network security today finding complex attacks at 100gb s
play

Network Security Today: Finding Complex Attacks at 100Gb/s Robin - PowerPoint PPT Presentation

Jun 07, 2023 •329 likes •1.27k views

Network Security Today: Finding Complex Attacks at 100Gb/s Robin Sommer International Computer Science Institute, & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org/robin TU Mnchen, September 2012

  1. Network Security Today: Finding Complex Attacks at 100Gb/s Robin Sommer International Computer Science Institute, & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org/robin TU München, September 2012 Informatik-Kolloquium, TU München

  2. Outline 2 Informatik-Kolloquium, TU München

  3. Outline Today’s Threats. Deep Packet Inspection at High Speed. Collective Intelligence. 2 Informatik-Kolloquium, TU München

  4. The Old Days ... 1300M Border Traffic Lawrence Berkeley National Lab (Today) 10GE upstream, 4,000 user, 12,000 hosts 1000M #connections/month 800M Total connections 600M 400M 200M 0M 1994 1996 1998 2000 2002 2004 2006 2008 Data: Lawrence Berkeley National Lab 3 Informatik-Kolloquium, TU München

  5. The Old Days ... 1300M Border Traffic Lawrence Berkeley National Lab (Today) 10GE upstream, 4,000 user, 12,000 hosts 1000M #connections/month 800M Total connections Successful connections 600M Attempted connections 400M 200M 0M 1994 1996 1998 2000 2002 2004 2006 2008 Data: Lawrence Berkeley National Lab 3 Informatik-Kolloquium, TU München

  6. The Old Days ... 1300M Border Traffic Conficker.B Lawrence Berkeley National Lab (Today) Conficker.A 10GE upstream, 4,000 user, 12,000 hosts Santy 1000M Mydoom.O Sasser #connections/month 800M Total connections Sobig.F Successful connections Welchia 600M Attempted connections Blaster 400M Slapper Nimda 200M CodeRed2 CodeRed 0M 1994 1996 1998 2000 2002 2004 2006 2008 Data: Lawrence Berkeley National Lab 3 Informatik-Kolloquium, TU München

  7. Trend 1: Commercialization of Attacks 4 Informatik-Kolloquium, TU München

  8. Trend 1: Commercialization of Attacks Attacks aimed at making a profit. Selling (illegal) goods and services. Exfiltrating information. Thriving underground economy. Empowered by virtually endless supply of “bots”. Everything is on sale (“crime-as-a-service”). 4 Informatik-Kolloquium, TU München

  9. “Pay Per Install” Services 5 Informatik-Kolloquium, TU München

  10. “Pay Per Install” Services 5 Informatik-Kolloquium, TU München

  11. Crime Economics 6 Informatik-Kolloquium, TU München

  12. Crime Economics Accelerated arms race. Innovative, fast moving attackers. 6 Informatik-Kolloquium, TU München

  13. Crime Economics Accelerated arms race. Bear race. Innovative, fast moving attackers. If attack pays, it’s good enough. 6 Informatik-Kolloquium, TU München

  14. Trend 2: Highly Targeted Attacks 7 Informatik-Kolloquium, TU München

  15. Trend 2: Highly Targeted Attacks High-skill / high-resource attacks. Targeting you. Extremely hard to defend against. 7 Informatik-Kolloquium, TU München

  16. Trend 2: Highly Targeted Attacks High-skill / high-resource attacks. Targeting you. Extremely hard to defend against. Typical Instances Activist hacking. “Advanced Persistent Threats”. 7 Informatik-Kolloquium, TU München

  17. Trend 2: Highly Targeted Attacks High-skill / high-resource attacks. Targeting you. Extremely hard to defend against. Typical Instances Activist hacking. Advanced Persistent Threat (APT). MANDIANT defines “Advanced Persistent Threats”. the APT as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks for years. The vast majority of Source: MANDIANT 7 Informatik-Kolloquium, TU München

  18. Targeted Attacks: APTs EXPLOITATION LIFE CYCLE STEP 1 Reconnaissance STEP 2 Initial Intrusion into the Network STEP 3 Establish a Backdoor into the Network STEP 4 Obtain User Credentials STEP 5 Install Various Utilities STEP 6 Privilege Escalation / Lateral Movement / Data Exfiltration STEP 7 Maintain Persistence Source: MANDIANT 8 Informatik-Kolloquium, TU München

