THE CHALLENGES OF ASSISTING THREATS DETECTION, ANALYSIS, AND RESPONSE BY DATA-MINING TECHNOLOGY - NETWORK MUSCLE LEARNING (NML) PROJECT YUJI ...
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
THE CHALLENGES OF ASSISTING
THREATS DETECTION, ANALYSIS, AND RESPONSE
BY DATA-MINING TECHNOLOGY
NETWORK MUSCLE LEARNING (NML) PROJECT
YUJI SEKIYA (THE UNIVERSITY OF TOKYO)
EUNITY Project Workshop in Japan Apr. 26, 2019 1
BACKGROUND
• We have security incidents.
• Person(s) responsible for Cybersecurity are busy for
incident responses.
• Academic organizaWons also had criWcal incidents in
Japan.
• Need more security EXPERTs.
• But not enough cost and human resource.
• Can AI help the incident response ?
• What kinds of informaWon need for making assistance for
Cybersecurity ?
EUNITY Project Workshop in Japan Apr. 26, 2019 21. Attacks and Anomality Detection using Big
Datasets and Machine Learning.
• Combination with existing IDS/IPS devices
2. Finding the motivation of attackers
• Social Datasets : Web, SNS, Dark Web
• Some motivations for attacks such as politics issue,
CHALLENGES OF making money, and memorial days.
THIS RESEARCH 3. Assistance of Incident / Response
• Collecting Incident / Response cases
• Assist non-expert security operators to analysis
attacker’s behaviors and their decision of incident
response.
4. Providing Open Datasets
EUNITY Project Workshop in Japan
• Datasets for future researches Apr. 26, 2019 3APPROACH
PROACTIVE Cyber Defense AI for Cybersecurity REACTIVE Cyber Defense
using Social Datasets using Infra Datasets
Prediction of trends of cyber Collect cyber threat data
threats by natural language aimed at network devices,
analysis of social data Proactive Reactive servers, client terminals, etc.
Social Server
SNS Dark Motivation and Evidence of
Router EndPoint
Web attacks
Social Network
Datasets Infrastructure
Assistance of Analysis Datasets
and Incident Response
EUNITY Project Workshop in Japan
For Non-Experts Apr. 26, 2019 4PROACTIVE APPROACH
• Picking up social trends published in SNS, Web, etc…
• Tweets of important users.
• ArWcles showing poliWcal, social and religious trends.
• There is always "intent" or "moWve" in the afack.
• It is poliWcal or financial purpose. Machine
Learning Prediction and
Learning Assistance
• CollecWng from Dark Web Sites.
• By collecWng these informaWon and Collecting
learn the relaWonship with cyber afacks, DB
(Social Dataset)
Security Operator
can we predict a trend of cyber threat ?
EUNITY Project Workshop in Japan Apr. 26, 2019 5REACTIVE APPROACH
• When an incident occurred
• Security Operator will …
1. Decide the first acWon
Incident Report
2. Find the evidences of the afack Decision of the
3. IdenWfy the scope of impact countermeasure
plan
4. Decide a fundamental countermeasure
• It highly depends on the person’s skills to perform these workflows Security Operator
• AI can Assistance
• Assist to find THE BEHAVIOR of ATTACKERS
• Assist to make a decision of THE FIRST ACTION
Machine
Learning
EUNITY Project Workshop in Japan Apr. 26, 2019 6Various Datasets
ASSISTANCE OF
DECISION
Incident DetecWon ASSIST(1)
Incident Report
PredicWon Report Machine
Learning Analysis Incident
ASSIST(2) Assistance of
Machine
Finding Evidence
Learning
Security Operator
Finding the afack type
Decide the First Action Taking the
and influence
Fundamental AcWons
Assistance of
Decision
Machine
ASSIST(3)
EUNITY Project Workshop in Japan Learning Apr. 26, 2019 7REACTIVE APPROACH : DATASET COLLECTION EUNITY Project Workshop in Japan Apr. 26, 2019 8
DATASET COLLECTION
• To assist a Security Operator in REACTIVE APPROACH
• Collecting various kinds of data from network infrastructure in real time and store
them uniformly
• Providing high-speed and full-text search by keywords as following.
