name-anomaly detection in icn · 2017-05-17 · name-anomaly detection in icn information-leakage...

Name-AnomalyDetectioninICNInformation-leakageinNDN

DaishiKondo1,2,ThomasSilverston3,HidekiTode4,Tohru Asami5 andOlivierPerrin1,2

1UniversitédeLorraine,LORIA(CNRSUMR7503)2InriaNancy– GrandEst

3NationalInstituteforinformationandCommunicationTechnology4GraduateSchoolofEngineering,OsakaPrefectureUniversity

5GraduateSchoolofInformationScience&Technology,UniversityofTokyo

3rd FRA-JPNmeeting,April24-262017,Tokyo

Information-leakage

• OneofthemainsecuritythreatinInternet– ITSecurityRisksSurvey2014:ABusinessApproachtoManaginghttp://media.kaspersky.com/en/IT_Security_Risks_Survey_2014_Global_report.pdf

• CyberEspionage– TargetedAttacks(malware,website,externalmemorydevice)

• Examples:Sony,Target– $100Mupgradingsystems– 46%dropinbenefits

[UnderstandingTargetedAttacks:TheImpactofTargetedAttacks]

2

TargetedAttacks

3

Source:ITSecurityCenterIPA:ITPromotionAgencyhttp://www.ipa.go.jp/security/english/newattack_en.html

• InfectsPCviaemails• Probesnetwork• Steals Information

CountermeasuresTrainemployees?Humanerrors

Information-Centric Networking• Internetismostlyusedtoaccesscontent

– Video:80%ofglobalconsumertrafficby2019• [CiscoVNI2015]

– TCP/IP:host-to-host communicationparadigm• Usersareinterestedwithcontentnotlocation• Information-CentricNetworking

– Named-DataNetworking(NDN)[CoNext 2009]– Host-to-content communication

• Packetaddressrefers tocontentnameandnotlocation(host)• New« Networklayer »

forFutureInternet– Dataatthecore ofthe

communication

4

67% of Internet trafficwas video traffic in 2014

Video traffic will accountfor 80% of Internet traffic

NDNOverview• Packetaddressrefers tocontentnamenotlocation

– Named-DataNetworking• Twoprimitives

– Interest,userrequestscontentbyissuinganInterestmessage

– Data,anodehavingthecontentanswerwithaDatamessage

• In-NetworkCaching• Dataatthecore ofthecommunication• New ‘NetworkLayer’forContentDelivery

5

Publisher

User2User1

RouterB

Name Forwardto/doctor RouterB/doctor/obj RouterC

Name Comingfrom-- --

RouterAafterreceivingDataFIB

PIT

CachedcopiesinCS/doctor/index.htm


Name Comingfrom/doctor/index.htm User1

RouterAafterreceivingInterestFIB

PIT

CachedcopiesinCS--



RouterBafterreceivingDataFIB

PIT



Name Comingfrom/doctor/index.htm RouterA

RouterBafterreceivingInterestFIB

PIT

CachedcopiesinCS--

FIB PIT

ContentStore

RouterA

FIB PIT

ContentStore

1

2

3

4

5

8

7

6NDN/CCN packetInterest: Request for contentData/Content Object: Data to userNDN/CCN componentFIB: Forwarding Information BasePIT: Pending Interest TableCS: Content Store

[2] http://www.doctor-project.org/outcome/deliverable/DOCTOR-D1.1.pdf

OverviewofNamed-DataNetworking(NDN)

OverviewofNamed-DataNetworking(NDN)

7

Publisher

User2User1

RouterB



RouterAafterreceivingDataFIB

PIT



Name Comingfrom/doctor/index.htm User1

RouterAafterreceivingInterestFIB

PIT

CachedcopiesinCS--



RouterBafterreceivingDataFIB

PIT



Name Comingfrom/doctor/index.htm RouterA

RouterBafterreceivingInterestFIB

PIT

CachedcopiesinCS--

FIB PIT

ContentStore

RouterA

FIB PIT

ContentStore

1

2

3

4

5

8

7

6

ICN messagesInterest: request for a contentData: Data message to user

Two kinds of packets that can leak information

ICN componentsFIB: Fwd. Info. BasePIT: Pending Interest TableCS: Content Store

http://www.doctor-project.org/outcome/deliverable/DOCTOR-D1.1.pdf

Information-leakagewithDataPackets

8

Enterprise Network

The Internet

Gatekeeper(Network Administrator)

