Internet Behavioral Analytics (IBA) using Self Learning Networks. JP Vasseur, PhD, Cisco Fellow BRKSEC-3056


3 Agenda Why a predictive analytics approach for next generation security? Security Trends Advanced Malware Self Learning Networks (SLN) Internet Behavioral Analytics (IBA) Architectural Overview Anomaly Detection (AD) A slightly deeper Dive into SLN Analytics (Machine Learning Engines) Building Contexts! Conclusion Visualization and Demo

4 Why a predictive analytics approach for next generation security? Multi-layered defense architectures are no longer sufficient to prevent breaches caused by advanced malware... No longer a question of if or when but where... Many of the well-known assumptions are no longer true: attacks come from the outside, are deterministic and well understood (advanced multi-vector attacks, ...). Attacks are more and more subtle (hard to detect...). Signature-based approaches hardly scale facing subtle and mutating attacks (polymorphic malware, ...). Dramatic increase of the number of 0-day attacks.

5 Why a new predictive analytics approach for next generation security? If we agree that... existing defense layers cannot block attackers; attacks are multi-vector, highly sophisticated, and mutating; internal systems are compromised... What do we do? This is what the payment industry has been using for years! => not just avoiding fraud but reducing risk. Make detection much more effective (use of predictive behavioral analytics) and ubiquitous (distributed); detect and react quickly (towards a next-gen control architecture).

6 Is it simply a big data problem?

7 What is a Self Learning Network (SLN)? [Figure: diagrams of a PCE request scheduler (arrival queue, selection process, optional packing of correlated requests, estimation of the EPR, preemption levels, dynamic priority increase based on EPR and waiting time, high/low priority queues, reroute and reoptimization), an analytics pipeline and advanced networking] Cisco's Self Learning Networks. Why learning? The network is truly adaptive thanks to advanced analytics. Why a paradigm shift? Move from a trial-and-error model to a proactive approach using models built with advanced analytics. The hard part is not just the analytics but the underlying architecture for self-learning and the how-to.

8 SLN Architecture [Figure: network edge (LAN, WPAN), private/public network (VPN, public Internet), datacenter and cloud] SLN Central Engine (SCA): controller, orchestration and interaction with remote learning agents (DLA), advanced visualization, centralized policy. Distributed Learning Agent (DLA): granular data collection with knowledge extraction, (lightweight) analytics and learning. Edge Control Architecture (ECA): autonomous embedded control, fast closed loop, advanced networking control (police, shaper, recoloring, redirect, ...), application hosted on devices (SDN).

9 Self Learning Networks Initial Deployment Scenarios (March 14). Internet Behavioral Analytics (IBA) for security: network behavioral analytics for detection of 0-day attacks and various network anomalies; auto-learn new threats; massively distributed, global, real-time protection (Cisco Internet Behavioral Analytics). IWAN path optimization: predict network behavior and traffic patterns based on multivariable and time-based modeling; automatically select and optimize the network path in real time, based on business SLAs. IoT/IoE: predictive models for large scale networks enable high performance and high resiliency.

10 Security Trends Advanced Malware

11 (Distributed) Denial-of-Service Attacks [Figure: botnet attackers reaching the victim across the Internet directly, through an app-layer C&C server, or through reflectors; exhaustion and volumetric attacks] Direct attack: originates from compromised hosts (or directly from the attacker). Reflection attack: send a spoofed request to a vulnerable server, the response goes to the victim. Amplification attack: a small request produces a large reply, so little attack bandwidth is required.

12 An example... The Internet of Things Technical challenges in IoT networks: Connectivity is inherently unstable Limited bandwidth Constrained nodes Harsh environment Hyper-scale Randomness and unpredictability Other challenges: determinism, etc.... Deployed IoT network, 800 nodes, April 2013 How do we detect anomalies in IoT networks without edge analytics?

13 DoS attack: Signal Jamming in IoE networks [Figure: APIC and NMS behind a public/private cellular (3G) router, WPAN of 3400 nodes] Scenario: An attacker emits an interfering RF signal whenever it detects jammer activity. Interference makes the frame impossible to decode (same as in the case of a collision). The attacker can switch targets in order to cause routing oscillations. Situation as of today: large scale LLNs are prone to DoS attacks! No need to obfuscate the whole spectrum: transmitting at a bit rate of less than 1 kbps, a jammer can make the reception success rate drop dramatically. A low-end IoT node with modified firmware is sufficient for such a DoS attack.

14 Evolution of C&C using DGA algorithms. C2 channels used to rely on a list of hard-coded addresses... Objective of DGA (aka Domain Fluxing) based malware: dynamically generate a domain name the attacker would have registered (usually 1h before) => increase resiliency against static reputation defensive systems. DGA algorithms use date, time and a seed value to generate and test a list of candidate domains (to check whether a C&C server is available). Most abused Top Level Domains (TLD) are .com, .ru and .com. Damballa performed DNS passive analysis (PushDo malware): 1,380 domains generated per day (inferred periodicity close to one day!). The malware will generate fake traffic to legitimate web sites in an attempt to mask its command and control communications, with 200 domain names to contact including many universities and Internet Service Providers... In another method of obfuscation, the command and control servers will also respond with a JPEG image with encrypted, embedded malware payloads to hide any additional files it wants to download.

15 Evolution of C&C using Peer to Peer networks (P2P Network). The first version of Zeus was based on a centralized C&C server (2007), then moved to P2P (called P2P Zeus or Zeus Gameover). Used both for malware dropping, DDoS, ... The overall P2P Zeus network (~200K bots) is divided into sub-botnets (hard coded by an ID) controlled by individual botnet masters: 1) bots use the P2P network to exchange binaries and configuration, 2) exchange the list of proxy bots where stolen data can be sent and commands can be received. P2P Zeus makes use of a DGA should the P2P network be disrupted. Actual C2 layer... C2 proxy layer: dedicated HTTP servers (no bots) communicating with proxybots. Periodically a subset of bots are assigned the status of proxybot (botmaster pushing a crypto-signed announcement) => used to fetch commands and drop stolen data. [Figure: sub-botnets, proxybot layer and C2 proxy layer]

16 Evolution of C&C: Fast Flux DNS - Single Flux. Infected host queries DNS for the C&C server FQDN (hardcoded or from a Domain Generation Algorithm (DGA)). Authoritative DNS for the C&C domain is controlled by the botnet master. DNS reply has a very short TTL (a few minutes). Uses botnet members as C&C relays; cycles very quickly through C&C relay hosts (based on availability, connection quality, ...). Greatly reduces the possibility of C&C server takedown: rapidly-changing, optimized set of C&C endpoints. Still possible to take down the C&C DNS server(s). [Figure: the infected host asks the root DNS for domain botnet.tld and is told to ask ns.botnet.tld (the botnet master's DNS server for the C&C domain); it then queries cc.botnet.tld and receives C&C Relay 1, then C&C Relay 2, which forward to the real C&C server]

17 Evolution of C&C: Fast Flux DNS - Double Flux. Same as Single Flux with the addition of rapidly changing authoritative DNS for the C&C domain. Botnet master updates low-TTL NS entries through a permissive DNS registrar. Uses some botnet members as DNS relays, and others as C&C relays (2 layers). Massively complicates botnet takedown. Think of a botnet combining Fast Flux / Double Flux with DGA, and possibly other techniques such as Peer-to-Peer. [Figure: the infected host asks the root DNS for domain botnet.tld and is told to ask ns.botnet.tld; the query for cc.botnet.tld is answered by DNS Relay 1 / DNS Relay 2 (fronting the real DNS server), which return C&C Relay 1 / C&C Relay 2 (fronting the real C&C server); both relay layers are botnet members]

18 Botnets and Data Ex-Filtration Techniques Size can range from thousands to millions of compromised hosts Botnet can cause DDoS & other malicious traffic (spam,...) to originate from the inside of the corporate network C&C (C2) servers become increasingly evasive Fast Flux Service Networks (FFSN), single or double Flux DGA-based malware (Domain Generation Algorithms) DNS Tunneling Peer-to-Peer (P2P) protocols Anonymized services (Tor) Steganography, potentially combined with Cryptography Social media updates or messages Mixed protocols... Timing Channels Internet C&C Server(s)
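The DGA, single/double fast-flux and botnet slides above describe three DNS-side symptoms a defender can measure at the resolver: clients that burn through many NXDOMAIN answers on random-looking names (candidate-domain probing), names whose second-level label has unusually high character entropy, and names that keep resolving to new addresses under a tiny TTL. The block below is an added example, not code from the presentation or from Cisco SLN; the log records, addresses, the entropy/length thresholds and the "3 distinct IPs under a 300 s TTL" rule are constructed assumptions chosen to illustrate the indicators, not tuned values.

```python
import math
from collections import defaultdict

# Constructed resolver log: (client, queried name, rcode, answer IPs, TTL seconds).
# Names and addresses are invented for this example.
DNS_LOG = [
    ("10.1.1.5", "www.example.com", "NOERROR", ["192.0.2.34"], 3600),
    ("10.1.1.5", "cdn.example.net", "NOERROR", ["203.0.113.10"], 1800),
    ("10.1.1.7", "xk3qzv9tmw.com", "NXDOMAIN", [], 0),
    ("10.1.1.7", "p0h7rlq2cs.ru", "NXDOMAIN", [], 0),
    ("10.1.1.7", "b9fmzq1xd.com", "NXDOMAIN", [], 0),
    ("10.1.1.7", "k4wz8ytjqv.com", "NOERROR", ["198.51.100.7"], 120),
    # one name answered repeatedly with different hosts and a very short TTL
    ("10.1.1.9", "cc.botnet.tld", "NOERROR", ["198.51.100.21"], 60),
    ("10.1.1.9", "cc.botnet.tld", "NOERROR", ["198.51.100.22", "198.51.100.23"], 60),
    ("10.1.1.9", "cc.botnet.tld", "NOERROR", ["198.51.100.24"], 60),
]


def shannon_entropy(text):
    """Bits per character of the empirical character distribution of text."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(name):
    """Second-level label, e.g. 'example' for www.example.com
    (assumption: a one-label TLD; real deployments use a public-suffix list)."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_algorithmic(name, min_entropy=3.0, min_len=8):
    """Constructed heuristic: long, high-entropy labels are typical of DGA output."""
    label = registrable_label(name)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def nxdomain_ratio_by_client(log):
    """Share of a client's queries that failed; DGA probing drives this up."""
    totals, failures = defaultdict(int), defaultdict(int)
    for client, _name, rcode, _ips, _ttl in log:
        totals[client] += 1
        if rcode == "NXDOMAIN":
            failures[client] += 1
    return {c: failures[c] / totals[c] for c in totals}


def dga_suspects_by_client(log):
    """Map client -> sorted list of random-looking names it asked for."""
    out = defaultdict(set)
    for client, name, _rcode, _ips, _ttl in log:
        if looks_algorithmic(name):
            out[client].add(name)
    return {c: sorted(names) for c, names in out.items()}


def fast_flux_candidates(log, min_distinct_ips=3, max_ttl=300):
    """Names seen with many distinct answer addresses under a short TTL,
    the single-flux pattern described on the slide."""
    ips_seen, min_ttl = defaultdict(set), {}
    for _client, name, rcode, ips, ttl in log:
        if rcode != "NOERROR":
            continue
        ips_seen[name].update(ips)
        min_ttl[name] = min(ttl, min_ttl.get(name, ttl))
    return sorted(n for n in ips_seen
                  if len(ips_seen[n]) >= min_distinct_ips and min_ttl[n] <= max_ttl)


if __name__ == "__main__":
    print("NXDOMAIN ratio:", nxdomain_ratio_by_client(DNS_LOG))
    print("DGA-looking names:", dga_suspects_by_client(DNS_LOG))
    print("fast-flux candidates:", fast_flux_candidates(DNS_LOG))
```

Each indicator on its own is noisy (CDNs also use short TTLs and many addresses, and some legitimate hostnames look random), which is exactly why the deck insists on modeling normal behavior per site and letting the user tune sensitivity rather than shipping fixed thresholds; the numbers here are placeholders to be replaced by learned baselines.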

19 Self Learning Networks (Internet Behavioral Analytics) Architectural Overview

20 SLN Architecture (APIC-EM) [Figure: network edge (LAN, WPAN), private/public network (VPN, public Internet), datacenter and cloud] Controller infrastructure: plugin with a RESTful HTTP API to the SCA. SLN Central Engine (SCA): orchestration and interaction with remote learning agents (DLA), hosted HTTP server (user interface), advanced visualization, CPU-intensive learning, centralized policy, Northbound API (alerts, predictions, recommended actions, trending data), MLM updates towards the DLAs. Distributed Learning Agent (DLA): Network Sensing Component (NSC) receives network data (NetFlow, ART, media metrics) from the network element (e.g. a Cisco router acting as NetFlow exporter) and produces abstracted network characteristics; Distributed Learning Component (DLC) with Traffic-AD and Graph-AD; Network Control Component (NCC) with the Predictive Control Module (PCM) modifying network behavior through the DQoS, ABR, DCAC and OnePK APIs. Granular (OnePK) data collection with knowledge extraction, (lightweight) analytics and learning, autonomous embedded control, fast closed loop, advanced mitigation (police, shaper, recoloring, redirect, ...), application hosted on devices (SDN).

21 SLN Architecture: Network Sensing Component. Receives network and network element data from various sources on the local router: NetFlow data from appropriate interfaces to achieve IP address visibility; interface counters; network element CPU, memory, NetFlow exporter status, other status. Processes and forwards data to the machine learning modules for analysis. [Figure: main office router behind NAT connected to the Internet]

22 Looking at the network under every angle. Graph-based modeling (GraphAD): structural changes and lateral movements; suspicious patterns (exfiltration). App-based modeling (AppAD): changes in application behavior; unusual patterns of application usage. Host-based modeling (HostAD): suspicious host and user activities; misconfigurations and software bugs.

23 Edge Control Architecture [Figure: controller and SCA, DLA hosts over VPN / public Internet, honeypot (forensic analysis), volumetric DDoS source; control actions shown: DSCP rewrite, CBWFQ shaping, divert/redirect (GRE tunnel)] Control policy: DLA hosts record. Smart traffic flagging according to {Severity, Confidence, Anomaly_Score}. DNS and HTTP applications: traffic segregation & selection. Smart flagging. Network-centric control (shaping, policing, divert/redirect).

24 Motivations for Distributed Edge Analytics and Control. Data is consumed locally (no impact on WAN bandwidth!) => the amount of data that would have to be sent to the cloud is, in many cases, a non-starter. Granularity: allows finding anomalies related to granular data => required to detect evasive attacks. Visibility: traffic does not systematically transit through the data center. Access to data only available locally (e.g. DPI, network states, ...). Each DLA builds its own model (no one-size-fits-all). Local context (from ISE, ...). Privacy: a major plus, since privacy may be violated if user data is sent to the DC and/or cloud. Complementary to other approaches: does not replace FW/IPS, centralized analytics, ...

25 Visualization

26 SLN Visualization: Why is it Hard? Challenge of distilling the complexity of the analytics into data exploitable by NOC and SOC engineers. Must be intuitive, rich in multiple levels of information and still not confusing. Level-1: high level dashboard: visualize the state of the network, keep an eye on any change, be warned of anomalies in real time. Level-2: interactive map with SLN semantics and tools: replay the network activity related to the anomaly, instantly mitigate the related flows.

27 Control the sensitivity of the system (triggers complex mechanics underneath) Real-time Gauge indicative of the learning state of the system


30 Visualization

31 Anomaly Detection

32 Internet Behavioral Analytics: What is an anomaly? A pattern in data that does not conform to an expected (normal observed/learned) behavior. Challenges: one main challenge is that the data often comes without any class labels, that is, the ground truth of which data instances are anomalous and non-anomalous does not exist. Defining a normal region in a multi-dimensional space is hard (boundaries are generally not precise). Malicious actions try to adapt to look normal. Normal behaviors keep evolving (adaptive models are required). Anomalies differ according to the application. Usually a lack of labeled data for training and validating models. Hard to differentiate noise and actual anomalies. [Figure: normal regions with outlying points p1, p2, p3]

33 On mathematical models... Machine Learning: refers to a number of algorithms and models (a subset of Artificial Intelligence) Science Fiction? Not at all! Machine Learning is being used in a number of fields: aircraft, healthcare, predictions of many kinds,... No one size fits all... Usually a combination of algorithms, which used together, provide a very powerful adaptive approach... Learning at the edge of the network (SLN) makes it even harder... Implies on-line learning with limited storage and CPU processing to achieve reactiveness and scalability Number of in-house algorithms developed by Cisco over the past two years for Self Learning Networks

34 NFL Theorem (No Free Lunch) in Machine Learning We have dubbed the associated results NFL theorems because they demonstrate that if an algorithm performs well on a certain class of problems then it necessarily pays for that with degraded performance on the set of all remaining problems. (Wolpert and Macready)

35 Beyond security anomalies... Security threats: detection of known and unknown attack patterns (no static signatures) leading to a change in the behavior of a host in terms of traffic patterns, graph structure, etc.; data ex-filtration thanks to a C2 channel; lateral movements; (Distributed) Denial of Service (DoS). Misbehaving devices: (non-legit) use of (massive) undesirable scanning in the network; software defects (e.g. a switch or router dropping packets because of a corrupted RIB/FIB, or a persistent loop caused by a routing protocol hitting a corner case). Behavioral changes: introduction of a new networking or end-device configuration; deployment of a new application may lead to dramatic behavioral changes. Misconfigured devices: configuration changes such as a misconfigured ACL, route redistribution policy, QoS policy maps, ...

36 Does the concept of False Positive make any sense?

37 Does the concept of False Positive make any sense? False Positive: an anomaly raised by the system that the user considers non-anomalous. Technically speaking, Behavioral Analytics detects abnormal behaviors (non-expected/modeled events), which may or may not be of interest. What matters... is to perform proper modeling and learn the events of interest for the user. This makes the notion of FP totally subjective! Solutions: perform proper modeling... this is the base (still HARD to do but a MUST); allow for control of the system sensitivity; allow for user feedback in order to determine which profiles of anomalies are of interest.

38 A Slightly Deeper Dive into SLN Analytics (Machine Learning Engines)

39 Learning at the edge: processing pipeline. Sensing: sense network dynamics through NetFlow, DPI and local network element states. Features: extract measurable characteristics of the network state. Modeling: construct a statistical model of the normal traffic and network dynamics. Detection: identify relevant deviations from the normal behavior. Scoping: establish the likely root cause of the detected deviations.

40 Feature construction. Raw data (NetFlow, DPI, local states) goes through sensing and is turned into a high-dimensional feature vector. Features: statistical moments (mean, standard deviation, skewness, percentiles), derivatives and entropy of key metrics such as: number of flows; traffic volume (in bytes, in packets); application breakdowns; transport protocol flags; DNS queries and requests; number of sources, destinations; source and destination ports.

41 GraphAD: Aggregation. Communication between hosts in a network can be viewed as a directed graph. [Figure: graph of /24 regions labelled JAPAN, SENSITIVE REGION, FRANCE, CALIFORNIA, NEW YORK, GERMANY] Graph structure can be used to infer anomalous behaviors not visible at the host level only: e.g., scanning / malware propagation behaviour. Detect subtle and unusual patterns in the graph structure, including stealthy and unusual interactions between sensitive countries!

42 GraphAD: Surprising Interactions. [Figure: traffic matrix over the /24 regions (JAPAN, SENSITIVE REGION, FRANCE, NEW YORK, CALIFORNIA, GERMANY) with a "surprising interaction" towards the sensitive region and an "unsurprising interaction" between two regions that talk regularly] Traffic matrix input: probabilistic estimate of interaction frequency. Fit a graph model: representation of interactions between graph regions. Interaction scoring: based on the graph model, measure the surprise of a conversation.
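The three GraphAD steps on the slide above (traffic matrix as a probabilistic estimate of interaction frequency, a model of interactions between graph regions, and a surprise score per conversation) can be carried through end to end with a very small model: aggregate hosts to /24 regions, count conversations over a learning window, smooth the counts into probabilities, and score each new conversation by its self-information. The block below is an added example, not code from the presentation or from Cisco's GraphAD engine; the /24-to-region mapping, the flows, and the choice of Laplace smoothing as the graph model are constructed assumptions (the region names are the ones on the slide).

```python
import math
from collections import Counter

# Constructed mapping from /24 prefixes to graph regions (prefixes invented).
REGION_OF_PREFIX = {
    "10.1.0": "NEW YORK", "10.2.0": "CALIFORNIA", "10.3.0": "FRANCE",
    "10.4.0": "GERMANY", "10.5.0": "JAPAN", "10.9.0": "SENSITIVE REGION",
}
REGIONS = sorted(set(REGION_OF_PREFIX.values()) | {"UNKNOWN"})


def region_of(ip):
    """Aggregate a host address to its /24 region (UNKNOWN if unmapped)."""
    return REGION_OF_PREFIX.get(ip.rsplit(".", 1)[0], "UNKNOWN")


def traffic_matrix(flows):
    """Count conversations between regions over a learning window."""
    return Counter((region_of(src), region_of(dst)) for src, dst in flows)


def interaction_model(matrix, regions=REGIONS, alpha=1.0):
    """Probabilistic estimate of interaction frequency for every ordered
    region pair, Laplace-smoothed so that pairs never seen in the learning
    window keep a small non-zero probability instead of an infinite surprise."""
    total = sum(matrix.values())
    cells = len(regions) ** 2
    return {(a, b): (matrix[(a, b)] + alpha) / (total + alpha * cells)
            for a in regions for b in regions}


def surprise(model, src_region, dst_region):
    """Self-information of a conversation in bits: rare pairs score high."""
    return -math.log2(model[(src_region, dst_region)])


def rank_conversations(model, flows):
    """Score observed flows and return them most surprising first."""
    scored = [(src, dst, surprise(model, region_of(src), region_of(dst)))
              for src, dst in flows]
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Constructed learning window: New York and California talk a lot, France
# and Germany a little, and nothing ever touches the sensitive region.
LEARNING_FLOWS = (
    [("10.1.0.%d" % i, "10.2.0.5") for i in range(1, 7)]
    + [("10.2.0.%d" % i, "10.1.0.9") for i in range(1, 5)]
    + [("10.3.0.1", "10.4.0.%d" % i) for i in range(1, 3)]
    + [("10.4.0.2", "10.3.0.1")]
)
# Constructed flows from a later window; one of them reaches the sensitive region.
NEW_FLOWS = [("10.1.0.3", "10.2.0.5"), ("10.5.0.8", "10.9.0.2"), ("10.3.0.1", "10.4.0.1")]

MODEL = interaction_model(traffic_matrix(LEARNING_FLOWS))

if __name__ == "__main__":
    for src, dst, bits in rank_conversations(MODEL, NEW_FLOWS):
        print("%-10s -> %-10s  %5.2f bits" % (src, dst, bits))
```

The Japan-to-sensitive-region conversation scores highest because the model assigns it only the smoothing mass, while the New York-to-California flow is cheap because that edge dominated the learning window. A production graph model would replace the flat pair-count table with something that generalises across regions, but the scoring step (surprise as negative log-probability under the learned model) is the same.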

43 Host-based Anomaly Detection. Features belong to a high-dimensional (hundreds of dimensions) space. They are studied jointly, with few underlying statistical hypotheses, in a computationally efficient way. Feature vectors are decomposed into elementary pieces of normal behavior, among a large (> 100) number of possibilities, in the most efficient way possible in terms of required CPU. The wider the discrepancy between the observation and its reconstruction, the more anomalous the observation is deemed. The system auto-adapts to newly learned normal behavior.

44 HostAD: Fundamentals. Behaviors contribute to a set of words (dictionary), the behavioral model, e.g. HOST WITH MANY NEIGHBORS RECEIVING MANY HTTP FLOWS or HOST WITH FEW NEIGHBORS EMITTING FEW HTTP BYTES (words built from terms such as HOST, MANY, FEW, DESTINATIONS, BYTES, HTTP, CLIENT, SOURCES, ICMP, FLOWS). Behaviors of hosts are observed as a sentence (i.e. a sequence of words). Behaviors are evaluated by trying to explain them based on the model. Hosts whose behavior cannot be explained (i.e., reconstructed), such as HOST WITH FEW NEIGHBORS RECEIVING MANY HTTP FLOWS, point to an anomaly.

45 HostAD: words as high-dimensional vectors. [Figure: network element -> host-based observer -> feature constructor -> dataset (one feature vector per observation of each host) -> feature vector (32 dimensions)] Input features:
1. Number of flows per source
2. Number of flows per destination
3. Number of unique destination IP addresses
4. Number of unique source IP addresses
5. Number of unique source ports
6. Number of unique destination ports
7. Entropy of source ports
8. Entropy of destination ports
9. Proportion of HTTP source ports
10. Proportion of HTTP destination ports
11. Proportion of DNS source ports
12. Proportion of DNS destination ports
13. Number of bytes as source
14. Number of bytes as destination
15. Number of DNS requests
16. Number of DNS replies
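The feature construction slide (statistical moments and entropy of key metrics) and the 16 HostAD input features above are easiest to understand by computing them for two hosts from raw flow records. The block below is an added example, not code from the presentation; the NetFlow-style records are constructed, and where the slide leaves a definition open (which flows "source ports" and "destination ports" are taken over, and that "HTTP ports" means 80/443) the interpretation used is an assumption and is noted in the code.

```python
import math
from collections import Counter

HTTP_PORTS = {80, 443}   # assumption: "HTTP ports" on the slide means 80 and 443
DNS_PORT = 53

# Constructed NetFlow-style records (addresses and ports invented): a
# workstation doing two DNS lookups and two web sessions, plus a second host
# sweeping port 445 across a /24 with tiny flows.
FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.2", "sport": 51000, "dport": 53, "bytes": 70},
    {"src": "10.0.0.2", "dst": "10.0.0.5", "sport": 53, "dport": 51000, "bytes": 120},
    {"src": "10.0.0.5", "dst": "10.0.0.2", "sport": 51001, "dport": 53, "bytes": 72},
    {"src": "10.0.0.2", "dst": "10.0.0.5", "sport": 53, "dport": 51001, "bytes": 130},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "sport": 51002, "dport": 80, "bytes": 4200},
    {"src": "192.0.2.10", "dst": "10.0.0.5", "sport": 80, "dport": 51002, "bytes": 58000},
    {"src": "10.0.0.5", "dst": "192.0.2.20", "sport": 51003, "dport": 443, "bytes": 3100},
    {"src": "192.0.2.20", "dst": "10.0.0.5", "sport": 443, "dport": 51003, "bytes": 21000},
] + [
    {"src": "10.0.0.77", "dst": "10.0.1.%d" % i, "sport": 40000 + i, "dport": 445, "bytes": 60}
    for i in range(1, 21)
]


def entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def fraction(values, wanted):
    """Share of values that fall in the set wanted (0.0 when there are none)."""
    return sum(1 for v in values if v in wanted) / len(values) if values else 0.0


def host_features(host, flows):
    """The 16 per-host input features from the slide over one observation
    window. Assumption: port features are taken over the flows the host
    originates; DNS requests are flows it sends to port 53 and DNS replies
    flows it receives from port 53."""
    out = [f for f in flows if f["src"] == host]   # host is the source
    inc = [f for f in flows if f["dst"] == host]   # host is the destination
    sports = [f["sport"] for f in out]
    dports = [f["dport"] for f in out]
    return {
        "flows_as_source": len(out),
        "flows_as_destination": len(inc),
        "unique_dst_ips": len({f["dst"] for f in out}),
        "unique_src_ips": len({f["src"] for f in inc}),
        "unique_src_ports": len(set(sports)),
        "unique_dst_ports": len(set(dports)),
        "entropy_src_ports": entropy(sports),
        "entropy_dst_ports": entropy(dports),
        "http_src_port_ratio": fraction(sports, HTTP_PORTS),
        "http_dst_port_ratio": fraction(dports, HTTP_PORTS),
        "dns_src_port_ratio": fraction(sports, {DNS_PORT}),
        "dns_dst_port_ratio": fraction(dports, {DNS_PORT}),
        "bytes_as_source": sum(f["bytes"] for f in out),
        "bytes_as_destination": sum(f["bytes"] for f in inc),
        "dns_requests": sum(1 for f in out if f["dport"] == DNS_PORT),
        "dns_replies": sum(1 for f in inc if f["sport"] == DNS_PORT),
    }


def feature_vector(host, flows):
    """The feature dict flattened in the slide's order, ready for a model."""
    return list(host_features(host, flows).values())


def all_hosts(flows):
    return sorted({f["src"] for f in flows} | {f["dst"] for f in flows})


if __name__ == "__main__":
    for h in ("10.0.0.5", "10.0.0.77"):
        print(h, feature_vector(h, FLOWS))
```

Compare the two vectors: the scanning host has twenty unique destinations, a single destination port (entropy 0.0), source-port entropy of log2(20), and almost no bytes, which is the kind of combination no "word" learned from normal workstations will reconstruct well. Feeding such raw counts into a model also shows why the deck computes moments and percentiles over a window rather than using one snapshot: byte counts and flow counts live on very different scales and need normalising before reconstruction error means anything.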

46 HostAD: Reconstruction Error. Dictionary of 25 words. [Figure: 32-dimensional vectors shown in 3 dimensions; an original vector next to its reconstruction from the dictionary; reconstruction error = original - reconstruction, shown as error = 24.28 in the example] The dictionary contains the most representative vectors of the whole dataset (i.e., those that allow for the best reconstruction of all other vectors).
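Slides 43 to 46 describe the HostAD scoring loop: a feature vector is decomposed into a few elementary pieces of normal behavior (dictionary words), and the size of what the words cannot explain is the anomaly score. The block below is an added example, not code from the presentation or Cisco's HostAD; it implements the decomposition as greedy orthogonal matching pursuit (one way to realise "decomposed into elementary pieces ... in the most efficient way possible", not necessarily the method the deck uses) on a constructed three-word dictionary in four dimensions instead of the slide's 25 words in 32 dimensions. The threshold rule (mean plus k standard deviations of the errors seen on normal observations) is likewise an assumption.

```python
import math


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def norm(a):
    return math.sqrt(dot(a, a))


def normalize(a):
    n = norm(a)
    return [x / n for x in a]


def axpy(alpha, a, b):
    """b + alpha * a, element-wise."""
    return [bi + alpha * ai for ai, bi in zip(a, b)]


def sparse_reconstruct(x, dictionary, sparsity):
    """Greedily explain x with at most `sparsity` dictionary words
    (orthogonal matching pursuit). Returns (reconstruction, error, words used),
    where error is the Euclidean norm of the part the words could not explain."""
    atoms = [normalize(w) for w in dictionary]
    residual = list(x)
    basis, chosen = [], []
    for _ in range(min(sparsity, len(atoms))):
        # the unused word that explains most of the remaining residual
        best = max((i for i in range(len(atoms)) if i not in chosen),
                   key=lambda i: abs(dot(atoms[i], residual)))
        if abs(dot(atoms[best], residual)) < 1e-12:
            break
        # Gram-Schmidt: keep only the part of the word not already spanned
        q = list(atoms[best])
        for b in basis:
            q = axpy(-dot(q, b), b, q)
        if norm(q) < 1e-12:
            break
        q = normalize(q)
        basis.append(q)
        chosen.append(best)
        residual = axpy(-dot(residual, q), q, residual)
    reconstruction = [xi - ri for xi, ri in zip(x, residual)]
    return reconstruction, norm(residual), chosen


def anomaly_threshold(errors, k=3.0):
    """Mean + k standard deviations of the errors seen on normal observations."""
    mean = sum(errors) / len(errors)
    std = math.sqrt(sum((e - mean) ** 2 for e in errors) / len(errors))
    return mean + k * std


def flag_anomalies(observations, dictionary, sparsity, threshold):
    """observations: {host: feature vector}. Returns the hosts whose vector
    the dictionary cannot reconstruct within the threshold."""
    return sorted(h for h, x in observations.items()
                  if sparse_reconstruct(x, dictionary, sparsity)[1] > threshold)


# Constructed toy dictionary: three "words" of normal behavior in a
# 4-dimensional feature space (the slide uses 25 words in 32 dimensions).
DICTIONARY = [[3.0, 1.0, 0.0, 0.0], [0.0, 2.0, 1.0, 0.0], [0.0, 0.0, 1.0, 3.0]]

# A host whose behavior is a mix of two words, and one that matches nothing.
NORMAL_HOST = axpy(2.0, normalize(DICTIONARY[0]), normalize(DICTIONARY[1]))
ODD_HOST = [0.0, 0.0, 0.0, 5.0]

if __name__ == "__main__":
    for name, x in (("normal", NORMAL_HOST), ("odd", ODD_HOST)):
        rec, err, words = sparse_reconstruct(x, DICTIONARY, sparsity=2)
        print(name, "error=%.3f" % err, "words=%s" % words)
```

The normal host is explained exactly by words 0 and 1 (error at floating-point noise), while the odd host is left with a residual above 1.4 no matter which two words are chosen, which is the "wide discrepancy between observation and reconstruction" the slides treat as an anomaly. Learning the dictionary itself (choosing the words that best reconstruct the whole dataset) is the part the deck keeps proprietary; this block only shows the scoring side given a dictionary.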

47 AppAD: Principles. Individual application dynamics are modeled using sparse autoencoders. Normal, usual application dynamics can be accurately reconstructed. Abnormal and unusual application dynamics lead to large reconstruction errors, which are the hallmark of anomalies. [Figure: the network element splits HTTP, DNS and ICMP traffic into per-application features feeding an HTTP model, a DNS model and an ICMP model; each autoencoder encodes the input (original) features into a high-dimensionality code with inactive neurons (sparsity) and decodes it into output (reconstructed) features] Input features (per application):
1. Number of active flows
2. Number of flows opened recently
3. Number of bytes
4. Number of packets
5. Number of unique source/destination IP addresses
6. Number of unique source/destination ports
7. Number of flows per source
8. Number of flows per destination
9. Number of flows per pair of hosts
10. Number of new correspondents in the last hour

48 AppAD: Reconstruction Error. [Figure: over time, the sparse activation of the high-dimensional code (inactive neurons for sparsity) between the input (original) features and the output (reconstructed) features, and the resulting MSE residuals / reconstruction error plotted against time]

49 What is Deep Learning? Deep Learning denotes a branch of machine learning that tries to model high-level representations of data using models with many layers and a high number of non-linear transformations There exist supervised and unsupervised Deep Learning algorithms The most successful Deep Learning architectures involve Artificial Neural Networks The best performances in recent machine learning challenges (such as the ImageNet Challenge) are achieved by Deep Learning algorithms, in particular by ANN-based Deep Learning architectures

50 On the use of Deep Neural Networks Input Features Detected Pattern Goal: detect subtle, yet generic patterns via a pre-trained Deep Neural Network (DNN) Pre-training is performed using a very large quantity of data that include many different scenarios of attack and background traffic Each model contains hundreds of thousands of neural connections. Deep ANN

51 Building Contexts!

52 Building contexts. SLN is not a solution providing cryptic alarms resulting from analytics on NetFlow. Context is built thanks to several components. Internal data feed: NetFlow but also (on-the-fly) Deep Packet Inspection (e.g. DNS). External data feeds: user names, location, authentication logs, types of devices (profiling)... using ISE; address allocation... using DHCP logs; location tracking; activity... DNS logs; threat intelligence feeds (reputation, ...); local on-device analytics with FireAMP (e.g. file trajectory, I/O, ...).

53 Moderator: Network context maker. Detections' typical traits are mapped to network tags. Typical network-centric metrics are rebuilt from anomaly traits. The knowledge map is built upon ML + networking expertise. The knowledge map is involved in building network-centric anomaly tags and network-centric metrics. K-map hand crafted by experts, validated on several real networks, tunable.

54 A fully integrated architecture... Building anomaly context. [Figure: the Distributed Learning Agent alongside ISE, network firewall, routing, switching, application visibility & control, FireSIGHT analytics & automation, clustering & high availability, and the subscription services URL filtering, intrusion prevention and advanced malware protection]

55 Conclusion [Figure: Cisco IBA on site with the SLN Central Engine (SCA) reached across the Internet] Cisco value proposition: the network-based data is analyzed locally by a Cisco application (SLN) using advanced and lightweight analytics. Disruptive approach for malware detection using behavioral analytics, heavily relying on dynamic learning, fully auto-adaptive. The router can perform mitigation. The problem is hard (lightweight, distributed) but this is the only scalable architecture available on the market!

56 Participate in the My Favorite Speaker Contest. Promote Your Favorite Speaker and You Could Be a Winner. Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress). Send a tweet and include your favorite speaker's Twitter handle <Speaker enter your Twitter handle here> and two hashtags: #CLUS #MyFavoriteSpeaker. You can submit an entry for more than one of your favorite speakers. Don't forget to view the official rules at

57 Complete Your Online Session Evaluation. Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect. Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

58 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Table Topics Meet the Engineer 1:1 meetings Related sessions

59 Thank you


More information

Cisco Tetration Analytics

Cisco Tetration Analytics Cisco Tetration Analytics Real-time application visibility and policy management using advanced analytics Yogesh Kaushik, Sr. Director Product Management PSOACI-2100 Agenda Market context Introduction:

More information

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM OVERVIEW The Verizon 2016 Data Breach Investigations Report highlights that attackers are regularly outpacing the defenders.

More information

RSA NetWitness Suite Respond in Minutes, Not Months

RSA NetWitness Suite Respond in Minutes, Not Months RSA NetWitness Suite Respond in Minutes, Not Months Overview One can hardly pick up a newspaper or turn on the news without hearing about the latest security breaches. The Verizon 2015 Data Breach Investigations

More information

AMP for Endpoints & Threat Grid

AMP for Endpoints & Threat Grid AMP for Endpoints & Threat Grid Response & Prevention Dean De Beer & Eric Hulse BRKSEC-2029 AMP Threat Grid Malware Analysis Engines & Techniques A little background Malware Analysis & Threat Intelligence

More information

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1 CISCO BORDERLESS NETWORKS 2009 Cisco Systems, Inc. All rights reserved. 1 Creating New Business Models The Key Change: Putting the Interaction Where the Customer Is Customer Experience/ Innovation Productivity/

More information

Securing Your Network with Anomaly Detection using Distributed Learning Architecture (Learning Networks)

Securing Your Network with Anomaly Detection using Distributed Learning Architecture (Learning Networks) Securing Your Network with Anomaly Detection using Distributed Learning Architecture (Learning Networks) Alex Honoré, CCIE #19553, Technical Leader, Engineering BRKSEC-3056 Self Learning Networks: A terrific

More information

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION A Novetta Cyber Analytics Brief Why SIEMs with advanced network-traffic analytics is a powerful combination. INTRODUCTION Novetta

More information

Securing Your Amazon Web Services Virtual Networks

Securing Your Amazon Web Services Virtual Networks Securing Your Amazon Web Services s IPS security for public cloud deployments It s no surprise that public cloud infrastructure has experienced fast adoption. It is quick and easy to spin up a workload,

More information

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer Cisco Next Generation Firewall and IPS Dragan Novakovic Security Consulting Systems Engineer Cisco ASA with Firepower services Cisco TALOS - Collective Security Intelligence Enabled Clustering & High Availability

More information

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta CYBER ANALYTICS Architecture Overview Technical Brief May 2016 novetta.com 2016, Novetta Novetta Cyber Analytics: Technical Architecture Overview 1 INTRODUCTION 2 CAPTURE AND PROCESS ALL NETWORK TRAFFIC

More information

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015 Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015 What Could It Cost You? Average of $0.58 a record According to the Verizon

More information

Demystifying Machine Learning

Demystifying Machine Learning Demystifying Machine Learning Dmitry Figol, WW Enterprise Sales Systems Engineer - Programmability @dmfigol CTHRST-1002 Agenda Machine Learning examples What is Machine Learning Types of Machine Learning

More information

AKAMAI CLOUD SECURITY SOLUTIONS

AKAMAI CLOUD SECURITY SOLUTIONS AKAMAI CLOUD SECURITY SOLUTIONS Whether you sell to customers over the web, operate data centers around the world or in the cloud, or support employees on the road, you rely on the Internet to keep your

More information

Video-Aware Networking: Automating Networks and Applications to Simplify the Future of Video

Video-Aware Networking: Automating Networks and Applications to Simplify the Future of Video Video-Aware Networking: Automating Networks and Applications to Simplify the Future of Video The future of video is in the network We live in a world where more and more video is shifting to IP and mobile.

More information

Forensic Network Analysis in the Time of APTs

Forensic Network Analysis in the Time of APTs SharkFest 16 Forensic Network Analysis in the Time of APTs June 16th 2016 Christian Landström Senior IT Security Consultant Airbus Defence and Space CyberSecurity Topics - Overview on security infrastructure

More information

PALANTIR CYBERMESH INTRODUCTION

PALANTIR CYBERMESH INTRODUCTION 100 Hamilton Avenue Palo Alto, California 94301 PALANTIR CYBERMESH INTRODUCTION Cyber attacks expose organizations to significant security, regulatory, and reputational risks, including the potential for

More information

A Unified Threat Defense: The Need for Security Convergence

A Unified Threat Defense: The Need for Security Convergence A Unified Threat Defense: The Need for Security Convergence Udom Limmeechokchai, Senior system Engineer Cisco Systems November, 2005 1 Agenda Evolving Network Security Challenges META Group White Paper

More information

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE Vectra Cognito HIGHLIGHTS Finds active attackers inside your network Automates security investigations with conclusive

More information

IBM Security Network Protection Solutions

IBM Security Network Protection Solutions Systems IBM Security IBM Security Network Protection Solutions Pre-emptive protection to keep you Ahead of the Threat Tanmay Shah Product Lead Network Protection Appliances IBM Security Systems 1 IBM Security

More information

RSA Security Analytics

RSA Security Analytics RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Analyze & prioritize alerts across various sources The cornerstone of security

More information

Encrypted Traffic Security (ETS) White Paper

Encrypted Traffic Security (ETS) White Paper Encrypted Traffic Security (ETS) White Paper The rapid rise in encrypted traffic is changing the security landscape. As more organizations become digital, an increasing number of services and applications

More information

Business Strategy Theatre

Business Strategy Theatre Business Strategy Theatre Security posture in the age of mobile, social and new threats Steve Pao, GM Security Business 01 May 2014 In the midst of chaos, there is also opportunity. - Sun-Tzu Security:

More information

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics Solution Overview Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics BENEFITS Gain visibility across all network conversations, including east-west and north-south

More information

Analyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS

Analyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS Analyzing Huge Data for Suspicious Traffic Christian Landström, Airbus DS Topics - Overview on security infrastructure - Strategies for network defense - A look at malicious traffic incl. Demos - How Wireshark

More information

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT? WHAT IS FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT? While firewalls started life simply protecting networks from outside hacks and attacks, the role of the firewall has greatly evolved to take

More information

Securing Your Microsoft Azure Virtual Networks

Securing Your Microsoft Azure Virtual Networks Securing Your Microsoft Azure Virtual Networks IPS security for public cloud deployments It s no surprise that public cloud infrastructure has experienced fast adoption. It is quick and easy to spin up

More information

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

White Paper. Why IDS Can t Adequately Protect Your IoT Devices White Paper Why IDS Can t Adequately Protect Your IoT Devices Introduction As a key component in information technology security, Intrusion Detection Systems (IDS) monitor networks for suspicious activity

More information

Cisco Cyber Threat Defense Solution 1.0

Cisco Cyber Threat Defense Solution 1.0 Cisco Cyber Threat Defense Solution 1.0 Contents 1. Introduction to the Cisco Cyber Threat Defense Solution 1.0 2. Technical overview of the Cisco Cyber Threat Defense Solution 1.0 3. Using the Cisco Cyber

More information

The Next Generation Security Platform. Domenico Stranieri Pre- Sales Engineer Palo Alto Networks EMEA Italy

The Next Generation Security Platform. Domenico Stranieri Pre- Sales Engineer Palo Alto Networks EMEA Italy The Next Generation Security Platform Domenico Stranieri Pre- Sales Engineer Palo Alto Networks EMEA Italy The Next Generation Enterprise Security Platform Core Value Proposition An Enterprise Security

More information

Novetta Cyber Analytics

Novetta Cyber Analytics Know your network. Arm your analysts. Introduction Novetta Cyber Analytics is an advanced network traffic analytics solution that empowers analysts with comprehensive, near real time cyber security visibility

More information

WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING

WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING A STRONG PARTNER COMPANY Link11 - longstanding security experience Link11 is a European IT security provider, headquartered in Frankfurt, Germany

More information

Intelligent and Secure Network

Intelligent and Secure Network Intelligent and Secure Network BIG-IP IP Global Delivery Intelligence v11.2 IP Intelligence Service Brian Boyan - b.boyan@f5.com Tony Ganzer t.ganzer@f5.com 2 Agenda Welcome & Intro Introduce F5 IP Intelligence

More information

Cisco Ransomware Defense The Ransomware Threat Is Real

Cisco Ransomware Defense The Ransomware Threat Is Real Cisco Ransomware Defense The Ransomware Threat Is Real Seguridad Integrada Abril 2018 Ransomware B Malicious Software Encrypts Critical Data Demands Payment Permanent Data Loss Business Impacts Ramifications

More information

ProCurve Network Immunity

ProCurve Network Immunity ProCurve Network Immunity Hans-Jörg Elias Key Account Manager hans-joerg.elias@hp.com 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

More information

Connection Logging. Introduction to Connection Logging

Connection Logging. Introduction to Connection Logging The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: Introduction to, page 1 Strategies, page 2 Logging Decryptable Connections

More information

User and Entity Behavior Analytics

User and Entity Behavior Analytics User and Entity Behavior Analytics Shankar Subramaniam Co-Founder, Niara Senior Director of Customer Solutions, HPE Aruba Introspect shasubra@hpe.com THE SECURITY GAP SECURITY SPEND DATA BREACHES 146 days

More information

Security Operations & Analytics Services

Security Operations & Analytics Services Security Operations & Analytics Services www.ecominfotech.biz info@ecominfotech.biz Page 1 Key Challenges Average time to detect an attack (Dwell time) hovers around 175 to 210 days as reported by some

More information

WHITE PAPER Hybrid Approach to DDoS Mitigation

WHITE PAPER Hybrid Approach to DDoS Mitigation WHITE PAPER Hybrid Approach to DDoS Mitigation FIRST LINE OF DEFENSE Executive Summary As organizations consider options for DDoS mitigation, it is important to realize that the optimal solution is a hybrid

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based

More information

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS 10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS WHITE PAPER INTRODUCTION BANKS ARE A COMMON TARGET FOR CYBER CRIMINALS AND OVER THE LAST YEAR, FIREEYE HAS BEEN HELPING CUSTOMERS RESPOND

More information

Implementing Cisco Network Security (IINS) 3.0

Implementing Cisco Network Security (IINS) 3.0 Implementing Cisco Network Security (IINS) 3.0 COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using

More information

Cisco APIC Enterprise Module Simplifies Network Operations

Cisco APIC Enterprise Module Simplifies Network Operations Cisco APIC Enterprise Module Simplifies Network Operations October 2015 Prepared by: Zeus Kerravala Cisco APIC Enterprise Module Simplifies Network Operations by Zeus Kerravala October 2015 º º º º º º

More information

Security analytics: From data to action Visual and analytical approaches to detecting modern adversaries

Security analytics: From data to action Visual and analytical approaches to detecting modern adversaries Security analytics: From data to action Visual and analytical approaches to detecting modern adversaries Chris Calvert, CISSP, CISM Director of Solutions Innovation Copyright 2013 Hewlett-Packard Development

More information

Comprehensive datacenter protection

Comprehensive datacenter protection Comprehensive datacenter protection There are several key drivers that are influencing the DDoS Protection market: DDoS attacks are increasing in frequency DDoS attacks are increasing in size DoS attack

More information

Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0

Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0 Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0 April 9, 2012 Introduction One of the earliest indicators of an impending network attack is the presence of network reconnaissance.

More information

SIEM Solutions from McAfee

SIEM Solutions from McAfee SIEM Solutions from McAfee Monitor. Prioritize. Investigate. Respond. Today s security information and event management (SIEM) solutions need to be able to identify and defend against attacks within an

More information

SentinelOne Technical Brief

SentinelOne Technical Brief SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by machine learning and intelligent automation. By rethinking

More information

Seceon s Open Threat Management software

Seceon s Open Threat Management software Seceon s Open Threat Management software Seceon s Open Threat Management software (OTM), is a cyber-security advanced threat management platform that visualizes, detects, and eliminates threats in real

More information

SDN Security BRKSEC Alok Mittal Security Business Group, Cisco

SDN Security BRKSEC Alok Mittal Security Business Group, Cisco SDN Security Alok Mittal Security Business Group, Cisco Security at the Speed of the Network Automating and Accelerating Security Through SDN Countering threats is complex and difficult. Software Defined

More information

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data SEE everything in your environment LEARN by applying security intelligence to data ADAPT defenses automatically ACT in real-time Sourcefire Solutions Overview Security for the Real World Change is constant.

More information

CCIE Collaboration Lab

CCIE Collaboration Lab CCIE Collaboration Lab Rami Kandah, Technical Leader Scott Hunt, UC Content Engineer James Lehto, UC Content Engineer David Mallory, CTO Learning@Cisco Overview: CCIE Certification Highest regarded IT

More information

The Invisible Threat of Modern Malware Lee Gitzes, CISSP Comm Solutions Company

The Invisible Threat of Modern Malware Lee Gitzes, CISSP Comm Solutions Company The Invisible Threat of Modern Malware Lee Gitzes, CISSP Comm Solutions Company November 12, 2014 Malware s Evolution Why the change? Hacking is profitable! Breaches and Malware are Projected to Cost $491

More information

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM RSA NETWITNESS EVOLVED SIEM OVERVIEW A SIEM is technology originally intended for compliance and log management. Later, as SIEMs became the aggregation points for security alerts, they began to be more

More information

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN Perimeter Defenses Enterprises need to take their security strategy beyond stacking up layers of perimeter defenses to building up predictive

More information

Use Cases. E-Commerce. Enterprise

Use Cases. E-Commerce. Enterprise Use Cases E-Commerce Enterprise INTRODUCTION This document provides a selection of customer use cases applicable for the e-commerce sector. Each use case describes an individual challenge faced by e-commerce

More information

NETWORK THREATS DEMAN

NETWORK THREATS DEMAN SELF-DEFENDING NETWORK NETWORK THREATS DEMAN NEW SECURITY: STRATEGIES TECHNOLOGIES Self-Propagating Threats A combination of: self propagating threats Collaborative applications Interconnected environments

More information

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved. Key Technologies for Security Operations 2 Traditional Security Is Not Working 97% of breaches led to compromise within days or less with 72% leading to data exfiltration in the same time Source: Verizon

More information

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS Overview Cyberattacks are increasingly getting more frequent, more sophisticated and more widespread than ever

More information

SentinelOne Technical Brief

SentinelOne Technical Brief SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by behavior-based threat detection and intelligent automation.

More information

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson THE RSA NETWITNESS SUITE REINVENT YOUR SIEM Presented by: Walter Abeson 1 Reality Goals GOALS VERSUS REALITY OF SIEM 1.0 Single compliance & security interface Analyze & prioritize alerts across various

More information

The Bots Are Coming The Bots Are Coming Scott Taylor Director, Solutions Engineering

The Bots Are Coming The Bots Are Coming Scott Taylor Director, Solutions Engineering The Bots Are Coming The Bots Are Coming Scott Taylor Director, Solutions Engineering Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information

More information

SOLUTION BRIEF RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD

SOLUTION BRIEF RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD OVERVIEW Information security has been a major challenge for organizations since the dawn of the

More information

Agile Security Solutions

Agile Security Solutions Agile Security Solutions Piotr Linke Security Engineer CISSP CISA CRISC CISM Open Source SNORT 2 Consider these guys All were smart. All had security. All were seriously compromised. 3 The Industrialization

More information

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 8 System Vulnerabilities and Denial of Service Attacks System Vulnerabilities and

More information

Monitoring the Device

Monitoring the Device The system includes dashboards and an Event Viewer that you can use to monitor the device and traffic that is passing through the device. Enable Logging to Obtain Traffic Statistics, page 1 Monitoring

More information

Question No: 2 Which identifier is used to describe the application or process that submitted a log message?

Question No: 2 Which identifier is used to describe the application or process that submitted a log message? Volume: 65 Questions Question No: 1 Which definition of a fork in Linux is true? A. daemon to execute scheduled commands B. parent directory name of a file pathname C. macros for manipulating CPU sets

More information

Cisco Firepower NGIPS Tuning and Best Practices

Cisco Firepower NGIPS Tuning and Best Practices Cisco Firepower NGIPS Tuning and Best Practices John Wise, Security Instructor High Touch Delivery, Cisco Learning Services CTHCRT-2000 Cisco Spark How Questions? Use Cisco Spark to communicate with the

More information

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches

More information

Streaming Prevention in Cb Defense. Stop malware and non-malware attacks that bypass machine-learning AV and traditional AV

Streaming Prevention in Cb Defense. Stop malware and non-malware attacks that bypass machine-learning AV and traditional AV Streaming Prevention in Cb Defense Stop malware and non-malware attacks that bypass machine-learning AV and traditional AV 2 STREAMING PREVENTION IN Cb DEFENSE OVERVIEW Over the past three years, cyberattackers

More information

Cognito Detect is the most powerful way to find and stop cyberattackers in real time

Cognito Detect is the most powerful way to find and stop cyberattackers in real time Overview Cognito Detect is the most powerful way to find and stop cyberattackers in real time HIGHLIGHTS Always-learning behavioral models use AI to find hidden and unknown attackers, enable quick, decisive

More information

DATA SHEET AlienVault USM Anywhere Powerful Threat Detection and Incident Response for All Your Critical Infrastructure

DATA SHEET AlienVault USM Anywhere Powerful Threat Detection and Incident Response for All Your Critical Infrastructure DATA SHEET AlienVault USM Anywhere Powerful Threat Detection and Incident Response for All Your Critical Infrastructure AlienVault USM Anywhere accelerates and centralizes threat detection, incident response,

More information

APIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks

APIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks APIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks Saurav Prasad Technical Marketing Engineer CTHNMS-1002 Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after

More information

August 14th, 2018 PRESENTED BY:

August 14th, 2018 PRESENTED BY: August 14th, 2018 PRESENTED BY: APPLICATION LAYER ATTACKS 100% 80% 60% 40% 20% 0% DNS is the second most targeted protocol after HTTP. DNS DoS techniques range from: Flooding requests to a given host.

More information

The New Normal. Unique Challenges When Monitoring Hybrid Cloud Environments

The New Normal. Unique Challenges When Monitoring Hybrid Cloud Environments The New Normal Unique Challenges When Monitoring Hybrid Cloud Environments The Evolving Cybersecurity Landscape Every day, the cybersecurity landscape is expanding around us. Each new device connected

More information

Artificial Intelligence Drives the next Generation of Internet Security

Artificial Intelligence Drives the next Generation of Internet Security Artificial Intelligence Drives the next Generation of Internet Security Sam Lee Regional Director sam.lee@cujo.com Copyright 2017 CUJO LLC, All rights reserved. Artificial Intelligence Leads the Way Copyright

More information