techniques for detecting compromised iot devices
play

Techniques for detecting compromised IoT devices Ivo van der Elzen, - PowerPoint PPT Presentation

Oct 23, 2022 •222 likes •456 views

Introduction Research questions Research Results Conclusion Questions Techniques for detecting compromised IoT devices Ivo van der Elzen, Jeroen van Heugten RP1 Presentation February 6, 2017 RIoT Van der Elzen, Van Heugten Introduction

  1. Introduction Research questions Research Results Conclusion Questions Techniques for detecting compromised IoT devices Ivo van der Elzen, Jeroen van Heugten RP1 Presentation February 6, 2017 RIoT Van der Elzen, Van Heugten

  2. Introduction Research questions Research Results Conclusion Questions Introduction RIoT Van der Elzen, Van Heugten

  3. Introduction Research questions Research Results Conclusion Questions Research questions • Which techniques are feasible in order to gather insight into infected IoT devices? • What are the generic properties of existing IoT malware? • What techniques are available to detect IoT malware activity based on these properties? • Which technique or combination of techniques is/are most appropriate for a given set of resources or network location? RIoT Van der Elzen, Van Heugten

  4. Introduction Research questions Research Results Conclusion Questions Malware analysis: Mirai Mirai overview Credit: Level 3 Threat Research Labs RIoT Van der Elzen, Van Heugten

  5. Introduction Research questions Research Results Conclusion Questions Malware analysis: Mirai (cont.) • Scanning • Random IP (/32), with exclusions • Ports targeted • Peculiar window size • Attacking • List of 60 username/password combinations • Check string busybox MIRAI & ECCHI • Results sent to loader • Infection • Loader delivers malware • Removes competing bots • Many processor architectures supported RIoT Van der Elzen, Van Heugten

  6. Introduction Research questions Research Results Conclusion Questions Malware analysis: BASHLITE AKA: Torlus, gafgyt, Lizkebab • Very simple client/server setup • scanner ”Lel” • DDoS attacks • C&C IRC-derived RIoT Van der Elzen, Van Heugten

  7. Introduction Research questions Research Results Conclusion Questions Malware analysis: BASHLITE (cont.) • Scanning • Random IP subnet (/24), with exclusions • Targets port 23 only • Window size unset (system default) • Attacking • Uses random combination of 6 usernames and 14 passwords • Bot downloads shell script that downloads the malware • Infection • Script downloads binary for each arch • Many processor architectures supported RIoT Van der Elzen, Van Heugten

  8. Introduction Research questions Research Results Conclusion Questions Other malware targetting IoT devices Some more • Zollard • Hajime • Anime/Kami • and many more... RIoT Van der Elzen, Van Heugten

  9. Introduction Research questions Research Results Conclusion Questions Generic properties of IoT malware Difficult to be comprehensive... but: • Lifecycle • Scan for devices with open ports • Attack devices • Infect compromised devices • Perform intended actions (DDoS) • GOTO 10 RIoT Van der Elzen, Van Heugten

  10. Introduction Research questions Research Results Conclusion Questions Generic properties of IoT malware (cont.) • Scanning behavior • Random scan of IPv4 address space, with exclusions • Ports targeted • Much code shared, but some peculiarities • Attacking • Main attack method: weak/default username/password • Sometimes exploits are used • Infection method varies • BASHLITE: Bots scan & attack, drop/fetch binary • Mirai: Bots report results to loader, loader drops binary • Hajime: Drops small binary that fetches malware over DHT and uTP RIoT Van der Elzen, Van Heugten

  11. Introduction Research questions Research Results Conclusion Questions So wat defines IoT malware? IoT malware is mostly defined by which types of devices it targets: • IP camera’s, DVR’s, home routers and other ”embedded” devices • Effective due to support for many architectures, not just x86 • Almost any Linux device with an open telnet and weak password susceptible! Credit: Hangzhou Xiongmai Technologies RIoT Van der Elzen, Van Heugten

  12. Introduction Research questions Research Results Conclusion Questions Detection techniques • NetFlow • Packet capture • Honeypots • Other RIoT Van der Elzen, Van Heugten

