Internet Continuous Situation Awareness
Prof. Dr. Norbert Pohlmann, Institute for Internet Security - if(is), University of Applied Sciences Gelsenkirchen, http://www.internet-sicherheit.de
Content
- Structure of the Internet
- Internet Situation Awareness
- Internet Analysis System (IAS)
- Global View
- Summary
Structure of the Internet: Example: Analysis of the Internet in Germany
(Figure: the most important autonomous systems for Germany.)

Data volume per month in Germany, estimation (2007): a view on the data streams exchanged between the networks (autonomous systems, AS).
- Private peering (AS to AS): 50 Petabyte (33%)
- Internal (within an AS): 30 Petabyte (20%)
- Transit (global ISP): 40 Petabyte (27%)
- Public peering: 30 Petabyte (20%)
- Transit (customer): 150 Petabyte (100%), of which 100 Petabyte (66%) private users and 50 Petabyte (33%) business customers
(1 Petabyte = 1,000,000 Gigabyte)
Structure of the Internet: Conclusion
- The Internet is more or less a black box to the various stakeholders.
- The Internet has by now become critical in some parts. One reason is the lack of global monitoring and control of the distributed infrastructure.
- When using the Internet today, the various stakeholders simply have to trust that everything will be fine.
- Situation awareness will help the various stakeholders in their decision-making process.
Internet Situation Awareness: Definition
The term Situation Awareness (SA) comes from the area of air traffic control and military command and control. The generic definition of the term is: Situation Awareness is the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future. (Defined by Endsley.)

Internet Situation Awareness: Added value
Situation Awareness (SA) is essential not just for the home user, to strengthen trust in using the Internet, but also for representatives of government, to devise Internet governance strategies for further development, and for enterprises planning to use the Internet as a reliable platform for business. Understanding the environment is crucial for the decision-making process, and a good Situation Awareness will reflect positively in the actions of the stakeholders. This alone already helps to reduce the potential disaster risk.
Internet Analysis System: Idea
- Observation of the critical infrastructure Internet.
- Probes are placed at strategically selected spots of the Internet communication infrastructure to gather the raw data, which consists of counters of header information. Only header information is counted, which is not considered relevant for data privacy.
- The system gathers information over a long period of time.
- A centrally managed Evaluation System is used to analyze the raw data and to display the detailed results in an intuitive manner.
(Figure: Internet, probes, Evaluation System, IAS.)

Internet Analysis System: Targets
- Description of profiles, patterns and coherences; creation of a knowledge base.
- Outline of the current state of the Internet.
- Detection of attacks and of deviations.
- Forecast of patterns and attacks.

Internet Analysis System: Counting of header information (1/2)
(Figure: each observed header value increments its counter by +1.)
Number of counters: max. 870,000; in practice on average 60,000.

Internet Analysis System: Counting of header information (2/2)
(Figure: counter value over time.)
All of this information is completely anonymous by design!
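The counting principle of the probes described above, as an added example that is not the IAS code itself: header fields of observed packets are turned into per-slot counters keyed only by (field, value), so that addresses never enter the stored data. The record layout, the 5-minute slot and the sample records are assumptions made for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

SLOT_SECONDS = 300  # assumed 5-minute counting interval

# Constructed header records (timestamp, src, dst, IP protocol, dst port,
# SMTP content type or None). The field layout is an assumption for this
# example; addresses are in the input but must never reach a counter.
RECORDS = [
    ("2007-05-01T10:00:05", "10.0.0.1", "192.0.2.7", "TCP", 80, None),
    ("2007-05-01T10:00:09", "10.0.0.2", "192.0.2.7", "TCP", 443, None),
    ("2007-05-01T10:01:30", "10.0.0.3", "192.0.2.25", "TCP", 25, "text/plain"),
    ("2007-05-01T10:02:11", "10.0.0.3", "192.0.2.25", "TCP", 25, "multipart/mixed"),
    ("2007-05-01T10:03:40", "10.0.0.4", "192.0.2.53", "UDP", 53, None),
    ("2007-05-01T10:06:02", "10.0.0.1", "192.0.2.7", "TCP", 80, None),
]


def slot_start(ts, slot_seconds=SLOT_SECONDS):
    """Unix time of the counting slot a timestamp belongs to."""
    epoch = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
    return int(epoch) // slot_seconds * slot_seconds


def count_headers(records, slot_seconds=SLOT_SECONDS):
    """Build {slot: Counter} from header fields only.

    Keys are (field, value) pairs such as ("proto", "TCP"); source and
    destination addresses are dropped, which is what makes the counters
    anonymous by design: only how often a header value was seen is kept.
    """
    counters = defaultdict(Counter)
    for ts, _src, _dst, proto, dport, ctype in records:
        c = counters[slot_start(ts, slot_seconds)]
        c[("proto", proto)] += 1
        c[("dport", dport)] += 1
        if ctype:
            c[("smtp_ct", ctype)] += 1
    return dict(counters)


def shares(counter, field):
    """Percentage share of each value of one header field within a slot."""
    items = {v: n for (f, v), n in counter.items() if f == field}
    total = sum(items.values())
    return {v: round(100.0 * n / total, 1) for v, n in items.items()}


def leaks_addresses(counters, records):
    """Privacy check: no counter key may carry an address seen in the input."""
    addrs = {r[1] for r in records} | {r[2] for r in records}
    return any(str(v) in addrs for c in counters.values() for (_f, v) in c)
```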
IAS: Current State of Development. Result: Knowledge base
Distribution of transport protocols; profile shaping and trend development.
(Charts: TCP, UDP, ESP, IGMP, GRE over time, with weekends visible; pie chart TCP 89%, UDP 7%, ICMP.)

IAS: Current State of Development. Result: Knowledge base
SMTP Content-Type:
- 60% text mails: 4% text/html, 26% text/plain, 30% multipart/alternative
- 33% attachments: 33% multipart/mixed

IAS: Current State of Development. Result: Detection of attacks (1/2)
SMTP Content-Type: temporarily more e-mails with attachments (multipart/mixed) -> mail worms/viruses!

Knowledge Base - IAS. Result: Detection of attacks (2/2)
PDF spam wave: port 25, Content-Type application/pdf.

IAS: Current State of Development. Result: Technology trend
Distribution of browsers (technology trend) and diurnal profile. Differences between manual use (e.g., Internet Explorer and Firefox) and automated use (e.g., wget) are detectable.
(Charts: Firefox, Internet Explorer, others such as wget.)

IAS: Current State of Development. Result: Awareness (crypto used in TLS)!!
- 60%: RSA / RC4 / MD5
- 33%: DHE_RSA / AES / SHA1
- 6%: RSA / AES / SHA1
- 0.1%: RSA / Export (40) / SHA1 and 0.01%: RSA / NULL / SHA1!!

IAS: Current State of Development. Result: Access connection (1/2)
Distribution of protocols (sum). (Chart: P2P, HTTPS, HTTP.)

IAS: Current State of Development. Result: Access connection (2/2)
Distribution of protocols over time. (Chart: P2P, HTTP.)

IAS: Current State of Development. Result: Technology trend (Firefox vs. IE)
(Chart: Firefox, Internet Explorer.)

IAS: Current State of Development. Result: Technology trend (TCP destination port 25)
(Chart: TCP destination port 25, SMTP.)

IAS: Current State of Development: Continuous Situation Awareness
Idea of the Global View: Overview
(Figure: probes P1, P2, P3 each produce a local view; the central system generates the global view from the local views and feeds it back to the probes; a virtual probe provides the global view.)

Idea of the Global View: Relation of used protocols
Global representation of the relation of different protocols (example: web communication).
- Local view: 11% port 443 (TLS/SSL), 89% port 80 (HTTP)
- Global view: 13% port 443 (TLS/SSL), 87% port 80 (HTTP)

Anomaly detection: Detection of malware
Dangers on the Internet (e.g., attachment ZIP): local view vs. global view.
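The local-view/global-view relation and the attachment-share detection above, as an added example that is not part of the original slides or the IAS code: the central system sums the additive counters of three hypothetical probes P1..P3 into a global view, and a simple baseline rule flags a day on which the multipart/mixed share jumps. The probe data, the window and the threshold are constructed assumptions; the slides name the signal, not the rule.

```python
from statistics import median

# Constructed daily SMTP counters from three hypothetical probes P1..P3:
# (all mails seen, mails with Content-Type multipart/mixed) per day.
# Day 5 carries a mail-worm style wave that P2's network does not see.
PROBES = {
    "P1": [(1000, 330), (1100, 360), (1050, 340), (1000, 330), (1200, 800)],
    "P2": [(400, 130), (380, 125), (420, 140), (400, 130), (450, 150)],
    "P3": [(2000, 660), (2100, 690), (1900, 630), (2000, 660), (2600, 1700)],
}


def global_view(probes):
    """Central system: add up the local counters of all probes per day.
    Counters are additive, so the global view needs no raw data."""
    per_day = zip(*probes.values())
    return [(sum(t for t, _ in day), sum(m for _, m in day)) for day in per_day]


def share_series(counts):
    """Percentage of attachment mails (multipart/mixed) per day."""
    return [100.0 * mixed / total for total, mixed in counts]


def detect_wave(shares, window=3, threshold=10.0):
    """Flag days whose attachment share exceeds the median of the preceding
    `window` days by more than `threshold` percentage points (assumed
    parameters chosen for this example)."""
    flagged = []
    for i in range(window, len(shares)):
        baseline = median(shares[i - window:i])
        if shares[i] - baseline > threshold:
            flagged.append(i)
    return flagged


def report(probes):
    """Compare what each local view and the global view would flag."""
    result = {name: detect_wave(share_series(c)) for name, c in probes.items()}
    result["global"] = detect_wave(share_series(global_view(probes)))
    return result
```

P2 alone never sees the wave, while the global view built from the same counters does; that is the argument for the global view.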
Internet Situation Awareness: Project idea
Internet object: Internet critical assets. (Figure: global data, sensors, statistics, PPP partners.)
This will help to:
- improve the stability and trustworthiness of the Internet,
- raise awareness for critical processes or components, and
- find out more about the Internet and its users in order to better support their needs and service demands.

Internet Situation Awareness: Related work
- Sensor level: log-data based, honeypot based, NetFlow based
- Analysis level: pattern recognition, neural network models, data mining algorithms
- System level: Symantec DeepSight Threat Management System; DShield.org, the Internet Storm Center of the SANS Institute; MOMENT and LOBSTER, pan-European platforms; the CarmentiS project of the German CERTs
Internet Situation Awareness: Summary
- The Internet is a critical infrastructure for our society.
- We need a trusted infrastructure (Internet) to protect our future.
- Analogous to natural disaster warning systems, like the tsunami warning system, we need Continuous Situation Awareness and an Early Warning System for the Internet to be able to issue countermeasures before the actual threat strikes.
- If you can't measure it, you can't manage it! Let us start to measure the Internet together!

Internet Continuous Situation Awareness
Thank you for your attention! Questions?
Prof. Dr. Norbert Pohlmann, Institute for Internet Security - if(is), University of Applied Sciences Gelsenkirchen, http://www.internet-sicherheit.de