Selected Topics of IT Security ( ) Seminar description

Transcription

1 Selected Topics of IT Security ( ) Seminar description Sebastian Abt, Frank Breitinger April 3, Introduction The lecture and accompanying seminar target at master-level students interested in IT security. As the lecture will specifically deal with aspects of fuzzy hashing, internet security and botnets, topics surrounding these fields of research will be dealt with in the seminar. All topics are related to current research activities of h da s CASED research group. 2 Guideline and Timeline This is a 5 credit points lecture, meaning at least 150 hours of work in total. The seminar aims at complementing specific topics discussed in the lecture. During the seminar each group (consisting of 2 students) is required to hold a 45 minutes presentation and deliver a term paper of max. 20 pages. Presentations and term papers can be given/submitted in either German or English language. We encourage all students to practice their English language skills by delivering their results in English. For the term paper, Springer s lecture notes on computer science formatting has to be used 1. Term papers will be made available to all course participants after the seminar. Students are required to do a good proportion of literature survey. The proposed timeline for the seminar is as follows: Date Topic Assigned to Brüchert, Schaeffer Faatz, Thurner fällt aus Burkard, Stoss Kopp, Bielinski Klemm, Winterstein / / Wachtel / Dietz / Foks Important! Term paper and presentation slides must be sent to the organizers in PDF format at latest 3 days before your presentation day

2 3 Topics Topics are supposed to be jointly prepared by two students. The following topics will be handed out for preparation during the seminar. If you may have a specific topic that fits in the overall context, feel free to submit a short written proposal (15-20 sentences) so we can discuss the preparation of it. Topics within Sec. 3.1 are being supervised by Sebastian Abt, topics within Sec. 3.2 are being supervised by Frank Breitinger. As 8 teams (16 students) are participating we expect that 4 teams work in the area of internet security and botnets and 4 teams work in the area of fuzzy hashing. 3.1 Internet security and botnets Internet security research is one special research topic of h da s CASED group. Currently, our focus is on network-based anomaly detection using network flow data in general and on flow-based botnet detection in particular. Network flow data (e.g. Cisco Netflow, IETF IPFIX) are communication statistics that serve as representations of unidirectional network communication. A network flow f is defined by a 5-tuple f = (IP src, IP dst, P ort src, P ort dst, L4 P rotocol). The features defining a network flow are called flow keys. Using these flow keys, information describing the amount of data exchanged (e.g. number of bytes and packets) as well as TCP header flags (SYN, RST, FIN, ACK, PSH, URG) set during communication (in case of TCP communication) can be collected on network devices and can be exported to a network flow collector. As network flow data do not contain any information about the exchanged packets payloads, using network flow data for anomaly detection does not only lead to massive data reduction, but also respects the end-user s privacy much better than any approach utilizing deep packet inspection. Furthermore, as network flow data can be gathered on active network devices (e.g. routers or switches), network providers can re-use existing infrastructure for data collection and do not need to deploy further specialized devices. This makes the use of network flow data for anomaly detection very attractive from an economic point of view Analysis of TCP state attacks and countermeasures The Transmission Control Protocol (TCP) is one of the central protocols used in the TCP/IP stack, as it offers reliable and connection-oriented network communication. Due to imbalances in the resource utilization on client- and server-side, however, TCP is vulnerable to state exhaustion attacks. In this topic, students shall analyze different state exhaustion attacks and common countermeasures. Especially, students shall evaluate kernel-level hardening strategies for Linuxor BSD-based systems Analysis of botnet command and control channels Botnets serve as an IT infrastructure to the internet underground economy. By infecting and infiltrating many different network hosts, botmasters can build large networks of remotely controlled computer systems. In order to being 2