• IP address, port number, user name, domain name, etc…
• We evaluated
• Google Big Query
• Elastic Search
• We build our own system : HAYABUSA
• Collecting over 100k messages per second
• Searching keywords in few seconds from over hundreds of millions messages.
EUNITY Project Workshop in Japan Apr. 26, 2019 9DATASET COLLECTION
• Design and ImplementaWon of Data CollecWon System
• Developed by IIJ Team
• HAYABUSA
• Using all CPU cores for searching
• Full text indexed search
• CollecWng over 100k lines / sec
in real-Wme
Hiroshi Abe, Keiichi Shima, Yuji Sekiya, Daisuke Miyamoto, Tomohiro Ishihara, and Kazuya Okada, “Hayabusa: Simple and Fast Full-Text Search Engine for Massive System Log Data”,
Proceedings of the 12th International Conference on Future Internet Technologies, ACM, DOI: 10.1145/3095786.3095788, June 2017
EUNITY Project Workshop in Japan Apr. 26, 2019 10ASSISTANCE OF FINDING ATTACKER’S BEHAVIORS
Access to malicious site
The host accessed to the same site (key = dst addr)
(key = dst addr) (value = src addr) Domain Name resolved by
(value = src addr) infected host
(key = src addr)
(value = domain)
Infected
host
Ar>cles related to
the domain name
SNS Dark
(key = domain) Web
(value = sentences)
The destination address of
External BlackList User Authen>ca>on DB
Infected Host
(key = dst addr) (key = mac addr)
(key = src addr)
(value = src addr) (value = username)
(value = dst addr)
EUNITY Project Workshop in Japan Apr. 26, 2019 11• GitHub
HAYABUSA : OPEN SOURCE SOFTWARE
• https://github.com/hirolovesbeer/hayabusa
• https://github.com/hirolovesbeer/hayabusa
13
EUNITY Project Workshop in Japan Apr. 26, 2019 12REACTIVE APPROACH : PICTURIZATION EUNITY Project Workshop in Japan Apr. 26, 2019 13
DEFINING FEATURE VALUES OF DATASET
Pattern
Collection Characteristic
Recognization
Traffic (pcap) How convert the SVM, Bagging, Bosting,
Malware (exe, pdf, ..) dataset to Decision Tree, Decision Forest
Web site (html) feature values ? Neural Network, K-means, K-NN,
…
• CollecWon
• Network dataset tends to be large amount
• ConverWng Feature Value
• Which values are useful ?
• Need semanWcs ?
EUNITY Project Workshop in Japan Apr. 26, 2019 14BASIC IDEA OF PICTURIZATION
• DetecWng malicious IP address using images
• The images are generated following packet arrival interval
• Using Darknet and Honeypot data as learning dataset
DetecWng
Packet analysis Image Analysis Malicious IP address
Network device Block
Packet Image CNN
Apr. 26, 2019 15
EUNITY Project Workshop in JapanANALYSIS OF HOST BEHAVIOR
TCP SYN Packets Picturize SYN Packet BEHAVIORS
• This method can apply to the analysis • Not 5 tuples, just using timestamp, window size, sequence number
of the behavior of hosts. • Converting host behaviors to a image and process it using CNN
• Just using SYN packets, it can be algorithm
analyzed on over 100Gbps links.