  13. Introduction Research questions Research Results Conclusion Questions Detection techniques: NetFlow • Lower OSI layers • Packet headers • Network monitoring • Accuracy Credit: Cisco Systems RIoT Van der Elzen, Van Heugten

  14. Introduction Research questions Research Results Conclusion Questions Detection techniques: Packet capture • All OSI layers • Packet headers & payload • Troubleshooting • Performance RIoT Van der Elzen, Van Heugten

  15. Introduction Research questions Research Results Conclusion Questions Detection techniques: Honeypot • Cowrie (medium-interaction) • Tracking malware variants • Gathering infected IP addresses • Full-interaction honeypots • DDoS attack targets • C&C IP addresses Credit: The Honeynet Project RIoT Van der Elzen, Van Heugten

  16. Introduction Research questions Research Results Conclusion Questions Detection techniques: Other • DNS analysis • DGA • Open/closed port monitoring • Shodan • CAMELIA RIoT Van der Elzen, Van Heugten

  17. Introduction Research questions Research Results Conclusion Questions Experiments • Mirai PRNG window size v.s. darknet scans • Mirai scanning behavior compared to NetFlow • Telnet honeypots RIoT Van der Elzen, Van Heugten

  18. Introduction Research questions Research Results Conclusion Questions Results Window sizes of TCP SYN packets captured by darknet monitor RIoT Van der Elzen, Van Heugten

  19. Introduction Research questions Research Results Conclusion Questions Results (cont.) Compared to Mirai’s window size algorithm (note change of scale!) Conclusion: Window sizes used by Mirai very uniformly distributed, this is unusual. RIoT Van der Elzen, Van Heugten

  20. Introduction Research questions Research Results Conclusion Questions Results (cont.) Simulated Mirai v.s. suspected Mirai bot Mirai/Hajime variants seen by honeypots MIRAI 3147 MASUTA 1835 MM 309 OBJPRN 215 MEMES 29 THTC 18 ECCHI 18 TERROR 5 LLDAN 2 TASKF 2 FBI 2 Subtotal 5582 5 random characters 7624 Total 13224 Unique source IP / string combinations seen RIoT Van der Elzen, Van Heugten

  21. Introduction Research questions Research Results Conclusion Questions Conclusion • Determine generic properties of IoT malware? • Yes, but needs to be updated periodically • Feasible techniques • NetFlow analysis • Packet capture (Darknet) • Honeypot logging • Other Conclusion: Detection techniques can only be effective when applied with knowledge of malware gained from sources such as honeypots and malware analysis. RIoT Van der Elzen, Van Heugten

  22. Introduction Research questions Research Results Conclusion Questions Questions Thank you! Any questions? Special thanks to SURFnet for hosting us and the use of their data and expertise. RIoT Van der Elzen, Van Heugten

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
The Role of Web Hosting Providers in Detecting Compromised Websites Davide Canali, Davide

The Role of Web Hosting Providers in Detecting Compromised Websites Davide Canali, Davide

The Role of Web Hosting Providers in Detecting Compromised Websites Davide Canali, Davide Balzarotti, Aurlien Francillon Software and System Security Group Software and System Security Group EURECOM, France EURECOM, France Motivations

335 views • 20 slides
Large XML on Small Devices: Large XML on Small Devices: Techniques Developed Techniques

Large XML on Small Devices: Large XML on Small Devices: Techniques Developed Techniques

Large XML on Small Devices: Large XML on Small Devices: Techniques Developed Techniques Developed in the Fuego Core Project in the Fuego Core Project Helsinki-Rutgers Ph.D. Workshop 2007 Tancred Lindholm, Jaakko Kangasharju

280 views • 27 slides
Botnets A collection of compromised machines Under control of a single person Organized

Botnets A collection of compromised machines Under control of a single person Organized

Botnets A collection of compromised machines Under control of a single person Organized using distributed system techniques Used to perform various forms of attacks Usually those requiring lots of power Lecture 12 Page 1 CS

753 views • 16 slides
DECODE: Detecting Co-Moving Wireless Devices Gayathri Chandrasekaran, Mesut Ali Ergin, Marco

DECODE: Detecting Co-Moving Wireless Devices Gayathri Chandrasekaran, Mesut Ali Ergin, Marco

