Distilling & Investigating Network Activity at Scale University of California, Santa Barbara University of California, Berkeley Georgia Institute of Technology ARO/MURI Annual Review November 19, 2014 Vern Paxson


TRANSCRIPT

Page 1: Distilling & Investigating Network Activity at Scale - Seclab · Distilling & Investigating Network Activity at Scale ... Analysis to determine dependencies between assets and missions

Distilling & Investigating Network Activity at Scale

University of California, Santa Barbara

University of California, Berkeley

Georgia Institute of Technology

ARO/MURI Annual Review November 19, 2014

Vern Paxson

Page 2

Page 3

[Figure: project architecture diagram. Elements: Real World Enterprise Network; Observations: Netflow, Probing, Time analysis; Data; Mission Model; Cyber-Assets Model; Sensor Alerts; Correlation Engine; COAs; Analysis to get up-to-date view of cyber-assets; Analysis to determine dependencies between assets and missions; Impact Analysis; Create semantically-rich view of cyber-mission status; Simulation/Live Security Exercises; Predict Future Actions; Analyze and Characterize Attackers.]

Page 4

[Figure: the architecture diagram from Page 3, repeated; the Sensor Alerts and Data elements are called out.]

Page 5

[Figure: the architecture diagram from Page 3, repeated, with the project's thrusts overlaid:]

Enterprise Visibility: Inferring Asset Aliasing

Browser Subversion Threats

VAST: Visibility Across Space & Time, an Enterprise-Scale Investigatory Platform

Augmenting the Local Perspective With Global Information

Page 6

Overview

• Distilling network activity at scale
  – Browser subversion threats (UCB, UCSB, ICSI)
  – Enterprise visibility
    • Protocol analysis (ICSI, UCB)
    • Inferring asset aliasing (UCB, ICSI)
  – Integrating global vantage points to local perspectives
    • SSL Notary (ICSI, UCB)
    • SumStats (ICSI)

• Investigating network activity at scale
  – VAST: Visibility Across Space and Time (UCB, ICSI)

Page 7

[Figure: the architecture diagram from Page 3, repeated.]

Page 8

[Figure: the architecture diagram from Page 3, repeated; Predict Future Actions, Analyze and Characterize Attackers and their Data inputs are called out.]

Browser Subversion Threats

Page 9

Compromising the browser

Extensions

Malware

Page 10

What can a malicious extension do?

● Modify requests (e.g., affiliate fraud)

● Inject page modifications (e.g., ads)

● Keylogging (for visited pages)

● Steal credentials (authenticators)

Anything malicious that you can do with JavaScript having access to the visited page, the web requests, the browser’s cookies

Page 11

Approach (Hulk)

● Install extension in Chrome inside a VM

● Visit select & specially crafted pages

● Monitor extension’s activity

● Classify behavior

Page 12

HoneyPage

[Figure: the extension under analysis calls document.getElementById("fb_newsfeed") on an initially empty page (<html></html>); the HoneyPage answers by supplying <div id="fb_newsfeed"></div>.]
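The HoneyPage mechanism sketched above, as an added JavaScript example that is not Hulk's own code: a constructed stand-in for `document` that creates whatever element an extension asks for and logs the query, run against a constructed sample extension. The names HoneyDocument, BlankDocument, sampleExtension and runOn are assumptions made here.

```javascript
// Added illustration of the HoneyPage idea (constructed here, not Hulk's code):
// a stand-in for `document` whose lookups never fail. Each element an extension
// asks for is created on demand, and every query is logged for the analyst.
class HoneyElement {
  constructor(tag, attrs = {}) {
    this.tag = tag; this.attrs = { ...attrs }; this.children = []; this.innerHTML = "";
  }
  appendChild(child) { this.children.push(child); return child; }
}

class HoneyDocument {
  constructor() { this.body = new HoneyElement("body"); this.queries = []; }
  _ensure(tag, id) {               // fabricate the element on first lookup
    let el = this.body.children.find(c => c.attrs.id === id);
    if (!el) el = this.body.appendChild(new HoneyElement(tag, { id }));
    return el;
  }
  getElementById(id) { this.queries.push(id); return this._ensure("div", id); }
  querySelector(sel) {             // only "#id" and "tag#id" selectors are modelled
    this.queries.push(sel);
    const m = /^([a-z]*)#([\w-]+)$/i.exec(sel);
    return m ? this._ensure(m[1] || "div", m[2]) : null;
  }
}

// An ordinary blank page for comparison: the same lookups find nothing.
class BlankDocument {
  constructor() { this.queries = []; }
  getElementById(id) { this.queries.push(id); return null; }
  querySelector(sel) { this.queries.push(sel); return null; }
}

// Constructed stand-in for an extension content script that acts only once it
// finds the Facebook news-feed container (the slide's fb_newsfeed example).
function sampleExtension(doc) {
  const feed = doc.getElementById("fb_newsfeed");
  if (!feed) return false;         // stays dormant on an ordinary page
  feed.innerHTML = '<div class="injected">marker</div>';
  return true;
}

// Run an extension against a page; report whether it acted and what it probed.
function runOn(doc, extension) {
  return { acted: extension(doc), probed: doc.queries.slice() };
}
```

The probed list is the analyst's signal: it names the site-specific elements the extension was waiting for, which a blank page would never reveal because the extension stays dormant there.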

Page 13

Event handler fuzzing

● Extensions register to intercept network events …

● … We oblige them!

● Pretend to visit Alexa top 1 million domains

● Point to a HoneyPage

● Takes <10 sec on average

Page 14

Malicious behavior indicators

● Prevents extension uninstall

● Steals email/password from form

● Contains keylogging functionality

● Manipulates security-related HTTP headers

● Uninstalls extensions

Page 15

Suspicious behavior heuristics

● Injects dynamic JavaScript

● Evals with input >128 chars long

● Produces HTTP 4xx errors

● Performs requests to non-existent domains

Page 16

Results

● 47,940 extensions from Chrome Web Store

● 392 extensions from Anubis

Analysis result   Count
Benign            43,490
Suspicious         4,712
Malicious            130

Page 17

“SimilarSites Pro”

Page 18

“SimilarSites Pro”

Enough for “watering hole” attacks …

Page 19

Defenses

● Prohibit:
  ● Manipulating configuration pages (e.g., chrome://extensions)
  ● Uninstalling extensions
  ● Removing security-related HTTP headers
  ● Hooking keyboard events

● Require:
  ● Local inclusion of static files instead of dynamic JavaScript inclusions

Page 20

Limitations

● Dynamic analysis incomplete

● Targeted attacks (location, time)

● Multistep/conditional queries of DOM elements in HoneyPages

● Evasions against HoneyPages

Page 21

[Figure: the architecture diagram from Page 3, repeated.]

Page 22

[Figure: the architecture diagram from Page 3, repeated; the Observations, Data and cyber-asset analysis elements are called out.]

Enterprise Visibility: Inferring Asset Aliasing

Page 23

Inferring Asset Aliasing

General problem scope: how can remote vantage points (network monitoring; servers) recognize recurring instances of the same client?

IP addresses do not suffice: mobility, NAT, DHCP

With control over servers: easy. Use cookies or equivalent

Absent server-side control: hard

Challenge: can we comprehensively identify latent trackers manifest anywhere in client traffic?

Idea: mine traces for strings unique to known clients

Page 24

Page 25

Analysis built on 8-byte strings
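The string-mining idea from Page 23 and the 8-byte strings from Page 25, worked through as an added example that is not the project's analysis code: a constructed trace with client labels taken from (hypothetical) DHCP/NAT logs, a miner that keeps only strings recurring for exactly one client, and a voter that re-identifies a client from a later request. The names, request lines and the minimum-connections threshold are assumptions made here.

```javascript
// Added illustration (constructed; not the project's analysis code) of the slide's
// idea: mine a trace for 8-byte strings that recur in one known client's traffic
// and in nobody else's, then use them to recognise that client after its IP changes.
function shingles(line) {               // every 8-byte substring of a request line
  const out = new Set();
  for (let i = 0; i + 8 <= line.length; i++) out.add(line.slice(i, i + 8));
  return out;
}

// trace: [{client, line}], one entry per connection; client labels come from the
// DHCP/NAT logs of the training window.
function mineTrackers(trace, minConns = 2) {
  const seen = new Map();               // string -> Map(client -> connection count)
  for (const { client, line } of trace) {
    for (const s of shingles(line)) {
      if (!seen.has(s)) seen.set(s, new Map());
      seen.get(s).set(client, (seen.get(s).get(client) || 0) + 1);
    }
  }
  const trackers = new Map();           // string -> the one client it identifies
  for (const [s, perClient] of seen) {
    if (perClient.size !== 1) continue; // shared strings such as "GET /pix" never qualify
    const [[client, n]] = perClient;
    if (n >= minConns) trackers.set(s, client);  // nor do one-off strings
  }
  return trackers;
}

// Observation from an address not in the logs: vote by matching tracker strings.
function identify(trackers, line) {
  const votes = new Map();
  for (const s of shingles(line)) {
    const c = trackers.get(s);
    if (c) votes.set(c, (votes.get(c) || 0) + 1);
  }
  let best = null;
  for (const [client, n] of votes) if (!best || n > best.votes) best = { client, votes: n };
  return best;
}

const SAMPLE_TRACE = [                  // constructed; "A"/"B"/"C" known from NAT logs
  { client: "A", line: "GET /pixel/2189/?uuid=AAAA1111BBBB2222 HTTP/1.1" },
  { client: "A", line: "Cookie: _tmid=555111999333" },
  { client: "A", line: "GET /pixel/2189/?uuid=AAAA1111BBBB2222 HTTP/1.1" },
  { client: "B", line: "GET /pixel/2189/?uuid=CCCC3333DDDD4444 HTTP/1.1" },
  { client: "B", line: "Cookie: _tmid=777222888444" },
  { client: "B", line: "Cookie: _tmid=777222888444" },
  { client: "C", line: "GET /once?token=ZZZZ9999 HTTP/1.1" },
];
```

Strings common to several clients (protocol keywords, shared URL paths) drop out because they are seen for more than one client, and strings seen in a single connection drop out under the threshold; what remains is the latent tracker material the slide is after.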

Page 26

Page 27

To date: 16 days of ICSI border traffic

31M connections; 18M outbound

Internal DHCP, NAT logs

300 clients behind NAT

Page 28

Page 29

Interim Results:

Cookie:_tmpi=MjAxNDAxMjY_MzpDQUVTRUtyY2xuSDd5SDVzRS1LaDB4eng2S3c6MzA;_tmid=-3256379668746322853

GET /pixel/2189/?sync=103&che=[cachebuster]&uuid=2492377121373197670 HTTP/1.1

{"id":"356489051444763","type":"IMEI_NUMBER"}

Skype, Dropbox URLs; Symantec User-Agent

Game plan:

- Complete ICSI analysis

- Scale up to LBNL analysis (ext./int.)