

SLIDE 1

10/19/2010 1

Magnus Almgren, Göteborg, 2010-10-19

Mitigating Cyber Attacks

Postdoc, funded by MSB (the Swedish Civil Contingencies Agency)

15—20 years ago …

  • Internet starting to reach a wider audience
    – most people did not have email
    – computer security was an afterthought
  • The typical hacker, often portrayed as
    – a teenager
    – treating an attack as a "chess game"
    – goal: some esoteric fame …
  • And today?

SVT documentary, Oct 2010: Att hacka en stormakt ("Hacking a superpower") (http://goo.gl/1Zrd)

SLIDE 2

Outline

  • Status today
  • Monitoring traffic
  • Research Activities
    – Reasoning with alerts from several sensors
    – Monitoring backbone traffic
  • European network: SysSec
SLIDE 3

[Figure: Financial, Health care, Transportation]

SLIDE 4

[Figure: Financial, Health care, Transportation]

SLIDE 5

Malicious Code

  • Many users say:

    "I would never download insecure content!"

  • But what type of content is safe?

Targeted attacks

  • 48% of exploits target Adobe Acrobat / Adobe Reader
  • Adobe begins a quarterly patch cycle
  • Health Check statistics show that Adobe Reader is among the top unsecured applications

SLIDE 6

Dangerous People (!!!)

"Cameron Diaz Searches Yield Ten Percent Chance of Landing on a Malicious Site"
http://home.mcafee.com/AdviceCenter/most-dangerous-celebrities

SLIDE 7

http://doi.ieeecomputersociety.org/10.1109/MC.2010.237
http://www.zdnetasia.com/malware-link-to-air-crash-inconclusive-62202513.htm

SLIDE 8

SLIDE 9

New Era 2010: Stuxnet

  • Advanced malware
    – specifically targets Programmable Logic Controllers via the Siemens SIMATIC Step 7 software
    – many rumours about its goal and about who created it
  • Designed and released by a government?
    – the U.S. or Israel ???
  • Suspected target: the Bushehr nuclear power plant in Iran
    (60% of infected hosts were in Iran)

Symantec, Oct 2010: W32.Stuxnet Dossier (http://goo.gl/pP7S)

SLIDE 10

Stuxnet: Pandora's box?

  • Stuxnet is advanced and one of the first in-the-wild malware samples targeting PLCs
    – estimated 6—8 people and about 6 months to create
  • PLCs exist in many industries
    – factory assembly lines, amusement rides, or lighting fixtures
  • Compare this with the Loveletter virus (2000)
    – by 2003/11 there existed 82 different variants of Loveletter
    – it is claimed that more than 5,000 attacks are carried out every day
  • There is now a blueprint for creating malware that targets PLCs

Status today
Monitoring traffic: Intrusion Detection Systems
Research Activities

SLIDE 11

[Figure: Financial, Health care, Transportation]

SLIDE 12

[Figure: distribution of normal behaviour; axes "Normal behavior" and "Number"]

SLIDE 13

[Figure: distribution of normal behaviour; axes "Normal behavior" and "Number"]

Variants of the letter A (A, A, A, Ѧ, fl): labelled "A"
Variants of the letter B (B, B, B, ℬ, β, ʙ): labelled "B"

This is an "Attack." ????????
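The "normal behaviour" picture is the idea behind anomaly-based intrusion detection: learn what normal looks like, then flag what is far from it, and accept that a detector has to decide whether a variant (the Ѧ that is still an "A") belongs to the normal set or is the "B". The following is an added example, not code from the presentation or from the author: it learns two assumed features of HTTP request lines (length of the request target, and the share of characters outside letters, digits and "/.-_") from a constructed set of normal requests, including ordinary accesses to the classic /cgi-bin/phf script, and flags a request whose largest z-score exceeds an assumed threshold of 3.0. The features, the training data and the threshold are all assumptions made for illustration.

```python
"""Anomaly detection on HTTP request lines: learn "normal", flag what is far from it.

Added example, not from the presentation. Features, training data and the
threshold are assumptions made for illustration.
"""
import math

# Constructed training set: request lines observed during normal operation,
# including ordinary accesses to the classic /cgi-bin/phf script.
NORMAL_TRAFFIC = [
    "GET /index.html HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /cgi-bin/phf?Qname=smith HTTP/1.0",
    "GET /docs/intro.html HTTP/1.1",
    "GET /cgi-bin/phf?Qname=jones&Qalias=jj HTTP/1.0",
    "GET /news/2010/10/19.html HTTP/1.1",
    "GET /about.html HTTP/1.1",
    "GET /cgi-bin/phf?Qname=lee HTTP/1.0",
]

ORDINARY_CHARS = "/.-_"   # punctuation that is common in benign request targets


def features(request_line):
    """Two numeric features of the request target (assumed choice):
    its length and the fraction of characters outside [A-Za-z0-9/.-_]."""
    target = request_line.split(" ")[1]
    unusual = sum(1 for c in target if not (c.isalnum() or c in ORDINARY_CHARS))
    return (len(target), unusual / len(target))


class Profile:
    """Per-feature mean and standard deviation of normal traffic."""

    def __init__(self, normal_requests):
        columns = list(zip(*(features(r) for r in normal_requests)))
        n = len(normal_requests)
        self.mean = [sum(col) / n for col in columns]
        # floor the deviation so a constant feature cannot cause a division by zero
        self.std = [max(math.sqrt(sum((x - m) ** 2 for x in col) / n), 1e-6)
                    for col, m in zip(columns, self.mean)]

    def score(self, request_line):
        """Anomaly score: the largest absolute z-score over all features."""
        return max(abs(x - m) / s
                   for x, m, s in zip(features(request_line), self.mean, self.std))

    def is_attack(self, request_line, threshold=3.0):
        """The threshold is the knob between missed attacks and false alarms (assumed 3.0)."""
        return self.score(request_line) > threshold


def build_profile():
    return Profile(NORMAL_TRAFFIC)


if __name__ == "__main__":
    profile = build_profile()
    for line in [
        "GET /cgi-bin/phf?Qname=brown HTTP/1.0",                                   # a variant of normal
        "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd%0a/bin/id HTTP/1.0",  # far too long
        "GET /?a=1&b=2&c=3 HTTP/1.1",                                             # too much punctuation
    ]:
        print(f"{profile.score(line):5.2f} attack={profile.is_attack(line)}  {line}")
```

The first request is a variant of the training data and scores below 1; the other two are flagged for different reasons, one on length and one on punctuation density. Lowering the threshold catches more, but also starts rejecting ordinary variants of "A".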

SLIDE 14

[Figure: distribution of normal behaviour; axes "Normal behavior" and "Number"]

Status today
Monitoring traffic
Research Activities:
  • 1. Reasoning with alerts from several sensors
  • 2. Monitoring backbone traffic

[Figure: observations labelled "Attack", "Attack", "No Attack", and one marked "?"]

SLIDE 15

Scenario multiple sensors (1)

  • Normal phf access (no attack)
    – P(inv-A | …) = 0.20: don't investigate

[Figure: Bayesian network with nodes inv-A, r0, w1 and a1 (webIDS, alert A1), w2 and a2 (Snort, alert A2); observed values marked 1]

Scenario multiple sensors (2)

  • Normal phf access (no attack)
    – P(inv-A | …) = 0.20: don't investigate

[Figure: the same network, with the evidence nodes "encrypted" and "request valid?" added]

SLIDE 16

Scenario multiple sensors (3)

  • Normal phf access (no attack)
    – P(inv-A | …) = 0.20: don't investigate
  • Snort sensor defunct, this may be an attack!
    – P(inv-A | …) = 0.54: investigate
    – P(w1 | …) = 0.01: sensor broken

[Figure: the same network, with "encrypted" as evidence]
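The reasoning behind these three scenarios, as an added example (this is not the author's model or code; the network structure follows the slide, but every probability below is assumed and the result does not reproduce the 0.20 / 0.54 / 0.01 values): each sensor gets a "working" node between the attack and its alert, so that a missing alert can be explained either by "no attack" or by "sensor broken", and a context node "encrypted" records whether the network sensor could see the request at all. The slide reads a low P(w1 | …) as a broken sensor; below the node snort_ok plays that role. Posteriors are computed by exhaustive enumeration over the six binary variables, which is adequate at this size; a real deployment would use a proper inference library. The priors and the detection / false-alarm rates are assumptions.

```python
"""Reasoning about alerts from several sensors with a small Bayesian network.

Added example, not from the presentation. Network structure follows the slide:
an attack node, a 'working' and an 'alert' node per sensor, and an 'encrypted'
context node. All probabilities are assumed for illustration.
"""
from itertools import product

# Prior probabilities (assumed)
P_ATTACK = 0.05       # base rate of a genuine attack among phf-like requests
P_ENCRYPTED = 0.30    # share of requests arriving over an encrypted channel
P_SNORT_OK = 0.95     # sensor is up and seeing traffic
P_WEBIDS_OK = 0.95


def p_snort_alert(attack, encrypted, snort_ok):
    """P(snort_alert=True | attack, encrypted, snort_ok). Snort is a network
    sensor: a broken sensor never alerts, and encrypted payloads are opaque to it."""
    if not snort_ok or encrypted:
        return 0.0
    return 0.90 if attack else 0.10   # assumed detection and false-alarm rates


def p_webids_alert(attack, webids_ok):
    """P(webids_alert=True | attack, webids_ok). The webIDS runs inside the web
    server and sees the decrypted request, so 'encrypted' does not matter."""
    if not webids_ok:
        return 0.0
    return 0.80 if attack else 0.02


def joint(attack, encrypted, snort_ok, webids_ok, snort_alert, webids_alert):
    """Probability of one complete assignment of all six variables."""
    def pr(p_true, value):
        return p_true if value else 1.0 - p_true
    return (pr(P_ATTACK, attack) * pr(P_ENCRYPTED, encrypted)
            * pr(P_SNORT_OK, snort_ok) * pr(P_WEBIDS_OK, webids_ok)
            * pr(p_snort_alert(attack, encrypted, snort_ok), snort_alert)
            * pr(p_webids_alert(attack, webids_ok), webids_alert))


VARS = ("attack", "encrypted", "snort_ok", "webids_ok", "snort_alert", "webids_alert")


def posterior(query, evidence):
    """P(query=True | evidence) by enumerating every world consistent with the evidence."""
    numerator = denominator = 0.0
    for values in product((False, True), repeat=len(VARS)):
        world = dict(zip(VARS, values))
        if any(world[name] != value for name, value in evidence.items()):
            continue
        p = joint(**world)
        denominator += p
        if world[query]:
            numerator += p
    return numerator / denominator


def decide(evidence, threshold=0.5):
    """Investigate when the posterior probability of an attack reaches the threshold (assumed 0.5)."""
    return posterior("attack", evidence) >= threshold


if __name__ == "__main__":
    scenarios = {
        "plaintext, both sensors alert":          {"encrypted": False, "snort_alert": True,  "webids_alert": True},
        "plaintext, webIDS alerts, Snort silent": {"encrypted": False, "snort_alert": False, "webids_alert": True},
        "encrypted, webIDS alerts, Snort silent": {"encrypted": True,  "snort_alert": False, "webids_alert": True},
    }
    for name, ev in scenarios.items():
        print(f"{name}: P(attack)={posterior('attack', ev):.3f}  "
              f"P(Snort broken)={1 - posterior('snort_ok', ev):.3f}  investigate={decide(ev)}")
```

With these numbers, Snort's silence on a plaintext request is evidence both against an attack (the webIDS alert alone would give about 0.68, the pair gives 0.25) and for a broken sensor (the 5% prior rises to about 13%). When the request is encrypted the silence carries no information at all: the posterior for an attack is the webIDS-only value and the belief that Snort is broken stays at its prior. That is the point of modelling the sensor and its blind spots explicitly rather than just counting alerts.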

Analysis of malicious backbone traffic

  • Looking for attacks on a backbone network
    – 10 Gbps (= fast!)
    – Problems:
      • speed of the network link
      • amount of data
      • routing
      • user privacy: anonymize the data (key feature!)

SLIDE 17

Measurement Setup (simplified)

[Figure: backbone network connected through a router (then two routers) to the rest of the world, with the measurement point on the link]

SLIDE 18

[Figure: Measurement Setup (simplified), animation steps]

SLIDE 19

[Figure: Measurement Setup (simplified), final step]

Statistics

  • 23,600 inside hosts initiating communication with 18,780,894 hosts on the outside.
  • 24,587,096 outside hosts trying to reach (scan) 970,149 inside hosts.

SLIDE 20

Analysis of backbone data

SLIDE 21

Analysis of backbone data

SLIDE 22

Timing Behavior of Malicious Hosts

SLIDE 23

Timing Behavior of Malicious Hosts

  • Simple refresh: once every 43 min (once every 30 min)
  • Exponential backoff: 111 s, 222 s, 333 s, 666 s, 1332 s, 2664 s
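The two timing patterns above can be recognised automatically from the inter-arrival gaps of one host's connection attempts. The following is an added example, not code from the presentation: it labels a host's gap sequence as a fixed-period refresh, as a backoff in which each gap is either the previous gap plus the base gap or twice the previous gap (the shape of the 111 s, 222 s, 333 s, 666 s, ... sequence), or as irregular. The timestamps are constructed and the 10% tolerance is an assumption.

```python
"""Recognising the timing behaviour of a remote host from its connection timestamps.

Added example, not from the presentation. Timestamps are constructed; the
tolerance is assumed.
"""


def gaps(timestamps):
    """Inter-arrival gaps, in seconds, of one host's connection times."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def _close(x, reference, tolerance):
    """True when x lies within +/- tolerance (a fraction) of reference."""
    return abs(x - reference) <= tolerance * reference


def classify_timing(timestamps, tolerance=0.10):
    """Return ("periodic", period_s), ("backoff", base_s) or ("irregular", None)."""
    g = gaps(timestamps)
    if len(g) < 3:
        return ("irregular", None)            # too few connections to call it a pattern
    median = sorted(g)[len(g) // 2]
    if all(_close(x, median, tolerance) for x in g):
        return ("periodic", median)           # simple refresh with some jitter
    base = g[0]
    steps_ok = all(_close(b, a + base, tolerance) or _close(b, 2 * a, tolerance)
                   for a, b in zip(g, g[1:]))
    if steps_ok and g[-1] >= 4 * base:        # the gaps must actually have grown
        return ("backoff", base)
    return ("irregular", None)


# Constructed observations: seconds since the start of the capture, per source host.
OBSERVED = {
    "10.0.0.1": [0, 2581, 5158, 7742, 10320, 12899],   # about every 43 min, with jitter
    "10.0.0.2": [0, 111, 333, 666, 1332, 2664, 5328],  # gaps 111, 222, 333, 666, 1332, 2664 s
    "10.0.0.3": [0, 5, 900, 907, 3000],                 # no pattern
}


def classify_all(observed=OBSERVED):
    """Label every host in the capture."""
    return {host: classify_timing(ts) for host, ts in observed.items()}


if __name__ == "__main__":
    for host, (kind, value) in classify_all().items():
        print(host, kind, value)
```

A regular refresh is the easy case; the backoff rule is deliberately loose about whether a step is additive or doubling, because the sequence on the slide mixes both. Hosts that match neither rule are left for other features (such as the degree analysis used for spam below) rather than forced into a class.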

SLIDE 24

Identifying SPAM from data traffic

[Figure: node in- and out-degree distribution (log-log plot, degree vs. frequency, in-degree and out-degree), for legitimate email (ham) and unsolicited email (spam)]
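The plot above compares the in- and out-degree distributions of hosts seen sending legitimate and unsolicited email. The following is an added example, not code from the presentation: from a list of (sender, receiver) SMTP connections it computes each host's in- and out-degree over distinct peers, the degree-frequency distribution that such a plot is drawn from, and applies an assumed rule of thumb for spam sources (many distinct receivers, almost no traffic back). The connection list is constructed, and the thresholds in spam_like are assumptions.

```python
"""Node in- and out-degree distributions of mail-traffic hosts.

Added example, not from the presentation. The connection list is constructed;
the spam heuristic and its thresholds are assumptions.
"""
from collections import Counter, defaultdict


def degrees(edges):
    """Per-host (in_degree, out_degree), counting distinct peers only."""
    out_peers = defaultdict(set)
    in_peers = defaultdict(set)
    for src, dst in edges:
        out_peers[src].add(dst)
        in_peers[dst].add(src)
    hosts = set(out_peers) | set(in_peers)
    return {h: (len(in_peers[h]), len(out_peers[h])) for h in hosts}


def degree_distribution(deg, which):
    """Map degree value -> number of hosts with that degree ('in' or 'out');
    these are the points of the slide's degree-vs-frequency plot."""
    index = {"in": 0, "out": 1}[which]
    return dict(Counter(d[index] for d in deg.values()))


def spam_like(deg, min_out=20, max_in_ratio=0.1):
    """Assumed heuristic: high out-degree with an in-degree of at most
    max_in_ratio times the out-degree (nobody writes back to a spam source)."""
    return sorted(h for h, (i, o) in deg.items() if o >= min_out and i <= max_in_ratio * o)


def constructed_edges():
    """Ten hosts that mail each other in both directions, plus one host that
    mails 50 receivers which never reply (constructed data)."""
    ham = [f"ham{i}" for i in range(10)]
    edges = [(a, b) for a in ham for b in ham if a != b]
    edges += [("spam0", f"rcpt{i}") for i in range(50)]
    edges.append(("ham0", "ham1"))   # a repeated connection must not inflate the degree
    return edges


if __name__ == "__main__":
    deg = degrees(constructed_edges())
    print("out-degree distribution:", degree_distribution(deg, "out"))
    print("in-degree distribution: ", degree_distribution(deg, "in"))
    print("spam-like hosts:", spam_like(deg))
```

On real backbone data the interesting part is the shape of the two distributions rather than a fixed cut-off, and the anonymisation mentioned earlier has to preserve the host identities consistently (the same host maps to the same pseudonym) or the degrees cannot be computed at all.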

SysSec

  • a Network of Excellence (2010-2014)
  • To work towards solutions and collaborate
    – at a European level
    – and with international colleagues around the world
  • Poli. di Milano (IT)
  • Vrije Universiteit (NL)
  • Institute Eurecom (FR)
  • IPP (Bulgaria)
  • TU Vienna (Austria)
  • Chalmers U (Sweden)
  • UEKAE (Turkey)
  • FORTH – ICS (Greece)

A European Network of Excellence in Managing Threats and Vulnerabilities in the Future Internet

http://www.syssec-project.eu/

SLIDE 25

Links

  • SVT documentary, Oct 2010:
    – Att hacka en stormakt ("Hacking a superpower") (http://goo.gl/1Zrd)
  • Symantec, Oct 2010:
    – W32.Stuxnet Dossier (http://goo.gl/pP7S)
  • Uppdrag granskning, Oct 2010:
    – Kapade nätverk ("Hijacked networks") (http://svt.se/granskning)
  • SysSec: http://www.syssec-project.eu/