Upload File

tracing iot devices for anomaly detection purposes©sentation... · mirai telnet -> upload file...

  • Home
  • Documents
  • Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on
18
Tracing IoT devices for anomaly detection purposes Robin Gassais December 7, 2017 École Polytechnique de Montréal DORSAL lab

Upload: others

Post on 26-Dec-2019

6 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

Tracing IoT devices for anomaly

detection purposes

Robin Gassais

December 7, 2017

École Polytechnique de Montréal

DORSAL lab

Page 2: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Agenda

Context

IoT – Smart Home

Approach

Tracing multiple systems

Analyzing multiple traces

Use-case

Mirai botnet

Future Work

Context Approach Use-case Future work

2

Page 3: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Context

Context Approach Use-case Future workheterogeneous

3

Page 4: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Context

Embedded Linux based systems

Limited resources

20 billions of smart devices in 2020

Heterogeneous market

Context Approach Use-case Future workheterogeneous

3

Page 5: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Approach

ARM virtual machine

Central device to collect and analyse

the traces

Safe communication : SSH

Context Approach Use-case Future workheterogeneous

Tracing multiple systems

4

Page 6: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Approach

Context Approach Use-case Future workheterogeneous

Tracing multiple systems

Virtual Bridge - Qemu

Lttng - relayd Lttng - sessiond Lttng - sessiond

5

Page 7: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Approach

Context Approach Use-case Future workheterogeneous

Tracing multiple systems

5

SNAPSHOT

Page 8: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Approach

What to monitor?

How to monitor anomalies?

Context Approach Use-case Future workheterogeneous

Analyzing multiple traces

?6

Page 9: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Approach

Context Approach Use-case Future workheterogeneous

Analyzing multiple traces

Source : Slideshare - Security Monitoring with eBPF - Alex Maestretti, Brandan Gregg

7

Page 10: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Approach

What to monitor?

How to monitor anomalies?

Context Approach Use-case Future workheterogeneous

Analyzing multiple traces

8

Page 11: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Use-case

Biggest DDoS attack ever seen : 3 Tbps, 500 000 devices

IP surveillance camera, video recorder, router

Twitter, Ebay, Netflix, Github, Paypal down via Dyn DNS

Context Approach Use-case Future workheterogeneous

What’s Mirai?

9

Page 12: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Use-case

Context Approach Use-case Future workheterogeneous

What’s Mirai?

Internet

ownHACKER C&C

Victim’s server

infect obey

connect

connect

10

Page 13: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

attack

order

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Use-case

Context Approach Use-case Future workheterogeneous

What’s Mirai?

Internet

HACKER C&C

Victim’s server

connect

connect

connect

11

Page 14: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Use-case

Context Approach Use-case Future workheterogeneous

Experiment

C&C

Network monitoring

Debian Jessie

192.168.1.186

Router

DNS

Ubiquity nanostation M2

| OpenWRT

Rpi2

Vulnerable device

Yocto | Busybox |

Telnetd

192.168.1.226

Lttng - relayd Lttng - deamon

12

Page 15: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Use-case

Context Approach Use-case Future workheterogeneous

Results

13

Mirai

Telnet -> upload file -> chmod on it : 14,9 s

Using all the kernel tracepoints – live mode

Now

Chmod on a new created directory: 1,33 s

execve, faccessat, chmod – snapshot mode (send 1s)

Chmod on a new created directory: 0,98 s

faccessat, chmod – snapshot mode (send 0,7s)

No Network, not physical devices

Page 16: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Use-case

METTRE RESULTATS

Context Approach Use-case Future workheterogeneous

Results

14

Page 17: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Future work

Detection rules? Machine learning?

Physical objects

Tradeoff between snapshot frequency,

nomber of tracepoints to monitor and

performance of the device

Context Approach Use-case Future workheterogeneous

15

Page 18: Tracing IoT devices for anomaly detection purposes©sentation... · Mirai Telnet -> upload file -> chmod on it : 14,9 s Using all the kernel tracepoints –live mode Now Chmod on

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Context Approach Use-case Future work

Thank you!

Questions? Suggestions? Solutions?

[email protected]

16


nancydeborah.files.wordpress.com · Web viewchmod The chmod command allows you to alter access rights to files and directories. All files and directories have security permissions

A Big Stepsweiss/course...5 CSci 132 Practical UNIX with Perl Making files executable To change the mode of the file, you use the chmod command. chmod is a mnemonic: chmod ch for change,

40th International Man Made Fibre Conference, … · Web viewSpun – and Yarndyed Polyester yarn for Automotive Textiles This year approximately 14,9 million new cars will be produced

Introduction to Unix€¦ · $ chmod o=r myscript.sh To give read and execution access together, $ chmod o=rx myscript.sh 41/49. What is a Process? A computer process is an instance

CSN08101 Digital Forensics · – cp – mv – cat – less – more – tail – head – wc – chmod • Concepts Summary – Pipe and redirection – Basic permissions – Filename

User Management 16101301 - National Chiao Tung University · 2016-10-13 · • chmod 600 lctseng-*-20151001.tar.bz q Delete home directory • rm –rf /home/lctseng • rm –f

Franck Riboud - danone-danonecom …danone-danonecom-prod.s3.amazonaws.com/user_upload/... · STAGE ENHANCED NUTRITION 14,4 14,9 ... Morocco : becoming majority shareholder of Centrale

SETTING UP AN IOT MOSQUITTO SERVER AND BUILDING A USER ... · APPENDIX Bash script #! /bin/bash while : do value=$(chmod 777 /home/srv/password.txt) value=$(/home/srv/password.txt)

