European Internet Situation Awareness The Global View

Transcription

1 European Internet Situation Awareness The Global View Prof. Dr. Norbert Pohlmann Institute for Internet Security - if(is) University of Applied Sciences Gelsenkirchen

2 Content Main Research Focus of the Institute for Internet Security - if(is) Structure of the Internet Internet Analysis System (IAS) (Idea, Targets, Approach, Results) Global view Summary 2

3 Content Main Research Focus of the Institute for Internet Security - if(is) Structure of the Internet Internet Analysis System (IAS) (Idea, Targets, Approach, Results) Global view Summary 3

4 Main Research Focus Institute for Internet Security if(is) Internet: Research, Situation Awareness, Early Warning Internet Analysis System (IAS) Internet Availability System (IVS) LogData-Analysis-System, Intrusion Detection, for real time analysis Trusted Computing Turaya (Security Platform based on TPM) Trusted Network Connect (TNC) Anti-Spam Survey (German Government, ENISA) Distributed IP Reputation Systems, blacklist, Other actual topics: VoIP QoS/Security, Mobile Security, ID card, 4

5 Content Main Research Focus of the Institute for Internet Security - if(is) Structure of the Internet Internet Analysis System (IAS) (Idea, Targets, Approach, Results) Global view Summary 5

6 Structure of the Internet Autonomous Player Autonomous Systems (AS) The global Internet consists of thousands of independent networks, the Autonomous Systems (AS) Currently there are about different ASs advertised in the global Routing table The AS operators have different policies for the size and expansion of their network An AS needs a strategy to connect with other ASs using upstreams, private or public peerings There are more than logical connections between ASs at the moment Different types of Autonomous Systems Large Companies, e.g. business consumer (41 %) Internet Service Providers, e.g. IP-carrier (35 %) Universities (11 %) Internet Exchange Points, e.g. public data exchange nodes (2 %) 6

7 Structure of the Internet Connectivity of the Internet Ongoing analysis on the Route Views Snapshot <= 2 = 63 % <=10 = 94 % >10 = 6 % >100 = 0,4 % >300 = 0,1 % Economical necessities affect the carrier s proceeding This yields to a destabilization of the internet infrastructure What is imported in this field? We need an entity which keeps an eye on the level of connection and the reliability of all ASs in the Internet 7

8 Data volume / month in Germany Estimation A view on data streams exchanged between the networks! AS AS PRIVATE PEERING 50 Peta Byte (33%) AS AS INTERNAL 30 Peta Byte (20 %) autonomous System (AS) AS AS TRANSIT (Global ISP) 40 Peta Byte (27%) PUBLIC PEERING 30 Peta Byte (20%) TRANSIT (Customer) 150 Peta Byte (100%) AS AS 100 Peta Byte (66 %): dsl customer 50 Peta Byte (33 %): business customer 1 Peta Byte = Giga Byte 8

9 Structure of the Internet Analysis of Internet Germany Most important Autonomous Systems for Germany 9

10 Content Main Research Focus of the Institute for Internet Security - if(is) Structure of the Internet Internet Analysis System (IAS) (Idea, Targets, Approach, Results) Global view Summary 10

11 Internet Analysis System (1/3) Idea Observation of the critical infrastructure Internet. Probes are placed in thoughtfully selected spots of the internet communication infrastructure to gather the raw data, made up of counted header information. Only header information is counted, which is not considered as data privacy relevant. The system gathers information over a great period of time! A centrally managed Evaluation System is used to analyze the raw data and to display the detailed results in an intuitive manner. Internet Evaluation System IAS 11

12 Internet Analysis System (2/3) Targets Description of profiles, patterns and coherences, creation of a knowledge base. Outline of the current state of the internet. Detection of attacks and of deflections. Forecast of patterns and attacks. 12

13 Internet Analysis System (3/3) Counting of header information Number of Counters: - Max: Real-Ø:

14 IAS: Current State of Development Result: Knowledge base Distribution of Transport Protocols Profile shaping und trend development TCP UDP ESP IGMP GRE TCP 89% UDP 7% ICMP 14

15 IAS: Current State of Development Result: Knowledge base SYN-Scan (Potential Attack) Comparison between different periods Expected: SYN > SYN/ACK > 2xFIN/ACK (TCP teardown handshake) Gap between expected spreading and spreading in case of an attack Detection of attacks Expected Distribution SYN (31% - 52%) SYN/ACK (26% - 19%) FIN/ACK (43% - 30%) Unexpected Distribution 15

