Add to collection(s) Add to saved
  1. Social Science
  2. Law
  3. Criminal Justice

Introductions, Project Overview - Cyber-TA

advertisement 
Cyber-TA Kickoff Meeting
Introduction
Project Overview
Challenges
Consortium Members
Today’s Agenda
2005 Summary
Web Portal
slide 1
Cyber-Threat Analytics
Introduction
Phillip Porras - porras@csl.sri.com
Computer Science Laboratory, SRI International
www.cyber-ta.org
28 September 2006
28 September 2006
ARO Kickoff Meeting
Phillip Porras
Cyber-TA: Secure Collaborative Threat Reconnaissance
Cyber-TA Kickoff Meeting
Introduction
Project Overview
Challenges
Consortium Members
Today’s Agenda
2005 Summary
Web Portal
slide 2
Cyber-TA Overview
Collaborative Wide-Area (National-scale) Threat Detection and Mitigation
Problem Space:
• develop efficient "RICH" security content sharing infrastructures
• advance the state of the art on collaborative large-scale detection and mitigation schemes
• new threat dissemination/mitigation schemes to characterize emerging attack patterns actionable results
AND
• Protect the security postures (user privacy, policies, topologies, defenses, vulnerabilities) of
the data contributor
• Minimize (remove) the reliance on trust among contributors and repositories
Research
(Large-scale)
MALWARE Researchers
(Large-scale)
DATA PRIVACY Researchers
Operations
28 September 2006
ARO Kickoff Meeting
Phillip Porras
Cyber-TA: Secure Collaborative Threat Reconnaissance
Cyber-TA Kickoff Meeting
Introduction
Project Overview
Challenges
Consortium Members
Today’s Agenda
2005 Summary
Web Portal
slide 3
Grand Challenges
• How to achieve an IA Common Operating Picture with mutually
suspicious organizations, e.g., IC members, coalition partners, other
law enforcement
• How to construct national-scale realtime correlation / alert forensic
systems that scale to millions of events per day
• How to achieve privacy preserving IA data sharing (protocols,
repositories, registration, analyses) with “minimal-trust”
• How to quantify the impact of our proposed privacy preserving
countermeasures to the adversary workfactor
28 September 2006
ARO Kickoff Meeting
Phillip Porras
Cyber-TA: Secure Collaborative Threat Reconnaissance
Cyber-TA Kickoff Meeting
Introduction
Today’s Agenda
2005 Summary
Consortium Members Web Portal
Project Overview
Challenges
slide 4
2006 Consortium Members
Data Privacy Group
Prof. Vitaly Shmatikov,
Roger Dingledine,
Prof. Joan Feigenbaum,
University of Texas at Austin
Moria Laboratory
Yale University
Encrypted Computation Group
Brent Waters,
Prof. Dan Boneh,
Prof. Amit Sahai,
SRI
Stanford University
University of California at Los Angeles
Active and Passive Malware Analysis and Mitigation
Prof. Paul Barford,
University of Wisconsin
Prof. Karl Levitt,
University of California at Davis
Prof. Wenke Lee,
Georgia-Tech Institute of Technology
Prof. Peng Ning,
North Carolina State University
Prof. Dawn Song,
Carnegie Mellon University
Phil Porras / Al Valdes / Vinod Yagneswaren /
Jian Zhang / Steven Cheung / Linda Briesemeister, SRI
Threat Ops Center and Commercial Transition
Marcus Sachs,
Ray Granvold,
Livio Ricciulli,
Johannes Ulrich
28 September 2006
ARO Kickoff Meeting
Phillip Porras
SRI International
Promia Incorporated
Force-10 Networks Inc.
