ground truth driven cyber security research some examples
play

Ground-Truth Driven Cyber Security Research: Some Examples Mustaque - PowerPoint PPT Presentation

May 01, 2023 •133 likes •554 views

Ground-Truth Driven Cyber Security Research: Some Examples Mustaque Ahamad, Georgia Tech, NYU Abu Dhabi and Pindrop Paul Royal, Georgia Tech Terry Nelms, Georgia Tech & Damballa Roberto Perdisci, University of Georgia Page 1 Background

  1. Ground-Truth Driven Cyber Security Research: Some Examples Mustaque Ahamad, Georgia Tech, NYU Abu Dhabi and Pindrop Paul Royal, Georgia Tech Terry Nelms, Georgia Tech & Damballa Roberto Perdisci, University of Georgia Page 1

  2. Background • Georgia Tech Information Security Center – Founded in 1998 – About a dozen faculty, 30+ PhD students – MS degree program in cyber security • Research philosophy – Data-driven and high impact research • Research thrusts – Understanding emerging threats, mobile security, converged networks security & crypto Page 2

  3. Data Driven Cyber Security Research • Security is about assumptions and guarantees • What assumptions can we make about the nature of threats? – Evolution from hackers and criminals to nation-states • Ground-truth based approach – Observe, understand and defend • Allows validation in a realistic setting Page 3

  4. Agenda: Examples of Data-Driven Research • GTISC MTrace System – Scalable malware analysis • ExecScent – Malware family attribution via communication templates • Data sharing and coordination challenges Page 4

  5. Example 1: Mtrace: Malware Analysis (Paul Royal) • Malware is the centerpiece of current threats on the Internet – Botnets (spamming, DDOS, etc.) – Information Theft – Financial Fraud • Used by Real Criminals – Criminal Infrastructure – Domain of Organized Crime

  6. Malware Cont ’ d • There is a pronounced need to understand malicious software behavior • Malware analysis is the basis for understanding the intentions of malicious programs – Threat Discovery and Analysis – Compromise Detection – Forensics and Asset Remediation

  7. Malware Analysis Challenges • DIY kits, packing tools, server-side polymorphism vastly increase volume of samples • GTISC collects over 250,000 new samples each day - Collected from crawlers, mail filters, honeypots, user submissions, and malware exchanges • Volume makes manual analysis untenable

  8. Malware Analysis - Transparency • Analysis tool/environment detection is a standard malware feature

  9. Transparency Cont ’ d • GTISC ’ s Idea: Use Intel VT as a malware analysis technology • External - No in-guest components to detect • Capable - Functionality sufficient to build analysis tools • “ Equivalent ” - Hardware-assisted nature offers same instruction-execution semantics • Created tools supporting multiple tracing granularities - Coarse-grained tracing via SYSENTER_EIP_MSR displacement • e.g., System call tracing - Fine-grained tracing via TF injection • e.g., Precision automated unpacking

  10. GTISC’s Mtrace System • GTISC has built a horizontally scalable, automated malware analysis framework - Each sample executed in a sterile, isolated environment - Intel VT used to ensure transparency - Structured representations of network actions placed inside intelligence database - C&C domains, anomalous outbound netflow, malicious download URLs, malware-generated email subjects, etc. • Database used by corporate security groups, hosting providers, domain registrars, and law enforcement

  11. Leveraging Intelligence - Mariposa • Case Study: Mariposa – Large, data-stealing botnet • Used to steal credit card, banking information • Compromises in half of Fortune 1000 – Before takedown, over 1M members

  12. Mariposa Cont ’ d • Takedown Timeline – Spring 2009: Mariposa discovery – Fall 2009: International Mariposa Working Group (MWG) formed • Defence Intelligence, GTISC, Panda Antivirus, FBI, Guardia Civil (Spanish LEO) – December 2009: All C&C domains shutdown and sinkholed within hours of the first • Operators panic; log into domain management services from home systems – Warrants issued to operators ’ ISP – January 2010: Operators arrested • 800,000 financial credentials found on one operator ’ s home systems

  13. Example 2: ExecScent: Mining for New C&C Domains in Live Networks with Adaptive Control Protocol Templates Terry Nelms , Roberto Perdisci and Mustaque Ahamad Appeared in Usenix Security Symposium, August 2013.