  19. Targeted Attacks: APTs EXPLOITATION LIFE CYCLE APT MALWARE COMMUNICATION STEP 1 100% of APT backdoors made only outbound connections Reconnaissance Used another STEP 2 port 17% Initial Intrusion into the Network STEP 3 Establish a Backdoor into the Network Used TCP port 80 or 443 83% STEP 4 Obtain User Credentials STEP 5 Install Various Utilities In no instance was any APT malware written or configured to listen for STEP 6 Privilege Escalation / Lateral Movement / Data Exfiltration inbound connections. STEP 7 Maintain Persistence Source: MANDIANT 8 Informatik-Kolloquium, TU München

  20. Challenges for Defenders 9 Informatik-Kolloquium, TU München

  21. Challenges for Defenders Varying threat models. No ring rules them all. 9 Informatik-Kolloquium, TU München

  22. Challenges for Defenders Varying threat models. No ring rules them all. Volume and variability. Network traffic is an enormous haystack. 9 Informatik-Kolloquium, TU München

  23. Challenges for Defenders Varying threat models. No ring rules them all. Volume and variability. Network traffic is an enormous haystack. Semantic complexity. The action is really at the application-layer. 9 Informatik-Kolloquium, TU München

  24. Analyzing Semantics 10 Informatik-Kolloquium, TU München

  25. Analyzing Semantics Internal Tap Internet Network IDS 10 Informatik-Kolloquium, TU München

  26. Analyzing Semantics Internal Tap Internet Network IDS Example: Finding downloads of known malware. 1. Find and parse all Web traffic. 2. Find and extract binaries. 3. Compute hash and compare with database. 4. Report, and potentially kill, if found. 10 Informatik-Kolloquium, TU München

  27. Deep Packet Inspection at High Speed 11 Informatik-Kolloquium, TU München

  28. Back in 2005 ... 12 Informatik-Kolloquium, TU München

  29. Back in 2005 ... Munich Scientific Network (Today) Total bytes 80 3 major universities, 2x10GE upstream Incoming bytes ~100,000 Users ~65,000 Hosts 60 Total upstream bytes Incoming bytes TBytes/month 40 20 0 1997 1998 1999 2000 2001 2002 2003 2004 2005 Data: Leibniz-Rechenzentrum, München 12 Informatik-Kolloquium, TU München

  30. Today ... 13 Informatik-Kolloquium, TU München

  31. Today ... Munich Scientific Network (Today) Total bytes 3 major universities, 2x10GE upstream Incoming bytes 800 ~100,000 Users ~65,000 Hosts Total upstream bytes 600 Incoming bytes TBytes/month 400 200 Oct 2005 0 1996 1998 2000 2002 2004 2006 2008 2010 Data: Leibniz-Rechenzentrum, München 13 Informatik-Kolloquium, TU München

  32. Traditional Gap: Research vs. Operations 14 Informatik-Kolloquium, TU München

  33. Traditional Gap: Research vs. Operations Conceptually simple tasks can be hard in practice. Academic research often neglects operational constraints. Operations cannot leverage academic results. 14 Informatik-Kolloquium, TU München

  34. Traditional Gap: Research vs. Operations Conceptually simple tasks can be hard in practice. Academic research often neglects operational constraints. Operations cannot leverage academic results. We focus on working with operations. Close collaborations with several large sites. Extremely fruitful for both sides. 14 Informatik-Kolloquium, TU München

  35. Research Platform: Bro 15 Informatik-Kolloquium, TU München

  36. Research Platform: Bro Originally developed by Vern Paxson in 1996. Open-source, BSD-license, maintained at ICSI. In operational use since the beginning. Conceptually very different from other IDS. http://www.bro-ids.org 15 Informatik-Kolloquium, TU München

  37. Bro Script Example: Matching URLs Task: Report all Web requests for files called “ passwd”. 16 Informatik-Kolloquium, TU München

  38. Bro Script Example: Matching URLs Task: Report all Web requests for files called “ passwd”. event http_request (c: connection, # Connection. method: string, # HTTP method. original_URI: string, # Requested URL. unescaped_URI: string, # Decoded URL. version: string) # HTTP version. { if ( method == "GET" && unescaped_URI == /.*passwd/ ) NOTICE(...); # Alarm. } 16 Informatik-Kolloquium, TU München