BAD
GOOD
Ryo Nakamura, Yuji Sekiya, Daisuke Miyamoto, Kazuya Okada, Tomohiro Ishihara, “Malicious Host DetecWon
EUNITY Project Workshop in Japan by Imaging SYN Packets and A Neural Network”, InternaWonal Symposium on Networks, Computers and Apr. 26, 2019 16
CommunicaWons (ISNCC 2018), Rome, Italy, June 2018ANALYSIS OF ACCESSED URL How to vectorize?
www.iij.ad.jp/index.html
• Analysis URL literatures
as just a BYTE STREAM w w w . i i j . a d . j p / i n d e x . h t m l
• Bag-of-Bytes Processing
7777772E69696A2E61642E6A703F696E6465782E68746D6C
II. Real-Wme
TABLE • DetecWon
R ESULTS OF ACCURACY AND TRAINING TIME USING
W HITELIST 1 AND B LACKLIST 1 IN TABLE I
Optimizer Accuracy (%) Training time (s) 77,77,77,77,77,72,2E, 3F,F6,69,96,6E,E6,64,
Our method Adam 94.18 32 E6,69,96,69,96,6A,A2, 46,65,57,78,82,2E,E6,
– AdaDelta 93.54 31 2E,E6,61,16,64,42,2E, 68,87,74,46,6D,D6,6C
– SGD 88.29 31
E6,6A,A7,70
eXpose[6] Adam 90.52 119
– AdaDelta 91.31 119
– SGD 77.99 116
TABLE III. URL DATASETS FOR PREDICTING Keiichi Shima, Daisuke Miyamoto, Hiroshi Abe, Tomohiro Ishihara, Kazuya Okada, Yuji Sekiya, Hirochika Asai, Yusuke Doi, “Classification of URL
[1] Keiichi Shima, Daisuke Miyamoto, Hiroshi Abe, Tomohiro Ishihara, Kazuya Okada, Yuji Sekiya,
bitstreams using Bag of Bytes”, 1st International Workshop on Network Intelligence (NI2018), Feb 2018 (http://member.wide.ad.jp/~shima/publications/
Hirohchika Asai, Yusuke Doi, “Classification of URL bitstreams with Bag of Bytes”, First International
20180219-ni2018-url-clf.pdf)
Type Content
EUNITY Project Workshop in Japan Workshop on NetworkCount Intelligence (NI2018), DOI : 10.1109/ICIN.2018.8401597, 20-22 February 2018
[2] J. Saxe and K. Berlin, “eXpose: A character-level convolutional neural network with embeddings for 9 Apr. 26, 2019 17
detecting maliciou URLs, file paths and registry keys,” CoRR, vol. abs/1702.08568, February 2017.
Blacklist 3 Phishing site URLs reported at PhishTank.com before 39,776
2017-05-25. This list is used as a black list forPROACTIVE APPROACH : MOTIVATION ANALYSIS EUNITY Project Workshop in Japan Apr. 26, 2019 18
ANALYSIS OF ATTACKER’S MOTIVATION
• Social Dataset Collection System
• SNS
• Surface Web
• Dark Web
• Finding the Related Sentence and
Keywords of Attacking
• Making Learning Dataset from the
Past Attacks
• Natural Language Processing
• Prototype Works
Munkhdorj Baaatarsuren, and Yuji Sekiya, “Cyber afack predicWon using social data analysis”, IOS
Press, Journal of High Speed Networks, vol. 23, no. 2, pp. 109-135
EUNITY Project Workshop in Japan Apr. 26, 2019 19Features and metrics used in the experiments
metric operation CVSS access access authentication
name level score vector complexity
example OS 7.5 NETWORK LOW NONE
PRELIMINARY EVALUATION original APPLICATION LOW LOCAL LOW MULTIPLE
value 1.0 0.1-3.9 1.0
Fig. 2. Current implementation of the system
1.0 1.0
quantified OS MEDIUM ADJACENT NETWORK MEDIUM SINGLE
value 2.0 4.0-6.9 2.0 2.0 2.0
• Finding the moWvaWon of Past RealHARDWARE
