Intrusion Forecasting Framework for Early Warning System against Cyber Attack
Sehun Kim, KAIST, Korea
Honorary President of KIISC
Contents
1 Recent Cyber Attacks
2 Early Warning System
3 Intrusion Forecasting System
4 Conclusion
1 Recent Cyber Attacks
Growth of the Internet usage
[Figure: Number of Internet users in Korea (unit: 1,000); source: isis.nida.or.kr]
[Figure: Number of vulnerabilities identified; source: www.cert.org]
Attack Trend
- Exploit the interconnectivity of networks
- Rapid attacks, sometimes zero-day
- More sophisticated and evolutionary attack tools
- Attacks on infrastructure
(Source: www.cert.org)
DDoS Attacks
- Deploy a large number of compromised systems to attack a victim host
[Figure: attacker, control messages, compromised systems, victim]
Internet Worm
- Self-propagating and self-replicating network program
Internet Worm: Slammer worm
- Infected more than 90% of vulnerable hosts within 10 minutes
- Caused shutdown of Internet service in Korea
[Figure: the number of infected Slammer hosts in the 30 minutes after release; source: www.caida.org]
Botnets
- Bot: a short word for robot; a piece of software that allows a system to be remotely controlled
- Zombie: a controlled/corrupted system
- Botnet: a network of zombie systems, used for DDoS, spamming, sniffing, key logging, identity theft and hosting of illegal software
[Figure: bot herder controls bots through a control channel on an IRC server]
2 Early Warning System
Early Warning System
What is EWS?
- A system or procedure designed to warn of a potential or an impending problem in order to minimize the damage it causes
- Becomes more important as the potential damage grows
EWS in real life
- Famine EWS
- Disaster (tsunami/earthquake) EWS
- Disease EWS
EWS in cyber space
- Early detection of a cyber attack and instant response to it
- A cyber attack can be an intrusion, a worm/virus outbreak, information warfare, and so on
EWS Procedure
The main procedure of EWS conforms to that of the National Cyberspace Security Response System (USA).
Phase 1: Analysis
- Data collecting/processing
- Vulnerability assessment
- Forecasting cyber attack
Phase 2: Warning
- Issue an alarm
- Sharing cyber alert
Phase 3: Incident Handling
- Federal coordination
- Private, state and local coordination
Phase 4: Response/Recovery
- Modify security policy
- Final report
[Figure: phases P1 to P4]
CERT (Computer Emergency Response Team)
- Coordinates all of the activities of organizations and institutions involved in efforts to secure the national IT network
- Protects public/national security from cyber threats by handling computer incidents promptly and efficiently
- Traditionally, EWS is operated by CERT: KrCERT, US-CERT, CERTA, CNCERT, JPCERT, SingCERT, AusCERT
EWS in Korea
Motivation
- Basic Plan for the Establishment of National Cyber Terror Response System, approved by the President, July 2003
Related organizations
- NCSC (National Cyber Security Center): central point of government for identifying, preventing and responding to cyber attacks and threats in Korea
- KISA (Korea Information Security Agency): agency providing public users, industries and organizations with information security services
CERT
- KrCERT (Korea CERT): CERT operated by KISA
- KN-CERT (Korea National CERT): CERT operated by NCSC
EWS in USA
Motivation
- FISMA: Federal Information Security Management Act of 2002
- Planning: National Strategy to Secure Cyberspace, Feb. 2003
Related organizations
- DHS/NCSD (National Cyber Security Division): division that works to secure cyberspace and America's cyber assets; within DHS (Department of Homeland Security)
- CERT/CC (CERT Coordination Center): CERT center operated by Carnegie Mellon University
- US-CERT (U.S. Computer Emergency Readiness Team): charged with protecting the USA's Internet infrastructure by coordinating defense against and response to cyber attacks; founded by CERT/CC and NCSD
EWS in France
Motivation
- Decree 2001-693, July 2001: organizes DCSSI
- State Information System Security Reinforcement Plan, 2004
Related organizations
- SGDN (Secrétariat général de la défense nationale): by Decree 96-67, SGDN takes charge of the cyber security of France; belongs directly to the Prime Minister
- DCSSI (Direction Centrale de la Sécurité des Systèmes d'Information): executes governmental tasks in order to protect information systems; operates CERTA and ITSOC under the authority of the SGDN
- ITSOC (IT Security Organization Center): researches specialized knowledge to prevent and solve security incidents; collects data through CERTA and provides authorities with the collected data
Research Activity in EWS
Early detection of incident
- Incident (intrusion) forecasting method
- Alert correlation
- Threat assessment
Issue of an alarm or warning
- Design of main framework for EWS
- Partnership with other related organizations
- Effective visualization of events
Response/Recovery
- Traceback mechanism
- Establishment of national cyber security policies or laws
3 Intrusion Forecasting System
Intrusion Forecasting System
- Forecasts cyber attacks in advance
- The most significant part of EWS; corresponds to the Analysis phase of the National Cyberspace Security Response System
- The speed and precision of detection are key factors of EWS
- Development of an intrusion forecasting system is necessary
Intrusion Forecasting System Architecture
[Figure: architecture diagram with DC, DA and REP modules]
Intrusion Forecasting System Architecture
DC (Data Collection) module
- Collects data from various sensors
- Pre-processing for the DA module
DA (Data Analysis) module
- Analyzes the collected data
- Predicts possibilities of cyber attack
REP (Reporting) module
- Creates alarm reports
- Alarm visualization
Forecasting in Real Life: Weather Forecasting Case
Three important forecasting steps
- Analyze the present state
- Predict a future state
- Interpret the model results
Methods of weather forecasting
- Folklore forecast
- Persistence forecast
- Climatology forecast
- Trend forecast
- Analog forecast
- Numerical forecast
- Ensemble forecast
Intrusion Forecasting Methods
Forecasting methods against cyber attack
- Still at a primary level compared to other forecasting areas: predict a "virus day" or the possibility of a cyber threat by exploiting security vulnerabilities
- Commercial intrusion forecasting systems are currently in the beginning phase
- Some research has applied existing forecasting techniques to the prediction of worms or viruses
Related organizations
- Warning of virus/malicious code: Ahnlab, Hauri, SANS (Internet Storm Center)
- Threat management systems: Symantec (DeepSight TMS), Computer Associates (eTrust Security Management)
Intrusion Forecasting Method (1): Data Mining Method
Data mining method
- Extracts implicit, previously unknown, and potentially useful information from large data sets or databases
- Widely used in various forecasting areas: stock prices, weather forecasting, and earthquake forecasting
- Makes it possible to handle numerous traffic variables that are difficult to analyze intuitively
- Clustering analysis, decision trees, genetic algorithms, etc.
Advantages vs. disadvantages
- Advantages: considers not only quantitative changes of multiple variables but also changes of their distribution
- Disadvantages: high computational complexity; the results are difficult to understand
A Case Study: Data Mining Method
DDoS attack detection method using cluster analysis
Proactive detection of DDoS attack
- Detects a DDoS attack proactively by exploiting the sequential movement of the DDoS attack
[Figure: phases of a DDoS attack (phase 1 to phase 5) among attacker, handlers, agents and victim]
A Case Study: Data Mining Method
DDoS attack detection method using cluster analysis
Feature selection process
- Select several features to detect the symptoms of a DDoS attack; they indicate abnormal changes in traffic according to each phase of the attack
Selected features
- Distribution of source IP/port
- Distribution of destination IP/port
- Packet type
- Occurrence rate of TCP SYN, UDP, ICMP
The entropy values of the selected features are calculated to measure the randomness in their distribution:
$H = -\sum_{i=1}^{n} P_i \log_2 P_i$
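The feature extraction step described above, as an added example that is not part of the original slides or the case study's own code. It computes the entropy of source/destination IP and port and of packet type over a window of packet records, plus the packet count and per-type occurrence rates, and compares a quiet window against a flood window. Both windows, the packet-type labels and the `flood_symptoms` rule of thumb are constructed for the demonstration; the page does not give the real clustering input.

```python
import math
from collections import Counter

# Constructed packet records: (src_ip, src_port, dst_ip, dst_port, packet_type).
# They are made up for this example and are not captured traffic.
NORMAL_WINDOW = [
    ("10.0.0.1", 40001, "192.0.2.10", 80, "TCP_SYN"),
    ("10.0.0.2", 40002, "192.0.2.11", 443, "TCP_SYN"),
    ("10.0.0.3", 40003, "192.0.2.12", 53, "UDP"),
    ("10.0.0.4", 40004, "192.0.2.13", 80, "ICMP"),
    ("10.0.0.5", 40005, "192.0.2.14", 443, "TCP_SYN"),
    ("10.0.0.6", 40006, "192.0.2.15", 22, "UDP"),
    ("10.0.0.7", 40007, "192.0.2.16", 25, "TCP_SYN"),
    ("10.0.0.8", 40008, "192.0.2.17", 80, "ICMP"),
]

# Constructed flood window: many agents, one destination IP and port, all TCP SYN.
ATTACK_WINDOW = [
    ("198.51.100.%d" % i, 50000 + i, "192.0.2.10", 80, "TCP_SYN") for i in range(1, 9)
]

FEATURE_INDEX = {"src_ip": 0, "src_port": 1, "dst_ip": 2, "dst_port": 3, "packet_type": 4}
PACKET_TYPES = ("TCP_SYN", "UDP", "ICMP")


def entropy(values):
    """Shannon entropy H = -sum(P_i * log2 P_i) of the empirical distribution."""
    counts = Counter(values)
    total = sum(counts.values())
    if len(counts) == 1:
        return 0.0  # a single value carries no randomness
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def feature_vector(window):
    """Entropy of each selected feature plus packet count and per-type rates."""
    vec = {}
    for name, idx in FEATURE_INDEX.items():
        vec[name] = round(entropy([pkt[idx] for pkt in window]), 3)
    vec["num_packets"] = len(window)
    types = [pkt[4] for pkt in window]
    for t in PACKET_TYPES:
        vec["rate_" + t] = round(types.count(t) / len(window), 3)
    return vec


def flood_symptoms(baseline, current, drop=0.5):
    """Destination-side features whose entropy fell by more than `drop`.

    Constructed rule of thumb for illustration; the case study uses cluster
    analysis over these vectors rather than a fixed threshold.
    """
    return [f for f in ("dst_ip", "dst_port", "packet_type")
            if baseline[f] - current[f] > drop]


if __name__ == "__main__":
    normal = feature_vector(NORMAL_WINDOW)
    attack = feature_vector(ATTACK_WINDOW)
    for name in sorted(normal):
        print("%-14s normal=%-8s attack=%s" % (name, normal[name], attack[name]))
    print("flood symptoms:", flood_symptoms(normal, attack))
```

Source-side entropy stays high in both windows (eight distinct sources either way), while destination IP, destination port and packet-type entropy collapse to zero in the flood window; that collapse of distribution, not just the packet count, is what the cluster analysis on the next slide picks up.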
A Case Study: Data Mining Method
DDoS attack detection method using cluster analysis
Results of clustering analysis

Variable                | 1 normal | 2 ph1 | 3 ph2 | 4 attack | 5 post attack | 6 normal
Entropy of src IP       |   1.59   |  0.71 |  0.08 |   0.02   |     0.13      |   1.06
Entropy of src port     |   1.61   |  0.56 |  0.12 |   12.4   |     11.4      |   1.07
Entropy of dest IP      |   1.58   |  4.91 |  0.07 |   12.6   |     11.5      |   1.06
Entropy of dest port    |   1.50   |  0.55 |  0.12 |   12.6   |     11.5      |   1.07
Entropy of packet type  |   1.12   |  0.53 |  0.04 |   0.02   |     0.12      |   1.36
Number of packets       |   37.0   |  41.4 |  1.19 |   6225   |     2876      |   4.70

[Rows for occurrence rate of SYN, UDP and ICMP: the values 0.02 0.00 0.00 0 0 0.87 0 0.99 0 0 0 0 0 0 0 0.44 0 0 survive, but their cell order is not recoverable]
Intrusion Forecasting Method (2): Probabilistic Modeling
Probabilistic modeling
- Captures evidence of intrusions in terms of a probability derived from the current network state
- Enables the system administrator to understand the degree of risk on a probabilistic scale
- Markov chain, Bayesian method, etc.
Advantages vs. disadvantages
- Advantages: easy to understand the possibility of attacks on a probabilistic scale; highly applicable to the determination of the warning level
- Disadvantages: difficult to construct the state profile and the transition probabilities between states; requires correct decisions by the system administrator
A Case Study: Probabilistic Modeling
An effective DDoS attack detection and packet-filtering scheme
Effectiveness of DDoS attack detection and filtering
- DDoS attacks are viewed as congestion events in routers
- Effectively detected at the victim network, but effectively filtered when closer to the attack source
[Figure: attack source networks, further upstream ISP network, the victim's ISP network, the victim's network; effectiveness of attack detection increases toward the victim, effectiveness of packet filtering increases toward the source]
A Case Study: Probabilistic Modeling
An effective DDoS attack detection and packet-filtering scheme
Measure for deciding the congestion level in a router
- Decide the congestion level using packet loss probabilities
- Congestion has occurred at an output queue in a transit router if the packet loss probability is larger than a given threshold
- Detect attacks in routers through the use of a queueing model
[Figure: routers R1 and R2 exchanging messages]
A Case Study: Probabilistic Modeling
An effective DDoS attack detection and packet-filtering scheme
Detection and filtering strategy
- Detect attacks in routers through the use of queueing models
- Perform congestion control in consideration of packet loss probabilities in routers
- Local and global detection by exchanging congestion messages
- Local detection: each transit router checks its output queues to decide their congestion levels
- Global detection: identify an attack and its route
[Figure: router topology R1 to R13 with links L6 and L7 and the victim; routers exchange AMs, IMs and PFMs]
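The congestion measure and the local detection step of the two slides above, as an added example that is not part of the original slides or of the scheme's own implementation. It models each output queue as an M/M/1/K queue to get a packet loss probability, maps that probability to a congestion level with thresholds, and runs the check over every output queue of one router. The M/M/1/K model, the thresholds in `LEVEL_THRESHOLDS` and the router snapshot `ROUTER_R1` are assumptions made here; the slides only say that a queueing model and a loss-probability threshold are used.

```python
def mm1k_loss_probability(arrival_rate, service_rate, buffer_size):
    """Packet loss (blocking) probability of an M/M/1/K queue.

    buffer_size is K, the number of packets the output queue can hold including
    the one in service. The M/M/1/K model is an assumption for this example.
    """
    if arrival_rate < 0 or service_rate <= 0 or buffer_size < 1:
        raise ValueError("rates must be positive and buffer_size >= 1")
    rho = arrival_rate / service_rate  # offered load
    k = buffer_size
    if abs(rho - 1.0) < 1e-12:
        return 1.0 / (k + 1)  # limit of the formula below at rho = 1
    return (1.0 - rho) * rho ** k / (1.0 - rho ** (k + 1))


# Constructed thresholds: each one the loss probability exceeds raises the level by one.
LEVEL_THRESHOLDS = (0.01, 0.05, 0.20)


def congestion_level(loss_probability, thresholds=LEVEL_THRESHOLDS):
    """Map a loss probability to a congestion level from 0 (none) to len(thresholds)."""
    return sum(1 for t in thresholds if loss_probability > t)


def local_detection(output_queues):
    """Local detection at one transit router.

    output_queues maps a queue name to (arrival_rate, service_rate, buffer_size).
    Returns {queue: (loss_probability, level)} so the caller can decide which
    queues to report in a congestion message to neighbouring routers.
    """
    report = {}
    for name, (lam, mu, k) in output_queues.items():
        p_loss = mm1k_loss_probability(lam, mu, k)
        report[name] = (round(p_loss, 4), congestion_level(p_loss))
    return report


# Constructed router snapshot: packets per second and buffer slots per output queue.
ROUTER_R1 = {
    "to_R2": (800.0, 1000.0, 20),       # lightly loaded link
    "to_R7": (1000.0, 1000.0, 20),      # link running at capacity
    "to_victim": (1500.0, 1000.0, 20),  # link overloaded during the flood
}

if __name__ == "__main__":
    for queue, (p_loss, level) in local_detection(ROUTER_R1).items():
        print("%-10s loss=%.4f level=%d" % (queue, p_loss, level))
```

With these numbers the queue toward the victim loses about a third of its packets and reaches the top level, the saturated link sits at level 1, and the lightly loaded one stays at level 0; the global step on the slide then correlates such per-router reports along the path.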
Intrusion Forecasting Method (3): Time-Series Analysis
Main idea
- Detect intrusions early in broadband networks using the exponential smoothing method
- Extract the traffic volume at a destination port to find anomalies earlier and more precisely
[Figure: total traffic volume (bytes) over time]
[Figure: traffic volume at port 1434 (bytes) over time]
A Case Study: Time-Series Analysis
Fast detection scheme for broadband networks using traffic analysis
Experimental results
- Detection of anomalies at port 1434
- Detection of anomalies at port 80
- Detection of anomalies at port 445
- Detection of anomalies at port 137
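The per-port time-series approach of the two slides above, as an added example that is not part of the original slides or of the case study's own scheme. It aggregates packet records into bytes per interval for one destination port and then runs an exponential smoothing detector that flags an interval when the observed volume exceeds the smoothed forecast by more than k times the smoothed absolute deviation. The smoothing parameters, the byte series `PORT_1434_BYTES` and the packet records `SAMPLE_PACKETS` are constructed for this example; the page gives only the plots, not the data or the exact detector settings.

```python
def port_volume_series(packets, port, interval, n_intervals):
    """Bytes per interval sent to `port` (constructed aggregator).

    packets: iterable of (timestamp_seconds, dst_port, byte_count).
    """
    series = [0] * n_intervals
    for ts, dst_port, nbytes in packets:
        if dst_port != port:
            continue
        slot = int(ts // interval)
        if 0 <= slot < n_intervals:
            series[slot] += nbytes
    return series


def detect_anomalies(series, alpha=0.3, k=3.0, warmup=5, min_dev=1.0):
    """Flag intervals whose volume exceeds the exponentially smoothed forecast
    by more than k times the smoothed absolute deviation.

    level_t = alpha * x_t + (1 - alpha) * level_{t-1} is the forecast for the
    next interval; dev_t smooths |forecast error| the same way. Flagged points
    are not folded into the baseline, so a flood does not raise the forecast
    and hide its own continuation. The first `warmup` intervals only train.
    """
    if not series:
        return []
    level = float(series[0])
    dev = 0.0
    flagged = []
    for t in range(1, len(series)):
        x = float(series[t])
        err = x - level  # the forecast for t is the smoothed level so far
        if t >= warmup and err > k * max(dev, min_dev):
            flagged.append(t)
            continue
        level = alpha * x + (1.0 - alpha) * level
        dev = alpha * abs(err) + (1.0 - alpha) * dev
    return flagged


# Constructed per-interval byte counts at port 1434: quiet baseline, then a flood.
PORT_1434_BYTES = [1000, 1020, 980, 1010, 990, 1005, 995, 1015, 985, 1000,
                   52000, 60000, 58000]

# Constructed packet records (timestamp, dst_port, bytes) for the aggregator.
SAMPLE_PACKETS = [(0.0, 1434, 500), (0.5, 1434, 500), (1.2, 80, 300), (1.5, 1434, 700)]

if __name__ == "__main__":
    print("port 1434 series from packets:", port_volume_series(SAMPLE_PACKETS, 1434, 1.0, 2))
    print("anomalous intervals:", detect_anomalies(PORT_1434_BYTES))
```

Working per destination port is what makes the jump visible: in the constructed series the port-1434 volume rises fifty-fold at interval 10, which would be a small fraction of the total traffic volume shown in the first plot and could stay under a threshold set on the aggregate.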
4 Conclusion
Conclusions
- To defend networks against current cyber attacks, the importance of EWS is emphasized
- Many countries operate EWS through CERT
- Intrusion forecasting system: the most significant part of EWS
- Intrusion forecasting system architecture: Data Collection module, Data Analysis module, Reporting module
- Intrusion forecasting techniques
  - Forecasting in real life: weather, stock, power, etc.
  - Forecasting methods against cyber attacks: data mining method, probabilistic modeling, time-series analysis