Growing Challenges. Securing the Internet Cloud: Challenges and Opportunities. Traffic Growing Rapidly on Fixed and Mobile Networks!

Transcription

1 Securing the Internet Cloud: Challenges and Opportunities Farnam Jahanian Computer Science and Engineering University of Michigan December 5, 2009 Growing Challenges Traffic Growing Rapidly on Fixed and Mobile Networks! IP traffic will double every 2 years through 2011 Proliferation of smart devices and applications. Video Internet will drive much of this growth. High quality of experience is essential for video, cloud computing and SaaS. Security Threats Clog Bandwidth and Increase Costs 5% of internet traffic is malicious. Attacks have grown rapidly over the last decade. Respecting no geographical boundaries and propagating to the entire populations in a matter of minutes. A widening gap between common low-level amateur attacks and multi-gigabit professional attacks. Page 4 1

2 A Global Challenge This chart depicts where Internet attacks originate 24h snapshot. Internet threats are a global phenomenon. Source: Arbor Networks Page 5 Internet Threat Evolution Page 7 2

3 Availability Attacks Worms These attacks disrupt infrastructure DoS Estonia 'Cyberwar' Page 8 How Botnets Are Lo-bot-omizing Your PC Viruses Virulence: The Impact of Slammer (2003) During Slammer, 75K hosts infected in 30 min. Page 10 3

4 A Dramatic Transformation and Escalation ID Theft Phishing These attacks rely on taking control SPAM Page 13 Spyware Threat Evolution: Bots Have Arrived Malicious Internet activities now motivated by economic incentives and political considerations: DoS Extortion Identity Theft and Fraud Phishing SPAM Spyware Espionage and Information Theft Attackers have learned: A compromised system is more useful alive than dead! A compromised system provides anonymity. A network of compromised hosts provides a powerful delivery platform. Page 15 4

5 Attack Botnet Lifecycle Framework Propagation: To recruit new members, bots rely on an array of built-in propagation vectors. Communication: After a new infection, a bot establishes a C&C connection with a controller. Attacks: Malicious bots attack Internet users and infrastructure. Zombie Attacker C&C Overlay HTTP FTP P2P IM Zombie C&C Overlay C&C Overlay Attack Victim Zombie Propagation Command and Control Attack Page 19 Framework for Security Services in the Network Cloud Page 25 5

6 Framework for In-Cloud Security Idea: move more security services into the network cloud Point solution Distributed solution Shift monitoring and data collection to the sensing lightweight elements (perhaps even hosts), shift detection and policy generation into the network, and be opportunistic about policy enforcement Separation of control-plane (e.g. DSN and BGP) and dataplane monitoring Anomaly detection algorithms based on traffic sampling and clustering of network flows Page 26 Over the last 10 years Distributed Denial-of-Service Detection, Backtracing and Mitigation Dark Cloud: Distributed darknet monitoring AV-Cloud: Anti-virus in the network cloud Page 27 6

7 Distributed Denial of Service Attacks Page 30 Distributed Denial-of-Service Attacks (circa1999) Attacks to disrupt network infrastructure and web site availability AT&T Target MCI Upstream Network DS3/Gig Ethernet Saturation X 512K Circuit Comca st Impact: Internet Service Provider - Damage to network infrastructure and critical IP Services. Attack Target - Loss of connectivity, increased costs, tarnished brand. Subscriber - Unknowing participant in attack consumes resources (today: victim of phishing, identify and data theft) 7

8 DDoS Detection and Remediation Cut traffic off here Not here Requires global visibility and outreach Page 32 Key Concepts Leverage coarse-grained network flow statistics from routers and fine-grained measurements near a target Push anomaly detection into the upstream ISP network / push blocking of attack traffic toward the source and away from the target Correlate events seen at different locations to aid in the detection and backtracing of coordinated attacks Page 33 8

9 Key Idea: In-Cloud Detection, Backtracing and Mitigation Sensor Infrastructure-level Cyber attacks Mission-Critical Network Unavailable Sensor Sensor BGP Off-Ramping and Re-injection Sensor Peering Point POP Customer y Sensor Core Router Peering Point Core Router Mitigation Devices POP Clean Traffic Goes To Enterprise Network 9

