User Entity Behavior Analysis for Cyber Security. Dr. Chin-Hao, Eric, Mao Institute for Information Industry

Transcription

1 User Entity Behavior Analysis for Cyber Security Dr. Chin-Hao, Eric, Mao Institute for Information Industry

2 About me Section Manager, Cyber Trust Technology Institute, Institute for Information Industry EDUCATIONS and EXPERIENCES Ph. D., National Taiwan University of Science and Technology, Computer Science Visiting scholar in Carnegie Mellon University, CyLab Presentation: FIRST 2013/2014, CSA-APAC 2013, APCERT2014, (ISC)2 APAC Congress 2016 RESEARCH EXPERIENCES big data analytics, network security, intrusion detection, mobile APP static analysis more than 20+ academic journal and conferences papers 2

3 Outline 3

4 Outline What Data Analytics in Information Security do. Supervised Learning Decision Tree if 2 Unsupervised Learning- GMiner Anomaly Detection & Graph Mining ChainSpot (Sequential) PlayWright (Graph) Recommendation System & Data Visualization CloudOrion Conclusions 4

5 What Data Analytics in Information Security do Log Analysis IDS Logs Firewall Logs Web Server Access Logs Proxy Logs Active Directory Logs Social Media Twitter, FB, 5

6 Intrusion Detection System (IDS) Host IDS (HIDS) vs. Network IDS (NIDS) Detect the known attacking signature Port, attacking vector, or payload Highly depends on human fine tuning False alarm issue Usually contains following information: Event Name, Source IP, Source Port, Dest. IP, Dest. Port, TimeStamp A well-studied domain: False Alarm Reduction Multi-steps Attacks correlation Applied scenario: SOC (security operation center), CERT, ISAC...

7 Firewall Logs Firewall: blocking connection or transmission based on known blacklist or pre-defined policy Easy to deployment and use. Lacking of analysis ability as facing unseen attacking signature. (e.g. IP, Domain Name) Contain following information: Source IP, Source Port, Dest. IP, Dest. Port, Permit/Deny Also well-studied on large-scaled connection correlation Honeypot attacking pattern analysis Botnet structure analysis

8 Web Server Accessing Log Application-layer malicious behavior detection Web Server Accessing Logs contain: Source IP, Accessed Path, Access Status, Timestamp, Http header (optional), File Size(optional) Usually, a tradeoff is between log visibility and server execution performance Only application-layer malicious behavior such as script can be detected. (entry point into system level threats) Research emerged around 2005: Analyze the accessed path to detect SQL injection Graph mining on association graph of web access Build a classifier to predict a risk of a given request Users (visitor) Behavior!!

9 Proxy Logs Proxy is an agent deployed on gateway of an enterprise network. Recorded the Web surfing behavior Why web surfing behavior is important URL connection for C&C server communication and control. Detect the phishing web site. Detect malicious scanning attack. Containing: Source IP, Dest. URL, TimeStamp, Web Agent Info., MIME Research emerged around 2010 Analyze the malware behavior inside the enterprise network. Correlate other logs (IDS, FW, AD logs, etc.) to evaluate risk of an account User s Behavior!!

10 Active Directory Logs Operating system records connections or events, between client side and server side, of registered accounts. Containing: TimeStamp, Account, Source IP, Event Name, Sub- Event Annotation, Can be used to detect hidden malicious behavior: Anomaly login/logout behavior Anomaly resource allocation Anomaly permission granting User s Behavior!! Recently, AD is well-used on event tracking, however, it resulted in issue that AD data is big scale Companies in industry focused on AD-related research in last 2-3 years.

11 Different Kinds of Machine Learning

12 Supervised Learning Decision Trees

13 A Decision Tree Example The Weather Data ID code Outlook Temperature Humidity Windy Play a Sunny Hot High False No b Sunny Hot High True No c Overcast Hot High False Yes d Rainy Mild High False Yes e Rainy Cool Normal False Yes f Rainy Cool Normal True No g Overcast Cool Normal True Yes h Sunny Mild High False No i Sunny Cool Normal False Yes j Rainy Mild Normal False Yes k Sunny Mild Normal True Yes l Overcast Mild High True Yes m Overcast Hot Normal False Yes n Rainy Mild High True No

14 A Decision Tree Example Outlook sunny overcast rainy humidity yes windy high normal false true no yes yes no Decision tree for the weather data.

