From Correlation to Causation: Active Delay Injection for Service Dependency Detection


From Correlation to Causation: Active Delay Injection for Service Dependency Detection
Christopher Kruegel, Computer Security Group
ARO MURI Meeting, ICSI, Berkeley, November 15, 2012

[Project overview diagram] Components: Real World Enterprise Network, Sensor Alerts, Data, Correlation Engine, Simulation/Live Security Exercises, Mission Model, Cyber-Assets Model, COAs, Impact Analysis. Analyses shown: analysis to get an up-to-date view of cyber-assets; analysis to determine dependencies between assets and missions; analyze and characterize attackers; predict future actions; create a semantically-rich view of cyber-mission status.
ARO MURI Meeting, Berkeley, November 15, 2011

Motivation
Thrust I: Obtaining an up-to-date view of the available cyber-assets
- Need to know and model assets on your network: network services (beyond IP address and ports)
Thrust II: Obtaining an understanding of the dependencies between missions and assets
- Find dependencies and redundancies between services
- Find relationships (mappings) between missions and assets
- Find assets and activities critical for the network (or a particular mission)

Accomplishments
Year 1
- models to fingerprint specific programs and network services
- track services and identify bot-infected machines
Year 2
- service dependency model
- algorithms for ranking assets and services
Year 3
- develop techniques and tools to extract indirect dependencies between missions (activities) and assets
- develop techniques and tools to determine the effects of service failures (using fault injection)

Quick Recap and Updates
Determine relationships between services
- one service relies on another one (direct dependency)
- two services needed together (indirect dependency)
[Diagram: example services DNS, Web, LDAP and Mail, plus abstract services A, B and C, with their dependency edges]

Quick Recap and Updates
Extract activities and their related assets
- activity = set of services that cooperate to achieve a higher-level goal
- building blocks for missions
- of course, this could be done manually; we propose an automated approach (not all activities are obvious)
We proposed an approach based on passive observation of network traffic
- conducted experiments in the CS network at

Quick Recap and Updates
In this period, we evaluated our tool on traffic collected at LBNL
- 6.33 billion records (150 GB of NetFlow)
- 15 days' worth of data
- 5,593 missions and 998 backup relations
- interesting examples currently under investigation

Extracting Dependencies
Basic idea of our passive activity extraction approach
- Find multiple services that are all correlated
- intuition: multiple services that work together do this for a purpose; the network is leveraged to achieve a certain goal
Problems
- correlation does not imply causation (false positives)
- direction of dependency cannot be determined

Extracting Dependencies
Basic idea: perform active discovery
- actively perturb traffic for service A, monitor how service B reacts
- when B depends on service A, we expect to see the effect of the perturbation
- when B does not depend on A, there should be no effect
How to introduce perturbations
- introduce delays into requests (flows) to service A
- active watermarking, but for flows, not for packets

Introducing Delays
[Timeline diagram of requests to Service A and Service B, marked with an idle period and a busy period]

Introducing Delays
In the real world, idle and busy periods are not as easily detectable
- unrelated requests
- unexpected delays
- caching effects
Need (many) more than one observation period (window)
Need to perform statistical tests

Statistical Tests
Unknown distribution of service requests D(μ, σ)
In case the service has a dependency, a fraction ρ of delayed requests results in
- Idle period: D1(μ(1-ρ), σ1)
- Busy period: D2(μ(1+ρ), σ2)
Hypothesis (null): the two services are independent, hence μ_idle = μ_busy

Statistical Tests
- Independent samples t-test
- We can do better: paired samples t-test

Statistical Tests
- Even better: paired Wilcoxon test
- When the null hypothesis is rejected, we have found a dependency
- For all three tests, we can show that increasing the number of sample intervals will eventually allow us to make a decision (even when the fraction of delayed requests is very small)
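As an added worked example (not code from the talk or its authors), the paired Wilcoxon test from these slides run over per-window request counts at service B, with the slides' μ, σ and ρ: each idle window (A's requests held back) is paired with the following busy window, and H0 is μ_idle = μ_busy. The window counts are constructed, and the large-sample normal approximation for the signed-rank statistic is my choice, not necessarily the authors'.

```python
import math
import random

def wilcoxon_signed_rank(idle, busy):
    """Paired Wilcoxon signed-rank test on per-window request counts at B.

    idle[i]/busy[i]: requests seen at service B in the i-th idle window
    (A's requests held back) and the i-th busy window. Returns (z, p) from
    the large-sample normal approximation, so use dozens of window pairs.
    """
    diffs = [b - a for a, b in zip(idle, busy) if b != a]  # zero diffs dropped
    n = len(diffs)
    if n < 10:
        raise ValueError("need at least 10 non-zero paired differences")
    order = sorted(range(n), key=lambda i: abs(diffs[i]))
    ranks = [0.0] * n          # rank |d_i|, averaging ranks over ties
    i = 0
    while i < n:
        j = i
        while j + 1 < n and abs(diffs[order[j + 1]]) == abs(diffs[order[i]]):
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j + 2) / 2.0   # 1-based average rank
        i = j + 1
    w_plus = sum(r for r, d in zip(ranks, diffs) if d > 0)
    mean_w = n * (n + 1) / 4.0
    sd_w = math.sqrt(n * (n + 1) * (2 * n + 1) / 24.0)
    z = (w_plus - mean_w) / sd_w
    return z, math.erfc(abs(z) / math.sqrt(2))    # two-sided p-value

def depends(idle, busy, alpha=0.01):
    """Reject H0 (mu_idle == mu_busy) at level alpha => B depends on A."""
    return wilcoxon_signed_rank(idle, busy)[1] < alpha

def simulate_windows(n_windows, mu, sigma, rho, dependent, seed=7):
    """Constructed counts at B for n idle/busy window pairs. If B depends
    on A, delaying a fraction rho of A's requests moves the idle mean to
    mu*(1-rho) and the busy mean to mu*(1+rho); otherwise both stay at mu."""
    rng = random.Random(seed)
    shift = rho if dependent else 0.0
    idle = [max(0, round(rng.gauss(mu * (1 - shift), sigma))) for _ in range(n_windows)]
    busy = [max(0, round(rng.gauss(mu * (1 + shift), sigma))) for _ in range(n_windows)]
    return idle, busy

if __name__ == "__main__":
    for rho, n in ((0.30, 60), (0.05, 400)):   # small rho needs many windows
        for dep in (True, False):
            z, p = wilcoxon_signed_rank(*simulate_windows(n, 100, 10, rho, dep))
            print(f"rho={rho} windows={n} dependent={dep}: z={z:.2f} p={p:.3g}")
```

Running the demo shows the slide's point: with ρ = 0.05 the per-window shift is well inside the noise, yet 400 window pairs still reject H0 for the dependent case.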

Simulations
[Simulation result plots, slides 15 and 16] Demonstrate the desirable properties of the system (more data yields precise results)

Real World Experiment
- Installed a delay mechanism at the CS Department
- Perturbed connections from CS lab machines to 54 services
- 3.5 months' worth of data
- 11.5 million connections to interesting services
- 500 ms delay introduced

Results
331 dependencies, for example:
- file server depends on DNS
- mail applications depend on the file server
- file server depends on backup file server
- LDAP server depends on backup LDAP servers
- web server depends on LDAP server
Direction can be detected: here, some services depend on NFS
  (('128.111.43.46', 1172, 6), ('128.111.43.46', 1174, 6), ('128.111.43.46', 2049, 6))
Causality analysis can remove false positives
  (('128.111.41.24', 21, 6), ('128.111.41.39', 5308, 6))

Conclusions
Work focused on Thrust II
- Leveraging service models to rank network assets and to build the foundation for impact analysis and what-if scenarios
- Active discovery of dependencies
  - introduced a novel flow watermarking scheme
  - multiple statistical tests to identify even small perturbations
- Simulations and experimental evaluation

Future Work
- Develop techniques and tools to extract asset information and latent service capabilities through active probing
  - useful to find services that are not actively contacted
  - identify service dependencies and causality with better confidence
- Leveraging dependencies for sophisticated what-if analysis
- Semantic analysis and labeling of network assets (what is a network proxy, NAT device, ...) based on network behaviors

Thank You