Safely Sharing Data Between CSIRTs: The SCRUB* Security Anonymization Tool Infrastructure



Similar documents
NVisionIP and VisFlowConnect-IP: Two Tools for Visualizing NetFlows for Security

Case Study: Instrumenting a Network for NetFlow Security Visualization Tools

CANINE: A Combined Conversion and Anonymization Tool for Processing NetFlows for Security

Sharing Network Logs for Computer Forensics: A New Tool for the Anonymization of NetFlow Records

NVisionIP: An Interactive Network Flow Visualization Tool for Security

Visualizing NetFlows for Security at Line Speed: The SIFT Tool Suite

VisFlowConnect-IP: A Link-Based Visualization of NetFlows for Security Monitoring

Log Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security

NetFlow/IPFIX Various Thoughts

Presenting Mongoose A New Approach to Traffic Capture (patent pending) presented by Ron McLeod and Ashraf Abu Sharekh January 2013

Scalable Extraction, Aggregation, and Response to Network Intelligence

Network Monitoring for Cyber Security

Bridging the gap between COTS tool alerting and raw data analysis

Cisco IOS Flexible NetFlow Technology

Visualization for Network Traffic Monitoring & Security

Security Incident Management Essentials Compiled as a service to the community by Internet2, EDUCAUSE, and REN-ISAC

SPACK FIREWALL RESTRICTION WITH SECURITY IN CLOUD OVER THE VIRTUAL ENVIRONMENT

Countermeasure for Detection of Honeypot Deployment

Research on Errors of Utilized Bandwidth Measured by NetFlow

Internet Management and Measurements Measurements

Redefine Network Visibility in the Data Center with the Cisco NetFlow Generation Appliance

Security Toolsets for ISP Defense

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Anonym: A Tool for Anonymization of the Internet Traffic

Anontool and NetFlow Anonymization Tools

Flow Analysis Versus Packet Analysis. What Should You Choose?

A Visualization Technique for Monitoring of Network Flow Data

Adam J. Slagell Phone: Phinney Dr

NETWORK SECURITY (W/LAB) Course Syllabus

Application Note. Onsight Connect Network Requirements v6.3

JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT. Test Code: 4514 Version: 01

Network Security Administrator

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Network Monitoring using MMT:

Gaining Operational Efficiencies with the Enterasys S-Series

Second-generation (GenII) honeypots

Thanks to SECNOLOGY s wide range and easy to use technology, it doesn t take long for clients to benefit from the vast range of functionality.

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

NetFlow Tracker Overview. Mike McGrath x ccie CTO mike@crannog-software.com

HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS

Configuring DHCP Snooping

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Internet Traffic Measurement

packet retransmitting based on dynamic route table technology, as shown in fig. 2 and 3.

UNMASKCONTENT: THE CASE STUDY

A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds

Index Terms Domain name, Firewall, Packet, Phishing, URL.

Network Security Monitoring

Application of Data Mining Techniques in Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection

Innovative, High-Density, Massively Scalable Packet Capture and Cyber Analytics Cluster for Enterprise Customers

SANS Top 20 Critical Controls for Effective Cyber Defense

Implementation of Botcatch for Identifying Bot Infected Hosts

Network congestion control using NetFlow

Algorithms and Tools for Anonymization of the Internet Traffic

Towards Autonomic DDoS Mitigation using Software Defined Networking

Network Security Demonstration - Snort based IDS Integration -

High Speed Data Transfer from the APS. Kenneth Sidorowicz September 27, 2006

pt360 FREE Tool Suite Networks are complicated. Network management doesn t have to be.

Real-Time Analysis of CDN in an Academic Institute: A Simulation Study

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

How To Manage Sourcefire From A Command Console

A VoIP Traffic Monitoring System based on NetFlow v9

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Intrusion Detection for Mobile Ad Hoc Networks

Traffic Prediction in Wireless Mesh Networks Using Process Mining Algorithms

LogLogic Cisco NetFlow Log Configuration Guide

Network Service, Systems and Data Communications Monitoring Policy

Network Log Anonymization: Application of Crypto-PAn to Cisco Netflows

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

Flow Analysis. Make A Right Policy for Your Network. GenieNRM

IPTV Traffic Monitoring System with IPFIX/PSAMP

Intrusion Detection: Game Theory, Stochastic Processes and Data Mining

Developing Network Security Strategies

Intrusion Detection System using Log Files and Reinforcement Learning

Situational Awareness Through Network Visualization

Traffic Monitoring : Experience

Bio-inspired mechanisms for efficient and adaptive network security

Network Monitoring and Forensics

Flexible Web Visualization for Alert-Based Network Security Analytics

Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks

Transcription:

