Situational Awareness: Detecting Critical Dependencies and Devices in a Network (PowerPoint presentation, AIMS Conference, 13. 7. 2017, Martin Laštovička)


SLIDE 1

Situational Awareness: Detecting Critical Dependencies and Devices in a Network

Martin Laštovička, lastovicka@ics.muni.cz

AIMS Conference, 13. 7. 2017
SLIDE 2

Situational Awareness

The knowledge and understanding of the current situation.

SLIDE 3

SLIDE 4

SLIDE 5

Motivation

  • Automatic building of situational awareness
  • Ever-evolving threat landscape and network threats
  • Threat impact estimation with respect to the current situation

SLIDE 6

Research Questions

  • 1. How can a device and its services be identified in a complex network using passive network monitoring?
  • 2. How can device dependencies be detected in a network?
  • 3. How can device importance be estimated from the perspective of responding to cyber threats?

SLIDE 7

RQ1: Device and Service Identification

SLIDE 8

SLIDE 9

How?

  • TCP stack
  • Specific domains
  • HTTP hostname
  • HTTPS SNI
  • User-agent
  • Service identifier
  • Port
  • Traffic characteristics

SLIDE 10

Methods

  • Extended flows – IPFIX
    • More information from L3, L4, L7 headers
    • How to update?
  • Machine learning
    • Autonomous characteristics identification
    • How to scale?

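The identification sources listed on slides 9 and 10 (TCP stack, HTTP hostname, HTTPS SNI, User-Agent, specific domains, all exported in extended IPFIX flows) can be combined into one passive classifier that votes per source IP. The block below is an added example written for this page, not the author's code or any tool used in the talk. The flow records are constructed, and the initial-TTL table, User-Agent patterns, vendor-domain hints and evidence weights are simplified rules of thumb assumed for illustration; a real deployment would learn them from labelled traffic.

```python
import re
from collections import Counter, defaultdict

# Default initial TTLs of common IP stacks (assumption: vendor defaults, not tuned hosts).
INITIAL_TTLS = {64: "linux/unix-like", 128: "windows", 255: "network device"}

# User-Agent patterns, most specific first: an Android UA also contains "Linux".
UA_RULES = [
    (re.compile(r"Windows NT"), "windows"),
    (re.compile(r"Android"), "android"),
    (re.compile(r"iPhone|iPad"), "ios"),
    (re.compile(r"Mac OS X"), "macos"),
    (re.compile(r"Linux"), "linux/unix-like"),
]

# Vendor update/telemetry domains that hint at the client OS (constructed list).
DOMAIN_HINTS = {
    "windowsupdate.com": "windows",
    "update.microsoft.com": "windows",
    "swscan.apple.com": "macos",
    "play.googleapis.com": "android",
    "security.ubuntu.com": "linux/unix-like",
}

# Relative trust in each evidence source (assumption: L7 identifiers beat a TTL guess).
WEIGHTS = {"ttl": 1.0, "user_agent": 3.0, "http_host": 2.0, "tls_sni": 2.0}


def guess_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest known initial value (None if above 255)."""
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial
    return None


def os_from_user_agent(user_agent):
    """First matching User-Agent rule, or None for agents the rules do not cover."""
    for pattern, label in UA_RULES:
        if pattern.search(user_agent):
            return label
    return None


def os_from_domain(name):
    """Match an HTTP Host or TLS SNI value against the vendor-domain hints (suffix match)."""
    name = name.lower().rstrip(".")
    for suffix, label in DOMAIN_HINTS.items():
        if name == suffix or name.endswith("." + suffix):
            return label
    return None


def evidence_from_flow(flow):
    """Yield (source_field, os_label) for every field of one flow record that carries a hint."""
    if "ttl" in flow:
        label = INITIAL_TTLS.get(guess_initial_ttl(flow["ttl"]))
        if label:
            yield "ttl", label
    if flow.get("user_agent"):
        label = os_from_user_agent(flow["user_agent"])
        if label:
            yield "user_agent", label
    for field in ("http_host", "tls_sni"):
        if flow.get(field):
            label = os_from_domain(flow[field])
            if label:
                yield field, label


def identify_hosts(flows):
    """Aggregate weighted votes per source IP. Returns {ip: (best_label, {label: score})}."""
    votes = defaultdict(Counter)
    for flow in flows:
        for source, label in evidence_from_flow(flow):
            votes[flow["src_ip"]][label] += WEIGHTS[source]
    return {ip: (c.most_common(1)[0][0], dict(c)) for ip, c in votes.items()}


# Constructed extended-flow records (not captured traffic). TTL is the value seen at the probe.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dst_port": 443, "ttl": 125, "tls_sni": "update.microsoft.com"},
    {"src_ip": "10.0.0.5", "dst_port": 80, "ttl": 125, "http_host": "example.org",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/54.0"},
    {"src_ip": "10.0.0.20", "dst_port": 80, "ttl": 63, "http_host": "security.ubuntu.com",
     "user_agent": "Debian APT-HTTP/1.3 (1.4.6)"},
    {"src_ip": "10.0.0.33", "dst_port": 443, "ttl": 60, "tls_sni": "play.googleapis.com"},
    {"src_ip": "10.0.0.33", "dst_port": 80, "ttl": 60, "http_host": "example.org",
     "user_agent": "Mozilla/5.0 (Linux; Android 7.0; Nexus 5X Build/N2G48B) Mobile Safari/537.36"},
    {"src_ip": "10.0.0.1", "dst_port": 123, "ttl": 254},
]

if __name__ == "__main__":
    for ip, (label, scores) in sorted(identify_hosts(SAMPLE_FLOWS).items()):
        print(f"{ip:10} -> {label:16} {scores}")
```

The 10.0.0.33 host is the instructive case: its TTL alone votes for a generic Linux stack, while the SNI and the User-Agent (matched before the weaker "Linux" rule) outweigh it and label the device as Android. The same weighted-vote structure is what a learned model replaces: the hand-written tables are the part that goes stale, which is the "how to update?" question on slide 10.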
SLIDE 11

RQ2: Detection of Device Dependencies

SLIDE 12

How?

  • Client-server communication
  • Traffic characteristics

SLIDE 13

RQ3: Importance Estimation

SLIDE 14

How?

  • Device identification
  • Provided services
  • Traffic statistics
  • Number of dependencies
  • Attack statistics

SLIDE 15

Methods

  • Graph algorithms
    • Graph centrality
    • Clique detection
  • Analysis of attackers' activities
    • Type of attack
    • Duration, repetition, number of targets

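Slides 12 to 15 describe dependency detection from client-server communication and importance estimation from the number of dependencies, graph centrality and attack statistics. The block below is an added example for this page, not the author's implementation or graph model: it infers the server side of each flow from how many distinct peers an (ip, port) endpoint talks to, builds the directed client-to-server dependency graph, computes Brandes betweenness centrality in pure Python, and ranks hosts with a simple additive score. The flow records, the per-host attack counts and the weights in ATTACK_WEIGHTS are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed flow records (src_ip, src_port, dst_ip, dst_port); not captured traffic.
# The third record is deliberately stored in the server->client direction to show that
# the client/server decision does not depend on which side the exporter listed first.
SAMPLE_FLOWS = [
    ("10.0.1.10", 51000, "10.0.2.5", 443),
    ("10.0.1.11", 51001, "10.0.2.5", 443),
    ("10.0.2.5", 443, "10.0.1.12", 51300),
    ("10.0.2.5", 39000, "10.0.2.6", 8080),
    ("10.0.2.6", 40001, "10.0.2.7", 5432),
    ("10.0.1.10", 52000, "10.0.0.53", 53),
    ("10.0.2.5", 52001, "10.0.0.53", 53),
    ("10.0.2.6", 52002, "10.0.0.53", 53),
]

# Constructed per-host attack statistics as a detector would summarise them: {ip: {type: count}}.
SAMPLE_ATTACKS = {
    "10.0.2.5": {"dos": 2},
    "10.0.2.7": {"brute_force": 5},
    "10.0.1.12": {"scan": 40},
}

# Assumed weights: targeted attacks on a service matter more than background scanning.
ATTACK_WEIGHTS = {"dos": 2.0, "brute_force": 2.0, "scan": 0.1}


def count_peers(flows):
    """Distinct peer IPs per (ip, port) endpoint; a service port accumulates many peers."""
    peers = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port in flows:
        peers[(src_ip, src_port)].add(dst_ip)
        peers[(dst_ip, dst_port)].add(src_ip)
    return peers


def build_dependency_graph(flows):
    """Directed graph {client_ip: {server_ip, ...}} with every host present as a key.

    The server side of a flow is the endpoint with more distinct peers; on a tie the
    lower port wins, because client ports are ephemeral (high) ones.
    """
    peers = count_peers(flows)

    def rank(endpoint):
        return (len(peers[endpoint]), -endpoint[1])

    graph = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port in flows:
        a, b = (src_ip, src_port), (dst_ip, dst_port)
        server, client = (a, b) if rank(a) > rank(b) else (b, a)
        graph[client[0]].add(server[0])
        graph.setdefault(server[0], set())
    return dict(graph)


def betweenness(graph):
    """Brandes betweenness centrality on the directed dependency graph (unnormalised).

    A high value marks a host that sits on many client->service chains, e.g. a front
    end that every workstation reaches and that itself depends on an application tier.
    """
    bc = dict.fromkeys(graph, 0.0)
    for s in graph:
        stack, pred = [], {v: [] for v in graph}
        sigma, dist = dict.fromkeys(graph, 0), dict.fromkeys(graph, -1)
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:
            v = queue.popleft()
            stack.append(v)
            for w in graph[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = dict.fromkeys(graph, 0.0)
        while stack:
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return bc


def rank_importance(graph, attacks):
    """Score = number of dependents (in-degree) + betweenness + weighted attack counts."""
    in_degree = dict.fromkeys(graph, 0)
    for servers in graph.values():
        for server in servers:
            in_degree[server] += 1
    bc = betweenness(graph)
    scores = {}
    for ip in graph:
        attack_score = sum(ATTACK_WEIGHTS.get(t, 0.0) * n for t, n in attacks.get(ip, {}).items())
        scores[ip] = in_degree[ip] + bc[ip] + attack_score
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    graph = build_dependency_graph(SAMPLE_FLOWS)
    for ip, score in rank_importance(graph, SAMPLE_ATTACKS):
        print(f"{ip:10} score={score:5.1f} depends_on={sorted(graph[ip])}")
```

In the constructed topology the web front end 10.0.2.5 ranks first: three workstations depend on it directly and every path from them to the application and database tiers passes through it, so both the dependency count and the betweenness term are high. The database 10.0.2.7 has a single dependent and zero betweenness, yet the brute-force statistics push it to second place, which is the point of mixing graph structure with attack statistics on slide 14. A scanned workstation barely moves because scans are weighted as background noise, matching the slide 16 observation that generic scans land on workstations and dynamic ranges.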
SLIDE 16

Preliminary Results

  • OS recognition in a real network
    • Experiments with flow-based passive identification
    • Encrypted traffic – OCSP protocol
  • Graph-based data model
    • Machines and relations
    • Computations over data
  • Attack targets analysis
    • Generic attacks (scans) on workstations/dynamic ranges
    • DoS, brute-force attacks on servers

SLIDE 17

Discussion

Martin Laštovička, lastovicka@ics.muni.cz

Brno Ph.D. Talent Scholarship Holder – Funded by the Brno City Municipality