1
Activities of NICT Information Security Research in Japan
Katsunari Yoshioka, Ph.D
National Institute of Information and Communications Technology (NICT), Japan
Feb 8, 2007@HSN07
2
History and roles of NICT
• GOJ institute of ICT under MIC
– First established as MIC wireless communication lab
• Named as Radio Research Laboratory in 1952
– Started to handle network-related technologies
• Renamed as Communication Research Laboratory (CRL) in 1988
– Independently funded since 2001
• Renamed as NICT since April 2004
• National research support and standardization
– Distribution of Japan Standard Time clock information over LF radio and Internet NTP
– Operating ionospheric radio observatories
– Operating JGN2 gigabit research networks
NICT = National Institute of Information and Communications Technology
3
NICT – the Organization
General Affairs Dept.
Financial Affairs Dept.
Strategic Planning Dept.
Research Dept. 1
Research Dept. 2
Research Dept. 3
Collaborative Research Dept.
Research Promotion Dept.
Key Technology Research Promotion Dept.
New Generation Network Research Center
New Generation Wireless Communication Research Center
Kobe Advanced ICT Research Center
Knowledge Creating Communication Research Center
Universal Media Research Center
Information Security Research Center
Applied Electromagnetic Research Center
4
Information Security Research Center
• Project Promotion Office
– Management and Promotion
• Network Security Incident Response Group (4, 5)
– nicter: Network Incident Analysis and Response
• Traceable Secure Network Group (3, 1)
– Traceable Networking and its Testbed, Secure Overlay Network
• Security Fundamentals Group (2, 6)
– Cryptography, Security Issues of Electromagnetic Radiation
• Disaster Management and Mitigation Group (3, 4)
– Emergency Communication, Disaster Management by Ubiquitous Computing
(Figures in parentheses: Permanent, Short-term)
5
nicter: Network Incident analysis Center for Tactical Emergency Response
6
A short history of computing & insecurity
Timeline figure (1977–2005), produced by Meng Chow Kan. Phases: Discovery, Experimentation, Criminal Exploitation. Computing eras: Standalone Systems – Disk/Diskette Sharing; Client-server/PC-LAN Networks; Internet Collaboration (Email, Web, IRC, IM, P2P, File Sharing). Threat classes: Insecure Default / Weak Security Techniques / Feature Misuse / Social Engineering; Protocol Weaknesses / Buffer overflow; Computer Crimes; Cyber Crimes; Information Warfare. Standards: Trusted Operating Systems (Orange Book); Trusted Network (Red Book) – ITSEC; UK Green Book to BS 7799 to ISO 17799; Common Criteria (ISO 15408).
Events shown on the timeline (year positions not recoverable from the extracted text):
• Apple II Computer, Commodore, Atari, TI-99, TRS-80
• First Worm developed in Xerox Palo Alto
• First Self-destruct program (Richard Skrenta); First Self-replicating program (Skrenta's Elk Cloner)
• FBI arrests "414s" Hacker Group
• ©Brain Virus developed by two Pakistanis; Yale, Cascade, Jerusalem, Lehigh, etc.
• Ken Thompson demos first Trojan Horse; Fred Cohen's VAX Viruses
• First "Concept" Macro Virus
• Stealth virus (Whale); Variable Encryption (1260)
• Morris' Worm
• Robert T Morris fined $10K, 3 years probation
• Melissa virus ($80m); Excel Macro Virus (cross platform)
• Philippines' "I LOVE YOU" virus
• "Solar Sunrise" - Two California Teens attack on 500 Military, Govt, & Private Computer Systems
• Code Red; Nimda
• Melissa's author sentenced to 20 months jail
• DDoS on 13 "root" servers
• Slammer; Blaster; Welchia
• MyDoom; Sasser
• Spyware; Bots
• Phishing attacks proliferated
• Phishing begins in AOL
• "Cuckoo's Egg" in LBL
• SPAM Mails
• Pharming attacks (DNS poisoning)
• Kevin Mitnick arrested, five years imprisonment
7
Threats: Internet Attacks (figure produced by Meng Chow Kan)
• Virus/Worm Authors; Internet Hackers: Web Defacements, Denial of Service
• Botnet: Botnet Controller (IRC Servers), Bot Herders, Spyware/Trojans/Rootkits
• Spammers: Open Proxies, Open Mail Relays
• Phishers: Phishing Web Sites, Phishers' "Safe Houses"; DNS Servers (Pharming Attacks)
• Social Engineering: IM/Emails/P2P/In-person
• Organized Crime Syndicates; Online Business
8
Overview of the project
Macro Analysis:
• Monitors a darknet of over 0.1 million addresses (Darknet = globally announced but unused IP addresses)
• Real-time detection of incident candidates such as:
– New attack patterns of malware
– Rapid increase of attacks
Micro Analysis:
• Automated capture and analysis of malware
• Code analysis and behavior analysis
Macro-Micro Correlation Analysis:
• Automated correlation of darknet traffic and malware
Target: Integrated analysis of threats in large networks
9
Operation Room (Beta Version, NICT HQ)
10
Overview diagram of nicter:
• Inputs: Darknet Monitor (darknet traffic) and Honeypot (malware samples: virus, bot, worm)
• Macro analysis System (MacS): analysis engine over the monitored darknet traffic
• Micro analysis System (MicS): Code Analysis and Behavior Analysis of malware samples
• Macro-Micro Correlation Analysis: Correlation Engine
• Visualization: 3D display, World map
• Incident handling by a human operator, producing incident reports for Government, End users and ISPs
Overview
11
Macro Analysis(Darknet Monitoring)
12
3-D display of real-time incoming packet flow, showing arrivals of scanning packets.
Axes: Source IP Address, Destination IP Address, Destination Port Number, Source Port Number.
Packet types shown: TCP SYN, TCP SYN/ACK, UDP, ICMP, TCP of non-SYN or non-SYN/ACK.
Annotated patterns: address scanning, port scanning, UDP network scan, SYN scan on 8080, bot-like scan, SYN scan by dasher.worm.
13
Automated Analysis Engines
• Host Behavior Analyzer
– Behavioral analysis of individual hosts
– Automated categorization of attacking hosts by
  • Src/Dst Port Numbers
  • Dst IP Scan Sequences
– Detect new attack patterns
• CPD (Change Point Detector)
– Detection of rapid changes of time series data (e.g. scan freq.)
• SOM (Self Organizing Map) Analyzer
– Drawing of an overview of the monitored (darknet) traffic
14
Host Behavior Analysis
Long-term host behavior analysis contributes to categorizing the attackers, emphasizing new attacks.
Long-term analysis emphasizes the host characteristics.
Figure: long-term change of per-host trends.
15
Automated Change Point Detection
Plot: monitored traffic (access frequency, 0–16) and change-point score for tcp/1025, x axis from 20051201 to 20051219.
Detected change point of scan frequency on tcp/1025 at 09:05 JST, Dec. 9, 2005 (later found to be an activity of the Dasher.A worm).
16
Collaboration of Analyzers
Host Behavior Analyzer + Change Point Detection can detect a rapid increase of new attacks.
Diagram: monitored traffic is tapped into the Host Behavior Analyzer, which dispatches a CPD process to monitor each new attack pattern (over 20,000 parallel CPD processes); a detected change point raises an alert.
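As an added illustration of the Host Behavior Analyzer + CPD pairing above (my own code, not nicter's CPD implementation), the block below runs a one-sided CUSUM detector over one constructed hit-count series per destination port and reports the index where the score first exceeds a threshold; the series, warm-up length and thresholds are assumptions.

```python
"""One-sided CUSUM change-point detector for per-port darknet scan
frequency. Added illustration, not nicter's CPD implementation; the
hourly counts below are constructed sample data, not measurements."""
from statistics import mean, pstdev

# Constructed hourly hit counts per destination port (not real data).
# tcp/1025 is flat, then surges from index 12 on (a Dasher-like burst);
# tcp/445 stays at its baseline level throughout.
SAMPLE_SERIES = {
    "tcp/1025": [3, 2, 4, 3, 2, 3, 5, 2, 3, 4, 3, 2,
                 9, 14, 22, 31, 40, 38, 45, 51],
    "tcp/445": [7, 8, 6, 7, 9, 8, 7, 6, 8, 7, 9, 8,
                7, 8, 6, 7, 8, 9, 7, 8],
}

def cusum_scores(series, warmup=8, k=0.5):
    """Change-point score per sample (the slide's 'score' curve).
    The first `warmup` samples give a baseline mean and std-dev; the
    score accumulates standardised excess above `k` sigma and is
    clamped at zero, so a quiet series stays near 0."""
    if len(series) <= warmup:
        raise ValueError("series shorter than warm-up window")
    base = series[:warmup]
    mu, sigma = mean(base), pstdev(base) or 1.0
    scores, s = [0.0] * warmup, 0.0
    for x in series[warmup:]:
        s = max(0.0, s + (x - mu) / sigma - k)
        scores.append(s)
    return scores

def detect_change_point(series, warmup=8, k=0.5, h=4.0):
    """Index of the first sample whose score exceeds threshold h,
    or None when no rapid increase is seen."""
    for i, s in enumerate(cusum_scores(series, warmup, k)):
        if s > h:
            return i
    return None

def scan_all_ports(series_by_port, **kwargs):
    """One detector per monitored series, as nicter runs one CPD
    process per attack pattern; returns {port: change-point index}."""
    alerts = {}
    for port, series in series_by_port.items():
        idx = detect_change_point(series, **kwargs)
        if idx is not None:
            alerts[port] = idx
    return alerts

if __name__ == "__main__":
    print(scan_all_ports(SAMPLE_SERIES))  # {'tcp/1025': 12}
```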
17
Self-Organizing Map (SOM) Analyzer
• Takes a brief look at the monitored darknet traffic
• Clusters hosts with similar behaviors
– Circle: cluster of hosts
– Radius: number of hosts
– Color: intensity of attacks on the specified parameter
Figure: SOM with the specified parameter tcp/1025, highlighting a cluster of hosts intensively accessing tcp/1025.
18
Example: Finding worm variants by SOMs
Figure: SOMs for Dec 15th, Dec 16th and Dec 17th, with clusters labelled Type I, Type II and Type III.
• Type I (Dasher.A-C): tcp/1025
• Type II (a Dasher variant): tcp/1025, 1433, 42
• Type III (Dasher.D): tcp/1025, 1433, 42, 445
19
More in Macro Analysis
• Shellcode Detection
– Very fast detection of buffer-overflow shellcodes by focusing on program structures
– Applicable to darknet/live traffic with payloads
• IRC Bot Analysis (experimental phase)
– Distinguishes bots from human users by their communication timing to IRC servers
– Applicable to live traffic without payloads
20
Micro Analysis(Malware Analysis)
21
22
23
Malware Code Analysis
Pipeline (closed experimental environment): the virus executable is run on a victim (virtual) machine; a memory dump and disassembly produce asm, from which the analyzer extracts API calls and unique strings for detailed analysis; the output is a virus report in XML/HTML and a human-readable virus report.
Result Sample
24
Malware Behavior Analysis
Pipeline (closed experimental environment): the virus executable runs on a victim machine connected to dummy servers (DNS, FTP, HTTP, IRC, SMTP, TFTP); the registry and file access log, packet capture and server log are pattern-matched against behavior definitions; the analyzer extracts behaviors and summarizes them with descriptions into a virus report (XML/HTML) and a human-readable virus report.
Result Sample
25
Macro-Micro Correlation
Binding Darknet Traffic and Sample Malwares
26
Macro-Micro Correlation Analysis: Flow
Components: Macro Analysis System (Host Behavior Analyzer, MacSDB) fed by darknet traffic; Micro Analysis System (Malware Behavior Analyzer, MicSDB) fed by malware samples; Macro-Micro Correlation Analysis System (Correlation Manager, Profiler, Correlator, NemeSysDB).
(1) A new attack detected by the Host Behavior Analyzer triggers the Correlation Manager
(2), (3) Packet logs from MacSDB and MicSDB are passed to the Profiler
(4) Profiles are sent to the Correlator
(5) Correlation results are produced as analysis results
27
Macro-Micro Correlation Analysis
Diagram: the Correlation Manager's Profiler builds a profile (parameter 1, parameter 2, parameter 3, parameter 4, ...) for a single attacking host detected on the darknet, and the Correlator compares it with the profiles (PF of MW1, ...) of each malware sample stored in NemeSys DB.
28
Parameters in Profiles
Table 1: Parameters in Network Behavior Profile

Characteristic | Name of Parameter | Description
Destination port | DstPort_Count | List of all destination ports used in attack packets and their counts
Destination port | DstPort_Trans | List of all transition probabilities of every pair of destination ports over time
Source port | SrcPort_Unique | Number of unique source ports used in attack packets per unit time
Source port | SrcPortDif_Stats | Basic statistics (e.g. mean, variance) of the difference of source ports between consecutive attack packets
Destination IP address | DstIPDif_Stats | Basic statistics of the difference of destination IP addresses between consecutive attack packets
Destination IP address | DstIP_Unique | Number of unique destination IP addresses of attack packets per unit time
Protocol | Protocol_Count | List of all protocols used in attack packets and their counts
Flag | Flag_Count | List of all TCP flags used in attack packets and their counts
Time | NumPacketRate | Number of attack packets per unit time
Payload | PayloadSig_Count | List of all payload signatures (hash) and their counts
Payload | Payload_Stats | Basic statistics of the size of attack packet payloads
TTL | TTL_Stats | Basic statistics of TTL of attack packets
Identification | Id_Stats | Basic statistics of the IP id of attack packets
Sequence number | SeqNum_Stats | Basic statistics of sequence numbers
29
A Host that attacked our Darknet on 2005/12/18
Candidate #1
Candidate #2
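To make Table 1 and the candidate matching concrete, here is an added example (my own code, not nicter's Profiler or Correlator) that builds a subset of the Table 1 profile from packet records and ranks sandboxed malware samples by an assumed distance to the darknet attacker's profile; the packet records, the distance function and the sample names are constructed.

```python
"""Network behaviour profile (a subset of Table 1) and a profile
distance used to rank malware samples against a darknet attacker.
Added illustration, not nicter's Profiler/Correlator: the distance and
the packet records (src_port, dst_ip, dst_port, proto, tcp_flags) are
my own constructions."""
from collections import Counter
from ipaddress import ip_address
from statistics import mean, pvariance

def synth_scan(dst_ports, n=12):
    """Constructed sequential scan: src port and dst IP step by 1,
    dst port cycles through dst_ports (e.g. a Dasher Type II mix)."""
    return [(40000 + i, f"10.0.0.{i + 1}", dst_ports[i % len(dst_ports)],
             "tcp", "S") for i in range(n)]

def _dif_stats(values):
    """(mean, variance) of differences between consecutive values."""
    d = [b - a for a, b in zip(values, values[1:])]
    return (mean(d), pvariance(d)) if d else (0.0, 0.0)

def build_profile(packets, unit_time):
    """Profile in the style of Table 1; rates are per unit_time seconds."""
    ips = [int(ip_address(p[1])) for p in packets]
    return {
        "DstPort_Count": Counter(p[2] for p in packets),
        "SrcPort_Unique": len({p[0] for p in packets}) / unit_time,
        "SrcPortDif_Stats": _dif_stats([p[0] for p in packets]),
        "DstIPDif_Stats": _dif_stats(ips),
        "DstIP_Unique": len(set(ips)) / unit_time,
        "Protocol_Count": Counter(p[3] for p in packets),
        "Flag_Count": Counter(p[4] for p in packets),
        "NumPacketRate": len(packets) / unit_time,
    }

def _count_dist(a, b):
    """L1 distance of normalised count lists: 0 = identical, 2 = disjoint."""
    ta, tb = sum(a.values()), sum(b.values())
    return sum(abs(a[k] / ta - b[k] / tb) for k in set(a) | set(b))

def profile_distance(p, q):
    """Assumed distance: L1 over the count lists plus relative gaps of
    the per-unit-time rates and of the consecutive-difference means."""
    d = sum(_count_dist(p[k], q[k])
            for k in ("DstPort_Count", "Protocol_Count", "Flag_Count"))
    for k in ("SrcPort_Unique", "DstIP_Unique", "NumPacketRate"):
        d += abs(p[k] - q[k]) / max(p[k], q[k], 1e-9)
    for k in ("SrcPortDif_Stats", "DstIPDif_Stats"):
        d += abs(p[k][0] - q[k][0]) / max(abs(p[k][0]), abs(q[k][0]), 1e-9)
    return d

def rank_candidates(darknet_profile, sample_profiles):
    return sorted((profile_distance(darknet_profile, pf), name)
                  for name, pf in sample_profiles.items())

# Constructed inputs: one darknet attacker and two sandboxed samples.
DARKNET_HOST = build_profile(synth_scan([1025, 1025, 1433, 42]), 10)
SAMPLES = {"MW_A": build_profile(synth_scan([1025, 1025, 1433, 42]), 10),
           "MW_B": build_profile(synth_scan([445]), 10)}
```

`rank_candidates(DARKNET_HOST, SAMPLES)` puts MW_A (same port mix and scan sequence) first at distance 0 and MW_B (a 445-only scanner) second.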
30
In Progress @ Network Security Incident Response Group
• Correlation using traffic from high-interaction sensors
– exploit code
– bot C&C messages
• Automated generation of malware removal tools
• Automated attack signature generation for IDS
– signatures based on exploit code detection
• Incident (severity) prediction based on machine learning
– focus on vulnerability information release
31
32
Botnet Analysis
Following Slides are provided by Dr. Yuki Kadobayashi (Traceable Security Network Group & NAIST)
33
Malicious activities with pseudonyms: the case of IRC bot analysis
• IRC (Internet Relay Chat)
• Users join channels
• Suspicious: channels with an unusual number of users
– Bots pretending to be users
• Discussion: famous channels may have a large number of participants too
– Two more techniques
"A proposal of metrics for botnet detection based on its cooperative behavior", IEEE/IPSJ SAINT 2007 Measurement Workshop, to appear.
34
Malicious activities with pseudonyms: programs do not think
"A proposal of metrics for botnet detection based on its cooperative behavior", IEEE/IPSJ SAINT 2007 Measurement Workshop, to appear.
35
Malicious activities with pseudonyms: cooperative behavior
Figure: Synchronization. (a) Bots: a bot-master drives the bots through Command & Control (C&C), producing synchronized activities. (b) Legitimate hosts, for contrast.
"A proposal of metrics for botnet detection based on its cooperative behavior", IEEE/IPSJ SAINT 2007 Measurement Workshop, to appear.
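The synchronization idea on this slide and the timing-based IRC bot analysis mentioned under Macro Analysis can be checked with a simple window-sharing score; the block below is an added illustration of mine, not the metric from the cited SAINT 2007 paper, and its channel log, window size and thresholds are constructed assumptions.

```python
"""Cooperative-behaviour check for IRC channel activity: nicks whose
messages keep landing in the same short time windows as several other
nicks behave like C&C-driven bots; humans do not synchronise. Added
illustration, not the metric from the cited SAINT 2007 paper; window
and thresholds are my assumptions and the log is constructed."""
from collections import defaultdict

def synth_channel_log():
    """Constructed (timestamp_s, nick) events: four bots answer each
    'command' at t = 100, 400, 700 within a second; two humans chat
    at unrelated times."""
    events = [(cmd + 0.3 * j, nick)
              for cmd in (100, 400, 700)
              for j, nick in enumerate(("b1", "b2", "b3", "b4"))]
    events += [(37.0, "alice"), (212.0, "alice"), (533.0, "bob"),
               (618.0, "bob"), (890.0, "alice")]
    return sorted(events)

def sync_scores(events, window=5.0, min_peers=2):
    """For each nick, the share of its messages that fall in a window
    where at least min_peers *other* nicks were also active."""
    nicks_in_window = defaultdict(set)   # window index -> active nicks
    windows_of = defaultdict(list)       # nick -> its window indices
    for t, nick in events:
        w = int(t // window)
        nicks_in_window[w].add(nick)
        windows_of[nick].append(w)
    return {nick: sum(len(nicks_in_window[w]) - 1 >= min_peers
                      for w in ws) / len(ws)
            for nick, ws in windows_of.items()}

def cooperative_nicks(events, min_share=0.6, **kwargs):
    """Nicks whose sync score reaches min_share: bot candidates."""
    scores = sync_scores(events, **kwargs)
    return {n for n, s in scores.items() if s >= min_share}

if __name__ == "__main__":
    print(sorted(cooperative_nicks(synth_channel_log())))  # ['b1', 'b2', 'b3', 'b4']
```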
36
VMM-based IPS for nullification of buffer overflow exploitation
Following slides are provided by Dr. Ruo Ando (Traceable Security Network Group)
37
Observation and analysis of development process: tailored Xen Virtual Machine Monitor
• Xen with improved exception handler
• Detects and prevents buffer overruns without recompiling software
"Improving VMM based IPS for real-time snapshot and nullification of buffer overflow exploitation", The 1st Joint Workshop on Information Security, 2006.
38
Observation and analysis of development process: buffer-overrun detection at Xen VMM
"Improving VMM based IPS for real-time snapshot and nullification of buffer overflow exploitation", The 1st Joint Workshop on Information Security, 2006.
39
40
Investigation of security issues on electromagnetic radiation
The following slides are provided by Dr. Akihiko Yamamura (Security Fundamentals Group)
41
Information leakage by electromagnetic emanation
Electromagnetic waves emanated unintentionally from running IT devices contain information about the signals the devices are processing. The signals inside the equipment can therefore be reconstituted by monitoring and analyzing the electromagnetic emanation, so there is a possibility of information leakage. Because the information acquisition leaves no evidence, information leakage caused by electromagnetic emanation is a serious threat to information security.
Devices shown: scanner, color printer, printer, PC, FAX, multifunction machine.
42
Reconstitution of monitor display image
Figure: monitor display image and reconstituted image.
It has been confirmed that the monitor display image can be reconstituted from electromagnetic waves emanated unintentionally from a running personal computer (PC).
43
Experiment of Security Fundamentals Group: reconstitution of monitor display image
The Security Fundamentals Group monitored the electromagnetic emanation of a desktop PC from a distance of 4 meters; the figure shows the resulting reconstituted monitor display image.
Setup shown: monitored desktop PC; antenna; electromagnetic wave monitoring and image reconstitution device.
44
Possibility of information leakage from monitor display image
The fact that the PC monitor display image can be reconstituted means that information displayed on the monitors of other equipment may also be reconstituted. This is a serious threat to information security!!
Figure: targets of TEMPEST: e-voting system, ATM system (displayed information).
45
Effectivity of TEMPEST font
Figure: monitor display image and enlarged view of the reconstituted image.
If a common font is used, the characters can still be read in the reconstituted image.
46
Effectivity of TEMPEST font
Figure: monitor display image and enlarged view of the reconstituted image.
But when the proposed TEMPEST font is used, the characters are hard to read in the reconstituted image.
47
48
Information Acquisition on Disasters
The following slides are provided by Dr. Osamu Takizawa (Disaster Management and Mitigation Group)
49
Information Sharing by Distributed RFID Tags for Disaster Area
• Use of RFID tags for information exchange at disaster sites
• Hybrid use of both active and passive tags
• Active tags for beacons
• Passive tags for reading and writing the shared information
50
Hybrid RFID Tag
Figure labels: 12.5cm, 50cm, 10m.
• Passive tag: no battery, rewritable (110 bytes)
• Active tag: battery embedded, intermittent beacon
51
Reader-Writer for Passive Tags
Figure: information acquisition from a passive tag with the reader-writer.
52
Reader-Writer for Active Tags
Figure: reception of the beacon from an active tag with the active tag receiver.
53
Experiments and Drills (Sep. 3, 2006)
• Evaluation of the effectiveness (distance, etc.) of tags
• Targets: Humans (4), Sign boards (2), Container boxes (2)
• Two seekers with reader-writers
• Showed significant improvement in finding the hybrid tags
54
Drills
Photos: finding a victim by robot; transit of a survivor; attaching tags to the survivor; attaching tags on the site; information acquisition by another member.
55
Conclusions
• NICT Information Security Research Center
– Incident Analysis and Response
– Malware Analysis, Bot Analysis
– VMM-based IPS
– Security Issues of Electromagnetic Radiation
– Information Sharing by Distributed RFID Tags for Disaster Area
– A LOT MORE!
http://www2.nict.go.jp/y/y201/src-web/index-e.html
56
Thank you for listening!!
Q & A