  39. “Who’s Using It?” Installations across the US Universities Research Labs Supercomputer Centers Industry Examples Lawrence Berkeley National Lab Indiana University National Center for Supercomputing Applications National Center for Atmospheric Research ... and many more sites Recent User Meetings Bro Workshop 2011 at NCSA Fully integrated into Security Onion Bro Exchange 2012 at NCAR Popular security-oriented Linux distribution Each attended by about 50 operators from from 30-35 organizations 17 Informatik-Kolloquium, TU München

  40. Bro History 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 Vern writes 1st line of code 18 Informatik-Kolloquium, TU München

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TCP/IP: sniffing, ARP attacks, IP fragmentation Network Security Lecture 3 Recap and overview

TCP/IP: sniffing, ARP attacks, IP fragmentation Network Security Lecture 3 Recap and overview

TCP/IP: sniffing, ARP attacks, IP fragmentation Network Security Lecture 3 Recap and overview Last time Today TCP/IP Attacks IP Sniffing Ethernet Spoofing ARP Hijacking (ARP) Tools/libraries Libnet,

729 views • 37 slides
Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing

Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing

Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing the security of network protocols We will now focus on web applications and their vulnerabilities (and attacks) SQL injection Eike Ritter

815 views • 25 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan

CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan

CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Stefan Savage, David Wagner, and Nick Weaver Threat Modeling for Network Attacks Basic security goals:

804 views • 31 slides
Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu

Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu

Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu Materials adopted from Prof. David Wagner 2019 General Communication Security Goals: CIA Confidentiality: No one can read our data / communication

876 views • 60 slides
CSE 127: Introduction to Security Lecture 10: Network Attacks Deian Stefan UCSD Winter 2020

CSE 127: Introduction to Security Lecture 10: Network Attacks Deian Stefan UCSD Winter 2020

CSE 127: Introduction to Security Lecture 10: Network Attacks Deian Stefan UCSD Winter 2020 Material from Nadia Heninger, Stefan Savage, David Wagner, and Nick Weaver Threat Modeling for Network Attacks Basic security goals:

585 views • 36 slides
CSE 127: Introduction to Security Lecture 13: Network Attacks Deian Stefan UCSD Fall 2020

CSE 127: Introduction to Security Lecture 13: Network Attacks Deian Stefan UCSD Fall 2020

CSE 127: Introduction to Security Lecture 13: Network Attacks Deian Stefan UCSD Fall 2020 Material from Nadia Heninger, Stefan Savage, David Wagner, and Nick Weaver Threat modeling for network attacks Basic security goals:

1.11k views • 39 slides
Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Network Security Model Header attacks Protocol Attacks

597 views • 25 slides
Network Attacks Review & Denial-of-Service (DoS) CS 161: Computer Security Prof. Vern Paxson

Network Attacks Review & Denial-of-Service (DoS) CS 161: Computer Security Prof. Vern Paxson

Network Attacks Review & Denial-of-Service (DoS) CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 15, 2011 Goals For Today Review

825 views • 53 slides
Overview Network and Server Goal of Security Control Attacks and Penetration Phases of

Overview Network and Server Goal of Security Control Attacks and Penetration Phases of

Overview Network and Server Goal of Security Control Attacks and Penetration Phases of Control Methods of Taking Control Common Points of Attack Multifront Attacks Chapter 12 Auditing to Recognize Attacks Malicious

535 views • 7 slides
WiF iFi security UW Madison CS 642 1 Announcements HW 3 (network security) out today

WiF iFi security UW Madison CS 642 1 Announcements HW 3 (network security) out today

WiF iFi security UW Madison CS 642 1 Announcements HW 3 (network security) out today Due April 2 nd Online classes going forward Testing out BBCollaborate Ultra today Recordings should be available Might use different

1.19k views • 27 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 3 Network Protocol Attacks Roadmap Network security The basic objectives: CIA

1.68k views • 39 slides
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 3 Network Protocol Attacks Roadmap Network security The

502 views • 39 slides
Network Security: Attacks CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva

Network Security: Attacks CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva

Network Security: Attacks CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar, Rebecca

699 views • 58 slides
Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 17: Network

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 17: Network

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 17: Network Security Chapter 17: 2 Agenda Net adversary TCP attacks DNS attacks Firewalls Intrusion detection Honeypots Chapter 17: 3

792 views • 62 slides
SSL, GONE IN 30 SECONDS b r e a c h A BREACH beyond CRIME SSL, GONE IN 30 SECONDS PREVIOUSLY...

