Cyber-TA: Secure Collaborative Threat Reconnaissance
Cyber-Threat Analytics Introduction
Phillip Porras, Computer Science Laboratory, SRI International (www.cyber-ta.org)
ARO Kickoff Meeting, 28 September 2006


Slide 1: Introduction

Cyber-Threat Analytics Introduction
Phillip Porras - [email protected]
Computer Science Laboratory, SRI International
www.cyber-ta.org
28 September 2006

Slide 2: Cyber-TA Overview

Collaborative Wide-Area (National-scale) Threat Detection and Mitigation

Problem Space:
• Develop efficient "RICH" security content sharing infrastructures
• Advance the state of the art on collaborative large-scale detection and mitigation schemes
• New threat dissemination/mitigation schemes to characterize emerging attack patterns - actionable results

AND
• Protect the security postures (user privacy, policies, topologies, defenses, vulnerabilities) of the data contributor
• Minimize (remove) the reliance on trust among contributors and repositories

[Diagram: Research - (Large-scale) Malware Researchers, (Large-scale) Data Privacy Researchers; Operations]

Slide 3: Grand Challenges

• How to achieve an IA Common Operating Picture with mutually suspicious organizations, e.g., IC members, coalition partners, other law enforcement
• How to construct national-scale real-time correlation / alert forensic systems that scale to millions of events per day
• How to achieve privacy-preserving IA data sharing (protocols, repositories, registration, analyses) with "minimal trust"
• How to quantify the impact of our proposed privacy-preserving countermeasures on the adversary work factor

Slide 4: 2006 Consortium Members

Data Privacy Group
– Prof. Vitaly Shmatikov, University of Texas at Austin
– Roger Dingledine, Moria Laboratory
– Prof. Joan Feigenbaum, Yale University

Encrypted Computation Group
– Brent Waters, SRI
– Prof. Dan Boneh, Stanford University
– Prof. Amit Sahai, University of California at Los Angeles

Active and Passive Malware Analysis and Mitigation
– Prof. Paul Barford, University of Wisconsin
– Prof. Karl Levitt, University of California at Davis
– Prof. Wenke Lee, Georgia Institute of Technology
– Prof. Peng Ning, North Carolina State University
– Prof. Dawn Song, Carnegie Mellon University
– Phil Porras / Al Valdes / Vinod Yegneswaran / Jian Zhang / Steven Cheung / Linda Briesemeister, SRI

Threat Ops Center and Commercial Transition
– Marcus Sachs, SRI International
– Ray Granvold, Promia Incorporated
– Livio Ricciulli, Force-10 Networks Inc.
– Johannes Ullrich, SANS Institute

Slide 5: Today's Agenda

[Diagram: Cyber-TA Plans for 2006 - Data Privacy, Threat Detection, Threat Mitigation, Threat Ops Center, Apps/Products]

 9:00 -  9:40am  Cliff Wang (ARO) / Phil Porras (SRI International) - Opening Remarks, Introductions, Project Overview
 9:40 - 10:05am  Vitaly Shmatikov (University of Texas) - Data and Traffic Privacy
10:05 - 10:30am  Brent Waters (SRI International) - Privacy-Preserving Encrypted-Data Analysis
10:30 - 10:45am  Break
10:45 - 11:10am  Vinod Yegneswaran (SRI International) - Active Monitoring Systems
11:10 - 11:35am  Phil Porras (SRI International) - Massive and Distributed Data Correlation
11:35 - 12:00pm  Wenke Lee (Georgia Tech) - Collaborative Mitigation Techniques
12:00 -  1:00pm  Lunch
 1:00 -  1:25pm  Marc Sachs (SRI International) - Threat Operations Center and Demonstration Capabilities
 1:25 -  1:50pm  Livio Ricciulli (Force-10 Networks) - Ultra-High-Volume Infrastructure Protection
 1:50 -  2:15pm  Ray Granvold (Promia Inc.) - Experiences in DoD NOC Security Management
 2:15 -  2:30pm  Closing Remarks

Slide 6: 2005 Prototype Release

Design and field a security log repository and data collection infrastructure that
– allows mutually suspicious coalition partners to securely participate in alert sharing communities
– prevents leakage of contributor vulnerabilities and security posture while reporting detailed security log content
– provides extensive contributor control over anonymity services
  • resistant to "insider" repository browsing
  • resistant to traffic-based fingerprinting (to a degree!)
  • resistant to active data fingerprinting threats
– supports scalable data analysis for 1000's of contributors, in the presence of anonymized content

Examine collaborative malware defense strategies

Slide 7: CTA Infrastructure - Release Notes

1st reference implementation and deployment of a Privacy-Preserving Threat Recon Infrastructure w/ data analysis services
– User-controllable anonymization of IDS/firewall logs, aggregator, TLS over onion routing daemon, large-scale data repository center, web-based data portal/query/analysis of anonymized logs
– Primary objectives of release:
  • Red team data production and adversary models
  • Provide datasets for web portal and data analysis purposes
  • Examine network link, including TOR, reliability and bandwidth issues
  • Rapid-prototype platform to build distributed correlation systems
– Initial release targets: SRI Menlo Campus, Rosslyn Corporate Office, UC Davis Computer Science Lab, SANS Institute Bethesda, MD

Slide 8: CTA System Diagram

[Diagram] Contributor side - CTA_Anonymizer v0.9, fed by the INFOSEC Log of Sensor Z:
  – GP ASCII Log Parser (configured by an XML SPEC: Log Parsing Rules)
  – Anonymizer Service (Field Anonymization Policy)
  – Alert Aggregator (Aggregation Policy)
  – Meta-data Extractor Plugin (User meta-data Plugin policies)
  – MIXNET Deliver Daemon

Transport across the Internet - Encrypted Anonymous Log Delivery Protocol: TLS Session over TOR Circuit over TCP/IP at both ends, with a Delivery Ack returned to the contributor.

Repository side:
  – Cyber-TA RDBMS Manager
  – 1-30-day Summary Table Generator
  – Web Portal Query, Data Analyzer at www.cyber-ta.org (cyberta.dshield.org)
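The contributor-side stages of the diagram (log parser, field anonymization policy, aggregator) as an added, self-contained illustration; this is not CTA code, and the log lines, parsing rule, policy, address ranges and key are all constructed. It uses a keyed HMAC pseudonym in place of a prefix-preserving scheme such as PPFix, so the repository (or an insider browsing it) cannot rebuild the address mapping by hashing guessed addresses without the contributor's key.

```python
import hashlib, hmac, re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample input: three iptables-style lines from a hypothetical contributor sensor.
RAW_LOG = """\
Sep 28 09:12:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.1.2.3 PROTO=TCP DPT=445
Sep 28 09:12:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.1.2.3 PROTO=TCP DPT=445
Sep 28 09:12:05 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.1.2.44 PROTO=TCP DPT=22
"""
# Log parsing rule (stand-in for the XML spec): one regex naming the fields to extract.
RULE = re.compile(r"(?P<host>\S+) kernel: (?P<action>\w+) .*SRC=(?P<src>\S+) "
                  r"DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)")
# Contributor's own address space (constructed); anything inside it reveals topology.
INTERNAL = [ip_network("10.0.0.0/8")]
# Field anonymization policy: "drop" never leaves the site; "pseudonym" is a keyed HMAC;
# "pass_if_external" keeps attacker-side addresses but pseudonymizes internal ones.
POLICY = {"host": "drop", "dst": "pseudonym", "src": "pass_if_external"}
SAMPLE_KEY = b"constructed-contributor-secret"   # per-contributor key, never shared

def anonymize_field(name, value, key):
    mode = POLICY.get(name, "pass")
    if mode == "drop":
        return None
    if mode == "pass_if_external" and any(ip_address(value) in n for n in INTERNAL):
        mode = "pseudonym"
    if mode == "pseudonym":
        return "anon:" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
    return value

def anonymize_record(rec, key):
    out = {}
    for name, value in rec.items():
        masked = anonymize_field(name, value, key)
        if masked is not None:
            out[name] = masked
    return out

def parse_and_aggregate(raw, key):
    """Parser -> anonymizer -> aggregator. Aggregation policy: records identical after
    anonymization collapse into one record carrying a count, so repeated probes ship once."""
    counts = Counter()
    for line in raw.splitlines():
        m = RULE.search(line)
        if m:
            rec = anonymize_record(m.groupdict(), key)
            counts[tuple(sorted(rec.items()))] += 1
    return [dict(fields, count=n) for fields, n in counts.items()]
```

Because the pseudonym is deterministic under one key, the repository can still correlate events against the same internal host across records, which is what the summary tables need.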


Slide 9: Adversary Models - What's in and out of scope?

IN SCOPE
• Direct contributor linkage from repository
• Network traffic analysis agents

OUT OF SCOPE
• Active fingerprinting threats
  – PPFIX dictionary attacks
  – Multi-event pattern analysis
  – Rare-rule stimulation
• Two-sided traffic analysis
  – Traffic-based timing attacks
  – Long-lived connection statistical analyses

[Diagram: contributing organizations Org 2 ... Org N; adversaries shown: Repository Insider, Active Fingerprinter, Timing Attacks, Traffic Eavesdropper]

Slide 10: Internet Portal and Analysis

CTA_Repository - Inventory View
– provides a concise summary of entire REP content
– provides quick assessment of recent REP dataflow volume/stats/trends (e.g., 1 day, 7 day, 30 day...)
– size of DB, # of Author_IDs (unique contributors), sensor types, event types, IP/port trends, data insertion rates, unique addrs (src/dst), (raw event count vs aggregated count)

http://www.cyber-ta.org Web portal password - available upon request

Slide 11: Internet Portal and Analysis

Rates/Trends Graphs – user-controlled graph construction: Event_ID, Signature Category, PPFix SRC, Contributor, Ports, etc.

Statistical Summaries: table-based, capturing EventIDs, Port-policy, PPFix Addrs

Slide 12: Web Portal - Where to get info / access?

www.cyber-ta.org
• Today's slides
• General project info
• Publications
• Software releases
• Live Internet monitoring
• Data set / resources
• Project news
• Consortium partner info
• Contributor registration