AGILIS: an on-line map reduce environment for collaborative security
MIDLAB, Middleware Laboratory, Sapienza Università di Roma, Dipartimento di Informatica e Sistemistica
Roberto Baldoni, Università degli Studi di Roma “La Sapienza”
baldoni@dis.uniroma1.it, http://www.dis.uniroma1.it/~baldoni/
Prin Meeting - San Vito di Cadore
Joint work with IBM Haifa in the context of the CoMiFin EU Project
14/2/2011

Focus and structure of the talk
- Requirements coming from the financial context
- Collaborative event processing for cyber security
- Edge vs. centralized event processing over the Internet: Agilis, Esper

The case of the Financial Critical Infrastructure

The case of Collaborative Cyber Security in the Financial Ecosystem
- "webification" of critical financial services, such as home banking, online trading, remote payments;
- Cross-domain interactions, spanning different organization boundaries, are in place in financial contexts;
- Heterogeneous infrastructure systems such as telecommunication supply, banking, and credit card companies working on heterogeneous data.

The case of Collaborative Cyber Security in the Financial Ecosystem
A payment card fraud (2008)
- 100 compromised payment cards used by a network of coordinated attackers retrieving cash from 130 different ATMs in 49 countries worldwide, totaling 9 million US dollars.
- High degree of coordination: executed in half an hour, evading all the local monitoring techniques used for detecting anomalies in payment card usage patterns.
- The fraud was detected only later, after aggregating all the information gathered locally by each financial institution involved in the payment card scam.

The case of Collaborative Cyber Security in the Financial Ecosystem
Distributed Denial of Service attack (2007, Northern Europe)
- Rendered web-based financial services unreachable for legitimate users.
- The DDoS attack targeted a credit card company and two DNS servers.
- Internet connectivity was restored only after several trial-and-error activities carried out manually by the network administrators of the attacked systems and of their Internet Service Providers (ISPs).
- Long preparation time (days), short attack time (seconds).

Economics of a DDoS
- Renders Internet-based financial services unreachable for legitimate users.
- Use of botnets (now rented with a credit card in a few minutes).
- Three examples of DDoS campaigns in cyberwarfare:
  - Estonia 2007
  - Georgia 2008
  - Iran (in progress!): the Stuxnet worm invaded Iran’s Supervisory Control and Data Acquisition systems
Source: McAfee report 2010, “In the Crossfire: Critical Infrastructures in the Age of Cyber War”

Economics of a DDoS
- Cost of downtime from major attacks exceeds U.S. $6 million per day
- Damage to reputation
- Loss of personal information about customers
- One out of five DDoS attacks is accompanied by extortion
Source: McAfee report 2010, “In the Crossfire: Critical Infrastructures in the Age of Cyber War”

The case of Collaborative Cyber Security in the Financial Ecosystem
Neither of the previous attacks can be detected quickly through the information available at the IT infrastructure of a single financial player (i.e., using local monitoring only).
Need for information sharing:
- Exchange non-sensitive status information
- Set up agreements
Advantages of a global monitoring system:
- Damage mitigation
- Quick reaction

Barriers to collaboration
- Understanding the economics
- Trust
- Legal issues
(Figure: financial and infrastructure players such as Lloyds, France Telecom, UBS, AT&T, SWIFT, Unicredit and EDF exchanging events and warnings over the Internet)

Collaborative event processing for cyber security: the CoMiFin Project
(Figure: three layers, Application level, Collaboration level, Internet level)

Collaborative Cyber Security Platform
- Monitoring and reaction to threats (MitM, stealthy scan, phishing, …)
- Black/white list distribution (for credit reputation, trust level, …)
- Anti-terrorism lists (with name check VAS)
- Anti money laundering monitoring
- Risk management support
Some requirements on the platform:
- Uneven workload over time
- High throughput
- High computational power
- Large storage capabilities
- Timeliness

The notion of semantic room
Contract
- The set of processing and data sharing services provided by the SR, along with the data protection, privacy, isolation, trust, security, dependability and performance requirements.
- The contract also contains the hardware and software requirements a member has to provision in order to be admitted into the SR.
Objective
- Each SR has a specific strategic objective to meet (e.g., large-scale stealthy scan detection, detecting Man-In-The-Middle attacks).
Deployment
- Highly flexible, to accommodate the use of different technologies for the implementation of the processing and sharing within the SR (i.e., the implementation of the SR logic or functionality).

The notion of semantic room: relationship with cloud computing
Private cloud
- Deployment of the semantic room through the federation of computing and storage capabilities at each member
- Each member brings a private cloud to federate

Third-party cloud
- Deployment of the semantic room on a third party cloud provider
- The third party owns all computing and storage capabilities

Data management problems in the semantic room
- Jurisdiction and regulation (where and how will data be governed?)
- Ownership of data (who owns the data in the semantic room?)
- Data portability
- Data anonymization
- Data retention/permanence (what happens to data over time?)
- Security and privacy (how is data secured and protected?)
- Reliability, liability and quality of service of the partners of the semantic room
- Government surveillance (how much data can the government get from a semantic room?)
- …

A specific collaborative platform: CoMiFin architecture
(Figure: CoMiFin architecture diagram; the contract is one of the labelled components)

Related work
- IBM System S [ICDCS 06]: high cost of ownership; centralized data management; no cooperative approach
- Cooperative Intrusion Detection Systems (e.g. DShield): correlation among local warnings; high cost of ownership; obscure data management

Preventing stealthy scans through centralized processing
(Figure: three layers, Application level, Collaboration level, Internet level)

Collaborative stealthy scan
- The attacker performs port scanning simultaneously at multiple sites, trying to identify TCP/UDP ports that have been left open. Those ports can then be used as attack vectors.
- Added value of collaboration: the ability to identify an attacker trying to conceal his/her activity by accessing only a small number of ports within each individual domain.
- Action taken: blacklist the IP addresses; update the historical records.

Collaborative stealthy scan detection
- Attack subjects: external web servers in the DMZs of the SR members
- Pattern: an “unusually” high number of requests
  - originating from a particular source IP address, and
  - directed to distinct (machine, port) pairs
- Action taken: matching source IPs are banned from future access to the external web servers
Defining the attack
- Use of common scanning tools (nmap)
- Use of real traces (e.g., ITOC US Army)

Collaborative stealthy scan detection: the Rank-Syn algorithm
- Analyze the sequence of SYN, ACK and RST packets in the three-way TCP handshake. Specifically, in normal activity the following sequence is observed: (i) SYN, (ii) SYN-ACK, (iii) ACK.
- In the presence of a SYN port scan, the connection looks like the following: (i) SYN, (ii) SYN-ACK, (iii) RST (or nothing).
- For a given IP address, if the number of incomplete connections is higher than a certain threshold T, we can conclude that the IP address is likely carrying out malicious port scanning activity.

Stealthy scan detection
Raw data: tcpdump
  10:53:14.647181 IP 9.148.30.136.pop3 > 9.148.17.85.madcap: R 0:0(0) ack 1 win 0
  10:53:14.653813 IP 9.148.17.85.sis-emt > 9.148.30.136.xfer: S 268426387:268426387(0) win 65535 <mss 1460,nop,nop,sackOK>
  10:53:14.653817 IP 9.148.30.136.xfer > 9.148.17.85.sis-emt: R 0:0(0) ack 268426388 win 0
Normalized data format:
  LogEvent: sourceIp, destIp, sourcePort, destPort, startTime, endTime, bytesSent, bytesReceived, returnStatus;
Online data summary
Historical data format:
  BlackList: list of IP addresses

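The Rank-Syn rule and the collaborative (machine, port) pattern from the previous slides, carried through as an added example that is not the project's own code: each SR member classifies its own three-way handshakes from tcpdump-style lines (the map step), and the semantic room merges per-source incomplete-connection counts and distinct targets across members (the reduce step). The capture lines, member addresses and the threshold T = 4 are constructed for the example.

```python
import re
from collections import defaultdict

# Old-style tcpdump line as on the raw-data slide; flag S = SYN, R = RST, "." = plain ACK,
# and an "ack" field after S marks the server's SYN-ACK.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(rf"^\S+ IP (?P<src>{IP})\.(?P<sport>[\w-]+) > (?P<dst>{IP})\.(?P<dport>[\w-]+): "
                     r"(?P<flag>[SR.]) (?P<rest>.*)$")

def handshake_outcomes(lines):
    """Map step inside one SR member: {(client, server, port): True if SYN->SYN-ACK->ACK completed}."""
    state = {}                                   # flow key -> "syn" | "synack" | "complete"
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                             # not a TCP line we understand
        src, sport, dst, dport, flag, rest = m.groups()
        if flag == "S" and "ack" not in rest:    # client SYN opens a flow
            state[(src, dst, dport)] = "syn"
        elif flag == "S" and state.get((dst, src, sport)) == "syn":
            state[(dst, src, sport)] = "synack"  # server SYN-ACK answers it
        elif flag == "." and state.get((src, dst, dport)) == "synack":
            state[(src, dst, dport)] = "complete"   # client ACK finishes the handshake
        # an R (RST) in either direction leaves the flow where it was, i.e. incomplete
    return {key: st == "complete" for key, st in state.items()}

def rank_syn(member_captures, threshold_t):
    """Reduce step in the semantic room: per source IP, count incomplete handshakes across all
    members and return {ip: (incomplete, distinct (machine, port) pairs)} for those above T."""
    incomplete, targets = defaultdict(int), defaultdict(set)
    for lines in member_captures:
        for (client, server, port), ok in handshake_outcomes(lines).items():
            if not ok:
                incomplete[client] += 1
                targets[client].add((server, port))
    return {ip: (n, len(targets[ip])) for ip, n in incomplete.items() if n > threshold_t}

def _probe(client, cport, server, sport, complete):
    """Constructed sample lines for one handshake (not a real capture)."""
    third = ". ack 501 win 65535" if complete else "R 101:101(0) win 0"
    return [f"10:53:14.000001 IP {client}.{cport} > {server}.{sport}: S 100:100(0) win 65535",
            f"10:53:14.000002 IP {server}.{sport} > {client}.{cport}: S 500:500(0) ack 101 win 5840",
            f"10:53:14.000003 IP {client}.{cport} > {server}.{sport}: {third}"]

# Constructed captures from three members' DMZ web servers: scanner 10.0.0.5 touches only
# two ports per domain (below any local threshold); 192.0.2.7 is an ordinary client.
MEMBER_CAPTURES = [_probe("10.0.0.5", 40000 + k, f"198.51.100.{k}", 80, False)
                   + _probe("10.0.0.5", 40010 + k, f"198.51.100.{k}", 8080, False)
                   + _probe("192.0.2.7", 50000 + k, f"198.51.100.{k}", 80, True)
                   for k in range(1, 4)]

if __name__ == "__main__":
    print("one member alone   :", rank_syn(MEMBER_CAPTURES[:1], threshold_t=4))  # {}
    print("whole semantic room:", rank_syn(MEMBER_CAPTURES, threshold_t=4))      # scanner listed
```

Run on a single member the scanner stays below T; only the merged view of the semantic room exposes it, which is the added value of collaboration the slides describe.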
Example of semantic room for stealthy scan: ingredients
(Figure: each branch 1..N runs a sniffer whose adapter turns captured packets into POJOs and sends them over an I/O socket to the gateway of the main engine; the Esper CEP engine evaluates the EPL queries over the input streams, and a subscriber returns the output streams of suspected IPs to the branches' scanner lists)

Example of semantic room for stealthy scan: ingredients (figure only)

Testbed: latency measurement
(Figure: two semantic rooms, Man-In-The-Middle attack)

Preventing stealthy scans through edge processing
(Figure: three layers, Application level, Collaboration level, Internet level)

Example of semantic room for stealthy scan: ingredients
- WebSphere eXtreme Scale (WXS): in-memory distributed storage
- High-level language for processing logic: Jaql (SQL-like, supports flows)
- Distributed file system for long-term storage: HDFS
- Agilis consists of a distributed network of processing and storage elements hosted on a cluster of machines (also geographically dispersed)

Data dissemination: Agilis
(Figure: Agilis architecture. A Jaql query enters through the gateway and the Jaql interpreter; Hadoop Map-Reduce, with its Job Tracker and TaskTrackers, runs it with re-defined InputFormat and OutputFormat classes; the Jaql adapter reaches the storage containers of the distributed in-memory store (WXS, with Cat 1 and Cat 2) through the WXS adapter and the distributed file system (HDFS) through the HDFS adapter)

Example of semantic room for stealthy scan: architecture (figure only)

Collaborative stealthy scan detection with Agilis: detection of a stealthy scan (figure only)

Demo: done at the IBM Haifa Research Lab (2009)
- Simple and homemade attacks, artificial traces
- Simple stealthy scan detection algorithm
- 8 Linux machines on a LAN, each with 2GB of RAM and 20GB of disk space
  - One machine hosted all the management processes (JT, XS Catalogue)
  - Each of the remaining 7 hosts modeled a single SR participant: a DMZ web server under attack, plus TT and XS data server
Scenarios:
- A single intruding host generated a series of TCP/SYN requests targeting a fixed set of 300 unique ports on each of the 7 attacked servers
- Requests injected at a constant rate of 10, 20, and 30 req/server/sec
- Ratio of attack to legitimate traffic 1:5
- Blacklisting threshold: 20,000 requests and 1000 unique ports
- Processing window: 4 minutes
Results:
- No overload
- Detection latency 700 sec, 430 sec, 330 sec (for the three injection rates)

Demo: work we are doing in our lab (2010)
The video shows a semantic room implemented in Agilis using:
- Nmap for producing the attack
- Real TCP dumps
Joint work with Giorgia Lodi and Leonardo Aniello

Testbed: latency measurement
(Figure: two semantic rooms, Man-In-The-Middle attack)