The document discusses using a collaborative approach and distributed event processing platform called Agilis to detect stealthy port scans across multiple organizations. It describes how a stealthy scan works and how collaborating organizations can share network traffic data in a "semantic room" to identify scanners that target only a small number of ports at each location. The Agilis platform is able to process large amounts of real-time data in parallel to detect such attacks with low latency even when the workload varies over time. A demonstration of the system detected a stealthy scan within 700 seconds using traffic from 8 machines simulated to represent different collaborators.
AGILIS: an on-line map reduce environment for collaborative security
1. AGILIS: an on-line map reduce environment for collaborative security. MIDLAB, Middleware Laboratory, Sapienza Università di Roma, Dipartimento di Informatica e Sistemistica. Roberto Baldoni, Università degli Studi di Roma "La Sapienza", baldoni@dis.uniroma1.it, http://www.dis.uniroma1.it/~baldoni/. Prin Meeting, San Vito di Cadore. Joint work with IBM Haifa in the context of the CoMiFin EU Project. 14/2/2011
2. Focus and structure of the talk: requirements coming from the financial context; collaborative event processing for cyber security; edge vs centralized event processing over the internet (Agilis, Esper).
4. The case of collaborative cyber security in the financial ecosystem: "webification" of critical financial services, such as home banking, online trading and remote payments; cross-domain interactions spanning different organization boundaries are in place in financial contexts; heterogeneous infrastructure systems (telecommunication suppliers, banks, credit card companies) working on heterogeneous data.
5. The case of collaborative cyber security in the financial ecosystem: a payment card fraud (2008). 100 compromised payment cards were used by a network of coordinated attackers retrieving cash from 130 different ATMs in 49 countries worldwide, totaling 9 million US dollars. High degree of coordination: half an hour to execute, evading all the local monitoring techniques used for detecting anomalies in payment card usage patterns. The fraud was detected only later, after aggregating all the information gathered locally by each financial institution involved in the payment card scam.
6. The case of collaborative cyber security in the financial ecosystem: Distributed Denial of Service attack (2007, Northern Europe), rendering web-based financial services unreachable for legitimate users. The DDoS attack targeted a credit card company and two DNS. Internet connectivity was restored only after several trial-and-error activities carried out manually by network administrators of the attacked systems and of their Internet Service Providers (ISPs). Long preparation time (days), short attack time (seconds).
12. Iran (in progress!): the Stuxnet worm invaded Iran's Supervisory Control and Data Acquisition systems. Source: McAfee report 2010, "In the Crossfire: Critical Infrastructures in the Age of Cyber War".
16. One out of five DDoS attacks is accompanied by an extortion attempt. Source: McAfee report 2010, "In the Crossfire: Critical Infrastructures in the Age of Cyber War".
17. The case of collaborative cyber security in the financial ecosystem: both previous attacks cannot be detected quickly through the information available at the IT infrastructure of a single financial player (i.e., using local monitoring). Need for information sharing: exchange non-sensitive status information; set up agreements. Advantages of a global monitoring system: damage mitigation; quick reaction.
22. Collaborative event processing for cyber security: the CoMiFin project. (Figure: layered architecture with application level, collaboration level and internet level.)
23. Collaborative cyber security platform. Use cases: monitoring and reaction to threats (MitM, stealthy scan, phishing, ...); black/white list distribution (for credit reputation, trust level, ...); anti-terrorism lists (with name-check VAS); anti-money-laundering monitoring; risk management support. Some requirements on the platform: uneven workload over time; high throughput; high computational power; large storage capabilities; timeliness.
25. set of processing and data sharing services provided by the SR, along with the data protection, privacy, isolation, trust, security, dependability and performance requirements.
26. The contract also contains the hardware and software requirements a member has to provision in order to be admitted into the SR.
30. The notion of semantic room: highly flexible, to accommodate the use of different technologies for the implementation of the processing and sharing within the SR (i.e., the implementation of the SR logic or functionality).
38. Data management problems in the semantic room: jurisdiction and regulation (where and how will data be governed?); ownership of data (who owns the data in the semantic room?); data portability; data anonymization; data retention/permanence (what happens to data over time?); security and privacy (how is data secured and protected?); reliability, liability and quality of service of the partners of the semantic room; government surveillance (how much data can the government get from a semantic room?); ...
40. Related work. IBM System S [ICDCS 06]: high cost of ownership; centralized data management; no cooperative approach. Cooperative Intrusion Detection Systems (e.g. DShield): correlation among local warnings; high cost of ownership; obscure data management.
41. Preventing stealthy scan through centralized processing. (Figure: layered architecture with application level, collaboration level and internet level.)
42. Collaborative stealthy scan. The attacker performs port scanning simultaneously at multiple sites, trying to identify TCP/UDP ports that have been left open; those ports can then be used as attack vectors. Added value of collaboration: ability to identify an attacker trying to conceal his/her activity by accessing only a small number of ports within each individual domain. Action taken: blacklist IP addresses; update historical records.
45. Defining the attack: use of common scanning tools (nmap); probes directed to distinct (machine, port) pairs. Action taken: matching source IPs are banned from future access to external web servers.
46. Use of real traces (e.g., ITOC US Army).
48. Analyze the sequence of SYN, ACK and RST packets in the three-way TCP handshake. Specifically, in normal activity the following sequence is observed: (i) SYN, (ii) SYN-ACK, (iii) ACK.
49. In the presence of a SYN port scan, the connection looks like the following: (i) SYN, (ii) SYN-ACK, (iii) RST (or nothing).
50. For a given IP address, if the number of incomplete connections is higher than a certain threshold T, we can conclude that the IP address is likely carrying out malicious port scanning activity.
51. Stealthy scan detection. Raw data (TCPdump):
    10:53:14.647181 IP 9.148.30.136.pop3 > 9.148.17.85.madcap: R 0:0(0) ack 1 win 0
    10:53:14.653813 IP 9.148.17.85.sis-emt > 9.148.30.136.xfer: S 268426387:268426387(0) win 65535 <mss 1460,nop,nop,sackOK>
    10:53:14.653817 IP 9.148.30.136.xfer > 9.148.17.85.sis-emt: R 0:0(0) ack 268426388 win 0
Normalized data format: LogEvent: sourceIp, destIp, sourcePort, destPort, startTime, endTime, bytesSent, bytesReceived, returnStatus. Online data summary. Historical data format: BlackList: list of IP addresses.
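The threshold rule of slides 48-50 applied to normalized LogEvent records of slide 51, as an added example that is not part of the talk or of the CoMiFin/Agilis code. It contrasts what one branch sees alone with what the semantic room sees after pooling every branch's half-open connections; the "branch" tag, the returnStatus labels, the threshold value and all addresses are assumptions constructed for the example.

```python
from collections import defaultdict

# Records follow the slide's normalized LogEvent format (sourceIp, destIp, sourcePort, destPort,
# startTime, endTime, bytesSent, bytesReceived, returnStatus), reduced to the fields the rule needs.
# Assumed additions: "branch" names the SR member that sniffed the connection; returnStatus is
# "ACK" (handshake completed), "RST" (third step was a reset) or "NONE" (third step never came).
INCOMPLETE = {"RST", "NONE"}

def half_open_targets(events):
    """sourceIp -> set of distinct (branch, destIp, destPort) pairs that source left half-open."""
    targets = defaultdict(set)
    for e in events:
        if e["returnStatus"] in INCOMPLETE:
            targets[e["sourceIp"]].add((e["branch"], e["destIp"], e["destPort"]))
    return targets

def local_suspects(events, T):
    """What a branch flags on its own: more than T distinct half-open targets seen locally."""
    suspects = set()
    for ip, targets in half_open_targets(events).items():
        per_branch = defaultdict(int)
        for branch, _dst, _port in targets:
            per_branch[branch] += 1
        if any(n > T for n in per_branch.values()):
            suspects.add(ip)
    return suspects

def collaborative_suspects(events, T):
    """What the semantic room flags: half-open targets summed over all branches exceed T."""
    return {ip for ip, t in half_open_targets(events).items() if len(t) > T}

def make_events():
    """Constructed sample: five branches, one legitimate client, one stealthy scanner."""
    ev = lambda b, src, dst, port, status: {"branch": b, "sourceIp": src, "destIp": dst,
                                            "destPort": port, "returnStatus": status}
    events = []
    for b in range(1, 6):
        web = f"192.0.2.{b}"                                   # branch b's DMZ web server
        events.append(ev(f"branch{b}", "198.51.100.20", web, 443, "ACK"))   # normal client
        events.append(ev(f"branch{b}", "198.51.100.20", web, 8443, "RST"))  # one stray refusal
        for port in (21, 22, 25):                              # scanner touches 3 ports per branch
            events.append(ev(f"branch{b}", "203.0.113.7", web, port, "RST"))
    return events

if __name__ == "__main__":
    events, T = make_events(), 10
    print("local view flags:", local_suspects(events, T))           # set()
    print("semantic room flags:", collaborative_suspects(events, T))  # {'203.0.113.7'}
```

With T = 10 no single branch exceeds the threshold (3 half-open targets each), while the pooled view counts 15 for the scanner and 5 for the legitimate client, which is the gap the collaboration closes.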
52. Example of semantic room for stealthy scan: ingredients. (Diagram: Branch 1 ... Branch j ... Branch N, each with a sniffer, an adapter, a gateway and an I/O socket feeding input streams of POJOs; a central Esper CEP engine running several EPL queries with a subscriber and a main engine; output streams carrying suspected IPs back to each branch's gateway as a scanner list.)
56. Preventing stealthy scan through edge processing. (Figure: layered architecture with application level, collaboration level and internet level.)
61. Agilis consists of a distributed network of processing and storage elements hosted on a cluster of machines (possibly geographically dispersed).
65. Demo: done at the IBM Haifa Research Lab (2009). Setup: simple, homemade attacks with artificial traces; simple stealthy scan detection algorithm; 8 Linux machines on a LAN, each with 2GB of RAM and 20GB of disk space; one machine hosting all the management processes (JT, XS Catalogue); each of the remaining 7 hosts modeled a single SR participant (DMZ web server under attack; TT and XS data server). Scenarios: a single intruding host generated a series of TCP/SYN requests targeting a fixed set of 300 unique ports on each of the 7 attacked servers; requests injected at a constant rate of 10, 20, and 30 req/server/sec; ratio of attack to legitimate traffic 1:5; blacklisting threshold: 20,000 requests and 1000 unique ports; processing window: 4 minutes. Results: no overload; detection latency 700 sec, 430 sec, 330 sec respectively.
66. Demo: work we are doing in our lab (2010). The video shows a semantic room implemented in Agilis, using Nmap for producing the attack.
67. Real TCP dumps. Joint work with Giorgia Lodi and Leonardo Aniello.