15 Supervised Learning Fuzzy Rule-based Classifier

16 if 2 : An Interpretable Fuzzy Rule Filter for Web Log Post-Compromised Malicious Activity Monitoring Chih-Hung Hsieh, Yu-Siang Shen, Chao-Wen Li, and Jain-Shing Wu AsiaJCIS

17 Motivation Traditionally, log tracking depending on heavy human effort Common method for identifying APT attacks become less useful because of various camouflages: VPN, Packing. That means you should have lots of time, domain experience, and good luck very much! 17

18 Interpretable Fuzzy Rule Filter (if 2 ) In fuzzy logic, a fuzzy rule base consists of multiple fuzzy rules with following structure 18

19 Exp. 3 Using if 2 to Analyze Web Access Log One real web access log dataset from a certain organization in Taiwan was collected for usage of demonstrating the performance of if 2. Total 5.36 gigabytes and 45,669,917 records from 545 distinct internet addresses are analyzed and labeled. There are only 22 suspicious internet addresses and 523 benign ones, and it is a typically extremely unbalanced dataset. 19

20 The 11 Statistics Used as Features 20

21 Exp. Resulted Rules The Human interpretable rule base of if 2 to differentiate suspicious internet addresses of 545-IPs from benign ones. 21

22 Anomaly Detection Probability Model - ChainSpot 22

23 ChainSpot: Mining Service Logs for Cyber Security Threat Detection 23

24 Motivation Target of APT is usually specific and personal Attackers usually invade enterprise and access sensitive data by using compromised accounts. We focus on detecting anomaly behavior or behavioral deviation for each employee (account) in an enterprise. 24

25 ChainSpot -Method We concern the anomaly behaviors extracted from Active Directory (Kerberos or NTLM authentication) & Proxy Server (web surfing usage) for each account. Sequential Data Synchronizer Correlate heterogeneous data (ADand Proxy) based on IP Address and interval time (3 days) of SOC Tickets AD Proxy 3 days SOC Ticket i timeline 25

26 ChainSpot -Method ChainSpot model sequential behaviors as a probabilistic model as baseline, and any change on employee s behaviors will results in an anomaly which may imply: Account has been compromised APT exists in an employee s host To properly model the sequential behaviors as a probabilistic model for each account, and to detect the anomalies based on deviation of account s behaviors. Markov Model for building probabilistic model Graph Edit Distance for estimating behavioral deviation 26

27 ChainSpot Method Markov Model For each account, we will build his Markov model using his normal action sequences Transition Probability Matrix An example of Markov Model 27

28 Heterogeneous Data Correlation For each account, we build his personal profile of state sequences which describe this account s sequential behaviors. Each state in a sequential data consists of followings For AD log sequence Event (e.g., No 4624, 4634) Reply Code (Only > 0x12, 0x18) For Proxy log sequence A Meta Behavior describing web surfing. ( e.g., GET and Download on microsoft.com then Failed ) HTTP Method E,g., GET, POST, Download or Upload Download when size in > size out Upload when size in < size out Domain Name Second Level Domain Access Result E.g., Allowed, Failed, 28

29 Experiment regarding to real environment Environment & Dataset Description: Contains about 1,089 accounts. Duration from 2015/08/01 to 2015/08/31. The active directory domain service of Windows Servers ver R2 results in 27,902,857 logs. The proxy service in the same duration generates 78,044,332 logs. Dataset Number of Categories in SOC Tickets: 6 29

30 Experiments (Cont d) Evaluation We divide Aug. logs of each account into three partitions: Training data A half of unlabeled data mapped by SOC Tickets Abnormal Testing data Labeled data mapped by SOC Tickets Normal Testing data Selection from all unlabeled data except Training data Compare the difference of Training data between Anomaly and Normal Testing data Experiment Hypothesis 30

31 Effectiveness of ChainSpot Hypothesis: The general effectiveness measuring gives 85.66% and87.17% success rates in terms of averaging on various types or averaging on different accounts. 31

