April 10, 2011 Salzburg, Austria - WOMBAT project

nicter: A Large-Scale Network Incident Analysis System
Case Studies for Understanding Threat Landscape

Masashi ETO, National Institute of Information and Communications Technology, eto@nict.go.jp
Junji NAKAZATO, National Institute of Information and Communications Technology, nakazato@nict.go.jp
Daisuke INOUE, National Institute of Information and Communications Technology, dai@nict.go.jp
Kazuhiro OHTAKA, National Institute of Information and Communications Technology, ohtaka@nict.go.jp
Jungsuk SONG, National Institute of Information and Communications Technology, song@nict.go.jp
Koji NAKAO, National Institute of Information and Communications Technology, ko-nakao@nict.go.jp

Abstract

We have been developing the Network Incident analysis Center for Tactical Emergency Response (nicter), whose objective is to detect and identify propagating malware. The nicter mainly monitors darknet, a set of unused IP addresses, to observe global trends of network threats, while it captures and analyzes malware executables. By correlating the network threats with the analysis results of malware, the nicter identifies the root causes (malware) of the detected network threats. Through a long-term operation of the nicter for more than five years, we have achieved some key findings that help us to understand the intentions of attackers and the comprehensive threat landscape of the Internet. With a focus on a well-known malware, i.e., W32.Downadup, this paper provides some practical case studies with considerations, and consequently we could obtain a threat landscape in which more than 60% of the attacking hosts observed in our darknet could be infected by W32.Downadup. As an evaluation, we confirmed that the result of the correlation analysis was correct at a rate of 86.18%.

Keywords: network monitoring, malware analysis, correlation analysis

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
BADGERS 2011, April 10-13, 2011, Salzburg, Austria. Copyright © 2011 ACM [to be supplied]... $10.00

1. Introduction

The recent outbreak of the W32.Downadup worm shows that the worm problem remains relevant and requires further analysis. As countermeasures against malware, especially malware related to zero-day attacks, practical solutions should be developed effectively and urgently. In order to fight threats induced by malware, we have been researching and developing the Network Incident Analysis Center for Tactical Emergency Response (nicter) [1–3]. The nicter mainly monitors darknet, a set of unused IP addresses, to observe global trends of network threats, while it captures and analyzes malware executables. The nicter realizes a practical implementation of Macro-Micro Correlation Analysis, in which global observations in a macroscopic view and malware analysis in a microscopic view are correlated to bind the observed attacks (mainly scans) with their possible root causes, namely malware, based on the fundamental propagation steps of malware such as scan → exploit code → malware download. This paper presents how the nicter collects and stores large amounts of data such as network traffic, malware samples and analysis results in order to provide them to the various analysis engines. With some case studies on practical data, experimental results are presented that indicate that there are still many hosts infected by W32.Downadup.

2. Related Work

Various commercial, academic, or government-backed projects are ongoing to research and develop countermeasure technologies [4–6] against malicious activities observed in the global Internet. Many of these projects concentrate on event analysis that provides statistical data, such as a rapid increase of accesses on certain port numbers, by using network event monitoring. In particular, it is becoming popular and easier to monitor a dark address space, which is a set of globally announced unused IP addresses [4, 7, 8]. One can set up honeypots [9–12] on these addresses to masquerade as vulnerable hosts in order to monitor and record malicious activities, or listen quietly (black hole monitoring) to the incoming packets, which often contain a great amount of malware scans, DDoS backscatter, etc. This paper calls these global observations over the Internet in a macroscopic view ‘Macro Analysis’. That is, Macro Analysis can be applied to efficiently grasp the macroscopic behaviors (such as global scans) which are the first stage of malware activities over the Internet. However, since it is based on ‘event (scan) observations’ at the macroscopic level and is performed without any explicit information regarding the attacker’s behavior, its results often leave a certain level of uncertainty about the attack caused by the malware.

On the other hand, apart from the macroscopic view, analyzing an actual malware executable has been another challenge. Reverse engineering techniques are applied to disassemble a malware executable so that the analyst can understand its structure [13, 14]. Also, sandbox analysis, in which malware code is actually executed in a closed (or access-controlled) experimental environment, is capable of observing its behavior [14–16]. We call these direct malware analyses in a microscopic view ‘Micro Analysis’. Micro Analysis reveals detailed structures and behaviors of malware, although it does not provide any information on their activities in real networks simply because it is performed in the closed experimental environment.

Even though the above Macro Analysis and Micro Analysis have been studied and deployed in various analysis systems, the knowledge obtained from these activities has not been effectively and efficiently linked, which makes the identification of the root causes of security incidents more difficult. Therefore, it is important to achieve the link between Macro and Micro Analysis in real time, which will provide a strong countermeasure against threats such as an outbreak of new malware, a stealthy activity of a botnet, a new type of attack on an unknown vulnerability, etc.

[Figure 1. Overview of nicter]

3. Overview of nicter

The nicter is composed of four main systems, as depicted in Fig. 1: the Macro analysis System (MacS), the Micro analysis System (MicS), the Network and malware enchaining System (NemeSys), and the Incident Handling System (IHS). The MacS uses distributed sensors to monitor darknets deployed in several universities and corporations. A darknet is a set of globally announced unused IP addresses, and using it is a good way to monitor network attacks such as malware scans. Since there is no legitimate host using these addresses, we can consider all incoming traffic to be a consequence of some kind of malicious activity (or of a misconfiguration). All incoming traffic is input to analysis engines to detect incident candidates, such as new scan patterns or a sudden increase of scans. We call the monitoring method that quietly monitors the incoming packets of a darknet black hole monitoring. Meanwhile, the MicS captures malware in the wild by utilizing various types of capture mechanisms such as honeypots, dummy email accounts, and a web crawler. Captured malware executables are fed into a malware behavior analyzer and a malware code analyzer to extract their characteristics and behaviors. Analysis results are stored in a database called the Malware kNOwledge Pool (MNOP). The NemeSys enchains the phenomena, i.e., incident candidates, and their root causes, i.e., malware. Once it has been given an attacking host observed in the MacS, the correlation analyzer in the NemeSys outputs a list of malware that has similar network behavior (i.e., scans) with
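The Macro-Micro correlation step described above (an attacking host's darknet scan profile matched against the scan behaviour recorded for sandboxed samples in the MNOP), as an added illustration that is not nicter's own code: the port-frequency profiles, the cosine similarity metric, the threshold and every packet and sample below are constructed assumptions, since this page does not give the analyzer's actual metric.

```python
from collections import defaultdict

# Constructed darknet records (src_ip, dst_ip, dst_port, proto). Under black hole
# monitoring every packet reaching an unused address is treated as suspicious.
DARKNET_PACKETS = [
    ("198.51.100.7", "203.0.113.10", 445, "tcp"),
    ("198.51.100.7", "203.0.113.11", 445, "tcp"),
    ("198.51.100.7", "203.0.113.12", 139, "tcp"),
    ("198.51.100.7", "203.0.113.13", 445, "tcp"),
    ("192.0.2.44", "203.0.113.20", 1433, "tcp"),
    ("192.0.2.44", "203.0.113.21", 1434, "udp"),
    ("192.0.2.44", "203.0.113.22", 1433, "tcp"),
]

# Constructed Micro Analysis (sandbox) profiles standing in for MNOP entries:
# destination ports each sample scanned, with hit counts.
MNOP = {
    "sample_A": {445: 9, 139: 1},
    "sample_B": {1433: 5, 1434: 5},
    "sample_C": {80: 10},
}


def macro_profile(packets):
    """Aggregate darknet packets into a per-attacker destination-port frequency map."""
    prof = defaultdict(lambda: defaultdict(int))
    for src, _dst, port, _proto in packets:
        prof[src][port] += 1
    return prof


def similarity(a, b):
    """Cosine similarity between two port-frequency maps (0.0 when either is empty)."""
    ports = set(a) | set(b)
    dot = sum(a.get(p, 0) * b.get(p, 0) for p in ports)
    na = sum(v * v for v in a.values()) ** 0.5
    nb = sum(v * v for v in b.values()) ** 0.5
    return dot / (na * nb) if na and nb else 0.0


def correlate(attacker_profile, mnop, threshold=0.5):
    """Rank MNOP samples by scan-pattern similarity to one attacking host; drop weak matches."""
    ranked = sorted(((similarity(attacker_profile, p), name) for name, p in mnop.items()), reverse=True)
    return [(name, round(score, 3)) for score, name in ranked if score >= threshold]


if __name__ == "__main__":
    for host, prof in macro_profile(DARKNET_PACKETS).items():
        print(host, "->", correlate(prof, MNOP))
```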
