Prof. Dr.
Norbert Pohlmann
Institute for Internet Security - if(is)
University of Applied Sciences Gelsenkirchen
http://www.internet-sicherheit.de
Internet Analysis System
Internet Continuous
Prof. Dr. Norbert Pohlmann, Institute for Internet Security - if(is), University of Applied Sciences Gelsenkirchen, Germany
Content
- Structure of the Internet
- Internet Situation Awareness
- Internet Analysis System (IAS)
- Global View
Structure of the Internet
Example: Analysis "Internet Germany" - the "most important" Autonomous Systems
[Figure: map of the most important Autonomous Systems of the German Internet]
Data volume / month in Germany - Estimation (2007)
A view on the data streams exchanged between the networks (Autonomous Systems, AS):

  TRANSIT (Customer)     150 Peta Byte (100%)
  PRIVATE PEERING         50 Peta Byte  (33%)
  TRANSIT (Global ISP)    40 Peta Byte  (27%)
  PUBLIC PEERING          30 Peta Byte  (20%)
  INTERNAL                30 Peta Byte  (20%)

  100 Peta Byte (66%): private users
Structure of the Internet - Conclusion
The Internet is more or less a black box to the various stakeholders.
The Internet has by now become critical in some parts.
One reason is the lack of global monitoring and control of the distributed infrastructure.
When using the Internet today, the various stakeholders just need to trust that
Content
Structure of the Internet
Internet Situation Awareness
Internet Analysis System (IAS)
Global View
ann , Institute for In terne t Se curit y -if (is), Univ e rsity of Ap plie d Sci ence s Gelsen kirch en, G erm any
Internet Situation Awareness - Definition
The term Situation Awareness (SA) comes from the areas of air traffic control and military command & control.
The generic definition of the term Situation Awareness (SA) is: Situation Awareness is "the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning and the projection of their status in the near future".
Internet Situation Awareness - Added value
Situation Awareness (SA) is essential not just for home users, to strengthen their trust in using the Internet, but also for government representatives responsible for Internet governance, to devise strategies for its further development, and for enterprises planning to use the Internet as a reliable platform for business.
Understanding the environment is crucial for the process of decision making, and a perfect Situation Awareness will reflect positively in the actions of the stakeholders.
Internet Analysis System - Idea
[Figure: probes placed in the Internet report their counters to the central IAS Evaluation System]
Observation of the critical infrastructure "Internet".
Probes are placed at strategically selected spots of the Internet communication infrastructure to gather the raw data, which consists of counters of header information. Only header information is counted, which is not considered privacy-relevant.
The system gathers information over a long period of time!
A centrally managed Evaluation System is used to analyze the raw data and to display the detailed results in an intuitive manner.
Internet Analysis System - Targets
- Description of profiles, patterns and coherences; creation of a knowledge base.
- Outline of the current state of the Internet.
- Detection of attacks and of deviations.
Internet Analysis System - Counting of header information (1/2)
[Figure: every observed packet header increments the matching counters (+1)]
Number of counters:
- Max: 870.000
- Real average (Ø): 60.000
Internet Analysis System - Counting of header information (2/2)
All of this information is completely anonymous by design!
[Figure: table of counters and their values]
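To make the "counting of header information" concrete, here is an added example (not the IAS code or the project's own probe software) of a probe-side counter: it parses raw IPv4/TCP packets, increments one counter per IP protocol and per TCP destination port, and never reads or stores addresses or payload. The packet builders, the addresses and the traffic mix are constructed for this example.

```python
"""Added example (not the IAS code): counting header information of raw IPv4/TCP
packets the way a probe would, keeping only counters and no addresses or payload.
Packet builders and sample traffic are constructed for this example."""
import struct
from collections import Counter

# IP protocol numbers of the protocols named on the page (IANA assignments)
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}


def build_ipv4(proto, src, dst, payload=b""):
    """Construct a minimal IPv4 packet: 20-byte header without options (test data only)."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes(src), bytes(dst))
    return header + payload


def build_tcp(sport, dport):
    """Construct a minimal 20-byte TCP header (SYN, data offset 5) used as payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


class HeaderCounter:
    """Probe-side counters: header fields are counted, never stored per packet."""

    def __init__(self):
        self.packets = 0
        self.ip_proto = Counter()      # one counter per IP protocol
        self.tcp_dst_port = Counter()  # one counter per TCP destination port

    def observe(self, pkt):
        """Increment the counters matching one raw packet; skip non-IPv4 or truncated data."""
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            return False
        ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
        proto = pkt[9]                     # protocol field of the IPv4 header
        self.packets += 1
        self.ip_proto[PROTO_NAMES.get(proto, f"proto-{proto}")] += 1
        # The addresses at pkt[12:20] are deliberately never read: anonymous by design.
        if proto == 6 and len(pkt) >= ihl + 4:
            self.tcp_dst_port[struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]] += 1
        return True

    @staticmethod
    def shares(counter):
        """Percentage share of each key, rounded to whole percent."""
        total = sum(counter.values())
        return {k: round(100 * v / total) for k, v in counter.items()} if total else {}


def sample_traffic():
    """Constructed traffic mix: 9 TCP packets (5x port 80, 2x 443, 2x 25), 1 UDP, 1 ICMP."""
    a, b = (10, 0, 0, 1), (192, 0, 2, 7)   # constructed addresses, counted nowhere
    pkts = [build_ipv4(6, a, b, build_tcp(40000 + i, port))
            for i, port in enumerate([80] * 5 + [443] * 2 + [25] * 2)]
    pkts.append(build_ipv4(17, a, b, b"\x00" * 8))   # UDP header, payload not inspected
    pkts.append(build_ipv4(1, a, b, b"\x08\x00"))    # ICMP echo request
    return pkts


def count_sample():
    """Run the counter over the constructed traffic and return it."""
    hc = HeaderCounter()
    for pkt in sample_traffic():
        hc.observe(pkt)
    return hc


if __name__ == "__main__":
    hc = count_sample()
    print(hc.packets, "packets")
    print("IP protocols:", hc.shares(hc.ip_proto))
    print("TCP dst ports:", dict(hc.tcp_dst_port))
```

The design point is that the only state leaving the probe is the counter table: a reviewer can verify from `observe` that no per-packet record and no address is ever written, which is what makes the data set "anonymous by design".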
IAS: Current State of Development - Result: Knowledge base
Distribution of transport protocols; profile shaping and trend development.
- TCP: 89%
- UDP: 7%
- Other protocols observed: ESP, IGMP, ICMP, GRE
IAS: Current State of Development - Result: Knowledge base
SMTP Content Type:
- 60% "text" mails
- 33% "attachments"
Most frequent content types:
- 33%: multipart/mixed
- 26%: text/plain
- 4%: text/html
IAS: Current State of Development - Result: Detection of attacks (1/2)
SMTP Content Type: temporarily more e-mails with attachments -> mail worms/viruses!
Knowledge Base - IAS - Result: Detection of attacks (2/2)
PDF spam wave, visible in the counter for the content type application/pdf.
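The two detection results above (a temporary rise of attachment mails, a PDF spam wave) rest on the same idea: compare today's counter share against a baseline built from earlier days. The following added example (not the IAS code) implements that check on constructed daily SMTP content-type counters; the dates, totals and the wave on the last two days are constructed, and the window, k and min_delta parameters are assumptions of this example.

```python
"""Added example (not the IAS code): detecting a temporary rise in e-mails with
attachments from daily SMTP content-type counters. All daily counts are constructed."""
from statistics import mean, pstdev

# Constructed daily counters: total SMTP messages and the multipart/mixed (attachment) count.
# Days 9 and 10 carry a constructed wave of attachment mails.
DAILY_COUNTERS = [
    {"date": "2007-06-01", "total": 10000, "multipart/mixed": 3200},
    {"date": "2007-06-02", "total": 10000, "multipart/mixed": 3400},
    {"date": "2007-06-03", "total": 10000, "multipart/mixed": 3300},
    {"date": "2007-06-04", "total": 10000, "multipart/mixed": 3100},
    {"date": "2007-06-05", "total": 10000, "multipart/mixed": 3500},
    {"date": "2007-06-06", "total": 10000, "multipart/mixed": 3300},
    {"date": "2007-06-07", "total": 10000, "multipart/mixed": 3200},
    {"date": "2007-06-08", "total": 10000, "multipart/mixed": 3300},
    {"date": "2007-06-09", "total": 10000, "multipart/mixed": 6100},
    {"date": "2007-06-10", "total": 10000, "multipart/mixed": 5800},
]


def attachment_share(day, content_type="multipart/mixed"):
    """Share of messages with the given content type on one day (0 if no mail was seen)."""
    return day[content_type] / day["total"] if day["total"] else 0.0


def detect_attachment_waves(days, window=7, k=3.0, min_delta=0.05):
    """Flag days whose attachment share exceeds the baseline of the last `window`
    normal days by more than k standard deviations (and by at least min_delta,
    so a very quiet baseline does not produce alerts on noise).
    Flagged days are kept out of the baseline so a multi-day wave stays visible."""
    baseline, alerts = [], []
    for day in days:
        share = attachment_share(day)
        if len(baseline) >= window:
            hist = baseline[-window:]
            mu, sigma = mean(hist), pstdev(hist)
            if share > mu + max(k * sigma, min_delta):
                alerts.append({"date": day["date"], "share": round(share, 3),
                               "baseline": round(mu, 3)})
                continue  # an anomalous day does not enter the baseline
        baseline.append(share)
    return alerts


if __name__ == "__main__":
    for alert in detect_attachment_waves(DAILY_COUNTERS):
        print(alert)
```

Excluding flagged days from the baseline matters for the edge case of a wave lasting several days: if the first spike day were allowed into the baseline, its standard deviation would inflate the threshold and the second day of the wave would be missed.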
IAS: Current State of Development - Result: Technology trend
Distribution of browsers (technology trend) and diurnal profile: differences between manual use (e.g., Internet Explorer and Firefox) and automated use (e.g., wget) are detectable.
[Figure: shares of Internet Explorer, Firefox and others (wget, etc.) over the course of a day]
IAS: Current State of Development - Result: Awareness (crypto used in TLS)
- 60%: RSA / RC4 / MD5
- 33%: DHE_RSA / AES / SHA1
- 6%: RSA / AES / SHA1
IAS: Current State of Development - Result: Access connection (1/2)
[Figure: distribution of protocols (sum), dominated by P2P and HTTP]
IAS: Current State of Development - Result: Access connection (2/2)
[Figure: distribution of protocols over time, HTTP highlighted]
IAS: Current State of Development - Result: Technology trend (Firefox vs. IE)
[Figure: Firefox share over time]
IAS: Current State of Development - Result: Technology trend (TCP Dst Port 25)
[Figure: traffic to TCP destination port 25 over time]
IAS: Current State of Development - Continuous Situation Awareness
Idea of the Global View - Overview
Each probe delivers a local view (local view P1, P2, P3, ...). A virtual probe generates the global view from these local views.
[Figure: local views P1-P3 combined by a virtual probe into the global view]
Idea of the Global View - Relation of used protocols
Global representation of the relation of different protocols (example: web communication)
- 11% Port 443 (TLS/SSL)
- 13% Port 443 (TLS/SSL)
[Figure: share of port 443 (TLS/SSL) in web communication in two views]
Anomaly detection - Detection of malware
Dangers on the Internet (e.g. attachment ZIP), seen in the global view.
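The global view and the malware example above combine: the virtual probe sums the counters of all local views, and a probe whose local share of a counter (here the ZIP attachment content type) runs far above the global share points at a locally concentrated danger. The following added example (not the IAS code) shows that aggregation; the probe names P1-P3, the counter families and all counts are constructed, and the 5% tolerance is an assumption of this example.

```python
"""Added example (not the IAS code): merging the local views of several probes into
a global view (the "virtual probe") and spotting a probe whose local share of a
counter is well above the global share. Probe names and all counters are constructed."""
from collections import Counter

# Constructed local views: per probe, counter family -> counter
LOCAL_VIEWS = {
    "P1": {"tcp_dst_port": Counter({"80": 800, "443": 100, "other": 100}),
           "smtp_content_type": Counter({"text/plain": 600, "multipart/mixed": 300,
                                         "application/zip": 10})},
    "P2": {"tcp_dst_port": Counter({"80": 700, "443": 130, "other": 170}),
           "smtp_content_type": Counter({"text/plain": 400, "multipart/mixed": 200,
                                         "application/zip": 5})},
    "P3": {"tcp_dst_port": Counter({"80": 2000, "443": 300, "other": 700}),
           "smtp_content_type": Counter({"text/plain": 500, "multipart/mixed": 250,
                                         "application/zip": 250})},  # constructed ZIP wave
}


def global_view(local_views):
    """Virtual probe: sum every counter family over all local views."""
    merged = {}
    for view in local_views.values():
        for family, counter in view.items():
            merged.setdefault(family, Counter()).update(counter)
    return merged


def share(counters, key):
    """Share of one counter within its family; 0 if the family is empty."""
    total = sum(counters.values())
    return counters.get(key, 0) / total if total else 0.0


def probes_above_global(local_views, family, key, tol=0.05):
    """Names of probes whose local share of `key` exceeds the global share by more than tol."""
    g = share(global_view(local_views)[family], key)
    return sorted(name for name, view in local_views.items()
                  if share(view.get(family, Counter()), key) > g + tol)


if __name__ == "__main__":
    g = global_view(LOCAL_VIEWS)
    print("global share of port 443:", round(share(g["tcp_dst_port"], "443"), 3))
    print("global share of application/zip:", round(share(g["smtp_content_type"], "application/zip"), 3))
    print("probes above global ZIP share:", probes_above_global(LOCAL_VIEWS, "smtp_content_type", "application/zip"))
```

Because the global view is a plain sum, a large probe dominates it; that is also why the local-versus-global comparison is useful, since a concentrated wave at one probe is diluted in the global share but stands out locally.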
Internet Continuous Situation Awareness - Project idea
Object: Internet (critical assets)
[Figure: Internet sensors, global data, statistics, partners, ... brought together (PPP)]
This will help to:
Internet Situation Awareness - Related work
Sensor level:
- Log-data based
- Honeypot based
- Netflow based
- ...
Analysis level:
- Pattern recognition
- Neural network models
- Data mining algorithms
- ...
System level:
- Symantec - DeepSight Threat Management System
- DShield.org - Internet Storm Center of the SANS
- MOMENT, LOBSTER - pan-European platform
- CarmentiS project of the German CERTs