
Page 1: Systems for Detecting Advanced Persistent Threats · 2015-07-29 · APT attacks target organizations to achieve a specific objective. Intrusion Detection System 8 ... technical oriented

2014. 04. 18

오 대 명 주재웅

Email: [email protected]

SeoulTech UCS Lab 2014-1st

Copyright ⓒ 2014 by USC Lab All Rights Reserved.

Systems for Detecting Advanced Persistent Threats

a Development Roadmap using Intelligent Data Analysis

Page 2:

Table of Contents

1. Research background and objectives
2. APT background
   1) Advanced Persistent Threats
   2) Intelligent Data Analysis for Intrusion Detection
3. Introduction of a new framework for APT analysis
   1) Analysis Framework
   2) Application of framework
4. Development of an APT detection system
   1) The Framework Used as Development Roadmap for Design
   2) Roadmap based system design, general aspects
   3) Roadmap based system design, concrete aspects
5. Test case
6. Conclusion

Page 3:

Research background and objectives

Page 4:

Research background and objectives

Research background

• Cyber-attacks against companies and governments are increasing in complexity, persistence and number.

• Common intrusion detection methods lack the ability to detect APTs.

Page 5:

Research background and objectives

Research objectives

• An analysis framework is proposed that relates complex attack attributes to detection and business aspects.

• The framework is used to define a development roadmap for designing advanced intrusion detection systems.

Page 6:

APT background

– Advanced Persistent Threats

– Intelligent Data Analysis for Intrusion Detection

Page 7:

What is APT?

The term "Advanced Persistent Threat" is loosely used for a wide variety of cyber threats. In essence it always implies a threat in which the attacker is determined and has a specific goal.

• Advanced

The attacker can draw on a wide range of attack techniques.

• Persistent

The attacker aims to establish a long-lived presence in the environment that escapes detection, rather than a one-off intrusion.

• Threat

APT attacks target specific organizations to achieve a specific objective.

Page 8:

Intrusion Detection System

• Intrusion

- Any unauthorized access, any attempt to access or damage, or any malicious use of information resources.

• Intrusion Detection

- Detection of break-ins and break-in attempts by automated software systems.

• Intrusion Detection Systems (IDS)

- Defense systems which detect, and possibly prevent, intrusion activities.

Page 9:

IDS Monitoring Process

Information sources → Data capturing tools → Feature extraction → Analysis engines → Decision of responses

• Information sources: network traffic or host log files.

• Data capturing tools: capture events and categorize them.

• Feature extraction: turns raw events into the features the analysis engines work on.

• Analysis engines: the various intrusion detection methods are implemented here to investigate the behavior.

• Decision of responses: the response is determined according to the results of the analysis.

Page 10:

IDS Monitoring Location

• Host-based IDS

• Network-based IDS

Page 11:

Host-based IDS

Uses OS auditing and monitoring mechanisms to find applications taken over by an attacker.

• Logs all relevant system events (e.g., file/device accesses).

• Monitors shell commands and system calls executed by user applications and system programs.

- Pays a price in performance if every system call is filtered.

Page 12:

Host-based IDS

(Figure: host-based IDS)

Page 13:

Network-based IDS

Deploys sensors at strategic locations.

• For example, packet sniffing.

Inspects network traffic.

• Watches for violations of protocols and unusual connection patterns.

• Looks into the packet payload for malicious code.

Page 14:

Network-based IDS

(Figure: network-based IDS)

Page 15:

Intrusion Detection Method

• Signature Detection

• Anomaly Detection

Page 16:

Signature Detection

A signature detection system compares a data sample to the signatures in the system. When a signature matches, a warning is issued.

(Figure: data stream → learned patterns, e.g. Login name='Sadan' → compared with the signature database of attack signatures, e.g. Login name='Sadan' → Match? Yes: Abnormal! / No: pass)

Page 17:

Signature Detection

Advantages

• Quality and reliability of the detection results;

• Low false positive rate;

• Detected attacks have a clear definition;

• Immediately after installation it can detect the attacks it has signatures for.

Disadvantages

• Cannot detect attacks with unknown characteristics;

• Requires frequent updating of the signature database.

Page 18:

Anomaly Detection

Anomaly detection methods learn what is considered to be normal behavior in a network or computer system, and report anomalies as alerts.

For example, if a user who usually logs in around 10 am from the university dormitory logs in at 5:00 am from an IP address in China, then an anomaly has occurred.

Page 19:

Anomaly Detection

Two methods are used in learning what normal behavior is.

• Supervised learning methods.

These methods use labeled datasets to learn what is normal and what, possibly, is an attack. They are relatively successful without producing too many false classifications.

• Unsupervised learning algorithms.

These methods use unlabeled data to find anomalies but usually generate a lot of false positives.

Page 20:

Anomaly Detection

Advantages

• Can potentially detect unknown attacks;

Disadvantages

• High rate of missed detections and false alarms;

• The initial training takes a long time;

• During training the network is not protected;

• It is difficult to associate a specific attack with an alert.

Page 21:

Introduction of a new framework for APT analysis

– Analysis Framework

– Application of framework

Page 22:

Analysis Framework

An analysis framework relates attack characteristics to detection location and detection methods:

• Signature Detection

• Anomaly Detection

• A combination of signature detection and anomaly detection
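The following is an added example, not code from the slides or from the paper they summarize. It runs the monitoring pipeline of page 9 (events → features → analysis engine → alert) over constructed login events and combines the two methods of pages 16 and 18 the way this slide suggests: an exact-match signature rule (the slides' Login name = 'Sadan') is checked first, then an unsupervised per-user baseline of login hour and source network, learned from unlabeled history, scores everything the signatures did not catch. User names, addresses, the history and the threshold are all assumptions made for the example.

```python
"""Hybrid login detector: signature matching plus an unsupervised
per-user anomaly baseline. Added example, not code from the slides or the
underlying paper. All user names, addresses and the 'Sadan' signature are
constructed/illustrative."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean, pstdev


@dataclass(frozen=True)
class Login:
    user: str
    hour: int     # local hour of day, 0-23
    src_ip: str


# Signature database: the slides' example signature, Login name = 'Sadan'.
SIGNATURES = {"login_name": {"Sadan"}}

# Constructed unlabeled history for one user: logins around 10 am from the
# dormitory network 10.20.0.0/24.
HISTORY = [
    Login("alice", h, f"10.20.0.{i}")
    for i, h in enumerate([9, 10, 10, 11, 10, 9, 10, 11, 10, 10], start=1)
]

# Constructed events to classify.
SAMPLE_EVENTS = [
    Login("alice", 10, "10.20.0.7"),      # usual time, usual network
    Login("alice", 5, "203.0.113.9"),     # 5 am from an unknown network
    Login("Sadan", 10, "10.20.0.3"),      # matches the signature database
    Login("bob", 3, "198.51.100.4"),      # user with no baseline at all
    Login("alice", 13, "10.20.0.8"),      # 1 pm from the usual network
]


def prefix24(ip: str) -> str:
    """Feature extraction: collapse a source address to its /24 so one
    dormitory counts as one place."""
    return str(ip_network(f"{ip}/24", strict=False))


def signature_match(ev: Login) -> bool:
    """Signature detection: exact match against the signature database."""
    return ev.user in SIGNATURES["login_name"]


class UserBaseline:
    """Unsupervised anomaly model: per-user mean/stdev of login hour and the
    set of /24 networks seen, learned from unlabeled history."""

    def __init__(self, history):
        hours = defaultdict(list)
        self.nets = defaultdict(set)
        for ev in history:
            hours[ev.user].append(ev.hour)
            self.nets[ev.user].add(prefix24(ev.src_ip))
        self.hour_stats = {u: (mean(h), pstdev(h)) for u, h in hours.items()}

    def anomaly_score(self, ev: Login):
        """z-score of the login hour plus a fixed penalty for an unseen
        network. None when the user has no baseline: the model cannot judge."""
        if ev.user not in self.hour_stats:
            return None
        mu, sd = self.hour_stats[ev.user]
        z = abs(ev.hour - mu) / (sd or 1.0)
        new_net = prefix24(ev.src_ip) not in self.nets[ev.user]
        return z + (2.0 if new_net else 0.0)


def detect(events, baseline: UserBaseline, threshold: float = 3.0):
    """Analysis engine: signature rules first (cheap, precise), then the
    anomaly model. Returns (event, method, reason) for every alert."""
    alerts = []
    for ev in events:
        if signature_match(ev):
            alerts.append((ev, "signature", "login name in signature database"))
            continue
        score = baseline.anomaly_score(ev)
        if score is not None and score >= threshold:
            alerts.append((ev, "anomaly", f"score {score:.1f} >= {threshold}"))
    return alerts


def run_example():
    return detect(SAMPLE_EVENTS, UserBaseline(HISTORY))


if __name__ == "__main__":
    for ev, method, reason in run_example():
        print(f"{method:9} {ev.user:6} {ev.hour:02d}:00 {ev.src_ip:15} {reason}")
```

Three alerts come out: the 5 am login from an unknown network (the slides' example), the signature hit on 'Sadan', and a 1 pm login from the usual dormitory network. The last one is a false positive caused by a baseline with very little variance, and bob's 3 am login is missed entirely because no baseline exists for him; both are the anomaly-detection weaknesses listed on page 20, and they are why the framework pairs anomaly detection with signatures rather than replacing them.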

Page 23:

Analysis Framework

(Figure: the analysis framework table, columns 1 to 3)

Page 24:

Analysis Framework

(Figure: the analysis framework table, columns 4 to 7)

Page 25:

Application of framework

Attack steps and their goals:

1. External reconnaissance: obtaining information about the structure of the network, public services and people working at the company.

2. Gaining access: gaining a foothold in the attacked network, ranging from technically oriented methods to social engineering.

3. Internal reconnaissance: gaining more knowledge of the attacked network.

4. Expanding access: obtaining more privileges on systems, access to more systems in the network and access to more network segments.

5. Gathering target information: methods aimed at locating information and services of interest.

6. Information extraction: extracting information from the network, generally by malware that exfiltrates to servers within a botnet.

7. Control of information leaks: controlling the methods used in phases 2 through 6, generally command and control networks for botnets.

8. Erasing tracks: obscuring the attack.

Page 26:

Roadmap for designing an APT detection system

‒ The Framework Used as Development Roadmap for Design

‒ Roadmap based system design, general aspects

‒ Roadmap based system design, concrete aspects

Page 27:

The Framework Used as Development Roadmap for Design

• The analysis framework presented in section III (of the paper) gives insight into what needs to be detected, where it can be detected, how it can be detected, and why it needs to be detected.

• What needs to be detected: the steps of an APT attack, the methods that can be used, and the attack features that can be detected.

• The detection location column of the framework contains the information on where the attack related features can be detected.

• Combinations of attack features and detection locations limit the choices of detection methods and analysis methods.

Page 28:

The Framework Used as Development Roadmap for Design

(Figure: the analysis framework columns as input for ID system design)

Page 29:

Roadmap based system design, general aspects

• What must be detected?

• Where can APTs be detected?

• Why should APTs be detected?

• How should APTs be detected?

Page 30:

Roadmap based system design, general aspects

What must be detected?

The first columns in the framework are the attack related aspects; they specify the type of attack and its steps. Distinguishing these steps provides an overview of the progress of an attack, so that changes in the behavior of successfully attacked clients or servers can be detected.

Page 31:

Roadmap based system design, general aspects

Where can APTs be detected?

Detection of the attack steps and attack features is limited by the location where data is gathered. Data can be gathered from log files, by looking at activity in computer memory, or by capturing network traffic. A choice for one type of detection location limits the features which can be detected: activities in attack step four, expanding access, are partly executed on clients or servers without generating network traffic, so a purely network-based sensor cannot see them.

Page 32:

Roadmap based system design, general aspects

Why should APTs be detected?

From a business perspective a detection system should be effective, accurate and secure against attacks on itself. The economic damage from a successful cyber attack can be very high, but the cost of the system should not exceed the expected losses through successful attacks. The result is that the prevention of high-impact attacks like APTs warrants higher investments.

Page 33:

Roadmap based system design, general aspects

How should APTs be detected?

• Anomaly detection data analysis

• Other applications of intelligent data analysis

Page 34:

Roadmap based system design, general aspects

How should APTs be detected?

Anomaly detection data analysis

• When intelligent data analysis is applied to anomaly detection, a choice must be made for a learning approach:

• supervised learning, which uses a labeled dataset to create a classification model;

• unsupervised learning, which classifies on the assumption that anomalies differ from the normal situation.

Page 35:

Roadmap based system design, general aspects

How should APTs be detected?

Other applications of intelligent data analysis

• Intelligent data analysis can also be used to improve the performance of signature detection and to automate the creation of signatures, by implementing rule-learning approaches.

Example: fuzzy rule-based anomaly detection. This approach uses labeled datasets to create rules that define the clusters of normal and anomalous behavior. The labeled dataset can be grown by using analysts' decisions on reported alerts to manually label the data or clusters, which improves the accuracy of the local analysis elements of a system.
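The following is an added example, not code from the slides or the paper, of the feedback loop this slide and page 34 describe: a rule is learned from a labeled dataset (supervised learning), the rule reports alerts, the analyst labels only those reported alerts, and the enlarged dataset is used to relearn the rule. In place of fuzzy rules it learns the simplest rule there is, a single threshold on one feature (a decision stump), so the effect of the feedback is visible by inspection. The feature (number of distinct internal hosts a client contacted in one hour, taken as an indicator of attack step 4, expanding access), all values, labels and the analyst's verdicts are constructed assumptions.

```python
"""Rule learning with analyst feedback. Added example, not code from the
slides or the paper. Learns a threshold rule 'value >= t -> attack' from a
labeled dataset, then grows that dataset with the analyst's decisions on
the alerts the rule reported. Feature values and labels are constructed."""


def learn_threshold(labeled):
    """labeled: list of (feature_value, is_attack). Returns (t, errors) for
    the threshold with the fewest misclassifications on the labeled data.
    Ties go to the higher threshold, i.e. fewer alerts."""
    values = sorted({v for v, _ in labeled})
    candidates = values + [values[-1] + 1]   # last candidate = never alert
    best_t, best_err = None, None
    for t in candidates:
        err = sum((v >= t) != is_attack for v, is_attack in labeled)
        if best_err is None or err < best_err or (err == best_err and t > best_t):
            best_t, best_err = t, err
    return best_t, best_err


def report_alerts(events, t):
    """The local analysis element applies the current rule to new events."""
    return [v for v in events if v >= t]


def feedback_round(labeled, events, analyst):
    """Run the rule, let the analyst label only the reported alerts (as the
    slide describes), append those labels and relearn the rule.
    analyst: dict feature_value -> is_attack; alerts the analyst has not
    decided on yet stay unlabeled."""
    t, _ = learn_threshold(labeled)
    reported = report_alerts(events, t)
    grown = labeled + [(v, analyst[v]) for v in reported if v in analyst]
    return grown, learn_threshold(grown)


# Constructed initial labeled dataset: six benign clients, three attacks.
INITIAL_LABELED = [
    (1, False), (2, False), (2, False), (3, False), (3, False), (4, False),
    (11, True), (15, True), (20, True),
]
# Constructed new events and the analyst's verdicts on the reported ones:
# 12 and 13 turn out to be a legitimate backup job, 18 is a real pivot.
NEW_EVENTS = [3, 12, 13, 18, 2]
ANALYST = {12: False, 13: False, 18: True}


def run_example():
    t0, err0 = learn_threshold(INITIAL_LABELED)
    grown, (t1, err1) = feedback_round(INITIAL_LABELED, NEW_EVENTS, ANALYST)
    return {
        "initial": (t0, err0),
        "after_feedback": (t1, err1),
        "reported_before": report_alerts(NEW_EVENTS, t0),
        "reported_after": report_alerts(NEW_EVENTS, t1),
        "labeled_size": len(grown),
    }


if __name__ == "__main__":
    print(run_example())
```

On the constructed data the first rule is "11 or more hosts", which fits the initial labels perfectly and reports 12, 13 and 18. After the analyst marks 12 and 13 as the backup job, the relearned rule moves to "15 or more hosts": it no longer reports the backup job but now misses the labeled attack at 11. That one residual error is the trade-off this kind of feedback always makes, and it is why the slide says the relearned rules improve the local analysis elements rather than perfect them.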

Page 36:

Roadmap based system design, concrete aspects

• a probing element for gathering data

• a low level analysis element for analyzing data locally

• a high level analysis element to globally analyze data

• a reporting element to inform SOC workers in appropriate ways on what is going on

Page 37:

Roadmap based system design, concrete aspects

(Figure: a basic architecture of an ID system capable of detecting APTs)

Page 38:

Roadmap based system design, concrete aspects

1) Multiple probes are deployed in a network.

2) The probes pass the data to local analysis elements.

3) These elements perform analysis to detect low level attack methods.

4) They report an event to the central analysis element when they find a possible low level attack.

5) The central analysis element combines all attack events and tries to correlate low level attack events to APT attack scenarios.

6) The central analysis element finally passes possible attacks to a reporting element.
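The following is an added example, not code from the slides or the paper, of step 5 above: a toy central analysis element. It assumes the local analysis elements have already classified their findings into the attack steps of the table on page 25 and report them with the source and destination host involved; the central element then links events into candidate campaigns by following the hosts the attacker touches, and reports a scenario once a campaign spans enough distinct steps. Probe names, host names, addresses, timings and the internal-network convention are constructed assumptions.

```python
"""Central analysis element (toy). Added example, not code from the slides
or the paper. Links low-level events from several probes into candidate
APT scenarios. Probe names, hosts, addresses and timings are constructed;
step numbers follow the attack-step table on page 25."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

STEP_NAMES = {
    1: "External reconnaissance", 2: "Gaining access",
    3: "Internal reconnaissance", 4: "Expanding access",
    5: "Gathering target information", 6: "Information extraction",
    7: "Control of information leaks", 8: "Erasing tracks",
}

# Constructed convention for the sample: named hosts and RFC 1918 addresses
# are inside the organisation, everything else is attacker-side.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Event:
    ts: int      # minutes since start of capture
    probe: str   # probe / local analysis element that reported it
    step: int    # attack step assigned by the local analysis element
    src: str
    dst: str


@dataclass
class Campaign:
    touched: set = field(default_factory=set)   # internal hosts involved
    external: set = field(default_factory=set)  # attacker-side addresses
    events: list = field(default_factory=list)

    def steps(self):
        return sorted({e.step for e in self.events})


def is_internal(host: str) -> bool:
    try:
        addr = ip_address(host)
    except ValueError:
        return True          # a host name: an internal asset in the sample
    return any(addr in net for net in INTERNAL_NETS)


def correlate(events, min_steps=3):
    """Step 2 (gaining access) opens a campaign. A later event joins it when
    its source is an already touched host or its destination is known
    attacker infrastructure. Earlier step-1 recon from the same attacker
    address is attached retroactively. Campaigns covering at least
    min_steps distinct steps are returned as scenarios."""
    campaigns, pending_recon, unlinked = [], [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.step == 1:
            pending_recon.append(ev)
            continue
        if ev.step == 2:
            c = Campaign({ev.dst}, {ev.src}, [ev])
            c.events += [r for r in pending_recon if r.src == ev.src]
            pending_recon = [r for r in pending_recon if r.src != ev.src]
            campaigns.append(c)
            continue
        for c in campaigns:
            if ev.src in c.touched or ev.dst in c.external:
                c.events.append(ev)
                (c.touched if is_internal(ev.dst) else c.external).add(ev.dst)
                break
        else:
            unlinked.append(ev)      # no campaign explains this event
    scenarios = [c for c in campaigns if len(c.steps()) >= min_steps]
    return scenarios, unlinked + pending_recon


# Constructed events from several probes; 'hids-ws03' is unrelated noise.
SAMPLE_EVENTS = [
    Event(0,   "nids-dmz",  1, "203.0.113.5", "mail01"),
    Event(60,  "mail-gw",   2, "203.0.113.5", "ws-17"),
    Event(75,  "hids-ws17", 3, "ws-17",       "dc01"),
    Event(90,  "nids-core", 4, "ws-17",       "fs02"),
    Event(95,  "hids-ws03", 3, "ws-03",       "dc01"),
    Event(200, "nids-edge", 6, "fs02",        "203.0.113.5"),
    Event(210, "nids-edge", 7, "ws-17",       "198.51.100.22"),
]


def run_example():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    scenarios, unlinked = run_example()
    for c in scenarios:
        print("APT scenario:", ", ".join(STEP_NAMES[s] for s in c.steps()))
        print("  touched:", sorted(c.touched), "attacker:", sorted(c.external))
    print("unlinked:", [(e.probe, STEP_NAMES[e.step]) for e in unlinked])
```

On the constructed events one scenario is reported, covering steps 1, 2, 3, 4, 6 and 7 across four probes, while the lone internal-reconnaissance event from ws-03 stays unlinked and is not reported on its own. Two design points follow from pages 30 and 31: the scenario is scored on distinct steps rather than on an unbroken sequence, because a step executed on a host without generating traffic (step 4 is the slide's example) may simply not be reported by any probe; and the linking relies entirely on the host identities the local elements attach to events, so a probe that reports only a flow without its endpoints contributes nothing to correlation.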

Page 39:

Roadmap based system design, concrete aspects

(Figure: a basic architecture of a local analysis element)

Page 40:

Roadmap based system design, concrete aspects

(Figure: a basic architecture of a central analysis element)

Page 41:

A Test Case

Page 42:

A Test Case

Step 1. Reconnaissance: the first step of all attacks is reconnaissance of the target organization.

Step 2. Gaining access: after the first step the attackers use the profile information of employees to construct phishing emails which look legitimate.

Steps 3 & 4. Internal reconnaissance and expanding access.

Steps 5 & 6. Gathering and extracting information.

Steps 7 & 8. Control and erasing tracks.

Page 43:

Conclusion

The approach presented uses a framework for the analysis of attacks which links low level attack methods to detection methods and intelligent data analysis methods. The framework is used as a roadmap towards a system design capable of detecting APTs. Applying the framework in the described way results in a design in which detection methods are selected based on an appropriate analysis of the APT behavior (changes) that occurs.

Page 44:

Conclusion

Three recommendations for future research can be made:

• First, the features used for analysis determine whether an attack can be detected by anomaly detection algorithms.

• Second, the design approach in this paper still requires analysis of alerts by experts.

• Third, a new reference dataset for research in intrusion detection is needed to get more relevant information on the success rate of algorithms.

Page 45:

Q&A

Page 46:

Thanks!