CIPHER: Counterintelligence Penetration Hazard Evaluation and Recognition
Thomas E. Potok, Ph.D., Applied Software Engineering Research Group Leader, Computational Sciences and Engineering Division, Oak Ridge National Laboratory
Research Team: Mark Elmore, Joel Reed, Jim Treadwell
Oak Ridge National Laboratory
• Established in 1943 for the World War II Manhattan Project.
• ORNL today pioneers the development of new energy sources, technologies, and materials.
• The advancement of knowledge in Biological, Chemical, Computational, Engineering, Environmental, Physical, and Social Sciences.
• Budget: $870 million, 80% Department of Energy, 20% work for others.
• 3800 employees, 1500 scientists and engineers.
Background
• SNORT network intrusion detection software is placed outside of the ORNL firewall.
• Any packet entering or leaving ORNL that trips a SNORT rule results in a log entry being created.
• Roughly 1 million log entries are created per day.
Four Actual SNORT Records
[**] ftp-000172 IDS152 - PING BSD [**]
07/20-00:05:02.815218 0:90:69:9D:B0:3E -> 0:3:6C:42:53:FC type:0x800 len:0x62
213.61.6.2 -> 128.219.153.31 ICMP TTL:46 TOS:0x0 ID:19485 ID:8831 Seq:9639 ECHO

[**] misc-000264 IDS247 - MISC - Large UDP Packet [**]
07/20-00:05:02.822267 0:90:69:9D:B0:3E -> 0:3:6C:42:53:FC type:0x800 len:0x4F8
63.76.192.107:23882 -> 160.91.64.211:6970 UDP TTL:119 TOS:0x0 ID:41256 Len: 1238

[**] ftp-000172 IDS152 - PING BSD [**]
07/20-00:05:02.832993 0:90:69:9D:B0:3E -> 0:3:6C:42:53:FC type:0x800 len:0x62
212.62.17.145 -> 128.219.153.31 ICMP TTL:50 TOS:0x0 ID:2867 ID:18484 Seq:12610 ECHO

[**] ftp-000172 IDS152 - PING BSD [**]
07/20-00:05:02.865830 0:90:69:9D:B0:3E -> 0:3:6C:42:53:FC type:0x800 len:0x62
211.13.227.66 -> 128.219.153.31 ICMP TTL:54 TOS:0x0 ID:50798 ID:7904 Seq:22732 ECHO
…
Step 1: Create Software to Process the Raw Data
From: Raw Log Entry
[**] misc-000264 IDS247 - MISC - Large UDP Packet [**]
07/20-00:05:03.171193 0:90:69:9D:B0:3E -> 0:3:6C:42:53:FC type:0x800 len:0x527
63.76.192.107:23882 -> 160.91.64.211:6970 UDP TTL:119 TOS:0x0 ID:60713 Len: 1285
To: Parsed Log Entry
Filter: misc-000264 IDS247 - MISC - Large UDP Packet
Date: 07/20
TOD: 00:05:03.171193
Source IP: 63.76.192.107
Source Port: 23882
Target IP: 160.91.64.211
Target Port: 6970
Length: 1285
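A parser for the SNORT alert layout shown above, written here as an added illustration of Step 1 (it is not the CIPHER team's code). It splits the log on the [**] headers, so it works whether each record spans three lines or was flattened onto one, and it handles ICMP records, which carry no ports and no Len field; the sample input is constructed from the records on the slides.

```python
import re

# Constructed sample in SNORT's three-line "full" alert layout; the values are
# the ones shown on the slides, not a live capture.
SAMPLE = """\
[**] misc-000264 IDS247 - MISC - Large UDP Packet [**]
07/20-00:05:03.171193 0:90:69:9D:B0:3E -> 0:3:6C:42:53:FC type:0x800 len:0x527
63.76.192.107:23882 -> 160.91.64.211:6970 UDP TTL:119 TOS:0x0 ID:60713 Len: 1285

[**] ftp-000172 IDS152 - PING BSD [**]
07/20-00:05:02.815218 0:90:69:9D:B0:3E -> 0:3:6C:42:53:FC type:0x800 len:0x62
213.61.6.2 -> 128.219.153.31 ICMP TTL:46 TOS:0x0 ID:19485 ID:8831 Seq:9639 ECHO
"""

HEADER = re.compile(r"\[\*\*\]\s*(?P<filter>.*?)\s*\[\*\*\]")
TIME = re.compile(r"(?P<date>\d\d/\d\d)-(?P<tod>\d\d:\d\d:\d\d\.\d+)")
# Dotted-quad endpoints with optional :port; the MAC line never matches this.
FLOW = re.compile(
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<tip>\d+\.\d+\.\d+\.\d+)(?::(?P<tport>\d+))?\s+(?P<proto>\w+)"
)
LEN = re.compile(r"Len:\s*(?P<len>\d+)")  # case-sensitive: skips "len:0x..."


def parse_alerts(text):
    """Return one dict per SNORT record, in the field layout of the parsed log entry."""
    heads = list(HEADER.finditer(text))
    records = []
    for i, h in enumerate(heads):
        # The body of a record runs from its header to the next header.
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[h.end():end]
        t, f = TIME.search(body), FLOW.search(body)
        if not (t and f):
            continue  # malformed record: skip rather than guess at fields
        ln = LEN.search(body)
        records.append({
            "filter": h.group("filter"),
            "date": t.group("date"),
            "tod": t.group("tod"),
            "source_ip": f.group("sip"),
            "source_port": int(f["sport"]) if f["sport"] else None,
            "target_ip": f.group("tip"),
            "target_port": int(f["tport"]) if f["tport"] else None,
            "protocol": f.group("proto"),
            "length": int(ln["len"]) if ln else None,
        })
    return records
```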
Step 2: Create Software to Organize the Information by Source IP
• Source IP: 192.112.36.5 attacked the following ORNL IPs
• 07/20 00:01 160.91.77.79 66 misc-000224 IDS118 - MISC-Traceroute ICMP
• 07/20 00:01 160.91.77.79 66 misc-000224 IDS118 - MISC-Traceroute ICMP
• 07/20 00:36 160.91.192.107 66 misc-000224 IDS118 - MISC-Traceroute ICMP
• 07/20 00:36 160.91.192.107 66 misc-000224 IDS118 - MISC-Traceroute ICMP
Step 3: Create Software to Relate Lab Assets to IP Addresses
Parsed Log Entry
Filter: misc-000264 IDS247 - MISC - Large UDP Packet
Date: 07/20
TOD: 00:05:03.171193
Source IP: 63.76.192.107 (User: John Doe; Research Area: Nuclear Physics)
Source Port: 23882
Target IP: 160.91.64.211 (Target Name: smith.aol.com)
Target Port: 6970
Length: 1285
Lookups used to fill in the user and research area, in order:
1. DNS Database: 63.76.192.107 maps to John Doe, BN 123456
2. NetReg Database: 63.76.192.107 maps to John Doe, BN 123456
3. CME Database: Johnathon Doe, BN 123456, maps to Nuclear Physics
Finding Lab Assets Is Not Easy
• Based on our Collaborative Management Environment (CME) Project
• One common picture of Laboratory Research Funding for DOE
• Funded at $2.4M over 4 years
• Dr. Ernest Moniz, Under Secretary of Energy, approves
• CME-based Portfolio Management Environment (PME)
• Producing approximately $39 million annual productivity gains for DOE
Step 4: Create Software to Find Attacks Against Lab Assets
• Philosophy: Look at activity against valuable lab assets, not at packet statistics
• Find SNORT log entries against funded researchers
• Significantly reduces data from 1M records to approximately 15,000
• 788 unique source addresses
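Steps 2 through 4 in code, added here as an illustration rather than taken from the CIPHER tool: records are grouped by source IP, each target is joined against stand-ins for the DNS, NetReg and CME lookups of Step 3, and only hits on assets owned by a funded researcher (one with a CME research area) are kept. The parsed records, host names, badge numbers and lookup tables are constructed, and the lookups are assumed to be keyed on the ORNL-side target IP.

```python
from collections import defaultdict

# Constructed parsed records in the shape Step 1 produces; IPs and filters follow the slides.
RECORDS = [
    {"date": "07/20", "tod": "00:36", "source_ip": "192.112.36.5", "target_ip": "160.91.192.107",
     "filter": "misc-000224 IDS118 - MISC-Traceroute ICMP"},
    {"date": "07/20", "tod": "00:01", "source_ip": "192.112.36.5", "target_ip": "160.91.77.79",
     "filter": "misc-000224 IDS118 - MISC-Traceroute ICMP"},
    {"date": "07/20", "tod": "00:05", "source_ip": "63.76.192.107", "target_ip": "160.91.64.211",
     "filter": "misc-000264 IDS247 - MISC - Large UDP Packet"},
]
# Constructed stand-ins for the three lookups: DNS (IP -> host name),
# NetReg (IP -> registered user, badge number), CME (badge number -> funded research area).
DNS = {"160.91.77.79": "host-a.example.ornl", "160.91.64.211": "host-b.example.ornl"}
NETREG = {"160.91.77.79": ("John Doe", "BN 123456"), "160.91.192.107": ("Jane Roe", "BN 654321")}
CME = {"BN 123456": "Nuclear Physics"}  # only funded researchers have an entry here


def enrich(rec):
    """Step 3: attach asset owner and research area to a record (None where a lookup misses)."""
    out = dict(rec)
    out["target_name"] = DNS.get(rec["target_ip"])
    out["user"], out["badge"] = NETREG.get(rec["target_ip"], (None, None))
    out["research_area"] = CME.get(out["badge"]) if out["badge"] else None
    return out


def by_source(records):
    """Step 2: organise records by attacking source IP, each group in time order."""
    groups = defaultdict(list)
    for r in sorted(records, key=lambda r: (r["date"], r["tod"])):
        groups[r["source_ip"]].append(r)
    return dict(groups)


def against_funded_assets(records):
    """Step 4: keep only hits whose target belongs to a funded researcher."""
    return [e for e in map(enrich, records) if e["research_area"]]


def unique_sources(records):
    """The 'unique source addresses' count reported on the slide, for the reduced set."""
    return len({r["source_ip"] for r in records})
```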
Step 5: Create Changes to the Original VIPAR Tool
• Adapt for usage with SNORT records
• Allow records to be searchable, including by IP address
• Create folders based on SNORT filters
• Can instantly find all the PINGs, or traceroutes
Results: All Attacks
• SNORT log entries from 788 source IPs
• Failed login errors highlighted
Suspicious Patterns
• Search over curious PI name
• 45 entries from: Czech Republic, Austria, Hungary, Latvia, France, Chile, and Canada
• Both PIs work in the same nanoscience area
Hidden Potential Attack
CIPHER Value
• This analysis cannot be done without CIPHER!
• Ability to quickly summarize data
• Organized around SNORT filters
• Can quickly find suspicious patterns
• Search over records
• Find similar patterns
Potential Next Steps
• Create interface for tools to work with broader collections of data
• Connect CIPHER directly to reduced data
• Expand to work on multiple days
• Add IP watch list capability
• Add data from other sources: trip reports, sensitive technologies, sensitive countries