Attack Attribution Techniques - PowerPoint PPT Presentation

1
Attack Attribution Techniques for Hybrid,
Cooperative and Non-Cooperative Infrastructure
Information Assurance For The US Intelligence
Community, Nashville, TN, November 18-20, 2003
K. Narayanaswamy, Donald Cohen
www.cs3-inc.com
2
Attack Attribution Problem
  • Level 1: Identification of attacking machines
  • Level 2: Identification of controlling machines
  • Level 3: Identification of humans behind the attack
  • Level 4: Identification of the sponsor organization
  • Scope of this Research Project
    • Focus only on Levels 1, 2, and 3

3
Scoping the Problem
  • What are the networks of interest?
    • Internet or IC network -- very different
      properties in terms of cooperation and possibly
      heterogeneity
  • What are the attacks of interest?
    • Customer guidance: Confidentiality and Integrity
      are more important than Availability
    • Level 3 attribution is of the greatest interest
    • Levels 1 & 2 are of value only if they help
      Level 3
  • The attribution problem varies with attack type
    • Levels 1 & 2 could be necessary for Level 3 for
      certain attack types

4
Project Research Objectives
  • Taxonomize attribution methods and attacks
    • What kinds of data and cooperative capabilities
      are required?
    • Understand the data/reasoning necessary for
      attribution
  • Level 1 and Level 2 Attribution
    • Automated/semi-automated techniques that work
      with hybrid cooperative and non-cooperative
      infrastructure
    • Ability to combine information from multiple
      sources
  • Level 3 Attribution based on a behavioral model
    • Basis to construct partial profiles of attackers'
      characteristics
    • Ability to integrate data from different kinds of
      analysis
  • Build a useful, usable system: the Attack
    Attribution Toolkit for the IC (AATIC)

5
Guiding Principles for Research
  • Capable of handling flood and non-flood attacks
    • Level 1 attribution must work from a single
      packet
    • Level 1 techniques can also be reused at Level 2
  • Techniques must work in a real network
    • Non-cooperative or even hostile infrastructure
    • Heterogeneity, distribution, communication delays
    • Ability to combine partial data from different
      sources
  • Level 2/3 attribution requires data gathered prior
    to the attack
    • Monitoring in anticipation of attacks is necessary
  • Do not re-invent the wheel
    • Cs3 provides some key technologies: data fusion,
      Level 1 attribution
    • Several non-Cs3 techniques are available for all
      Levels
    • Integrate 3rd party tools to broaden coverage

6
Research Innovations
  • Level 1 Attribution Approach
    • Study the impact of different degrees of
      cooperation and heterogeneity
    • Combining partial evidence from multiple methods
  • Level 2 Attribution Approach
    • Monitor and gather data in anticipation of
      attacks
    • Identify control packets by looking for
      recognized patterns/signatures of one machine
      controlling another
    • Re-apply Level 1 techniques to the controlling
      packets
  • Framework for Level 3 Attribution
    • Behavior model that partially characterizes the
      attacker
  • Open architecture for incorporation of 3rd party
    tools

7
Critical Technologies for Project
8
Sensor Technology Requirements
  • Passive extraction of content from traffic
    • Operating system, server/service, user id,
      password, timing information, DNS surveillance
    • General purpose parsing capabilities
  • Logging and analysis at desired levels of detail
  • Fully programmable packet observation/analysis
    • Control of what to collect, when, and from where
    • Ability to program responses to sensed situations
  • As noiseless and unobtrusive as technically
    possible

9
Data Fusion with TriggerWare
Aspects of TriggerWare Architecture
10
Features of TriggerWare
  • Relational abstraction with advanced triggering
    and constraint enforcement capabilities
  • Uses events as a way to integrate multiple tools
    • Powerful predicate calculus language (FLEA) to
      define events
    • Operators to define event combinations provided
    • Changes to data can be considered events too
    • Possible to define new events dynamically
  • Supports different APIs for event definition and
    notification (e.g., sockets and log files)
  • Convenient platform for data fusion where the
    criteria change on the fly

11
Determining Packet Source Addresses
  • Major problem: packet source addresses cannot be
    trusted
    • Ingress filtering at network borders can help
  • Ways to evaluate how different techniques
    perform
    • Does it work with a single packet?
    • Does it work without advance notice of what to
      look for?
    • Does it work with existing routers?
    • Does it work without additional communication?
    • What are the additional constraints, if any?
  • Broad classification of techniques
    • Packet marking techniques, including
      deterministic marking, probabilistic marking, and
      several variations of these (including Cs3's PEIP,
      a deterministic technique)
    • Remote sensors that monitor and communicate source
      data
    • Packet filtering based on routing data to
      determine sources, such as route-based filtering

12
Current Level 1 Attribution Approach
  • TASK: Given a single attack packet, deduce its
    possible true source address
    • For the IC, we need attribution from a single
      packet
    • Techniques that work for floods only may not be
      as valuable
  • Use existing and new packet sourcing techniques
    • Use packet marking, remote sensors, and packet
      filtering techniques as available in the various
      cases
  • Combining data from different methods
    • Most methods find links over which packets are
      forwarded, and such links are easy to combine
    • Translation from forwarding links to sources is
      closely related to route-based filtering
  • Handle factors related to cooperation
    • Where is cooperation available (near the victim or
      near the attacker)?
    • Communication via non-cooperative infrastructure
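
The following Python is an added worked example for the two preceding slides; it is not code from the Cs3 deck, and PEIP's real path encoding is not reproduced. The topology, end hosts and sensor reports are constructed. It shows why deterministic marking satisfies the single-packet requirement while probabilistic (node-sampling) marking needs a flood, how a remote sensor's partial observation and a mark both reduce to forwarding links and so fuse by set union, and how those links are translated into candidate true sources in the route-based-filtering manner, which also exposes a spoofed source field:

```python
"""Level 1 attribution toy model: fuse forwarding-link evidence from several
methods, then translate links into candidate true sources (route-based
filtering). Topology, hosts and sensor reports are constructed for the example."""
import random

# Constructed tree topology as seen from the victim: router -> next hop toward VICTIM
NEXT_HOP = {"R1": "R3", "R2": "R3", "R3": "R5", "R4": "R5", "R5": "VICTIM"}
# Constructed end hosts and their first-hop routers
FIRST_HOP = {"A": "R1", "B": "R2", "C": "R4", "D": "R4"}


def forwarding_links(host):
    """Ordered (upstream, downstream) links a packet from `host` traverses."""
    node = FIRST_HOP[host]
    links = [(host, node)]
    while node != "VICTIM":
        links.append((node, NEXT_HOP[node]))
        node = NEXT_HOP[node]
    return links


def deterministic_mark(host):
    """Deterministic marking (PEIP-like in spirit, encoding simplified): every
    router appends its id, so ONE packet carries the whole forwarding path."""
    return [down for _, down in forwarding_links(host) if down != "VICTIM"]


def probabilistic_mark(host, p, rng):
    """Node sampling: each router overwrites the single mark field with
    probability p. One packet names at most one router, so only a flood can
    recover the path; this is why it is weak for single-packet attribution."""
    mark = None
    for router in deterministic_mark(host):
        if rng.random() < p:
            mark = router
    return mark


def flood_evidence(host, p, n_packets, seed=0):
    """Collect probabilistic marks over a flood and return the links they prove."""
    rng = random.Random(seed)
    seen = {m for m in (probabilistic_mark(host, p, rng) for _ in range(n_packets)) if m}
    return {(r, NEXT_HOP[r]) for r in seen}


def links_from_path(routers):
    """Links proved by a (possibly partial) router path that ends at the victim."""
    return set(zip(routers, routers[1:] + ["VICTIM"]))


def candidate_sources(evidence_links, claimed_src=None):
    """Route-based filtering: a host is a candidate true source only if every
    observed link lies on its forwarding path. If the packet's claimed source
    is not a candidate, the source field was spoofed."""
    cands = {h for h in FIRST_HOP if evidence_links <= set(forwarding_links(h))}
    spoofed = claimed_src is not None and claimed_src not in cands
    return cands, spoofed


def attribute(claimed_src, marks=None, sensor_links=()):
    """Fuse partial evidence: marks and remote-sensor reports ('sensor at R3 saw
    the packet arrive from R1') all reduce to forwarding links, so they combine
    by set union before the route-based translation to sources."""
    links = set(sensor_links)
    if marks:
        links |= links_from_path(list(marks))
    return candidate_sources(links, claimed_src)


if __name__ == "__main__":
    # Host A sends one packet whose source field claims to be C.
    print(attribute("C", marks=deterministic_mark("A")))              # ({'A'}, True)
    print(attribute("C", marks=["R5"]))                               # every host, cannot tell
    print(attribute("C", marks=["R5"], sensor_links=[("R1", "R3")]))  # ({'A'}, True)
    print(candidate_sources(flood_evidence("A", 0.5, 200)))           # ({'A'}, False)
```

The second call is the caveat a practitioner should keep in mind: a lone probabilistically marked packet narrows nothing, and only the remote sensor's report (third call) or a flood (fourth call) closes the gap. In a real deployment the hard part is the "cooperation" axis of the slide: `NEXT_HOP` is only known for the routers that cooperate, and `FIRST_HOP` is at best a prefix-to-ingress mapping.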

13
Current Level 2 Attribution Approach
  • TASK: Given the attack packet(s) and the sources
    from Level 1, find and deduce evidence of
    computers that transitively control the attacking
    computers
  • Since control happens prior to the attack, this
    requires that sensors gather data in advance
    • Who is communicating with whom? How much?
    • Who could be communicating with whom through
      non-obvious data paths? How much?
  • Signature analysis to recognize known patterns of
    either controlling or gaining control of machines
  • Data fusion as necessary to understand the nature
    of the attack based on data from multiple sources
  • Apply Level 1 techniques to the control packets
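
As an added example of the Level 2 lookback (not the deck's code), the Python below works over flow records that a sensor must already have been recording before the attack started. The flow records and the control-channel port signatures are constructed; real signatures would be the patterns of specific handler/agent tools. It answers "who talked to whom, how much?" over the pre-attack window, applies a shared-upstream heuristic (a host that contacted every attacking machine beforehand), and walks signature-matched control edges upstream level by level to find transitive controllers:

```python
"""Level 2 lookback: given attacking machines from Level 1 and flow records
gathered BEFORE the attack, find machines that (transitively) controlled them.
Flow records and control-port signatures are constructed for the example."""
from collections import defaultdict

# Constructed flow records: (time, src, dst, dst_port, bytes). Everything before
# t=400 is a pre-attack observation that only exists because a sensor was
# already collecting in anticipation of attacks.
FLOWS = [
    (100, "10.9.9.9", "10.1.1.5", 6667, 2400),    # master -> handler (IRC-like channel)
    (150, "10.1.1.5", "10.2.2.7", 31337, 900),     # handler -> agent (backdoor port)
    (160, "10.1.1.5", "10.2.2.8", 31337, 900),
    (170, "10.3.3.3", "10.2.2.7", 80, 50_000),     # ordinary web traffic, not control
    (400, "10.2.2.7", "VICTIM", 80, 1_000_000),    # the attack itself
    (410, "10.2.2.8", "VICTIM", 80, 1_000_000),
]
# Illustrative signatures of known control channels (dst port -> label)
CONTROL_SIGNATURES = {31337: "backdoor", 6667: "irc-c2"}


def talkers(flows, before):
    """'Who is communicating with whom, and how much?' before time `before`:
    (src, dst) -> total bytes."""
    total = defaultdict(int)
    for t, src, dst, _, nbytes in flows:
        if t < before:
            total[(src, dst)] += nbytes
    return dict(total)


def common_contacts(attackers, flows, before):
    """Hosts that talked to EVERY attacking machine pre-attack: controller
    candidates even when no signature matches (shared-upstream heuristic)."""
    contacts = {a: {src for (src, dst) in talkers(flows, before) if dst == a}
                for a in attackers}
    return set.intersection(*contacts.values()) if contacts else set()


def control_edges(flows, before):
    """Signature analysis: dst -> {(src, label)} for pre-attack flows that
    match a known control-channel pattern."""
    edges = defaultdict(set)
    for t, src, dst, dport, _ in flows:
        if t < before and dport in CONTROL_SIGNATURES:
            edges[dst].add((src, CONTROL_SIGNATURES[dport]))
    return edges


def controllers(attackers, flows, attack_time, max_depth=5):
    """Walk control edges upstream, level by level: depth 1 controls the
    attackers directly, depth 2 controls the depth-1 machines, and so on.
    Returns {depth: {(controller, controlled, label)}}; cycles are cut by `seen`."""
    edges = control_edges(flows, attack_time)
    chain, frontier, seen = {}, set(attackers), set(attackers)
    for depth in range(1, max_depth + 1):
        found = {(src, dst, label) for dst in frontier for (src, label) in edges.get(dst, ())}
        if not found:
            break
        chain[depth] = found
        new_hosts = {src for src, _, _ in found} - seen
        seen |= new_hosts
        frontier = new_hosts
    return chain


if __name__ == "__main__":
    attackers = {"10.2.2.7", "10.2.2.8"}
    print(common_contacts(attackers, FLOWS, 400))   # {'10.1.1.5'}
    for depth, edges in controllers(attackers, FLOWS, 400).items():
        print(depth, sorted(edges))
```

Each `(controller, controlled)` edge this returns is itself a set of packets the slide's last bullet says to push back through Level 1: the controller address in a flow record is only as trustworthy as the sensor's view of it, and the window must have been recording before `attack_time` or the chain is simply empty.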

14
Level 3 Attribution Challenges
  • TASK: Identify human characteristics of the
    attackers using all the available data
  • Very different measurables at different points of
    the network (near the victim or nearer the
    attacker)
    • More data is likely to be available at/near the
      victim
    • Data near the attacker could be of more
      importance to the task of Level 3 attribution!
  • Inherent complexities of Level 3 Attribution
    • Major questions of feasibility, efficiency,
      coverage
    • Patchwork of data sources and techniques,
      including
      • Biometrics data (e.g., typing speed)
      • Language/style of expression in chat, email
    • Encryption makes content hard to deduce

15
Current Level 3 Attribution Approach
  • Build a behavioral model of the attackers' human
    characteristics
    • The model will build up a composite picture of the
      attacker using equivalence classes of known or
      deduced attributes
    • Level 1/2 attribution data could prove useful for
      Level 3 by narrowing the possibilities or guiding
      which data to monitor
  • Sources of data for the behavioral model
    • Biometrics data such as keystroke timing, email
      analysis, search engine data, analysis of
      traffic
    • Cs3-generated data will be integrated with 3rd
      party tools
    • Programmable sensor technology will gather
      additional data as needed dynamically
  • Dynamic correlation and analysis done using the
    FLEA specification language through TriggerWare
  • A human is assumed to be in the loop for Level 3
    attribution
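
One of the data sources named above, keystroke timing, as an added example of how a single attribute feeds the "equivalence class" idea; this is illustrative code, not the deck's behavioral model. The keystroke sessions are constructed, and the distance measure (mean absolute difference of per-digraph latencies) is a deliberately simple one. The result is not an identity but the set of known profiles the unknown session is consistent with, which other attributes then narrow further:

```python
"""Keystroke digraph latencies as one partial Level 3 attribute. Sessions are
constructed; the tolerance and distance measure are illustrative choices."""
from collections import defaultdict
from statistics import mean

# Constructed sessions: list of (key, press_time_ms), from an interactive sensor
SESSIONS = {
    "known_1": [("t", 0), ("h", 90), ("e", 170), (" ", 260), ("t", 350), ("h", 440), ("e", 520)],
    "known_2": [("t", 0), ("h", 160), ("e", 300), (" ", 420), ("t", 560), ("h", 720), ("e", 860)],
}
UNKNOWN = [("t", 0), ("h", 95), ("e", 180), (" ", 270), ("t", 355), ("h", 445), ("e", 525)]


def digraph_profile(session):
    """Mean latency between consecutive keys, per digraph (e.g. 'th')."""
    lat = defaultdict(list)
    for (k1, t1), (k2, t2) in zip(session, session[1:]):
        lat[k1 + k2].append(t2 - t1)
    return {d: mean(v) for d, v in lat.items()}


def distance(p, q):
    """Mean absolute latency difference over shared digraphs; None if none are
    shared, so an empty overlap is never mistaken for a perfect match."""
    shared = set(p) & set(q)
    if not shared:
        return None
    return mean(abs(p[d] - q[d]) for d in shared)


def equivalence_class(unknown, known, tolerance_ms):
    """Known identities whose profile lies within tolerance of the unknown
    session: the set the attacker could belong to, given this attribute alone."""
    u = digraph_profile(unknown)
    out = set()
    for name, sess in known.items():
        d = distance(u, digraph_profile(sess))
        if d is not None and d <= tolerance_ms:
            out.add(name)
    return out


if __name__ == "__main__":
    print(equivalence_class(UNKNOWN, SESSIONS, tolerance_ms=20))    # {'known_1'}
    print(equivalence_class(UNKNOWN, SESSIONS, tolerance_ms=100))   # both
```

The tolerance is the practical knob: too tight and the true attacker drops out of the class, too loose and the class is everybody, which is exactly the coverage/feasibility question the previous slide raises. Note that per-key timestamps like these require a sensor that sees the interactive session's keystrokes, and the encryption caveat on the previous slide applies to anything beyond packet timing.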

16
Project Plan -- 18 Months
  • Analysis of Existing Attribution Techniques:
    Months 1-4
  • Level 1 Attribution Techniques Devised: Months 1-6
  • Level 2 Attribution Techniques Devised: Months 3-9
  • Level 3 Attribution Techniques Devised: Months 4-12
  • Prototype AATIC Implemented: Months 1-16
  • Demonstration in IC Scenario: Months 12-16

17
Project Team
  • Cs3 Inc.
    • Prime Contractor
    • Prior R&D experience with DARPA and NSF
    • SBIR company that has successfully transitioned
      R&D into products
    • TriggerWare technology for dynamic event
      correlation and data fusion
    • Path-Enhanced IP (PEIP) deterministic packet
      marking technique
  • Security Posture
    • Experience in working with computer
      crimes/forensics
    • Expertise particularly in Level 3 attribution
      techniques

18
Current Status
  • Study of Level 1, 2, and 3 attribution
    techniques
    • Hundreds of papers gathered and being evaluated
    • What kinds of cooperation do the techniques
      require?
    • Understand the ideas, the tools, and how usable
      they are
  • Sensor/TriggerWare integration elucidated
    • Using the Network Intelligence Tool (NIT) as a
      sample sensor
    • TriggerWare uses NIT to gather low-level events
    • TriggerWare draws conclusions from these events
      and triggers appropriate activations of new NIT
      scripts
    • Integration demonstrated on a port scanning
      example
  • Designing experiments for baseline data
    • University of Nebraska, Omaha's NSA Center for
      Excellence
    • Understand the basis for a behavioral model of
      human attackers
    • Foundation to test prototypes in a lab environment
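
The sensor-to-correlator loop described on this slide and on the TriggerWare features slide (low-level events in, a composite event defined over them, a triggered response that activates deeper collection), as an added example. This is a generic event correlator written for this page; it is not TriggerWare, FLEA or NIT code, and the event stream is constructed. The composite event is the port-scan case the slide mentions: one source probing at least `threshold` distinct (host, port) targets within a sliding `window`:

```python
"""Generic event correlation: sensor events -> composite 'scan' event ->
triggered activation of a deeper sensor script. Illustrative only; the
event stream is constructed and the thresholds are arbitrary."""
from collections import defaultdict, deque

# Constructed low-level events from a sensor: (time_s, src, dst, dst_port)
EVENTS = [
    (0.0, "10.5.5.5", "10.0.0.10", 22), (0.2, "10.5.5.5", "10.0.0.10", 23),
    (0.4, "10.5.5.5", "10.0.0.10", 25), (0.6, "10.5.5.5", "10.0.0.10", 80),
    (0.8, "10.5.5.5", "10.0.0.10", 443), (1.0, "10.5.5.5", "10.0.0.10", 8080),
    (3.0, "10.6.6.6", "10.0.0.10", 80), (60.0, "10.6.6.6", "10.0.0.10", 443),
    (90.0, "10.5.5.5", "10.0.0.11", 22),
]


class Correlator:
    """Composite event scan(src): one source touches at least `threshold`
    distinct (dst, port) targets within `window` seconds."""

    def __init__(self, window=5.0, threshold=5):
        self.window, self.threshold = window, threshold
        self.recent = defaultdict(deque)   # src -> deque of (t, (dst, port))
        self.activations = []              # (t, src, script) responses fired
        self.flagged = set()               # fire once per source

    def on_event(self, t, src, dst, port):
        q = self.recent[src]
        q.append((t, (dst, port)))
        while q and q[0][0] < t - self.window:   # slide the window forward
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= self.threshold and src not in self.flagged:
            self.flagged.add(src)
            self.activate(t, src)

    def activate(self, t, src):
        """Response to the sensed situation: push a deeper-collection script
        for this source, the analogue of activating a new sensor script.
        The script name is a placeholder for the example."""
        self.activations.append((t, src, f"full_capture host {src}"))


def run(events, **kw):
    """Feed a stream of sensor events through a fresh correlator; returns the
    activations it triggered, in order."""
    c = Correlator(**kw)
    for ev in events:
        c.on_event(*ev)
    return c.activations


if __name__ == "__main__":
    print(run(EVENTS))   # [(0.8, '10.5.5.5', 'full_capture host 10.5.5.5')]
```

The design point is that detection and collection are one loop: the composite event is defined over what the sensor already reports, and its firing changes what the sensor collects next, which is the "control of what to collect, when, and from where" requirement on the sensor slide.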

19
Project Milestones
  • Reports on Level 1, 2, 3 Attack Attribution (Q2)
    • Including issues of hybrid cooperative
      capabilities, presence of non-cooperative
      infrastructure, etc.
  • Techniques for Level 1 (Q3)
    • Combining a variety of packet source
      determination techniques
  • Techniques for Level 2 (Q3/4)
    • Level 2 will build on Level 1, with additional
      signature analysis and data fusion as required
  • Behavioral Model for Level 3 Attribution (Q3/4)
    • Partial characterization of human attributes of
      the attacker based upon various sources of data
  • Attack Attribution Toolkit (AATIC) (Q4/6)
    • Prototype system using Cs3 and non-Cs3
      technologies

20
Technology Transfer
  • University/research relationships
    • Team will submit papers to refereed
      conferences/journals
    • University of Nebraska, Omaha, NSA Center of
      Excellence
  • Facilitate real usage within the IC
    • In Q3 we will identify and refine a realistic IC
      scenario
    • Need assistance/guidance to identify useful
      scenarios
    • Prototype AATIC will be usable by the IC
  • Transfer to other arms of the Government
    • Use in DoD, law enforcement, civilian agencies
      and government infrastructure in general
    • Team members have penetration within these
      communities
  • Commercial technology transfer
    • Create a version of AATIC suitable for companies
    • Integration into IDS and other products

21
Attack Attribution for Hybrid Cooperative and
Non-Cooperative Infrastructure
Don Cohen, K. Narayanaswamy
Goals
  • Level 1 attribution from a single packet
  • Attribution techniques for real networks
    • Handle heterogeneity, patchy availability of
      cooperation
    • Combining information from different places,
      communication over non-cooperative infrastructure
  • Ability to dynamically change behavior -- new
    sensors/actuators, criteria, analysis, etc.
  • Build a prototype that embodies the above ideas

Novel Ideas
  • Level 1 Attribution Approach
    • Combining partial evidence from multiple methods,
      handling non-cooperation and heterogeneity
  • Level 2 Attribution Approach
    • Builds on Level 1 by applying signature analysis
      to communication data gathered in advance of
      attacks to identify control packets
  • Framework for Level 3 Attribution based upon a
    behavior model that partially characterizes human
    attributes of the attacker(s)
  • Prototype with open architecture to integrate 3rd
    party tools that analyze different aspects

Milestones
  • Reports on Level 1, 2, 3 Attack Attribution
    (with emphasis on cooperation/non-cooperation):
    scheduled for Q2
  • Techniques for Level 1 Attack Attribution:
    scheduled for Q3
  • Techniques for Level 2 Attack Attribution:
    scheduled for Q3/4
  • Behavioral Model for Level 3 Attribution:
    scheduled for Q3/4
  • Attack Attribution Toolkit (AATIC): scheduled for
    Q4/6