Tracing IoT devices for anomaly detection purposes

Robin Gassais

December 7, 2017

École Polytechnique de Montréal, DORSAL lab

POLYTECHNIQUE MONTREAL – PRM December 2017 – Robin Gassais, Michel Dagenais

Agenda

Context
  IoT – Smart Home
Approach
  Tracing multiple systems
  Analyzing multiple traces
Use-case
  Mirai botnet
Future Work


Context

Embedded Linux based systems
Limited resources
20 billion smart devices in 2020
Heterogeneous market

Approach – Tracing multiple systems

ARM virtual machine
Central device to collect and analyse the traces
Secure communication: SSH

Approach – Tracing multiple systems

Architecture diagram: the traced ARM virtual machines are connected to the central device through a QEMU virtual bridge; each traced system runs lttng-sessiond, and the central device runs lttng-relayd, which receives the traces.

Approach – Tracing multiple systems

Same architecture diagram, with the SNAPSHOT transfer from the traced systems to the central device highlighted.

Approach – Analyzing multiple traces

What to monitor?
How to monitor anomalies?

Approach – Analyzing multiple traces

Figure (source: Slideshare – Security Monitoring with eBPF – Alex Maestretti, Brendan Gregg)

Use-case – What's Mirai?

Biggest DDoS attack ever seen: 3 Tbps, 500,000 devices
IP surveillance cameras, video recorders, routers
Twitter, eBay, Netflix, GitHub, PayPal down via Dyn DNS

Use-case – What's Mirai?

Diagram: the hacker controls a C&C server over the Internet; the C&C infects vulnerable devices, which connect back to it and obey its orders; on the attack order, all the infected devices connect to the victim's server.

Use-case – Experiment

Lab setup diagram:
C&C / network monitoring: Debian Jessie, 192.168.1.186
Router / DNS: Ubiquiti NanoStation M2, OpenWRT
Vulnerable device: Rpi2 (Raspberry Pi 2), Yocto | Busybox | telnetd, 192.168.1.226
Tracing: LTTng relayd and LTTng daemon

Use-case – Results

Mirai
Telnet -> upload file -> chmod on it: 14.9 s
Using all the kernel tracepoints – live mode

Now
Chmod on a newly created directory: 1.33 s
execve, faccessat, chmod – snapshot mode (send 1 s)
Chmod on a newly created directory: 0.98 s
faccessat, chmod – snapshot mode (send 0.7 s)

No network, no physical devices
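One way to turn the sequence above (a file is created by the upload, then chmod makes it executable) into a detection rule over the execve/chmod tracepoints, as an added example that is not the authors' code: the trace lines are a constructed simplification of babeltrace's text output, and the 30 s window and the alert format are assumptions. Because snapshot mode delivers events in batches, the detector keeps its state across batches.

```python
import re

# Constructed sample: kernel syscall tracepoints from two consecutive LTTng
# snapshots, simplified from babeltrace's text output. pid and procname are
# context fields (enabled with `lttng add-context -k -t pid -t procname`).
SNAPSHOT_1 = """\
[10.120] syscall_entry_execve: { pid = 201, procname = "telnetd" }, { filename = "/bin/sh" }
[10.940] syscall_entry_openat: { pid = 201, procname = "sh" }, { filename = "/tmp/.x", flags = 577 }
[11.300] syscall_entry_faccessat: { pid = 201, procname = "sh" }, { filename = "/tmp/.x", mode = 1 }
[11.310] syscall_entry_chmod: { pid = 201, procname = "sh" }, { filename = "/tmp/.x", mode = 511 }
[11.900] syscall_entry_chmod: { pid = 340, procname = "cron" }, { filename = "/var/log/x", mode = 420 }
"""
SNAPSHOT_2 = '[12.050] syscall_entry_execve: { pid = 201, procname = "sh" }, { filename = "/tmp/.x" }\n'

EVENT_RE = re.compile(r"^\[(?P<ts>[\d.]+)\] (?P<name>\w+): \{ (?P<ctx>[^}]*) \}, \{ (?P<fields>[^}]*) \}$")
KV_RE = re.compile(r'(\w+) = (?:"([^"]*)"|([^,\s]+))')
O_CREAT = 0o100      # open(2) flag bit: the file may be newly created (the "upload")
EXEC_BITS = 0o111    # any execute bit in the chmod mode

def parse_event(line: str) -> dict:
    """Turn one trace line into {"ts", "name", <context and payload fields>}."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError("unrecognised trace line: " + line)
    ev = {"ts": float(m["ts"]), "name": m["name"]}
    for key, text, num in KV_RE.findall(m["ctx"] + " " + m["fields"]):
        ev[key] = text if text else int(num)
    return ev

class UploadThenChmodDetector:
    """Flags a process that creates a file, then makes it executable or runs it.
    State is kept across feed() calls: the steps may land in different snapshots."""
    def __init__(self, window_s: float = 30.0):
        self.window_s = window_s      # assumed: max delay between upload and chmod
        self.created = {}             # (pid, path) -> creation timestamp

    def feed(self, snapshot: str) -> list:
        alerts = []
        for line in snapshot.splitlines():
            ev = parse_event(line)
            key = (ev["pid"], ev.get("filename", ""))
            if ev["name"] == "syscall_entry_openat" and ev["flags"] & O_CREAT:
                self.created[key] = ev["ts"]   # candidate upload by this process
            elif key in self.created and ev["ts"] - self.created[key] <= self.window_s:
                if ev["name"] == "syscall_entry_chmod" and ev["mode"] & EXEC_BITS:
                    alerts.append({"stage": "chmod", "pid": key[0], "path": key[1], "ts": ev["ts"]})
                elif ev["name"] == "syscall_entry_execve":
                    alerts.append({"stage": "execve", "pid": key[0], "path": key[1], "ts": ev["ts"]})
        return alerts
```

The cron chmod in the sample is not flagged: it neither follows a file creation by the same process nor sets an execute bit.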

Use-case – Results

(slide placeholder) PUT RESULTS

Future work

Detection rules? Machine learning?
Physical objects
Tradeoff between snapshot frequency, number of tracepoints to monitor and performance of the device

Thank you!

Questions? Suggestions? Solutions?

[email protected]