Name-anomaly detection in ICN · 2017-05-17 · Name-anomaly detection in ICN, information-leakage...
TRANSCRIPT
Name-Anomaly Detection in ICN: Information Leakage in NDN
Daishi Kondo 1,2, Thomas Silverston 3, Hideki Tode 4, Tohru Asami 5 and Olivier Perrin 1,2
1 Université de Lorraine, LORIA (CNRS UMR 7503); 2 Inria Nancy – Grand Est
3 National Institute of Information and Communications Technology; 4 Graduate School of Engineering, Osaka Prefecture University
5 Graduate School of Information Science & Technology, University of Tokyo
3rd FRA-JPN meeting, April 24-26 2017, Tokyo
Information leakage
• One of the main security threats in the Internet
– IT Security Risks Survey 2014: A Business Approach to Managing, http://media.kaspersky.com/en/IT_Security_Risks_Survey_2014_Global_report.pdf
• Cyber espionage
– Targeted attacks (malware, website, external memory device)
• Examples: Sony, Target
– $100M upgrading systems
– 46% drop in benefits
[Understanding Targeted Attacks: The Impact of Targeted Attacks]
Targeted Attacks
Source: IT Security Center, IPA (IT Promotion Agency), http://www.ipa.go.jp/security/english/newattack_en.html
• Infects PC via emails
• Probes network
• Steals information
Countermeasures: train employees? Human errors
Information-Centric Networking
• Internet is mostly used to access content
– Video: 80% of global consumer traffic by 2019 [Cisco VNI 2015]
– TCP/IP: host-to-host communication paradigm
• Users are interested in content, not location
• Information-Centric Networking
– Named-Data Networking (NDN) [CoNext 2009]
– Host-to-content communication
• Packet address refers to content name and not location (host)
• New "network layer" for the Future Internet
– Data at the core of the communication
Figure: 67% of Internet traffic was video traffic in 2014; video traffic will account for 80% of Internet traffic
NDN Overview
• Packet address refers to content name, not location
– Named-Data Networking
• Two primitives
– Interest: a user requests content by issuing an Interest message
– Data: a node having the content answers with a Data message
• In-network caching
• Data at the core of the communication
• New "network layer" for content delivery
Overview of Named-Data Networking (NDN)
Figure: forwarding example with Publisher, User1, User2, RouterA and RouterB; each router holds a FIB, a PIT and a Content Store; steps 1-8 follow User1's Interest for /doctor/index.htm towards the publisher and the Data on its way back. Table states shown in the figure:

RouterA after receiving the Interest
  FIB: /doctor -> RouterB; /doctor/obj -> RouterC
  PIT: /doctor/index.htm, coming from User1
  Cached copies in CS: --
RouterA after receiving the Data
  FIB: /doctor -> RouterB; /doctor/obj -> RouterC
  PIT: --
  Cached copies in CS: /doctor/index.htm
RouterB after receiving the Interest
  FIB: /doctor -> RouterB; /doctor/obj -> RouterC
  PIT: /doctor/index.htm, coming from RouterA
  Cached copies in CS: --
RouterB after receiving the Data
  FIB: /doctor -> RouterB; /doctor/obj -> RouterC
  PIT: --
  Cached copies in CS: /doctor/index.htm

NDN/CCN packets
  Interest: request for content
  Data/Content Object: data to user
NDN/CCN components
  FIB: Forwarding Information Base
  PIT: Pending Interest Table
  CS: Content Store
[2] http://www.doctor-project.org/outcome/deliverable/DOCTOR-D1.1.pdf
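The forwarding walkthrough above as runnable code. This is an added example, not code from the slides or the DOCTOR project: a minimal NDN forwarder with the three tables (FIB, PIT, CS) and a walkthrough() that replays the slide's scenario with User1, RouterA and RouterB. The Router class, the face names and the Data payload are constructed for illustration; the FIB entries are the ones in the slide's tables.

```python
from collections import defaultdict

class Router:
    """Minimal NDN forwarder: FIB (prefix -> next hop), PIT, Content Store."""
    def __init__(self, name, fib):
        self.name, self.fib = name, dict(fib)
        self.pit = defaultdict(list)   # content name -> faces waiting for it
        self.cs = {}                   # content name -> cached Data
        self.sent = []                 # (kind, name, face) log of emitted packets

    def next_hop(self, name):
        # Longest-prefix match in the FIB: '/doctor/obj' beats '/doctor'.
        hits = [p for p in self.fib if name == p or name.startswith(p.rstrip('/') + '/')]
        return self.fib[max(hits, key=len)] if hits else None

    def on_interest(self, name, in_face):
        if name in self.cs:                       # CS hit: answer from cache
            self.sent.append(('Data', name, in_face))
            return 'cs-hit'
        if name in self.pit:                      # already pending: aggregate
            self.pit[name].append(in_face)
            return 'pit-aggregated'
        hop = self.next_hop(name)
        if hop is None:
            return 'no-route'
        self.pit[name].append(in_face)            # remember the reverse path
        self.sent.append(('Interest', name, hop))
        return 'forwarded'

    def on_data(self, name, payload):
        # Data only travels back along PIT entries; without a matching pending
        # Interest it is dropped, which is why Data cannot be pushed out unasked.
        faces = self.pit.pop(name, None)
        if faces is None:
            return 'dropped-unsolicited'
        self.cs[name] = payload                   # in-network caching
        for face in faces:
            self.sent.append(('Data', name, face))
        return 'satisfied'

def walkthrough():
    """Replay the slide: User1 asks RouterA for /doctor/index.htm via RouterB."""
    fib = {'/doctor': 'RouterB', '/doctor/obj': 'RouterC'}   # FIB table from the slide
    a, b = Router('RouterA', fib), Router('RouterB', fib)
    a.on_interest('/doctor/index.htm', 'User1')               # Interest, steps 1-2
    b.on_interest('/doctor/index.htm', 'RouterA')             # Interest, steps 3-4
    b.on_data('/doctor/index.htm', b'<html>...')              # constructed Data payload
    a.on_data('/doctor/index.htm', b'<html>...')              # Data back to User1
    return a, b
```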
Overview of Named-Data Networking (NDN), continued
ICN messages
  Interest: request for a content
  Data: Data message to user
Two kinds of packets that can leak information
ICN components
  FIB: Forwarding Information Base
  PIT: Pending Interest Table
  CS: Content Store
Source: http://www.doctor-project.org/outcome/deliverable/DOCTOR-D1.1.pdf
Information leakage with Data packets
Figure: an Enterprise Network connected to the Internet through a Firewall, with a Gatekeeper (Network Administrator) at the boundary; inside are a Normal Agent, Employee A, Malware and the contents Comp1/Pub/Info1 and Comp1/Priv/Info1; an Attacker is outside.
Rules to publish content
1) Gatekeeper has a white list of public contents
2) Every new content is checked by the gatekeeper to register it into the white list
3) No content can be accessed unless it is listed in the white list
Gatekeeper can prevent information leakage through Data packets (reply messages)
§ Data packet includes
  Ø Data, content name, etc.
§ Characteristic of Data packet
  Ø A Data packet cannot be sent if it is not a reply to an Interest packet
Information leakage through Data packets
Only Interest packets can leak information from the network
Information leakage with Interest
Figure: Enterprise Network and Outside Network separated by a Firewall; a Bot and Malware inside, a C&C Server outside; arrows labelled Interest Packet, Data Packet and Interest/Data Packet.
Preparation for attack
1. C&C server (controls malware via bots)
2. Bot
3. Malware
Interest names can be used to leak information through targeted attacks (request messages)
Summary: information leakage through NDN packets
• Interest/Data packets are "Request/Reply"
– Content name, etc.
• Data packets can be filtered out by the admin.
– White/black lists of (un)authorized content names
• Customer list, banking info, etc.
• Interest packets are sent out of the network to external publishers as requests ("free" names)
– Malware can use Interests to leak information through targeted attacks (steganography-embedded)
Risk Analysis of Information Leakage through Interest Packets in NDN
• Performing information leakage with names in NDN Interest packets
• Prevent information leakage in NDN (Interest)
– Major threat in the Internet
– Named-Data Networking: architecture for the Future Internet
• Proposal
– Interest (packet) filtering based on anomalous names
• Firewall
• Methodology
– Study names in the Internet with URLs
• Assumption
– NDN names will be based on URLs
• Easy to translate current URL names into NDN names
Attack Model and Countermeasure
§ Attack model
  Ø Malware builds anomalous names to leak information
  Ø Steganography-embedded
§ Countermeasures
  1. Name-based filter using name statistics
  2. Name-based filter using one-class SVM
§ Assumption
  § NDN names will be an extension of URLs in the current Internet
URLs Dataset
• Web crawling of 7 main organizations
– Amazon, Ask, Stackoverflow, BBC, CNN, Google, Yahoo
• 1 million URLs for each organization
URL structure: /(Organization)/(Directory 1)/…/(Directory n)/(File)?(Query)#(Fragment)
  <net_loc>, <path> (Directory Part, File Part), <query>, <fragment>
URL parameters (RFC 1808)
  Length of <PATH>          Number of '/' in <path>
  Length of <QUERY>         Similarity of characters in <PATH>
  Length of <FRAGMENT>      Similarity of characters in <QUERY>
  Length of Directory       Similarity of characters in <FRAGMENT>
  Length of File
Character Frequencies in URLs
Figure (19/5/16): character frequency plots for URLs <PATH>, URLs <QUERY> and URLs <FRAGMENT>
URLs Statistics (values as extracted; columns <PATH>, <QUERY>, <FRAGMENT>)
  100   162   23
  21    57    5
  0.95  0.95  0.95
Legitimate names: 95th percentile
URLs Statistics
§ URL attributes and computed percentiles
§ Similarity of averaged frequencies of alphabet letters in Path and Query compared to typical English text [6]
  Ø High similarity with typical English text => using WordNet [7] for steganography
[6] Frequency analysis, https://en.wikipedia.org/wiki/Frequency_analysis
[7] G. A. Miller, "WordNet: A Lexical Database for English," Commun. ACM, vol. 38, no. 11, pp. 39–41, Nov. 1995.
URLs Similarity
Figure: legitimate names exceed the average similarity
Name Filtering Heuristics
§ Filter based on measured URL parameters
  § Length (Path, Query, Fragment, Directory, File), number of '/'
  § 95th percentile
  § 33% anomalous URLs (67% are legitimate names)
§ Filter with similarity measure
  § Previous filter, extended
  § Character frequencies w.r.t. average frequencies in the URLs dataset (Path, Query, Fragment)
  § 15% anomalous URLs (85% legitimate names)
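The two filtering heuristics of this slide as an added example (not the authors' implementation): the RFC 1808 length attributes with 95th-percentile limits learned from a legitimate set, extended with the character-frequency check against the average frequencies of that set. The LEGITIMATE list is a constructed stand-in for the crawled dataset, and the cosine measure with a 5th-percentile similarity floor is an assumption, since the slides do not name the similarity measure or its threshold.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

def features(url):
    """Length attributes from the slides: path, '/' count, query, fragment, directory, file."""
    p = urlsplit(url)
    directory, _, file = p.path.rpartition('/')
    return {'path_len': len(p.path), 'slashes': p.path.count('/'),
            'query_len': len(p.query), 'frag_len': len(p.fragment),
            'dir_len': len(directory), 'file_len': len(file)}

def letter_counts(url):
    p = urlsplit(url)   # only path, query and fragment are examined, as on the slides
    return Counter(c for c in (p.path + p.query + p.fragment).lower() if c.isalpha())

def cosine(a, b):
    # Cosine similarity of two letter-count vectors (assumed measure, scale invariant).
    dot = sum(a[k] * b[k] for k in a)
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def percentile(values, q):
    s = sorted(values)
    return s[max(0, min(len(s) - 1, math.ceil(q * len(s)) - 1))]

class NameFilter:
    """Name-based filter: 95th-percentile length limits plus a similarity floor."""
    def __init__(self, legitimate):
        feats = [features(u) for u in legitimate]
        self.limits = {k: percentile([f[k] for f in feats], 0.95) for k in feats[0]}
        self.reference = sum((letter_counts(u) for u in legitimate), Counter())
        sims = [cosine(letter_counts(u), self.reference) for u in legitimate]
        self.min_similarity = percentile(sims, 0.05)   # assumed floor: 5th percentile

    def is_anomalous(self, url):
        """Return why a name is rejected ('length:<attr>' or 'similarity'), or None."""
        f = features(url)
        for attr, value in f.items():
            if value > self.limits[attr]:
                return 'length:' + attr
        if cosine(letter_counts(url), self.reference) < self.min_similarity:
            return 'similarity'
        return None

# Constructed legitimate names standing in for the crawled URL dataset.
LEGITIMATE = [
    'http://www.example.com/news/world/story.html', 'http://www.example.com/search?q=weather+tokyo',
    'http://www.example.com/questions/tagged/python', 'http://www.example.com/about/contact',
    'http://www.example.com/products/books/index.html#reviews', 'http://www.example.com/sports/football/results',
    'http://www.example.com/help/account/settings?tab=privacy', 'http://www.example.com/video/technology/interview.html']
```

With only eight training names the limits are the maxima of that set; on a real crawl the 95th percentile leaves the slack the slides quote (33% and 15% of URLs flagged).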
Attacker
§ Leaked data
  Ø 3.4 MB Zip file compressing 3 PDF files from the latest ITU-T recommendations [9]
§ Threshold for each attribute in anomalous
§ Dictionary coding with 65,536 dictionary words from WordNet [7]
  Ø Table with each dictionary word and 4 hexadecimal digits for each word (one word is equal to 2 bytes)
[9] ITU-T, http://www.itu.int/en/ITU-T/publications/Pages/latest.aspx
Flow to create anomalous names with dictionary coding (i.e., steganography) in the "com" domain
TLDs: com, net, org, info, jp, fr, uk
Attacker exploits one-class SVM to extract legitimate URLs
E.g., ndn://attacker.com/info-leak/apple
      ndn://attacker.com/info-leak/apple?
      ndn://attacker.com/info-leak/apple?key1=banana
      ndn://attacker.com/info-leak/apple?key1=banana
      ndn://attacker.com/info-leak/……
Name-Based Filter Using One-Class SVM
§ One-class SVM [4] is an unsupervised method to perform anomaly detection
  Ø Adapted if not many samples
§ Regarding the NDN architecture, there is currently no anomalous traffic nor names available
  Ø Extracting URL properties as characteristics of legitimate names and applying them to a one-class SVM filter
[4] B. Schölkopf, et al., "Estimating the Support of a High-Dimensional Distribution," Neural Comput., vol. 13, no. 7, pp. 1443–1471, Jul. 2001.
Figure: the filter using one-class SVM inspects the names dropped by the filter using search-engine information
Performance Evaluation
§ Performance metric
  Ø Per-packet throughput of information leakage (bytes/Interest packet)
§ Each TLD dataset is separated into two sets to create the name-based filter using one-class SVM
  Ø Training set for each TLD: 800,000 URLs
  Ø Testing set for each TLD: 200,000 URLs
§ Assumption
  Ø Defender knows the attack method (i.e., steganography-embedded Interest packets) but not its parameters
  Ø Attacker knows the countermeasure but not its parameters
  Ø This case is of benefit to the attacker
Performance Evaluation
By using the filter, malware has to send 264 times (2.06 KB / 7.79 B) more Interest packets to the attacker than without the filter
• Without SVM filter
– Attacker builds names and leaks information (steganography)
– 2.06 Kbytes/Interest packet
• With SVM filter (tuned parameters)
– 7.79 bytes/Interest packet
Project ANR Doctor (2014-2017), http://www.doctor-project.org/
• Deployment of new network functions and protocols (e.g. NDN) in a virtualized networking environment (e.g. NFV)
– Monitoring, managing and securing (using SDN for reconfiguration)
• Partners: Orange, Thales, Montimage, UTT, LORIA/CNRS (900k€)
Conclusion
• Information leakage is a main Internet security threat
– Targeted attacks
• NDN as Future Internet architecture
– Prevent leaking information from names (Interest packets)
• Steganography-embedded attacks in names
• NDN names filtering heuristics
– Based on URL statistics
– Up to 15% of anomalous URLs
– Firewall for NDN
• SVM-based filtering heuristics
– Choke the throughput of information leakage
– Up to 264 times more Interest packets to leak the same amount of information
• Designing a naming scheme for Named-Data Networking (NDN)
– Privacy in NDN