Developing the Sensor Capability in Cyber Security

Transcription

1

2 Developing the Sensor Capability in Cyber Security Tero Kokkonen, Ph.D

3 JYVSECTEC JYVSECTEC - Jyväskylä Security Technology - is the cyber security research, development and training center Located in the JAMK University of Applied Sciences, Institute of Information Technology

4 Organization

5 Intrusion Intrusion is a violation to compromise a computer system or network Intrusion Detection System tries to recognize those violations National Institute of Standards and Technology (NIST): Intrusion detection in a computer system or network is the process that itemizes events by the characteristics of possible incident incident is defined as violation against standard security practices, acceptable use policies, or computer security policies, covering also impending threat of violation.

6 Network or Host IDS Intrusion Detection Systems (IDS) can be divided according to the location Network Intrusion Detection System (NIDS) Host Intrusion Detection System (HIDS) Network intrusion detection systems are located in essential points of a certain network or segment of a network, where they monitor and analyse traffic for the benefit of intrusion detection. Host intrusion detection systems are located in a specific system or host, where they analyze the characteristics of e.g. incoming and outgoing packets, audit trails or software calls in terms of intrusion detection

7 IDS - basic solutions Intrusion detection can be divided into two basic solutions anomaly based detection (anomaly detection) and signature based detection (misuse detection) Signature based - intrusions are detected by comparing samples with known predefined signatures or attack patterns Accurate and effective for detecting known attacks Cannot detect state-of-the-art attacks with unknown signatures or attack patterns Mistakes in the signature definition will prejudice the intrusion detection Anomaly based - normal behavior profile is established and differences from that norm with the threshold are indicated as anomalies and detected as intrusions The advantage is capability to detect novel zero-day attacks with unknown attack patterns Generates large amount of false positives

8 Requirements for R&D-infrastructure Realistic Internet traffic generation and network infrastructure Generation of attack-free legitimate Internet traffic and intentionally mix it with illegal attack traffic Some public data sets are available (for example KDD-99) anonymized lack of realistic statistical characteristics no modern attack patterns available

9

10

11 RGCE and cyber security exercises National cyber security exercises Industrial cyber security exercises

12 Example 1

13 Analyzing HTTP requests from log data HTTP logs can include lot of information about client and client interaction with the web server. For example log line: frank [10/Oct/2000:13:55: ] "GET /apache_pb.gif HTTP/1.0" " "Mozilla/4.08 [en] (Win98; I ;Nav) Indicates the requesting client s IP address the client s identity (RFC 1413) user id as determined by HTTP authentication time stamp of the request received the client s request line the server status code to the client returned object s size referrer site that the client reports being referred from User-Agent header as the identifying information by the browser

14 Statistics for feature vectors Statistics based on requests Occurrence frequencies of the feature in log lines Statistics per time bin Sample entropy as the degree of disorder Concentration of the parameter s distribution

15 Statistics based on requests

16 Clustering example, K-means K-means clustering groups objects based on their feature values into K disjoint clusters Objects that are classified into the same cluster have similar feature values K is a positive integer number specifying the number of clusters, and has to be given in advance 1. Select the total number of clusters (K) 2. Choose random K points and set as centroid 3. Calculate the distance from each instance to all centroids 4. Assign each instance to the closest centroid 5. Recalculate the positions of the centroids 6. Repeat step 3-5 until the centroids do not change

17 Training the algorithm

18 Detection Sample 1: Anomalous/Intrusion Sample 2: Legitimate/Normal Treshold

19 Demonstration A vulnerable web server installed in the RGCE environment For testing the methods, normal network traffic and special attacks against the web server generated during a five-day time period On the first day, there is only legitimate traffic The next four days consists of legitimate traffic mixed with several attacks against the web server Attacks include scanning attacks, DoS attacks, bruteforce attacks and various targeted attacks The web server s HTTP logs gathered during these five days are then used to evaluate the performance of the proposed detection scheme

20 Results

21 Example 2

22 Analyzing encrypted on-line traffic The payload of the network packet information is unreachable because of traffic encryption focusing to the statistics of the headers of the packet The intrusion detection consists of the following phases Forming the behavior model of the normal user Finding the conversations which are segregating from that behavior model for detecting trivial attacks Analyzing the distribution of feature vectors in the clusters for detecting more sophisticated attacks

23 Information used Duration of the conversation Number of packets sent in 1 second Number of bytes sent in 1 second Maximal, minimal and average packet size Maximal, minimal and average size of TCP window Maximal, minimal and average time to live (TTL) Percentage of packets with different TCP flags: FIN, SYN, RST, PSH, ACK and URG Percentage of encrypted packets with different properties: handshake, alert, etc

24 Analysis Once all relevant features have been extracted and normalized, the resulting feature vectors can be used to determine the model of normal user behavior Feature vectors from the training phase are grouped into several clusters by applying a clustering algorithms During the detection phase, if the vector differs from those clusters the conversation is identified as intrusive

25 Demonstration Web shop service implemented in RGCE Cyber Range Communication through encrypted HTTPS protocol Total of 55 web shop users scattered with different global GeoIP locations within an roughly 2-hour long scenario All web shop users generated legitimate traffic, but some of them were also attackers who scanned the target and did Slowloris, Slowpost and advanced DDoS attacks The first 12 minutes of the dataset are only legitimate traffic used as the training set

26 Results

27 Example 3

28 Live Scenario

29 Next steps for detection capability Future research can be carried out to achieve better performance metrics and visualization about intrusions in complex networked systems As the future work, the utilization of the AI (Artificial Intelligence) for network anomaly detection should be developed and tested

30 Questions / Discussion

31 Contact information