Brief self-introduction
Name: Yaokai Feng
Affiliation: Graduate School of Information Science and Electrical Engineering, Kyushu University, Japan
Bachelor and Master degrees: Tianjin University, China, in 1986 and 1992, respectively
Ph.D.: Kyushu University, Japan, in 2004
Research background:
1) Network security (from 2010)
2) Pattern recognition (from 2007)
3) Databases (from 1999)
How to fight against Botnets in IoT
Yaokai Feng, Kyushu University, Japan
IoT?
Internet of Things / Internet of Everything
Smart everything, connect everything
IoT is great!
At least, we believe it will make our lives better in many aspects.
HOWEVER
IoT is dangerous!
IoT is dangerous
1) So many different kinds of small devices are connected: cheap, poor in resources (CPU, memory), with no or poor security strategies, often not made under minimum security requirements, and sometimes not even made by qualified makers.
2) So many ordinary users cannot use smart devices correctly: no or poor security consciousness and security knowledge (password setting, system configuration, firmware updating, and so on).
Such small devices are not only potential victims but also potential bots/attackers.
(Cont'd)
3) Physical-world security and life safety must be guaranteed: the Internet has been extended to the physical world, and security problems there often result in disasters (vehicles, medical equipment, ...). In many cases, security problems must be settled in real time.
Security in IoT therefore covers information security, service security, physical-world security and life safety. It is more critical, more complicated and more challenging.
IoT is dangerous (examples of small things)
Reported in Russia on Oct. 23, 2013: a smart iron could compromise any wireless LAN within 200 m that has no authentication. Even small things may be big threats.
BBC news on July 8, 2014: smart LED bulbs may leak Wi-Fi passwords. The user's network configuration can then be exposed, which opens the door to the home or business LAN.
IoT is dangerous (example of POS)
Autumn to Christmas 2013: malware in the POS systems of the US retail giant Target leaked 40 million customers' credit card records and, in total, 110 million customers' personal information (CNN, May 5, 2014).
In the first quarter of 2014:
1) 12% drop in Target's earnings
2) Target shares fell about 3% in one day of trading
The Target CEO was out in May 2014.
IoT is dangerous (examples of automobiles)
BMW updated 2.2 million cars because hackers could open the doors using just a mobile phone (reported Feb. 2, 2015).
Fiat Chrysler recalled 1.4 million automobiles after hackers demonstrated a remote hack of a Jeep (reported July 24, 2015).
Botnets in IoT
More than 25% of modern botnets include smart devices, and they are more complex: not only computers but also many kinds of IoT devices take part.
A botnet reported on Jan. 16, 2014 had more than 100,000 bots, including home routers, televisions, refrigerators, ...
A botnet reported in Japan
Dec. 15, 2015: a botnet reported by the National Police Agency, Japan. A large number of digital video recorders were compromised (x86 PCs were not involved). Ports used: 23/TCP and 53413/UDP.
https://www.npa.go.jp/cyberpolice/detect/pdf/20151215_1.pdf
We have to fight against botnets in IoT! -- our study and future work
Project name: Proactive Response Against Cyber-attacks Through International Collaborative Exchange (PRACTICE)
Period: July 2011 to March 2016
Funded by: the Ministry of Internal Affairs and Communications, Japan
Amount: more than 2 billion JPY in total (>18M USD); research division 900M JPY (8.1M USD)
Member organizations: KDDI, Kyushu University/ISIT, Yokohama National University, Japan Datacom, SecureBrain
System overview: sensors deployed in 12 countries; traffic data collected online; analysis by machine learning, data mining and correlation analysis; early reports.
One of our proposals
Existing detection technologies include:
1) Signature-based: fails on new kinds or new variants of attacks
2) Volume-based: the threshold must be determined in advance
3) Information theory-based: detection performance depends strongly on the chosen information-theoretic measure
4) Behavior-based: the challenge is how to extract normal behavior modes from historical traffic data
Our proposal: a behavior-based method for detecting distributed attacks, i.e. attacks launched collaboratively from multiple hosts.
For each destination port (Port 1, ..., Port i, ..., Port n), the number of unique source addresses is counted per time unit. Historical data gives the frequency distribution of #unique sources for each port. When #unique sources of some port increases greatly, an alert is raised for that port; the alerts of all ports are then combined into global alerts.
How to determine "increased greatly"? In existing methods the threshold is given by the user. In this proposal the threshold is not given by the user but is determined from the historical frequency distribution itself (the best position 0 < i < n in that distribution), so it adapts to each port's normal behavior.
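The following is an added example of the detection scheme described above, written for this page and not the PRACTICE project's own code. It counts unique source addresses per destination port and time unit over constructed flow records, learns a per-port threshold from the historical frequency distribution, and emits alerts plus a global summary in the "port/proto (n times)" form used on the result slides. The concrete threshold rule (a high quantile of the historical distribution, doubled, with an absolute minimum gap) is an assumption; the slides only state that the threshold comes from historical data rather than from the user.

```python
"""Behavior-based detection of distributed attacks (added example).

For every (protocol, destination port) the number of unique source IPs per
time unit is the monitored behavior.  A threshold is learned from the
historical part of that series and later time units exceeding it raise an
alert.  Flow records and the threshold rule are constructed assumptions.
"""
from collections import defaultdict
import random

# Flow record: (time_unit, protocol, dst_port, src_ip).  Constructed data.


def unique_sources_per_unit(flows):
    """Return {(proto, port): {time_unit: set(src_ip)}}."""
    table = defaultdict(lambda: defaultdict(set))
    for t, proto, port, src in flows:
        table[(proto, port)][t].add(src)
    return table


def count_series(per_unit, n_units):
    """#unique sources for every time unit 0..n_units-1 (0 if no traffic)."""
    return [len(per_unit.get(t, ())) for t in range(n_units)]


def learn_threshold(history, quantile=0.99, min_gap=5):
    """Threshold from the historical frequency distribution (assumed rule).

    Take the value at the given quantile of the sorted history and require
    the current count to be at least double it and at least min_gap above
    it, so a port that normally sees 0-3 sources needs a clear jump.
    """
    ordered = sorted(history)
    idx = min(len(ordered) - 1, int(quantile * len(ordered)))
    q = ordered[idx]
    return max(2 * q, q + min_gap)


def detect(flows, n_units, history_units):
    """Alerts as (time_unit, (proto, port), count, threshold) tuples."""
    alerts = []
    for key, per_unit in unique_sources_per_unit(flows).items():
        series = count_series(per_unit, n_units)
        threshold = learn_threshold(series[:history_units])
        for t in range(history_units, n_units):
            if series[t] > threshold:
                alerts.append((t, key, series[t], threshold))
    return alerts


def summarize(alerts):
    """Global alert summary: {'23/TCP': 3, ...}, as on the result slides."""
    summary = defaultdict(int)
    for _, (proto, port), _, _ in alerts:
        summary[f"{port}/{proto.upper()}"] += 1
    return dict(summary)


def constructed_flows(n_units=30, seed=1):
    """Constructed traffic: low background noise plus two distributed bursts."""
    rng = random.Random(seed)
    flows = []
    background = {("tcp", 23): 3, ("udp", 53413): 2, ("tcp", 80): 3}
    for t in range(n_units):
        for (proto, port), k in background.items():
            for _ in range(rng.randint(0, k)):
                src = f"10.0.{rng.randint(0, 255)}.{rng.randint(1, 254)}"
                flows.append((t, proto, port, src))
    # 40 distinct hosts probing 23/TCP together in time units 21-23
    for t in (21, 22, 23):
        flows += [(t, "tcp", 23, f"203.0.113.{i}") for i in range(1, 41)]
    # 40 distinct hosts probing 53413/UDP in time unit 25
    flows += [(25, "udp", 53413, f"198.51.100.{i}") for i in range(1, 41)]
    # small bump on 80/TCP that must stay below the learned threshold
    flows += [(27, "tcp", 80, f"192.0.2.{i}") for i in range(1, 5)]
    return flows


if __name__ == "__main__":
    found = detect(constructed_flows(), n_units=30, history_units=20)
    for t, (proto, port), count, thr in found:
        print(f"t={t:2d} {port}/{proto.upper()} unique sources={count} (threshold {thr})")
    print("global alerts:", summarize(found))
```

The first 20 time units are treated as history and the last 10 as the monitored period; with a different split or quantile the learned thresholds change, which is exactly the parameter the proposal removes from the user's hands.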
Example 1 of detection results
In August 2011, the Morto worm was reported by several organizations. It tries to compromise administrator passwords for Remote Desktop connections (3389/TCP).
August 10, 2011: reported by Microsoft (MS11-061, MS11-065)
August 29, 2011: reported by F-Secure (security company based in Finland)
September 7, 2011: reported by JPCERT/CC (Japan's CSIRT coordination center)
Example 1 of detection results (cont'd)
Data: darknet traffic from NICTER (190,000 IP addresses at that time), June/July/August 2011.
Detection results in July 2011 (day, time):
14: 20:00~24:00
22: 12:00~20:00
23: 16:00~20:00
24: 00:00~12:00
26: 04:00~12:00
31: 00:00~12:00
We captured it at 20:00 on July 14, before the first public report on August 10.
Detection results in August 2011
Example 2 of detection results
The National Police Agency (Japan) reported on Dec. 15, 2015 a botnet of a large number of digital video recorders using 23/TCP and 53413/UDP.
Data: traffic data from 10 sensors in the PRACTICE project.
Detection results in November 2015: 44 global alerts. Details:
53413/UDP (14 times) and 23/TCP (29 times): the botnet above
32764/TCP (once; possibly a secret backdoor)
Future work of this proposal
With so many different kinds of devices in IoT, behavior modes become more complicated. In the future:
More complicated behavior modes: multidimensional and multiple
Correlation analysis of the alerts for different destination ports/hosts, and between sources and destinations
Collecting/analyzing malware specimens
One of the works in our succeeding project. The present sharable datasets in Japan:
Since 2008, a workshop on malware research (MWS) has been held once every year. Its objective: to establish a platform for sharing information and results.
5 sharable datasets:
NICTER Darknet Dataset: traffic pcap data from a darknet (>290,000 IPs; NICT)
PRACTICE Dataset: traffic pcap data from infected PCs
FFRI Dataset: log data of the malwares when executed in a sandbox (>2600; FFRI company)
CCC Dataset: pcap data and hash values of the collected malwares (>7000; honeypots; a committee)
D3M Dataset: traffic data of drive-by downloads, including URLs, pcap data and hash values of the collected malwares (honeypots; NTT)
Sharable datasets in Japan
Collecting malwares with client honeypots: many malware specimens have been collected, but not yet those in IoT.
Finally
The IoT age is coming. Are we ready to welcome it?
There are many things we have to do, from security strategies to education. We do not have much time!
Let's fight together!
Thanks