32 How tight between Accounts (AD, Proxy) and IPs 32

33 AD Case Study -d Multiple Accounts login from single IP in short time 4658 Normal Testing 4661 Training Abnormal Testing Abnormal Data has no4661 -> 4662, > 4658 A handle to an object was requested (4661) Abnormal Data has > x18, x18 -> 4768 A Kerberos authentication ticket (TGT) was requested (4768) An operation was performed on an object (4662) The handle to an object was closed (4658) Kerberos pre-authentication failed (Bad Password) (4771 0x18) There is no complete service path in abnormal data, and which has error authentication by bad password 33

34 AD Case Study - administrator Too many logins in closing time Normal Testing Training Abnormal Testing An account failed to log on (4625) Abnormal Data has no followings : The handle to an object was closed (4658) A handle to an object was requested (4661) A new process has been created (4688) A Kerberos authentication ticket (TGT) was requested (4768) Kerberos pre-authentication failed (Bad PWD) (4771 0x18) A user account was locked out (4740) Abnormal and Normal Data both have followings : An account failed to log on (4625) Special privileges assigned to new logon (4672) The domain controller attempted to validate the credentials for an account (4776) 34

35 Proxy Case Study - b Host connects to Malicious Domain 35

36 Anomaly Detection Graph Mining - Playwright 36

37 Playwright: a Web Server-side Suspects Detector 37

38 Current Framework of Playwright 38

39 The Anomaly Logs Filter Module Intention 1 Web log volume too large to inspect with bare eyes Input Raw logs from web access record Output Filtered logs Example Illegal Characters Verify Module Unsual Parameter Usage Verify 39

40 The Attack Scene Matching Module Intention 2 There may not be only one candidate of attacking Tactics, Techniques, and Processes (TTPs). Input Kinds of filtered logs Output Attacking Scene with Associated Filtered logs 40

41 The Graph Constructor Module Intention 3 Concretize entities and associated relations of suspicious activities. Input Each Attacking Scene with Associated Filtered logs Output Suspicious Activity Graph Heterogeneous Graph Bipartite Graph hack.asp 1.asp asp Hacker maintains 3 IPs personal_taglist.asp cisc_search.asp Homogenous Graph 41

42 The Graph Pattern Matching Intention 4 Module Find trigger points (or threat seeds) where attacker is in an attempt to invade target Input Suspicious Activity Graph Output Heterogeneous Graph Bipartite Graph Homogenous Graph Entity labeled as suspect 42

43 Case 1 : IIS Logs System Compromise Case 2 : Apache Logs SQL Injection for Data Leakage Case 3 : Apache Logs System Compromise 43

44 Case 1 : IIS Logs System Compromise Case 2 : Apache Logs SQL Injection for Data Leakage Case 3 : Apache Logs System Compromise 44

45 Suspicious Activity Graph Construction - IIS Scope of Attacking Each IP correlates multiple files with illegal character. Scope of Attacking File Name IP Address Status Code Illegal Character Hacker s Action (File) Hacker s Action (IP Addres 45

46 Initial Threat Seed Finding: with priori knowledge about the threat pattern Our forensics team gives us priori knowledge to form the following patterns:

47 Initial Seeds Finding Regarding to Known Pattern How to ranking nodes in a graph based on their referring to each other. A B Page Rank Algorithm C Originally be used to rank Google retrieved pages 47

48 Is IP which hacker used different from others in Suspicious Activity Graph?! - IIS Problem: Investigate the role of IP Address in Suspicious Activity Graph Input: IPs x IPs Matrix n ij : num of Queried same File IP i to IP j 0: Queried by different File Output: Clustering Result IP 1 IP 2... IP N IP 1 IP 2 IP N n 11 0 n 1N n n NN IP X IP 48

49 Initial Threat Seed Finding: with priori knowledge about the threat pattern Blue: True Positive Green: Suspicious N i : The PR Score of ith IP N max : The Maximum PR Score Pagerank Evidence IPs Never Miss E E E E E-01 N i : The BP Score of ith IP N max : The Maximum BP Score Evidence IPs 1.00E E+00 Belief Propagation Miss

