Monitoring and 3D Visualization of the Internet Threats

Transcription

1 Monitoring and 3D Visualization of the Internet Threats APAN Meeting Joint Workshop on SIP and Network Security Aug. 5 th, 2008 Masaki Ishiguro 1

2 1. Introduction Outline 1.1 Background and Motivations 1.2 Objectives 2. Overview of 3D Visualization System 2.1 System Overview 2.2 Capabilities of the System 2.3 Methodologies 2.4 Demonstration 3. Current Status & Future Plans 4. Conclusion 2

3 Introduction 3

4 Background and Motivation Internet threats caused by worms and botnets are becoming global and borderless. Threat information sharing and international coordination for response is indispensible. Attack techniques are becoming sophisticated, which makes incident invisible and obfuscate for usual PC users. Internet monitoring can help revealing invisible attacks in cyber space Economic incentives urge attackers toward more severe malicious activities. Raising the cost of attackers by threat monitoring and response can defer attack Impact of vulnerability of software are becoming wider internationally. Discovery of exploit codes, zero day attack by internet monitoring is promising Japanese government (NISC, METI) started promoting projects to strengthen technologies for security information sharing & analyses among counties for internationally coordinated incident responses. 4

5 Objectives Establish a common platform for Internet threat monitoring, information sharing & analyses of threats over the Internet. Promote collaboration among national & private sector CSIRT (Computer Security Incident Response Team) in Asia-Pacific region or around the world by using the common platform. Enhance capability of global threat analyses by incorporating 3D Visualization features to the common platform 5

6 Overview of 3D Visualization System 6

7 Cyber Space (IP address) The Internet Worms System Overview Sensor(Dark IP s) Geographic Space (Economy-based) Botnets Malicious Packets Sensor Sensor Encrypted Transfer SQL KML http mn128,may,13,05:40:11,111/tcp mn128,may,13,10:12:55,111/tcp mn128,may,13,10:13:04,111/tcp mn128,may,13,12:35:05,111/tcp mn128,may,13,12:35:05,111/tcp, mn128,may,13,20:25:27,111/tcp, mn128,may,13,20:25:27,111/tcp, mn128,may,13,20:25:30,111/tcp, Event Log Records DB Event Log Database (1) Secure (2) 24 7 Operation (3) Robust Analysis & 3D Visualization Server (1) Trend Analysis (2) Statistical Analysis (3) Threat Screening 3D Visualization Client (on GoogleEarth) (1) Flexible View (2) Manipulation (3) 3D Animation 7

8 3D Visualization of the Internet Threats Color & Width of Arrows Arrow: Src & Dest of Threat Popup: Analysis data 8

9 Monitoring Malicious Packets Passive Monitoring (Dark IP Sensors) Attacker (Worms, Bots) Attack / infectious packets (Malicious Packets) Sensor No response No network services are provided. 9

10 JP Malicious Packets and Unique Security Events Unique <src-ip, dst-ip> pair Sensor Sensor JP Sensor Example: U[JP:JP] = 4 U[CN:JP] = 2 U[JP:AU] = 3 U[CN:AU] = 1 U[JP:KR] = 0 U[CN:KR] = 3 Source IP CN AU Sensor Sensor Destination IP 1 3 KR 1 Sensor 1 Sensor 10

11 Threat Evaluation (Statistical Method) Time-Series Trend #Events Mean Poisson Distribution P = λ/n n Normal Distribution Probability density Historical Probability Distribution X N+1 (Current Time) Mean Standard Deviation Time X N+ 1 σ Z Score Event probability: (Normal distribution approximation) Z > 1.0 less than 16% Z > 2.0 less than 3% #Events 11

12 Calculation of Coordinates of Threat Arrows Directional vector :u s0 = (s d) s z Point S(s) Coordinates of arrows are calculated based on following coordinate transformation Point D(d) θ y Directional Vector: u d0 = (s d) d x φ Normal vector: nd0 = s d Great circle crossing points S and D 12

13 Capabilities of Visualization System Animation Controller (Time-Slide Bar) View Navigation Controller Threat Status(Arrows) (1) Color: Threat Level (2) Width: Traffic Threat data (1) Traffic (2) ZScore (3) Std.Dev Flexible Manipulation 13

14 Demonstration 14

15 Usage Scenario 1. Observe overall trend of threats. 2. Check and find some specific incident of concern. 3. Examine the analysis data and identify the port number and time of the incident. 4. Scrutinize the cause of the incident by looking into detail of event log database. 5. Announce alert and proceed to coordination for incident response. 15

16 Current Status/Future Plan So far: Deployed a sensor at Indiana University Started working with JPCERT/CC Stared collaboration with AusCERT in Australia MyCERT & JPCERT/CC informal agreement Sensor installed at AusCERT Future Plan Extend collaboration members Deploy sensors at collaborators Enhancement of Analysis & 3D Visualization System Establish global sharing and analysis environment 16

17 Conclusion Developed 3D Visualization & Analysis System Deployed sensors in US, Australia, Japan. The 3D Visualization server is open and anyone can access to the server and check latest status of the Internet. We welcome collaborators for monitoring and information sharing of the Internet threats. 17

18 Thank you very much! 18