Huawei Cybersecurity Intelligence System
Advanced Persistent Threats (APTs) are targeted cyber attacks and intrusions orchestrated by hackers against
enterprises, usually for motives such as data theft or financial gain. An APT is designed to gain access to an
enterprise network, extract data, and continuously monitor the targeted computer system without being
detected. In recent years, APT attacks have been a topic of much debate in the industry, because the unique
attack methods of APTs have made traditional security protection tools ineffective. A typical APT attack runs
as a continuous process: resource reconnaissance, external penetration, command and control, internal
transmission, and data forwarding. Once an enterprise is compromised, hackers can move laterally within the
enterprise network and harvest and transfer data. This can result in considerable financial and information
losses for the enterprise.
Huawei's Cybersecurity Intelligence System (CIS) defends against APT attacks by utilizing technologies such
as big data analytics and machine learning. To guard key information assets, the CIS accurately identifies and
defends against APT attacks. It can restore the kill chain of an APT by extracting key information from mass
data, assessing risks in multiple dimensions, and correlating isolated anomalies based on big data analytics.
Solution Highlights
Comprehensive detection: Detection of events based on APT kill chains, correlating and combining threats
Network-wide collaboration: Collaborating with security devices and endpoints to handle detected threats and sharing reputation in the cloud
Network visualization: Real-time awareness of security posture, enabling search and source tracing of PB-level data within seconds
Solution Architecture
Figure: layered architecture of the CIS, from the bottom layer up:
Data collection: traffic collector (traffic metadata), log collector (syslog/netflow logs), Huawei sandbox (file information), and Huawei next-generation devices
Data processing: data pre-processing, distributed storage, distributed indexing, and smart search
Detection and analysis: threat detection of C&C anomalies, covert channels, traffic anomalies, mail anomalies, web anomalies, and unknown files
Visualization: attack path visualization, threat report, security posture awareness, and system management
Cloud services: global threat intelligence center and APT detection cloud service
Data Collection:
The CIS provides services such as quick search, threat detection, and threat visualization by formatting-based
pre-processing, storing different types of data in distributed mode, and creating indexes for key formatted
data. This is made possible through flow probes collecting metadata from network-wide traffic, log collectors
collecting logs from network security devices, and Huawei sandboxes sending files.
CIS:
The CIS conducts analysis based on a range of data sources: traffic metadata for C&C, covert tunnel, and mail
detection; logs for log correlation analysis; and netflow for traffic anomaly analysis. File information is also
referenced during mail and covert tunnel detection to help locate anomalies. The CIS performs all-around
assessment on isolated anomaly events by cross-referencing related information about time, space, and IP
addresses. In this way, the CIS restores a kill chain to help detect advanced threats.
The CIS visualization layer displays kill chains, network security posture, and threat reports to show how the
APT attack process comprises resource reconnaissance, external penetration, command and control, internal
transmission, and data forwarding. The CIS then provides information such as network threat posture, attack
paths, and high-risk assets. In this way, the CIS helps control network-wide threats in a timely manner.
Cloud-based Services:
After detecting advanced threats, the CIS can upload their information to the global threat intelligence center
for information sharing on the whole network in real time. The Huawei APT detection cloud service enables
customers without a local CIS to upload unknown files to the Cloud for detection.
In addition, Huawei network security devices can block the advanced threats reported by the CIS in real time.
Key Components
Flow probe (data collection): Extracts traffic metadata through mirroring or optical splitting and sends the metadata to the CIS. The CIS then restores the traffic to files and submits them to a sandbox for file inspection.
Log collector (data collection): Collects syslogs and netflow data from key network devices and third-party SIEM systems to perform data collection and normalization.
Security sandbox (data collection): Restores the traffic mirrored from switches or traditional security devices into files and inspects the files transferred on the network in a virtual environment to detect unknown malicious files. Detection results in the form of logs and the original files are sent to the CIS to serve as penetration intelligence of an APT attack.
Visualization node (visualization): Visualizes and displays data such as threat posture, kill chains, advanced threat reports, configuration management, and smart search.
Cluster controller (data processing): Manages the cluster status of the detection and storage node and data dispatcher, and schedules resources for them.
Data dispatcher (data processing): Pre-processes the data reported by flow probes and collectors and forwards the data.
Detection and storage node (data processing): Controls unified data storage and distributed data indexing, and also detects threats based on distributed data processing and analysis.
Key Values
Comprehensive detection: Detection of events based on APT kill chains, correlating and combining threats
Utilizing information provided by the big data platform, the CIS uses machine learning to check traffic in each
attack phase on an APT kill chain, including penetration, stagnation, privilege acquisition, reconnaissance,
and data transfer to detect file, mail, C&C, traffic, log, web, and covert tunnel anomalies based on detection
models. The CIS then correlates the anomalies to detect advanced threats.
Figure: Detection based on APT kill chains. The figure pairs each kill chain phase with the attack behavior it covers:
Penetration: click a mail attachment and infect a virus.
Stagnation: call back a C&C server to obtain a task.
Privilege acquisition: steal an account to obtain the internal privilege.
Reconnaissance: collect data.
Data transfer: send data outside the internal network.
Data sources shown: sandbox-detected information, traffic metadata, netflow, syslog, and intelligence.
Single-point anomaly detection categories shown: mail anomaly (recipient anomaly, high-risk attachment, file and IP checks), unknown C&C (IP reputation, endpoint external connection to C&C), account anomaly (scanning, brute-force cracking), baseline anomaly (asset collection), covert tunnel, traffic anomaly, DNS, and attack source. Single-point anomaly detection feeds kill chain correlation, which feeds threat determination.
File anomaly detection log: Restores unknown files from HTTP, SMTP, POP3, IMAP, and FTP traffic. Then, the sandbox can inspect the restored files to detect threats and send detection results in logs to the CIS. The CIS performs mail and web anomaly detection based on file inspection results. Figure: File penetration kill chain.
Mail anomaly detection: Detects malicious or suspicious files in mail attachments and insecure URLs in mail bodies through SMTP, POP3, and IMAP traffic analysis conducted at the egress of the Internet, based on sandbox file inspection results.
C&C anomaly detection: Detects communication between infected internal hosts and external C&C hosts. The CIS analyzes DNS traffic at the Internet egress to detect abnormal connections initiated from the internal network to the outside.
Traffic baseline anomaly detection: Detects abnormal traffic exchanged between the internal network and the Internet, as well as between internal networks. This function checks network access behavior against the online-learned whitelist or user-defined traffic anomaly detection policies to identify unauthorized access, access frequency anomalies, and access path anomalies.
Log correlation: Extracts signatures from logs, builds log events in a unified format, and conducts cross-referencing and event flow logic analysis in accordance with predefined rules.
Covert tunnel detection: Detects covert tunnels through which infected hosts in the internal network send data to the Internet. Covert tunnel anomaly detection detects the transmission of unauthorized data by compromised hosts using normal protocols and tunnels. The detection methods include Ping Tunnel, DNS Tunnel, and file anti-evasion detection.
Kill chain correlation: The threats detected by the CIS can be categorized as either advanced or common threats. An advanced threat initiates attacks in multiple attack phases, while a common threat initiates a single-point attack in a single attack phase. The system can display the attack path and impact scope in multiple dimensions, including threats, mails, and files. The attack path display in the threat dimension effectively demonstrates the multiple stages of an advanced threat, including external penetration, C&C, internal transmission, and data theft, and clearly shows external attack sources or C&C servers in different regions and compromised or affected hosts on the enterprise network. Figure: APT kill chain correlation.
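The kill chain correlation and the advanced/common threat determination described above, as an added example that is not Huawei's code: constructed single-point anomalies (from sandbox, traffic metadata, syslog and netflow) are grouped per internal host within a time window, mapped to kill chain phases, and classed as advanced when they span more than one phase. The anomaly-to-phase mapping, the seven-day window and the sample events are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Kill chain phases in the order the datasheet lists them.
PHASES = ["penetration", "stagnation", "privilege_acquisition",
          "reconnaissance", "data_transfer"]
# Single-point anomaly type -> kill chain phase (assumed mapping, not CIS config).
ANOMALY_PHASE = {
    "high_risk_attachment": "penetration",    # sandbox-detected information
    "unknown_cc": "stagnation",               # C&C callback in traffic metadata
    "brute_force": "privilege_acquisition",   # account anomaly from syslog
    "scanning": "reconnaissance",             # baseline anomaly from netflow
    "covert_tunnel": "data_transfer",         # covert tunnel detection
}

@dataclass
class Anomaly:
    ts: datetime
    host: str      # internal host the anomaly is attributed to
    kind: str      # key of ANOMALY_PHASE
    source: str    # data source that produced the single-point anomaly

def _summarize(host, events):
    """Collapse one host's anomalies into an ordered kill chain and a verdict."""
    phases = sorted({ANOMALY_PHASE[e.kind] for e in events}, key=PHASES.index)
    verdict = "advanced" if len(phases) > 1 else "common"
    return {"host": host, "phases": phases, "verdict": verdict,
            "first_seen": events[0].ts, "last_seen": events[-1].ts,
            "sources": sorted({e.source for e in events})}

def correlate(anomalies, window=timedelta(days=7)):
    """Group anomalies by host; a new chain starts when an event is more than
    `window` after the first event of the current chain (window is assumed)."""
    by_host = {}
    for a in sorted(anomalies, key=lambda a: a.ts):
        by_host.setdefault(a.host, []).append(a)
    chains = []
    for host, events in by_host.items():
        current = [events[0]]
        for e in events[1:]:
            if e.ts - current[0].ts <= window:
                current.append(e)
            else:
                chains.append(_summarize(host, current))
                current = [e]
        chains.append(_summarize(host, current))
    return chains

# Constructed sample: one host walks most of the chain, one shows a single
# scan, one has two unrelated single-point events a month apart.
T0 = datetime(2017, 5, 1, 9, 0)
SAMPLE = [
    Anomaly(T0, "10.1.1.20", "high_risk_attachment", "sandbox"),
    Anomaly(T0 + timedelta(hours=2), "10.1.1.20", "unknown_cc", "traffic metadata"),
    Anomaly(T0 + timedelta(days=1), "10.1.1.20", "brute_force", "syslog"),
    Anomaly(T0 + timedelta(days=3), "10.1.1.20", "covert_tunnel", "traffic metadata"),
    Anomaly(T0 + timedelta(days=1), "10.1.1.30", "scanning", "netflow"),
    Anomaly(T0, "10.1.1.40", "brute_force", "syslog"),
    Anomaly(T0 + timedelta(days=30), "10.1.1.40", "covert_tunnel", "traffic metadata"),
]

def analyze_sample():
    return correlate(SAMPLE)
```

Host 10.1.1.20 yields one advanced chain across four phases, while 10.1.1.40's two events fall outside the window and stay two common threats.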
Network-wide collaboration: Collaborating with security devices and endpoints to handle detected threats and sharing reputation in the cloud
Collaborating with security devices: After detecting threat information, the CIS can interwork with Huawei NGFWs within minutes to block attacking traffic.
Collaborating with endpoints: The CIS can synchronize detection results with third-party endpoints, so that the endpoints detect and get rid of threats.
Sharing on the cloud: The global threat intelligence center provides the reputation query service based on the threat information detected and uploaded by the CIS. In addition, the CIS can automatically or manually access the cloud reputation center to query IP address, domain, and file reputation information based on customer requirements and perform advanced analysis based on such reputation information. The CIS provides a web page for you to query intelligence on the cloud for further investigation and analysis based on detected threats.
Network visualization: Real-time awareness of security posture, enabling search and source tracing of PB-level data within seconds
1. Threat map: Clearly displays threats facing the enterprise network from all over the globe and the latest detected threat events on the threat map. This helps O&M personnel detect threats in a timely manner and predict network security trends.
2. Key region-focused stage mode: Displays the CIS security posture for a selected region. A province, city, district, or county can be placed on a stage, with the rest of the world shown around it, to present the attack posture aimed at the region on the stage.
Figure: Global security posture awareness
3. Smart search: Conducts quick searches of events and traffic metadata using keywords, condition expressions, and time ranges to rapidly locate the threat and context data of interest to security O&M personnel. In addition, personnel can view detailed data trend statistics and search results, with 1 billion records being processed within 5 seconds.
4. Event investigation: Investigates events based on the kill chain and correlates traffic metadata with different attack stages. The metadata-related PCAP files are available for download under the traffic metadata search result list. Because these operations are performed on the same interface, security O&M personnel can efficiently collect and analyze information.
Figure: Threat schedule
Other functions:
1. Hierarchical big data platform architecture, module-based function combination, and open interfaces: Facilitate
southbound threat log interconnection and northbound interconnection with third-party comprehensive
security management systems.
Application Scenarios
1. Information Security for Finance and Large Enterprises
Figure: deployment topology with the global threat intelligence center and APT detection cloud service in the cloud, the Internet, Branch 1 and Branch 2 (each with flow probe + collector), and an enterprise network with a core area, an office area, and a management area (flow probes, log collector, sandbox, and CIS).
Key Requirements:
1. Detect threats.
2. Block APT attacks.
3. Display security posture.
Key Deployment Points:
1. Deploy flow probes at the Internet border and branch border, and configure policies as required. Flow probes can be optionally deployed at the intranet border.
2. Deploy the sandbox and CIS in the management area.
3. Deploy security devices, such as NGFWs and NGIPSs, at network borders.
4. Deploy endpoint and server probes in the office and core area.
5. Use security devices, such as firewalls, to detect known threats. Use the flow probes, sandbox, and CIS to detect unknown threats. The CIS interworks with firewalls to block APT attacks and displays network-wide security posture.
2. Security Posture Awareness
Figure: carrier-network security posture awareness. Mirrored traffic from the carrier network is fed to AntiDDoS cleaning and traffic attack detecting devices (traffic detection, with diversion and injection), to an IDS acting as the application known threat detecting device (sample detection), and to a DPI system (DNS reply traffic); an APT sandbox performs file inspection, and a NAT source tracing system supplies NAT source tracing logs. Their detection logs and security logs are sent to the CIS, which interworks with these devices, delivers security posture awareness, and connects to the global threat intelligence center.
Solution Features:
1. Known threat detection
1) Checks traffic to detect DDoS attacks and identify zombie hosts.
2) Checks traffic to detect application-layer intrusion and identify network intrusion attack behavior.
3) Inspects files to detect malware and identify the transmission of malicious files.
2. Unknown and advanced threat detection
1) Checks traffic to detect unknown attacks and identify unknown infected hosts and zombie hosts.
2) Inspects files to detect unknown malicious files and identify the transmission of unknown malicious files.
3) Checks traffic and files to detect APT penetration and covert tunnels.
3. Attack source tracing and forensics
1) The big data platform stores protocol metadata, based on which advanced threats are investigated and analyzed.
2) Packets are captured from suspicious traffic, facilitating event confirmation, investigation, and analysis.
4. Network-wide security posture awareness
Detects botnets, Trojan horses, worms, C&C, and advanced threat attacks on the entire network, as well as infected hosts in the internal network.
Product Specifications
Model: CIS
Functions:
Traffic collection: Parses HTTP, DNS, and mail protocols, restores HTTP files and mail attachments, and captures packets based on packet capture rules.
Log collection: Collects syslogs from ArcSight and FireHunter, and netflow logs from Huawei routers, Huawei switches, and flow probes.
C&C anomaly detection: Detects DGA and Fast-Flux domain names.
Event correlation analysis: Provides predefined rules for logs and allows users to define correlation rules and sub-rules.
Traffic baseline anomaly detection: Allows users to configure traffic control rules and supports vertical and horizontal scanning detection.
Traffic anomaly detection: Detects unauthorized access, threshold-exceeding traffic rates, and threshold-exceeding access frequency.
Mail anomaly detection: Analyzes mail sending servers, senders, and recipients, allows users to define the mail whitelist and blacklist, and detects mail attachments.
Covert tunnel detection: Detects Ping Tunnel, DNS Tunnel, and file evasion.
Reputation management: Supports local IP reputation query, DNS reputation generation, and file reputation query.
Attack path visualization: Displays attack transmission paths, including attacks from the Internet to the intranet, transmission within the intranet, and C&C connections from the intranet to the Internet.
Network-wide threat posture: Analyzes threats, malicious and suspicious mails, malicious and suspicious files, targeted hosts, and malicious domain names; and displays correlated events and traffic anomaly events.
Smart search: Searches for data and drills down into search results.
Blacklist and whitelist management: Manages the mail, URL, IP address, and domain name blacklists and whitelists.
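The DGA and Fast-Flux checks that the C&C anomaly detection function names, as an added example that is not Huawei's code: two heuristics run over constructed DNS reply records as seen at the Internet egress, and the CDN entry shows why a short TTL on its own is not a Fast-Flux signal. The thresholds, the public-suffix shortcut and the sample records are assumptions.

```python
import math
from collections import defaultdict

# Assumed thresholds for the example (not CIS values).
FLUX_MIN_IPS = 5        # distinct A records seen for one name
FLUX_MAX_TTL = 300      # seconds; every observed TTL must be at or below this
DGA_MIN_LEN = 10        # label length below which entropy is not meaningful
DGA_MIN_ENTROPY = 3.5   # bits per character of the registered label

# Constructed DNS reply records: (internal client, queried name, TTL, answer IP).
REPLIES = [
    ("10.1.1.21", "www.example.org", 3600, "203.0.113.5"),
    ("10.1.1.22", "www.example.org", 3600, "203.0.113.5"),
    # CDN-style name: short TTL but only two answers, so not Fast-Flux
    ("10.1.1.21", "cdn.example.com", 20, "198.51.100.10"),
    ("10.1.1.21", "cdn.example.com", 20, "198.51.100.11"),
    # Fast-Flux style: a different answer on nearly every query, TTL 60 s
    *[("10.1.1.20", "flux.bad-example.net", 60, f"192.0.2.{i}") for i in range(11, 17)],
    ("10.1.1.23", "flux.bad-example.net", 60, "192.0.2.11"),
    # DGA style: high-entropy registered label, one stable answer
    ("10.1.1.20", "xk3j9qzvb2lmwq.info", 300, "192.0.2.99"),
]

def registered_label(name):
    """Second-level label ('example' for 'cdn.example.com'); the example skips
    public-suffix handling, which a real deployment would need."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_dga(name):
    label = registered_label(name)
    return len(label) >= DGA_MIN_LEN and shannon_entropy(label) >= DGA_MIN_ENTROPY

def find_fast_flux(replies):
    """Names with many distinct answers and uniformly short TTLs."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for _, name, ttl, ip in replies:
        ips[name].add(ip)
        ttls[name].append(ttl)
    return sorted(n for n in ips
                  if len(ips[n]) >= FLUX_MIN_IPS and max(ttls[n]) <= FLUX_MAX_TTL)

def cc_anomalies(replies):
    """Map each flagged name to (reason, set of internal clients that queried it)."""
    flux = set(find_fast_flux(replies))
    flagged = {}
    for client, name, _, _ in replies:
        reason = "fast_flux" if name in flux else ("dga" if looks_dga(name) else None)
        if reason:
            flagged.setdefault(name, (reason, set()))[1].add(client)
    return flagged
```

The clients recorded per flagged name are the "infected internal hosts" the datasheet refers to; they are what a kill chain correlation would consume next.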
Node Server Specifications
Flow probe (high-spec), server type RH2288H V3
Server configuration: CPU 2 x 10-core 2.3 GHz; memory 64 GB; system disk 2 x 300 GB SAS (RAID1 supported); data disk 6 x 1 TB SATA (RAID6 supported)
Description: Collects traffic on the entire network and reports traffic metadata and netflow data to the CIS. Its performance is 10 Gbit/s.
Flow probe (low-spec), server type RH2288H V3
Server configuration: CPU 1 x 10-core 2.3 GHz; memory 32 GB; system disk 2 x 1 TB SATA (RAID1 supported); data disk 1 TB SATA
Description: Collects traffic on the entire network and reports traffic metadata and netflow data to the CIS. Its performance is 0.5 Gbit/s.
Collector, server type RH2288H V3
Server configuration: CPU 2 x 10-core 2.3 GHz; memory 64 GB; system disk 2 x 300 GB SAS (RAID1 supported); data disk 6 x 1 TB SATA (RAID6 supported)
Description: Collects and normalizes logs. Its performance is 7000 EPS for syslogs or 120,000 EPS for netflow logs.
CIS big data backend service node, server type RH2288H V3
Server configuration: CPU 2 x 12-core 2.3 GHz; memory 256 GB; system disk 2 x 600 GB SAS (RAID1 supported); data disk 23 x 1.2 TB SAS (RAID6 supported)
Description: Data pre-processing, distributed storage, distributed indexing, and threat detection and analysis.
Visualization management node, server type RH2288H V3
Server configuration: CPU 2 x 12-core 2.3 GHz; memory 256 GB; system disk 2 x 600 GB SAS (RAID1 supported); data disk 23 x 1.2 TB SAS (RAID6 supported)
Description: Kill chain display, report generation, security posture awareness, and system management.
Dimensions, Power Supply, and Operating Environment
Dimensions (H x W x D): Probe server: 43 mm x 436 mm x 708 mm (1 U). Backend service server, visualization management/probe server: 86.1 mm x 447 mm x 748 mm (2 U).
Weight (net weight with full configuration): Probe server: 20 kg. Backend service server, visualization management/probe server: 30 kg. Packaging material: 5 kg.
AC power supply: AC power input: 100 V to 240 V. Compatible with 240 V HVDC input: 192 V to 288 V.
DC power supply: -75 V to -36 V; rated -48 V.
Maximum power consumption: Probe server: 364 W. Backend service server: 638 W. Visualization management/probe server: 426 W.
Ambient temperature: Working temperature: 5°C to 45°C (41°F to 113°F). Storage temperature: -40°C to +65°C (-40°F to +149°F). Temperature change: < 20°C (36°F) every hour. Long-term storage temperature: 21°C to 27°C (69.8°F to 80.6°F).
Ambient humidity: Working humidity: 8% RH to 90% RH (non-condensing). Storage humidity: 5% RH to 95% RH (non-condensing). Humidity change: < 20% RH every hour. Long-term storage humidity: 30% RH to 69% RH (non-condensing).
Ordering Information
Software (external model: description)
CISSOFTWARE-CD: CIS Software
CIS-PLATFORM: CIS big data basic platform
CIS-FAD: Traffic anomaly detection
CIS-CA: Correlation analysis
CIS-CCAD: C&C anomaly detection
CIS-HTD: Covert tunnel anomaly detection
CIS-MAD: Mail anomaly detection
CIS-ALV: Attack path visualization
CISEXPLIC: Capacity expansion license
Server (external model: description)
SEC-SERVER-AC-03: Security product server AC configuration 03 (2 x 750 W AC, Rail). CIS service node servers, including the cluster controller, data dispatcher, and detection and storage node servers.
SEC-SERVER-AC-04: Security product server AC configuration 04 (2 x 750 W AC, Rail). CIS visualization node and collector with the capability to process 7000 EPS or 120,000 FPS logs, or a probe server with the capability to process 10 Gbit/s mixed traffic, or a flow probe with the capability to process 1 Gbit/s DNS traffic.
SEC-SERVER-AC-05: Security product server AC configuration 05 (2 x 460 W AC, Rail). Low-end node, which is a probe server that can process 0.5 Gbit/s traffic or a flow probe that can process 0.05 Gbit/s DNS traffic.
Auxiliary Configuration (external model: description)
G0MYSQL04: System Software, System Application Software, Light Application Data Management Software Package (5.6 E), 1 Year Standard Product Services, Paper License
CIS-LNX-CD: Linux Preinstall Software
SC1GSUSE1101: Novell SuSE LINUX Enterprise Server 11, 1 Year 7x24 Service
About This Publication
This publication is for reference only and does not constitute any commitments or guarantees. All trademarks, pictures,
logos, and brands mentioned in this document are the property of Huawei Technologies Co., Ltd. or a third party.
Copyright©2017 Huawei Technologies Co., Ltd. All rights reserved.