LAN-Security Monitoring Project - The University of Tokyo Assoc. Prof., Hideya Ochiai, Ph.D.

LAN-Security Monitoring Project

The University of Tokyo
Assoc. Prof., Hideya Ochiai, Ph.D.
Background
• Cyber Threats in Local Area Networks (LANs)
   • Vulnerabilities tend to remain inside LANs.
   • E.g.,
       • Most smart-home devices, smart-building devices, etc. can be
         accessed directly and easily without authentication.
       • Routers are deployed with the default username/password for login
         from the LAN side.
       • Operating systems whose support has expired keep running without
         further patches (e.g. Windows XP).
• Cyber Space Situation around LANs
   • Malware Distribution by Phishing E-mails
       • Malware can be delivered to the hosts of Local Area Networks
         even if there are firewalls at the routers.
   • Malware Distribution over HTTPS (Phishing Sites)
       • Malware can be delivered to the hosts of Local Area Networks
         because the payloads of HTTPS cannot be inspected.
   • Connection of Malware-Infected Smartphones via Wi-Fi
       • Through Wi-Fi, malware can spread from inside the network.
How Malware Spreads inside a LAN

• Malware that spreads inside a LAN tries to find open
  TCP/UDP ports available for further intrusion.
   • It has to access the hosts on the LAN one by one, by sending IP
     packets to all the IP addresses.
• Spyware that tries to intrude and retrieve data may also
  work in the same way.
   • E.g., to find available database servers (MySQL, PostgreSQL),
     it sends IP packets to all the IP addresses.

Here, “ARP Requests” to find the MAC address of each
 target IP address will be broadcast from the malicious
 host to the entire local network.
ARP Request prior to IP Packets

  Host A  ---- ARP Request (broadcast) ---->  Host B
  (A wants to find B)

  By monitoring ARP requests,
  we can see that A wanted to communicate with B.
Connection Graph generated in this way

(Figure: connection graph with nodes including Internet GW,
 Malicious Host 1 and Malicious Host 2.)
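The slides above describe the chain: an address sweep sends IP packets to every address, each of which first needs a broadcast ARP request, and a passive observer can turn those requests into a "who wanted to talk to whom" graph. The following Python is an added example, not the project's own code (the deck does not describe the device's implementation or the server-side analysis): it parses raw Ethernet+ARP request frames, builds the sender-to-target connection graph, and flags any sender that asked for an unusually large number of distinct targets, which is the sweep pattern the slides describe. All frames, MAC and IP addresses, and the threshold of 20 distinct targets are constructed for this example.

```python
"""ARP-request connection graph and address-sweep detection (constructed example)."""
import ipaddress
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
BROADCAST_MAC = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
SCAN_THRESHOLD = 20          # distinct targets per sender; assumed value for this example


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Construct an Ethernet+ARP request frame as a broadcast listener would capture it."""
    eth = BROADCAST_MAC + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST,
                      sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp_request(frame: bytes):
    """Return (sender_mac, sender_ip, target_ip) for an IPv4-over-Ethernet ARP request, else None."""
    if len(frame) < 14 + struct.calcsize(ARP_FMT):
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None  # other broadcast traffic (e.g. IPv4 DHCP) is ignored by this example
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4) or oper != ARP_REQUEST:
        return None  # replies and non-IPv4/Ethernet ARP carry no "A wants B" edge
    return sha.hex(":"), str(ipaddress.IPv4Address(spa)), str(ipaddress.IPv4Address(tpa))


def build_connection_graph(frames):
    """Map each sender IP to the set of target IPs it sent ARP requests for."""
    graph = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed is None:
            continue
        _mac, sender_ip, target_ip = parsed
        if sender_ip == target_ip:
            continue  # gratuitous ARP announces the sender itself; not a connection attempt
        graph[sender_ip].add(target_ip)
    return dict(graph)


def find_scanning_hosts(graph, threshold=SCAN_THRESHOLD):
    """Senders that asked for at least `threshold` distinct targets look like address sweeps."""
    return sorted(ip for ip, targets in graph.items() if len(targets) >= threshold)


# Constructed sample capture: one benign host talking to the gateway and a printer,
# one non-ARP broadcast frame, and one host sweeping the whole /24.
BENIGN_MAC = bytes.fromhex("02aabbccdd10")
SCANNER_MAC = bytes.fromhex("02aabbccdd50")


def make_sample_frames():
    frames = [
        build_arp_request(BENIGN_MAC, "192.168.1.10", "192.168.1.1"),
        build_arp_request(BENIGN_MAC, "192.168.1.10", "192.168.1.20"),
        build_arp_request(BENIGN_MAC, "192.168.1.10", "192.168.1.1"),   # repeat: same edge
        BROADCAST_MAC + BENIGN_MAC + struct.pack("!H", ETHERTYPE_IPV4) + b"\x00" * 28,  # not ARP
    ]
    for last in range(1, 255):  # includes 192.168.1.50 itself, which is skipped as gratuitous
        frames.append(build_arp_request(SCANNER_MAC, "192.168.1.50", f"192.168.1.{last}"))
    return frames


SAMPLE_FRAMES = make_sample_frames()

if __name__ == "__main__":
    graph = build_connection_graph(SAMPLE_FRAMES)
    for sender, targets in sorted(graph.items()):
        print(f"{sender} -> {len(targets)} distinct target(s)")
    print("suspected sweeps:", find_scanning_hosts(graph))
```

Two caveats worth keeping in mind when reading the resulting graph: ARP only reveals targets on the sender's own subnet, since packets to other subnets are resolved via the gateway's address alone, and the graph records intent (who asked for whom), not whether the target ever answered.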
So … LAN Security Monitoring Project
• We introduce a ‘LAN-Security Monitoring Device’ to see malicious
  activities happening inside a LAN.
• LAN-Security Monitoring Device: though it is not a real camera, it works
  like a ‘cyber-space surveillance camera’.
  (*) it captures all the broadcast packets.

(Figure: a LAN (Local Area Network) containing a Data Server, a Printer,
 Smartphones and Smart Appliances; an ARP Request is broadcast to the
 entire LAN and captured by the monitoring device.)
LAN Security Monitoring Project
           -- System Architecture --
① Install a monitoring device into a LAN.
  It will be automatically connected to the server,
  and start monitoring.
② Analysis of suspicious activities on the Server
  with machine learning.
③ Report to the network administrator by e-mail.
Monitoring Device
① Connect your ‘LAN-Security Monitoring Device’ to a LAN port of your switching hub or router.
  (*) connecting to a guest network is better (it is better not to deploy into critical networks).
② Power on your ‘LAN-Security Monitoring Device’.

• Just as a surveillance camera captures the view that reaches the device, this
  device captures all the broadcast frames in its LAN that reach the device.
• The data is compressed, encrypted and transferred at midnight, through a secured
  channel, to a server securely operated in the University of Tokyo.
• If malicious activities are observed in the LAN, the server-side program will
  detect them and notify the network administrator.
  (*) this service will start after April 2019.
Malicious Activity Detected on 2019-02-04
Joint Project – Collaborators (as of 2019-02-16)
•   Chulalongkorn University, Thailand
•   Asian Institute of Technology, Thailand
•   National University of Laos, Laos
•   University of Information Technology, Myanmar
•   Universiti Kuala Lumpur, Malaysia
•   Indian Institute of Technology Hyderabad, India
•   Bangladesh University of Engineering and Technology, Bangladesh
•   Nara Institute of Science and Technology, Japan
•   Individuals (for Home Networks)
Installation: 4 universities, 6 home networks
Call for Collaborations & How to Join the Project
1. Please contact me (Associate Prof. Dr. Hideya Ochiai)
   E-mail: ochiai@elab.ic.i.u-tokyo.ac.jp
           or lan-security@hongo.wide.ad.jp
2. We will discuss and design our collaboration points.
   •   Installation of Monitoring Devices
   •   Intrusion Detection Algorithms (with Machine Learning)
   •   Development of System Platforms
   •   Student Exchanges
   •   Application of Funds
3. Deploy the collaboration.
   This activity will create achievements,
   e.g., Publications, Ph.D., Social Impacts.