DECODE: Detecting Co-Moving Wireless Devices Gayathri Chandrasekaran, Mesut Ali Ergin, Marco Gruteser, Rich Martin (WINLAB, Rutgers University) Jie Yang and Yingying Chen (Department of ECE, Stevens Institute of Technology) Co-Movement

622 views • 27 slides
An Overview of Techniques for Detecting Software Variability Concepts in Source Code Angela

An Overview of Techniques for Detecting Software Variability Concepts in Source Code Angela

1/30 An Overview of Techniques for Detecting Software Variability Concepts in Source Code Angela Lozano Universit catholique de Louvain, Belgium Monday 5 December 2011 2/30 Variability Customized and Affordable Maximize reuse of

544 views • 32 slides
Detecting Communities of Commuters: Graph Based Techniques vs Generative Models Ashish Dandekar,

Detecting Communities of Commuters: Graph Based Techniques vs Generative Models Ashish Dandekar,

Detecting Communities of Commuters: Graph Based Techniques vs Generative Models Ashish Dandekar, St ephane Bressan, Talel Abdessalem, Huayu Wu, Wee Siong Ng September 7, 2016 1 Introduction Related Work Generative Models Experiments

786 views • 44 slides
Detecting Hardware Trojans: A Tale of Two Techniques Sharad Malik sharad@princeton.edu FMCAD

Detecting Hardware Trojans: A Tale of Two Techniques Sharad Malik sharad@princeton.edu FMCAD

Detecting Hardware Trojans: A Tale of Two Techniques Sharad Malik sharad@princeton.edu FMCAD 2015 Hardware Security and Hardware Trojans User apps Each layer trusts all layers below it Kernel Hypervisor More privilege Widely

706 views • 49 slides
Identity Fraud Valuing Compromised Data Identity Fraud Valuing Compromised Data 2008 Chicago

Identity Fraud Valuing Compromised Data Identity Fraud Valuing Compromised Data 2008 Chicago

Identity Fraud Valuing Compromised Data Identity Fraud Valuing Compromised Data 2008 Chicago Federal Reserve Payments Conference Jeff Schmidt, MBA, CISSP jschmidt@jschmidt.org j @j g (Most) Security problems are actually The

500 views • 11 slides
Combating the Advanced Memory Exploitation Techniques: Detecting ROP with Memory Information Leak

Combating the Advanced Memory Exploitation Techniques: Detecting ROP with Memory Information Leak

Combating the Advanced Memory Exploitation Techniques: Detecting ROP with Memory Information Leak nEINEI, Research Scientist @ McAfee Labs Chong Xu, Director of IPS Research @ McAfee Labs CanSecWest2014 March 20, 2014 Bio nEINEI

546 views • 31 slides
Chapter 7 Input/Output Contents External devices I/O modules I/O techniques

Chapter 7 Input/Output Contents External devices I/O modules I/O techniques

Chapter 7 Input/Output Contents External devices I/O modules I/O techniques Programmed I/O Interrupt-driven I/O Interrupt processing Intel 82C59A controller Direct memory access I/O channels and processors

939 views • 57 slides
Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L i L L Long ong I I Islan I l and S d S d S d Soun ound d with with NERACOOS Buoy y Observations James ODonnell, Todd Fake, Kay

815 views • 26 slides
Compromised Social Network Accounts Detection and Incentives Manuel Egele Dept. of Electrical

Compromised Social Network Accounts Detection and Incentives Manuel Egele Dept. of Electrical

Compromised Social Network Accounts Detection and Incentives Manuel Egele Dept. of Electrical & Computer Engineering Boston University megele@bu.edu As Seen on Twitter 2 Why Compromised Accounts? Historically, attackers create fake

528 views • 18 slides
Debulking Below the Knee: Devices & Techniques Jihad A. Mustapha, MD, FSCAI, FACC Advanced

Debulking Below the Knee: Devices & Techniques Jihad A. Mustapha, MD, FSCAI, FACC Advanced

Debulking Below the Knee: Devices & Techniques Jihad A. Mustapha, MD, FSCAI, FACC Advanced Cardiac & Vascular Centers for Amputation Prevention Grand Rapids, MI Disclosures Bard Peripheral Vascular Consultant Boston Scientific