50 Initial Seeds Finding without Known Pattern How about the case that you don t have any priori knowledge SVD Effect of SVD 50

51 c0 Is IP which hacker used different from others in Suspicious Activity Graph?! (Cont d) SVD c c c c2 Malicious Benign c2 51

52 Limitation - SVD Hackers usually use different IPs to achieve their goal Test the Trojan (China Chopper) Weak Link IP Scan the architecture of website Outlier (Decomposition) & Pattern (Pagerank) Weak Link This kind of IP is not an outlier and easily ignored by SVD File Name IP Address Hacker s Action (IP Address) IP 1 China Chopp er IP 2 52

53 Limitation - SVD How to resolve Weak Link problem?! Use Graph Mining Algo. to propagate the threat score from IP1 (Seed) to IP2 Random Walk with Restart (RWR) Threat Seed as Start Point Weak Link File Name IP Address IP 1 China Chopp er IP 2 Hacker s Action (IP Address) 53

54 How to propagate the confidence once you have suspect candidate Random walk with restart

55 Threat Seed Propagation Given Data- or Knowledge-Driven Threat Seeds N i : The RWR Score of ith IP N max : The Maximum PR Score Blue: True Positive Green: Suspicious RWR Evidence IPs Never Miss

56 Threat Seed Propagation Given Data- or Knowledge-Driven Threat Seeds N i : The RWR Score of ith IP N max : The Maximum PR Score RWR Evidence IPs Blue: True Positive Green: Suspicious Never Miss

57 Case 1 : IIS Logs System Compromise Case 2 : Apache Logs SQL Injection for Data Leakage Case 3 : Apache Logs System Compromise 57

58 Suspicious Activity Graph Construction - Apache Case 2: Frequently SQL Injection 1. Previous Pattern can t be used because of./ is the index page (e.g., index.php, index.html and so on) 2. Need to consider the attribute: Illegal Characteristic File Name IP Address Illegal Character Hacker s Action (File) Hacker s Action (IP Address) Hacker s Illegal Character 58

59 Problem: Investigate the role of IP Address in Suspicious Activity Graph Outliers may be the candidates of initial threat seeds Input: Initial Threat Seed Finding: without priori knowledge IPs x (File m, IllegalChar n ) Matrix n ij : num of queried same (File m, IllegalChar n ) Output: by IP i and IP j 0: Never Queried by (File m, IllegalChar n ) Clustering Result (File m, IllegalChar n ) 1 (File m, IllegalChar n ) mxn IP 1 IP 2... IP N n 11 0 n mxnx1 n n mxnxn IP X (File m, IllegalChar n ) 59

60 Initial Threat Seed Finding: with priori knowledge about the threat pattern Our forensics team gives us priori knowledge to form the following patterns:

61 Initial Threat Seed Finding: with priori knowledge about the threat pattern N i : The PR Score of ith IP PAGERANK N max : The Maximum PR Score Blue: True Positive Green: Suspicious Evidence IPs Miss

62 Initial Threat Seed Finding: with priori knowledge about the threat pattern PAGERANK N i : The PR Score of ith IP N max : The Maximum PR Score Never Miss Blue: True Positive Green: SuspiciousEvidence IPs

63 c Initial Threat Seed Finding: without priori knowledge TENSOR c Only Query./ # Query is similar to normal c c c Malicious Benign c2 We change same # Query of with others

64 Threat Seed Propagation Given Data- or Knowledge-Driven Threat Seeds Use and (Tensor Results Outlier ) as Start Points for Random Walk with Restart (RWR) We expect that (in Unknown Data) can be detected by RWR Input: IPs x IPs Matrix n ij : num of queried same (File m, IllegalChar n ) by IP i and IP j 0: Never Queried by (File m, IllegalChar n ) c IP 1 IP 2 IP N IP 1 IP 2... IP N n 11 0 n 1N n n NN IP X IP Unknown Data c2

65 Threat Seed Propagation Given Data- or Knowledge-Driven Threat Seeds N i : The RWR Score of ith IP N max : The Maximum PR Score

66 Threat Seed Propagation Given Data- or Knowledge-Driven Threat Seeds N i : The RWR Score of ith IP N max : The Maximum PR Score RWR

