abstracting and visualizing host behaviour abstracting
play

Abstracting and Visualizing Host Behaviour Abstracting and - PowerPoint PPT Presentation

Jan 18, 2023 •188 likes •466 views

Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through Graphs Eduard Glatz Computer Engineering and Networks Laboratory ETH Zurich (Switzerland) eglatz@tik.ee.ethz.ch 20. Dec. 2009 Motivation

  1. Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through Graphs Eduard Glatz Computer Engineering and Networks Laboratory ETH Zurich (Switzerland) eglatz@tik.ee.ethz.ch 20. Dec. 2009

  2. Motivation � Research in behavioural host profiling � Dominant and new session structures/application mixes � Evolution of host profiles over time � Investigation of security incidents � Investigation of security incidents � Is this IP address a server or a client? � What services is this IP address providing? What services is this IP address providing? � Teaching � Explain how Berkeley sockets work � Show complex communication patterns 2 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  3. Idea � Common tools focus on traffic as a whole � Browsing through flow lists might be a solution - but is unattractive when lists get very long � Summarization techniques for flow lists exist, but are specialized on anomaly detection � Idea: develop your own tool 3 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  4. Host Behaviour seen in Traffic Data Traffic types yp � Application traffic (user-triggered) � Basic lookup traffic (application-triggered), e.g. DNS � Infrastructure traffic (system-triggered), e.g. DHCP Host profiling Host profiling What application mixes are prevalent? 1. Which roles are incorporated by hosts? (e.g. client, server, P2P role) 2. How do these two properties depend on each other? 3. 4 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  5. How to represent Host Traffic? Idea: use graphs � Nodes correspond to flow attributes N d d t fl tt ib t x1 � Links show flow attributes X (e.g. src IP) that appear together pp g x1, y1, z1 � Result: very dense/noisy graph y1 x1, y1, z2 x1, y2, z1 z1 z1 P Problem: bl x1, y2, z2 y2 � Which relationships are most z2 interesting to illustrate? interesting to illustrate? Y (e.g. protocol) ( g p ) Z (e.g. dst IP) 5 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  6. Transaction Visualization by k-Partite Graphs Approach: � K-partite graphs plus abstraction, e. g. x1 k1 k2 k3 X (e.g. src IP) Y (e.g. protocol) y1 z1 x1, y1, z1 y1 x1, y1, z2 x1 x1, y2, z1 z1 z1 x1, y2, z2 y2 z2 y2 z2 Z (e.g. dst IP) Abstraction: � Purge blue lines and re-arrange partitions as needed to keep most interesting edges 6 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  7. Host Application Profile (HAP) Graphlet We propose: Host traffic visualized by 5-partite graph k1 k2 k3 k4 k5 local IP protocol local port remote port remote IP � Terminology: local/remote instead of source/destination � Optionally annotate nodes with attribute values (not shown) 7 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  8. HAP Graphlet � Visualizes BSD socket based communication in a straight forward way: forward way: � IP addresses assigned to first/last partition (k1, k5) show layer 3 connectivity � Central partitions (k2 k4) show layer 4 connectivity Central partitions (k2..k4) show layer 4 connectivity � Respects port number uniqueness (per protocol, per IP address) 8 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  9. Properties of HAP Graphlets � Near-planar structure � Shows remote IPs and ports associated with local port n mbers (flo s gro ped per application) numbers (flows grouped per application) � Host roles are appearant: � Host roles are appearant: � Server role � Client role � Peer role 9 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  10. What Graph Structures can we expect? One session per application per peer: � Client/server host roles � P2P host roles Complex sessions (applications) that use one or more connections: � To handle different tasks in parallel (e. g. control and data exchange) � To improve performance (parallel flows to same remote endpoint) 10 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  11. Server Role k1 k2 k3 k4 k5 local IP protocol local port remote port remote IP 80 � Indicators: � K3 -> k4 out-degree d1 > 1 (multiple remote connections) K3 k4 out degree d1 1 (multiple remote connections) � K3 -> k5 (virtual) out-degree d2 > 1 (multiple clients) � Often: d1 > d2 (parallel connections) 11 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  12. Client Role k1 k2 k3 k4 k5 local IP protocol local port remote port remote IP 80 � Indicators: � K4 <- k3 in-degree d3 > 1 K4 < k3 i d d3 > 1 � Often: d3 = 1 (work around: local port > 1024, remote port < 1024) ( p p ) 12 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  13. Peer-to-Peer Role k1 k2 k3 k4 k5 local IP protocol local port remote port remote IP � Indicators: � Many remote peers connected, and involved port numbers all above M t t d d i l d t b ll b 1024 � Hard to confirm: needs additional data sources 13 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  14. � Ideally, HAP graphlet fits into available screen area � But … 14 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  15. Role Summarization Idea: � Compress per-role subgraphs Prequisite: � Roles can be associated with sub-graphs Roles can be associated with sub graphs Methodology: Methodology: � Decompose graphlet into role-related subgraphs � Replace such sub-graphs by summary sub-graphs � Ignore graph partitions without role assignment � Decomposition and replacement algorithm depends on role types (server/client/p2p roles) (server/client/p2p roles) 15 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  16. Server Role Summary k1 k2 k3 k4 k5 local IP protocol local port remote port remote IP 80 80 3 2 � Replace server-role related sub-graph � Node annotations mark #connections and #clients � Node annotations mark #connections and #clients 16 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  17. Client Role Summary k1 k2 k3 k4 k5 local IP protocol local port remote port remote IP 80 3 80 � Replace client-role related sub-graph � Node annotation marks number of connections � Node annotation marks number of connections 17 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  18. Peer-to-Peer Role Summary k1 k2 k3 k4 k5 local IP protocol local port remote port remote IP 3 � Replace P2P-role related sub-graph � Node annotation marks number of peers � Node annotation marks number of peers 18 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  19. Minimizing Information Loss Scenario 1 (server role): � One or more clients use double server connectivity through two protocols (e. g. control and data connections) l ( l d d i ) � Full summarization cannot include both connection paths k1 k1 k2 k2 k3 k3 k4 k4 k5 k5 local IP protocol local port remote port remote IP 2 2 tcp tcp 80 80 2 2 udp Approach: 80 � Do not summarize affected client(s) � Use available screen height as a constraint 19 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  20. Minimizing Information Loss Scenario 2 (server role): � One or more clients use parallel connections to server � Full summarization gives average parallelization degree only k1 k2 k3 k4 k5 local IP l l IP protocol t l l local port l t remote port t t remote IP t IP 2 2 conn./client 4 4 2 1 conn./client 2 80 Approach: � Split summary into suitable parallelization groups � Use available screen height as a constraint Use available screen height as a constraint 20 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  21. Productive and Unproductive Traffic Fact: � A considerable part of Internet traffic is unproductive (e. g. scanning, misdirected flows) i di d fl ) But: But: � We are mainly interested in productive traffic to characterize host behaviour � When scan traffic enters the picture, then we want to identify it as such 21 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  22. Scan Traffic Filtering � Mark and optionally remove scan traffic from visualization � How to distinguish scan from productive traffic? � Hypothesis: productive traffic is bidirectional productive traffic is bidirectional , e. g. involves bilateral interaction on the transport layer � Methodology: � Pair unidirectional flows in opposite direction that use identical endpoints endpoints � Look „over the fence“ (i. e. observation interval borders) when searching a buddy for a within-interval unidirectional flow 22 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

