Forensic Analysis for Epidemic Attacks in Federated Networks

Size: px

Start display at page:

Download "Forensic Analysis for Epidemic Attacks in Federated Networks"

Jessica Cobb
5 years ago
Views:

1 Forensic Analysis for Epidemic Attacks in Federated Networks Yinglian Xie, Vyas Sekar, Michael K. Reiter, Hui Zhang Carnegie Mellon University Presented by Gaurav Shah (Based on slides by Yinglian Xie and Michael Hsiao) 1

2 Forensic Analysis for Epidemic Attacks in Federated Networks Yinglian Xie, Vyas Sekar, Michael K. Reiter, Hui Zhang Carnegie Mellon University Presented by Gaurav Shah (Based on slides by Yinglian Xie and Michael Hsiao) 1

3 Internet Attacks 2

4 Internet Attacks Worm Infection 2

5 Internet Attacks Worm Infection 2

6 Internet Attacks Worm Infection 2

7 Internet Attacks Worm Infection 2

8 Internet Attacks Worm Infection 2

9 Internet Attacks Worm Infection Distributed DoS 2

10 Internet Attacks Worm Infection Distributed DoS 2

11 Internet Attacks Worm Infection Distributed DoS 2

12 Many More Potential Attacks Different time scales Seconds, hours, days Different means Various security exploits Different propagating methods Random scan, hit list scan Potentially infect a large number of nodes before an explicit or real attack 3

13 The Structure of Attacks Attackers Involved hosts (e.g., zombies) Identified Victims Worm Infection Distributed DoS Modern attacks are multi-level Large scale: difficult to defend Hidden trail: difficult to identify initial launch point 4

14 Existing Approaches Firewall Intrusion detection Identify compromised hosts [Paxson 98], [Roesch 99], [Staniford 96], [Jung 4] IP traceback Trace to the source of a packet [Snoeren 1], [Savage ], [Bellovin 1], [Burch ] Build better perimeter or find only the lowest level of activities 5

15 Existing Approaches Firewall Intrusion detection Identify compromised hosts [Paxson 98], [Roesch 99], [Staniford 96], [Jung 4] IP traceback Trace to the source of a packet [Snoeren 1], [Savage ], [Bellovin 1], [Burch ] Build better perimeter or find only the lowest level of activities 5

16 Existing Approaches Firewall Intrusion detection Identify compromised hosts [Paxson 98], [Roesch 99], [Staniford 96], [Jung 4] IP traceback Trace to the source of a packet [Snoeren 1], [Savage ], [Bellovin 1], [Burch ] Build better perimeter or find only the lowest level of activities 5

17 Network Forensics Keep communication records Permit post-mortem analysis of patterns across network and time Scope: Internet and Intranet Correct weak points in a network perimeter Deter future similar attacks 6

18 Attacks utilize indirection Attackers and victims must communicate for the attack to propagate Independent of attacks Visible to the network Globally correlate the communication events General across all types of attacks Applicable to different attack propagation speeds Possible with/without attack signature 7

19 Host Contact Graph and Attack Trees Hosts I H G F E D C B A Causal edge Non causal attack edge Normal edge Node in infected state Node before infection t1 t2 t3 t4 t5 t6 t7 t8 Time Figure 1: Example of host contact graph showing the communication between hosts. Attack edges are shown as arrows in black (both solid and dashed). Filled nodes correspond to hosts in an infected state. 8

20 Feasibility of Network Forensics Need to collect network flow information Data to be collected around 1Gbps 4.5TB for one hour of data Given complete information, can we find needles in the haystack? Host contact graph is large and noisy Algorithms to identify global correlation 9

21 Reconstruction Methods Globally correlate local observations Step 1: Assign initial P(involved) E.g., local IDS Step 2: Identify the most likely paths Maximum likelihood estimate Random walk sampling Step 3: Refine P(involved) A feedback loop B, E are likely involved: given pattern, so are C,F 1

22 Random Moonwalks Observation: many attacks have a tree structure A random walk on the host contact graph: Start with an arbitrarily chosen flow Pick a next step flow randomly to walk backward in time Intuition Walks converge to higher levels of the host attack tree Top level causal infection flows emerge as high frequency flows Theoretical study Random walk is effective in finding the initial causal flows for fast attacks 11

23 Random Moonwalks Observation: many attacks have a tree structure A random walk on the host contact graph: Start with an arbitrarily chosen flow Pick a next step flow randomly to walk backward in time Intuition Walks converge to higher levels of the host attack tree Top level causal infection flows emerge as high frequency flows Theoretical study Random walk is effective in finding the initial causal flows for fast attacks 11

24 Random Moonwalks Observation: many attacks have a tree structure A random walk on the host contact graph: Start with an arbitrarily chosen flow Pick a next step flow randomly to walk backward in time Intuition Walks converge to higher levels of the host attack tree Top level causal infection flows emerge as high frequency flows Theoretical study Random walk is effective in finding the initial causal flows for fast attacks

25 Random Moonwalks Observation: many attacks have a tree structure A random walk on the host contact graph: Start with an arbitrarily chosen flow Pick a next step flow randomly to walk backward in time Intuition Walks converge to higher levels of the host attack tree Top level causal infection flows emerge as high frequency flows Theoretical study Random walk is effective in finding the initial causal flows for fast attacks

