Network Security Incident Analysis System for Detecting Large-scale Internet Attacks
Dr. Kenji Rikitake
Security Advancement Group, NICT, Japan
September 6, 2005
Our goals
Collaborative monitoring, centralized network security incident analysis and handling among Japanese Internet Service Providers (ISPs), including:
- real-time analysis for early-warning trends
- in-depth analysis for detecting new threats
- recommendations to the ISPs and users
Protecting the national IT infrastructure
6-SEP-2005 APEC-OECD Joint WG 2
Our partners
- Telecom-ISAC Japan
  - Wide-area monitoring with probes on ISPs
  - Incident handling with contingency plans
  - Clearing house of incident info for ISPs
- Internet Security research communities
  - Academic network administrators
  - Virus and malware analysis experts
  - Datamining and statistics experts
Our project and Telecom-ISAC (system overview diagram)
- Telecom-ISAC Japan Operation Center
  - Incident handling system, run by the operators
  - Incident-information dissemination via Web
  - Wide-area monitoring system for the ISPs, fed by probes installed at the ISPs
  - Outputs: reports to the government and general users; recommendations to the member ISPs
- Incident Analysis Center (operated by NICT)
  - Real-time analysis system (primary short-term statistical analysis and incident detection)
  - In-depth analysis system (long-term and detailed analysis with human experts)
  - Integrated database for analyzed data and incidents
  - Analysis experts
- Partner networks and sensor systems
  - Honeypot networks
  - Blackhole networks
  - Academic network probes
  - Traffic statistics from partner ISPs and networks
Roles of our analysis center
- Real-time monitoring
  - from various kinds of network providers
  - from various types of information sources
  - for detecting precursors ASAP
- Real-time (automated) analysis
- In-depth analysis (with the experts)
- Archiving events for future analyses
Required functions (1/2)
- Flow control and synchronization of different types of monitored data
  - of different time resolutions and time frames
- Parallel analysis with multiple algorithms
  - for finding clues of new incident trends such as virus or DDoS attack breakouts
- Visualization by multiple methods
  - for helping the experts find anomalies
Required functions (2/2)
- Large-scale incident database storage
  - for archiving massive (tera-to-petabyte) amounts of incident-related data
  - for fast retrieval by the experts and the in-depth analysis tools
  - for storing large non-real-time statistical data
- Workbench for in-depth analysis
  - behavioral analysis of quarantined viruses
Configuration schematics of the Incident Analysis System (block diagram)
- Inputs: Online Monitored Data and Offline Monitored Data, collected by the Monitoring Process
- Flow Control and Synchronization stage
- Real-time Analysis Processes (A, B, ...)
- Large-scale Incident Database
- In-depth Analysis Processes (X, Y, ...), used by the Incident Analysis Experts
- Output for visualization, reporting, and recommendation
Monitoring networks and the probes
Monitoring methods:
- Capturing packets (raw and digested)
- Blackhole networks
  - responding only to ICMP echo requests
  - no actual hosts; only attack packets come in
- TCP first-client-packet monitor
  - sending a dummy ACK to a SYN request
  - effective for obtaining the HTTP methods used by attacks
- Traffic/alert logs (syslog, IDS logs)
A real-time analysis method example: change-point detection
- Detecting the timing of a rapid change in a time-variant data flow
- Faster than repetitive statistical testing
  - Fast real-time learning
  - Adaptive to long-term change
- Detection score
  - Fast detection
  - Low false-alarm rate
  - Applicable to DDoS by detecting rapid quantitative change of traffic
(Figure: a data flow over time, with the change point marked)
A change-point analysis example
- MS Blaster activities detected at 12/AUG/2004 5am JST and 18/AUG/2004 1pm JST
(Figure: change-point score and number of dropped packets for TCP port 135 over time; analysis data provided by NEC)
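The two slides above describe the properties of the change-point detector (fast learning, adaptation to long-term change, a detection score, few false alarms) but not its algorithm. The following is an added example, not the detector used by NICT or NEC: an adaptive baseline (exponentially weighted mean and variance) feeds a one-sided CUSUM of standardized residuals, the CUSUM value is the change-point score, and an alarm fires when it crosses a threshold. The per-minute series of dropped packets is constructed to resemble the port-135 outbreak on the slide: a steady rate for an hour, then a tenfold jump.

```python
"""Online change-point scoring for a per-minute packet-count series.

Added example, not the detector used by NICT or NEC: an adaptive baseline
(exponentially weighted mean and variance) feeds a one-sided CUSUM of
standardized residuals.  The CUSUM value is the change-point score; an
alarm is raised when it crosses a threshold.  All input is constructed.
"""
import math


class ChangePointDetector:
    """Adaptive-baseline CUSUM scorer for a stream of counts."""

    def __init__(self, alpha=0.05, drift=0.5, threshold=10.0, warmup=20):
        self.alpha = alpha          # learning rate of the EW baseline
        self.drift = drift          # CUSUM slack, in standard deviations
        self.threshold = threshold  # alarm when the score exceeds this
        self.warmup = warmup        # samples used to seed mean and variance
        self._seed = []
        self.mean = self.var = self.score = 0.0

    def update(self, x):
        """Consume one observation; return (score, alarm)."""
        x = float(x)
        if len(self._seed) < self.warmup:
            # Seed phase: plain mean/variance of the first `warmup` samples.
            self._seed.append(x)
            if len(self._seed) == self.warmup:
                self.mean = sum(self._seed) / self.warmup
                self.var = sum((v - self.mean) ** 2 for v in self._seed) / self.warmup
            return 0.0, False
        sigma = math.sqrt(self.var) if self.var > 1e-9 else 1.0
        z = (x - self.mean) / sigma
        # One-sided CUSUM: accumulate positive surprise, discounted by `drift`.
        self.score = max(0.0, self.score + z - self.drift)
        score = self.score
        if score > self.threshold:
            # Fast re-learning: anchor the baseline at the new level and
            # start looking for the next change instead of re-alarming.
            self.mean = x
            self.score = 0.0
            return score, True
        # Slow adaptation to long-term change (EW mean and variance).
        diff = x - self.mean
        incr = self.alpha * diff
        self.mean += incr
        self.var = (1.0 - self.alpha) * (self.var + diff * incr)
        return score, False


def constructed_series():
    """Per-minute dropped-packet counts for one TCP port (constructed):
    about 100/min with deterministic jitter for 60 minutes, then a jump
    to about 1000/min, as a worm outbreak looks on a blackhole network."""
    return [(100 if i < 60 else 1000) + (i * 7) % 11 - 5 for i in range(90)]


def detect(series, **kwargs):
    """Run the detector over a series; return (alarm indices, scores)."""
    det = ChangePointDetector(**kwargs)
    alarms, scores = [], []
    for i, x in enumerate(series):
        score, alarm = det.update(x)
        scores.append(score)
        if alarm:
            alarms.append(i)
    return alarms, scores


if __name__ == "__main__":
    alarms, scores = detect(constructed_series())
    print("change points at minutes:", alarms)
    print("peak score before the jump: %.2f" % max(scores[:60]))
```

The drift term is what keeps the false-alarm rate low: ordinary jitter contributes less than half a standard deviation per minute and the score decays back to zero, while a sustained step accumulates until it crosses the threshold within a single minute here. Re-anchoring the mean after an alarm is the "fast learning" half; the exponentially weighted update is the slow adaptation to long-term change.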
Other candidate algorithms for the real-time traffic analysis
- Rare-ratio analysis
  - determining how rare an event is, using the standard/Gaussian distribution model
- Differential analysis
  - comparing the event-rate difference between short-term and long-term time frames
- These analyses are effective for comparing logs of multiple IDSes with different network traffic characteristics
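The point of both algorithms is that each sensor is scored against its own history, so a busy IDS and a quiet one produce comparable numbers. The following is an added example (not the NICT system's code) that implements both measures over per-minute alert counts: the rare ratio as the Gaussian tail probability of the recent rate under the sensor's long-term mean and standard deviation, and the differential as the ratio of the short-term rate to the long-term rate. Sensor names and counts are constructed.

```python
"""Rare-ratio and differential scoring of IDS alert-rate logs.

Added example (not the NICT system's code).  Each sensor's per-minute alert
counts are scored against its own history, so sensors with very different
baselines become comparable:
  - rare ratio: Gaussian tail probability P(X >= current) of the recent rate
    under the sensor's long-term mean and standard deviation;
  - differential: ratio of the short-term rate to the long-term rate.
Sensor names and counts below are constructed.
"""
import math
from statistics import mean, pstdev


def gaussian_tail(x, mu, sigma):
    """P(X >= x) for X ~ N(mu, sigma^2): how rare an observation x is."""
    if sigma <= 0.0:
        return 1.0 if x <= mu else 0.0
    z = (x - mu) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def score_sensor(counts, short=5, long=60):
    """Score the last `short` minutes of one sensor against the preceding
    `long - short` minutes; return a dict with both measures."""
    if len(counts) < long:
        raise ValueError("need at least %d samples" % long)
    recent = counts[-short:]
    base = counts[-long:-short]
    current = mean(recent)
    base_rate = mean(base)
    rare = gaussian_tail(current, base_rate, pstdev(base))
    if base_rate > 0:
        diff = current / base_rate
    else:
        diff = math.inf if current > 0 else 1.0
    return {"short_rate": current, "long_rate": base_rate,
            "rare_ratio": rare, "differential": diff}


def rank_sensors(logs, **kwargs):
    """Rank sensors by rarity (smallest tail probability first); ties are
    broken by the differential ratio, largest first."""
    scored = [(name, score_sensor(counts, **kwargs)) for name, counts in logs.items()]
    scored.sort(key=lambda item: (item[1]["rare_ratio"], -item[1]["differential"]))
    return scored


def constructed_logs():
    """60 minutes of alert counts for three hypothetical IDS sensors."""
    def jitter(i):                      # deterministic, zero-mean noise
        return (i * 7) % 11 - 5
    return {
        "ids-busy": [200 + jitter(i) for i in range(60)],                   # noisy, stable
        "ids-quiet": [5 + i % 3 for i in range(60)],                        # low, stable
        "ids-burst": [30 + jitter(i) if i < 55 else 300 for i in range(60)],  # bursts
    }


if __name__ == "__main__":
    for name, s in rank_sensors(constructed_logs()):
        print("%-10s rate %6.1f -> %6.1f  P(rare)=%.3g  short/long=%.2f"
              % (name, s["long_rate"], s["short_rate"], s["rare_ratio"], s["differential"]))
```

The busy sensor's raw count (about 200 alerts a minute) is far above the bursting sensor's baseline, yet it ranks last because its recent window is ordinary for that sensor; the burst is what both measures single out.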
An example of in-depth analysis: DDoS attacks on a well-known site
- The virus generates simultaneous HTTP requests on specific days of the month
- The attacked site can no longer serve normal HTTP requests
- In-depth analysis performed by our engineers
  - using actual traffic captured at the victim server
  - with the cooperation of Telecom-ISAC and OCN (the ISP of NTT in Japan)
  - twice, in August 2004 and August 2005
In-depth DDoS analysis summary (1/2)
- Preprocessing per-minute logs of captured data
  - making digests of the per-minute logs
    - discarding unrelated payload contents
    - preserving the data necessary for analysis
    - reducing the amount of data to process
  - making an access history of hosts for each IP source address
In-depth DDoS analysis summary (2/2)
- Making a per-host attack activity ranking
  - based on the history of each host
  - using the numbers of transmitted bytes, packets, HTTP requests, and session connection time
- Profiling based on HTTP methods
  - per-hour summary for each method sent
- Passive operating system estimation using TCP signatures (p0f)
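The per-host ranking and the per-hour method profile are the two steps of this summary that can be shown directly on digest records. The following is an added example, not the analysis scripts of the NICT engineers: it builds the access history of each source address from records shaped like the TCP digest (UNIX time, packet length, source address, payload length, request line if any), ranks hosts, and counts request lines per hour in JST. The combined ranking score is an assumption (each host's share of total bytes, packets, HTTP requests and connection time, summed), "session connection time" is approximated as last-seen minus first-seen, and the records are constructed.

```python
"""Per-host activity ranking and per-hour HTTP-method profiling over
digested packet records.

Added example, not the analysis scripts of the NICT engineers.  The ranking
score (sum of a host's shares of total bytes, packets, HTTP requests and
connection time) and the duration approximation (last seen minus first
seen) are assumptions; the digest records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

JST = timezone(timedelta(hours=9))


def constructed_digest():
    """Constructed TCP digest records for three hypothetical source hosts."""
    t0 = int(datetime(2005, 7, 31, 6, 32, tzinfo=timezone.utc).timestamp())  # 15:32 JST
    rows = [  # (offset s, src, packet length, payload length, request line)
        (0, "10.0.0.1", 380, 320, "GET / HTTP/1.1"),
        (2, "10.0.0.1", 380, 320, "GET / HTTP/1.1"),
        (60, "10.0.0.1", 380, 320, "GET / HTTP/1.1"),
        (1800, "10.0.0.1", 380, 320, "GET / HTTP/1.1"),  # 16:02 JST
        (1805, "10.0.0.1", 60, 0, None),                 # bare ACK, no request
        (5, "10.0.0.2", 520, 460, "POST / HTTP/1.1"),
        (6, "10.0.0.2", 520, 460, "POST / HTTP/1.1"),
        (7, "10.0.0.2", 520, 460, "POST / HTTP/1.1"),
        (30, "10.0.0.3", 300, 240, "GET / HTTP/1.0"),
    ]
    return [{"time": t0 + dt, "src": src, "length": length,
             "payload_len": plen, "method": req}
            for dt, src, length, plen, req in rows]


def host_history(records):
    """Access history per source address: packets, bytes, HTTP requests,
    first/last time seen and the resulting connection duration."""
    hist = defaultdict(lambda: {"packets": 0, "bytes": 0, "requests": 0,
                                "first": None, "last": None})
    for r in records:
        h = hist[r["src"]]
        h["packets"] += 1
        h["bytes"] += r["length"]
        if r["method"]:
            h["requests"] += 1
        h["first"] = r["time"] if h["first"] is None else min(h["first"], r["time"])
        h["last"] = r["time"] if h["last"] is None else max(h["last"], r["time"])
    for h in hist.values():
        h["duration"] = h["last"] - h["first"]
    return dict(hist)


def rank_hosts(records):
    """Rank hosts by the sum of their shares of each activity metric."""
    hist = host_history(records)
    metrics = ("bytes", "packets", "requests", "duration")
    totals = {m: sum(h[m] for h in hist.values()) for m in metrics}
    ranked = []
    for src, h in hist.items():
        score = sum(h[m] / totals[m] for m in metrics if totals[m])
        ranked.append((src, round(score, 3), h))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


def method_profile(records):
    """Per-hour (JST) count of each HTTP request line seen."""
    profile = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["method"]:
            hour = datetime.fromtimestamp(r["time"], JST).strftime("%Y-%m-%d %H")
            profile[hour][r["method"]] += 1
    return {hour: dict(methods) for hour, methods in profile.items()}


if __name__ == "__main__":
    recs = constructed_digest()
    for src, score, h in rank_hosts(recs):
        print(src, score, h["packets"], h["bytes"], h["requests"], h["duration"])
    for hour, methods in sorted(method_profile(recs).items()):
        print(hour, methods)
```

Bare ACKs count toward packets and bytes but not toward requests, which is why the record without a request line is kept in the digest: a host holding connections open contributes to the duration metric even when it sends few requests.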
Digested log values and fields of each DDoS attacking packet
- TCP
  - UNIX time() value
  - Packet length
  - Source IP address
  - Destination IP address
  - IP header flags
  - TCP header length
  - "T" for identifying TCP
  - Source port number
  - Destination port number
  - Sequence number
  - Ack number
  - TCP flags
  - TCP payload length
  - HTTP method (if present)
- UDP
  - UNIX time() value
  - Source IP address
  - Destination IP address
  - IP header flags
  - "U" for identifying UDP
  - Source port number
  - Destination port number
  - UDP payload length
- ICMP
  - UNIX time() value
  - Source IP address
  - Destination IP address
  - IP header flags
  - "I" for identifying ICMP
  - Type
  - Code
  - ICMP payload length
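The field lists above define what survives the digest step and what is thrown away. The following is an added example, not the digest tool used for the analysis, that reduces raw IPv4 packets to exactly these per-protocol field sets. Assumptions: the capture delivers raw IPv4 packets without a link-layer header, each with a UNIX timestamp; the "HTTP method" field is the first request line of a TCP payload that begins with an HTTP method token, and all other payload is discarded; checksums are neither computed nor verified. The three sample packets are constructed in the file.

```python
"""Digesting raw IPv4 packets into the per-protocol field sets listed above.

Added example, not the digest tool used for the analysis.  Assumptions:
raw IPv4 packets (no link-layer header) with a UNIX timestamp each; the
'HTTP method' field is the first request line of a TCP payload that starts
with a method token; all other payload is discarded; checksums are neither
computed nor verified.  Sample packets are constructed below.
"""
import socket
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
REQ = b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"   # constructed request


def ipv4_digest(ts, pkt):
    """Reduce one raw IPv4 packet to its digest dict, or None if unusable."""
    if len(pkt) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(pkt) < ihl:
        return None
    l4 = pkt[ihl:max(ihl, min(total_len, len(pkt)))]
    d = {"time": ts, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
         "ip_flags": flags_frag >> 13}           # 3-bit IP flags field (DF = 2)
    if proto == 6 and len(l4) >= 20:             # TCP
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        thl = (off_flags >> 12) * 4
        payload = l4[thl:]
        method = None
        if payload.startswith(HTTP_METHODS):     # keep only the request line
            method = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        d.update(proto="T", length=len(pkt), tcp_hdr_len=thl, sport=sport,
                 dport=dport, seq=seq, ack=ack, tcp_flags=off_flags & 0x01FF,
                 payload_len=len(payload), method=method)
    elif proto == 17 and len(l4) >= 8:           # UDP
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        d.update(proto="U", sport=sport, dport=dport, payload_len=max(0, ulen - 8))
    elif proto == 1 and len(l4) >= 8:            # ICMP
        itype, icode = struct.unpack("!BB", l4[:2])
        d.update(proto="I", type=itype, code=icode, payload_len=len(l4) - 8)
    else:
        return None                               # other protocols are not digested
    return d


# --- constructed packets for demonstration (checksums left zero) -----------

def _ipv4(proto, src, dst, l4, flags=2):
    """IPv4 header (DF set by default) in front of a transport segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, flags << 13,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4


def tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b""):
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    return _ipv4(6, src, dst, hdr + payload)


def udp_packet(src, dst, sport, dport, payload):
    return _ipv4(17, src, dst, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)


def icmp_echo(src, dst, payload=b""):
    return _ipv4(1, src, dst, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload)


def constructed_capture():
    """(timestamp, raw packet) pairs as a capture at the victim might yield."""
    return [
        (1122791520, tcp_packet("10.0.0.1", "10.0.0.80", 3401, 80, 1000, 2000, 0x18, REQ)),
        (1122791521, udp_packet("10.0.0.2", "10.0.0.80", 4000, 53, b"\x00" * 12)),
        (1122791522, icmp_echo("10.0.0.3", "10.0.0.80", b"ping")),
    ]


def digest_capture(capture):
    """Digest a whole capture, dropping packets that cannot be parsed."""
    return [d for d in (ipv4_digest(ts, pkt) for ts, pkt in capture) if d]


if __name__ == "__main__":
    for d in digest_capture(constructed_capture()):
        print(d)
```

Truncated or malformed packets yield None rather than an exception, which matters on a capture taken during an attack: the digest pass must keep running over gigabytes of hostile input, and a crash on one odd packet would lose the whole minute.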
DDoS activity of July 31, 2005
(Figure: numbers of packets per request type, log scale from 1 to 1,000,000, versus time in JST from 15:32 to 23:46; series: GET / HTTP/1.1, GET / HTTP/1.0, POST / HTTP/1.1, POST / HTTP/1.0, POST /cgi-bin/.. HTTP/1.1, POST /cgi-bin/.. HTTP/1.0. Annotation: "GET HTTP/1.1 climbing up".)
DDoS activity of August 1, 2005
(Figure: numbers of packets per request type, log scale from 1 to 1,000,000, versus time in JST from 0:00 to 23:46; same six series as the July 31 figure. Annotations: "GET / HTTP/1.1 traffic jumped up", "POST /cgi-bin/... HTTP/1.1 traffic slightly decreased", "GET / HTTP/1.0 has a similar pattern to GET / HTTP/1.1".)
DDoS activity of August 2, 2005
(Figure: number of packets per request type, log scale from 1 to 1,000,000, versus time in JST from 0:00 to 23:28; same six series as the July 31 figure. Annotations: "GET / HTTP/1.1 back to previous amount of traffic", "POST /cgi-bin/... HTTP/1.1 remained almost the same", "GET / HTTP/1.0 reduced to almost zero after 7am".)
Operating systems estimated for the DDoS attacking hosts (the DDoS virus has been known as Windows-specific)
- Windows 2000 SP4, XP SP1
- Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
- Windows XP Pro SP1, 2000 SP3
- Windows XP Pro SP1, 2000 SP3 (NAT!)
- Windows XP/2000 [GENERIC]
- Windows 3.11 (Tucows) (firewall!)
- OpenBSD 3.0 (note: this is probably the OS of a Web proxy server)
- Windows XP/2000 (RFC1323 no tstamp) [GENERIC]
- Windows 2000 SP4, XP SP1 (firewall!)
- Windows XP (RFC1323, w+) [GENERIC]
Trends observed from the monitored DDoS activities
- Increased on day 1 of the month: the two GET activities
- Steady traffic: the two POST HTTP/1.1 activities
- Steady traffic: the two POST HTTP/1.0 activities
- While the above three trend groups were the same as in 2004, the detailed time variance of the traffic has changed
Another candidate algorithm for in-depth analysis and visualization: self-organizing maps
- SOMs are effective for detecting similarities between different datasets
- The meaning of the resulting figures is non-trivial, though
(Figure: SOMs showing similar patterns for the / and /cgi... POST methods; similarity detected between incoming TCP packets and HTTP POST methods)
Schedule and things to do
- Research towards data integration is needed
- More expertise and research work are needed to understand the relationship between data trends and actual incidents happening on the networks
- More information sources are needed
- We need to be careful about the legal requirements and the rights of the network users (i.e., privacy of traffic)
Schedule:
- December 2005: 1st beta-version demo of the Incident Analysis Center System
- Production-level operation in 2007