Safely Sharing Data Between CSIRTs: The SCRUB* Security Anonymization Tool Infrastructure William Yurcik* <byurcik@gmail.com> Clay Woolam, Greg Hellings, Latifur Khan, Bhavani Thuraisingham University of Texas at Dallas 20 th Annual FIRST Conference Vancouver Canada June 2008

The SCRUB* Architecture packet traces commands processes MSSP CERT (1) SCRUB-tcpdump (2) Organization Enabled for Distributed Sharing SCRUB-PACCT (3) SCRUB-NetFlows (4) SCRUB-Alerts CANINE (format converter) Other Organizations ISAC NetFlows (Cisco, Argus, IPFix) IDS Firewall Virus

SCRUB* Motivation Why Should We Share Security Data? Event correlation across administrative domains is needed based on shared data We cannot continue to stop attacks at organizational borders, we need to cooperate with law enforcement and each other. Chasing attackers away to other organizations does not improve security Need to share security data between organizations in order to Detect attacks Blacklist attackers and attacker techniques Distinguishing normal versus suspicious network traffic patterns

SANS

State-of-the-Art in Security Data Sharing 1 6 All too common 5 Data Sharing Organization 2 4 Policy Domain 3

For Safe Data Sharing: Two Types of Data To Protect Private Data User-identifiable information user content (Email messages, URLs) user behavior (access patterns, application usage) Machine/Interface addresses IP and MAC addresses Sensitive Data System configurations (services, topology, routing) Traffic patterns (connections, mix, volume) Security defenses (firewalls, IDS, routers) Attack impacts

SCRUB* TOOL 1: Anonymizes packet traces packet traces can contain the most private/sensitive data packet traces are the authoritative raw security source Leverage a popular existing tool tcpdump Anonymizes any/all packet fields (12) Each field has multiple anonymization options none/low/medium/high levels of protection for protecting the same data field

SCRUB* TOOL 2: SCRUB-PACCT Anonymizes proccess accounting logs process accounting records contain user IDs and user command behavior process accounting records contain precise timing information for event correlation between systems Anonymizes any/all process accounting fields (16) Each field has multiple anonymization options none/low/medium/high levels of protection for protecting the same data field

SCRUB* TOOL 3: SCRUB-NetFlows Anonymizes NetFlow logs NetFlows logs efficiently aggregate packet traffic by connections Most commonly shared security data Anonymizes any/all NetFlow fields (5) Each field has multiple anonymization options none/low/medium/high levels of protection for protecting the same data field

SCRUB* Fields of Interest Between Data Sources 1. Transport Protocol Number data sources: packet, NetFlows, alerts 2. IP Address data sources: packet, NetFlows, alerts 3. Ports data sources: packet, NetFlows, alerts 4. Payload data sources: packet, alerts 5. Timestamp data sources: packet, process accounting, NetFlows, alerts

Multi-Level Anonymization Options Black Marker (filtering/deletion) Pure Randomization (replacement) Keyed Randomization (replacement) Annihilation/Truncation (time, accuracy reduction) Prefix-Preserving Pseudonymization (IP address) Grouping (accuracy reduction) Bilateral Classification Enumeration (time, adding noise) Time Shift (time, adding noise)

A Problem with Anonymization for Sharing: Privacy vs. Analysis Tradeoffs while anonymization protects against information leakage it also destroys data needed for security analysis Zero-Sum? (more privacy <> less analysis & vice versa) to date, no quantitative measurements of how useful anonymized data is for security analysis

Empirically Measuring Anonymization Privacy/Analysis Tradeoffs Series of experiments to test effects of different anonymizations options Use snort IDS alarms as a metric for security analysis snort alarms Data Set