  14. Modern Malware Networking C&C Web Proxy badguy.com Enterprise Network 192.168.1.2 4/22/14 14

  15. ExecScent Goals & Observations • Goals: – Network detection domains & hosts. – Malware family attribution. • Observations: – C&C protocol changes infrequently. – HTTP C&C application layer protocol. 4/22/14 15

  16. Adaptive Control Protocol Templates • Structure of the protocol. • Self-tuning. • Entire HTTP request. 4/22/14 16

  17. ExecScent Overview Adaptive (self-tuning) Malware Traffic Traces Control Protocol Templates ExecScent ... (learning) Background Network Traffic Enterprise Network 4/22/14 17

  18. ExecScent Overview Adaptive (self-tuning) Malware Traffic Traces Control Protocol Templates ExecScent ... (learning) Background template Network Traffic matching HTTP(S) Traffic C&C Web Proxy Enterprise Network 4/22/14 18

  19. ExecScent Overview Adaptive (self-tuning) Malware Traffic Traces Control Protocol Templates ExecScent ... (learning) Similarity Background template Network Traffic matching Specificity HTTP(S) Traffic C&C Web Proxy Enterprise Network 4/22/14 19

  20. ExecScent Overview Adaptive (self-tuning) Malware Traffic Traces Control Protocol Templates ExecScent ... (learning) Infected Hosts Background template Network Traffic matching C&C Domains HTTP(S) Traffic C&C Web Proxy Enterprise Network 4/22/14 20

  21. Template Learning Process Labeled C&C Domains Generate Labeled Malware Request Request Control Control C&C Generalization Clustering Protocol Protocol Traces Templates Templates Background Network Traffic 4/22/14 21

  22. Malware C&C Traces Labeled C&C Domains Generate Labeled Malware Request Request Control Control C&C Generalization Clustering Protocol Protocol Traces Templates Templates Background Network Traffic 4/22/14 22

  23. Request Generalization Labeled C&C Domains Generate Labeled Malware Request Request Control Control C&C Generalization Clustering Protocol Protocol Traces Templates Templates Background Network Traffic 4/22/14 23

  24. Request Generalization (a) Request 1 : GET /Ym90bmV0DQo=/cnc.php?v=121&cc=IT Host: www.bot.net User-Agent: 680e4a9a7eb391bc48118baba2dc8e16 ... Request 2 : GET /bWFsd2FyZQ0KDQo=/cnc.php?v=425&cc=US Host: www.malwa.re User-Agent: dae4a66124940351a65639019b50bf5a ... (b) Request 1 : GET /<Base64;12>/cnc.php?v=<Int;3>&cc=<Str;2> Host: www.bot.net User-Agent: <Hex;32> ... Request 2 : GET /<Base64;16>/cnc.php?v=<Int;3>&cc=<Str;2> Host: www.malwa.re User-Agent: <Hex;32> ... 4/22/14 24

  25. Request Clustering Labeled C&C Domains Generate Labeled Malware Request Request Control Control C&C Generalization Clustering Protocol Protocol Traces Templates Templates Background Network Traffic 4/22/14 25

  26. Labeled C&C Domains Labeled C&C Domains Generate Labeled Malware Request Request Control Control C&C Generalization Clustering Protocol Protocol Traces Templates Templates Background Network Traffic 4/22/14 26

  27. Labeled C&C Domains Labeled C&C Domains Generate Labeled Malware Request Request Control Control C&C Generalization Clustering Protocol Protocol Traces Templates Templates Background Network Traffic 4/22/14 27

  28. Generating CPTs Labeled C&C Domains Generate Labeled Malware Request Request Control Control C&C Generalization Clustering Protocol Protocol Traces Templates Templates Background Network Traffic 4/22/14 28

  29. Generating CPTs Malware-A Unlabeled Unlabeled Unlabeled Unlabeled Malware-C Malware-F Malware-D Malware-B Malware-E Unlabeled Unlabeled 4/22/14 29

  30. Labeled CPTs Labeled C&C Domains Generate Labeled Malware Request Request Control Control C&C Generalization Clustering Protocol Protocol Traces Templates Templates Background Network Traffic 4/22/14 30

  31. Labeled CPT 1 ) Median URL path : /<Base64;14>/cnc.php 2 ) URL query component : {v=<Int,3>, cc=<String;2>} 3 ) User Agent : {<Hex;32>} 4 ) Other headers : {(Host;13), (Accept-Encoding;8)} 5 ) Dst nets : {172.16.8.0/24, 10.10.4.0/24, 192.168.1.0/24} Malware family : { Trojan-A , BotFamily-1 } URL regex : GET /.*\?(cc|v)= Background traffic profile : specificity scores used to adapt the CPT to the deployment environment 4/22/14 31

  32. Template Matching • Similarity Input: req, CPT – Measures likeness Similarity: s (req i , CPT i ), – Components for each component i – Weighted average – Match threshold Specificity: δ (req i , CPT i ), for each component i • Specificity Match-Score: f (sim, spec) – Measures uniqueness – Dynamic weights If Match-Score > Θ : return C&C Request – Self-tuning 4/22/14 32

