Intrusion Forecasting Framework for Early Warning System against Cyber Attack
Sehun Kim
KAIST, Korea; Honorary President of KIISC
Telecommunication System & Internet Security Lab.
Contents
1. Recent Cyber Attacks
2. Early Warning System
3. Intrusion Forecasting System
Conclusion
1. Recent Cyber Attacks
Growth of the Internet usage
Attack Trend
- Exploit the interconnectivity of networks
- Rapid attacks, sometimes zero-day
- More sophisticated and evolutionary attack tools
- Attacks on infrastructure
DDoS Attacks
- Deploy a large number of compromised systems to attack a victim host
(Figure: attacker, control messages, victim)
Internet Worm
Slammer worm
- Infected more than 90% of vulnerable hosts within 10 mins.
- Caused shutdown of Internet service in Korea.
Bot
- A short word for “robot”
- Piece of software that allows a system to be remotely controlled
Zombie
- Controlled/corrupted system
Botnet
- A network of Zombie systems
- Used for DDoS, Spamming, Sniffing, Key Logging, Identity Theft, Hosting of Illegal Software
Botnets
(Figure: a bot herder controls the bots of a botnet through an IRC server control channel)
2. Early Warning System
What is EWS?
- A system or procedure designed to warn of a potential or an impending problem in order to minimize the damage from that problem
- More important as the potential damage becomes greater
EWS in Real Life
- Famine EWS
- Disaster (Tsunami/Earthquake) EWS
- Disease EWS
EWS in Cyber Space
- Early detection of a cyber attack and instant response to it
- A cyber attack can be an intrusion, a worm/virus outbreak, information warfare, and so on.
The main procedure of EWS conforms to that of the National Cyberspace Security Response System (USA)
Phase 1 : Analysis
- Data Collecting/processing
- Vulnerability Assessment
- Forecasting Cyber Attack
Phase 2 : Warning
- Issue an Alarm
- Sharing Cyber Alert
Phase 3 : Incident Handling
- Federal Coordination
- Private, State and Local Coordination
Phase 4 : Response/Recovery
- Modify Security Policy
- Final Report
Computer Emergency Response Team
- Coordinate all of the activities of organizations and institutions involved in efforts to secure the national IT network
- Protect public/national security from cyber threats by handling computer incidents promptly and efficiently
- Traditionally, EWS is operated by CERT
(Figure: CERTs around the world: KrCERT, JPCERT, SingCERT, CNCERT, CERTA, US-CERT, AusCERT)
Motivation (Korea)
- ‘Basic Plan for the Establishment of National Cyber Terror Response System’ approved by the President, July 2003
Related Organization
- NCSC (National Cyber Security Center)
  - Central point of government for identifying, preventing and responding to cyber attacks and threats in Korea
- KISA (Korea Information Security Agency)
  - Agency providing public users, industries and organizations with information security services
- CERT
  - KrCERT (Korea CERT) : CERT operated by KISA
  - KN-CERT (Korea National CERT) : CERT operated by NCSC
Motivation (USA)
- FISMA : Federal Information Security Management Act of 2002
- Planning ‘National Strategy to Secure Cyberspace’, Feb. 2003
Related Organization
- DHS/NCSD (National Cyber Security Division)
  - Division that works to secure cyberspace and America’s cyber assets
  - Within DHS (Department of Homeland Security)
- CERT/CC (CERT/Coordination Center)
  - CERT Center operated by Carnegie Mellon University
- US-CERT (U.S. Computer Emergency Readiness Team)
  - US-CERT is charged with protecting the USA’s Internet infrastructure by coordinating defense against and response to cyber attacks
  - Founded by CERT/CC & NCSD
Motivation (France)
- Decree 2001-693, July 2001 : Organize DCSSI
- ‘State Information System Security Reinforcement Plan’, 2004
Related Organization
- SGDN (Secrétariat général de la défense nationale)
  - By Decree 96-67, SGDN takes charge of the Cyber Security of France
  - Belongs directly to the Prime Minister
- DCSSI (Direction Centrale de la Sécurité des Systèmes d’Information)
  - Executes governmental tasks in order to protect information systems
  - Operates CERTA and ITSOC, under the authority of the SGDN
- ITSOC (IT Security Organization Center)
  - Researches specialized knowledge to prevent and solve security incidents
  - Collects data through CERTA and provides authorities with the collected data
Early Detection of Incident
- Incident (Intrusion) Forecasting Method
- Alert Correlation
- Threat Assessment
Issue of an alarm or warning
- Design of main framework for EWS
- Partnership with other related organizations
- Effective visualization of events
Response/Recovery
- Traceback Mechanism
- Establishment of national cyber security policies or law
3. Intrusion Forecasting System
Intrusion Forecasting System
- Forecast cyber attacks in advance
- The most significant part in EWS
  - Corresponds to the Analysis phase of the National Cyberspace Security Response System
  - The speed and precision of detection is a key factor of EWS
Intrusion Forecasting System Architecture
DC Module (Data Collection)
- Collect data from various sensors
- Pre-processing for the DA module
DA Module (Data Analysis)
- Analyze the collected data
- Predict possibilities of cyber attack
REP Module (Reporting)
- Create alarm reports
- Alarm visualization
Forecasting in Real Life
Three Important Forecasting Steps
- Analyze the present state
- Predict a future state
- Interpret the model results
Methods of Weather forecasting
- Folklore forecast
- Persistence forecast
- Climatology forecast
- Trend forecast
- Analog forecast
- Numerical forecast
- Ensemble forecast
Forecasting Methods against Cyber Attack
- Still at a primary level compared to other forecasting areas
  - Predict a virus day or the possibility of a cyber threat by exploiting security vulnerabilities
  - Commercial intrusion forecasting systems are currently in the beginning phase
  - Some research has applied existing forecasting techniques to the prediction of worms or viruses
- Related organizations
  - Warning of virus/malicious code : Ahnlab, Hauri, SANS (Internet Storm Center)
  - Threat management system : Symantec (DeepSight TMS), Computer Associates (eTrust Security Management)
Intrusion Forecasting Method
Data Mining Method
- Extract implicit, previously unknown, and potentially useful information from large data sets or databases
- Widely used in various forecasting areas
  - Stock prices, weather forecasting, and earthquake forecasting
- Possible to handle numerous traffic variables that are difficult to analyze intuitively
- Clustering Analysis, Decision Tree, Genetic Algorithm, etc.
Advantages vs. Disadvantages
- Advantages
  - Consider not only quantitative changes of multiple variables but also changes of their distribution
- Disadvantages
  - High computational complexity
A CASE STUDY : Data Mining Method
DDOS attack detection method using cluster analysis
A Proactive detection of DDoS attack
- Detect DDoS attacks proactively by exploiting the sequential movement of a DDoS attack
- Attack phases of a DDoS attack
(Figure: attacker, handlers, agents and victim across phases 1 to 5)
A CASE STUDY : Data Mining Method
DDOS attack detection method using cluster analysis
Feature selection process
- Select several features to detect the symptoms of a DDoS attack
- The features indicate abnormal changes in traffic according to each phase of the attack
- Selected features
  - Distribution of source IP/port
  - Distribution of destination IP/port
  - Packet type
  - Occurrence rate of TCP SYN, UDP, ICMP
- The entropy values of the selected features are calculated to measure the randomness in their distribution
- Entropy: $H = -\sum_{i=1}^{n} P_i \log_2 P_i$
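As an added example (not code from the slides or the case study), the entropy features above computed over two constructed packet windows; the field names, sample addresses and the notion of a "window" are assumptions:

```python
import math
from collections import Counter

# Constructed sample windows of (src_ip, src_port, dst_ip, dst_port, packet_type).
# Normal traffic: a handful of clients talking to a few servers on mixed ports.
NORMAL_WINDOW = [
    ("10.0.0.1", 51000, "10.0.1.5", 80, "TCP"),
    ("10.0.0.2", 51001, "10.0.1.6", 443, "TCP"),
    ("10.0.0.3", 51002, "10.0.1.7", 53, "UDP"),
    ("10.0.0.4", 51003, "10.0.1.5", 80, "TCP"),
    ("10.0.0.5", 51004, "10.0.1.8", 22, "TCP"),
    ("10.0.0.6", 51005, "10.0.1.6", 443, "ICMP"),
]
# Flood window: forty distinct sources all hitting one destination IP and port.
FLOOD_WINDOW = [(f"10.0.2.{i}", 40000 + i, "10.0.1.5", 80, "TCP")
                for i in range(1, 41)]

def entropy(values):
    """Shannon entropy H = -sum_i P_i log2 P_i of the empirical distribution
    of `values`; an empty window has no distribution and yields 0.0."""
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port", "packet_type")

def features(window):
    """Per-field entropies plus the packet count for one window, the same
    quantities the case study feeds to its clustering step."""
    columns = list(zip(*window)) if window else [()] * len(FIELDS)
    feats = {"H_" + name: entropy(col) for name, col in zip(FIELDS, columns)}
    feats["packets"] = len(window)
    return feats

def entropy_shift(baseline, current):
    """Difference current - baseline per entropy feature: a sharp drop in
    destination entropy together with a packet surge is the flood signature."""
    return {k: current[k] - baseline[k] for k in baseline if k.startswith("H_")}

if __name__ == "__main__":
    base, flood = features(NORMAL_WINDOW), features(FLOOD_WINDOW)
    for k, v in entropy_shift(base, flood).items():
        print(f"{k:14s} {base[k]:6.3f} -> {flood[k]:6.3f} (shift {v:+.3f})")
```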
A CASE STUDY : Data Mining Method
DDOS attack detection method using cluster analysis
Results of clustering analysis
(Table reconstructed from the slide: rows are clusters, columns are the entropy of src IP, src port, dest IP, dest port and packet type, the number of packets, and the occurrence rates of SYN, UDP and ICMP)

cluster          src IP  src port  dest IP  dest port  pkt type  packets  SYN   UDP   ICMP
1 normal         1.59    1.61      1.58     1.50       1.12      37.0     0.02  0.00  0.00
2 phase 1        0.71    0.56      4.91     0.55       0.53      41.4     0     0     0.87
3 phase 2        0.08    0.12      0.07     0.12       0.04      1.19     0     0.99  0
4 attack         0.02    12.4      12.6     12.6       0.02      6225     0     0     0
5 post attack    0.13    11.4      11.5     11.5       0.12      2876     0     0     0
6 normal         1.06    1.07      1.06     1.07       1.36      4.70     0.44  0     0
Intrusion Forecasting Method
Probabilistic Modeling
- Capture evidence of intrusions in terms of a probability from the current network state
- Enable the system administrator to understand the degree of risk on a probabilistic scale
- Markov chain, Bayesian method, etc.
Advantages vs. Disadvantages
- Advantages
  - Easy to understand the possibility of attacks based on a probabilistic scale
  - Highly applicable in the determination of the warning level
- Disadvantages
  - Difficult to construct the state profile and the transition probabilities between states
  - Requires correct decisions by a system administrator
A CASE STUDY : Probabilistic Modeling
An effective DDOS attack detection and packet-filtering scheme
Effectiveness of DDoS attack Detection & Filtering
- DDoS attacks are viewed as a congestion event in routers
- Effectively detected at the victim network, but effectively filtered when closer to the attack source
(Figure: attack source networks, further upstream ISP network, the victim’s ISP network, the victim’s network, victim; the effectiveness of attack detection increases toward the victim, the effectiveness of packet filtering increases toward the attack source)
A CASE STUDY : Probabilistic Modeling
An effective DDOS attack detection and packet-filtering scheme
Measure for deciding the congestion level in a congested router
- Decide the congestion level using packet loss probabilities
  - Congestion has occurred at an output queue in a transit router if the packet loss probability is larger than a given threshold
- Detect attacks in routers through the use of a queueing model
(Figure: routers R1 and R2 exchanging messages)
A CASE STUDY : Probabilistic Modeling
An effective DDOS attack detection and packet-filtering scheme
Detection & Filtering strategy
- Detect attacks in routers through the use of queueing models
- Perform congestion control in consideration of packet loss probabilities in routers
- Local & global detection by exchanging congestion messages
  - In local detection, each transit router checks its output queues to decide congestion levels
  - In global detection, identify an attack and its route
(Figure: router topology R1 to R13 with the victim; the routers exchange AM, IM and PFM messages)
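An added example (not the scheme’s own code) of the local and global detection steps above: each router’s output queue is modelled as an M/M/1/K queue, an assumption the slides do not state, its loss probability is compared with a threshold, and the victim’s router follows congestion reports upstream to trace the attack route; the topology, rates and threshold are constructed.

```python
# Assumption: each output queue behaves as an M/M/1/K queue (the slides only say
# "queueing model"); lam = arrival rate, mu = service rate, k = buffer size.
def loss_probability(lam, mu, k):
    """Blocking (packet loss) probability of an M/M/1/K queue."""
    rho = lam / mu
    if abs(rho - 1.0) < 1e-12:          # rho = 1 makes the closed form 0/0
        return 1.0 / (k + 1)
    return (1.0 - rho) * rho ** k / (1.0 - rho ** (k + 1))

def local_detection(router_queues, threshold):
    """Local detection: a router is congested if any of its output queues has a
    loss probability above the threshold. router_queues maps a router name to a
    list of (lam, mu, k) tuples, one per output queue."""
    return {
        name: any(loss_probability(lam, mu, k) > threshold for lam, mu, k in queues)
        for name, queues in router_queues.items()
    }

def global_detection(congested, upstream, victim_router):
    """Global detection: starting at the victim's router, follow the congestion
    messages upstream through routers that reported congestion. The visited
    routers form the attack route; non-congested branches are pruned."""
    route, stack, seen = [], [victim_router], set()
    while stack:
        router = stack.pop()
        if router in seen or not congested.get(router, False):
            continue
        seen.add(router)
        route.append(router)
        stack.extend(upstream.get(router, []))
    return route

# Constructed topology: victim <- R1 <- {R2, R3}; R3 <- {R4, R5}.
UPSTREAM = {"R1": ["R2", "R3"], "R3": ["R4", "R5"]}
# Constructed queue parameters (packets/s, packets/s, buffer slots) per router.
QUEUES = {
    "R1": [(95.0, 100.0, 20)],    # heavily loaded, near capacity
    "R2": [(50.0, 100.0, 20)],    # lightly loaded
    "R3": [(120.0, 100.0, 20)],   # overloaded: arrivals exceed service
    "R4": [(110.0, 100.0, 20)],   # overloaded: the flood enters here
    "R5": [(30.0, 100.0, 20)],    # lightly loaded
}
THRESHOLD = 0.01

def trace_attack(router_queues=QUEUES, upstream=UPSTREAM, threshold=THRESHOLD):
    """Run local detection on every router, then global detection from R1."""
    return global_detection(local_detection(router_queues, threshold), upstream, "R1")
```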
Intrusion Forecasting Method
A CASE STUDY : Time-Series Analysis
Fast detection scheme for broadband network using traffic analysis
Main Idea
- Detect intrusions early in broadband networks using the exponential smoothing method
- Extract the traffic volume at a destination port to find anomalies earlier and more precisely
(Figure: total traffic volume in bytes by date, and traffic volume at port 1434 by date)
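An added example, not the scheme’s own code, of exponential smoothing applied to per-port traffic volume as described above; the byte counts are constructed to imitate the port 1434 surge on the chart, and the smoothing factor, deviation ratio and warm-up length are assumptions. The scan_ports helper generalises the single-port idea to several ports at once.

```python
# Constructed per-interval byte counts at two destination ports. Port 1434 ends
# with a sudden surge like the slide's chart; port 80 stays flat.
PORT_1434_BYTES = [1000, 1100, 950, 1050, 1000, 1200, 1000, 1100, 1050,
                   5000, 9000, 12000]
PORT_80_BYTES = [8000, 8100, 7900, 8050, 8000, 8200, 8000, 8100, 8050,
                 8000, 8100, 8000]

def exponential_smoothing(series, alpha):
    """One-step-ahead forecasts s_t = alpha * x_t + (1 - alpha) * s_{t-1}.
    Returns, for each sample, the forecast that was available before it arrived."""
    forecasts, level = [], series[0]
    for x in series:
        forecasts.append(level)
        level = alpha * x + (1 - alpha) * level
    return forecasts

def detect_anomalies(series, alpha=0.3, ratio=2.0, warmup=3):
    """Indices of samples whose volume exceeds `ratio` times the smoothed forecast.
    The first `warmup` samples are skipped while the level settles (assumed
    parameters; the slides do not state the threshold rule)."""
    forecasts = exponential_smoothing(series, alpha)
    return [i for i, (x, f) in enumerate(zip(series, forecasts))
            if i >= warmup and f > 0 and x > ratio * f]

def scan_ports(per_port, **kwargs):
    """Run the detector on every destination port and report only the ports
    with at least one anomalous interval."""
    flagged = {}
    for port, series in per_port.items():
        hits = detect_anomalies(series, **kwargs)
        if hits:
            flagged[port] = hits
    return flagged

if __name__ == "__main__":
    print(scan_ports({1434: PORT_1434_BYTES, 80: PORT_80_BYTES}))
```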
A CASE STUDY : Time-Series Analysis
Fast detection scheme for broadband network using traffic analysis
Experimental Results
(Figures: detection of anomalies at port 445, port 137, port 1434 and port 80)
Conclusion
To defend networks against current cyber attacks, the importance of EWS is emphasized
- Many countries operate EWS through CERT
Intrusion forecasting system
- Most significant part in EWS
- Intrusion forecasting system architecture
  - Data Collection module
  - Data Analysis module
  - Reporting module
Intrusion forecasting techniques
- Forecasting in real life
  - Weather, stock, power, etc.
- Forecasting methods against cyber attacks
  - Data mining method
  - Probabilistic modeling
  - Time-series analysis