  23. Evaluation of Filtering Approach � We inspected two dark IP ranges maintained by our ISP for scan traffic monitoring (over ~2400 h) � Captured at least traffic observed by network telescopes � Our advantage: we can do it over all address ranges � Limitations: � NTP: in symmetric mode NTP source sends periodically NTP: in symmetric mode NTP source sends periodically unacknowledged messages to peers subscribed (RFC 958) � Multicast Source Discovery Protocol (MSDP) : works unidirectional � Discard protocol (tcp port 9) Di d l ( 9) � Situations of multi-connected applications which run over different interfaces (and one connection is unidirectional) ( ) 23 Eduard Glatz TIK-CSG / eglatz@tik.ee.ethz.ch

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Abstracting Carly Ellenberg, CTR, BSEd GATRA Educational Conference 2019 Cordele, Georgia

Abstracting Carly Ellenberg, CTR, BSEd GATRA Educational Conference 2019 Cordele, Georgia

Concurrent Abstracting Carly Ellenberg, CTR, BSEd GATRA Educational Conference 2019 Cordele, Georgia November 5, 2019 Objectives Define concurrent abstracting Discuss the benefits of concurrent abstracting Overcoming

511 views • 27 slides
Functional abstraction Readings: HtDP , sections 21-24. Language level: Intermediate Student With

Functional abstraction Readings: HtDP , sections 21-24. Language level: Intermediate Student With

Functional abstraction Readings: HtDP , sections 21-24. Language level: Intermediate Student With Lambda Topics: Anonymous functions Syntax &amp; semantics Example: Transforming strings Abstracting: Map Abstracting: Foldr Abstracting: Foldl

502 views • 27 slides
Functional abstraction Readings: HtDP , sections 21-24. Language level: Intermediate Student With

Functional abstraction Readings: HtDP , sections 21-24. Language level: Intermediate Student With

Functional abstraction Readings: HtDP , sections 21-24. Language level: Intermediate Student With Lambda Topics: Anonymous functions Syntax &amp; semantics Example: Transforming strings Abstracting: Map Abstracting: Foldr Abstracting: Foldl

1.11k views • 81 slides
Hera-JVM: Abstracting Processor Heterogeneity Behind a Virtual Machine Ross McIlroy and Joe

Hera-JVM: Abstracting Processor Heterogeneity Behind a Virtual Machine Ross McIlroy and Joe

Hera-JVM: Abstracting Processor Heterogeneity Behind a Virtual Machine Ross McIlroy and Joe Sventek University of Glasgow Department of Computing Science Carnegie Trust for the Universities of Scotland Heterogeneous Multi-Core Architectures

662 views • 40 slides
Abstracting concepts from text documents by using a taxonomy E. Chernyak 1,4 , O. Chugunova 1 , J.

Abstracting concepts from text documents by using a taxonomy E. Chernyak 1,4 , O. Chugunova 1 , J.

Abstracting concepts from text documents by using a taxonomy E. Chernyak 1,4 , O. Chugunova 1 , J. Askarova 1 , S. Nascimento 2 , B. Mirkin 1,3 1 Division of Applied Mathematics and Informatics, NRU-HSE, Moscow, Russia 2 Department of Informatics,

517 views • 13 slides
Using the Amsterdam Hypermedia Model for Abstracting Presentation Behavior Article August 1995

Using the Amsterdam Hypermedia Model for Abstracting Presentation Behavior Article August 1995

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/2772722 Using the Amsterdam Hypermedia Model for Abstracting Presentation Behavior Article August 1995 Source: CiteSeer CITATIONS

414 views • 6 slides
The Nuggetizer: Abstracting Away Higher-Orderness for Program Verification Paritosh Shroff

The Nuggetizer: Abstracting Away Higher-Orderness for Program Verification Paritosh Shroff

The Nuggetizer: Abstracting Away Higher-Orderness for Program Verification Paritosh Shroff Department of Computer Science Johns Hopkins University Joint work with Christian Skalka (University of Vermont) and Scott F. Smith (Johns Hopkins

583 views • 47 slides
CSCI 350 Ch. 11 File Systems Mark Redekopp Michael Shindler &amp; Ramesh Govindan 2

CSCI 350 Ch. 11 File Systems Mark Redekopp Michael Shindler &amp; Ramesh Govindan 2

1 CSCI 350 Ch. 11 File Systems Mark Redekopp Michael Shindler &amp; Ramesh Govindan 2 Abstracting Persistent Storage Thread = Abstraction of the processor Address translation =&gt; Abstraction of memory What about abstracting

845 views • 35 slides
CSCI 350 Ch. 8 Address Translation Mark Redekopp Michael Shindler &amp; Ramesh Govindan 2

