
Cyber-Threat Analytics Introduction



  1. Cyber-TA Kickoff Meeting
     (Sidebar: Today’s Agenda, 2005 Summary, Web Portal, Introduction, Project Overview, Challenges, Consortium Members)
     Cyber-Threat Analytics Introduction
     Phillip Porras - porras@csl.sri.com
     Computer Science Laboratory, SRI International
     www.cyber-ta.org
     28 September 2006

  2. Cyber-TA Overview
     Collaborative Wide-Area (National-scale) Threat Detection and Mitigation
     • Problem Space:
       • develop efficient "RICH" security content sharing infrastructures
       • advance the state of the art on collaborative large-scale detection and mitigation schemes
       • new threat dissemination/mitigation schemes to characterize emerging attack patterns - actionable results
     • AND
       • Protect the security postures (user privacy, policies, topologies, defenses, vulnerabilities) of the data contributor
       • Minimize (remove) the reliance on trust among contributors and repositories
     [Diagram labels: Research, Operations, (Large-scale) MALWARE Researchers, (Large-scale) DATA PRIVACY Researchers]

  3. Grand Challenges
     • How to achieve an IA Common Operating Picture with mutually suspicious organizations, e.g., IC members, coalition partners, other law enforcement
     • How to construct national-scale real-time correlation / alert forensic systems that scale to millions of events per day
     • How to achieve privacy-preserving IA data sharing (protocols, repositories, registration, analyses) with “minimal trust”
     • How to quantify the impact of our proposed privacy-preserving countermeasures on the adversary workfactor

  4. 2006 Consortium Members
     Data Privacy Group
     • Prof. Vitaly Shmatikov, University of Texas at Austin
     • Roger Dingledine, Moria Laboratory
     • Prof. Joan Feigenbaum, Yale University
     Encrypted Computation Group
     • Brent Waters, SRI
     • Prof. Dan Boneh, Stanford University
     • Prof. Amit Sahai, University of California at Los Angeles
     Active and Passive Malware Analysis and Mitigation
     • Prof. Paul Barford, University of Wisconsin
     • Prof. Karl Levitt, University of California at Davis
     • Prof. Wenke Lee, Georgia Institute of Technology (Georgia Tech)
     • Prof. Peng Ning, North Carolina State University
     • Prof. Dawn Song, Carnegie Mellon University
     • Phil Porras / Al Valdes / Vinod Yegneswaran / Jian Zhang / Steven Cheung / Linda Briesemeister, SRI
     Threat Ops Center and Commercial Transition
     • Marcus Sachs, SRI International
     • Ray Granvold, Promia Incorporated
     • Livio Ricciulli, Force-10 Networks Inc.
     • Johannes Ullrich, SANS Institute

  5. Today’s Agenda
     9:00 - 9:40am    Cliff Wang (ARO) / Phil Porras (SRI International): Opening Remarks, Introductions, Project Overview
     9:40 - 10:05am   Vitaly Shmatikov (University of Texas): Data and Traffic Privacy
     10:05 - 10:30am  Brent Waters (SRI International): Privacy-Preserving Encrypted-Data Analysis
     10:30 - 10:45am  Break
     10:45 - 11:10am  Vinod Yegneswaran (SRI International): Active Monitoring Systems
     11:10 - 11:35am  Phil Porras (SRI International): Massive and Distributed Data Correlation
     11:35 - 12:00pm  Wenke Lee (Georgia Tech): Collaborative Mitigation Techniques
     NOON - 1:00pm    Lunch
     1:00 - 1:25pm    Marc Sachs (SRI International): Threat Operations Center and Demonstration Capabilities
     1:25 - 1:50pm    Livio Ricciulli (Force-10 Networks): Ultra-High-Volume Infrastructure Protection
     1:50 - 2:15pm    Ray Granvold (Promia Inc.): Experiences in DoD NOC Security Management
     2:15 - 2:30pm    Closing Remarks

  6. 2005 Prototype Release
     Design and field a security log repository and data collection infrastructure that
     • allows mutually suspicious coalition partners to securely participate in alert sharing communities
     • prevents leakage of contributor vulnerabilities and security posture while reporting detailed security log content
     • provides extensive contributor control over anonymity services
     • is resistant to “insider” repository browsing
     • is resistant to traffic-based fingerprinting (to a degree!)
     • is resistant to active data fingerprinting threats
     • supports scalable data analysis for 1000’s of contributors and in the presence of anonymized content
     Examine collaborative malware defense strategies

  7. CTA Infrastructure - Release Notes
     1st reference implementation and deployment of a Privacy-Preserving Threat Recon Infrastructure w/ data analysis services
     • User-controllable anonymization of IDS/Firewall logs, aggregator, TLS over onion routing daemon, large-scale data repository center, web-based data portal/query/analysis of anonymized logs
     • Primary objectives of release:
       • Red team data production and adversary models
       • Provide datasets for web portal and data analysis purposes
       • Examine network link, including TOR, reliability and bandwidth issues
       • Rapid-prototype platform to build distributed correlation systems
     • Initial release targets: SRI Menlo Campus, Rosslyn Corporate Office, UC Davis Computer Science Lab, SANS Institute Bethesda, MD

  8. CTA System Diagram
     [Diagram labels, grouped by where they appear]
     • Contributor side: INFOSEC Log Sensor Z; CTA_Anonymizer v0.9 with XML SPEC (Log Parsing Rules, Field Anonymization Policy, Aggregation Policy, User meta-data, Plugin policies); GP ASCII Log Parser; Anonymizer Service; Alert Aggregator; Meta-data Extractor Plugin; MIXNET Deliver Daemon
     • Delivery path: Encrypted Anonymous Log Delivery Protocol - TLS Session over TOR Circuit over TCP/IP, across the Internet, with Delivery Ack in both directions
     • Repository side: www.cyber-ta.org (cyberta.dshield.org); Cyber-TA RDBMS Manager; 1-30-day Summary Table Generator; Web Portal Query, Data Analyzer

  9. Adversary Models – What’s in and out of scope?
     • IN SCOPE
       • Direct Contributor Linkage From Repository
       • Network Traffic Analysis Agents
     • OUT OF SCOPE
       • Active fingerprinting threats
       • PPFIX Dictionary Attacks
       • Multi-event pattern analysis
       • Rare-rule stimulation
       • Two-sided traffic analysis
       • Traffic-based timing attacks
       • Long lived connection statistical analyses
     [Diagram labels: Org 2 ... Org N, Repository Insider, Traffic Eavesdropper, Active Fingerprinter, Timing Attacks]

  10. Internet Portal and Analysis: CTA_Repository - Inventory View
      • provides a concise summary of entire REP content
      • provides quick assessment of recent REP dataflow volume/stats/trends (e.g., 1 day, 7 day, 30 day...)
      • size of DB, # of Author_IDs (unique contributors), sensor types, event types, IP/port trends, data insertion rates, unique addrs (src/dst), (raw event count vs aggregated count)
      http://www.cyber-ta.org
      Web portal password – available upon request
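Slides 7, 8 and 10 together describe one pipeline: a contributor-side anonymizer that parses sensor logs, applies a per-field anonymization policy and aggregates events before delivery, and a repository-side inventory view that still reports unique contributors, sensor and event types, unique addresses and raw versus aggregated counts. The Python below is an added illustration of that pipeline, not the Cyber-TA CTA_Anonymizer or portal code. The key=value log format, the field names, the policy shape, the HMAC-SHA256-keyed prefix-preserving IP scheme (written in the style of Crypto-PAn; the slides name only "PPFix" and do not specify a construction) and the sample log lines are all constructed for this example.

```python
import hmac
import hashlib
import ipaddress
from collections import Counter

# Constructed demo key. A real deployment would hold a per-contributor key outside the code.
KEY = b"constructed-demo-key-not-for-production"

# Constructed sample firewall/IDS log lines in a key=value form (not the project's log format).
RAW_LOGS = """\
2006-09-28T09:00:01 author=ORG_A sensor=iptables action=DROP src=198.51.100.17 dst=10.1.2.3 dport=445 proto=tcp
2006-09-28T09:00:02 author=ORG_A sensor=iptables action=DROP src=198.51.100.17 dst=10.1.2.3 dport=445 proto=tcp
2006-09-28T09:00:03 author=ORG_A sensor=iptables action=DROP src=198.51.100.99 dst=10.1.2.9 dport=445 proto=tcp
2006-09-28T09:00:05 author=ORG_B sensor=snort action=ALERT src=203.0.113.8 dst=172.16.4.4 dport=80 proto=tcp
2006-09-28T09:00:06 author=ORG_B sensor=snort action=ALERT src=203.0.113.8 dst=172.16.4.4 dport=80 proto=tcp
"""

# Assumed shape of a contributor-chosen field anonymization policy:
# "ppfix" = prefix-preserving anonymization, "drop" = remove the field, "keep" = report unchanged.
POLICY = {"src": "ppfix", "dst": "ppfix", "author": "keep"}

# Fields that define an aggregation bucket; events equal on these differ only in timestamp.
AGG_FIELDS = ("author", "sensor", "action", "src", "dst", "dport", "proto")


def anonymize_ipv4(addr: str, key: bytes = KEY) -> str:
    """Prefix-preserving IPv4 anonymization in the style of Crypto-PAn.

    Output bit i = input bit i XOR a keyed pseudorandom bit derived from the first i
    input bits, so addresses sharing their first k bits map to outputs sharing exactly k bits.
    """
    n = int(ipaddress.IPv4Address(addr))
    out = 0
    for i in range(32):
        prefix = n >> (32 - i)  # the first i bits of the original address (0 when i == 0)
        msg = bytes([i]) + prefix.to_bytes(4, "big")
        flip = hmac.new(key, msg, hashlib.sha256).digest()[0] & 1
        bit = (n >> (31 - i)) & 1
        out = (out << 1) | (bit ^ flip)
    return str(ipaddress.IPv4Address(out))


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses share (32 if identical)."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


def parse_line(line: str) -> dict:
    """Parse one 'timestamp k=v k=v ...' line into a record."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        k, _, v = pair.partition("=")
        rec[k] = v
    return rec


def apply_policy(rec: dict, policy: dict = POLICY, key: bytes = KEY) -> dict:
    """Apply the contributor's per-field policy before anything leaves the site."""
    out = {}
    for k, v in rec.items():
        action = policy.get(k, "keep")
        if action == "drop":
            continue
        if action == "ppfix":
            v = anonymize_ipv4(v, key)
        out[k] = v
    return out


def aggregate(records: list) -> list:
    """Collapse events identical on AGG_FIELDS into one row carrying a count and time span."""
    buckets = {}
    for r in records:
        k = tuple(r.get(f) for f in AGG_FIELDS)
        if k not in buckets:
            buckets[k] = {**{f: r.get(f) for f in AGG_FIELDS},
                          "count": 0, "first_ts": r["ts"], "last_ts": r["ts"]}
        buckets[k]["count"] += 1
        buckets[k]["last_ts"] = r["ts"]
    return list(buckets.values())


def inventory_summary(records: list, aggregated: list) -> dict:
    """Repository-side counts of the kind the Inventory View slide lists."""
    return {
        "raw_event_count": len(records),
        "aggregated_count": len(aggregated),
        "unique_author_ids": len({r.get("author") for r in records}),
        "sensor_types": sorted({r.get("sensor") for r in records}),
        "event_types": sorted({r.get("action") for r in records}),
        "unique_src": len({r.get("src") for r in records}),
        "unique_dst": len({r.get("dst") for r in records}),
        "top_dports": Counter(r.get("dport") for r in records).most_common(3),
    }


def run_pipeline(raw: str = RAW_LOGS, policy: dict = POLICY):
    """Contributor side (parse, anonymize, aggregate) followed by the repository summary."""
    records = [apply_policy(parse_line(l), policy) for l in raw.splitlines() if l.strip()]
    aggregated = aggregate(records)
    return records, aggregated, inventory_summary(records, aggregated)
```

Because the mapping is prefix-preserving, the repository can still count unique source and destination addresses and trend activity by /24 or /16 after anonymization, which is what makes the Inventory View counts on this slide possible over anonymized content. The same property is why slide 9 lists PPFIX dictionary attacks as a threat a contributor must weigh: the mapping is deterministic and structured, so per-contributor keys, key rotation and dropping fields outright (the "drop" policy above) are the knobs that bound that exposure.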

  11. Internet Portal and Analysis: Rates/Trends
      • Graphs – user-controlled graph construction: Event_ID, Signature Category, PPFix SRC, Contributor, Ports, etc.
      • Statistical Summaries: table-based, capturing EventIDs, Port-policy, PPFix Addrs

  12. Web Portal – Where to get info / access?
      • www.cyber-ta.org
      • Today’s slides
      • General project info
      • Publications
      • Software releases
      • Live Internet monitoring
      • Data set / resources
      • Project news
      • Consortium partner info
      • Contributor registration