67 Case 1 : IIS Logs System Compromise Case 2 : Apache Logs SQL Injection for Data Leakage Case 3 : Apache Logs System Compromise 67

68 Case 3: Suspicious Activity Graph Construction - Apache Scope of Attacking Each IP correlates multiple files with illegal character. Scope of Attacking File Name IP Address Status Code Illegal Character Hacker s Action (File) Hacker s Action (IP Addres 68

69 Case 3: Is role of IP different from others file hacker used in Suspicious Activity Graph?1 - Apache Problem: Investigate the role of IP Address in Suspicious Activity Graph Input: IPs x IPs Matrix n ij : num of Queried same File IP i to IP j 0: Queried by different File Output: Clustering Result IP 1 IP 2... IP N IP 1 IP 2 IP N n 11 0 n 1N n n NN IP X IP 69

70 c1 Case 3: Is role of IP different from others file hacker used in Suspicious Activity Graph?1 - Apache (Cont d) Benign c c2 SVD Benign c Benign c Malicious Benign c0 70

71 Case 3: Why using Propagation to evaluate Suspicious IPs?! - Apache The correlation between Files and IPs can t be evaluate in decomposition SVD We mention that evidence have the following patterns: Patterns Fil e Fil e Fil e IP Fil e Fil e Fil e Fil e 71

72 Case 3: Why using Propagation to evaluate Suspicious IPs?! - Apache (Cont d) Design a directed homogeneous graph to illustrate above patterns we found In this pattern, we expect to obtain high score IPs from graph when using propagation algorithm Pagerank Fil e Fil e Fil e Fil e IP Fil e Fil e Fil e 72

73 3.00E-01 Case 3: Why using Propagation to evaluate Suspicious IPs?! (Cont d) High Score IPs N i : The PR Score of ith IP PAGERANK N max : The Maximum PR Score Blue: True Positive Green: Suspicious Evidence IPs Miss E E E E E E

74 CloudOrion Cloud Threats Analytics 74

75 Men in The Cloud Detection Cloud Drive File of Team A File of Team B Team A Team B 75

76 CloudOrion- Google Drives Logs Analyzing cloud user behavior Access Log Scenario Policy Administrator Home Mobile Office 76

77 Visualization Threats Explorer Intuition to aware the potential threats in cloud Drill-down and quick response visualization analytics Full and deep views between cloud resources and users behavior User and Entity Behavior Analysis Danger Zone User access log 77

78 CTA UEBA Collaborative Filtering Using machine learning and artificial intelligence that analyze cloud logs via API sets CTA in cloud apart from state-ofthe-art cloud security solution Maliciou On Duty s Behavio r Off Duty Temporal Analysis Time-Series Analysis Deep Learning Spatial Analysis 78

79 Scenario Policy Enforcement Manage Google Drive and OAuth Tokens Decreasing risks of data leakage via Scenario Policy deployment :20:24 GMT Login from US IP Super Travel Policy :10:23 GMT Modify a file in Drive from Taiwan IP Detecting account compromising by 10+ scenario policies 79

80 Abnormal Behavior Detection Construct user behavior model over files in Drive User and Entity Behavior (UEBA) Quick identify potential threats Reversed collaborative filtering from file access behavior Edit, view and other behavior Drive file proximity score measuring User access log Detecting insider suspect with highrisk behavior Users past access behavior matrix User recent access behavior vector 80 Structure-oriented risk propagation

81 Case Study Inspected more than 1200 user accounts with more than 400,000 event logs every day About 100,000 distinct user-file access records every day Mantain 1200 increamental individual behavior models Find out anomaly access record from humongous of logs Automatically 81

82 Conclusions Easy start Anaconda Python ( ipython notebook!! Scikit-learn ( Tensor Flow ( Bokeh ( NetworkX ( ElasticSearch ( 82

83 Conclusions Good Tutorial Document Clustering with Python Using Machine Learning to Track IoT Vulnerability and Threats Unstructured data Structure data Together them 83

84 Thanks & Welcome Collaboration Ching-Hao, Eric, Mao Ph. D. CTTI,III, Taiwan 84

85 85