SANS Institute
Cyber-TA: Secure Collaborative Threat Reconnaissance
Cyber-TA Kickoff Meeting
Introduction
Project Overview
Challenges
Consortium Members
Today’s Agenda
slide 5
2005 Summary
Web Portal
Today’s Agenda
9:00 - 9:40am
Cliff Wang (ARO) / Phil Porras (SRI International)
Opening Remarks, Introductions, Project Overview
9:40 - 10:05am
Apps
Products
Vitaly Shmatikov (University of Texas)
Data and Traffic Privacy
10:05 - 10:30am
Brent Waters (SRI International)
Privacy-Preserving Encryption-data analysis
10:30 - 10:45am
Break
10:45 - 11:10am
Vinod Yegneswaran (SRI International)
Threat
Ops
Center
Cyber-TA
Active monitoring systems
Data
Privacy
Plans for 2006
11:10 - 11:35am
Phil Porras (SRI International)
Massive and distributed data correlation
11:35 - 12:00pm
Wenke Lee (Georgia Tech)
Collaborative mitigation techniques
NOON - 1:00pm
Lunch
1:00 - 1:25pm
Marc Sachs (SRI International)
Threat
Mitigation
Threat
Detection
Threat operations center and demonstration capabilities
1:25 - 1:50pm
Livio Ricciulli (Force-10 Networks)
Ultra-High-Volume Infrastructure protection
1:50 - 2:15pm
Ray Granvold (Promia Inc.)
Experiences in DoD NOC security management
2:15 - 2:30pm
28 September 2006
Closing Remarks
ARO Kickoff Meeting
Phillip Porras
Cyber-TA: Secure Collaborative Threat Reconnaissance
Cyber-TA Kickoff Meeting
Introduction
Project Overview
Challenges
Consortium Members
Today’s Agenda
slide 6
2005 Summary
Web Portal
2005 Prototype Release
Design and field a security log repository and data collection
infrastructure that
– allows mutually suspicious coalition partners to securely
participate in alert sharing communities
– prevents leakage of contributor vulnerabilities and security
posture while reporting detailed security log content
– provides extensive contributor control over anonymity services
• resistant to “insider” repository browsing
• resistant to traffic-based fingerprinting (to a degree!)
• resistant to active data fingerprinting threats
– is scalable data analysis for 1000’s of contributors and in the
presence of anonymized content
Examine collaborative malware defense strategies
28 September 2006
ARO Kickoff Meeting
Phillip Porras
Cyber-TA: Secure Collaborative Threat Reconnaissance
Cyber-TA Kickoff Meeting
Introduction
Project Overview
Challenges
Consortium Members
Today’s Agenda
slide 7
2005 Summary
Web Portal
CTA Infrastructure - Release Notes
1st reference implementation and deployment of a PrivacyPreserving Threat Recon Infrastructure w/ data analysis services
– User-controllable anonymization IDS/Firewall logs, aggregator, TLS over
onion routing daemon, large-scale data repository center, web-based data
portal/query/analysis of anoynmized logs
– Primary objectives of release:
•
•
•
•
Red team data production and adversary models
Provide datasets for web portal and data analysis purposes
Examine network link, including TOR, reliability and bandwidth issues
Rapid-prototype platform to build distributed correlation systems
– Initial release targets: SRI Menlo Campus, Rosslyn Corporate Office, UC
Davis Computer Science Lab, SANS Institute Bethesda, MD
28 September 2006
ARO Kickoff Meeting
Phillip Porras
Cyber-TA: Secure Collaborative Threat Reconnaissance
Cyber-TA Kickoff Meeting
Introduction
Project Overview
Challenges
Consortium Members
Today’s Agenda
slide 8
2005 Summary
Web Portal
CTA System Diagram
Sensor Z
Web Portal Query,
Data Analyzer
INFOSEC Log
CTA_Anonymizer v0.9
XML SPEC
GP ASCII Log Parser
Log Parsing Rules
Field Anonymization
Policy
Aggregation Policy
User meta-data
Plugin policies
Anonymizer Service
1-30-day Summary
Table Generator
Alert Aggregator
Meta-data Extractor
Plugin
MIXNET
Deliver Daemon
www.cyber-ta.org
(cyberta.dshield.org)
Delivery Ack
Delivery Ack
TLS Session
TLS Session
TOR Circuit
TOR Circuit
TCP/IP
28 September 2006
Internet
Cyber-TA RDBMS
Manager
ARO Kickoff Meeting
Encrypted Anonymous Log Delivery Protocol
Phillip Porras
TCP/IP
Cyber-TA: Secure Collaborative Threat Reconnaissance
Cyber-TA Kickoff Meeting
Introduction
Project Overview
Challenges
Consortium Members
Today’s Agenda
slide 9
2005 Summary
Web Portal
Adversary Models – What’s in and out of scope?
