7. Short-term trends
Google vs Facebook
Market Share: 2010 May
Google put everything on the web and made it searchable.
Facebook's idea is that you can simply ask someone who knows.
http://outoftheoverflow.com/tag/weekly-market-share-of-visits-to-facebook-com-and-google-com/
16. ① Detecting configuration faults, in addition to faults in source code and binaries
Detecting BGP Configuration Faults with Static Analysis
In this paper they propose static analysis for detecting two classes of faults in
BGP routers: validity faults and path visibility faults. Path visibility and route
validity are two high-level aspects of correctness. Path visibility says that BGP
will correctly propagate routes for existing, usable IP-layer paths. Route validity
says that if routers attempt to send data packets via these routes, then packets
will ultimately reach their intended destinations.
Detecting BGP configuration faults poses several challenges. First,
defining a correctness specification for BGP is difficult. Second, this high-level
correctness specification should be used to derive a set of constraints which can
be tested against the actual configuration.
They analyze network-wide configurations from 17 different ASes to detect more
than 1000 BGP configuration faults which had previously gone undetected by
operators.
17. ② Access control newer than MAC and DAC
Capsicum: practical capabilities for UNIX
Capsicum is different from both MAC and DAC. Neither MAC nor DAC was designed to
handle the case of a single application processing many types of information on behalf of
the user. A web browser is a good example. Current web browsers must parse HTML,
scripting languages, images and video from many untrusted sources; however, the browser acts with
the full privilege of the user and has access to all of the user's resources. In this case, the web
browser should be decomposed into several OS processes. Unfortunately, the systems for doing this
vary by platform, and all require a significant amount of programmer effort.
-- Usenix Security 2010
Privman: A library to make privilege separation easy
Privman (ATC 2003) is early work on privilege separation. One motivation for Privman
could be that general developers had little security awareness, at least at that time. The
contribution of Privman is to facilitate a specific technique for writing secure software:
partitioning applications into trusted and untrusted parts. In general, Linux has a monolithic
kernel and is coarse-grained, without any strict compartments. Like capability-based
methods, Privman provides privilege separation, a technique that isolates trusted
code and hence reduces the amount of code that needs to be carefully audited.
-- Usenix Annual Tech 2003
http://code.google.com/p/privman/
18. ③Honeypot, Darknet
DarkNOC: Dashboard for Honeypot Management
We present DarkNOC, a management and monitoring tool
for complex honeynets consisting of different types of
honeypots as well as other
data collection devices. DarkNOC has been actively used
to manage a honeynet consisting of multiple subnets and
hundreds of IP addresses. This paper describes the
architecture and a number of case studies demonstrating
the use of DarkNOC.
Usenix LISA 2011
19. ④Crawler, active monitoring
A Practical Attack to De-anonymize Social Network Users
Social networking sites such as Facebook and LinkedIn have been
reporting exponential growth rates. In this paper it is shown that
information about the group memberships of a user in a single OSN
is often sufficient to uniquely identify this user, or at least to
significantly reduce the set of possible candidates. This is called
a de-anonymization attack. They leverage the well-known web
history stealing attack to determine the group membership of
a user.
Browser history stealing: history stealing is a known attack in
which a malicious website can extract the browsing history of a
visitor. In their experiment, they work with Xing, a medium-scale
social network with more than eight million members. Their
analysis suggests that 42% of the users that use groups can be
uniquely identified, while for 90%, they can reduce the candidate
set to less than 2912 persons.
SSP 2010
20. ⑤ Detecting malicious activity in large volumes of data
DNS lookup patterns: Monitoring the initial DNS behavior of malicious domains
We explore the behavioral properties of these domains from two perspectives: (1)
the DNS infrastructure associated with the domain, as is observable from the
resource records; and (2) the DNS lookup patterns from networks who are looking
up the domains initially. Our analysis yields many findings that may ultimately be
useful for early detection of malicious domains. By monitoring the infrastructure for
these malicious domains, we find that about 55% of scam domains occur in attacks
at least one day after registration, suggesting the potential for early discovery of
malicious domains, solely based on properties of the DNS infrastructure that
resolves those domains.
Internet Measurement Conference 2010
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection
In this paper, we present a general detection framework that is independent of botnet
C&C protocol and structure, and requires no a priori knowledge of botnets (such as
captured bot binaries and hence the botnet signatures, and C&C server
names/addresses).
Usenix Security 2008
21. ⑥ Adopting functional-style languages for scalability
Chimera: NSA's SQL support for stateful IDS
[1] Sidejacking is a term used to describe the attack
where a hacker steals a session token from an
unencrypted HTTP cookie and then impersonates the
legitimate user.
[2] For malicious domains, they focus on a subset of the
DNS answer and TTL-based features, such as the number of
distinct IP addresses per domain and the number of domains
which share the same IP address.
[3] DNS tunnels: the DNS protocol is designed to resolve
information about domain names. However, it can also be
used for covert communication by storing data in the
requested domain name.
Usenix Security 2012
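The DNS features in [2] and [3] amount to grouping answer records by domain and by IP address. The following is an added example, not code from the Chimera paper or from this deck; the log records, the thresholds and the rule that the parent domain is the last two labels are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS answer log: (query name, answer IP, TTL in seconds)
LOG = [
    ("www.example.org", "192.0.2.10", 3600),
    ("mail.example.org", "192.0.2.11", 3600),
    ("cdn.fluxy.test", "198.51.100.1", 30),
    ("cdn.fluxy.test", "198.51.100.2", 30),
    ("cdn.fluxy.test", "198.51.100.3", 30),
    ("cdn.fluxy.test", "198.51.100.4", 30),
    ("a.shared1.test", "203.0.113.5", 300),
    ("b.shared2.test", "203.0.113.5", 300),
    ("c.shared3.test", "203.0.113.5", 300),
    ("abcdefghijklmnopqrstuvwxyz234567.t.tunnel.test", "192.0.2.99", 1),
    ("q7w2e5r3t6y4uiopasdfghjklzxcvbnm.t.tunnel.test", "192.0.2.99", 1),
]

def parent(qname):
    """Assumption: the parent domain is the last two labels (no public-suffix list)."""
    return ".".join(qname.split(".")[-2:])

def entropy(label):
    """Shannon entropy of a label, in bits per character."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def analyze(log, max_ips=3, max_domains_per_ip=2, min_ttl=60,
            min_label_len=20, min_entropy=3.5):
    """Return {domain: set of flags} for the features named in [2] and [3]."""
    ips_of = defaultdict(set)       # domain -> distinct answer IPs
    domains_on = defaultdict(set)   # IP -> distinct domains that resolve to it
    lowest_ttl = {}                 # domain -> smallest TTL seen
    tunnel_like = set()             # domains queried with long, high-entropy labels
    for qname, ip, ttl in log:
        dom = parent(qname)
        ips_of[dom].add(ip)
        domains_on[ip].add(dom)
        lowest_ttl[dom] = min(lowest_ttl.get(dom, ttl), ttl)
        for label in qname.split(".")[:-2]:
            if len(label) >= min_label_len and entropy(label) >= min_entropy:
                tunnel_like.add(dom)
    flags = defaultdict(set)
    for dom, ips in ips_of.items():
        if len(ips) > max_ips:
            flags[dom].add("many-ips")
        if any(len(domains_on[ip]) > max_domains_per_ip for ip in ips):
            flags[dom].add("shared-ip")
        if lowest_ttl[dom] < min_ttl:
            flags[dom].add("low-ttl")
        if dom in tunnel_like:
            flags[dom].add("tunnel-like-name")
    return dict(flags)
```

Each flag is a feature to feed into further analysis, not a verdict; content delivery networks and shared hosting trip the IP and TTL features on benign traffic as well.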
22. ⑦ Dynamic analysis of Android
TaintDroid: an information-flow tracking system for
realtime privacy monitoring on smartphones
TaintDroid provides realtime analysis by leveraging
Android’s virtualized execution environment.
TaintDroid incurs only 14% performance overhead on a
CPU-bound micro-benchmark and imposes negligible
overhead on interactive third-party applications. Using
TaintDroid to monitor the behavior of 30 popular third-party Android applications, we found 68 instances of
potential misuse of users’ private information across
20 applications.
OSDI 2010
http://appanalysis.org/
23. ⑧ Static analysis of Android and decompilers
A study of android application security
Android phone identifiers. They analyzed 21 million lines of code, recovered by
their decompiler from 1100 popular Android applications. They
designed and implemented a Dalvik decompiler, ded, which recovered 21 million
LOC from the top 1100 free applications. The choice to decompile to
Java source rather than operate on the DEX opcodes directly was grounded in
two reasons. First, they wanted to leverage existing tools for code analysis.
Second, they required access to source code to identify false positives resulting
from automated code analysis.
The analysis specification is based on three aspects.
1) Control flow analysis: control flow analysis imposes constraints on the
sequences of actions executed by an input program P, classifying some of them
as errors.
2) Structural analysis: structural analysis allows for declarative pattern matching
on the abstract syntax of the input source code.
3) Semantic analysis: semantic analysis allows the specification of a limited set of
constraints on the values used by the input program.
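28. APT (targeted attacks) and social engineering
[Diagram: an attacker, SNS services and employees, with the following steps]
① Preliminary reconnaissance
② Initial attack
③ Malware infection
④ Searching for and finding important information
⑤ Data collection by the attacker and exfiltration to the outside
Social engineering is often used in ① preliminary reconnaissance and ② the initial attack.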
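45. Compartmentalization and checkpoints
Entering the building or room: ① application and approval, ② control of items brought in, ③ entry reception
Leaving the building or room: ④ control of items taken out, ⑤ exit confirmation
[Floor plan: A server room; B office; B meeting room; C reception room; C reception desk]
C: public zone
A: access-restricted zone (only specific members may enter) B: business zone (employees
and temporary staff may enter) C: general zone (visitors and outside guests may enter)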
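46. Types of access control
● There are three types of access control: discretionary access control (DAC), mandatory
access control (MAC), and role-based access control (RBAC).
① In discretionary access control (DAC), the owner of an object sets its access permissions.
② In mandatory access control (MAC), permissions such as read and write are forcibly
restricted according to levels assigned in advance.
③ In role-based access control (RBAC), the operations that can be performed are restricted by
role.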
73. Current situation of cloud computing
Cloud computing is becoming pervasive
• Gartner predicts that by 2015, 40 percent of the security
controls used within enterprise data will be virtualized, up from
less than 5 percent in 2010.
• Global cloud computing services revenue is
expected to hit $148.8 billion in 2014,
a dramatic 16.6 percent rise compared to 2009
cloud services revenue, which was $58.6 billion.
74. Current situation of cloud computing
Security is the top concern
Five security issues
1) Security of the virtual machine environment
2) Security of the data center
3) Legal issues about data on foreign servers
4) SLA (service level agreement)
5) Security of management and operation
Virtual machine attack
T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. “Hey, You, Get Off of My Cloud! Exploring Information
Leakage in Third-Party Compute Clouds.” In S. Jha and A. Keromytis, eds. CCS 2009.
75. Classification of cloud computing security
guidelines, standards and alliances
• The right to retain ownership, use and control one's own data
• The right to service-level agreements that address liabilities, remediation and business outcomes
• The right to notification and choice about changes that affect the service consumers' business processes
• The right to understand the technical limitations or requirements of the service up front
• The right to understand the legal requirements of jurisdictions in which the provider operates
• The right to know what security processes the provider follows
• The responsibility to understand and adhere to software license requirements
Gartner Global IT Council for Cloud Services Outlines Rights and Responsibilities for Cloud Computing
Services
76. Outline: insider threat and data leakage
Information leakage is one of the most serious kinds of damage
caused by insider threats. In this talk, I will introduce some
key issues about ex-post countermeasures against information
leakage.
① First, the "Data lives forever" problem is introduced. Once sensitive
information is leaked over the Internet, we have no effective
countermeasures to nullify it. Some topics such as advanced secret
sharing and the right to be forgotten will be noted.
② Second, I will talk briefly about "Data sovereignty" to provide a
logical and technical basis for tracking spread information. PDP (provable
data possession) could be one of the solutions.
Finally, I will present some actual cases of these problems.
77. Insider Threats and Information leakage
[Chart: Incidents by Breach Type. Recoverable labels: Lost tape 14%; Stolen document 14%; Disposal document 14%. Source: 2012/11 http://www.datalossdb.org]
Attacks from outside by hacking are motivated by botnets, FaaS, etc.
Data leakage is one of the main purposes of insider attacks. Besides,
this kind of threat causes retroactive disclosure.
Social engineering and APT are sometimes very hard to prevent technically.
Data lives forever: once sensitive data is released to the network,
it circulates forever.
Information leak: retroactive disclosure
Sensitive data could be retrieved and retroactivated as an offense.
78. Can retroactivation as offense be mitigated?
Is an ex-post countermeasure possible?
Is it unstoppable even if we adopt domain seizure in Amazon EC2?
2012/08: Dropbox Confirms User Email Leaks – Adds Additional Protection
Can DLP protect sensitive data sent from SNS?
Is it possible to prevent uploading sensitive files?
Top threats to enterprise security, IDC's survey (2010, 2008); two values per threat
Trojans, viruses, other malware: 54, 78
Spyware: 48, 74
Hackers: 41, 67
Employees exposing information: 52, 66
Equipment misconfiguration: 41, 61
Application vulnerabilities: 44, 59
Spam: 39, 58
Data stolen by trusted party: 38, 53
Insider sabotage: 34, 49
79. Japan’s case: information leakage
via P2P networks
2008/03/22: National Bank of Japan leaks confidential insider information
2009/04/02: Tokyo Rinkai Hospital – a list of 598 inpatients' information
2005/06: Documents of a nuclear power plant of Mitsubishi were leaked.
2009/01/08: National Information-Technology Promotion Agency - a
database of the Ministry of Internal Affairs and the National Patent Office
2010/10/30: Metropolitan Police Department unit in charge of international
terrorism spills a confidential list over P2P networks
80. Data Sovereignty in Cloud computing era
Data sovereignty: the coupling of stored data authenticity
and geographical location in the cloud
Zachary N. J. Peterson, Mark Gondree, and Robert Beverly. A Position Paper on Data
Sovereignty: The Importance of Geolocating Data in the Cloud. USENIX HotCloud 2011
However, as the cloud computing environment has
become international, securing data sovereignty
is getting harder and harder.
Geolocation technology can be
cheated. PDP (Provable Data Possession)
could be one of the solutions
for this problem.
Giuseppe Ateniese, Randal C. Burns, Reza Curtmola, Joseph
Herring, Lea Kissner, Zachary N. J. Peterson, Dawn Xiaodong
Song: Provable data possession at untrusted stores.
ACM CCS 2007
81. "Data lives forever" problem
• WikiLeaks
WikiLeaks is an international organization that publishes submissions of
otherwise unavailable documents from anonymous sources and leaks.
On July 25, 2010, WikiLeaks released to The Guardian, The New York
Times, and Der Spiegel over 92,000 documents related to the war in
Afghanistan between 2004 and the end of 2009.
• “Right to forget and delete”
The European Commission set out a strategy to strengthen EU data protection
rules in Nov 2010. “Controlling your information, having access to your data,
being able to modify or delete it – these are essential rights that have to be
guaranteed in today's digital world.”
82. P2P security VANISH: self destructing data
Roxana Geambasu, Tadayoshi Kohno, Amit Levy, Henry M. Levy. Vanish: Increasing Data Privacy with Self-Destructing Data. In Proceedings of the USENIX Security Symposium, Montreal, Canada, August 2009.
Technology: Secret sharing protocol and DHT
In the Vanish system, a shared file disappears from the network after a fixed interval.
Bob sends {C,L} to Alice. VANISH is implemented for the Vuze DHT.
[Diagram labels: Data, timeout; C = Ek(data); K1, K2, ..., KN; random indexes (L); {C, L}; data = Dk(C)]
83. P2P security UNVANISH: reconstructing data
Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs
Scott Wolchok, Owen S. Hofmann, Nadia Heninger, Edward W. Felten, J. Alex Halderman,
Christopher J. Rossbach, Brent Waters, and Emmett Witchel, Network and IT Security
Conference: NDSS 2010
UNVANISH mounts Sybil nodes in the DHT to replicate the Ek hash and reconstruct the data.
[Diagram labels: the Vanish diagram ({C, L}; Data, timeout; K1, K2, ..., KN; random indexes (L); C = Ek(data); data = Dk(C)) with UNVANISH added]
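An added sketch, not the Vanish or Unvanish authors' code, of the scheme on slides 82 and 83: K is split into N Shamir shares stored at random DHT indexes with a timeout, and expiry in the DHT is not deletion if any node kept a copy of what it was asked to store. ToyDHT, the XOR keystream standing in for Ek, and the parameters (N = 10, threshold 7, timeout 8 ticks) are assumptions.

```python
import hashlib
import secrets

P = 2**127 - 1  # prime modulus for Shamir shares (constructed parameter)

def split(secret, n, t):
    """Shamir sharing: n shares of `secret`, any t of which reconstruct it."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 recovers the secret."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def xor_stream(key, data):
    """Stand-in for Ek/Dk: XOR with a SHA-256 counter keystream (not a vetted cipher)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key.to_bytes(16, "big") + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class ToyDHT:
    """In-memory stand-in for the DHT: entries expire `ttl` ticks after being stored."""
    def __init__(self, ttl):
        self.ttl, self.now, self.store = ttl, 0, {}
        self.archive = {}  # what a node that logs every store request would retain

    def put(self, index, value):
        self.store[index] = (value, self.now + self.ttl)
        self.archive[index] = value

    def get(self, index):
        value, expiry = self.store.get(index, (None, -1))
        return value if self.now < expiry else None

def encapsulate(dht, data, n=10, t=7):
    key = secrets.randbelow(2**126)                      # K
    c = xor_stream(key, data)                            # C = Ek(data)
    indexes = [secrets.token_hex(8) for _ in range(n)]   # L
    for index, share in zip(indexes, split(key, n, t)):  # K1..KN go into the DHT
        dht.put(index, share)
    return c, indexes, t

def decapsulate(lookup, c, indexes, t):
    """Fetch shares through `lookup`; return data, or None if fewer than t survive."""
    shares = [s for s in map(lookup, indexes) if s is not None]
    return xor_stream(combine(shares[:t]), c) if len(shares) >= t else None

def demo():
    dht = ToyDHT(ttl=8)
    c, indexes, t = encapsulate(dht, b"constructed sample message")
    before = decapsulate(dht.get, c, indexes, t)            # within the timeout
    dht.now += 9                                            # the timeout passes
    after = decapsulate(dht.get, c, indexes, t)             # shares have expired
    archived = decapsulate(dht.archive.get, c, indexes, t)  # copies kept by a logging node
    return before, after, archived
```

`demo()` returns the plaintext before the timeout, `None` after it, and the plaintext again from the archived copies, which is why the self-destruction guarantee depends on no participant in the DHT retaining shares.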
87. Detecting socware and SocialBots
1 MyPageKeeper: Efficient and scalable socware detection in online social networks
MyPageKeeper is a Facebook application designed for detecting malicious posts on
Facebook. Once a Facebook user installs MyPageKeeper, it periodically crawls posts from
the user's wall and news feed. MyPageKeeper is evaluated from the perspective of over
12K users who have installed MyPageKeeper and their roughly 2.4 million friends. On this
dataset, MyPageKeeper turned out to be accurate (97% of posts flagged by it are indeed
socware and it incorrectly flags only 0.005% of benign posts) and efficient (it requires 46
ms on average to classify a post).
Security'12 Proceedings of the 21st USENIX conference on Security symposium
2 An analysis of socware cascades in online social networks
Online social networks have become a popular new vector for distributing malware and
spam, which is called socware. Unlike email spam, which is sent by spammers directly
to intended victims, socware cascades through OSNs as compromised users spread it to
their friends.
WWW '13 Proceedings of the 22nd international conference on World Wide Web
93. Introduction
BACKGROUND: The rapid increase in security incidents imposes a great burden on Internet users
and system administrators. In this paper we discuss a parallel analysis for lightweight network incident
detection using nonlinear adaptive systems.
DEPLOYMENT: We run AID (anomaly intrusion detection) and
MID (misuse intrusion detection) systems in parallel.
The two detectors generate binary outputs misuse = {YES/NO} and anomaly = {YES/NO}.
Then, we can determine whether we need to perform a network or a security operation.
ALGORITHMS: We apply a clustering algorithm for AID and a classification algorithm for MID.
The nonlinear adaptive system is trained for running MID and AID in parallel.
The proposed parallel system is more lightweight and simpler to operate
even if the number of incident patterns increases.
RESULT: Experimental results in the case where false positives are frequently caused show that our
method is functional with a recognition rate of attacks no less than 10%, while finding the anomaly
status. Also, performance evaluation shows that the proposed system can work with reasonable CPU
utilization compared with a conventional serial-search-based system.
NPC 07
94. IDS (Intrusion Detection System)
IDS is an alarm and logger
An IDS (intrusion detection system) is a kind of
alarm deployed on computer systems and
networks to detect activity called misuse,
that is, unauthorized actions such
as leaking or compromising.
Increasing number of attacks
The recent increase in the number of
attacks against computer systems is rapid
enough to pare off the effectiveness of
human response.
Current requirements for IDS
More effective, automated and intelligent
detection methods are being researched in many
fields to take measures against
unseen incidents. Generally, the research
aims to construct a system
that treats attacks with automatic response.
95. Background: Increase of IDS signatures
It is expected that a large number of services and
systems will be connected to the Internet. And the
number of exposed security holes, flaws and
vulnerabilities is still increasing rapidly.
On the other hand, the number of signatures in current
intrusion detection systems is increasing and their
management is becoming so complicated that
administrators are required to spend much time
learning how to handle rules and maintain databases.
Current IDS checks all internal and external
packets and logs part of them according to the
signature rule set.
With the complexity of managing signatures, there
is concern that the increase in the number of
signatures unnecessarily imposes a great burden
on the system and, worse, that an improper setting of the
signature rule set drops the packets of incoming
attacks.
96. Anomaly and misuse detection
profiles and signatures
BACKGROUND
Most traditional IDSs apply signature-based detection methods. The dataset of signatures is provided manually by
experts. Recently, manually maintained blacklists cannot keep up with the rapid increase of network security incidents
and attacks. Therefore, extensions of and alternatives to matching-based detection have been researched.
Intrusion detection techniques are generally classified into two categories: anomaly detection and misuse detection.
MISUSE DETECTION
Misuse detection is performed by looking for the behavior of a known exploit scenario, which is usually described
by a specific sequence or data. Current signature-based methods are classified as misuse detection but lack
the scalability to extract features from observed attacks in order to detect even derivatives of conventional incidents by themselves.
Misuse learning algorithms on labeled data generally cannot detect new intrusions as they are. In addition, processing
labeled data in order to find variations is usually very expensive.
ANOMALY DETECTION
On the other hand, anomaly detection is performed
by inspecting for states that deviate from a baseline or normal state defined beforehand.
Profiling algorithms for AID on unlabeled data frequently cause false positives because the audit data
can be very large. And the output of this method tends to depend heavily on the amount and features of the
training data.
CHARACTERIZATION OF TWO METHODS
AID has the advantage in sensitivity. MID has the advantage in singularity (specificity).
Sensitivity = TP / (TP + FN)
Singularity = TN / (TN + FP)
[Confusion matrix: true positive, false positive, false negative, true negative]
97. Data-mining and IDS
Clustering for AID / Classification for MID
[1] Clustering for AID
Outputs the distance from normal (usual) status.
Algorithms: Statistics / Clustering (Machine learning)
Dataset: profile (representation of normal)
Anomaly detection uses clustering algorithms because the behavior to
find is unlabeled, with no external information sources.
[2] Classification for MID
Outputs the similarity from misuse cases.
Algorithms: Statistics / Classification (Machine learning)
Dataset: signature (representation of attack)
Misuse detection adopts a classification algorithm because the activity to
analyze requires that the detector know how classes are defined.
98. Clustering and classification:
The tradeoff about the accuracy and range of detection
There are two major data mining techniques applied to
intrusion detection: clustering and classification.
Clustering is the automated, unsupervised process that
allows one to group together data with similar
characteristics. Classification is the method of learning to
assign data to predefined classes.
A tradeoff between the accuracy and range of detection
exists between clustering and classification.
Classification deals with predefined data, so it affords
detection of weaker signals and accurate
recognition. But in some cases, it may be biased by
incorrect training data, and it is not able to detect new
types of attacks, in the sense that the attack does not
belong to any category defined before.
Clustering is not distorted by previous knowledge, but
therefore needs a stronger signal to make a discovery. At the same
time it can deal with unlabeled attacks because the
training doesn't specify what the detection system is
trying to find, although clustering can go too far and flag
activity that is not part of an incident.
99. Experiment
DoS attack or network trouble?
In the experiment, we test the case
where false positives occur
frequently.
Burst traffic of a specific packet type
caused by network trouble
is often misrecognized as a DoS
attack.
In this case,
Output of AID = YES
Output of MID = NO
Among anomalous burst traffic,
states caused by attacks or
malicious behavior are included.
In this case,
Output of AID = YES
Output of MID = YES
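An added example, not the paper's nonlinear adaptive system, of running AID and MID in parallel on the DoS-versus-network-trouble case, with sensitivity and singularity computed as on slide 96. The traffic windows, the z-score profile used for AID, the nearest-centroid classifier used for MID and the rule that MID = YES always leads to a security operation are assumptions.

```python
from statistics import mean, pstdev

# Constructed data. Each window is (packets per second, SYN ratio).
NORMAL = [(100, 0.10), (120, 0.12), (90, 0.09), (110, 0.11), (105, 0.10)]  # AID profile
LABELED = [((900, 0.95), "attack"), ((1200, 0.90), "attack"), ((800, 0.97), "attack"),
           ((100, 0.10), "benign"), ((950, 0.12), "benign"), ((1000, 0.10), "benign")]
# Evaluation windows with ground truth (True = attack); the third and fourth
# windows are bursts caused by network trouble.
EVAL = [((102, 0.10), False), ((115, 0.11), False), ((980, 0.11), False),
        ((1050, 0.09), False), ((1000, 0.94), True), ((850, 0.96), True)]

MU = [mean(col) for col in zip(*NORMAL)]
SD = [pstdev(col) for col in zip(*NORMAL)]

def scaled(window):
    """Express a window in standard deviations from the normal profile."""
    return [(v - m) / s for v, m, s in zip(window, MU, SD)]

def aid(window, threshold=3.0):
    """Anomaly detection: YES when the window is far from the normal profile."""
    return max(abs(v) for v in scaled(window)) > threshold

def centroid(label):
    points = [scaled(w) for w, lab in LABELED if lab == label]
    return [mean(col) for col in zip(*points)]

CENTROIDS = {label: centroid(label) for label in ("attack", "benign")}

def mid(window):
    """Misuse detection: YES when the nearest labeled class is 'attack'."""
    def dist2(label):
        return sum((a - b) ** 2 for a, b in zip(scaled(window), CENTROIDS[label]))
    return min(CENTROIDS, key=dist2) == "attack"

def decide(window):
    """Combine the two binary outputs into the operation to perform."""
    anomaly, misuse = aid(window), mid(window)
    if misuse:
        return "security operation"  # assumption: MID = YES always goes to security
    return "network operation" if anomaly else "no action"

def rates(detector, windows):
    """Return (sensitivity, singularity) = (TP/(TP+FN), TN/(TN+FP))."""
    tp = fn = tn = fp = 0
    for window, is_attack in windows:
        hit = detector(window)
        if is_attack:
            tp, fn = tp + hit, fn + (not hit)
        else:
            fp, tn = fp + hit, tn + (not hit)
    return tp / (tp + fn), tn / (tn + fp)

def report():
    return {"AID alone": rates(aid, EVAL),
            "AID and MID": rates(lambda w: aid(w) and mid(w), EVAL),
            "decisions": [decide(w) for w, _ in EVAL]}
```

On the constructed windows, AID alone flags the network-trouble bursts as well as the attacks, and adding the MID output separates the two without losing either attack.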
100. Detection and analysis of Android malware
Dynamic analysis: run the application and observe it.
TaintDroid: An Information-Flow Tracking System for Realtime
Privacy Monitoring on Smartphones
William Enck, Peter Gilbert, Byung-gon Chun, Landon P. Cox,
Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. In
Proc. of the USENIX Symposium on Operating Systems
Design and Implementation (OSDI), October 2010 in
Vancouver
Static analysis: decompile the application and inspect the source code.
A study of android application security
SEC'11 Proceedings of the 20th USENIX conference on Security
Pages 21-21
William Enck
101. Detection and analysis of Android malware
Dalvik VM interpreter
TaintDroid: An Information-Flow
Tracking System for Realtime Privacy
Monitoring on Smartphones