16 IAS: Current State of Development Result: Detection of attacks SYN-Scan (Potential Attack) Period of SYN scan can easily be detected SYN SYN/ACK FIN/ACK 16

17 IAS: Current State of Development Result: Knowledge base SMTP Content Type 60% text Mails 33 % attachments 4%: text/html 26%: text/plain 33%: multipart/mixed 30%: multipart/alternative 17

18 IAS: Current State of Development Result: Detection of attacks SMTP Content Type Temporarily more s witch attachments -> Mail-Virus! multipart/mixed 18

19 IAS: Current State of Development Result: Knowledge base HTTP Methods Diurnal rhythm HEAD used by automated processes GET und POST usually used by human users GET HEAD HEAD 6% GET 92% POST POST 2% 19

20 IAS: Current State of Development Result: Technology trend Distribution of browsers (Technology Trend) Diurnal profile Differences between manual use (e.g. Internet Explorer und Firefox) and automated use (z.b. wget) are detectable. Firefox Internet Explorer Firefox Internet Explorer Others Others (wget, etc) 20

21 IAS: Current State of Development Result: Awareness (Crypto used TLS)!! 0.1 %: RSA / Export (40) / SHA1 and 0.01 %: RSA / NULL / SHA1!! 60%: RSA / RC4 / MD5 33%: DHE_RSA AES / SHA1 6 %: RSA AES / SHA1 21

22 IAS: Current State of Development Situation Reports 22

23 IAS: Current State of Development Continuous situation awareness 23

24 Content Main Research Focus of the Institute for Internet Security - if(is) Structure of the Internet Internet Analysis System (IAS) (Idea, Targets, Approach, Results) Global view Summary 24

25 Idea of the global view Overview virtual probe local view local view P1 global view Generation of global view centrally managed Evaluation System global view global view local view P2 global view local view P3 local view local view probes 25

26 Idea of the global view Relation of used protocols Global representation of the relation of different protocols 11% Port 443 (TLS/SSL) 13% Port 443 (TLS/SSL) 89 % Port 80 (HTTP) 87 % Port 80 (HTTP) local view global view 26

27 Anomaly detection Malware Dangers on the internet (e.g.: attachment ZIP) 27

28 European Internet Situation Awareness Project idea (together with JRC) Internet Object: Internet Critical Assets This will help to: global data sensors statistics PPP partners improve the stability and trustworthiness of the European Internet, raise awareness for critical processes or components, and find out more about the European Internet and its users in order to better support to their needs and service demands... 28

29 Content Main Research Focus of the Institute for Internet Security - if(is) Structure of the Internet Internet Analysis System (IAS) (Idea, Targets, Approach, Results) Global view Summary 29

30 EU Internet Situation Awareness Summary Internet The internet is a critical infrastructure for our society We need a trusted infrastructure to protect our future Organisations running the infrastructure need to cooperate We need the global view of the Internet To identify the current status To see the new trends To get early warnings to reduce damage To make forecasts which help us to avoid damage Analogical to natural disaster warning systems, like the Tsunami warning system, we need a warning system for the internet to be able to issue countermeasures before the actual threat strikes at us. If you can t measure it, you can t manage it! Let us start together now! 30

31 European Internet Situation Awareness The Global View Thank you for your attention! Questions? Prof. Dr. Norbert Pohlmann Institute for Internet Security - if(is) University of Applied Sciences Gelsenkirchen

32 Internet Availability System (IVS) Idea Observation of the critical infrastructure Internet. Drones are placed in carefully selected spots to gather information on availability. Different types of availability data is gathered Important websites DNS service Communication routes of routers Services and Server Parameter: Quality of Service: Bandwidth, Bit Error Rate, Jitter, Delay, Packet Loss Rate A centrally managed Evaluation System is used to analyze the Rawdata and to display the detailed results in an intuitive manner. Internet Drone Drone IVS Drone: aktive Probe Placement of the drones is done independent from third parties! 32

33 IVS: Current State of Development Result Examples (1/2) The most traffic and the lowest throughput takes place between 6pm and 11pm rapidshare.de File Sharing Portal 33

34 IVS: Current State of Development Result Examples (2/2) Different routings have an influence on the bandwidth t-online.net Information Portal 34

35 Internet Analysis System (IAS) Introduction (1/2) Local View 35

36 Internet Analysis System (IAS) Introduction (2/2) Globale view Air Traffic Control 36