CSCI 350 Ch. 8 Address Translation Mark Redekopp Michael Shindler &amp; Ramesh Govindan 2

1 CSCI 350 Ch. 8 Address Translation Mark Redekopp Michael Shindler &amp; Ramesh Govindan 2 Abstracting Memory Thread = Abstraction of the processor What about abstracting memory? &quot;All problems in computer science can be

713 views • 55 slides
ABSTRACTING THE IDEA OF Professor Ken Birman HARDWARE (SIMD) PARALLELISM CS4414 Lecture 8

ABSTRACTING THE IDEA OF Professor Ken Birman HARDWARE (SIMD) PARALLELISM CS4414 Lecture 8

ABSTRACTING THE IDEA OF Professor Ken Birman HARDWARE (SIMD) PARALLELISM CS4414 Lecture 8 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR TODAY Understanding the parallelism inherent in There is a disadvantage to this, too. If we an application

989 views • 53 slides
Bo o t Ca mp 2014 3/ 6/ 14 NAACCR 2013 2014 Webinar Series Abstracting &amp; Coding Boot Camp

Bo o t Ca mp 2014 3/ 6/ 14 NAACCR 2013 2014 Webinar Series Abstracting &amp; Coding Boot Camp

Bo o t Ca mp 2014 3/ 6/ 14 NAACCR 2013 2014 Webinar Series Abstracting &amp; Coding Boot Camp March 6, 2014 Q&amp;A Please submit all questions concerning webinar content through the Q&amp;A panel. Reminder: If you have participants

532 views • 18 slides
Abstracting and Coding Boot Camp NAACCR 20182019 WEBINAR SERIES 1 Q&amp;A Please submit all

Abstracting and Coding Boot Camp NAACCR 20182019 WEBINAR SERIES 1 Q&amp;A Please submit all

Boot Camp 2019 3/7/19 Abstracting and Coding Boot Camp NAACCR 20182019 WEBINAR SERIES 1 Q&amp;A Please submit all questions concerning the webinar content through the Q&amp;A panel. If you have participants watching this webinar at your

380 views • 19 slides
Abstracting and Coding Boot Camp: Webinar Series Cancer Case Scenarios NAACCR 20162017

Abstracting and Coding Boot Camp: Webinar Series Cancer Case Scenarios NAACCR 20162017

NAACC R 2015- 2016 Abstracting and Coding Boot Camp: Webinar Series Cancer Case Scenarios NAACCR 20162017 Webinar Series Presented by: Angela Martin amartin@naaccr.org Jim Hofferkamp jhofferkamp@naaccr.org Q&amp;A Please submit all

678 views • 35 slides
Abstracting and Coding Boot Camp: Webinar Series Cancer Case Scenarios NAACCR 20152016

Abstracting and Coding Boot Camp: Webinar Series Cancer Case Scenarios NAACCR 20152016

2/23/2017 NAACC R 2015- 2016 Abstracting and Coding Boot Camp: Webinar Series Cancer Case Scenarios NAACCR 20152016 Webinar Series Presented by: Angela Martin amartin@naaccr.org Jim Hofferkamp jhofferkamp@naaccr.org Q&amp;A Please

679 views • 18 slides
Boot Camp 2015 3/5/15 Abstracting &amp; Coding Boot Camp: Cancer Case Scenarios 2014-2015

Boot Camp 2015 3/5/15 Abstracting &amp; Coding Boot Camp: Cancer Case Scenarios 2014-2015

Boot Camp 2015 3/5/15 Abstracting &amp; Coding Boot Camp: Cancer Case Scenarios 2014-2015 NAACCR Webinar Series March 5, 2015 Q&amp;A Please submit all questions concerning webinar content through the Q&amp;A panel. Reminder: If you

556 views • 12 slides
CMSC320 Introduction to Data One thing we might want to What data is available? What is the

CMSC320 Introduction to Data One thing we might want to What data is available? What is the

An Illustrative Analysis Business First Data Science in Society Abstracting the analysis Abstracting the analysis Data Science in Society: Data Journalism Data Science in Society: Machine Learning Data Science in Society: Machine Learning