Attacker

Malware

Normal Agent

Employee A

Comp1/Pub/Info1

Comp1/Priv/Info1

Firewall

1) Gatekeeper has white list ofpublic contents

2) Every new content is checkedby gatekeeper to register it intowhite list

3) Any content cannot be accessedunless it is listed in white list

Rules to Publish Content

Gatekeeper can prevent information leakagethrough Data packet (reply messages)

§ DatapacketincludesØData,contentname,etc.

§ CharacteristicofDatapacketØDatapacketcannotbesentifnotareplyfromInterestpacket

9

Information-LeakagethroughDataPacket

Only Interest packets can leak information from network

Information-leakagewithInterest

Enterprise Network

Outside Network

Malware

C&C Server

Firewall

Bot

Interest Packet

Data Packet

Interest/Data Packet

Preparation for Attack1. C&C server

(Control malware via bots)2. Bot3. Malware

Interest Name can be used to leak information through Targeted Attacks (request messages)

Summary:Information-leakagethroughNDNpackets

11

• Interest/Data packetsare“Request/Reply”- Contentname,etc.

• Data packetscanbefiltered out outbyadmin.- White/Blacklistsof(un)authorizedcontentnames

• CustomerList,BankingInfo,etc.

• Interestpacketsaresentoutthenetworktoexternalpublishersasrequests(“free”names)- MalwarescanuseInterest toleakInformationthroughTargetedAttacks(steganography-embedded)

RiskAnalysisofInformation-LeakagethroughInterestPacketsinNDN

• Performing information-leakage with names in NDN Interest packets

• Preventinformation-leakageinNDN(Interest)– MajorthreatintheInternet– Named-DataNetworking:architectureforFutureInternet

• Proposal– Interest(Packet)filteringbasedonanomalousnames

• firewall• Methodology

– StudyNamesintheInternetwithURLs• Assumption

– NDNNameswillbebasedonURLs• EasytotranslatecurrentURLNamesintoNDNnames

AttackModelandCountermeasure§ Attackmodel

ØMalwarebuildsanomalousnamestoleakinformationØsteganography-embedded

§ Countermeasures1. Name-basedfiltersusingNamestatistics2. Name-basedfilterusingone-classSVM

§ Assumption§ NDNnameswillbeextensionofURLsinthecurrentInternet

13

URLs Dataset

• WebCrawlingof7mainorganizations– Amazon,Ask,Stackoverflow,BBC,CNN,Google,Yahoo

• 1millionURLsforeachorganization/(Organization)/(Directory 1)/…/(Directory n)/(File)?(Query)#(Fragment)

<path><net_loc> <query> <fragment>

Directory Part File Part

URLs Parameters(RFC1808)Lengthof<PATH> Numberof‘/’in<path>

Lengthof<QUERY> Similarityofcharactersin<PATH>

Lengthof<FRAGMENT> Similarityofcharactersin<QUERY>

LengthofDirectory Similarity ofcharactersin<FRAGMENT>

LengthofFile

CharacterFrequenciesinURLs

19/5/16

URLs <PATH>

URLs <QUERY>

URLs <FRAGMENT>

URLsStatistics

100 162 23

21 57 5

0.95 0.95 0.95

0.950.950.95

Legitimate names: 95th percentile

URLsStatistics§ URLattributesandcomputedpercentiles

§ similarityofaveragedfrequenciesofalphabetsinPathandQuerycomparedtotypicalEnglishtext[6]

ØHighsimilaritywithtypicalEnglishtext=>UsingWordNet[7]forsteganography

17

[6] Frequency analysis, https://en.wikipedia.org/wiki/Frequency_analysis

[7] G. A. Miller, “WordNet: A Lexical Database for English," Commun. ACM, vol. 38, no. 11, pp. 39–41, Nov. 1995.

