Towards Cloud-based Intelligence Services: an IP Reputation system to detect financial drones
Confab IV, July-2010

Agenda
• Motivation.
• The Intelligence Cloud in a Glimpse.
• Blacklist-based IP Reputation Service.
• Quality of an IP Blacklist.
• Example.
• Implementation.
• Conclusions and Future Works.
Motivation
• Data (and Intelligence!) sharing is a must to mitigate financial cybercrime.
• Unfortunately, useful data is dispersed (IP blacklists), unformatted (whois responses) or not easy to find (ccTLD registrars).
• The Cloud looks like a promising enabler, but ironically the bad guys are adopting it more readily than we are! (See DarkClouds.)
• Is the Cloud useful for deploying Intelligence Services in order to fight financial cybercrime?
The Intelligence Cloud in a glimpse
• Being developed as part of a joint project (anti-phishing/botnets) with one of the biggest savings banks in Spain (+10M online banking users).
[Architecture diagram; labels on the slide: Bank premises, Whois, ccTLD, Antifraud system, Private Cloud, Site Availability, IP Reputation, CSIRT]
The Blacklist-based IP Reputation Service
• Traditional detection mechanisms (e.g. behavioral traffic analysis) are not effective against financial botnets, mainly because of their stealthy nature.
• Most financial institutions use a-posteriori approaches, i.e. behavioral analysis of transaction logs.
• Clear need for real-time detection mechanisms.
• Proposed approach: (shown as a diagram on the slide)
Quality of an IP Blacklist
• Hypothesis: an aggregated set of IP blacklists might be used to compute the reputation (botnet membership) of incoming connections.
• We have contributed a novel framework that computes a quantitative score, or reputation, for a particular IP blacklist.
• Applied the framework to a set of 5 different IP blacklists, comparing them against 2 sets of known Zeus-infected IPs (approx. 35,000 records among drones and C&C).
• The experiment ran uninterruptedly during February 2010, retrieving the blacklists on an hourly basis (approx. 110 GB of data, equivalent to 537,000,000 IP records).
Example
• Taking only the Completeness parameter into account, each list that contains the IP contributes its Completeness score (1 for a hit, 0 for a miss). If a particular IP hits against lists A, B and D, its reputation is:
1 × 6.39 + 1 × 61.95 + 1 × 26.05 = 94.39 out of a maximum of 104.18 (a hit against all five lists).
Implementation
• Private Cloud deployment or ? (deployment options shown on the slide)
• Each node stores up to 4 million IPs in RAM.
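The following is an added example, not code from the original talk or from the bank project it describes. It implements the scoring rule of the Example slide (a hit against a list contributes that list's Completeness score, normalised against the 104.18 maximum) on top of the kind of packed in-RAM storage the Implementation slide alludes to (each IPv4 address kept as a 4-byte integer in a sorted array, so 4 million entries cost about 16 MB). The scores 6.39, 61.95, 26.05 and the total 104.18 come from the slide; the list names, the feed format (one address per line, `#` or `;` comments) and the sample feed contents are constructed assumptions, and how the Completeness score of a list is itself computed is not given on the page and is not modelled here.

```python
import bisect
import ipaddress
from array import array
from typing import Dict, List, Tuple

# Completeness scores taken from the slide's worked example. The slide only
# gives the scores of lists A, B and D and the total over all five lists
# (104.18), so lists C and E are left out rather than given made-up scores.
LIST_WEIGHTS: Dict[str, float] = {"A": 6.39, "B": 61.95, "D": 26.05}
MAX_SCORE = 104.18

# Constructed sample feeds (documentation-range addresses, not real blacklist
# data): one IPv4 address per line, with the comments, blank lines, duplicates
# and malformed entries that hourly-pulled feeds tend to contain.
SAMPLE_FEEDS: Dict[str, str] = {
    "A": "# list A\n203.0.113.7\n198.51.100.23\nnot-an-ip\n\n",
    "B": "203.0.113.7\n192.0.2.1\n198.51.100.23 ; seen twice\n198.51.100.23\n",
    "D": "; list D\n203.0.113.7\n192.0.2.200\n",
}


def parse_feed(text: str) -> array:
    """Parse a one-address-per-line feed into a sorted, de-duplicated
    array of 32-bit integers.

    A str inside a Python set costs well over 50 bytes per address; an
    array('I') element costs 4, which is what makes holding a whole
    4-million-entry list in RAM on a single node cheap.
    """
    ips = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            ips.add(int(ipaddress.IPv4Address(entry)))
        except ipaddress.AddressValueError:
            continue  # drop malformed entries instead of failing the whole pull
    return array("I", sorted(ips))


def memory_bytes(sorted_ips: array) -> int:
    """Bytes used by the packed array (itemsize is 4 on common platforms)."""
    return sorted_ips.itemsize * len(sorted_ips)


def contains(sorted_ips: array, ip_int: int) -> bool:
    """Binary-search membership test on the packed, sorted array."""
    i = bisect.bisect_left(sorted_ips, ip_int)
    return i < len(sorted_ips) and sorted_ips[i] == ip_int


def reputation(
    ip: str,
    lists: Dict[str, array],
    weights: Dict[str, float] = LIST_WEIGHTS,
    max_score: float = MAX_SCORE,
) -> Tuple[float, float, List[str]]:
    """Weighted-hit reputation as on the Example slide: every list that
    contains the IP contributes 1 x its Completeness score, misses add 0.

    Returns (raw score, raw score / max_score, names of the lists hit).
    Raises ValueError if `ip` is not a valid IPv4 literal.
    """
    ip_int = int(ipaddress.IPv4Address(ip))
    hits = [name for name, arr in lists.items() if contains(arr, ip_int)]
    raw = sum(weights[name] for name in hits)
    return raw, raw / max_score, hits


def load_lists(feeds: Dict[str, str] = SAMPLE_FEEDS) -> Dict[str, array]:
    """Parse every feed into its packed array, keyed by list name."""
    return {name: parse_feed(text) for name, text in feeds.items()}


if __name__ == "__main__":
    lists = load_lists()
    for name, arr in lists.items():
        print(f"list {name}: {len(arr)} addresses, {memory_bytes(arr)} bytes")
    for candidate in ("203.0.113.7", "198.51.100.23", "192.0.2.1", "10.0.0.1"):
        raw, norm, hits = reputation(candidate, lists)
        print(f"{candidate:>15}: {raw:6.2f} / {MAX_SCORE} ({norm:.1%}) hits={hits}")
```

With the constructed feeds, 203.0.113.7 hits A, B and D and scores 94.39 / 104.18, matching the slide; the malformed line in feed A and the duplicate in feed B are discarded at parse time so they can neither crash an hourly pull nor inflate a score.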
Conclusions and Future Works
• Cloud-based Intelligence services might trigger data sharing to fight financial cybercrime.
• Data mashups are a useful technique for these Cloud services (have you seen Maltego(TM)?).
• IP reputation metrics are being further investigated.
• Ongoing collaborations with interested parties, e.g. APWG and some well-known blacklist providers.
• We would like to approach projects such as CoMiFin.
• Begin deployments in public/hybrid Clouds (under evaluation).
Gràcies / Gracias / Thank you
Dr. Jesús Luna, Senior Researcher, jluna@bdigital.org