Title: CIPHER Counterintelligence Penetration Hazard Evaluation and Recognition

Slide 1: CIPHER: Counterintelligence Penetration Hazard Evaluation and Recognition
- Thomas E. Potok, Ph.D.
- Applied Software Engineering Research Group Leader, Computational Sciences and Engineering Division
- Oak Ridge National Laboratory
- Research Team: Mark Elmore, Joel Reed, Jim Treadwell
Slide 2: Oak Ridge National Laboratory
- Established in 1943 for the World War II Manhattan Project.
- ORNL today pioneers the development of new energy sources, technologies, and materials
- The advancement of knowledge in
  - Biological, Chemical,
  - Computational, Engineering,
  - Environmental, Physical, and Social Sciences.
- Budget $870 million: 80% Department of Energy, 20% work for others.
- 3800 employees, 1500 scientists and engineers
Slide 3: Background
- SNORT network intrusion detection software is placed outside of the ORNL firewall
- Packets entering or leaving ORNL that contain information that trips a SNORT rule result in a log entry being created
- Roughly 1 million log entries are created per day
Slide 4: Four Actual SNORT Records

  ftp-000172 IDS152 - PING BSD
  07/20-00:05:02.815218 090699DB03E -> 036C4253FC type:0x800 len:0x62
  213.61.6.2 -> 128.219.153.31 ICMP TTL:46 TOS:0x0 ID:19485
  ID:8831 Seq:9639 ECHO

  misc-000264 IDS247 - MISC - Large UDP Packet
  07/20-00:05:02.822267 090699DB03E -> 036C4253FC type:0x800 len:0x4F8
  63.76.192.107:23882 -> 160.91.64.211:6970 UDP TTL:119 TOS:0x0 ID:41256
  Len: 1238

  ftp-000172 IDS152 - PING BSD
  07/20-00:05:02.832993 090699DB03E -> 036C4253FC type:0x800 len:0x62
  212.62.17.145 -> 128.219.153.31 ICMP TTL:50 TOS:0x0 ID:2867
  ID:18484 Seq:12610 ECHO

  ftp-000172 IDS152 - PING BSD
  07/20-00:05:02.865830 090699DB03E -> 036C4253FC type:0x800 len:0x62
  211.13.227.66 -> 128.219.153.31 ICMP TTL:54 TOS:0x0 ID:50798
  ID:7904 Seq:22732 ECHO
Slide 5: Step 1: Create Software to Process the Raw Data

From raw log entry:
  misc-000264 IDS247 - MISC - Large UDP Packet
  07/20-00:05:03.171193 090699DB03E -> 036C4253FC type:0x800 len:0x527
  63.76.192.107:23882 -> 160.91.64.211:6970 UDP TTL:119 TOS:0x0 ID:60713
  Len: 1285

To parsed log entry:
  Filter: misc-000264 IDS247 - MISC - Large UDP Packet
  Date: 07/20
  TOD: 00:05:03.171193
  Source IP: 63.76.192.107
  Source Port: 23882
  Target IP: 160.91.64.211
  Target Port: 6970
  Length: 1285
Slide 6: Step 2: Create Software to Organize the Information by Source IP
- Source IP 192.112.36.5 attacked the following ORNL IPs:
  07/20 00:01  160.91.77.79    66  misc-000224 IDS118 - MISC-Traceroute ICMP
  07/20 00:01  160.91.77.79    66  misc-000224 IDS118 - MISC-Traceroute ICMP
  07/20 00:36  160.91.192.107  66  misc-000224 IDS118 - MISC-Traceroute ICMP
  07/20 00:36  160.91.192.107  66  misc-000224 IDS118 - MISC-Traceroute ICMP
Slide 7: Step 3: Create Software to Relate Lab Assets to IP Addresses

Parsed log entry:
  Filter: misc-000264 IDS247 - MISC - Large UDP Packet
  Date: 07/20
  TOD: 00:05:03.171193
  Source IP: 63.76.192.107
  User: John Doe
  Research Area: Nuclear Physics
  Source Port: 23882
  Target IP: 160.91.64.211
  Target Name: smith.aol.com
  Target Port: 6970
  Length: 1285

Lookups that supply the added fields (numbered as on the slide):
  1. DNS Database: 63.76.192.107 -> John Doe, BN 123456
  2. NetReg Database: 63.76.192.107 -> John Doe, BN 123456
  3. CME Database: Johnathon Doe, BN 123456 -> Nuclear Physics
Slide 8: Finding Lab Assets Is Not Easy
- Based on our Collaborative Management Environment (CME) Project
- One common picture of Laboratory Research Funding for DOE
- Funded at $2.4M over 4 years
- Dr. Ernest Moniz, Under Secretary of Energy, approves CME-based Portfolio Management Environment (PME)
- Producing approximately $39 million annual productivity gains for DOE
Slide 9: CME System
Slide 10: Step 4: Create Software to Find Attacks Against Lab Assets
- Philosophy: look at activity against valuable lab assets, not at packet statistics
- Find SNORT log entries against funded researchers
- Significantly reduces data from 1M records to approximately 15,000
- 788 unique source addresses
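An added example (not code from the CIPHER project) that carries Steps 1 to 4 through in Python on two of the slide alerts, reassembled one record per line: parse the raw record into the parsed-entry fields, relate IPs to lab assets, keep only entries tied to a funded researcher, and group them by source IP. The regex layout, the NETREG and CME lookup tables and the treatment of the MAC fields are assumptions.

```python
import re
from collections import defaultdict

# Layout assumed for a reassembled SNORT alert, one record per line (MACs skipped).
RECORD_RE = re.compile(
    r"^(?P<filter>\S+) (?P<ids>IDS\d+) - (?P<desc>.+?) "
    r"(?P<date>\d\d/\d\d)-(?P<tod>\d\d:\d\d:\d\d\.\d+) \S+ -> \S+ "
    r"type:0x\w+ len:0x(?P<framelen>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<proto>\w+)(?: .*?Len: (?P<udplen>\d+))?"
)

# Constructed sample records, reassembled from the slide 4 and slide 5 alerts.
SAMPLE = [
    "ftp-000172 IDS152 - PING BSD 07/20-00:05:02.815218 090699DB03E -> 036C4253FC type:0x800 "
    "len:0x62 213.61.6.2 -> 128.219.153.31 ICMP TTL:46 TOS:0x0 ID:19485 ID:8831 Seq:9639 ECHO",
    "misc-000264 IDS247 - MISC - Large UDP Packet 07/20-00:05:03.171193 090699DB03E -> 036C4253FC "
    "type:0x800 len:0x527 63.76.192.107:23882 -> 160.91.64.211:6970 UDP TTL:119 TOS:0x0 ID:60713 Len: 1285",
]

# Constructed stand-ins for the NetReg (IP -> badge number) and CME (BN -> owner) lookups.
NETREG = {"63.76.192.107": "123456"}
CME = {"123456": ("John Doe", "Nuclear Physics")}

def parse_record(line):
    """Step 1: raw SNORT line -> dict shaped like the slides' parsed log entry."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None  # unrecognised layout: skip rather than guess at fields
    rec = m.groupdict()
    rec["length"] = int(rec["udplen"]) if rec["udplen"] else int(rec["framelen"], 16)
    rec["sport"], rec["dport"] = [int(p) if p else None for p in (rec["sport"], rec["dport"])]
    return rec

def relate_assets(rec):
    """Step 3: attach user and research area for any IP found in NetReg and CME."""
    for side in ("src", "dst"):
        bn = NETREG.get(rec[side])
        if bn in CME:
            rec[side + "_user"], rec[side + "_area"] = CME[bn]
    return rec

def attacks_on_funded_assets(lines):
    """Steps 2 and 4: keep entries tied to a funded researcher, grouped by source IP."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_record, lines)):
        rec = relate_assets(rec)
        if "src_user" in rec or "dst_user" in rec:
            by_src[rec["src"]].append(rec)
    return dict(by_src)
```

The PING record drops out because neither of its addresses resolves to a lab asset, while the UDP record survives with the slide 7 owner fields attached.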
Slide 11: Step 5: Create Changes to the Original VIPAR Tool
- Adapt for usage with SNORT records
- Allow records to be searchable, including by IP address
- Create folders based on SNORT filters
- Can instantly find all the PINGs or traceroutes
Slide 12: Results: All Attacks
- SNORT log entries from 788 source IPs
- Failed login errors highlighted
Slide 13: Suspicious Patterns
- Search over curious PI name
- 45 entries from
  - Czech Republic, Austria, Hungary, Latvia, France, Chile, and Canada.
- Both PIs work in the same nanoscience area
Slide 14: Potential Attack
Slide 15: CIPHER Value
- This analysis cannot be done without CIPHER!
- Ability to quickly summarize data
- Organized around SNORT filters
- Can quickly find suspicious patterns
- Search over records
- Find similar patterns
Slide 16: Potential Next Steps
- Create interface for tools to work with broader collections of data
- Connect CIPHER directly to reduced data
- Expand to work on multiple days
- Add IP watch list capability
- Add data from other sources
  - Trip reports
  - Sensitive technologies
  - Sensitive countries