SSL, GONE IN 30 SECONDS b r e a c h A BREACH beyond CRIME SSL, GONE IN 30 SECONDS PREVIOUSLY...

Angelo Prado Neal Harris Yoel Gluck SSL, GONE IN 30 SECONDS b r e a c h A BREACH beyond CRIME SSL, GONE IN 30 SECONDS PREVIOUSLY... CRIME Target Requirements Presented at Secrets in HTTP TLS compression ekoparty 2012 headers MITM A

553 views • 29 slides
Survey of Cyber Moving Targets Presented By Sharani Sankaran Moving Target Defense A cyber

Survey of Cyber Moving Targets Presented By Sharani Sankaran Moving Target Defense A cyber

Survey of Cyber Moving Targets Presented By Sharani Sankaran Moving Target Defense A cyber moving target technique refers to any technique that attempts to defend a system and increase the complexity of cyber attacks by making the system

728 views • 27 slides
StratCom in Context: The Hidden Architecture of U.S. Militarism Jacqueline Cabasso Western

StratCom in Context: The Hidden Architecture of U.S. Militarism Jacqueline Cabasso Western

Slide 1 StratCom in Context: The Hidden Architecture of U.S. Militarism Jacqueline Cabasso Western States Legal Foundation April 12, 2008 Presented at the 16 th Annual Space Organizing Conference Global Network Against Weapons & Nuclear

419 views • 18 slides
GOT SPIES IN YOUR WIRES? Agenda 2 2 Introduction Meat and Potatoes Questions

GOT SPIES IN YOUR WIRES? Agenda 2 2 Introduction Meat and Potatoes Questions

Marshall Heilman GOT SPIES IN YOUR WIRES? Agenda 2 2 Introduction Meat and Potatoes Questions Introduction 3 3 Evolution of Cyber Attacks 4 - Technical Problem - Unix Systems -- 1998 - Servers - Attacks Were a Nuisance -

948 views • 47 slides
SUPPORTING THE WRITING AND COMMUNICATION SKILLS OF EMERGING SCIENTISTS Susanmarie Harrington

SUPPORTING THE WRITING AND COMMUNICATION SKILLS OF EMERGING SCIENTISTS Susanmarie Harrington

SUPPORTING THE WRITING AND COMMUNICATION SKILLS OF EMERGING SCIENTISTS Susanmarie Harrington University of Vermont Susan.harrington@uvm.edu Lisa Emerson Massey University, NEW ZEALAND L.Emerson@massey.ac.nz Reconnaissance Would you

746 views • 22 slides
Combined functionality and need for new tactics for optimized use of AUV-systems Presentation for

Combined functionality and need for new tactics for optimized use of AUV-systems Presentation for

Combined functionality and need for new tactics for optimized use of AUV-systems Presentation for UDT 2019 AUV 62 System 20 years of R&D 1996-1999 DAIM - Digital Acoustic Imaging . FOI and Saab together with LTH and CTH (Universities)

816 views • 24 slides
Leveragi aging g Physi sics cs for or Se Secu curi rity: Micro ro-PM PMUs Us Anna

Leveragi aging g Physi sics cs for or Se Secu curi rity: Micro ro-PM PMUs Us Anna

Leveragi aging g Physi sics cs for or Se Secu curi rity: Micro ro-PM PMUs Us Anna Scaglione, Arizona State University Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security | cred-c.org 1 Contents

268 views • 22 slides
{ } = t x ( t ), X x ( t ) | 0 t t i i State and state models

{ } = t x ( t ), X x ( t ) | 0 t t i i State and state models

Data Fusion in Sensor Networks Hugh Durrant-Whyte ARC* Federation Fellow ARC* Centre of Excellence for Autonomous Systems The University of Sydney, Australia hugh@cas.edu.au *ARC=Australian Research Council 1 IPSN April 2005 Hugh

629 views • 13 slides

More recommend