Cyber-TA Kickoff Meeting
Cyber-Threat Analytics Introduction
Phillip Porras - porras@csl.sri.com
Computer Science Laboratory, SRI International
www.cyber-ta.org
28 September 2006
Slide navigation: Today’s Agenda / 2005 Summary / Web Portal / Introduction / Project Overview / Challenges / Consortium Members
Cyber-TA Overview
• Collaborative Wide-Area (National-scale) Threat Detection and Mitigation
• Problem Space:
  • develop efficient "RICH" security content sharing infrastructures
  • advance the state of the art on collaborative large-scale detection and mitigation schemes
  • new threat dissemination/mitigation schemes to characterize emerging attack patterns - actionable results
  • AND
  • Protect the security postures (user privacy, policies, topologies, defenses, vulnerabilities) of the data contributor
  • Minimize (remove) the reliance on trust among contributors and repositories
[Diagram: three communities - (Large-scale) Malware Researchers, Data Privacy Researchers, Operations]
Grand Challenges
• How to achieve an IA Common Operating Picture with mutually suspicious organizations, e.g., IC members, coalition partners, other law enforcement
• How to construct national-scale realtime correlation / alert forensic systems that scale to millions of events per day
• How to achieve privacy preserving IA data sharing (protocols, repositories, registration, analyses) with “minimal-trust”
• How to quantify the impact of our proposed privacy preserving countermeasures on the adversary workfactor
2006 Consortium Members
Data Privacy Group
• Prof. Vitaly Shmatikov, University of Texas at Austin
• Roger Dingledine, Moria Laboratory
• Prof. Joan Feigenbaum, Yale University
Encrypted Computation Group
• Brent Waters, SRI
• Prof. Dan Boneh, Stanford University
• Prof. Amit Sahai, University of California at Los Angeles
Active and Passive Malware Analysis and Mitigation
• Prof. Paul Barford, University of Wisconsin
• Prof. Karl Levitt, University of California at Davis
• Prof. Wenke Lee, Georgia Institute of Technology
• Prof. Peng Ning, North Carolina State University
• Prof. Dawn Song, Carnegie Mellon University
• Phil Porras / Al Valdes / Vinod Yegneswaran / Jian Zhang / Steven Cheung / Linda Briesemeister, SRI
Threat Ops Center and Commercial Transition
• Marcus Sachs, SRI International
• Ray Granvold, Promia Incorporated
• Livio Ricciulli, Force-10 Networks Inc.
• Johannes Ullrich, SANS Institute
Today’s Agenda
9:00 - 9:40am    Cliff Wang (ARO) / Phil Porras (SRI International) - Opening Remarks, Introductions, Project Overview
9:40 - 10:05am   Vitaly Shmatikov (University of Texas) - Data and Traffic Privacy
10:05 - 10:30am  Brent Waters (SRI International) - Privacy-preserving encrypted-data analysis
10:30 - 10:45am  Break
10:45 - 11:10am  Vinod Yegneswaran (SRI International) - Active monitoring systems
11:10 - 11:35am  Phil Porras (SRI International) - Massive and distributed data correlation
11:35 - 12:00pm  Wenke Lee (Georgia Tech) - Collaborative mitigation techniques
NOON - 1:00pm    Lunch
1:00 - 1:25pm    Marc Sachs (SRI International) - Threat operations center and demonstration capabilities
1:25 - 1:50pm    Livio Ricciulli (Force-10 Networks) - Ultra-High-Volume Infrastructure protection
1:50 - 2:15pm    Ray Granvold (Promia Inc.) - Experiences in DoD NOC security management
2:15 - 2:30pm    Closing Remarks
2005 Prototype Release
Design and field a security log repository and data collection infrastructure that
• allows mutually suspicious coalition partners to securely participate in alert sharing communities
• prevents leakage of contributor vulnerabilities and security posture while reporting detailed security log content
• provides extensive contributor control over anonymity services
• is resistant to “insider” repository browsing
• is resistant to traffic-based fingerprinting (to a degree!)
• is resistant to active data fingerprinting threats
• supports scalable data analysis for 1000’s of contributors and in the presence of anonymized content
Examine collaborative malware defense strategies
CTA Infrastructure - Release Notes
1st reference implementation and deployment of a Privacy-Preserving Threat Recon Infrastructure w/ data analysis services
• User-controllable anonymization of IDS/Firewall logs, aggregator, TLS over onion routing daemon, large-scale data repository center, web-based data portal/query/analysis of anonymized logs
• Primary objectives of release:
  • Red team data production and adversary models
  • Provide datasets for web portal and data analysis purposes
  • Examine network link, including TOR, reliability and bandwidth issues
  • Rapid-prototype platform to build distributed correlation systems
• Initial release targets: SRI Menlo Campus, Rosslyn Corporate Office, UC Davis Computer Science Lab, SANS Institute Bethesda, MD
CTA System Diagram (components as labelled on the slide)
Contributor side:
• INFOSEC Log Sensor Z
• CTA_Anonymizer v0.9, configured by an XML SPEC: Log Parsing Rules, Field Anonymization Policy, Aggregation Policy, User meta-data, Plugin policies
  • Components: GP ASCII Log Parser, Anonymizer Service, Alert Aggregator, Meta-data Extractor Plugin
• MIXNET Deliver Daemon
Transport (Encrypted Anonymous Log Delivery Protocol):
• TLS Session carried inside a TOR Circuit over TCP/IP across the Internet; Delivery Ack returned to the contributor
Repository side:
• www.cyber-ta.org (cyberta.dshield.org)
• Cyber-TA RDBMS Manager
• 1-30-day Summary Table Generator
• Web Portal: Query, Data Analyzer
Adversary Models – What’s in and out of scope?
• IN SCOPE
  • Direct Contributor Linkage From Repository
  • Network Traffic Analysis Agents
• OUT OF SCOPE
  • Active fingerprinting threats
  • PPFIX Dictionary Attacks
  • Multi-event pattern analysis
  • Rare-rule stimulation
  • Two-sided traffic analysis
  • Traffic-based timing attacks
  • Long lived connection statistical analyses
[Diagram: Org 2 and Org N contributing to the Repository; adversaries shown: Active Fingerprinter, Repository Insider, Timing Attacks, Traffic Eavesdropper]
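As an added illustration (not Cyber-TA code) of the contributor-side pipeline the system diagram sketches: a log parser, a contributor-controlled field anonymization policy, and an aggregator reporting raw versus aggregated counts. The log format, field names, policy values and the use of a keyed (HMAC) pseudonym for source addresses are my assumptions; the slides do not state how the v0.9 anonymizer derives its pseudonyms. The last function models the in-scope "repository insider" threat: without the contributor's key, candidate addresses cannot be checked against a pseudonym.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample firewall log lines in an assumed format (not Cyber-TA data).
RAW_LOGS = [
    "2006-09-28T09:00:01 DENY src=10.1.2.3 dst=192.0.2.10 dport=445 sig=SMB-probe",
    "2006-09-28T09:00:02 DENY src=10.1.2.3 dst=192.0.2.10 dport=445 sig=SMB-probe",
    "2006-09-28T09:00:05 DENY src=10.1.9.9 dst=192.0.2.11 dport=22 sig=SSH-scan",
    "2006-09-28T09:00:07 DENY src=10.1.2.3 dst=192.0.2.10 dport=445 sig=SMB-probe",
]
# Assumed log parsing rule, standing in for the XML-spec parsing rules.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) sig=(?P<sig>\S+)$"
)
# Contributor-chosen field anonymization policy: keep, drop, or pseudonym.
POLICY = {"ts": "drop", "action": "keep", "src": "pseudonym",
          "dst": "drop", "dport": "keep", "sig": "keep"}

def pseudonym(value, key):
    """Keyed pseudonym: stable within one contributor, not recomputable without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def anonymize(record, policy, key):
    """Apply the field policy; fields with no rule default to drop."""
    out = {}
    for field, value in record.items():
        rule = policy.get(field, "drop")
        if rule == "keep":
            out[field] = value
        elif rule == "pseudonym":
            out[field] = pseudonym(value, key)
    return out

def process(lines, policy, key):
    """Parse, anonymize, then aggregate identical records (raw vs aggregated count)."""
    records = [m.groupdict() for m in map(LINE_RE.match, lines) if m]
    anon = [anonymize(r, policy, key) for r in records]
    agg = Counter(tuple(sorted(a.items())) for a in anon)
    rows = [{**dict(k), "count": n} for k, n in agg.items()]
    return {"raw_count": len(records), "aggregated_count": len(rows), "rows": rows}

def guess_source(target, candidates, key):
    """Models a repository insider testing candidate addresses; needs the contributor key."""
    return next((c for c in candidates if pseudonym(c, key) == target), None)
```

A plain unkeyed hash in place of the HMAC would let an insider enumerate the IPv4 space offline, which is why the per-contributor key is the part worth protecting.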
Internet Portal and Analysis
CTA_Repository - Inventory View
• provides a concise summary of entire REP content
• provides quick assessment of recent REP dataflow volume/stats/trends (e.g., 1 day, 7 day, 30 day...)
• size of DB, # of Author_IDs (unique contributors), sensor types, event types, IP/port trends, data insertion rates, unique addrs (src/dst), (raw event count vs aggregated count)
http://www.cyber-ta.org
Web portal password – available upon request
Internet Portal and Analysis
Rates/Trends Graphs – User controlled graph construction: Event_ID, Signature Category, PPFix SRC, Contributor, Ports, etc.
Statistical Summaries: Table-based, capturing EventIDs, Port-policy, PPFix Addrs
Web Portal – Where to get info / access?
• www.cyber-ta.org
• Today’s slides
• General project info
• Publications
• Software releases
• Live Internet monitoring
• Data set / resources
• Project news
• Consortium partner info
• Contributor registration