921 views • 69 slides
Create the future with the new style of business Rupert Holzbauer, Director SAP Competence Center

Create the future with the new style of business Rupert Holzbauer, Director SAP Competence Center

Create the future with the new style of business Rupert Holzbauer, Director SAP Competence Center EMEA, Hewlett-Packard 1 HP to separate into two new industry-leading public companies Hewlett Packard Enterprise HP Inc. Lea eadin ing p per

896 views • 27 slides
Five years of pdfT EX lessons learned Martin Schrder EXt 2008, 20 th August24 th August

Five years of pdfT EX lessons learned Martin Schrder EXt 2008, 20 th August24 th August

Introduction Administratives Socials Public relations Five years of pdfT EX lessons learned Martin Schrder EXt 2008, 20 th August24 th August 2008, Bohinj ConT = B Y : 1 / 14 Introduction Administratives Socials

145 views • 14 slides
SECURING SECURE SHELL INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT AGAINST INSIDER THREATS

SECURING SECURE SHELL INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT AGAINST INSIDER THREATS

SECURING SECURE SHELL INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT AGAINST INSIDER THREATS Applying Due Care Via Common Sense Approach April 2017 100% 46% Ponemon 2014 SSH Security Vulnerability of 2000 Global do not Organizations Report

307 views • 29 slides
Adaptive Data Structures for IP Lookups Ioannis Ioannidis, Ananth Grama, and Mikhail Atallah

Adaptive Data Structures for IP Lookups Ioannis Ioannidis, Ananth Grama, and Mikhail Atallah

Adaptive Data Structures for IP Lookups Ioannis Ioannidis, Ananth Grama, and Mikhail Atallah Department of Computer Sciences, Purdue University, W. Lafayette, IN 47907. { ioannis, ayg, mja } @cs.purdue.edu and without losing any of the

125 views • 10 slides
Introduction to the GNU GMP Library Salimova Diyora Swiss Federal Institute of Technology

Introduction to the GNU GMP Library Salimova Diyora Swiss Federal Institute of Technology

Introduction to the GNU GMP Library Salimova Diyora Swiss Federal Institute of Technology sdiyora@student.ethz.ch October 16, 2014 Salimova Diyora (ETHZ) Introduction to the GNU GMP Library October 16, 2014 1 / 14 Overview Presentation,

371 views • 14 slides
PostgreSQL Who, What, When, Where, Why, How? 1 QUIS? Who's involved with PostgreSQL? Core

PostgreSQL Who, What, When, Where, Why, How? 1 QUIS? Who's involved with PostgreSQL? Core

PostgreSQL Who, What, When, Where, Why, How? 1 QUIS? Who's involved with PostgreSQL? Core team: https://www.postgresql.org/community/contributors/ Large Users: https://www.postgresql.org/about/users/ Case Studies:

517 views • 7 slides
A userspace API for netfilter control Netfilter Workshop 2007, Karlsruhe Sebastian Kiesel, Jochen

A userspace API for netfilter control Netfilter Workshop 2007, Karlsruhe Sebastian Kiesel, Jochen

INSTITUT FR INSTITUT FR NACHRICHTENVERMITTLUNG KOMMUNIKATIONSNETZE Universitt Stuttgart Universitt Stuttgart UND DATENVERARBEITUNG UND RECHNERSYSTEME Prof. Dr.-Ing. Dr. h. c. mult. P. J. Khn Prof. Dr.-Ing. Dr. h. c. mult. P. J.

794 views • 26 slides
Introduction to rawsockets Mathias Habltzel 29 May 2013 Mathias Habltzel Rawsockets 29 May

Introduction to rawsockets Mathias Habltzel 29 May 2013 Mathias Habltzel Rawsockets 29 May

Introduction to rawsockets Mathias Habltzel 29 May 2013 Mathias Habltzel Rawsockets 29 May 2013 1 / 34 What is rawsocket Raw sockets allow new IPv4 protocols to be implemented in user space. A raw socket receives or sends the raw

285 views • 27 slides

More recommend