Advancing academic research on collaborative internet security

SIDN and the University of Twente have set up a new two-year partnership to advance academic research on the topic of collaborative internet security, which is about enabling groups of service providers to jointly and automatically measure, analyse and mitigate large-scale threats, such as DDoS attacks and malware infections. The partnership complements SIDN Labs’ applied research in this field and involves me becoming an associate professor at the university for one day a week. In this blog, I briefly introduce my notion of collaborative security and outline the research topics I will be addressing in the next two years.

Note: I’m using two types of citation in this blog: hyperlinks refer to more introductory material, while numbers between square brackets ([]) link to in-depth technical documentation, such as academic papers.

Example: proactive protection against DDoS attacks

Figure 1 shows an example of measurement-based collaborative security in which a group of nationally critical service providers (e.g. ISPs, IXPs, hosting providers, government agencies, and scrubbing centres) capture and share information on DDoS sources in the form of “DDoS fingerprints”. Group members generate fingerprints from the PCAPs of the DDoS traffic they handle and share the prints within the group. In the example in Figure 1, service provider SP2 suffers a DDoS attack A and shares its fingerprint with the other members of the group (SP1 and SP3) who add traffic filtering rules for A to their infrastructures (R1 and R3).

The advantage of sharing DDoS fingerprints is that it helps service providers to more quickly derive packet filter rules for DDoS attacks that haven’t hit them yet, which is work that usually takes place under intense pressure. For example, if SP1 were to be the next target of DDoS attack A without having A’s fingerprint, then SP1’s operations teams would have to inspect the incoming DDoS traffic, write a packet filtering rule (R1) for the different types of equipment in their network, and push it into their network while, at the same time, the availability of SP1’s services might start to degrade. Having A’s fingerprint gives them more time to implement R1, which increases the probability that it will effectively mitigate the attack.  

Figure 1. Example: handling DDoS attacks collaboratively

While the sharing of DDoS fingerprints gives service providers such as SP1 a proactive edge, they also need to have facilities in place to handle attack traffic if they do get hit by a DDoS attack (e.g. service provider SP2). Collaborative security for DDoS attacks through the sharing of DDoS fingerprints is thus complementary to scrubbing services such as those provided by the NAWAS or commercial equivalents, rather than a replacement for such services.

Better security decisions

The example provided in Figure 1 illustrates that collaborative security is a way for the members of a group to obtain better and more timely security information, which enables them to make better security-related decisions [1] and ultimately increase the security and resilience of their services. That is important because our daily lives increasingly depend on the availability of online services (e.g. for electronic payments, energy supply, emergency communications and the IoT devices in our homes [13]), and their disruption may lead to large societal or financial damage.

Collaborative security is also important because individual security (service providers relying on just their own information and security facilities) is increasingly insufficient [1]. That is because attacks change more quickly (e.g. because of quickly mutating malware strains [7]), because attacks emerge more quickly (e.g. the number of Mirai-infected devices doubled in only 75 minutes [3]), and because it takes time to provide fixes for zero-day exploits. In addition, the internet is intrinsically a collaboration of more than sixty thousand autonomously operated networks without a central authority, which means that the only way for service providers to secure the system as a whole is to collaborate.

Increased infrastructure protection

The goal of our work is to enable groups of service providers to better protect their infrastructures by sharing their measurements of a particular incident with the group, analysing them collaboratively, and jointly deriving mitigation strategies. We focus on automated tools to support this process as well as on large-scale internet incidents, such as IoT-powered DDoS attacks, IoT malware spreads [7], ransomware attacks and routing hijacks.

One of our key inspirations is the concept of an internet “knowledge plane” [2], which is an automatic and intelligent internet-scale distributed system that reconfigures the internet’s data plane based on multi-site measurements (observation points) of a particular incident, for instance for security purposes. A recent example of multi-site threat analysis is the work of Antonakakis et al. [3], who carried out a “postmortem” analysis of the DDoS attacks that the Mirai botnet launched from around 600K compromised IoT devices on DNS provider Dyn and that crippled several Dyn customers (e.g. Twitter, GitHub and PayPal) in October 2016. The authors combined eight different data sources (e.g. telnet honeypots, passive DNS traces, and DDoS traces) distributed across ten different sites. For instance, they discovered that Mirai infections were concentrated in a limited number of autonomous systems (the top ten accounted for 44% of Mirai infections) and identified the types of DDoS attacks that Mirai generated (e.g. volumetric and TCP state exhaustion), which is information that helps service providers write their traffic filtering rules. The authors also found that the botnet used thirty-three clusters of command and control centres, which is helpful for attribution and prosecution purposes.

The starting point of our work consists of several existing and emerging security collaborations and systems, which demonstrate the feasibility and necessity for collaborative security today. Examples include the DDoS radar (sharing of DDoS signatures amongst critical service providers in the Netherlands), AbuseHUB (automatic botnet data sharing amongst thirteen Dutch ISPs and hosting providers), and SIDN’s collaboration with the Dutch Fraud Helpdesk (automatic sharing of phishing-related information on .nl domain names).

Research challenges

Our overall research challenge is to develop, pilot and evaluate distributed systems that enable groups of service providers to easily set up and maintain security collaborations to handle various types of large-scale events (e.g., DDoS attacks and malware spreads) that jeopardise the security and stability of their services.

Figure 2 provides a high-level overview of the functions that we envision, using Figure 1 as an example: measurement sites (MS) under the control of the service providers in the group, a Joint Threat Analysis (JTA) function and a Joint Strategy Generation function (JSG). The JTA combines multiple measurements from different sites and uses them to derive higher-level information about an incident, similar to Antonakakis’ offline analysis of the Mirai botnet but automated. The JSG uses the joint threat analysis to derive abstract mitigation strategies which service providers adapt to their particular infrastructures, for instance by mapping strategies to Snort filtering rules or configuration commands for specific types of routing equipment to handle DDoS attacks. Figure 2 shows three measurement sites (MS1 to MS3) as an example. The JTA and JSG may be centralised, decentralised, or a combination of the two, depending, for example, on the needs of the service provider group.

 

Figure 2. Collaborative security functions
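
The flow described for Figures 1 and 2, as an added example that is not SIDN Labs' or the DDoS radar's code: each measurement site derives a fingerprint from its own packets, the joint analysis keeps what all sites agree on, and a receiving provider renders the result as a BPF filter and an iptables rule. The fingerprint format (three header fields), the 80% threshold, the sample packets and the protected prefix 192.0.2.0/24 are assumptions made for illustration.

```python
from collections import Counter

FIELDS = ("protocol", "src_port", "dst_port")  # hypothetical fingerprint fields

def site_fingerprint(packets, threshold=0.8):
    """Keep each header field whose most common value covers >= threshold of the packets."""
    fp = {}
    for idx, name in enumerate(FIELDS):
        value, count = Counter(p[idx] for p in packets).most_common(1)[0]
        if count / len(packets) >= threshold:
            fp[name] = value
    return fp

def joint_fingerprint(site_fps):
    """Joint analysis step: keep only the field values that every site reports."""
    first, *rest = site_fps
    return {k: v for k, v in first.items() if all(fp.get(k) == v for fp in rest)}

def _check(fp):
    # A fingerprint without a port would become a rule that drops a whole protocol.
    if fp.get("protocol") not in ("udp", "tcp") or not ({"src_port", "dst_port"} & fp.keys()):
        raise ValueError("fingerprint too generic to filter on")

def to_bpf(fp, protected_prefix):
    """Render the fingerprint as a BPF capture/filter expression for one provider."""
    _check(fp)
    parts = [fp["protocol"], f"dst net {protected_prefix}"]
    parts += [f"{side} port {fp[key]}"
              for side, key in (("src", "src_port"), ("dst", "dst_port")) if key in fp]
    return " and ".join(parts)

def to_iptables(fp, protected_prefix):
    """Render the same fingerprint as an iptables drop rule scoped to the provider's prefix."""
    _check(fp)
    cmd = ["iptables", "-A", "FORWARD", "-p", fp["protocol"], "-d", protected_prefix]
    for flag, key in (("--sport", "src_port"), ("--dport", "dst_port")):
        if key in fp:
            cmd += [flag, str(fp[key])]
    return " ".join(cmd + ["-j", "DROP"])

# Constructed samples (protocol, src_port, dst_port): a UDP flood with source port 53.
MS1 = [("udp", 53, 40000 + i) for i in range(45)] + [("tcp", 50000 + i, 443) for i in range(5)]
MS2 = [("udp", 53, 30000 + i) for i in range(50)]
MS3 = [("udp", 53, 80)] * 48 + [("tcp", 51000, 22)] * 2  # this site sees one target port only

if __name__ == "__main__":
    joint = joint_fingerprint([site_fingerprint(s) for s in (MS1, MS2, MS3)])
    print(joint)
    print(to_bpf(joint, "192.0.2.0/24"))
    print(to_iptables(joint, "192.0.2.0/24"))
```

A rule derived this way also matches legitimate DNS responses sent to the protected prefix, so a provider would normally rate-limit or scope it further before deploying it.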

Specific challenges that we’ll be working on in terms of Figure 2 include:

  • Multi-site measurements: how can an event such as a DDoS attack or a malware spread be automatically measured from multiple heterogenous sites (e.g. MS1 to MS3) so as to characterise it comprehensively? Multi-site measurements require standardised ways of describing measurements and the methodologies used at different sites to obtain them (e.g. using TAXII, IODEF [5], or DOTS [15]). Such work relies heavily on SIDN Labs’ and the UT’s existing experience with large-scale measurements, such as in connection with DDoS attacks [10], domain name abuse [9] and DNSSEC key roll overs.

  • Joint threat evaluation: how can service provider groups be enabled to analyse measurements from multiple sites in a scalable way and make higher-level assertions about a particular event? Joint threat evaluation also involves the development of policy mechanisms that enable measurement sites to protect the privacy of users and define how group members can use their measurements. In addition, it requires group authentication and authorisation mechanisms that enable the secure exchange of measurements and assertions (e.g. using the Service Provider Group concept [8]). Finally, joint threat evaluation is important for understanding the evolution of threats. Joint threat evaluation is also a topic of the recently published Dutch National Cybersecurity Research Agenda.

  • Joint strategy generation: how can abstract mitigation strategies be derived, which group members can adapt to their particular infrastructures? Examples include the generation of generic rules for upstream traffic filtering or dynamically shifting DNS traffic across anycast sites during attacks, and limiting outgoing traffic from compromised IoT devices in edge networks. Another issue with distributed mitigation is how to use joint threat analyses for attribution, such as collecting the fingerprints of DDoS attacks (cf. Figure 1) over time to assist in attributing attacks to specific actors for prosecution purposes.

  • Evaluation: how can the contribution of collaborative security to a more secure and resilient internet infrastructure be measured empirically? That will require pilot studies at higher levels on the Technology Readiness scale (TRLs 5 to 7, roughly) for specific types of threats (e.g. DDoS attacks or malware spreads) and specific types of joint threat evaluation and strategy generation.

  • Deployment: how can service providers be enabled to easily deploy collaborative security systems? That will involve the development of “cookbooks” to help service providers set up service provider groups and cover topics such as guidelines for technical systems, when to use which sharing protocols and formats [5], organisational and process blueprints, best practices from other industries and countries (e.g. from the Dutch banking industry [11]), the strategic considerations that influence when a service provider shares what security information [6], and alignment with (industry) codes of conduct such as for fighting botnets [14] or DINL’s proposal for an industry-wide anti-abuse policy for the Netherlands.

We will also investigate how collaborative security will work in “future internet” scenarios, such as in a manynet setting [4] or in non-TCP/IP-based internets (e.g. based on SCION [12]).

The results of the work will of course be made public to help the operational and scientific communities advance collaborative security, for instance with open-source software, open data, open protocol standards and scientific papers.

Applied and academic research

I intend to address the topic of collaborative security from two different angles. First of all through applied research in my role as head of SIDN Labs and, second, through academic research in my new role as part-time associate professor at the University of Twente (one day a week). My work at the university also involves developing new co-funded research projects, giving courses (e.g. Security Services for the IoT), mentoring students and contributing to academic papers and conferences. I will be working in the Design and Analysis of Communications Systems (DACS) group led by Prof. Aiko Pras.

Feedback

If you’re interested in the topic and you’d like to collaborate on collaborative security :-), then please don’t hesitate to drop me an e-mail or give me a call.

Acknowledgements

Giovane Moura (SIDN Labs), Moritz Müller (SIDN Labs), Jair Santanna (University of Twente), Aiko Pras (University of Twente) and Marco Doeland (Dutch Payments Association) provided feedback that helped me improve this blog.

Further reading

  1. Meng, Y. Liu, J. Zhang, A. Pokluda, R. Boutaba, “Collaborative Security: A Survey and Taxonomy”, ACM Computing Surveys, Vol. 48, Issue 1, September 2015, http://www.ntu.edu.sg/home/yangliu/csur.pdf

  2. D. Clark, C. Partridge, J.C. Ramming, and J.T. Wroclawski, “A Knowledge Plane for the Internet”, SIGCOMM’03, August 25–29, 2003, Karlsruhe, Germany

  3. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z. Durumeric, J. A. Halderman, L. Invernizzi, M. Kallitsis, D. Kumar, C. Lever, Z. Ma, J. Mason, D. Menscher, C. Seaman, N. Sullivan, K. Thomas, and Y. Zhou, “Understanding the Mirai Botnet”, 26th USENIX Security Symposium, 2017, https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf

  4. Ammar, “Ex uno pluria: The Service-Infrastructure Cycle, Ossification, and the Fragmentation of the Internet”, ACM SIGCOMM Computer Communication Review, Vol. 48, Issue 1, January 2018, https://ccronline.sigcomm.org/2018/ccr-january-2018/ex-uno-pluria-the-service-infrastructure-cycle-ossification-and-the-fragmentation-of-the-internet/

  5. Kampanakis, “Security Automation and Threat Information-Sharing Options”, IEEE Security and Privacy, Vol. 12, Issue No. 05, Sep-Oct 2014, pp 42-51

  6. Laube and R. Böhme, “Strategic Aspects of Cyber Risk Information Sharing”, ACM Computing Surveys, Vol. 50, Issue 5, 2017

  7. Kolias, G. Kambourakis, A. Stavrou, and J. Voas, “DDoS in the IoT: Mirai and Other Botnets”, IEEE Computer, July 2017

  8. Gommans, J. Vollbrecht, B. Gommans - de Bruijn, C. de Laat, “The Service Provider Group Framework; A framework for arranging trust and power to facilitate authorization of network services”, Future Generation Computer Systems, Vol.45, pp 176-192, Mar 2015, http://www.delaat.net/pubs/2015-j-2.pdf

  9. Korczynski, M. Wullink, S. Tajalizadehkhoob, G.C.M. Moura, A. Noroozian, D. Bagley, C. Hesselman, “Cybercrime After the Sunrise: A Statistical Analysis of DNS Abuse in New gTLDs”, ACM Asia Conference on Computer and Communications Security (AsiaCCS 2018) Incheon, Korea, June 2018, https://www.sidnlabs.nl/downloads/papers-reports/asiaccs2018-submitted.pdf

  10. Moura, R. de O. Schmidt, J. Heidemann, W. de Vries, M. Muller, L. Wei, and C. Hesselman, “Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event”, ACM Internet Measurement Conference (IMC 2016), Nov 2016, https://www.sidnlabs.nl/downloads/papers-reports/imc2016.pdf

  11. Doeland, “Collaboration and the sharing of information help reduce payment transactions fraud”, Journal of Payments Strategy & Systems, Vol. 11, No. 1 2017, pp. 81–85, https://www.betaalvereniging.nl/wp-content/uploads/Artikel_Journal-of-payments-strategy-by-M-Doeland_11_1.pdf

  12. Barrera, L. Chuat, A. Perrig, R.M. Reischuk, P. Szalachowski, “The Scion Internet Architecture”, Communications of the ACM, June 2017, Vol. 60 No. 6, Pages 56-65, https://cacm.acm.org/magazines/2017/6/217735-the-scion-internet-architecture/abstract

  13. Apthorpe, D. Reisman, N. Feamster, “A Smart Home is No Castle: Privacy Vulnerabilities of Encrypted IoT Traffic”, Workshop on Data and Algorithmic Transparency (DAT '16), New York University Law School, November 2016, https://arxiv.org/abs/1705.06805

  14. K. E Silva, “How industry can help us fight against botnets: Notes on regulating private-sector intervention”, International Review of Law, Computers & Technology, 31(1), 2016, https://www.tandfonline.com/doi/abs/10.1080/13600869.2017.1275274

  15. Dobbins, D. Migault, S. Fouant, R. Moskowitz, N. Teague, L. Xia, and K. Nishizuka, “Use cases for DDoS Open Threat Signaling”, Internet Draft, draft-ietf-dots-use-cases-16, July 2018, https://www.ietf.org/id/draft-ietf-dots-use-cases-16.txt