Summary There is a critical need for security data sharing between organizations Anonymization can provide safe data sharing Multi-Field: prevent information leakage Multi-Level: no one-size-fits-all anonymization solution A practical data sharing infrastructure is needed which supports multiple data sources SCRUB* tool suite for packet traces, process accounting, NetFlows, alerts Privacy/analysis anonymization tradeoffs can be characterized Zero-Sum tradeoff? (not always, more complex than this) Multi-Level anonymization options can/should be tailored to requirements of sharing parties to optimize tradeoffs More tradeoff measurements are in progress

References Background on Using Anonymization to Safely Share Security Data A.J. Slagell and W. Yurcik, Sharing Computer Network Logs for Security and Privacy: A Motivation for New Methodologies of Anonymization, 1st IEEE Intl. Workshop on the Value of Security through Collab. (SECOVAL), 2005. A.J. Slagell and W. Yurcik, Sharing Network Logs for Security and Privacy: A Motivation for New Methodologies of Anonymization, ACM Computing Research Repository (CoRR) Technical Report cs.cr/0409005, September 2004. X. Yin, K. Lakkaraju, Y. Li, and W. Yurcik, Selecting Log Data Sources to Correlate Attack Traces For Computer Network Security: Preliminary Results, 11th Intl. Conf. on Telecomunications, 2003. W. Yurcik, James Barlow, Yuanyuan Zhou, Hrishikesh Raje, Yifan Li, Xiaoxin Yin, Mike Haberman, Dora Cai, and Duane Searsmith, Scalable Data Management Alternatives to Support Data Mining Heterogeneous Logs for Computer Network Security, SIAM Workshop on Data Mining for Counter Terrorism and Security, 2003. J. Zhang, N. Borisov, and W. Yurcik, Outsourcing Security Analysis with Anonymized Logs, 2nd IEEE Intl. Workshop on the Value of Security through Collab. (SECOVAL), 2006. J. Zhang, N. Borisov, W. Yurcik, A.J. Slagell, and Matthew Smith, Future Internet Security Services Enabled by Sharing of Anonymized Logs, Workshop on Security and Privacy in Future Business Services held in conjunction with International Conference on Emerging Trends in Information and Communication Security (ETRICS), University of Freiburg Germany, 2006. SCRUB* Tool (1) SCRUB-tcpdump < http://scrub-tcpdump.sourceforge.net/> W. Yurcik, C. Woolam, G. Hellings, L. Khan, and B. Thuraisingham, SCRUB-tcpdump: A Multi-Level Packet Anonymizer Demonstrating Privacy/Analysis Tradeoffs, 3rd IEEE Intl. Workshop on the Value of Security through Collab. (SECOVAL), 2007. SCRUB* Tool (2) SCRUB-PACCT <http://security.ncsa.uiuc.edu/distribution/scrub-padownload.html> C. Ermopoulos and W. Yurcik, NVision-PA: A Process Accounting Analysis Tool with a Security Focus on Masquerade Detection in HPC Clusters, IEEE Intl. Conf. on Cluster Computing (Cluster), 2006. K. Luo, Y. Li, C. Ermopoulos, W. Yurcik, and A.J. Slagell, SCRUB-PA: A Multi-Level Multi-Dimensional Anonymization Tool for Process Accounting, ACM Computing Research Repository (CoRR) Technical Report cs.cr/0601079, January 2006. W. Yurcik and C. Liu, A First Step Toward Detecting SSH Identity Theft in HPC Cluster Environments, Discriminating Masqueraders Based on Command Behavior, 1st Intl. Workshop on Cluster Security (Cluster-Sec) in conjunction with 5th IEEE Intl. Symposium on Cluster Computing and the Grid (CCGrid), 2005. SCRUB* Tool (3) SCRUB-NetFlows < http://scrub-netflows.sourceforge.net/> > Y. Li, A.J. Slagell, K. Luo, and W. Yurcik, CANINE: A Combined Converter and Anonymizer Tool for Processing NetFlows for Security, 13th Intl. Conf. on Telecomunications Systems, 2005. K. Luo, Y. Li, A.J. Slagell, and W. Yurcik, CANINE: A NetFlows Converter/Anonymizer Tool for Format Interoperability and Secure Sharing, FLOCON Network Analysis Workshop (Network Flow Analysis for Security Situational Awareness), 2005. A.J. Slagell, J. Wang, and W. Yurcik, Network Anonymization: The Application of Crypto-PAn to Cisco NetFlows, IEEE/NSF/AFRL Workshop on Secure Knowledge Management (SKM), 2004.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information