IN SCOPE
• Direct Contributor Linkage From Repository
• Network Traffic Analysis Agents
Org N
Active
Fingerprinter
OUT OF SCOPE
Active fingerprinting threats
• PPFIX Dictionary Attacks
• Multi-event pattern analysis
• Rare-rule stimulation
Two-sided traffic analysis
• Traffic-based timing attacks
• Long lived connection statistical analyses
Repository Insider
Org 2
Timing
Attacks
Traffic
Eavesdropper
28 September 2006
ARO Kickoff Meeting
Phillip Porras
Cyber-TA: Secure Collaborative Threat Reconnaissance
Cyber-TA Kickoff Meeting
Introduction
Project Overview
Challenges
Consortium Members
Today’s Agenda
slide 10
2005 Summary
Web Portal
Internet Portal and Analysis
CTA_Repository - Inventory View
– provides a concise summary of entire REP
content
– provides quick assessment of recent REP
dataflow volume/stats/trends (e.g., 1 day, 7
day, 30 day...)
– size of DB, # of Author_IDs (unique
contributors), sensor types, event types, IP/port
trends, data insertion rates, unique addrs
(src/dst), (raw event count vs aggregated count)
http://www.cyber-ta.org
Web portal password –
available upon request
28 September 2006
ARO Kickoff Meeting
Phillip Porras
Cyber-TA: Secure Collaborative Threat Reconnaissance
Cyber-TA Kickoff Meeting
Introduction
Project Overview
Challenges
Consortium Members
Today’s Agenda
slide 11
2005 Summary
Web Portal
Internet Portal and Analysis
Rates/Trends Graphs –
User controlled graph construction: Event_ID,
Signature Category, PPFix SRC, Contributor,
Ports, etc.
Statistical Summaries:
Table-based, capturing EventIDs,
Port-policy, PPFix Addrs
28 September 2006
ARO Kickoff Meeting
Phillip Porras
Cyber-TA: Secure Collaborative Threat Reconnaissance
Cyber-TA Kickoff Meeting
Introduction
Project Overview
Challenges
Consortium Members
Today’s Agenda
2005 Summary
slide 12
Web Portal
Web Portal – Where to get info / access ?
www.cyber-ta.org
• Today’s slides
• General project info
• Publications
• Software releases
• Live Internet monitoring
• Data set / resources
• Project news
• Consortium partner info
• Contributor registration
28 September 2006
ARO Kickoff Meeting
Phillip Porras
Cyber-TA: Secure Collaborative Threat Reconnaissance
Related documents
How can we launch project successfully?
How can we launch project successfully?
Power Point Presentation
Power Point Presentation
OrganizationParticipantInvite
OrganizationParticipantInvite
Kickoff Meeting Presentation
Kickoff Meeting Presentation
ex_buisness_expansion
ex_buisness_expansion
FAQ Summary - Erik Jonsson School of Engineering and Computer
FAQ Summary - Erik Jonsson School of Engineering and Computer
Stress Management - Dr. Fayose
Stress Management - Dr. Fayose
Kickoff Meeting Agenda Guide
Kickoff Meeting Agenda Guide
Download
advertisement