
NICTER and Its Spin-off Technologies
- R&D project against Cyber Attacks in Japan

Daisuke INOUE
Cybersecurity Laboratory
Cybersecurity Research Institute
National Institute of Information and Communications Technology (NICT)

NICTER: Network Incident analysis Center for Tactical Emergency Response

What is NICT?
- The sole national research institute in the ICT field in Japan
- Research areas shown on the slide:
  - Japan Standard Time (JST): leap second on Jul 1, 2015
  - Bio/Nano ICT (self-organizing bio molecule)
  - Optical Communication (10 Pbps class multi-core fiber)
  - Brain ICT (brain-machine interface)
  - Satellite Communication (Internet satellite WINDS)
  - Multi-lingual Machine Translation (VoiceTra)
  - Science Cloud (real-time web of Himawari-8)
  - Ultra Realistic Communication (electronic holography)
  - Remote Sensing (Pi-SAR2 image after 3.11)
  - Cybersecurity (DAEDALUS)

NICTER and Its Spin-offs (diagram): NICTER (darknet monitoring) and its spin-offs DAEDALUS and NIRVANA (livenet monitoring).

Overview of the project NICTER
NICTER = Network Incident analysis Center for Tactical Emergency Response

Target: comprehensive analysis of security threats on the Internet
- What happens on the Internet?
- What is the root cause?

Strategy: darknet monitoring + malware analysis

(Photo: NICTER Operation Room)

NICTER System Overview (diagram)
- MacS (Macro analysis System): darknet traffic from about 300,000 dark IP addresses feeds an analysis engine and the visualizations (Tiles, Atlas, Cube) that show the observed phenomena.
- MicS (Micro analysis System): malware samples (viruses, bots, worms) captured by honeypots are examined by a code analyzer and a behavior analyzer to find the root cause; about 7,000 samples can be analyzed per day.
- NemeSys (Network and malware enchaining System): a correlation engine links the macro results (phenomena) with the micro results (root cause); about 30 seconds for a correlation analysis.
- IHS (Incident Handling System): incident alerts and an analysis work bench; results go to government, Internet Service Providers (ISPs) and end users.

What is Darknet?
- Darknet: unused IP address space
- In theory: no packets should arrive at the darknet, because its addresses are not connected to any hosts.
- In fact: quite a few packets DO arrive!
- Packets arriving at the darknet are
  - scans by malware
  - backscatter (reflection of DDoS attacks)
  - misconfigurations
  - etc.
- Darknet traffic reflects the global trend in malicious activities on the Internet.


Yearly Stats of Darknet Traffic

Year   Packets observed   Dark IP addresses   Packets per IP address
2005   0.31 billion        16 thousand        19,066
2006   0.81 billion       100 thousand        17,231
2007   1.99 billion       100 thousand        19,118
2008   2.29 billion       120 thousand        22,710
2009   3.57 billion       120 thousand        36,190
2010   5.65 billion       120 thousand        50,128
2011   4.54 billion       120 thousand        40,654
2012   7.79 billion       190 thousand        53,085
2013   12.9 billion       210 thousand        63,655
2014   25.7 billion       240 thousand       115,323
2015   54.5 billion       280 thousand       213,523

(Chart: number of packets per 1 IP address per year, 2005-2015; y-axis 0 to 250,000)

Number of Packets by destination port (2015), pie chart labels: 23/tcp 24%, Other Ports 48%, 445/tcp 8%, 22/tcp 5%, 80/tcp 3%, and seven further ports at 2% each (port labels not shown).

IoT

Practical Use of Darknet Analysis Results
- SIGMON (Special Interest Group of Network Monitoring)
  Partners: JPCERT/CC, IPA, @Police, NICT, universities
  Sharing analysis results of darknet traffic (since 2004)
- ACTIVE (Advanced Cyber Threats response InitiatiVE)
  Alert and prevention activity to customers via ISPs, by MIC
  Providing infected IP address information (since 2014)
- ICT-ISAC Japan (ICT Information Sharing and Analysis Center)
  Sharing DDoS related information (since 2011)

(Screenshot: ACTIVE, www.active.go.jp)

Practical Use of Malware Analysis Results
- Providing malicious URLs to several security vendors on a daily basis
- e.g., Trend Micro uses the URLs in its URL filter service

(Screenshot: Trend Micro InterScan WebManager, http://www.trendmicro.co.jp/jp/business/products/iswm/)

DAEDALUS: Direct Alert Environment for Darknet And Livenet Unified Security
(Image: Ikaros and Daedalus)

Perimeter Protection and DAEDALUS (diagram): perimeter protection and DAEDALUS (alerts derived from NICTER) are complementary.

Goal and Mechanism of DAEDALUS

Goal: utilize the darknet monitoring results for securing the livenet.

Mechanism:
    if (NICTER receives packets from a cooperative organization)
        alert;
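As an added illustration of this mechanism (not NICTER's or DAEDALUS's own code): darknet sensor observations are matched against the livenet prefixes registered by cooperating organizations, and every match produces an alert for that organization, tagged with the packet category from the darknet slide (scan, backscatter, other). The organization names, prefixes and sensor records below are constructed.

```python
"""Toy model of the DAEDALUS alert rule: a packet seen on the darknet whose
source address lies in a cooperating organization's livenet means a host of
that organization is misbehaving, so the organization is alerted."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Livenet prefixes registered by cooperative organizations (constructed;
# RFC 5737 documentation ranges, not real members).
COOPERATIVE_ORGS = {
    "city-hall-A": ip_network("192.0.2.0/24"),
    "university-B": ip_network("198.51.100.0/24"),
}

# Constructed darknet sensor records: (src_ip, dst_port, proto, tcp_flags).
DARKNET_OBSERVATIONS = [
    ("192.0.2.77", 23, "tcp", "S"),     # SYN to telnet: infected host scanning
    ("192.0.2.77", 23, "tcp", "S"),
    ("198.51.100.9", 80, "tcp", "SA"),  # SYN-ACK: backscatter, host answers spoofed SYNs
    ("203.0.113.5", 445, "tcp", "S"),   # not a member prefix: no alert
    ("192.0.2.200", 161, "udp", ""),    # UDP: misconfiguration or similar
]


def classify(proto, flags):
    """Rough taxonomy of darknet packets from the 'What is Darknet?' slide."""
    if proto == "tcp" and flags == "S":
        return "scan"
    if proto == "tcp" and flags in ("SA", "R", "RA"):
        return "backscatter"  # a reply leaking to the darknet: the member is a DDoS victim
    return "other"


def daedalus_alerts(observations, orgs):
    """Return {org: {src_ip: {category: count}}} for member-sourced packets only."""
    alerts = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for src, _port, proto, flags in observations:
        addr = ip_address(src)
        for org, prefix in orgs.items():
            if addr in prefix:
                alerts[org][src][classify(proto, flags)] += 1
                break
    return {o: {ip: dict(c) for ip, c in hosts.items()} for o, hosts in alerts.items()}


if __name__ == "__main__":
    for org, hosts in daedalus_alerts(DARKNET_OBSERVATIONS, COOPERATIVE_ORGS).items():
        for ip, counts in hosts.items():
            print(f"ALERT {org}: {ip} observed on the darknet: {counts}")
```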

DAEDALUS-VIZ

DAEDALUS for Local Gov.
DAEDALUS has started to provide alerts to local governments in Japan (free of charge), from Nov. 1, 2013. Started with 47 local governments.

47 organizations (Nov 2013) -> 601 organizations (Sep 2016)
(Image: Response Manual)

DAEDALUS for ASEAN
JASPER: security partnership between Japan and ASEAN initiated by the Ministry of Internal Affairs and Communications (MIC) since 2013.

JASPER: Japan-ASEAN Security Partnership
PRACTICE: Proactive Response Against Cyber-attacks Through International Collaborative Exchange
DAEDALUS: Direct Alert Environment for Darknet And Livenet Unified Security

DAEDALUS for Enterprise
- SiteVisor: Commercial alert service (clwit, inc.)
- SiteVisor Professional: Incident response service (dit Co., Ltd.)
- NS HARUKA: Commercial alert service (NS Solutions Corp.)

NIRVANA: NICTER Real-network Visual ANAlyzer KAI

Advanced Persistent Threat
- Persistent cyberattack targeting a certain organization
- Intrude into the organization by sophisticated e-mail with malware
- Hiding out and penetrating the organization's internal network
- Finally, valuable information will be stolen and sent outside

Stages (diagram): survey, intrusion, hiding out, establishing bridgehead, searching, penetration, occupation, stealing, pullout

APT Countermeasure
NIRVANA KAI = NIRVANA (livenet monitoring) + Security
- Several detection engines for livenet traffic
- Alert aggregation from many security appliances
- Meta analysis for many kinds of events/alerts
- Cooool Visualization

NIRVANA: Network View (/0: Whole Internet)

NIRVANA for Enterprise
- WADJET: Commercial security solution (dit Co., Ltd.)
- NS MIHARU: Commercial security solution (NS Solutions Corp.)

Conclusion
- NICT is conducting...
  - Cutting edge R&D on Cybersecurity
  - Large-scale monitoring and analysis based on our neutrality
  - International/domestic information sharing with government, academia and industry
  - Tech transfer to industry
  - Human resource development in the Cybersecurity field

Activities shown on the slide: Anti-Malware Engineering Workshop, SECCON CTF Finals, CYDER: Cyber Exercise, Hardening Project, International Sharing of Darknet Data