Academic Advisor: Dr. Yuval Elovici Technical Advisor: Dr. Lidror Troyansky
Slide 2
• PortAuthority Offers Businesses the Opportunity to Gain Insight Into Their Information Leak Vulnerabilities.
• 70% of Information Leaks are Internal
Most organizations focus on preventing outside-in security breaches, but industry analysts argue that up to 70% of security breaches occur from the inside-out. Information leaks of private and confidential information create a growing threat to organizations of any size.
• Example of a file-sharing information leak: http://www.ynet.co.il/articles/0,7340,L-2875208,00.html
Air force officer in the IDF suspended over sharing confidential army documents…
Slide 3
• P2P Networks.
– Gnutella, Gnutella2, Bittorrent, eDonkey2000, Kademlia.
– P2P networks are typically used for connecting nodes via largely ad hoc connections.
– Sharing content files containing audio, video, data or anything in digital format is very common (including confidential information).
– Real-time data, such as VOIP, is also passed using P2P technology.
Slide 4
Figure: Gnutella network diagram. Computer A is sharing non-confidential files; Laptop B contains an organization's confidential file; PDA C searches for and downloads the organization's confidential file. Other labelled elements: routers, the Organization Firewall, P2P Inspector Gadget, and the Client Organization.
Continued…
Slide 5
• Develop a system which will:
– Be able to configure the scanning parameters.
– Scan the P2P networks.
– Download files suspected to be confidential.
– Analyze the material using Machine Learning.
– Generate reports.
– Produce statistics.
Slide 6
Figure: system architecture. Components: P2P Network; P2P Scanner Client (finds and downloads suspected files); Inspector Gadget Database; File Analyzer (discovers confidential files by analyzing the downloaded information). The application borders are marked on the diagram.
Slide 7
• Scanning the P2P network (Gnutella) and looking for suspicious target information (e.g. documents that appear to be confidential).
Slide 8
• Downloading the suspicious target information (e.g. documents that appear to be confidential) from the P2P network (Gnutella).
Continued…
Slide 9
• Analyzing the scanned results (determining the value of the documents).
– The system will use Machine Learning, based on the filtering algorithm, to classify the documents.
Continued…
Slide 10
• Bayesian filtering is the process of using a Bayesian statistical method to classify documents into categories.
• Bayesian filtering gained attention when it was described in the paper "A Plan for Spam" by Paul Graham, and has become a popular mechanism for distinguishing illegitimate spam email from legitimate "ham" email.
• Bayesian filtering takes advantage of Bayes' theorem, which says that the probability that a document belongs to a certain group (confidential documents), given that it contains certain words, is equal to the probability of finding those words in a document from that group (confidential documents), times the probability that any document belongs to that group (confidential documents), divided by the probability of finding those words in any group:
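A worked implementation of the classification rule stated on this slide, added here as an example; it is not code from the PortAuthority / Inspector Gadget project. It trains a two-class Bayesian filter on a small constructed corpus and returns P(confidential | document) by Bayes' theorem, with the denominator P(words) expanded as the sum over both groups. The naive Bayes word-independence assumption, add-one (Laplace) smoothing for words never seen in training, log-space arithmetic to avoid underflow on long documents, and the 0.5 decision threshold are all assumptions not stated on the slide.

```python
"""Two-class Bayesian document filter (confidential vs. public).

Added example, not the project's own code. Assumptions beyond the slide:
naive Bayes word independence, Laplace smoothing, log-space arithmetic,
and a 0.5 decision threshold. The training corpus is constructed.
"""
import math
import re
from collections import Counter

CONFIDENTIAL = "confidential"
PUBLIC = "public"

# Constructed training corpus: a few short documents per group.
TRAINING_DOCS = [
    ("Internal only: salary schedule and employee id numbers attached", CONFIDENTIAL),
    ("Confidential board minutes, merger terms and contract pricing", CONFIDENTIAL),
    ("Do not distribute: customer account numbers and passwords list", CONFIDENTIAL),
    ("Internal memo: restricted project budget and payroll figures", CONFIDENTIAL),
    ("Press release: new product launch event open to the public", PUBLIC),
    ("Community newsletter with recipes, sports results and weather", PUBLIC),
    ("Public website help page: how to reset your account password", PUBLIC),
    ("Travel guide listing museums, restaurants and opening hours", PUBLIC),
]

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case a document and split it into word tokens."""
    return TOKEN_RE.findall(text.lower())


class BayesianFilter:
    """P(c | D) = P(D | c) * P(c) / P(D), with P(D | c) approximated as the
    product of per-word probabilities P(w_i | c) (naive Bayes assumption)
    and P(D) = sum over groups c' of P(D | c') * P(c')."""

    def __init__(self, docs, alpha=1.0):
        self.alpha = alpha              # Laplace smoothing constant (assumption)
        self.class_counts = Counter()   # documents per group
        self.word_counts = {}           # group -> Counter of word frequencies
        self.vocab = set()
        for text, label in docs:
            self.class_counts[label] += 1
            counts = self.word_counts.setdefault(label, Counter())
            for w in tokenize(text):
                counts[w] += 1
                self.vocab.add(w)
        self.total_docs = sum(self.class_counts.values())

    def log_prior(self, label):
        """log P(c): fraction of training documents that belong to group c."""
        return math.log(self.class_counts[label] / self.total_docs)

    def log_likelihood(self, words, label):
        """log P(D | c) = sum_i log P(w_i | c), with add-alpha smoothing so an
        unseen word gets a small non-zero probability instead of zeroing P(D | c)."""
        counts = self.word_counts[label]
        denom = sum(counts.values()) + self.alpha * len(self.vocab)
        return sum(math.log((counts[w] + self.alpha) / denom) for w in words)

    def posterior(self, text, label=CONFIDENTIAL):
        """P(c | D): Bayes' theorem with the denominator P(D) expanded over all groups."""
        words = tokenize(text)
        # Numerator P(D | c) * P(c) for each group, kept in log space.
        log_joint = {c: self.log_prior(c) + self.log_likelihood(words, c)
                     for c in self.class_counts}
        # log P(D) = log sum_c exp(log_joint[c]), computed stably.
        max_lj = max(log_joint.values())
        log_evidence = max_lj + math.log(sum(math.exp(v - max_lj) for v in log_joint.values()))
        return math.exp(log_joint[label] - log_evidence)

    def classify(self, text, threshold=0.5):
        """Label the document; the threshold is a tunable assumption."""
        return CONFIDENTIAL if self.posterior(text) >= threshold else PUBLIC


if __name__ == "__main__":
    f = BayesianFilter(TRAINING_DOCS)
    for sample in ("Restricted: employee payroll and salary data, internal only",
                   "Museum opening hours and public event calendar"):
        print(f"{f.posterior(sample):.3f}  {f.classify(sample):<12}  {sample}")
```

In practice the decision threshold is the parameter to tune against the cost of each error: a missed confidential document on a public network is usually far more expensive than a public document flagged for manual review, so a threshold below 0.5 is often the better operating point.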
Slide 11
• Statistics Gathering:
– The number of users which currently hold the target information.
– Using IP Geolocation to find out the geographic location of the leaked information.
– The history of searched for, downloaded & analyzed files.
Continued…
Slide 12
Figure: use case diagram (actor: User). Use cases: 1. Start system; 2. Disconnect from network; 3. Connect to the network; 4. Shutdown system; 5. Scan network; 6. Analyze downloaded files; 7. Update system parameters; 8. View statistics.
Slide 13
Continued…
Scan network - Use Case Diagram
Figure: interaction between User and System. 1: start scan; 2: Scan the network; 3: Download results to disk; 4: end of scan; 5: start Use case 6.
Slide 14
Continued…
Analyze downloaded files - Use Case Diagram
Figure: steps performed by the System. 1: Convert files on disk to text format; 2: Scan files using the "smart" algorithm; 3: Save results to the statistics database.
Slide 16
• Performance constraints:
– The system should return a search result for a suspicious target after no more than 15 minutes.
– The system timeout for downloading should be configurable.
– The system should hold history results and statistics from not more than one year ago.
Slide 17
• Safety and Security:
– The system will not be used for any purpose other than finding information leaks in P2P networks (e.g. it will not be used to find shared MP3 files).
– The system will not expose the confidential documents it downloads, nor the documents that were used to train the Machine Learning algorithm.
Continued…
Slide 18
– Platform constraints:
• OS: Windows XP.
• Database: MS SQL Server 2000.
– Programming languages (restricted to Python, Java/J2E, C++ and C#).
Continued…
Slide 19
• Mainly a research project.
– Algorithm risk (Machine Learning).
– Is it good for confidential documents?
• Action to be taken:
– Feasibility Study.
Figure: flowchart. Start → Feasibility Study → Is successful? If yes: Add more functionality → End; if not: Try another algorithm.
Slide 20
What does successful mean?
Slide 21
• Gnutella is an old network.
– May not contain confidential information.
– Action to be taken:
• Test suite.
• Use a different P2P network.
Slide 22
Epilogue
• Elovici: "The strength of a company's security lies in its weakest link..."
• Everyone, come visit the site: www.cs.bgu.ac.il/~amirf/AMOS