URLsSimilarity

Legitimate names exceed average similarity

NamesFilteringHeuristics§ FilterbasedonmeasuredURLparameters

§ Length(Path,Query,Fragment,Direction,File),#/§ 95th percentile

§ 33%anomalousURLs(67%arelegitimatenames)§ FilterwithSimilaritymeasure

§ Previousextendedfilter§ Characterfrequenciesw.r.t.averagefrequenciesinURLsdataset(Path,Query,Fragment)

§ 15%anomalousURLs(85%legitimatenames)

Attacker20

§ LeakeddataØ 3.4MBZipfilecompressing3Pdffilesfrom

latestITU-Trecommendations[9]§ Thresholdforeachattributeinanomalous

§ Dictionarycodingwith65,536dictionarywordsfromWordNet[7]Ø Tablewitheachdictionarywordand4

hexadecimaldigitstoeachword(onewordisequalto2Bytes)

[9] ITU-T, http://www.itu.int/en/ITU-T/publications/Pages/latest.aspx

Flow to create anomalous names with dictionary coding(i.e., steganography) in “com” domain

comnetorginfojpfruk

Attacker exploits one-class SVMto extract legitimate URLs

E.g.,ndn://attacker.com/info-leak/apple

ndn://attacker.com/info-leak/apple?

ndn://attacker.com/info-leak/apple?key1=banana

ndn://attacker.com/info-leak/apple?key1=bananandn://attacker.com/info-leak/……

Name-BasedFilterUsingOne-ClassSVM

§ One-classSVM[4]isunsupervisedmethodtoperformanomalydetectionØAdaptedifnotmanysamples

§ RegardingNDNarchitecture,therearecurrentlynotanomaloustrafficnornamesavailableØExtractingURLpropertiesascharacteristicsoflegitimatenamesandapplyingthemforone-classSVMfilter

21

[4] B. Scholkopf, et al., “Estimating the Support of a High-Dimensional Distribution,” Neural Comput., vol. 13, no. 7, pp. 1443–1471, Jul. 2001.

Filter using one-class SVM inspects namesdropped by filter using search engine

information

PerformanceEvaluation§ Performancemetric

ØPer-packetthroughputofinformation-leakage(Bytes/Interest_packet)

§ EachTLDdatasetisseparatedintotwosetstocreatename-basedfilterusingone-classSVMØTrainingsetforeachTLD:800,000URLsØTestingsetforeachTLD:200,000URLs

§ AssumptionØDefendingknowsattackmethod(i.e.,steganography-embedded Interestpackets)butnotitsparameters

ØAttackerknowscountermeasurebutnotitsparametersØThiscaseisofbenefittoattacker

22

PerformanceEvaluation

By using filter, malware has to send 264 times (2.06 KB/ 7.79B) more Interest packets

to the attacker than without using filter

• WithoutSVMfilter• Attackerbuildsnamesandleakinformation(steganography)• 2.06Kbytes/Interest_packets

• WithSVMfilter(tunedparameters)• 7.79Bytes/Interest_packets

ProjectANRDoctor(2014-2017)http://www.doctor-project.org/

• Deploymentofnewnetworkfunctionsandprotocols(e.g.:NDN)inavirtualizednetworkingenvironment(e.g.:NFV)

– Monitoring,managingandsecuring(usingSDNforreconfiguration)

• Partners:Orange,Thlaes,Montimage,UTT,LORIA/CNRS(900k€)

24

Conclusion• Information-leakageismainInternetSecuritythreat

– TargetedAttacks

• NDNasFutureInternetarchitecture– Preventleakageinformationfromnames(InterestPackets)

• Steganography-embeddedattacksinNames

• NDNNamesfilteringheuristics– BasedonURLsstatistics– Upto15%ofanomalousURLs– FirewallforNDN

• SVM-basedfilteringheuristics– Chokethroughputofinformation-leakage– Upto264moreInterestpacketstoleakthesameamountofinformation

• DesigningNamingSchemeforNamed-DataNetworking(NDN)– PrivacyinNDN

ThankYou

• Questions?

[email protected]

name-anomaly detection in icn · 2017-05-17 · name-anomaly detection in icn information-leakage...

Documents