OpenFlow Controller, Quarantine System]
Step: Packet-in

Slide 13

System operation
[Figure: OpenFlow Switch, OpenFlow Controller, Quarantine System]
Step: Packet analysis / preparation of evaluation data; the evaluation data is passed to the Quarantine System

Slide 14

System operation
[Figure: OpenFlow Switch, OpenFlow Controller, Quarantine System]
Step: Evaluation and detection on the evaluation data

Slide 15

System operation
[Figure: OpenFlow Switch, OpenFlow Controller, Quarantine System]
Step: Return evaluation; trustworthiness update

Slide 16

System operation
[Figure: OpenFlow Switch, OpenFlow Controller, Quarantine System]
Step: Based on the results, packet-out or DROP

Slide 18

System operation
[Figure: OpenFlow Switch, OpenFlow Controller, Quarantine System]

Slide 19

Quarantine System
• Evaluation Units
  • Client PC (IP Address)
• Evaluation Items
  • Communication tendencies
    • Detect anomalies based on the history of destinations (tendencies) to which the clients communicate
    • When malware probes the internal network, packets with anomalous destinations are generated, and can be differentiated from normal traffic
  • Communication contents
    • Detect anomalies in the content of the communications
    • We assume that communications between the malware and the C&C server have distinguishable characteristics

Slide 20

Methods used in the Quarantine System
• Destination Aggregates
• Payload Aggregates

Slide 21

Destination Aggregates
• Regularly record the number of communications to external networks from within the organization, and vectorize the destination tendencies.
• Clustering is performed for each subnet to which the client belongs, and destination anomalies are detected using the Mahalanobis distance from the subnet-based tendency.
  ⇒ Lower the trustworthiness of the client that issued the anomalous vector.
• Collect communication vectors in chronological order and detect anomalies.

Slide 22

Payload Aggregates
• Determine the similarity of HTTP communication packets
• Detection using edit distance
  • The payloads of normal HTTP communications are projected into the edit-distance space and clustered.
  • Calculate the probability of communication with the C&C server from the clustering result.
  • Infer the degree of the anomaly from that probability, and decrease the trustworthiness of the client performing the communication accordingly.
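As an added illustration of the Payload Aggregates method (not the SecLab team's code), the following Python clusters normal HTTP request payloads in edit-distance space and scores a new payload by its normalized distance to the nearest cluster; the leader-clustering scheme, the 0.3 cluster radius, the 0.5 threshold and the linear trust penalty are assumptions standing in for the probability calculation the slide leaves unspecified, and all request lines are constructed.

```python
"""Payload Aggregates: edit-distance clustering of HTTP payloads (added example; the
cluster radius and the distance-to-score mapping are assumptions, not the team's method)."""

def edit_distance(a, b):
    """Levenshtein distance computed with one rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalized_distance(a, b):
    """Edit distance scaled to [0, 1] so payloads of different length are comparable."""
    return edit_distance(a, b) / max(len(a), len(b), 1)

def cluster_payloads(payloads, radius=0.3):
    """Leader clustering: join the first cluster whose representative is within radius, else start one."""
    clusters = []  # [(representative, members), ...]
    for p in payloads:
        for rep, members in clusters:
            if normalized_distance(p, rep) <= radius:
                members.append(p)
                break
        else:
            clusters.append((p, [p]))
    return clusters

def cnc_score(payload, clusters):
    """Stand-in for the slides' C&C probability: distance to the nearest normal cluster (0 = known-good)."""
    return min(normalized_distance(payload, rep) for rep, _ in clusters)

def evaluate_payload(payload, clusters, trust, threshold=0.5, scale=100.0):
    """Lower the client's trust in proportion to how far the score exceeds the threshold (assumed)."""
    score = cnc_score(payload, clusters)
    if score > threshold:
        trust = max(0.0, trust - scale * (score - threshold))
    return score, trust

# Constructed request lines standing in for captured normal HTTP payloads.
NORMAL_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: Mozilla/5.0\r\n",
    "GET /news/today.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: Mozilla/5.0\r\n",
    "POST /api/v1/metrics HTTP/1.1\r\nHost: monitor.example\r\nUser-Agent: python-requests/2.18\r\nContent-Type: application/json\r\n",
    "POST /api/v1/events HTTP/1.1\r\nHost: monitor.example\r\nUser-Agent: python-requests/2.18\r\nContent-Type: application/json\r\n",
]
# Constructed beacon-like request: unknown host, bare user agent, long opaque body.
SUSPECT_REQUEST = "POST /c HTTP/1.1\r\nHost: 198.51.100.9\r\nUser-Agent: -\r\n\r\nid=" + "A" * 96
```

With these inputs the browser requests and the API requests form two separate clusters, a new intranet page fetch scores near 0, and the beacon-like request scores above the threshold and costs the client trust.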

Slide 23

Detection of unreliable clients
• Maintain a numeric representation of the "trustworthiness" of each client, based on its history of communication.
• The Quarantine System algorithmically detects anomalous packets. In the case of an anomaly, the "trustworthiness" of the initiating client is lowered according to the degree of the anomaly.
• If a client's "trustworthiness" falls below a certain level, it is determined to be infected with malware.
  ⇨ Communications from infected clients are continuously blocked.
[Figure: trustworthiness scale from High (Safety, communication enabled) to Low (Risky, communication disabled)]
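The following Python, an added example rather than the SecLab team's implementation, puts the Destination Aggregates method and the trustworthiness rule together: per-interval destination count vectors, a per-subnet mean/covariance profile, the Mahalanobis distance, and a trust score that drops with the degree of anomaly until the verdict becomes DROP. The subnet list mirrors the demonstration network; the 3.0 threshold, the penalty factor, the blocking level and the normal history are constructed assumptions.

```python
"""Destination Aggregates with a trustworthiness score (added example; thresholds are assumptions)."""
import ipaddress
# Monitored destination groups, constructed to match the demo network (Subnets A, B, C).
SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.10.0/24", "192.168.100.0/24")]
THRESHOLD = 3.0  # assumed: Mahalanobis distance beyond ~3 sigma is anomalous
PENALTY = 5.0    # assumed: trust lost per unit of distance above THRESHOLD
BLOCK_AT = 50.0  # assumed: below this trust level the client is treated as infected

def destination_vector(dst_ips):
    """One interval of a client's traffic -> packet count per monitored subnet."""
    addrs = [ipaddress.ip_address(ip) for ip in dst_ips]
    return [float(sum(a in net for a in addrs)) for net in SUBNETS]

def invert(m):
    """Gauss-Jordan inverse of a small symmetric positive-definite matrix (no numpy needed)."""
    d = len(m)
    a = [row[:] + [float(i == j) for j in range(d)] for i, row in enumerate(m)]
    for c in range(d):
        a[c] = [x / a[c][c] for x in a[c]]
        for r in range(d):
            if r != c:
                a[r] = [x - a[r][c] * y for x, y in zip(a[r], a[c])]
    return [row[d:] for row in a]

def build_profile(history, ridge=1e-3):
    """Subnet tendency: mean vector and inverse covariance (ridge keeps it invertible)."""
    n, d = len(history), len(history[0])
    mu = [sum(v[j] for v in history) / n for j in range(d)]
    cov = [[sum((v[i] - mu[i]) * (v[j] - mu[j]) for v in history) / (n - 1) + ridge * (i == j)
            for j in range(d)] for i in range(d)]
    return mu, invert(cov)

def mahalanobis(v, mu, cov_inv):
    diff = [a - b for a, b in zip(v, mu)]
    return sum(diff[i] * cov_inv[i][j] * diff[j] for i in range(len(v)) for j in range(len(v))) ** 0.5

def evaluate(client, vector, profile, trust):
    """Lower trust by the degree of anomaly, then return the verdict for the controller."""
    dist = mahalanobis(vector, *profile)
    if dist > THRESHOLD:
        trust[client] = max(0.0, trust[client] - PENALTY * (dist - THRESHOLD))
    return ("DROP" if trust[client] < BLOCK_AT else "PACKET_OUT"), dist

# Constructed normal history of Subnet A: mostly local traffic, occasional packets to B and C.
NORMAL_HISTORY = [[8, 1, 0], [9, 0, 1], [7, 1, 0], [10, 1, 1], [8, 0, 1], [9, 2, 0], [8, 1, 1], [9, 1, 0]]

def demo_scan(client="192.168.1.1"):  # demo scenario: Host1 pings .1-.4 in every subnet
    profile, trust = build_profile(NORMAL_HISTORY), {client: 100.0}
    scan = [f"192.168.{s}.{h}" for s in (1, 10, 100) for h in range(1, 5)]
    return evaluate(client, destination_vector(scan), profile, trust)
```

A vector that matches the subnet's history stays well inside the threshold and is forwarded, while the all-subnet scan of the demonstration lands many standard deviations away and the client's traffic is dropped within the same interval.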

Slide 24

Demonstration
• Scenario: A client has initiated a network scan to survey all subnets.
• This is an anomalous communication behavior, based on past tendencies.
Anomalous communication behaviors: detect anomalies based on the history of destinations (tendencies) to which the clients communicate. When malware probes the internal network, packets with anomalous destinations are generated, and can be differentiated from normal traffic.

Slide 25

Anomalous communication behavior: surveying all subnets
[Figure: demonstration network. Subnet A 192.168.1.0/24: Host1-4 at .1-.4, Sv at .100, router at .254. Subnet B 192.168.10.0/24: Host5-8 at .1-.4, router at .254. Subnet C 192.168.100.0/24: Host9-12 at .1-.4, router at .254. Also shown: Router, Open Flow Switch, Quarantine System, Open Flow Controller.]

Slide 26

Anomalous communication behavior: surveying all subnets
[Figure: the same demonstration network (labelled here 192.168.0.0/24, 192.168.10.0/24, 192.168.100.0/24, with host addresses 0.1-.4, 1.10, 10.1-.4, 100.1-.4 and routers at .254). Also shown: Router, Open Flow Switch, Quarantine System, Open Flow Controller.]
Host1 has a malware infection ⇨ pinging all hosts

Slide 27

Overall summary
• Information leakage due to APT is a serious problem. To prevent information leakage, we built a system that prevents malware from expanding its influence, within the network itself.
• This system utilizes an algorithm for detecting anomalies based on the communication tendencies of clients.
• Future tasks
  • TCP fragment packet processing
  • Evaluate the system with actual malware
  • Detect encrypted backdoor communications
  • Consider a response method other than packet drop