Transcript of: Distilling & Investigating Network Activity at Scale - Seclab
Distilling & Investigating Network Activity at Scale
University of California, Santa Barbara
University of California, Berkeley
Georgia Institute of Technology
ARO/MURI Annual Review November 19, 2014
Vern Paxson
Project architecture diagram (labels recovered from the slide): Real World Enterprise Network; Data; Observations: Netflow, Probing, Time analysis; Sensor Alerts; Correlation Engine; Mission Model; Cyber-Assets Model; Analysis to get up-to-date view of cyber-assets; Analysis to determine dependencies between assets and missions; Impact Analysis; Create semantically-rich view of cyber-mission status; Simulation/Live Security Exercises; Predict Future Actions; Analyze and Characterize Attackers.
Slide 4: the same architecture diagram, with the Sensor Alerts and Data components highlighted.
Slide 5: the same architecture diagram, with the project's four thrusts mapped onto it:
● Enterprise Visibility / Inferring Asset Aliasing
● Browser Subversion Threats
● VAST: Visibility Across Space & Time, an Enterprise-Scale Investigatory Platform
● Augmenting the Local Perspective With Global Information
Overview
● Distilling network activity at scale
  – Browser subversion threats (UCB, UCSB, ICSI)
  – Enterprise visibility
    • Protocol analysis (ICSI, UCB)
    • Inferring asset aliasing (UCB, ICSI)
  – Integrating global vantage points to local perspectives
    • SSL Notary (ICSI, UCB)
    • SumStats (ICSI)
● Investigating network activity at scale
  – VAST: Visibility Across Space and Time (UCB, ICSI)
Slide 8: the same architecture diagram, with Predict Future Actions, Analyze and Characterize Attackers, and Data highlighted.

Browser Subversion Threats
Compromising the browser
● Extensions
● Malware
What can a malicious extension do?
● Modify requests (e.g., affiliate fraud)
● Inject page modifications (e.g., ads)
● Keylogging (for visited pages)
● Steal credentials (authenticators)
Anything malicious that you can do with JavaScript having access to the visited page, the web requests, and the browser's cookies.
Approach (Hulk)
● Install extension in Chrome inside a VM
● Visit select & specially crafted pages
● Monitor extension’s activity
● Classify behavior
HoneyPage
The extension queries for an element it expects on the real site:
    document.getElementById("fb_newsfeed")
and the HoneyPage materializes that element on demand, so the extension's behavior proceeds as it would on the real page:
    <html>
      <div id="fb_newsfeed"></div>
    </html>
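The on-demand DOM behavior sketched above, as an added example (not code from the Hulk project): a hook that satisfies any element lookup an extension makes and logs the query, so the analyst sees which page features the extension is after. `installHoneyPage` works on a browser `document`; `makeFakeDocument` is a constructed stand-in so the block runs outside a browser.

```javascript
// Added example, not code from the Hulk project: a HoneyPage-style hook that
// satisfies any DOM lookup an extension makes and records the query, so the
// analyst sees which page features (e.g. a Facebook news feed) it targets.
// Works on a browser document; makeFakeDocument is a constructed stand-in.
function installHoneyPage(doc) {
  const queries = [];                        // what the extension asked for
  const byId = doc.getElementById.bind(doc);
  const bySel = doc.querySelector.bind(doc);
  // Create the requested element, attach it to the page, and hand it back.
  function conjure(tag, attrs) {
    const el = doc.createElement(tag);
    for (const [k, v] of Object.entries(attrs)) el.setAttribute(k, v);
    doc.body.appendChild(el);
    return el;
  }
  doc.getElementById = (id) => {
    queries.push({ kind: "id", value: id });
    return byId(id) || conjure("div", { id });
  };
  doc.querySelector = (sel) => {
    queries.push({ kind: "selector", value: sel });
    const found = bySel(sel);
    if (found) return found;
    // Only "#id" and ".class" are synthesized; compound selectors stay unmet,
    // which is the multistep/conditional DOM-query limitation on the slides.
    if (sel.startsWith("#")) return conjure("div", { id: sel.slice(1) });
    if (sel.startsWith(".")) return conjure("div", { class: sel.slice(1) });
    return null;
  };
  return queries;
}
// Constructed minimal document: just enough DOM surface for the hooks above.
function makeFakeDocument() {
  const nodes = [];
  const createElement = (tag) => {
    const attrs = {};
    return { tag, setAttribute: (k, v) => { attrs[k] = v; }, getAttribute: (k) => attrs[k] };
  };
  const findId = (id) => nodes.find((n) => n.getAttribute("id") === id) || null;
  return {
    createElement,
    body: { appendChild: (el) => { nodes.push(el); } },
    getElementById: findId,
    querySelector: (sel) => (sel.startsWith("#") ? findId(sel.slice(1)) : null),
  };
}
```

The query log is the analyst's output: an extension that asks for `fb_newsfeed` on a page that never mentioned Facebook has revealed which site it is built to manipulate.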
Event handler fuzzing
● Extensions register to intercept network events … we oblige them!
● Pretend to visit Alexa top 1 million domains
● Point to a HoneyPage
● Takes <10 sec on average
Malicious behavior indicators
● Prevents extension uninstall
● Steals email/password from form
● Contains keylogging functionality
● Manipulates security-related HTTP headers
● Uninstalls extensions
Suspicious behavior heuristics
● Injects dynamic JavaScript
● Evals with input >128 chars long
● Produces HTTP 4xx errors
● Performs requests to non-existent domains
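The two lists above (malicious behavior indicators and suspicious behavior heuristics) turned into a verdict over an extension's recorded activity, as an added example that is not Hulk's own code. The event record shapes (`type`, `field`, `status`, and so on) are assumed stand-ins for whatever an instrumented browser logs.

```javascript
// Added example (not Hulk's code): classify an extension from its activity log
// using the slides' indicator lists. Event shapes below are assumed.
const SECURITY_HEADERS = new Set([
  "content-security-policy", "x-frame-options", "x-content-type-options",
  "strict-transport-security", "x-xss-protection",
]);
// Each rule returns a reason string when its event matches, otherwise null.
const MALICIOUS_RULES = {
  nav_block: (e) => (e.url.startsWith("chrome://extensions") ? "prevents extension uninstall" : null),
  form_read: (e) => (["email", "password"].includes(e.field) ? "steals " + e.field + " from form" : null),
  keydown_hook: () => "contains keylogging functionality",
  header_modified: (e) => (SECURITY_HEADERS.has(e.name.toLowerCase())
    ? "manipulates security-related header " + e.name : null),
  extension_uninstall: () => "uninstalls extensions",
};
const SUSPICIOUS_RULES = {
  script_inject: (e) => (e.remote ? "injects dynamic JavaScript from " + e.src : null),
  eval: (e) => (e.length > 128 ? "eval with " + e.length + "-char input" : null),
  http_response: (e) => (e.status >= 400 && e.status < 500 ? "produces HTTP " + e.status : null),
  dns_lookup: (e) => (e.nxdomain ? "requests non-existent domain " + e.host : null),
};
function applyRules(rules, events) {
  const reasons = [];
  for (const e of events) {
    const rule = rules[e.type];
    const r = rule ? rule(e) : null;
    if (r && !reasons.includes(r)) reasons.push(r);   // report each reason once
  }
  return reasons;
}
// Verdict order: any malicious indicator wins; else any suspicious heuristic; else benign.
function classifyExtension(events) {
  const malicious = applyRules(MALICIOUS_RULES, events);
  if (malicious.length) return { verdict: "Malicious", reasons: malicious };
  const suspicious = applyRules(SUSPICIOUS_RULES, events);
  if (suspicious.length) return { verdict: "Suspicious", reasons: suspicious };
  return { verdict: "Benign", reasons: [] };
}
// Constructed sample trace of one HoneyPage run: a remote script plus a CSP
// header change, which the malicious rule set outranks the suspicious one on.
const SAMPLE_EVENTS = [
  { type: "http_response", status: 200 },
  { type: "script_inject", remote: true, src: "https://example.invalid/a.js" },
  { type: "header_modified", name: "Content-Security-Policy" },
];
```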
Results
● 47,940 extensions from Chrome Web Store
● 392 extensions from Anubis

Analysis result   Count
Benign            43,490
Suspicious         4,712
Malicious            130
“SimilarSites Pro”
Enough for “watering hole” attacks …
Defenses
● Prohibit:
  – Manipulating configuration pages, e.g., chrome://extensions
  – Uninstalling extensions
  – Removing security-related HTTP headers
  – Hooking keyboard events
● Require:
  – Local inclusion of static files instead of dynamic JavaScript inclusions
Limitations
● Dynamic analysis incomplete
● Targeted attacks (location, time)
● Multistep/conditional queries of DOM elements in HoneyPages
● Evasions against HoneyPages
Slide 22: the same architecture diagram, with the two analysis boxes (up-to-date view of cyber-assets; dependencies between assets and missions) and the Data / Observations inputs highlighted.

Enterprise Visibility / Inferring Asset Aliasing
Inferring Asset Aliasing
General problem scope: how can remote vantage points (network monitoring; servers) recognize recurring instances of the same client?
● IP addresses do not suffice: mobility, NAT, DHCP
● With control over servers: easy (use cookies or equivalent)
● Absent server-side control: hard
Challenge: can we comprehensively identify latent trackers manifest anywhere in client traffic?
Idea: mine traces for strings unique to known clients
Analysis built on 8-byte strings
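The mining idea from the slides above, carried through as an added example (not the ICSI analysis code): extract every 8-byte substring from ground-truth-labelled client traffic, keep those that recur for exactly one client, then use them to recognize that client where the IP address alone cannot. The record shape `{client, payload}` is assumed, with `client` coming from the DHCP/NAT logs the slides mention; the trace is constructed.

```javascript
// Added example (not the ICSI code): mine fixed-length substrings ("8-byte
// strings") that recur for exactly one known client, then recognize clients
// by them. Record shape {client, payload} is assumed; trace is constructed.
const N = 8;
function grams(payload) {
  const out = new Set();
  for (let i = 0; i + N <= payload.length; i++) out.add(payload.slice(i, i + N));
  return out;
}
// Returns Map(client -> Set of grams seen only from that client, >= minSeen connections).
function mineClientTokens(records, minSeen = 2) {
  const seenBy = new Map();                     // gram -> Map(client -> connections)
  for (const { client, payload } of records) {
    for (const g of grams(payload)) {
      if (!seenBy.has(g)) seenBy.set(g, new Map());
      const m = seenBy.get(g);
      m.set(client, (m.get(client) || 0) + 1);
    }
  }
  const tokens = new Map();
  for (const [g, m] of seenBy) {
    if (m.size !== 1) continue;                 // shared across clients: protocol boilerplate
    const [[client, count]] = [...m];
    if (count < minSeen) continue;              // seen once: could be a nonce, not a tracker
    if (!tokens.has(client)) tokens.set(client, new Set());
    tokens.get(client).add(g);
  }
  return tokens;
}
// Picks the client whose tokens overlap the payload most; null if none match.
function recognizeClient(tokens, payload) {
  const seen = grams(payload);
  let best = null, bestHits = 0;
  for (const [client, set] of tokens) {
    let hits = 0;
    for (const g of seen) if (set.has(g)) hits++;
    if (hits > bestHits) { best = client; bestHits = hits; }
  }
  return best;
}
// Constructed trace: two NAT-hidden clients hitting the same tracking pixel,
// sharing a User-Agent; only the per-client uuid substrings should survive.
const TRACE = [
  { client: "laptop-17", payload: "GET /pixel/2189/?sync=103&uuid=2492377121373197670 HTTP/1.1" },
  { client: "laptop-17", payload: "GET /pixel/2189/?sync=103&uuid=2492377121373197670 HTTP/1.1" },
  { client: "laptop-17", payload: "User-Agent: Mozilla/5.0 (Windows NT 6.1)" },
  { client: "phone-04", payload: "GET /pixel/2189/?sync=103&uuid=8811002233445566778 HTTP/1.1" },
  { client: "phone-04", payload: "GET /pixel/2189/?sync=103&uuid=8811002233445566778 HTTP/1.1" },
  { client: "phone-04", payload: "User-Agent: Mozilla/5.0 (Windows NT 6.1)" },
];
```

Grams that any second client also produced are dropped, which is what separates a tracker value from shared protocol text; raising `minSeen` trades recall for fewer one-off nonces mistaken for identifiers.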
To date: 16 days of ICSI border traffic
● 31M connections; 18M outbound
● Internal DHCP, NAT logs
● 300 clients behind NAT
Interim Results: examples of client-identifying strings found in the traces
    Cookie:_tmpi=MjAxNDAxMjY_MzpDQUVTRUtyY2xuSDd5SDVzRS1LaDB4eng2S3c6MzA;_tmid=-3256379668746322853
    GET /pixel/2189/?sync=103&che=[cachebuster]&uuid=2492377121373197670 HTTP/1.1
    {"id":"356489051444763","type":"IMEI_NUMBER"}
    Skype, Dropbox URLs; Symantec User-Agent
Game plan:
- Complete ICSI analysis
- Scale up to LBNL analysis (ext./int.)