26 Random Moonwalks Observation: many attacks have a tree structure A random walk on the host contact graph: Start with an arbitrarily chosen flow Pick a next step flow randomly to walk backward in time Intuition Walks converge to higher levels of the host attack tree Top level causal infection flows emerge as high frequency flows Theoretical study Random walk is effective in finding the initial causal flows for fast attacks

27 Random Moonwalks Observation: many attacks have a tree structure A random walk on the host contact graph: Start with an arbitrarily chosen flow Pick a next step flow randomly to walk backward in time Intuition Walks converge to higher levels of the host attack tree Top level causal infection flows emerge as high frequency flows Theoretical study Random walk is effective in finding the initial causal flows for fast attacks

28 Random Moonwalks Observation: many attacks have a tree structure A random walk on the host contact graph: Start with an arbitrarily chosen flow Pick a next step flow randomly to walk backward in time Intuition Walks converge to higher levels of the host attack tree Top level causal infection flows emerge as high frequency flows Theoretical study Random walk is effective in finding the initial causal flows for fast attacks

29 Random Moonwalks Observation: many attacks have a tree structure A random walk on the host contact graph: Start with an arbitrarily chosen flow Pick a next step flow randomly to walk backward in time Intuition Walks converge to higher levels of the host attack tree Top level causal infection flows emerge as high frequency flows Theoretical study Random walk is effective in finding the initial causal flows for fast attacks

30 Random Moonwalks Observation: many attacks have a tree structure A random walk on the host contact graph: Start with an arbitrarily chosen flow Pick a next step flow randomly to walk backward in time Intuition Walks converge to higher levels of the host attack tree Top level causal infection flows emerge as high frequency flows Theoretical study Random walk is effective in finding the initial causal flows for fast attacks

31 Random Moonwalks Observation: many attacks have a tree structure A random walk on the host contact graph: Start with an arbitrarily chosen flow Pick a next step flow randomly to walk backward in time Intuition Walks converge to higher levels of the host attack tree Top level causal infection flows emerge as high frequency flows Theoretical study Random walk is effective in finding the initial causal flows for fast attacks

32 Random Moonwalks Observation: many attacks have a tree structure A random walk on the host contact graph: Start with an arbitrarily chosen flow Pick a next step flow randomly to walk backward in time Intuition Walks converge to higher levels of the host attack tree Top level causal infection flows emerge as high frequency flows Theoretical study Random walk is effective in finding the initial causal flows for fast attacks

33 Random Moonwalks Observation: many attacks have a tree structure A random walk on the host contact graph: Start with an arbitrarily chosen flow Pick a next step flow randomly to walk backward in time Intuition Walks converge to higher levels of the host attack tree Top level causal infection flows emerge as high frequency flows Theoretical study Random walk is effective in finding the initial causal flows for fast attacks

34 Random Moonwalks Observation: many attacks have a tree structure A random walk on the host contact graph: Start with an arbitrarily chosen flow Pick a next step flow randomly to walk backward in time Intuition Walks converge to higher levels of the host attack tree Top level causal infection flows emerge as high frequency flows Theoretical study Random walk is effective in finding the initial causal flows for fast attacks

35 Structure of the Selected Flows Worm source Top Frequency Flows display a tree-like structure 12

36 Federated Forensics Administrative Domain (AD) a network under a single administrative authority possesses an independent traffic monitor Network Forensic Alliance (NFA) a collaborative effort involving multiple ADs to provide network-wide & localized forensic capabilities 13

37 Distributed Random Moonwalks Each AD performs its own local random moonwalk ADs do cross-domain exchanges For flows whose source lies in another AD Other AD might start its own local moonwalk Post-processing Identify top frequency flows locally Exchange and identify top flows globally 14

38 Distributed Random Moonwalks Parameters: Maximum number of AD hops to traverse (H) Sampling Window Size Local walk-length d(i) Traffic Normalization factor 15

39 Partial Deployment Not all ADs might participate Different Strategies to continue Discard Random selection Routing-path based selection Routing-horizon based selection 16

40 Evaluation Performance of distributed approach (accuracy) Overhead of federated forensics Is architecture incentive-compatible? Effect of partial deployment on performance 17

41 Performance and Overhead Detection accuracy closely matches that of a centralized random moonwalk Increases with increase in worm propagation rate Communication overhead increases with increase in AD-hops (H) So does accuracy Overhead is of the order of 1-3 fraction of total traffic records 18

42 Incentive Compatibility Causal Flow detection accuracy increases with collaboration Can detect more initial infected hosts Can detect more initial causal flows along the edge Large ADs gain more by collaboration 19

43 Partial Deployment Important for large ADs to participate Accuracy drop can be significant Much less significant impact if worm is localpreferential scanning 2

44 Issues and Limitations Slow-rate attacks Server-targeted attacks Latent-period varying attacks Topology-aware attacks Information leakage attacks Mis-information and information-hiding attacks 21

45 Summary Distributed Random Moonwalks can be useful in attack identification and reconstruction Many Challenges Storage and Archival Anonymization of network traces and flow information for exchange Query Management Distributed Query Infrastructure? Vulnerability to different attack strategies 22

CE Advanced Network Security Network Forensics

CE Advanced Network Security Network Forensics CE 817 - Advanced Network Security Network Forensics Lecture 22 Mehdi Kharrazi Department of Computer Engineering Sharif University of Technology Acknowledgments: Some of the slides are fully or partially