tracing iot devices for anomaly detection purposes©sentation... · mirai telnet -> upload file...

Tracing IoT devices for anomaly

detection purposes

Robin Gassais

December 7, 2017

École Polytechnique de Montréal

DORSAL lab

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Agenda

Context

IoT – Smart Home

Approach

Tracing multiple systems

Analyzing multiple traces

Use-case

Mirai botnet

Future Work

Context Approach Use-case Future work

2

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Context

Context Approach Use-case Future workheterogeneous

3

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Context

Embedded Linux based systems

Limited resources

20 billions of smart devices in 2020

Heterogeneous market

Context Approach Use-case Future workheterogeneous

3

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Approach

ARM virtual machine

Central device to collect and analyse

the traces

Safe communication : SSH

Context Approach Use-case Future workheterogeneous

Tracing multiple systems

4

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Approach

Context Approach Use-case Future workheterogeneous

Tracing multiple systems

Virtual Bridge - Qemu

Lttng - relayd Lttng - sessiond Lttng - sessiond

5

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Approach

Context Approach Use-case Future workheterogeneous

Tracing multiple systems

5

SNAPSHOT

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Approach

What to monitor?

How to monitor anomalies?

Context Approach Use-case Future workheterogeneous

Analyzing multiple traces

?6

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Approach

Context Approach Use-case Future workheterogeneous

Analyzing multiple traces

Source : Slideshare - Security Monitoring with eBPF - Alex Maestretti, Brandan Gregg

7

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Approach

What to monitor?

How to monitor anomalies?

Context Approach Use-case Future workheterogeneous

Analyzing multiple traces

8

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Use-case

Biggest DDoS attack ever seen : 3 Tbps, 500 000 devices

IP surveillance camera, video recorder, router

Twitter, Ebay, Netflix, Github, Paypal down via Dyn DNS

Context Approach Use-case Future workheterogeneous

What’s Mirai?

9

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Use-case

Context Approach Use-case Future workheterogeneous

What’s Mirai?

Internet

ownHACKER C&C

Victim’s server

infect obey

connect

connect

10

attack

order

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Use-case

Context Approach Use-case Future workheterogeneous

What’s Mirai?

Internet

HACKER C&C

Victim’s server

connect

connect

connect

11

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Use-case

Context Approach Use-case Future workheterogeneous

Experiment

C&C

Network monitoring

Debian Jessie

192.168.1.186

Router

DNS

Ubiquity nanostation M2

| OpenWRT

Rpi2

Vulnerable device

Yocto | Busybox |

Telnetd

192.168.1.226

Lttng - relayd Lttng - deamon

12

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Use-case

Context Approach Use-case Future workheterogeneous

Results

13

Mirai

Telnet -> upload file -> chmod on it : 14,9 s

Using all the kernel tracepoints – live mode

Now

Chmod on a new created directory: 1,33 s

execve, faccessat, chmod – snapshot mode (send 1s)

Chmod on a new created directory: 0,98 s

faccessat, chmod – snapshot mode (send 0,7s)

No Network, not physical devices

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Use-case

METTRE RESULTATS

Context Approach Use-case Future workheterogeneous

Results

14

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Future work

Detection rules? Machine learning?

Physical objects

Tradeoff between snapshot frequency,

nomber of tracepoints to monitor and

performance of the device

Context Approach Use-case Future workheterogeneous

15

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Context Approach Use-case Future work

Thank you!

Questions? Suggestions? Solutions?

robin.gassais@polymtl.ca

16