МИНИСТЕРСТВО ВНУТРЕННИХ ДЕЛ РОССИЙСКОЙ ...https://мвд.рф/upload/site1/document_news/008/922...разбой 9423 -14,9 8234 -5,3 с незаконным

QML Profiler - KDAB … · lttng-tools to control the tracing session ... many more that can be useful to know for debugging and profiling. p.23 I/O tracing Kernel Tracepoints Tracing

Chmod, Umask, Stat, Fileperms, And File Permissions

${Unix Tools} - University of Cambridgexfig, tgif, gimp graphics drawing tools *topnm, pnmto*, [cd]jpeg graphics format converters passwd change your password chmod change file permissions

Sigil Manual - storage.googleapis.com · Sigil Manual, Release 0.2.0 You have to do this from the console. First, make the installer executable and then run it: chmod +x installer.bin

Oracle Financial Services Asset Liability Management ......of this guide can be accessed from . ... administrator. • Give Execute permission to the file using the command: chmod

KINEPOLIS GROUP · ¦ð óñUõu Belgium 33,0% France 14,9% Canada 26,7% Spain 9,4% The Netherlands 12,0% Luxembourg 3,1% Switzerland Poland 0,9% YE 2018 ¦ð óñUõu Box Office

Alkol Tüketim Kültürü ve Alkol Araştırmaları ile Alkol ...yıllarında yürütülen ulusal sağlık araştırmaları, 15 yaş ve üzeri nüfusun %10,4-14,9’unun alkollü içecek

Open Access Efficient Conditional Tracepoints in Kernel Space · Efficient Conditional Tracepoints in Kernel Space The Open Cybernetics & Systemics Journal, 2012, Volume 6 13 This

Earth System Grid (ESG) - DKRZ · myscript.sh) Run with: $ bash myscript.sh Or: $ chmod +x myscript.sh $ ./myscript.sh NEVER: sh myscript.sh (it’s not an sh script) It’s a list

Cisco ISE integration with Microsoft SCCM Server · 2019. 1. 22. · >chmod 755 mdm.properties A sample successful log is attached FYR (ISESCCMPolicyFixLog) 2017-07-12 15:54:06,518

artesao - Specify 7ftp.nupelia.uem.br › users › agostinhoaa › publications...25,7 609,7 12,8 392,1 2,0 138,5 3,0 14,6 11,0 59,9 220,0 141,0 208,0 80,6 14,9 105,0 Resultados e

FROHE WEIHNACHTEN - Der Andechser im Ratskellerderandechser-wiesbaden.de/wp-content/uploads/2017/...FROHE WEIHNACHTEN MERRY X-MAS Obazda . WINTER FAVORITEN Schweinshaxe4,6 14,9 im

Privacy and Personal Data Collection Disclosure€¦ · 3. Use the chmod command to change permissions so that the QEMU user can access the file: chmod a+rwx system_disk.raw 4. Use

Upgrading the Cisco Prime Service Catalog Virtual Appliance · Changethebackupfile chown oracle.oracle CPSCUSER_11.0_backup.dmp ownershipandpermissions: Step 4 chmod a+r CPSCUSER_11.0_backup.dmp

Real-time Debugging using GDB Tracepoints and other ... · Real-time Debugging using GDB Tracepoints and other Eclipse features GCC Summit 2010 2010-010-26 [email protected]

Linux Basics - Technische Universität München · Debian? Red Hat? Fedora? Gentoo? Arch Linux? cat my movie collection jgrep Hackers chmod 777 * ./con gure && make && make install

Heikki Vauhkonen 2008 Tulikivi Corporation. Sales69,682,1-14,9 Operating profit1,08,2-88,3 Percentage of sales1,410,0 Profit before income tax0,27,8-97,9

Project Mustang - Neues in Java SE 6alt.java-forum-stuttgart.de/jfs/2006/folien/E7_Adelhardt_Sun.pdf · Windows system tray JVMTI: attach on demand LCD font support chmod free disk

WAP TO DEMONSTRATE FORK SYSTEMCALLmycnis.weebly.com/uploads/4/1/8/7/4187501/os_record.doc  · Web view$ chmod ugo +r Gives read, permissions only to user ,group and others $ chmod

Oracle Clusterware 11GR2 - · PDF fileOracle Clusterware 11GR2 ... #chmod -R 775 /u01/app/11.2.0/oracle. ... ASM and RAC databases Oracle RAC Backup and Recovery RAC Services RAC ,

Annual Report 2015-16 - Amazon Web Services · oxfam intermon annual report 1 annual report 2015-16 ... 16 sustainable food ... 14,9% oxfam intermon annual report “. ,

# forward · 2019. 1. 23. · ## /wrk/mishra/sav gunzip sav_data/*.gz Check quality of all the files chmod ... python cutadapt -b CCTACGGGAGGCAGCAG -o ${i%}.noprimer ${i%} done #

Ghostor: Toward a Secure Data-Storage System from ... · Alice’s Client Doctor’s Client Chmod Hash(Object) [first operation] Signed by PSK Signed by Server •Suppose Alice and

Real-time Debugging using GDB Tracepoints and other Eclipse features

EMC Storage Monitoring and Reporting 4.0.3 Installation ... · 2. Navigate to the /sw folder. 3. Change the permissions of the installer. For example: chmod +x .sh

REPUBLIC OF CYPRUS MINISTRY OF ENERGY, COMMERCE, …€¦ · In January – June 2015 domestic exports grew by 14,9% reaching €0,5 billion from €0,4 billion in the same period