Comprehensive Understanding of Malicious Overlay Networks
Cyber Security Division 2012 Principal Investigators’ Meeting October 10, 2012
Wenke Lee and David Dagon Georgia Institute of Technology [email protected] 404-808-5172 Roberto Perdisci, University of Georgia April Lorenzen, Dissect Cyber Paul Vixie, Internet Systems Consortium Jody Westby, Global Cyber Risk LLC Chris Smoak, GTRI Matt Jonkman, Open Information Security Foundation
Malware churn
• Very short shelf life
• Techniques: evasive packing; polymorphic malware; generative programming
• Noted example: Storm botnet, June 2006 (new sample pushed on an hourly basis)
A botnet is not merely a single binary. It is the overlay network of malicious infrastructure and supporting malware samples.
Malware Sample Growth
Salient points:
• Exponential growth
• Within our team, about 50 million samples
• The challenge is to analyze the clusters and collections of samples, not merely discrete samples.
Protocols Used in Malware
Salient points:
• Trend towards HTTP, use of proxies, and overlay networks
• Port 80 provides a large haystack in which to hide, frustrating DPI.
DNS Agility in Malware
Salient points:
• Many associate with one domain
• But this is an artifact of malware churn: a botnet may use hundreds of malware samples
• Our challenge is to identify collections and cluster related samples.
Example Botnet: TDSS
• Millions of victims
• Components: rootkit; p2p; DGA; secondary drops reside in RAM only
• Created by affiliate program ($20 to $200 for every 1,000 installations)
• Called “indestructible” by AV researchers
Example: TDSS
Salient points:
• A cloud of DNS services and related malware
• Hundreds of colos; thousands of domains
• Incorporates other “botnets”, e.g., fake AV and clickfraud malware campaigns
• We must describe the network platform of related binaries and network resources, not just a slice of the botnet
Federated Malware Analysis System
• Will use GT's MNIF (Malware Network Intelligence Gathering and Analysis Framework), DURIP funded 2011
• Designed to share intelligence with DETER
• Participants bring one or more of:
  • Localized storage: “I can't run malware, but I can store analysis”
  • VM execution: “I can execute/analyze malware, but lack storage/IPs”
  • Transit/Filter/Egress: “I only have IP addresses to offer”; assuming there are sane policy controls on exit traffic
FMAS Overview
FMAS Design Criteria
• Process 100K+ samples/day, via distributed analysis system
• Three classes of messaging between federated hosts:
  • Management Messages: start/stop VMs, forcing firewall
  • representing partial learning from remote nodes. E.g., feature and vector observations, to be used in machine learning. Likely, only analysis nodes subscribe
  • Conclusive Findings Messages: Announcing facts about samples (availability, AV scans, DNS analysis, clustering output, etc.)
FMAS Policy Layer
• Most industrial malware analysis runs samples in honeypots
• Existential risks:
  • Possible harm to 3rd parties
  • Provides robust messaging/support for botnet (e.g., 3322.org takeover omitted 60 misc. malicious domains, which then resolved via MS-operated DNS servers.)
  • Taints data/analysis (e.g., if PII is obtained from analysis and shared in network)
• Global Cyber Risk (GCR) will perform extensive policy analysis
GCR Analysis
• Legal, policy and ethical analysis of proposed framework, noting data sources, handling, and FMAS interactions with other individuals and networks.
• Operator Agreements: Draft MOUs for participants in FMAS, tailored to role (storage, execution, transit)
• Legal policies for malware analysis
• Policy analysis of passive DNS collection
DNS Analysis
• Construction of Passive DNS mirror: Existing DNSDB mirror proving too critical to security companies, LEO, and analysts; research-oriented mirror required
• Includes vetting of operator agreements, data collection, identification of policy issues in above-the-recursive data collection, etc.
• whois, bulk whois for gTLDs and ccTLDs)
• Create indexed datasets for high-speed and mobile access
Clustering Analysis
• Identify semantic equivalence between malware samples using system- and network-level analysis.
• Goals:
  • Identify optimal flexible execution schedule, to speculatively halt analysis of similar/redundant samples
  • Selectively group samples using static/low-cost attributes to execute only a few group representatives, without loss of C&C information
  • Identification of key domain, static, and URL-based features, to be exported as a “malware channel” of broadcast information
Scaling Malware Execution (bootstrap phase)
• Analyze “bootstrap” malware dataset
• Run each sample for a relatively long time (e.g., few hours)
• Group samples that behave similarly into malware families (clustering)
• Extract family behavior profiles for each malware family
When Should We Stop? (post-bootstrap phase)
• Running new samples (post-bootstrap phase): frequently vet network/system behavior against family behavior profiles
• If a profile matches a known family: do malware in the family exhibit new behaviors if run for longer? Stop/continue execution accordingly
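The stop/continue decision on the two slides above, written out as an added example (this is not code from the slides or from the FMAS project). It assumes that the bootstrap phase produced, for each family, the cumulative set of behaviors seen at a few execution checkpoints (say 10 min, 1 h, 3 h); the behavior-string format, the checkpoint layout and the two family profiles are constructed for the example.

```python
"""Deciding when to stop executing a new malware sample (added example).

Not code from the slides or the FMAS project. The checkpoint layout, the
behavior-string format and the two family profiles are constructed assumptions.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed family behavior profiles from a hypothetical bootstrap phase.
# Each family maps to the cumulative behaviors seen at successive checkpoints
# (e.g. after 10 min, 1 h and 3 h of execution).
FAMILY_PROFILES: Dict[str, List[Set[str]]] = {
    "family-A": [
        {"dns:cnc-a.example", "http:GET /gate.php"},
        {"dns:cnc-a.example", "http:GET /gate.php"},  # nothing new at 1 h
        {"dns:cnc-a.example", "http:GET /gate.php"},  # nothing new at 3 h
    ],
    "family-B": [
        {"dns:seed.example"},
        {"dns:seed.example", "tcp:198.51.100.7:443"},  # C&C contact appears at 1 h
        {"dns:seed.example", "tcp:198.51.100.7:443", "http:POST /upload"},  # more at 3 h
    ],
}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set similarity in [0, 1]; two empty sets count as identical."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


def best_matching_family(observed: Set[str], checkpoint: int,
                         profiles: Dict[str, List[Set[str]]],
                         threshold: float) -> Tuple[Optional[str], float]:
    """Most similar family at this checkpoint, or None if nothing clears the threshold."""
    best, best_score = None, 0.0
    for name, stages in profiles.items():
        if checkpoint >= len(stages):
            continue  # family profile has no observation this late
        score = jaccard(observed, stages[checkpoint])
        if score > best_score:
            best, best_score = name, score
    return (best, best_score) if best_score >= threshold else (None, best_score)


def family_grows_later(stages: List[Set[str]], checkpoint: int) -> bool:
    """Did members of this family show behaviors after `checkpoint` not seen by then?"""
    seen = stages[checkpoint]
    return any(stage - seen for stage in stages[checkpoint + 1:])


def decide(observed: Set[str], checkpoint: int,
           profiles: Dict[str, List[Set[str]]] = FAMILY_PROFILES,
           threshold: float = 0.8) -> Tuple[str, str]:
    """Return ("stop" | "continue", reason) for a sample whose behavior so far is `observed`."""
    family, _ = best_matching_family(observed, checkpoint, profiles, threshold)
    if family is None:
        return ("continue", "no family match")  # unknown behavior: keep running it
    if family_grows_later(profiles[family], checkpoint):
        return ("continue", family)  # the family keeps doing new things later; wait for them
    return ("stop", family)  # the family's profile is exhausted; further execution is redundant


if __name__ == "__main__":
    print(decide({"dns:cnc-a.example", "http:GET /gate.php"}, 0))  # family-A is stable: stop
    print(decide({"dns:seed.example"}, 0))  # family-B reveals its C&C later: continue
    print(decide({"dns:unknown.example"}, 0))  # no match: continue
```

The point of the `family_grows_later` check is that a match alone is not a reason to stop: a sample that looks like family-B after ten minutes has not yet contacted its C&C, so halting it would lose exactly the information the clustering is meant to preserve.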
Feature Extraction and Similarity Metrics
• Extract features from network behavior profiles
• Domain-related features: set of domain names queried; name, location and reputation of authoritative name servers
• IP-related features: set of contacted IPs; location and reputation of BGP prefixes and AS
• Features for HTTP-based malware: URL structure (path similarity, variable names, etc.); other HTTP request header characteristics, e.g., anomalies in header compositions compared to normal browser-generated headers
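An added example tying the Clustering Analysis slide to the feature list above: flatten each sample's network behavior profile into a feature set (queried domains, contacted IPs and their prefix, URL path shape and query variable names, missing browser-typical headers), score pairs by Jaccard similarity, group them greedily, and keep one representative per group for execution. This is not code from the slides or the FMAS project; the profile layout, the feature names, the /24 standing in for a BGP prefix and the four constructed samples are all assumptions.

```python
"""Feature extraction and greedy clustering over network behavior profiles.

Added example (not code from the original slides or the FMAS project). The
profile layout, feature names and the constructed samples below are assumptions.
"""
import re
from typing import Dict, List, Set
from urllib.parse import parse_qsl, urlsplit

# Headers a normal browser-generated request is expected to carry (assumption
# used for the header-anomaly feature).
BROWSER_HEADERS = {"user-agent", "accept", "host"}

# Constructed network behavior profiles: what each sample queried, contacted and
# requested during execution. s1, s2 and s4 are meant to be one family (same URL
# structure and header anomaly, s4 on a different domain); s3 is unrelated.
SAMPLE_PROFILES = [
    {"id": "s1", "domains": ["cnc.example"], "ips": ["203.0.113.10"],
     "http": [{"url": "http://cnc.example/gate.php?id=1001&v=2",
               "headers": {"User-Agent": "Mozilla/4.0", "Host": "cnc.example"}}]},
    {"id": "s2", "domains": ["cnc.example"], "ips": ["203.0.113.10"],
     "http": [{"url": "http://cnc.example/gate.php?id=2077&v=2",
               "headers": {"User-Agent": "Mozilla/4.0", "Host": "cnc.example"}}]},
    {"id": "s3", "domains": ["cdn.example"], "ips": ["198.51.100.5"],
     "http": [{"url": "http://cdn.example/img/42.png",
               "headers": {"User-Agent": "Mozilla/5.0", "Accept": "*/*",
                           "Host": "cdn.example"}}]},
    {"id": "s4", "domains": ["qwzx.example"], "ips": ["203.0.113.44"],
     "http": [{"url": "http://qwzx.example/gate.php?id=5&v=2",
               "headers": {"User-Agent": "Mozilla/4.0", "Host": "qwzx.example"}}]},
]


def url_features(url: str) -> Set[str]:
    """URL-structure features: path shape with digit runs collapsed, plus query variable names."""
    parts = urlsplit(url)
    shape = re.sub(r"\d+", "N", parts.path)
    feats = {f"path:{shape}"}
    feats.update(f"var:{name}" for name, _ in parse_qsl(parts.query, keep_blank_values=True))
    return feats


def header_features(headers: Dict[str, str]) -> Set[str]:
    """Header-composition anomaly: browser-typical headers that are absent from the request."""
    present = {h.lower() for h in headers}
    return {f"hdr:missing:{h}" for h in sorted(BROWSER_HEADERS - present)}


def extract_features(profile: dict) -> Set[str]:
    """Flatten one profile into a feature set (domain, IP, prefix, URL and header features)."""
    feats: Set[str] = set()
    feats.update(f"dom:{d}" for d in profile["domains"])
    feats.update(f"ip:{ip}" for ip in profile["ips"])
    # The /24 stands in for the BGP prefix; a real system would look it up in routing data.
    feats.update("pfx:" + ".".join(ip.split(".")[:3]) + ".0/24" for ip in profile["ips"])
    for req in profile["http"]:
        feats |= url_features(req["url"])
        feats |= header_features(req["headers"])
    return feats


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set similarity in [0, 1]; two empty sets count as identical."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


def cluster(profiles: List[dict], threshold: float = 0.5) -> List[List[str]]:
    """Greedy single-pass clustering: join the first cluster whose representative is similar enough."""
    feats = {p["id"]: extract_features(p) for p in profiles}
    clusters: List[List[str]] = []
    for sid, f in feats.items():
        for members in clusters:
            if jaccard(f, feats[members[0]]) >= threshold:
                members.append(sid)
                break
        else:
            clusters.append([sid])
    return clusters


def representatives(clusters: List[List[str]]) -> List[str]:
    """One sample per cluster is enough to execute for C&C extraction; the rest can be skipped."""
    return [members[0] for members in clusters]


if __name__ == "__main__":
    groups = cluster(SAMPLE_PROFILES)
    print("clusters:", groups)
    print("execute only:", representatives(groups))
```

Note how s4 lands in the same cluster as s1 and s2 although it uses a different domain and IP: the shared path shape, query variable names, prefix and header anomaly carry the match, which is the DNS-agility point made earlier in the deck.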
FMAS Status
• Identified sources for malware at about 100,000 samples/day; no financial arrangement for samples
• Started work on NS reputation (esp. mobile analysis framework); Android: search for “Early2Rise”
• Several team members are directly involved in network operations and policy work: malware samples, spam, DNS, and other real-world data
• Directly adopt technologies developed and publish/broadcast data (e.g., SIE at ISC) and guidelines
• Damballa, a Georgia Tech spin-off: on-going collaboration, established tech transfer relationship
• When appropriate: malware samples to PREDICT, and malware analysis system part of DETER
• Federated Malware Analysis System: Large-scale malware execution; scalability and quantitative transparency assessment; innovative egress filtering; next-gen baremetal framework
• Malware Repository: Vetted mirroring of binary and metadata with transparent, in-depth policies
• Malware Clustering: Based on host- and network-based properties
• Real-time Data Analysis: Visualization and query of synthesis of data
• Legal and policy framework for malware exchange
• Large-scale federated malware exchange and execution system
• Policy and technical framework for passive DNS collection
• Next-gen malware and domain correlation algorithms
• Real-time threat data