10 2008 Global Deployment Deployed by 300+ ISPs, cable operators and mission critical networks 70% of Internet s transit traffic being monitored by our solution in 2008 Page 37 CloudAV: Anti-virus in the Cloud Page 51 10

11 Case Study: Anti-virus in the Cloud Network Component Host Component Page 52 Limitations of Antivirus Software Antivirus is the predominate method of detecting and stopping malicious software AV fails to detect modern threats Worst: 54.9% Best: 86.6% AV host software is complex Maintenance overhead Frequent signature updates Risk of security vulnerabilities Avast Antivirus ClamAV F-Prot F-Secure Kaspersky McAfee Symantec Trend Micro Detected 84.7% 59.7% 79.9% 86.6% 85.3% 54.9% 81.9% 82.0% Arbor Malware Library (AML) dataset of 7220 samples (Nov. 06 Nov.'07) Page 53 11

12 Coverage Degradation AML dataset of 7220 samples (Nov. 06 Nov.'07) Antivirus detection coverage degrades significantly as threats approach 0-day ( 2007 (detection result for 5000 malware samples - May (antivirus signatures were updates the day after the collection ended) Architecture and Deployment Model (shift data collection and enforcement to host, and detection and policy enforcement to network service) Lightweight host agent runs on desktops, laptops, and other devices Network service hosts the backend file analysis engines and fields requests from the host agent. Archival and forensics service stores information on file analysis results and provides a query and alerting interface Page 57 12

13 Simplified Host Agent Cross Platform Mobile Devices Mail Server Frontends Page 60 Improved Coverage Single engine from 82% to 52% Ten engines from 98% to 88% For zero-day 88% vs. 52% Decrease in incremental coverage Detection rates are calculated by taking the avg. rate across ( 2007 N. (detection all combinations result for 5000 of N malware engines samples for a given - May AML dataset of 7220 samples (Nov. 06 Nov.'07) 13

14 Vulnerability Window AML data set + archive of McAfee DAT signature files with 1-week granularity ~30% samples already detected ~30% samples never detected ~70% eventually detected Average time between observation and detection is 48 days. Large window of vulnerability: retrospective detection is essential to discover previously infected hosts (i.e. re-scanning and generating detailed forensics information) Recent Extension to Mobile Environments Mobile devices (Apple iphone, T-Mobile G1, Nokia N800) run commodity operating systems Open platforms such as iphone SDK and Google Android Proliferation of native third party applications Jon Oberheide, Kaushik Veeraraghavan and Evan Cooke have shown (Mobivirt 2008): in-cloud model enhances mobile security and reduces on-device software complexity (Nokia s N800 and N95) In-cloud network service with mobile-specific behavioral analysis and multiple virtualized detection engines possible to spend bandwidth resources to significantly reduce ondevice CPU, memory, and power consumption. New Project funded by Google and NSF Page 77 14

15 Discussion & Limitations (Usenix Security 2008 by Oberheide, Cooke and Jahanian) Disconnected operation Local caching, policy decision False positives Confidence, engine thresholds, management Detection engine licensing Price/perf, free engines, lock-in Sources of malicious code DLL results, file types configurable Context and environment Can execute candidate files in VM Privacy implications Tunable collection and display Page 78 Warp UP Page 91 15

16 Crimeware as a Service (CaaS) Page 94 Crimeware as a Service (CaaS) Crimeware as a Service (CaaS) Cloud computing advantages not limited to legitimate applications Service / subscription model More control / more profit for attackers Parallels between cloud apps / crimeware: Cloud Type Legitimate Services Crimeware Services IaaS Amazon EC2, Mosso Renting out infected botnets PaaS Google App Engine, MS Azure Botnet-backed spam services SaaS SalesForce, SAP ByDesign Malware packing, CAPTCHAs Page 95 16

17 Real-world CaaS Recent CaaS activity in the wild Rudimentary crimeware (e.g. AV Scanner and online packing) services already starting to appear Screenshots thanks to Jorge Mieres / Evil Fingers! Page 96 Acknowledgements Students and Collaborators at University of Michigan, Arbor Networks and Merit Network And of course our research sponsors and collaborators: Page 99 17

18 Thank You 18