1 Activities of NICT Information Security Research in Japan Katsunari Yoshioka, Ph.D National Institute of Information and Communications Technology (NICT), Japan Feb 8, 2007@HSN07


Page 1: Activities of NICT Information Security Research in Japan · old.hsn.or.kr/hsn2007/document/8_SS/S-2.pdf

Activities of NICT Information Security Research in Japan

Katsunari Yoshioka, Ph.D

National Institute of Information and Communications Technology (NICT), Japan

Feb 8, 2007@HSN07

Page 2

History and roles of NICT

• GOJ institute of ICT under MIC
– First established as MIC wireless communication lab
• Named as Radio Research Laboratory in 1952
– Started to handle network-related technologies
• Renamed as Communication Research Laboratory (CRL) in 1988
– Independently funded since 2001
• Renamed as NICT in April 2004
• National research support and standardization
– Distribution of Japan Standard Time clock information over LF radio and Internet NTP
– Operating ionospheric radio observatories
– Operating JGN2 gigabit research networks

NICT = National Institute of Information and Communications Technology

Page 3

NICT – the Organization

General Affairs Dept.

Financial Affairs Dept.

Strategic Planning Dept.

Research Dept. 1

Research Dept. 2

Research Dept. 3

Collaborative Research Dept.

Research Promotion Dept.

Key Technology Research Promotion Dept.

New Generation Network Research Center

New Generation Wireless Communication Research Center

Kobe Advanced ICT Research Center

Knowledge Creating Communication Research Center

Universal Media Research Center

Information Security Research Center

Applied Electromagnetic Research Center

Page 4

Information Security Research Center

• Project Promotion Office
– Management and Promotion
• Network Security Incident Response Group (4, 5)
– nicter: Network Incident Analysis and Response
• Traceable Secure Network Group (3, 1)
– Traceable Networking and its Testbed, Secure Overlay Network
• Security Fundamentals Group (2, 6)
– Cryptography, Security Issues of Electromagnetic Radiation
• Disaster Management and Mitigation Group (3, 4)
– Emergency Communication, Disaster Management by Ubiquitous Computing

(Permanent, Short-term)

Page 5

nicter: Network Incident analysis Center for Tactical Emergency Response

Page 6

A short history of computing & insecurity

[Timeline figure; time axis 1977 to 2005. Labels in extraction order:]

• Apple II Computer
• Commodore
• Atari
• TI-99
• TRS-80
• First Worm developed in Xerox Palo Alto
• First Self-destruct program (Richard Skrenta)
• First Self-replicate program (Skrenta’s Elk Cloner)
• FBI arrest “414s” Hacker Group
• ©Brain Virus developed by two Pakistanis
• Yale, Cascade, Jerusalem, Lehigh, etc.
• Ken Thompson demo first Trojan Horse
• Fred Cohen’s VAX Viruses
• First “Concept” Macro Virus
• Stealth virus (Whale)
• Variable Encryption (1260)
• Morris’ Worm
• Robert T Morris fined $10K, 3 years probation
• Melissa virus ($80m)
• Excel Macro Virus (cross platform)
• Philippines’ “I LOVE YOU” virus
• “Solar Sunrise” - Two California Teens attack on 500 Military, Govt, & Private Computer Systems
• Code Red
• Nimda
• Melissa’s author sentenced to 20 months in jail
• DDoS on 13 “root” servers
• Slammer
• Blaster
• Welchia
• MyDoom
• Sasser

Standalone Systems – Disk/Diskette Sharing
Client-server/PC-LAN Networks
Internet Collaboration (Email, Web, IRC, IM, P2P, File Sharing)

Information Warfare
Computer Crimes

Trusted Operating Systems (Orange Book)
Trusted Network (Red Book) – ITSEC
UK Green Book to BS 7799 to ISO 17799
Common Criteria (ISO 15408)

Insecure Default/Weak Security Techniques/Feature Misuse/Social Engineering
Protocol Weaknesses/Buffer overflow

• Spyware
• Bots
• Phishing attacks proliferated
• Phishing begins in AOL
• “Cuckoo’s Egg” in LBL

Cyber Crimes

• SPAM Mails

Discovery
Experimentation
Criminal Exploitation

• Pharming attacks (DNS poisoning)
• Kevin Mitnick arrested, five years imprisonment

Produced by Meng Chow Kan

Page 7

Threats: Internet Attacks

Diagram labels:
Botnet
Online Business
Botnet Controller (IRC Servers)
DNS Servers (Pharming Attacks)
Virus/Worms Authors
Internet Hackers
Social Engineering
IM/Emails/P2P/In-person
Web Defacements
Denial of Services
Spammers
Open Proxies
Open Mail Relays
Phishers
Phishing Web Sites
Phishers’ “Safe Houses”
Bot Herders
Spyware/Trojans/Rootkits
Organized Crimes Syndicates

Produced by Meng Chow Kan

Page 8

Overview of the project

Macro Analysis:
• Monitors Darknet of over 0.1 million
  (Darknet = Globally Announced Unused IP Addresses)
• Real-time Detection of Incident Candidates such as:
– New Attack Patterns of Malwares
– Rapid Increase of Attacks

Micro Analysis:
• Automated Capture and Analysis of Malwares
• Code Analysis and Behavior Analysis

Macro-Micro Correlation Analysis:
• Automated Correlation of Darknet Traffic and Malwares

Target: Integrated Analysis of Threats in Large Networks

Page 9

Operation Room (Beta Version, NICT HQ)

Page 10

Overview

Diagram labels:
Visualization
Macro-Micro Correlation Analysis
Darknet Monitor
Malware Samples
Government
End users
Code Analysis
Behavior Analysis
Macro analysis System (MacS)
Micro analysis System (MicS)
Virus
Bot
Worm
Honeypot
ISPs
Analysis Engine
3D display
Worldmap
Incident Handling by Human Operator
Correlation Engine
Correlation Engine
Incident Reports

Page 11

Macro Analysis (Darknet Monitoring)

Page 12

3-D display of real-time incoming packet flow

Showing arrivals of scanning packets

Axes: Source IP Address, Destination IP Address, Source Port Number, Destination Port Number
Packet types: TCP SYN; TCP SYN/ACK; TCP of non-SYN or non-SYN/ACK; UDP; ICMP
Annotations: address scanning; port scanning; UDP network scan; SYN scan on 8080; Bot-like scan; SYN scan by dasher.worm

Page 13

Automated Analysis Engines

• Host Behavior Analyzer
– Behavioral analysis of individual hosts
– Automated categorization of attacking hosts by
  • Src/Dst Port Numbers
  • Dst IP Scan Sequences
– Detect new attack patterns
• CPD (Change Point Detector)
– Detection of rapid changes of time series data (e.g. scan freq.)
• SOM (Self Organizing Map) Analyzer
– Drawing of Overview of Monitored (Darknet) Traffics

Page 14

Host Behavior Analysis

Long-term host behavior analysis helps categorize the attackers, emphasizing new attacks.

Long-term analysis emphasizes the host characteristics

Showing long-term change of per-host trends

Page 15

Automated Change Point Detection

Change point of scan frequency on tcp/1025 detected at 09:05 JST Dec. 9, 2005 (later found to be an activity of the Dasher.A worm)

[Plot: dates 20051201 to 20051219 on the x-axis, values 0 to 16 on the y-axis; series: access frequency (monitored traffic) and change point score (score)]

Page 16

Collaboration of Analyzers

Host Behavior Analyzer + Change Point Detection can Detect Rapid Increase of New Attacks

Over 20,000 parallel CPD processes

Diagram labels:
Monitored Traffic
TAP
Dispatches process to monitor new attack pattern
Change point!!
Alert
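The dispatch-and-detect idea above, as an added example that is not NICT's code: one detector per destination port, created when the port is first seen, each watching its own scan-count series. The slides do not name the CPD algorithm, so a one-sided CUSUM over a rolling baseline is substituted here; the class and function names, the parameters and the hourly counts are all constructed assumptions.

```python
from collections import deque
from statistics import mean, pstdev


class PortCusum:
    """One-sided CUSUM over standardized scan counts for a single port (assumed method)."""

    def __init__(self, window=12, slack=0.5, threshold=5.0):
        self.history = deque(maxlen=window)  # rolling baseline of recent counts
        self.slack = slack                   # drift tolerated per interval
        self.threshold = threshold           # alarm level for the cumulative score
        self.score = 0.0

    def update(self, count):
        """Feed one interval's count; return True when a change point fires."""
        if len(self.history) < self.history.maxlen:
            self.history.append(count)       # still learning the baseline
            return False
        mu = mean(self.history)
        sigma = max(pstdev(self.history), 1.0)  # floor keeps quiet ports from over-alerting
        self.score = max(0.0, self.score + (count - mu) / sigma - self.slack)
        if self.score >= self.threshold:
            self.score = 0.0
            self.history.clear()             # re-learn the baseline at the new level
            return True
        self.history.append(count)
        return False


def detect_change_points(intervals, window=12, slack=0.5, threshold=5.0):
    """intervals: time-ordered list of (label, {(proto, port): packet_count}).

    Returns a list of (label, (proto, port), count), one entry per alert.
    """
    detectors = {}
    alerts = []
    for index, (label, counts) in enumerate(intervals):
        # Dispatch a detector for every port not seen before. Its baseline is
        # back-filled with zeros, since the port was silent until now.
        for key in counts:
            if key not in detectors:
                detector = PortCusum(window, slack, threshold)
                detector.history.extend([0] * min(index, window))
                detectors[key] = detector
        # Every known detector gets a value each interval, zero if the port was quiet.
        for key, detector in detectors.items():
            observed = counts.get(key, 0)
            if detector.update(observed):
                alerts.append((label, key, observed))
    return alerts


def sample_intervals():
    """Constructed hourly darknet counts (not NICT data)."""
    tcp_1025 = [3, 2, 4, 3, 5, 2, 3, 4, 3, 2, 4, 3, 3, 4, 31, 46]
    tcp_445 = [100, 104, 97, 101, 99, 103, 98, 102, 100, 96, 105, 99, 101, 98, 103, 100]
    intervals = []
    for i, (low_port, busy_port) in enumerate(zip(tcp_1025, tcp_445)):
        counts = {("tcp", 1025): low_port, ("tcp", 445): busy_port}
        if i == 13:
            counts[("tcp", 8080)] = 1        # a port seen for the first time, one packet
        intervals.append((f"t{i:02d}", counts))
    return intervals


if __name__ == "__main__":
    for label, (proto, port), count in detect_change_points(sample_intervals()):
        print(f"{label}: change point on {proto}/{port} (count={count})")
```

The busy but steady tcp/445 series and the single packet to a new port stay silent; only the jump on tcp/1025 alerts.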

Page 17

Self-Organizing Map (SOM) Analyzer

• Take brief look at the monitored darknet traffic
• Cluster hosts with similar behaviors
– Circle: cluster of hosts
– Radius: number of hosts
– Color: intensity of attacks on the specified parameter

Figure labels:
Specified parameter
Cluster of hosts intensively accessing tcp/1025

Page 18

Example: Finding worm variants by SOMs

[Figure: SOM panels for Dec 15th, Dec 16th and Dec 17th, with clusters labelled Type I, Type II and Type III]

Type I (Dasher.A-C): tcp/1025
Type II (a Dasher variant): tcp/1025, 1433, 42
Type III (Dasher.D): tcp 1025, 1433, 42, 445

Page 19

More in Macro Analysis..

• Shellcode Detection
– Very fast detection of buffer-overflow shellcodes by focusing on program structures
– Applicable for darknet/live traffic with payloads
• IRC Bot Analysis (experimental phase)
– Distinguish bots from human users by their communication timing to IRC servers
– Applicable for live traffic without payloads

Page 20

Micro Analysis (Malware Analysis)

Page 21

Overview

Diagram labels:
Visualization
Macro-Micro Correlation Analysis
Darknet Monitor
Malware Samples
Government
End users
Code Analysis
Behavior Analysis
Macro analysis System (MacS)
Micro analysis System (MicS)
Virus
Bot
Worm
Honeypot
ISPs
Analysis Engine
3D display
Worldmap
Incident Handling by Human Operator
Correlation Engine
Correlation Engine
Incident Reports

Page 22

Page 23

Malware Code Analysis

Diagram labels:
Virus executable
victim (virtual) machine
Virus report
XML
HTML
Human readable virus report
memory dump & disassemble
closed experimental environment
asm
API
unique strings
detailed analysis
Analyzer
Result Sample

Page 24

Malware Behavior Analysis

Diagram labels:
Virus executable
dummy servers (DNS, FTP, HTTP, IRC, SMTP, TFTP)
victim machine
registry & file access log
packet capture
server log
behavior definitions
pattern match
Virus report
XML
HTML
Human readable virus report
closed experimental environment
Analyzer
Extract behaviors and summarize them with description
Result Sample

Page 25

Macro-Micro Correlation

Binding Darknet Traffic and Sample Malwares

Page 26

Macro-Micro Correlation Analysis: Flow

Diagram labels:
Correlation Manager
Correlator
Profiler
MicS DB
MacS DB
Host Behavior Analyzer
Macro Analysis System
Micro Analysis System
Macro-Micro Correlation Analysis System
NemeSys DB
Malware Behavior Analyzer
Trigger
Analysis Results
Darknet Traffic
Malware Samples
Packet Logs

Flow steps:
(1) New Attack Detected
(2) Packet Logs
(3) Packet Logs
(4) Send Profiles
(5) Correlation Results

Page 27

Macro-Micro Correlation Analysis

Diagram labels:
NemeSys DB
Correlation Manager
Profiler
Correlator
Profile: parameter 1, parameter 2, parameter 3, parameter 4, …
PF of MW1: parameter 1, parameter 2, parameter 3, parameter 4, … (five such profile boxes appear in the figure)
…
Single Attacking Hosts detected

Page 28

Parameters in Profiles

Table 1. Parameters in Network Behavior Profile

Characteristic | Name of Parameter | Description
Destination port | DstPort_Count | List of all destination ports used in attack packets and their counts
Destination port | DstPort_Trans | List of all transition probabilities of every pair of destination ports over time
Source port | SrcPort_Unique | Number of unique source ports used in attack packets per unit time
Source port | SrcPortDif_Stats | Basic statistics (e.g. mean, variance) of difference of source ports between consecutive attack packets
Destination IP address | DstIPDif_Stats | Basic statistics of difference of destination IP addresses between consecutive attack packets
Destination IP address | DstIP_Unique | Number of unique destination IP addresses of attack packets per unit time
Protocol | Protocol_Count | List of all protocols used in attack packets and their counts
Flag | Flag_Count | List of all TCP flags used in attack packets and their counts
Time | NumPacketRate | Number of attack packets per unit time
Payload | PayloadSig_Count | List of all payload signatures (hash) and their counts
Payload | Payload_Stats | Basic statistics of size of attack packet payloads
TTL | TTL_Stats | Basic statistics of TTL of attack packets
Identification | Id_Stats | Basic statistics of id of attack packets
Sequence number | SeqNum_Stats | Basic statistics of sequence number
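A sketch of the Profiler and Correlator steps over a subset of the Table 1 parameters, added here as an example and not taken from nicter. The cosine-similarity scoring, the `scan` helper, the sample names and every packet record are constructed assumptions; the two port sets are those of Type I and Type III on the SOM slide.

```python
import ipaddress
from collections import Counter
from math import sqrt
from statistics import mean, pvariance


def build_profile(packets):
    """Profile a time-ordered packet list (dicts with ts, sport, dst, dport, flags)."""
    if len(packets) < 2:
        raise ValueError("need at least two packets to profile a host")
    dports = [p["dport"] for p in packets]
    dst = [int(ipaddress.ip_address(p["dst"])) for p in packets]
    ip_dif = [b - a for a, b in zip(dst, dst[1:])]
    pairs = Counter(zip(dports, dports[1:]))      # consecutive destination-port pairs
    leaving = Counter(dports[:-1])                # how often each port has a successor
    duration = max(packets[-1]["ts"] - packets[0]["ts"], 1)
    return {
        "DstPort_Count": Counter(dports),
        "DstPort_Trans": {k: n / leaving[k[0]] for k, n in pairs.items()},
        "SrcPort_Unique": len({p["sport"] for p in packets}) / duration,
        "DstIPDif_Stats": {"mean": mean(ip_dif), "var": pvariance(ip_dif)},
        "DstIP_Unique": len(set(dst)) / duration,
        "Flag_Count": Counter(p["flags"] for p in packets),
        "NumPacketRate": len(packets) / duration,
    }


def cosine(a, b):
    """Cosine similarity of two sparse count/probability vectors held as dicts."""
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


# Assumption: only the list-valued parameters are compared, with equal weight.
COMPARED = ("DstPort_Count", "DstPort_Trans", "Flag_Count")


def similarity(host_profile, malware_profile):
    return mean(cosine(host_profile[k], malware_profile[k]) for k in COMPARED)


def correlate(host_profile, malware_profiles):
    """Rank sandbox profiles (name -> profile) against one darknet host profile."""
    ranked = sorted(
        ((similarity(host_profile, pf), name) for name, pf in malware_profiles.items()),
        reverse=True,
    )
    return [(name, round(score, 3)) for score, name in ranked]


def scan(ports, first_dst, count):
    """Constructed SYN scan: tries every port on one address, then moves to the next."""
    base = int(ipaddress.ip_address(first_dst))
    return [
        {
            "ts": i,
            "sport": 1024 + i,
            "dst": str(ipaddress.ip_address(base + i // len(ports))),
            "dport": ports[i % len(ports)],
            "flags": "S",
        }
        for i in range(count)
    ]


def demo():
    """Profiles from two constructed sandbox runs and one constructed darknet host."""
    sandbox = {
        "sample-type-I": build_profile(scan([1025], "198.51.100.1", 40)),
        "sample-type-III": build_profile(scan([1025, 1433, 42, 445], "198.51.100.1", 40)),
    }
    host = build_profile(scan([1025, 1433, 42, 445], "192.0.2.1", 60))
    return host, correlate(host, sandbox)


if __name__ == "__main__":
    host, ranking = demo()
    print("DstPort_Count:", dict(host["DstPort_Count"]))
    for name, score in ranking:
        print(f"{name}: {score}")
```

The ranked list plays the role of the candidate list on the next slide: the highest-scoring sandbox profile is the first candidate for the malware behind the darknet host.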

Page 29

A Host that attacked our Darknet on 2005/12/18

Candidate #1

Candidate #2

Page 30

In Progress @ Network Security Incident Response Group

• Correlation using Traffic from High-Interactive Sensors
– exploit code
– bot C&C messages
• Automated generation of malware removal tools
• Automated attack signature generation for IDS
– signature based on exploit code detection
• Incident (severity) prediction
– based on machine learning
– focus on vulnerability information release

Page 31

Information Security Research Center

• Project Promotion Office
– Management and Promotion
• Network Security Incident Response Group (4, 5)
– nicter: Network Incident Analysis and Response
• Traceable Secure Network Group (3, 1)
– Traceable Networking and its Testbed, Secure Overlay Network
• Security Fundamentals Group (2, 6)
– Cryptography, Security Issues of Electromagnetic Radiation
• Disaster Management and Mitigation Group (3, 4)
– Emergency Communication, Disaster Management by Ubiquitous Computing

(Permanent, Short-term)

Page 32

Botnet Analysis

Following Slides are provided by Dr. Yuki Kadobayashi (Traceable Security Network Group & NAIST)

Page 33

Malicious activities with pseudonyms: the case of IRC bot analysis

• IRC (Internet Relay Chat)
• User joins channels
• Suspicious: channels with unusual number of users
– Bots pretending to be users
• Discussion: famous channels may have large number of participants too
– Two more techniques

“A proposal of metrics for botnet detection based on its cooperative behavior”, IEEE/IPSJ SAINT 2007 Measurement workshop, to appear.

Page 34

Malicious activities with pseudonyms: programs do not think

“A proposal of metrics for botnet detection based on its cooperative behavior”, IEEE/IPSJ SAINT 2007 Measurement workshop, to appear.

Page 35

Malicious activities with pseudonyms: cooperative behavior

Diagram labels:
Synchronization
(a) Bots
(b) Legitimate hosts
Bot-master
Bots
Command & Control (C&C)
synchronized activities

“A proposal of metrics for botnet detection based on its cooperative behavior”, IEEE/IPSJ SAINT 2007 Measurement workshop, to appear.

Page 36

VMM-based IPS for nullification of buffer overflow exploitation

Following Slides are provided by Dr. Ruo Ando (Traceable Security Network Group)

Page 37

Observation and analysis of development process: tailored Xen Virtual Machine Monitor

• Xen with improved exception handler
• detect and prevent buffer overruns without recompiling software

"Improving VMM based IPS for real-time snapshot and nullification of buffer overflow exploitation", The 1st Joint Workshop on Information Security, 2006.

Page 38

Observation and analysis of development process: buffer-overrun detection at Xen VMM

"Improving VMM based IPS for real-time snapshot and nullification of buffer overflow exploitation", The 1st Joint Workshop on Information Security, 2006.

Page 39

Information Security Research Center

• Project Promotion Office
– Management and Promotion
• Network Security Incident Response Group (4, 5)
– nicter: Network Incident Analysis and Response
• Traceable Secure Network Group (3, 1)
– Traceable Networking and its Testbed, Secure Overlay Network
• Security Fundamentals Group (2, 6)
– Cryptography, Security Issues of Electromagnetic Radiation
• Disaster Management and Mitigation Group (3, 4)
– Emergency Communication, Disaster Management by Ubiquitous Computing

(Permanent, Short-term)

Page 40

Investigation of security issues on electromagnetic radiation

The following slides are provided by Dr. Akihiko Yamamura (Security Fundamentals Group)

Page 41

Information leakage by electromagnetic emanation

Electromagnetic waves emanated unintentionally from running IT devices contain information about the signals being processed in those devices.

Therefore, the signals in the equipment can be reconstituted by monitoring and analyzing the electromagnetic emanation, and as a result there is a possibility of information leakage. Because no evidence of the information acquisition remains, information leakage caused by electromagnetic emanation is a serious threat to information security.

Figure labels: scanner; color printer; printer; PC; FAX; multifunction machine

Page 42

Reconstitution of monitor display image

Figure labels: monitor display image; reconstituted image

It has been confirmed that the monitor display image can be reconstituted from the electromagnetic waves emanated unintentionally from a running personal computer (PC).

Page 43

Experiment of Security Fundamentals Group: reconstitution of monitor display image

The Security Fundamentals Group monitored the electromagnetic emanation of a desktop PC from a distance of 4 meters. This is the resulting reconstituted monitor display image.

Figure labels:
Reconstitution image by emanated electromagnetic wave
monitored desktop PC
Electromagnetic wave monitoring & Image reconstitution device
antenna

Page 44

Possibility of information leakage from monitor display image

The fact that the PC monitor display image can be reconstituted means there is a possibility that information displayed on the monitors of other equipment can also be reconstituted.

A serious threat to information security!!

Figure labels: e-voting system; ATM system; Target of TEMPEST; information

Page 45

Effectivity of TEMPEST font

Monitor display image

Enlarged view of reconstitution image

If a common font is used, characters can still be read in the reconstitution image.

Page 46

Effectivity of TEMPEST font

Monitor display image

Enlarged view of reconstitution image

But when the proposed TEMPEST font is used, characters in the reconstitution image are hard to read.

Page 47

Information Security Research Center

• Project Promotion Office
– Management and Promotion
• Network Security Incident Response Group (4, 5)
– nicter: Network Incident Analysis and Response
• Traceable Secure Network Group (3, 1)
– Traceable Networking and its Testbed, Secure Overlay Network
• Security Fundamentals Group (2, 6)
– Cryptography, Security Issues of Electromagnetic Radiation
• Disaster Management and Mitigation Group (3, 4)
– Emergency Communication, Disaster Management by Ubiquitous Computing

(Permanent, Short-term)

Page 48

Information Acquisition on Disasters

The following slides are provided by Dr. Osamu Takizawa (Disaster Management and Mitigation Group)

Page 49

Information Sharing by Distributed RFID Tags for Disaster Area

• Use of RFID tags for information exchanges at disaster sites.
• Hybrid use of both active and passive tags.
• Active tags for beacon
• Passive tags for reading and writing the shared information.

Page 50

Hybrid RFID Tag

Figure labels: 12.5cm; 50cm; 10m

Passive Tag
• No battery
• Rewritable (110 Byte)

Active Tag
• Battery embedded
• Intermittent Beacon

Page 51

Reader-Writer for Passive Tags

Information Acquisition

Passive Tag

Reader-Writer

Page 52

Reader-Writer for Active Tags

Reception of beacon

Active Tag

Active Tag Receiver

Page 53

Experiments and Drills (Sep. 3, 2006)

• Evaluation of the effectiveness (distance, etc) of tags
• Targets: Human (4), Sign Board (2), Container box (2)
• Two Seekers with Reader-writer
• Showed Significant Improvement in Finding the hybrid tags

Page 54

Drills

Photo captions:
Finding Victim by Robot
Transit of survivor
Attaching Tags to the survivor
Attaching Tags on the site
Information Acquisition by other member

Page 55

Conclusions

• NICT Information Security Research Center
– Incident Analysis and Response
– Malware Analysis, Bot Analysis,
– VMM-based IPS
– Security Issues of Electromagnetic Radiation
– Information Sharing by Distributed RFID Tags for Disaster Area
– A LOT MORE!

http://www2.nict.go.jp/y/y201/src-web/index-e.html

Page 56

Thank you for listening!!

Q & A