2014. 04. 18
오 대 명 주재웅
Email: [email protected]
SeoulTech UCS Lab 2014-1st
Copyright ⓒ 2014 by USC Lab All Rights Reserved.
Systems for Detecting Advanced Persistent Threats: a Development Roadmap using Intelligent Data Analysis
Table of Contents
1. Research background and objectives
2. APT background
 1) Advanced Persistent Threats
 2) Intelligent Data Analysis for Intrusion Detection
3. Introduction of a new framework for APT analysis
 1) Analysis Framework
 2) Application of framework
4. APT detection system development
 1) The Framework Used as Development Roadmap for Design
 2) Roadmap based system design, general aspects
 3) Roadmap based system design, concrete aspects
5. Test case
6. Conclusion
Research Background and Objectives
• Cyber-attacks against companies and governments are increasing in
complexity, persistence and numbers.
• Common intrusion detection methods lack the ability to detect APTs.
Research background
• Analysis framework is proposed to relate complex attack attributes to
detection and business aspects.
• The framework is used to define a development roadmap for designing
advanced intrusion detection systems.
Research objectives
APT Background
–Advanced Persistent Threats
–Intelligent Data Analysis for Intrusion Detection
What is APT?
The term “Advanced Persistent Threat” is loosely used for a wide variety of cyber threats. In essence it always implies a threat in which the attacker is determined and has a specific goal.
• Advanced
Can utilize a wide range of attack techniques.
• Persistent
Aims to establish a permanent, undetectable presence in the environment.
• Threat
APT attacks target organizations to achieve a specific objective.
Intrusion Detection System
• Intrusion
- Any unauthorized access, unpermitted attempt to access or damage, or malicious use of information resources
• Intrusion Detection
- Detection of break-ins and break-in attempts via automated software systems
• Intrusion Detection Systems (IDS)
- Defense systems that detect and possibly prevent intrusion activities
IDS Monitoring Process
The monitoring process chains five stages: information sources, data capturing tools, feature extraction, analysis engines and decision of responses.
• Information sources:
Network traffic or host log files.
• Data capturing tools:
Capture events and categorize them.
• Feature extraction:
Features extracted from the captured events are the input for the analysis engines.
• Analysis engines:
Various intrusion detection methods are implemented to investigate the behavior.
• Decision of responses:
The response is determined according to the results of the analysis.
IDS Monitoring Location
• Host-based IDS
• Network-based IDS
Host-based IDS
Uses OS auditing and monitoring mechanisms to find applications taken over by an attacker
• Log all relevant system events (e.g., file/device accesses)
• Monitor shell commands and system calls executed by user applications
and system programs
- Pay a price in performance if every system call is filtered
Network-based IDS
Deploying sensors at strategic locations
• For example, packet sniffing
Inspecting network traffic
• Watch for violations of protocols and unusual connection patterns
• Look into the packet payload for malicious code
Intrusion Detection Methods
• Signature Detection
• Anomaly Detection
Signature Detection
A signature detection system compares a data sample to the signatures in the system.
When a signature matches, a warning is issued.
Figure: an event from the data stream (Login name='Sadan') is compared with the learned patterns in the signature database; a match is reported as abnormal, otherwise the event passes.
Advantages
• Quality and reliability of the signature detection results;
• Low false positive rate;
• Detected attacks have a clear definition;
• After installation, attacks can be detected immediately.
Disadvantages
• Cannot detect attacks with unknown characteristics;
• Requires frequent updating of the signature database.
Anomaly Detection
Anomaly detection methods learn what is considered to be normal behavior in a network or computer system, and report anomalies as alerts.
For example, if a user who usually logs in around 10 am from a university dormitory logs in at 5:00 am from an IP address in China, then an anomaly has occurred.
Two methods are used to learn what normal behavior is.
• Supervised learning methods.
These methods use labeled datasets to understand what is normal and what, possibly, is an attack. These methods are relatively successful without producing too many false classifications.
• Unsupervised learning algorithms.
These methods use unlabeled data to find anomalies but usually generate a lot of false positives.
Advantages
• Can potentially detect unknown attacks.
Disadvantages
• High rate of missed detections and false alarms;
• The initial training takes a long time;
• The network is not protected while training is in progress;
• Difficult to associate a specific attack with an alert.
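As an added example (not code from the slides or the paper they summarize), the Python below puts the signature detection and anomaly detection slides side by side: a signature database holding the slide's single rule (login name 'Sadan') and a per-user profile of normal login hours and source networks learned from a baseline, so the 5 am login from an unfamiliar network is missed by the signature and caught by the profile. The login events, the user 'alice' and the 203.0.113.x / 198.51.100.x addresses are constructed for the example.

```python
from collections import Counter
from datetime import datetime
# Constructed login events (not from the slides): (timestamp, login name, source IP).
BASELINE = [  # labelled-normal history used to learn alice's profile
    ("2014-04-01 10:02", "alice", "203.0.113.10"),
    ("2014-04-02 09:58", "alice", "203.0.113.11"),
    ("2014-04-03 10:05", "alice", "203.0.113.10"),
    ("2014-04-07 09:55", "alice", "203.0.113.12"),
]
STREAM = [  # events to be analysed
    ("2014-04-18 10:01", "alice", "203.0.113.10"),  # normal
    ("2014-04-18 10:20", "Sadan", "203.0.113.10"),  # matches the known signature
    ("2014-04-19 05:00", "alice", "198.51.100.7"),  # unknown pattern, no signature
]
# Signature database: the slide's single rule, login name == 'Sadan'.
SIGNATURES = {("login_name", "Sadan")}

def signature_detect(event):
    """Return the matched login-name signature, or None. Only known patterns fire."""
    return event[1] if ("login_name", event[1]) in SIGNATURES else None
def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").hour
def _net(ip):  # crude /24 prefix stands in for the login 'location'
    return ip.rsplit(".", 1)[0]

def learn_profile(events):
    """Learn what is normal per user: login hours and source networks seen."""
    profile = {}
    for ts, user, ip in events:
        p = profile.setdefault(user, {"hours": Counter(), "nets": Counter()})
        p["hours"][_hour(ts)] += 1
        p["nets"][_net(ip)] += 1
    return profile

def anomaly_detect(event, profile, tolerance=1):
    """Report why a login deviates from the learned profile (empty list = normal)."""
    ts, user, ip = event
    p = profile.get(user)
    if p is None:
        return ["unknown user"]  # no baseline at all, so the login is anomalous
    reasons = []
    if not any(abs(_hour(ts) - h) <= tolerance for h in p["hours"]):
        reasons.append("unusual hour")
    if _net(ip) not in p["nets"]:
        reasons.append("unusual source network")
    return reasons

def run(stream, baseline):  # both methods per event: (login name, signature, anomalies)
    profile = learn_profile(baseline)
    return [(e[1], signature_detect(e), anomaly_detect(e, profile)) for e in stream]
```

The third event shows the trade-off from the two slides: no signature exists for it, while the learned profile flags both the hour and the source network.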
Introduction of a New Framework for APT Analysis
– Analysis Framework
– Roadmap based system design, general aspects
Analysis Framework
• Signature Detection
• Anomaly Detection
• Combines signature detection and anomaly detection
An analysis framework to relate attack characteristics to detection location and methods.
Analysis Framework
Figure: the framework table, columns 1 to 3.
Figure: the framework table, columns 4 to 7.
Application of framework
Attack steps and their goals:
1. External reconnaissance: obtaining information about the structure of the network, public services and people working at the company.
2. Gaining access: gaining a foothold in the attacked network, ranging from technically oriented methods to social engineering.
3. Internal reconnaissance: gaining more knowledge of the attacked network.
4. Expanding access: obtaining more privileges at systems, access to more systems in the network and access to more network segments.
5. Gathering target information: methods aimed at locating information and services of interest.
6. Information extraction: extracting information from the network, generally malware that extracts to servers within a botnet.
7. Control of information leaks: controlling the methods used in phases 2 through 6, generally command and control networks for botnets.
8. Erasing tracks: obscuring attacks.
Roadmap for the Design of an APT Detection System
‒ The Framework Used as Development Roadmap for Design
‒ Intelligent Data Analysis for Intrusion Detection
‒ Roadmap based system design concrete aspects
The Framework Used as Development Roadmap for Design
• The analysis framework presented in section III gives
insight into what needs to be detected, where it can be
detected, how it can be detected, and why it needs to be
detected.
• What needs to be detected: the steps of an APT attack, the
methods that can be used, and the attack features that
can be detected.
• The detection location column of the framework contains
the information where the attack related features can be
detected.
• Combinations of attack features and detection locations
limit the choices of detection methods and analysis
methods.
Figure: the analysis framework columns as input for ID system design.
Roadmap based system design, general aspects
• What must be detected?
• Where can APTs be detected?
• Why should APTs be detected?
• How should APTs be detected?
What must be detected?
The first columns in the framework are attack-related aspects.
These specify the type of attack.
Distinguishing these steps provides an overview of the progress of an attack.
Changes in the behavior of successfully attacked clients or servers could be detected.
Where can APTs be detected?
Detection of the attack steps and attack features is limited
by the location where data is gathered.
Data can be gathered from log-files, by looking at activity
in computer memory or by capturing network traffic.
A choice for one type of detection location limits the
features which can be detected.
Activities in attack step four, expanding access, are partly
executed on clients or servers without generating traffic.
Why should APTs be detected?
From a business perspective a detection system should be effective, accurate and secure against attacks on itself.
The economic damages due to a successful cyber attack can be very high.
The costs of the system should not be higher than the expected losses through successful attacks.
The result is that the prevention of high-impact attacks like APTs warrants higher investments.
How should APTs be detected?
Anomaly detection data analysis
Other applications of intelligent data analysis
Anomaly detection data analysis
• When intelligent data analysis is applied to anomaly detection, a choice must be made for a learning approach:
• Supervised learning, which uses a labeled dataset to create a classification model.
• Unsupervised learning, which classifies on the assumption that anomalies differ from the normal situation.
Other applications of intelligent data analysis
• Intelligent data analysis can also be used to improve the performance of signature detection and to automate the creation of signatures.
• Implement rule-learning approaches.
Example: fuzzy rule-based anomaly detection. This approach uses labeled datasets to create rules that define the clusters of normal and anomalous behavior.
This dataset can be increased by using decisions on reported alerts to manually label the data or clusters, which improves the accuracy of the local analysis elements of a system.
Roadmap based system design, concrete aspects
• a probing element for gathering data
• a low level analysis element for analyzing data locally
• a high level analysis element to globally analyze data
• a reporting element to inform SOC workers in appropriate
ways on what is going on
Figure: a basic architecture of an ID system capable of detecting APTs (Advanced Persistent Threats).
1) Multiple probes are deployed in a network
2) The probes pass the data to local analysis elements
3) These elements perform analysis to detect low level attack methods.
4) They report an event to the central analysis element when they find a
possible low level attack.
5) The central analysis element combines all attack events and tries to
correlate low level attack events to APT attack scenarios.
6) The central analysis element finally passes possible attacks to a
reporting element.
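The following Python is an added example, not code from the paper or the presentation: it sketches the central analysis element of step 5, mapping the low-level attack events reported by local analysis elements onto the eight attack steps listed under "Application of framework" and correlating them per host into a candidate APT scenario for the reporting element. The event types, host names and the event-to-step mapping are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Attack steps of the framework (slide 25) that the central element correlates against.
STEPS = {1: "External reconnaissance", 2: "Gaining access", 3: "Internal reconnaissance",
         4: "Expanding access", 5: "Gathering target information",
         6: "Information extraction", 7: "Control of information leaks", 8: "Erasing tracks"}
# Hypothetical mapping from a local element's low-level event type to the step it indicates.
EVENT_TO_STEP = {
    "phishing_attachment_opened": 2, "internal_port_scan": 3,
    "privilege_escalation": 4, "lateral_login": 4,
    "file_share_enumeration": 5, "large_outbound_transfer": 6,
    "beaconing_c2": 7, "log_cleared": 8,
}
# Constructed events reported by local analysis elements: (timestamp, host, event type).
EVENTS = [
    ("2014-04-18 09:12", "ws-17", "phishing_attachment_opened"),
    ("2014-04-18 09:40", "ws-17", "internal_port_scan"),
    ("2014-04-18 11:05", "ws-17", "lateral_login"),
    ("2014-04-19 02:30", "ws-17", "large_outbound_transfer"),
    ("2014-04-18 14:00", "ws-03", "internal_port_scan"),  # isolated event, no scenario
    ("2014-04-18 16:20", "srv-db", "beaconing_c2"),
]

def correlate(events, min_steps=3, window=timedelta(days=3)):
    """Per host, find the longest time-ordered run of events whose attack steps advance
    (never regress) within `window`; report it if it covers >= min_steps distinct steps."""
    per_host = defaultdict(list)
    for ts, host, kind in events:
        step = EVENT_TO_STEP.get(kind)
        if step is not None:  # events of unknown type carry no step and are ignored
            per_host[host].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), step))
    scenarios = {}
    for host, items in per_host.items():
        items.sort()
        chain, best = [], []
        for ts, step in items:
            # restart the chain when the window is exceeded or the step goes backwards
            if chain and (ts - chain[0][0] > window or step < chain[-1][1]):
                chain = []
            if not chain or step != chain[-1][1]:  # collapse repeats of the same step
                chain.append((ts, step))
            if len(chain) > len(best):
                best = chain[:]
        if len(best) >= min_steps:
            scenarios[host] = [s for _, s in best]
    return scenarios

def describe(scenarios):
    """Render a scenario for the reporting element as readable step names."""
    return {h: " -> ".join(STEPS[s] for s in steps) for h, steps in scenarios.items()}
```

Only ws-17 accumulates a progression of steps; the single events on ws-03 and srv-db stay below the threshold, which is the distinction between a low-level attack event and an APT scenario that the slide draws.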
Figure: a basic architecture of a local analysis element.
Figure: a basic architecture of a central analysis element.
A Test Case
Step 1. Reconnaissance: The first step of all attacks is
reconnaissance of the target organization.
Step 2. Gaining access: After the first step the attackers
proceed to use the profile information of employees to
construct phishing emails, which look legitimate.
Steps 3 & 4. Internal reconnaissance and expanding access
Steps 5 & 6. Gathering and extracting information
Steps 7 & 8. Control and erasing tracks
Conclusion
The approach presented uses a framework for analysis of
attacks which links low level attack methods to detection
methods and intelligent data analysis methods.
The framework is used as a roadmap towards a system
design capable of detecting APTs.
Applying the framework in the described way results in a
design in which detection methods are being selected based
on appropriate analysis of occurring APT behavior
(changes).
Conclusion
Three recommendations for future research can be made:
• First, the features used for analysis determine whether an attack can be detected by anomaly detection algorithms.
• Second, the design approach in this paper still requires analysis of alerts by experts.
• Third, a new reference dataset for research in intrusion detection is needed to get more relevant information on the success rate of algorithms.
Q&A
Thanks!