  33. Evaluation Deployment Networks UNetA UNetB FNet Distinct Src IPs 7 , 893 27 , 340 7 , 091 HTTP Requests 34 , 871 , 003 66 , 298 , 395 58 , 019 , 718 Distinct Domains 149 , 481 238 , 014 113 , 778 • Evaluation ran for two weeks. • CPTs updated daily beginning two weeks prior to evaluation. 4/22/14 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ground Truth Competency Assessment for Smart Grid Cyber Security TCIPG May 4, 2012 Michael

Ground Truth Competency Assessment for Smart Grid Cyber Security TCIPG May 4, 2012 Michael

Ground Truth Competency Assessment for Smart Grid Cyber Security TCIPG May 4, 2012 Michael Assante President, NBISE David H. Tobey, Ph.D. Director of Research The Need for Cyber Defenders &quot;Everywhere I go, across the country, CEOs and

595 views • 27 slides
Ground Truth Data for Performance Evaluation of Urdu Nastalique OCR Aneeta Niazi Research

Ground Truth Data for Performance Evaluation of Urdu Nastalique OCR Aneeta Niazi Research

Ground Truth Data for Performance Evaluation of Urdu Nastalique OCR Aneeta Niazi Research Officer Ground Truth Data Definition : The term &quot;ground truthing&quot; refers to the process of gathering the proper objective data to prove or

658 views • 38 slides
Security Through Examples Exploring Cyber Security in Critical Infrastructure Tim Yardley,

Security Through Examples Exploring Cyber Security in Critical Infrastructure Tim Yardley,

Security Through Examples Exploring Cyber Security in Critical Infrastructure Tim Yardley, University of Illinois Urbana-Champaign yardley@illinios.edu Introduction Material September 30, 2016 cred-c.org Se Settin ing T The St Stage 1

495 views • 20 slides
Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
Cyber Security and Smart Infrastructure: Research Dr. Stacy Prowell Chief Cyber Security

Cyber Security and Smart Infrastructure: Research Dr. Stacy Prowell Chief Cyber Security

Cyber Security and Smart Infrastructure: Research Dr. Stacy Prowell Chief Cyber Security Research Scientist Oak Ridge National Laboratory Main Points Information Sharing Enable discovering and sharing information about real threats to

216 views • 6 slides
Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

ABB MINING USER CONFERENCE, MAY 02-05, 2017 Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division Agenda Why worry about cyber security? ABBs approach to cyber security Cyber security

1.07k views • 39 slides
Maritime cyber security Jakob P. Larsen, Head of Maritime Security jpl@bimco.org 2019 ReCAAP ISC

Maritime cyber security Jakob P. Larsen, Head of Maritime Security jpl@bimco.org 2019 ReCAAP ISC

Maritime cyber security Jakob P. Larsen, Head of Maritime Security jpl@bimco.org 2019 ReCAAP ISC Piracy and Sea Robbery Conference Agenda The regulatory framework Shipping industry guidance Cyber incident examples from real life

355 views • 10 slides
Cyber Security Research on Industrial Control Systems SM Yiu Department of Computer Science The

Cyber Security Research on Industrial Control Systems SM Yiu Department of Computer Science The

Cyber Security Research on Industrial Control Systems SM Yiu Department of Computer Science The University of Hong Kong Cyber-security for industry 4.0 conference 23 June, 2017 1 Will the followings only be seen in movies? Movies: Cyber

510 views • 28 slides
An Update from Washington: Whats Happening in the World of Cyber Security and Critical

An Update from Washington: Whats Happening in the World of Cyber Security and Critical

Homeland Security Advanced Research Projects Agency An Update from Washington: Whats Happening in the World of Cyber Security and Critical Infrastructure Douglas Maughan Division Director November 12, 2014 http://www.dhs.gov/cyber-research

489 views • 31 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views • 41 slides
Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk Challenges in Assessing and Mitigating Cyber Risk Mustaque Ahamad, Saby Mitra and Paul Royal Georgia Tech Information Security Center Georgia Tech

763 views • 16 slides
Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three

Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three

Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three points of failure in any secure network: Technology (hardware and software) Technology Support (ITS) End Users (USD students and employees)

359 views • 23 slides
Cyber-Physical System Security Alia Long Advanced Research in Cyber Systems (ARCS) Los Alamos

Cyber-Physical System Security Alia Long Advanced Research in Cyber Systems (ARCS) Los Alamos

Cyber-Physical System Security Alia Long Advanced Research in Cyber Systems (ARCS) Los Alamos National Laboratory LA-UR-17-27644 Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA A Cyber-Physical Model