Afacks HIGH NETWORK HIGH NONE
• CollecWng Past Real Afacks 3.0 7.0-8.9
Critical
3.0 3.0 3.0
• Categorized by Incident Types 9.0-10.0
• TA : Targeted Afack, AH : Account Hijacking, DDoS,
SQL InjecWon
Table 5
Fig. 3. Daily histogram of the number of news articles published
before a cyber attack
• CollecWng SNS Datasets, Web Pages Prediction accuracy of the experiments using SVM
TA AH DDoS SQLi
• Any Signs of Afacks ? Vector A 62.4% 60.7% 70.3% 59.1%
• Making Labeled Datasets Vector A* 61.0% 56.7% 62.0% 53.4%
Vector B 56.0% 64.0% 62.0% 56.8%
A*= [W1 · S 1 , W2 · S 2 , .., W1000 · S 1000 ] where S i is the sentiment score for Wi TA: Targeted attack,
EUNITY Project Workshop in Japan Apr. 26, 2019 20NATURAL LANGUAGE Report of Incident
PROCESSING OF INCIDENTS Event ID:xxxxxxxxxxxxxx
Event Summary: WordPress Login Brute Force Afempt
Occurrence Count: 7
• Incident Log including Human InteracWons of E-mails Host and ConnecWon InformaWon
Source IP: 192.0.2.xxx
• Teacher Datasets Source Port: aaaaa
DesWnaWon IP: 10.0.0.yyy
• E-mails of Incident Response DesWnaWon Port: 80
DesWnaWon IP GeolocaWon: Somewhere, USA
ConnecWon DirecWonality: OUTGOING
• The reason of the Incident and the Countermeasure Protocol: TCP
• First Step: Log Time: 2018-11-xx at 01:10:xx
AcWon: Not Blocked
• Assistance using the Similar Incident Response CVSS Score: -1
Vendor ClassificaWon: THREAT,vulnerability
• Future Goals: Vendor Priority: criWcal
Threat Name: WordPress Login Brute Force Afempt
• More complicated Assistances by Chat Bot Event Detail:
Nov xx 01:10:xx ,2018/11/xx 01:10:xx,0000,THREAT,vulnerability,1,
• Assistances of Forensics by Datasets Analysis 2018/11/xx 192.0.2.xxx, 10.0.0.yyy, 192.0.2.xxx,
allow,,,web-browsing,…..,trust,untrust,
….,tcp,alert, "wp-login.php",WordPress Login Brute Force Afempt(40044),
educaWonal-insWtuWons,criWcal,client-to-server,…..
EUNITY Project Workshop in Japan
Apr. 26, 2019 21NORMALIZATION OF INCIDENT RESPONSE FLOWS
• Making Labeled Datasets of Incident Response Flow
• Need Normalized and Labeled Datasets for Machine Learning
• Using Natural Language Processing for Analysis
• Assistance of the FIRST DICISION of Security Operators [1] 石井将大, 森健人, 松浦知史, 金勇, 北口善明, 友石正彦:“東工大CERTにおけるインシ
デント対応の分析とその自動化に関する考察”, 研究報告 インターネットと運用技術
(IOT), 2018
• Helping them for Analysis Datasets and
• Making a kind of Chat Bot for Assistance
トリアージ ハンドリング
EUNITY Project Workshop in Japan Apr. 26, 2019 22DEMONSTRATION IN INTEROP TOKYO 2018
• We had a demonstraWon in IT event, called Interop Tokyo 2018
• Three days events
• 140,000 people were join
• We measured the Real-Time Network Traffic in the venue
• DetecWng Malicious Behaviors using Machine Learning
• Afack from outside and inside
• Accessing malicious sites
EUNITY Project Workshop in Japan Apr. 26, 2019 23EUNITY Project Workshop in Japan Apr. 26, 2019 24
THANK YOU THIS WORK WAS SUPPORTED BY JST CREST GRANT NUMBER JPMJCR1783, JAPAN. EUNITY Project Workshop in Japan Apr. 26, 2019 25
You can also read
