
Internet Situation Awareness (II) Prof. Norbert Pohlmann


Academic year: 2021


Prof. Dr. Norbert Pohlmann

Internet Continuous Situation Awareness

Norbert Pohlmann, Institute for Internet Security - if(is), University of Applied Sciences Gelsenkirchen, Germany

Content

Structure of the Internet

Internet Situation Awareness

Internet Analysis System (IAS)

Global View


Structure of the Internet

Example: Analysis "Internet Germany"

"Most important" Autonomous Systems


Data volume / month in Germany

Estimation (2007)

A view on data streams exchanged between the networks (autonomous systems, AS)!

PUBLIC PEERING: 30 Peta Byte (20%)

PRIVATE PEERING: 50 Peta Byte (33%)

TRANSIT (Customer)

TRANSIT (Global ISP): 40 Peta Byte (27%)

INTERNAL: 30 Peta Byte (20%)


Structure of the Internet

Conclusion

The Internet is more or less like a black box to the various stakeholders.

The Internet has become critical in some parts by now.

One reason is the lack of global monitoring and controlling for the distributed infrastructure.

When using the Internet today, various stakeholders just need trust, that


Internet Situation Awareness

Definition

The term Situation Awareness (SA) comes from the area of air traffic control and military command & control.

The generic definition of the term Situation Awareness (SA) is:

Situation Awareness is "the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning and the projection of their status in the near future".


Internet Situation Awareness

Added value

Situation Awareness (SA) is essential not just for the home user to strengthen the trust in using the Internet, but also for representatives of the government for Internet Governance to make strategies for the further development, or for enterprises planning to use the Internet as a reliable platform for business.

The understanding of the environment is crucial for the process of decision making, and a perfect Situation Awareness will reflect positively in the actions of the stakeholders.


Internet Analysis System

Idea

Observation of the critical infrastructure "Internet".

Probes are placed in strategically selected spots of the internet communication infrastructure to gather the raw data, made up of counters of header information.

Only header information is counted, which is not considered as data privacy relevant.

The system gathers information over a long period of time!


Internet Analysis System

Targets

Description of profiles, patterns and correlations, creation of a knowledge base.

Outline of the current state of the internet.

Detection of attacks and of deviations.


Internet Analysis System

Counting of header information (1/2)

[Figure: counters incremented (+1) as header information is observed]


Internet Analysis System

Counting of header information (2/2)

All of this information is completely anonymous by design!

[Table columns: Counter, Value]


IAS: Current State of Development

Result: Knowledge base

Distribution of Transport Protocols (profile shaping and trend development)

Protocols shown: TCP, ESP, ICMP, UDP

TCP: 89%

UDP: 7%


IAS: Current State of Development

Result: Knowledge base

SMTP Content Type

60% "text" mails

33% "attachments"

33%: multipart/mixed

26%: text/plain

4%: text/html


IAS: Current State of Development

Result: Detection of attacks (1/2)

SMTP Content Type

Temporarily more e-mails with attachments -> mail worms / viruses!


Knowledge Base - IAS

Result: Detection of attacks (2/2)

PDF Spam Wave

Application/PDF
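Added example (not part of the original slides and not the IAS code): a probe that only increments counters of header values, as the counting slides describe, plus a comparison of the current interval against a knowledge-base profile, as in the attachment and PDF spam wave slides. The names Probe and deviations, the factor and floor thresholds, and all sample header lines and addresses are assumptions constructed for illustration.

```python
from collections import Counter
from email import message_from_string


class Probe:
    """Counts header values per time interval; stores no addresses or payload."""

    def __init__(self):
        self.intervals = {}  # interval label -> Counter(content type -> count)

    def observe(self, interval, src_ip, header_line):
        # src_ip is visible on the wire but is deliberately never stored.
        msg = message_from_string(header_line + "\n\n")
        ctype = msg.get_content_type()  # drops parameters such as file names
        self.intervals.setdefault(interval, Counter())[ctype] += 1  # the "+1"

    def shares(self, interval):
        counts = self.intervals[interval]
        total = sum(counts.values())
        return {value: n / total for value, n in counts.items()}


def deviations(profile, current, factor=2.0, floor=0.05):
    """Values whose current share exceeds factor x their profile share.
    Values absent from the profile are compared against `floor`."""
    return sorted(v for v, share in current.items()
                  if share > factor * max(profile.get(v, 0.0), floor))


def demo():
    # Constructed observations: header lines seen in two intervals.
    normal = (["Content-Type: text/plain; charset=us-ascii"] * 10
              + ["Content-Type: multipart/mixed; boundary=b1"] * 8
              + ["Content-Type: text/html"] * 2)
    wave = normal[::2] + ['Content-Type: application/pdf; name="offer.pdf"'] * 10
    probe = Probe()
    for line in normal:
        probe.observe("profile", "192.0.2.10", line)
    for line in wave:
        probe.observe("today", "198.51.100.7", line)
    return probe, deviations(probe.shares("profile"), probe.shares("today"))


if __name__ == "__main__":
    probe, flagged = demo()
    print(probe.intervals["today"], flagged)
```

The probe state holds only (content type, count) pairs, so neither the source address nor the attachment file name can be recovered from it.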


IAS: Current State of Development

Result: Technology trend

Distribution of browsers (Technology Trend), diurnal profile

Differences between manual use (e.g., Internet Explorer and Firefox) and automated use (e.g., wget) are detectable.

[Chart series: Internet Explorer, Firefox, Others (wget, etc.)]


IAS: Current State of Development

Result: Awareness (crypto used in TLS)

6%: RSA / AES / SHA1

33%: DHE_RSA / AES / SHA1

60%: RSA / RC4 / MD5


IAS: Current State of Development

Continuous Situation Awareness


Idea of the Global View

Overview

[Figure labels: local view P1, local view P2, virtual probe, generation of global view, global view]


Idea of the Global View

Relation of used protocols

Global representation of the relation of different protocols (Example: Web communication)

11% Port 443 (TLS/SSL)

13% Port 443 (TLS/SSL)


Anomaly detection

Detection of Malware

Dangers on the internet (e.g.: attachment ZIP), global view


Internet Situation Awareness

Project idea

[Figure labels: Object: Internet; Critical Assets; Internet; sensors; global data; statistics; partners; ...; PPP]

This will help to:


Internet Situation Awareness

Related work

Sensor level:
  Log-data based
  Honeypot based
  Netflow based

Analysis level:
  Pattern recognition
  Neural network models
  Data Mining algorithm

System level:


Internet Situation Awareness

Summary

The internet is a critical infrastructure for our society.

We need a trusted infrastructure (Internet) to protect our future.

Analogous to natural disaster warning systems, like the Tsunami warning system, we need Situation Awareness and an Early Warning System for the Internet to be able to issue countermeasures before the actual threat strikes at us.


Thank you for your attention!

Questions?