837 views • 7 slides
CYBER SECURITY PROTECTING AGAINST CYBER FRAUD IN SCALEUP COMPANIES AND WHAT TO DO SHOULD THEY

CYBER SECURITY PROTECTING AGAINST CYBER FRAUD IN SCALEUP COMPANIES AND WHAT TO DO SHOULD THEY

CYBER SECURITY PROTECTING AGAINST CYBER FRAUD IN SCALEUP COMPANIES AND WHAT TO DO SHOULD THEY HAPPEN London June 2019 INTRODUCTION Cyber Security The activity or process, ability or capability, or state whereby information and

735 views • 24 slides
ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* *

ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* *

ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* * Preliminary programme, subject to revision/update status 16 December 2014 4 February 2015 Day 1: Cyber Security Readiness Registration KU

306 views • 4 slides
Institute for Cyber Security The University of Texas at San Antonio World-Leading Research with

Institute for Cyber Security The University of Texas at San Antonio World-Leading Research with

Institute for Cyber Security The University of Texas at San Antonio World-Leading Research with Real-World Impact! April 20, 2010 To: Julian Thrash From: Jeff Reich, Director of Operations for the Institute for Cyber Security Subject:

176 views • 3 slides
Interface Objectives Discuss interfaces concept definition implementation

Interface Objectives Discuss interfaces concept definition implementation

Interface Objectives Discuss interfaces concept definition implementation support for generic code 2 Interface An interface defines a specification also called contract A class can agree to abide by the

561 views • 27 slides
Tor: Anonymous Communications for the EFF ... and you. Roger Dingledine The Tor Project

Tor: Anonymous Communications for the EFF ... and you. Roger Dingledine The Tor Project

Tor: Anonymous Communications for the EFF ... and you. Roger Dingledine The Tor Project https://torproject.org/ 1 Tor: Big Picture Freely available (Open Source), unencumbered. Comes with a spec and full documentation: German

810 views • 50 slides
On-Site Activities Item removal Loaded and shipped 24 boxes, 12 pallets of items from

On-Site Activities Item removal Loaded and shipped 24 boxes, 12 pallets of items from

On-Site Activities Item removal Loaded and shipped 24 boxes, 12 pallets of items from underground. Removed the detector from underground Removed the Xe emergency bladder Detector Removal Had to build a special cart Awsome

349 views • 4 slides
Public Hearing: 2017 CDBG-DR Harris County Draft Infrastructure Project Application Presented

Public Hearing: 2017 CDBG-DR Harris County Draft Infrastructure Project Application Presented

Public Hearing: 2017 CDBG-DR Harris County Draft Infrastructure Project Application Presented by Harris County Community Services Department December 17, 2018 CDBG-DR 2015-2017 Allocations Year Total Housing Non-Housing/ Admin/Project

508 views • 8 slides
GSP Coordinating Committee Coordinating Committee Meeting June 24, 2019 Merced

GSP Coordinating Committee Coordinating Committee Meeting June 24, 2019 Merced

GSP Coordinating Committee Coordinating Committee Meeting June 24, 2019 Merced Irrigation-Urban GSA Merced Subbasin GSA Turner Island Water District GSA-1 Agenda 1. Call to order 2. Approval of minutes for May 29, 2019 meeting 3.

903 views • 45 slides
Pre-Proposal Conference Solicitation No. 89303320REM000073 Ian Rexroad Casey Gadbury

Pre-Proposal Conference Solicitation No. 89303320REM000073 Ian Rexroad Casey Gadbury

CBFO Technical Assistance Contract Final Request For Proposal Pre-Proposal Conference Solicitation No. 89303320REM000073 Ian Rexroad Casey Gadbury Contracting Officer Director, Office of Program Management (EMCBC) (CBFO) Office of

928 views • 72 slides
Hardening the C++ Standard Template Library Marshall Clow Qualcomm Euro LLVM, April 17, 2018

Hardening the C++ Standard Template Library Marshall Clow Qualcomm Euro LLVM, April 17, 2018

Hardening the C++ Standard Template Library Marshall Clow Qualcomm Euro LLVM, April 17, 2018 Marshall Clow (Qualcomm) Hardening the C++ Standard Template Library Euro LLVM, April 17, 2018 1 / 16 About me I work for Qualcomm in San Diego. I

655 views • 16 slides
Checking Modular Refinements of Bluespec Nirav Dave 1 , Michael Katelman 2 Massachusetts Institute

Checking Modular Refinements of Bluespec Nirav Dave 1 , Michael Katelman 2 Massachusetts Institute

Checking Modular Refinements of Bluespec Nirav Dave 1 , Michael Katelman 2 Massachusetts Institute of Technology 1 University of Illinois at Urbana- Champaign 2 1 Frequently BSV designers refine their designs rule map(i&lt;100); i &lt;= i +

1.01k views • 45 slides

More recommend