Dr. Jesús Luna ConFab IV Towards Cloud-based Intelligence Services: an IP Reputation system to detect financial drones Confab IV, July-2010


Dr. Jesús Luna

ConFab IV

Towards Cloud-based Intelligence Services: an IP Reputation system to detect financial drones

Confab IV, July-2010


Agenda

• Motivation.
• The Intelligence Cloud in a Glimpse.
• Blacklist-based IP Reputation Service.
• Quality of an IP Blacklist.
• Example.
• Implementation.
• Conclusions and Future Works.


Motivation

• Data (and Intelligence!) sharing is a must to mitigate financial cybercrime.

• Unfortunately, useful data is dispersed (IP blacklists), unformatted (whois responses) or hard to find (ccTLD registrars).

• The Cloud looks like a promising enabler, but ironically the bad guys are adopting it more easily than we are! (See DarkClouds.)

• Is the Cloud useful to deploy Intelligence Services in order to fight financial cybercrime?


The Intelligence Cloud in a glimpse

• Being developed as part of a joint project (anti-phishing/botnets) with one of the biggest savings banks in Spain (+10M online banking users).

[Architecture diagram: the Private Cloud hosts the Whois/ccTLD, Site Availability and IP Reputation services; the CSIRT and the Antifraud system on the bank premises consume them.]


The Blacklist-based IP Reputation Service

• Traditional detection mechanisms (i.e. behavioral traffic analysis) are not effective against financial botnets, mainly due to their stealthy nature.

• Most financial institutions use a posteriori approaches, i.e. behavior analysis of transaction logs.

• Clear need for real-time detection mechanisms.
• Proposed approach:

Quality of an IP Blacklist

• Hypothesis: An aggregated set of IP blacklists might be used to compute the reputation (botnet membership) of incoming connections.

• We have contributed a novel framework that computes a quantitative score, or reputation, for a particular IP blacklist.

• Applied the framework to a set of 5 different IP blacklists, comparing them against 2 sets of known Zeus-infected IPs (approx. 35,000 records among drones and C&C).

• The experiment ran uninterruptedly during February 2010, retrieving the blacklists on an hourly basis (approx. 110 GB of data, equivalent to 537,000,000 IPs).

Example

• Taking into account only the Completeness parameter, if a particular IP hits lists A, B and D then its reputation is:

1 × 6.39 + 1 × 61.95 + 1 × 26.05 = 94.39 out of 104.18
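The scoring rule on this slide, as an added example (not code from the talk or its project): each blacklist carries a completeness weight, an incoming IP's reputation is the sum of the weights of the lists it hits, and the maximum is the sum of all weights. The weights for A, B and D are the slide's values; the weights for C and E, the blacklist entries (RFC 5737 documentation ranges) and the CIDR-aware matching are assumptions constructed here so that the total equals the slide's 104.18.

```python
from ipaddress import ip_address, ip_network

# Completeness weight per blacklist. A, B and D come from the slide;
# C and E are constructed so that the five lists sum to 104.18.
COMPLETENESS = {"A": 6.39, "B": 61.95, "C": 4.10, "D": 26.05, "E": 5.69}

# Constructed sample feed contents (RFC 5737 documentation ranges).
# Real feeds mix single addresses and CIDR blocks, so both are supported.
BLACKLISTS = {
    "A": ["192.0.2.10", "198.51.100.0/24"],
    "B": ["192.0.2.10", "203.0.113.0/25"],
    "C": ["203.0.113.200"],
    "D": ["192.0.2.0/28"],
    "E": ["198.51.100.7"],
}


def compile_blacklists(raw):
    """Parse every feed entry once into an ip_network (a /32 for single hosts)."""
    return {
        name: [ip_network(entry, strict=False) for entry in entries]
        for name, entries in raw.items()
    }


def hits(ip, compiled):
    """Sorted names of the blacklists that contain ip (exact or CIDR match)."""
    addr = ip_address(ip)
    return sorted(
        name for name, nets in compiled.items() if any(addr in net for net in nets)
    )


def reputation(ip, compiled, weights=COMPLETENESS):
    """Weighted hit count as on the slide.

    Returns (score, max_score, hit_names, normalized). Score and maximum are
    rounded to two decimals like the slide; the normalized ratio is an added
    convenience for choosing a detection threshold.
    """
    names = hits(ip, compiled)
    score = round(sum(weights[n] for n in names), 2)
    total = round(sum(weights.values()), 2)
    return score, total, names, round(score / total, 4)


if __name__ == "__main__":
    compiled = compile_blacklists(BLACKLISTS)
    for probe in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.99"):
        print(probe, reputation(probe, compiled))
```

With these constructed feeds, 192.0.2.10 is listed in A and B and falls inside D's /28, so it reproduces the slide's 94.39 out of 104.18; an address on no list scores 0.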

Implementation

Each node stores up to 4 million IPs in RAM
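One way a node can hold millions of blacklisted IPv4 addresses in RAM, as an added example (not the talk's implementation): store each address as an unsigned 32-bit integer in a sorted array, which costs about 4 bytes per entry (roughly 16 MB for the 4 million IPs per node mentioned above) and answers lookups by binary search. The feed lines and the comment syntax are constructed assumptions.

```python
from array import array
from bisect import bisect_left
from ipaddress import IPv4Address


class CompactIPSet:
    """Read-only membership structure for one node's blacklist snapshot.

    Every IPv4 address is kept as a 32-bit unsigned integer in a sorted
    array.array, so the footprint is itemsize (4 bytes on common platforms)
    per address instead of the hundreds of bytes a str inside a Python set
    would cost. An hourly refresh builds a new instance and swaps it in.
    """

    def __init__(self, ips):
        # Deduplicate, convert to integers, sort once for binary search.
        self._ints = array("I", sorted({int(IPv4Address(ip)) for ip in ips}))

    @classmethod
    def from_feed(cls, lines):
        """Build from raw feed lines, ignoring blanks and '#' comments (assumed format)."""
        ips = []
        for line in lines:
            entry = line.split("#", 1)[0].strip()
            if entry:
                ips.append(entry)
        return cls(ips)

    def __contains__(self, ip):
        key = int(IPv4Address(ip))
        i = bisect_left(self._ints, key)
        return i < len(self._ints) and self._ints[i] == key

    def __len__(self):
        return len(self._ints)

    def nbytes(self):
        """Memory used by the address array itself."""
        return self._ints.itemsize * len(self._ints)


def estimate_node_bytes(n_ips, itemsize=4):
    """Rough footprint of n_ips addresses at itemsize bytes each."""
    return n_ips * itemsize


# Constructed sample feed (RFC 5737 documentation ranges).
SAMPLE_FEED = [
    "# constructed blacklist snapshot",
    "192.0.2.1",
    "192.0.2.10   # duplicate below on purpose",
    "192.0.2.10",
    "198.51.100.7",
    "",
]

if __name__ == "__main__":
    snapshot = CompactIPSet.from_feed(SAMPLE_FEED)
    print(len(snapshot), "addresses,", snapshot.nbytes(), "bytes")
    print("192.0.2.10" in snapshot, "192.0.2.11" in snapshot)
    print("4M IPs ~", estimate_node_bytes(4_000_000) / 1e6, "MB")
```

Because the array is immutable once built, a refresh is a single reference swap, so lookups never observe a half-updated list.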

Private Cloud deployment or ?

Conclusions and Future Works

• Cloud-based Intelligence services might trigger data sharing to fight financial cybercrime.

• Data mashups are a useful technique for these Cloud services (have you seen Maltego(TM)?).

• IP reputation metrics are being further investigated.
• Ongoing collaborations with interested parties, i.e. APWG and some well-known blacklist providers.
• Would like to approach projects like CoMiFin.
• Begin deployments in public/hybrid Clouds (under evaluation).

Dr. Jesús Luna
Senior [email protected]

Gràcies / Gracias

Thank you