Internet Analysis System - Prof. Dr. Norbert Pohlmann

Academic year: 2021

(1)

Prof. Dr. Norbert Pohlmann
Institute for Internet Security - if(is)
University of Applied Sciences Gelsenkirchen
http://www.internet-sicherheit.de

Internet Analysis System
Internet Continuous

(2)

Norbert Pohlmann, Institute for Internet Security - if(is), University of Applied Sciences Gelsenkirchen, Germany

Content

Structure of the Internet
Internet Situation Awareness
Internet Analysis System (IAS)
Global View


(4)

Structure of the Internet
Example: Analysis "Internet Germany"

Figure: "Most important" Autonomous Systems

(5)

Data volume / month in Germany
Estimation (2007)

Figure: data streams exchanged between autonomous systems (AS); monthly volume per type of connection, with the customer transit volume as 100%:

- TRANSIT (Customer): 150 Peta Byte (100%)
- TRANSIT (Global ISP): 40 Peta Byte (27%)
- PUBLIC PEERING: 30 Peta Byte (20%)
- PRIVATE PEERING: 50 Peta Byte (33%)
- INTERNAL: 30 Peta Byte (20%)
- 100 Peta Byte (66%): private user

A view on data streams exchanged between the networks (AS)!

(6)

Structure of the Internet
Conclusion

The Internet is more or less like a black box to the various stakeholders.
The Internet has become critical in some parts by now.
One reason is the lack of global monitoring and controlling for the distributed infrastructure.
When using the Internet today various stakeholders just need trust, that


(8)

Internet Situation Awareness
Definition

The term Situation Awareness (SA) comes from the area of air traffic control and military command & control.

The generic definition of the term Situation Awareness (SA) is: Situation Awareness is "the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning and the projection of their status in the near future".

(9)

Internet Situation Awareness
Added value

Situation Awareness (SA) is essential not just for the home user to strengthen the trust in using the Internet, but also for representatives of the government for Internet Governance to make strategies for the further development, or for enterprises planning to use the Internet as a reliable platform for business.

The understanding of the environment is crucial for the process of decision making, and a perfect Situation Awareness will reflect positively in the actions of the stakeholders.


(11)

Internet Analysis System
Idea

Figure labels: Internet, IAS, Evaluation System

Observation of the critical infrastructure "Internet".

Probes are placed in strategically selected spots of the internet communication infrastructure to gather the raw data, made up of counters of header information. Only header information is counted, which is not considered as data privacy relevant.

The system gathers information over a long period of time!

A centrally managed Evaluation System is used to analyze the raw data and to display the detailed results in an intuitive manner.

(12)

Internet Analysis System
Targets

- Description of profiles, patterns and coherences; creation of a knowledge base.
- Outline of the current state of the internet.
- Detection of attacks and of deviations (anomalies).

(13)

Internet Analysis System
Counting of header information (1/2)

Figure: each observed header field value increments its own counter (+1).

Number of Counters:
- Max: 870,000
- Real average (Ø): 60,000

(14)

Internet Analysis System
Counting of header information (2/2)

All of this information is completely anonymous by design!

Figure: table of counters (columns: Counter, Value)
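The header-counting scheme of slides 13 and 14, as an added example written for this page (not IAS code): a probe reads only the IP protocol, the transport destination port and, for mail, the Content-Type from headers, increments one counter per observed value, and never stores addresses or payload. The PacketHeader record, the sample traffic and the helper names are constructed for the example; the src_ip field is present only to show that it is deliberately not counted.

```python
"""Header-only counting in the style of the IAS probes (added example, not
the project's code). All sample traffic below is constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PacketHeader:
    # Only fields a probe reads from headers; the payload is never stored.
    ip_proto: str                  # "TCP", "UDP", "ICMP", ...
    dst_port: Optional[int]        # transport destination port, None for ICMP
    content_type: Optional[str]    # SMTP Content-Type, if the flow is mail
    src_ip: str                    # on the wire, but deliberately NOT counted


# Constructed sample traffic (not real measurements)
SAMPLE = [
    PacketHeader("TCP", 80, None, "192.0.2.10"),
    PacketHeader("TCP", 443, None, "192.0.2.11"),
    PacketHeader("TCP", 25, "text/plain", "192.0.2.12"),
    PacketHeader("TCP", 25, "multipart/mixed", "192.0.2.13"),
    PacketHeader("UDP", 53, None, "192.0.2.14"),
    PacketHeader("ICMP", None, None, "192.0.2.15"),
    PacketHeader("TCP", 80, None, "192.0.2.10"),
]


def count_headers(packets):
    """One '+1' per observed header value. Keys are (field, value) pairs;
    no address and no payload is ever recorded, so the raw data is
    anonymous by construction rather than by later scrubbing."""
    counters = Counter()
    for p in packets:
        counters[("ip_proto", p.ip_proto)] += 1
        if p.dst_port is not None:
            counters[("dst_port", p.dst_port)] += 1
        if p.content_type is not None:
            counters[("smtp_content_type", p.content_type)] += 1
    return counters


def distribution(counters, field):
    """Share in percent of each value of `field` (e.g. TCP 89% / UDP 7%),
    rounded to one decimal; empty if the field was never counted."""
    total = sum(v for (f, _), v in counters.items() if f == field)
    if total == 0:
        return {}
    return {val: round(100 * v / total, 1)
            for (f, val), v in counters.items() if f == field}


def contains_identifier(counters):
    """Check a data-protection review would ask for: no key carries an IP."""
    return any(f == "src_ip" for (f, _) in counters)


if __name__ == "__main__":
    c = count_headers(SAMPLE)
    print(distribution(c, "ip_proto"))
    print(distribution(c, "dst_port"))
    print("identifiers stored:", contains_identifier(c))
```

The point of keying counters by (field, value) is that a probe can grow to hundreds of thousands of counters while still holding nothing that identifies a host; the only way an identifier could enter the data set is a new field name, which the check at the end catches.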

(15)

IAS: Current State of Development
Result: Knowledge base

Distribution of Transport Protocols (figure labels: TCP, UDP, ESP, IGMP, ICMP, GRE)
- TCP: 89%
- UDP: 7%

Profile shaping and trend development

(16)

IAS: Current State of Development
Result: Knowledge base

SMTP Content Type
- 60% "text" mails
- 33% "attachments"

By Content-Type value:
- 33%: multipart/mixed
- 26%: text/plain
- 4%: text/html

(17)

IAS: Current State of Development
Result: Detection of attacks (1/2)

SMTP Content Type

Temporarily more e-mails with attachments -> mail worms/viruses!

(18)

Knowledge Base - IAS
Result: Detection of attacks (2/2)

PDF Spam Wave (figure label: Application/PDF)
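One way to turn the Content-Type counters into the attack detection of slides 17 and 18, as an added example (not IAS code): daily counter values for all SMTP messages and for messages of one watched Content-Type are constructed, a baseline share is learned from clean days only, and a day whose share exceeds mean + k times the standard deviation of that baseline is flagged. The series, the threshold parameters and the function names are assumptions made for this example.

```python
"""Detecting a temporary rise of one SMTP Content-Type (attachments, or
application/pdf in a spam wave) against a learned baseline. Added example,
not IAS code; the daily counter values are constructed."""
from statistics import mean, pstdev

# Constructed daily counters: (day, total SMTP messages, messages whose
# Content-Type counter was application/pdf). Not real measurements.
DAILY_PDF = [
    ("d01", 10000, 80), ("d02", 10200, 85), ("d03", 9800, 75),
    ("d04", 10100, 90), ("d05", 9900, 82), ("d06", 10050, 78),
    ("d07", 10300, 88),
    ("d08", 12400, 2100),  # constructed wave: PDF spam
    ("d09", 11800, 1650),
    ("d10", 10000, 84),
]


def share(total, part):
    """Fraction of messages with the watched content type; 0 if none seen."""
    return part / total if total else 0.0


def detect_waves(series, baseline_days=7, k=3.0, min_sigma=1e-4):
    """Flag days whose share exceeds mean + k*stddev of the last
    `baseline_days` clean days. Flagged days are not fed back into the
    baseline, so a wave lasting several days cannot raise its own
    threshold. Returns (day, share, threshold) tuples for flagged days."""
    clean = []    # shares of days accepted as normal
    alerts = []
    for day, total, part in series:
        s = share(total, part)
        if len(clean) < baseline_days:
            clean.append(s)            # warm-up: no alerting yet
            continue
        window = clean[-baseline_days:]
        # min_sigma keeps a perfectly flat baseline from yielding a
        # zero-width threshold that would flag every tiny fluctuation
        threshold = mean(window) + k * max(pstdev(window), min_sigma)
        if s > threshold:
            alerts.append((day, round(s, 4), round(threshold, 4)))
        else:
            clean.append(s)
    return alerts


def alerted_days(series, **kw):
    """Just the day labels of the flagged days."""
    return [a[0] for a in detect_waves(series, **kw)]


if __name__ == "__main__":
    for day, s, thr in detect_waves(DAILY_PDF):
        print(f"{day}: share {s:.2%} exceeds threshold {thr:.2%}")
```

Working on shares rather than raw counts matters because total mail volume also rises during a wave; a raw-count threshold would fire on ordinary busy days as well. The same function applies unchanged to the "attachments" share of slide 17 by feeding it the multipart/mixed counter instead of application/pdf.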

(19)

IAS: Current State of Development
Result: Technology trend

Distribution of browsers (Technology Trend)

Diurnal profile: differences between manual use (e.g., Internet Explorer and Firefox) and automated use (e.g., wget) are detectable.

Figure labels: Firefox, Internet Explorer, Others (wget, etc.)

(20)

IAS: Current State of Development
Result: Awareness (Crypto used TLS)

- 6%: RSA, AES / SHA1
- 33%: DHE_RSA, AES / SHA1
- 60%: RSA / RC4 / MD5

(21)

IAS: Current State of Development
Result: Access-Connection (1/2)

Distribution of protocols (sum) (figure labels: P2P, HTTP)

(22)

IAS: Current State of Development
Result: Access-Connection (2/2)

Distribution of protocols (over the time) (figure label: HTTP)

(23)

IAS: Current State of Development
Result: Technology trend (Firefox vs. IE)

Figure label: Firefox

(24)

IAS: Current State of Development
Result: Technology trend (TCP Dst Port 25)

(25)

IAS: Current State of Development
Continuous Situation Awareness


(27)

Idea of the Global View
Overview

Figure: local view P1, local view P2, local view P3 -> generation of global view -> global view (virtual probe)

(28)

Idea of the Global View
Relation of used protocols

Global representation of the relation of different protocols (Example: Web communication)

Figure values: 11% Port 443 (TLS/SSL); 13% Port 443 (TLS/SSL)
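How a global view can be generated from local probe views (slides 27 and 28), as an added example (not IAS code): per-probe counters of TCP destination ports are constructed so that two probes show the 11% and 13% port-443 shares from the slide, plus a third smaller probe. The virtual probe pools the raw counts, which weights each probe by its traffic; the contrast function shows why simply averaging the local percentages would give a different, misleading answer. Probe names and counts are assumptions.

```python
"""Generation of a global view from local probe views (added example, not
IAS code). The per-probe counters are constructed."""
from collections import Counter

# Constructed local views: per-probe counters of TCP destination ports in
# web traffic. P1 and P2 reproduce the 11% and 13% port-443 shares from the
# slide; P3 is an extra, smaller probe. Not real measurements.
LOCAL_VIEWS = {
    "P1": Counter({80: 8900, 443: 1100}),
    "P2": Counter({80: 4350, 443: 650}),
    "P3": Counter({80: 1700, 443: 300}),
}


def local_share(counter, key):
    """Percentage of all counted packets in one view that carried `key`."""
    total = sum(counter.values())
    return 100.0 * counter[key] / total if total else 0.0


def global_view(local_views):
    """The virtual probe: the pooled counter of all local views, so every
    packet counted anywhere counts exactly once in the global view."""
    merged = Counter()
    for counter in local_views.values():
        merged.update(counter)
    return merged


def global_share(local_views, key):
    """Share of `key` as the virtual probe sees it."""
    return local_share(global_view(local_views), key)


def averaged_share(local_views, key):
    """Unweighted mean of the local percentages, shown for contrast: it
    treats a probe seeing 2,000 packets like one seeing 10,000."""
    shares = [local_share(c, key) for c in local_views.values()]
    return sum(shares) / len(shares)


if __name__ == "__main__":
    for name, view in LOCAL_VIEWS.items():
        print(f"{name}: {local_share(view, 443):.1f}% port 443")
    print(f"global view: {global_share(LOCAL_VIEWS, 443):.1f}% port 443")
    print(f"mean of local shares: {averaged_share(LOCAL_VIEWS, 443):.1f}%")
```

Because the local views are plain counters, the merge step is associative: probes can be pooled region by region and the regional views pooled again, and the result is the same as pooling all probes at once. That is what lets a virtual probe stand in for any subset of the real ones.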

(29)

Anomaly detection
Detection of Malware

Dangers on the internet (e.g.: attachment ZIP) (figure label: global view)

(30)

Internet Continuous Situation Awareness
Project idea

Object: Internet

Figure labels: Critical Assets, Internet, sensors, global data, statistics, partners, ..., PPP

This will help to:

(31)

Internet Situation Awareness
Related work

Sensor level:
- Log-data based
- Honeypot based
- Netflow based

Analysis level:
- Pattern recognition
- Neural network models
- Data Mining algorithms

System level:
- Symantec - DeepSight Threat Management System
- DShield.org - Internet Storm Center of the SANS
- MOMENT, LOBSTER - pan-European platform
- CarmentiS project of the German CERTs


(33)

Internet Analysis System
Summary

The internet is a critical infrastructure for our society.
We need a trusted infrastructure (Internet) to protect our future.
Analogous to natural disaster warning systems, like the Tsunami warning system, we need Continuous Situation Awareness and an Early Warning System for the Internet to be able to issue countermeasures before the actual threat strikes at us.

If you can't measure it, you can't manage it!

(34)

Prof. Dr. Norbert Pohlmann

Thank you for your attention!
Questions?

Internet Analysis System
Internet Continuous