3 able to control these infected hosts, botmasters have to employ command and control (C&C) channels. In this topic, students shall survey current state of the art of C&C communication, sketch the characteristics of specific classes of C&C communication and shall identify possibly yet unknown strategies for C&C and covert communication Simulation of botnet behaviour using ns-3 Analysis of botnet behaviour is an ongoing and demanding research effort. Traditionally, analysis is performed by reverse engineering of malware/bot samples and/or targeted infection of specific observation points. In this topic, students shall evaluate a new approach by utilizing the discrete-event network simulator ns-3 2 for simulation and analysis of botnet behaviour. Specifically, students shall develop a characteristic model of IRC-based botnets using centralized command and control and, using this model, shall simulate bot propagation, communication and effects of botnet take-down Flow-based classification of network hosts Being able to correctly classify the behaviour of networks hosts according to a pre-defined taxonomy is essential for network-based anomaly detection. In this topic, students shall utilize unlabeled network flow traces from an ISP network and develop a classification system that is at least capable of differentiating between servers and clients. Classification shall be performed using appropriate machine learning techniques, for instance artificial neural networks, support vector machines or hidden markov models Survey and classification of network anomalies Over time, many different kind of network-based attacks have been developed. In an anomaly detection context, these attacks have to be classified according to anomaly classes. In this topic, students shall survey existing literature on network attacks and from these attacks shall derive an attack taxonomy that serves as an anomaly classification framework. Specifically, students shall analyze in detail differences between attacks and anomaly classes and discuss their specific characteristics. The taxonomy shall be complete in the sense, that for each anomaly an appropriate class can be identified. 3.2 Fuzzy hashing in general Traditional / cryptographic hash functions are widely spread and used in different cases (e.g., file identification, hash tables in databases,...). Due to their security properties (e.g., the avalanche effect) they have one main property: one changing bit within the input changes approximately 50% of the hash value. Thus cryptographic hash functions cannot be used to identify similar files. A similarity preserving hash function aka fuzzy hash function should overcome this issue and map similar inputs to similar hash values. In general we distinguish between algorithms working on the byte level and the semantic level

4 3.2.1 Survey on similarities preserving hash functions for binaries Binaries (*.exe, *.dll) are very common file types for Windows. But even if the same source code is compiled twice, the binary code looks completely different and fuzzy hash functions working on the byte level are useless. It is therefore one aim of this topic to do an exhaustive literature survey. Depending on the amount of literature 3, the overall result may vary. If there is a lot of literature, it is sufficient to present and compare different hashing approaches. If there isn t sufficient literature available, you should give an overview of existing algorithms that allow to detect similarity between two binary files (without generating a fingerprint, e.g., bsdiff 4 ). hashing between binaries Survey on similarity preserving hash functions for pictures Images uses very different file types and thus the underlying byte sequence is very different although they are in fact identical. One aim of this topic is to do an exhaustive literature survey. Depending on the amount of literature, the overall result may vary. If there is a lot of literature, it is sufficient to present and compare different hashing approaches. If there isn t sufficient literature available, you should give an overview of existing algorithms that allow to detect similarity between two pictures (without generating a fingerprint). hashing between images Survey on similarity preserving hash functions for PDF PDF is a very widespread file type mostly containing texts and images. One idea to find the similarity between PDF files is focusing on the written content. Thus, this topic could also be treated as identifying the similarity between different texts. One aim of this topic is to do an exhaustive literature survey. Depending on the amount of literature, the overall result my vary. If there is a lot of literature, it is sufficient to present and compare different hashing approaches. If there isn t sufficient literature available, you should give an overview of existing algorithms that allow to detect similarity between texts (without generating a fingerprint). A point of entrance might be n-grams and then computing the Jaccard similarity between those n-gram hashes 5 or algorithms for plagiarism detection. hashing between images Performance of hash functions on the byte and semantic level The difference between both approaches is that byte level hash functions only work on the byte stream and thus they are expected to be faster than hash functions on the semantic level. This topic is two-parted. On the one hand 3 e.g., Paper: Graph-based comparison of Executable Objects

5 you should do an exhaustive literature survey. On the other hand you should analyze the performance in detail for some common algorithms working on the byte and semantic level Analyzing perceptual hashing A perceptual hash is a fingerprint of a multimedia file derived from various features from its content. Unlike cryptographic hash functions which rely on the avalanche effect of small changes in input leading to drastic changes in the output, perceptual hashes are close to one another if the features are similar. In this topic you should analyze an existing open source tool called phash 6. Which algorithms are used to find similarities among different file types? How are different file types identified? What are the limits of the tool? 4 Misc All topics discussed in this seminar are related to current research at CASED and publicly funded research projects. If you re interested in writing your master s thesis in one of these areas or are motivated to work as student assistent in highly innovative fields of research, please get in touch with Sebastian Abt or Frank Breitinger or have a look at fachgruppen/fachgruppe-it-sicherheit.html. 5 Contact information Sebastian Abt, M.Sc. Frank Breitinger, M.Sc. sebastian.abt at h-da.de frank.breitinger at cased.de Room: D15, 3.04 Room: CASED building, Office hours: By arrangement per mail Office hours: By arrangement per mail 6 5