435 views • 27 slides
Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Inno Innovative Materials tive Materials Air Force Research Center for Nondestructive Testin Testing T Tech chnologies, es, I Inc. c. Laboratory Evaluation Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft

308 views • 12 slides
Detecting changes in Detecting changes in the rate the rate of a of a Poisson process

Detecting changes in Detecting changes in the rate the rate of a of a Poisson process

Detecting changes in Detecting changes in the rate the rate of a of a Poisson process Poisson process George V. Moustakides Outline Overview of the change detection problem CUSUM test and Lordens criterion The Poisson

454 views • 28 slides
Exploiting Live Virtual Machine Migration Jon Oberheide University of Michigan February 21,

Exploiting Live Virtual Machine Migration Jon Oberheide University of Michigan February 21,

Exploiting Live Virtual Machine Migration Jon Oberheide University of Michigan February 21, 2008 Black Hat DC - Game Plan Introduction to VM migration Live migration security Exploiting live migration Future attacks and

441 views • 31 slides
Networks: Detection and Countermeasure Issa Khalil, Saurabh Bagchi IEEE Transactions on Mobile

Networks: Detection and Countermeasure Issa Khalil, Saurabh Bagchi IEEE Transactions on Mobile

Stealthy Attacks in Wireless Ad Hoc Networks: Detection and Countermeasure Issa Khalil, Saurabh Bagchi IEEE Transactions on Mobile Computing, 2011 Presented by Yang Chen 1 CS6204 Mobile Computing Khalil-TMC11 Outline Background and

1k views • 43 slides
2018 Investor Presentation Thursday, 17 May 2018 Link Group Investor Presentation 17 May 2018

2018 Investor Presentation Thursday, 17 May 2018 Link Group Investor Presentation 17 May 2018

2018 Investor Presentation Thursday, 17 May 2018 Link Group Investor Presentation 17 May 2018 Link Group 1 Important notice This presentation has been prepared by Link Administration Holdings Limited ( Company ) together with its related

1.08k views • 74 slides
RWEPAC January 9, 2018 WELCOME Introductions Name Organization New Years

RWEPAC January 9, 2018 WELCOME Introductions Name Organization New Years

RWEPAC January 9, 2018 WELCOME Introductions Name Organization New Years Resolution BeWaterSmart.info BE WATER SMART Agenda Welcome and Introductions November 2017 Meeting Notes Program Updates QWEL

704 views • 36 slides
OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam

OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam

OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam Quanza Engineering C. Dillon, M. Berkelaar OpenFlow DDoS Mitigation Introduction Distributed Denial of Service attacks Types of attacks Application

358 views • 18 slides
Formal Security Analysis of Smart Embedded Systems Farid Farid Molazem

Formal Security Analysis of Smart Embedded Systems Farid Farid Molazem

Formal Security Analysis of Smart Embedded Systems Farid Farid Molazem Molazem Tabrizi Tabrizi Karthik Pattabiraman Karthik Pattabiraman http://blogs.ubc.ca/karthik/ 1 IoT Systems 2 Security Attacks

224 views • 20 slides
Adversarial Attacks and Defenses in Deep Learning Hang Su suhangss@tsinghua.edu.cn Institute for

Adversarial Attacks and Defenses in Deep Learning Hang Su suhangss@tsinghua.edu.cn Institute for

Adversarial Attacks and Defenses in Deep Learning Hang Su suhangss@tsinghua.edu.cn Institute for Artificial Intelligence Dept. of Computer Science & Technology Tsinghua University 1 Background Artificial intelligence (AI) is a

917 views • 63 slides
A Classification of SQL Injection Attack Techniques and Countermeasures William G.J. Halfond,

A Classification of SQL Injection Attack Techniques and Countermeasures William G.J. Halfond,

A Classification of SQL Injection Attack Techniques and Countermeasures William G.J. Halfond, Jeremy Viegas & Alessandro Orso Georgia Institute of Technology This work was partially supported by DHS contract FA8750-05-2-0214 and NSF award

425 views • 29 slides

More recommend