WINE: Data-Intensive Experiments in Security
PI: Tudor Dumitraș, Symantec Research Labs
tudor_dumitras@symantec.com http://www.symantec.com/about/profile/universityresearch/sharing.jsp
Experimenting with Big Data Ideas
• Big Data is hard to analyze and move around
  • 1 MB on single host or LAN: 0.1–3 ms
  • 1 MB across datacenter: 10 ms
  • 1 MB across Internet: 9,000 ms
• The quality of information is uncertain
  • Field data collected on millions of hosts worldwide
• Big Data experiments are hard to reproduce
  • The data must be representative
  • Security arms race => need updated, Internet-scale data on cyber threats

[Architecture diagram: end-host data, collected by representative sampling and updated continuously, flows into the WINE parallel DB; researchers query it with SQL, MapReduce, R and Weka; the WINE LabBook keeps an archive of curated data sets from prior experiments.]
Creating Internet-Scale Models Using WINE
• WINE data set example: what executable files do people download? Binary Reputation Submissions
  • Machine ID
  • Timestamp (client-side & server-side)
  • Hash (MD5 & SHA2)
  • Download URL
[Two log-scale histograms: Files (histogram), x-axis "Hosts where the file is present"; URLs (histogram), x-axis "URL lifetime [hours]".]
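The two histograms above are derived from the Binary Reputation fields just listed. The following is an added example (not WINE code) that computes file prevalence and URL lifetime from a constructed set of submissions and buckets the values per decade, as the poster's log-scale axes do:

```python
"""File prevalence and URL lifetime from Binary Reputation submissions.
Added example; the record layout (machine id, client-side timestamp, SHA2,
download URL) follows the fields on the poster, the rows are constructed."""
from collections import defaultdict
from datetime import datetime
import math

# Constructed submissions: (machine_id, client-side timestamp, SHA2 prefix, download URL)
SUBMISSIONS = [
    ("m1", "2011-03-01T10:00:00", "aa11", "http://cdn.example/setup.exe"),
    ("m2", "2011-03-01T12:00:00", "aa11", "http://cdn.example/setup.exe"),
    ("m3", "2011-03-04T12:00:00", "aa11", "http://mirror.example/setup.exe"),
    ("m1", "2011-03-01T10:30:00", "bb22", "http://cdn.example/setup.exe"),  # same host, other file
    ("m4", "2011-03-02T09:00:00", "cc33", "http://short.example/x.exe"),
    ("m4", "2011-03-02T09:05:00", "cc33", "http://short.example/x.exe"),  # same host twice: counts once
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def file_prevalence(rows):
    """Number of distinct hosts on which each file hash was seen."""
    hosts = defaultdict(set)
    for machine, _, sha2, _ in rows:
        hosts[sha2].add(machine)
    return {h: len(m) for h, m in hosts.items()}


def url_lifetime_hours(rows):
    """Hours between the first and the last observed download from each URL."""
    first, last = {}, {}
    for _, ts, _, url in rows:
        t = parse_ts(ts)
        first[url] = min(first.get(url, t), t)
        last[url] = max(last.get(url, t), t)
    return {u: (last[u] - first[u]).total_seconds() / 3600 for u in first}


def log10_histogram(values):
    """Bucket values by decade (key = floor(log10 v)), like the poster's log axes.
    A zero cannot be placed on a log axis, so it is counted under the key None."""
    hist = defaultdict(int)
    for v in values:
        hist[None if v <= 0 else math.floor(math.log10(v))] += 1
    return dict(hist)
```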
Analyzing Field Data Using WINE [LEET 2012]
[Three log-scale panels, each plotted against "OS deployment [number of hosts]" or "Time under observation [months]":
• Intrusion-Detection Telemetry: intrusion vectors
• Anti-Virus Telemetry: distinct viruses (annotation: "Targets of opportunity!")
• System-Stability Telemetry: monthly crash rate (0–12%) by Windows release, from Windows 2000 SP3/SP4 through XP, Vista and Windows 7 SP1, 32- and 64-bit (annotation: "Decreasing hazard rate!")]
Measuring the Length of Zero-Day Attacks Using WINE [CCS 2012]
[Method figure: WINE data sets (AV Telemetry, Binary Reputation) joined with OSVDB. Vulnerability timeline: Creation, T0 (first exploit), Disclosure, Patch.
Left plot: malware variants (log scale, 10^0 to 10^5) versus Time [weeks] relative to t0 (-100 to 150), one curve per vulnerability.
Right plot: Zero-Day Attack Length [months] before Disclosure (-30 to 0) for the studied vulnerabilities: CVE-2008-0015, CVE-2008-2249, CVE-2008-4250, CVE-2009-0084, CVE-2009-0561, CVE-2009-0658, CVE-2009-1134, CVE-2009-2501, CVE-2009-3126, CVE-2009-4324, CVE-2010-0028, CVE-2010-0480, CVE-2010-1241, CVE-2010-2568, CVE-2010-2862, CVE-2010-2883, CVE-2011-0618, CVE-2011-1331.]
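The timeline above defines the measurement: the zero-day attack length is the time from the first field sighting (T0) of an exploit binary to the vulnerability's public disclosure. Below is an added illustration (not the CCS 2012 code) that joins constructed AV telemetry, Binary Reputation and OSVDB-style disclosure tables; the CVE identifiers are placeholders:

```python
"""Zero-day attack length as on the poster's timeline: t0 = earliest field
sighting of any binary that AV telemetry labels as an exploit of the
vulnerability; length = disclosure date - t0. Added example, constructed data."""
from datetime import date

# AV telemetry: detections naming the exploited vulnerability (constructed, placeholder CVE ids)
AV_TELEMETRY = [
    {"sha2": "e001", "cve": "CVE-XXXX-0001"},
    {"sha2": "e002", "cve": "CVE-XXXX-0001"},  # second exploit variant, same vulnerability
    {"sha2": "e003", "cve": "CVE-XXXX-0002"},
]
# Binary reputation: sightings of each hash on end hosts (constructed)
BINARY_REPUTATION = [
    {"sha2": "e001", "machine": "h1", "ts": date(2010, 1, 10)},
    {"sha2": "e001", "machine": "h2", "ts": date(2010, 3, 2)},
    {"sha2": "e002", "machine": "h3", "ts": date(2010, 6, 15)},
    {"sha2": "e003", "machine": "h4", "ts": date(2011, 2, 1)},  # only seen after disclosure
]
# Public disclosure dates, as they would come from OSVDB (constructed)
DISCLOSURE = {"CVE-XXXX-0001": date(2010, 7, 1), "CVE-XXXX-0002": date(2010, 12, 1)}

DAYS_PER_MONTH = 30.44


def exploit_hashes(av_rows):
    """Map each vulnerability to the set of binaries detected as exploiting it."""
    by_cve = {}
    for r in av_rows:
        by_cve.setdefault(r["cve"], set()).add(r["sha2"])
    return by_cve


def first_sighting(br_rows, hashes):
    """Earliest date any of the given hashes appeared on a host, or None."""
    seen = [r["ts"] for r in br_rows if r["sha2"] in hashes]
    return min(seen) if seen else None


def zero_day_lengths(av_rows, br_rows, disclosure):
    """Return {cve: (t0, months)}. months is 0.0 when the exploit was first seen
    only after disclosure (no zero-day phase) and None when it was never seen
    or the disclosure date is unknown."""
    result = {}
    for cve, hashes in exploit_hashes(av_rows).items():
        t0 = first_sighting(br_rows, hashes)
        if t0 is None or cve not in disclosure:
            result[cve] = (t0, None)
            continue
        days = (disclosure[cve] - t0).days
        result[cve] = (t0, round(max(days, 0) / DAYS_PER_MONTH, 1))
    return result
```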
Interested in meeting the PIs? Attach post-it note below!