anomaly detection through blind flow analysis inside a
play

Anomaly Detection Through Blind Flow Analysis Inside a Local - PowerPoint PPT Presentation

May 11, 2023 •340 likes •663 views

Anomaly Detection Through Blind Flow Analysis Inside a Local Network Ron McLeod, BCSc, MCSc. Director - Corporate Development Telecom Applications Research Alliance Doctoral Student, Faculty of Computer Science, Dalhousie University

  1. Anomaly Detection Through Blind Flow Analysis Inside a Local Network Ron McLeod, BCSc, MCSc. Director - Corporate Development Telecom Applications Research Alliance Doctoral Student, Faculty of Computer Science, Dalhousie University Vagishwari Nagaonkar, BCSc Senior Systems Engineer, Wipro Technologies Graduate Student, Faculty of Computer Science, Dalhousie University

  2. Abstract In the August of 2006, 4 months of Netflow records that were collected inside a small private network were subjected to a Blind Flow Analysis. Such an analysis is characterized by having access to the flow records from inside the network but no access to the payload data and no physical access to the hosts generating the traffic. Experiments were conducted to discover if useful behavioural clusters could be constructed with such minimal access and whether individual classes of hosts could be clustered into standard ranges including clusters indicative of compromised hosts. Early results are promising in that hosts may be clustered into User Workstations, Servers, Printers and hosts Compromised by Worms.

  3. Overview • Network Monitoring for Security In a Multi-tenant Environment network environment is problematic. • Tenants (Including individuals and corporate entities) have specific concerns with respect to privacy or corporate confidentiality. • A network analyst may be specifically forbidden from capturing the payload data. The analyst may not be granted access to specific hosts and may not even be able to receive information as to the type and nature of the host in question (i.e. is this a server, a workstation or a printer). • In this environment the analyst may be restricted to analyzing only packet header data or flow records. • The authors decided to test the ability of the analyst to form useful characterizations in such a restricted environment.

  4. Clusters by File Size • First Characterization was by Bag File Size

  5. Feb Bag Data File Size in Bytes S e r i e s 1 F e b r a r y B a g s - D p o r t s S e r i e s 2 S e r i e s 3 2 0 0 0 0 0 S e r i e s 4 Game Server S e r i e s 5 1 5 0 0 0 0 S e r i e s 6 S e r i e s 7 1 0 0 0 0 0 S e r i e s 8 S e r i e s 9 5 0 0 0 0 S e r i e s 1 0 S e r i e s 1 1 0 S e r i e s 1 2 H o s t s S e r i e s 1 3 Worm S e r i e s 1 F e b r u a r y B a g s - D I P ' s S e r i e s 2 Printer S e r i e s 3 4 5 0 S e r i e s 4 4 0 0 Host 22 S e r i e s 5 3 5 0 3 0 0 S e r i e s 6 2 5 0 S e r i e s 7 2 0 0 S e r i e s 8 1 5 0 S e r i e s 9 1 0 0 S e r i e s 1 0 5 0 S e r i e s 1 1 0 S e r i e s 1 2 H o s t s S e r i e s 1 3 S e r i e s 1 F e b r u a r y B a g s - P r o t o c o l s S e r i e s 2 S e r i e s 3 Worm 3 5 0 0 S e r i e s 4 3 0 0 0 S e r i e s 5 2 5 0 0 S e r i e s 6 2 0 0 0 Servers S e r i e s 7 1 5 0 0 S e r i e s 8 1 0 0 0 S e r i e s 9 5 0 0 S e r i e s 1 0 0 S e r i e s 1 1 1 S e r i e s 1 2 H o s t s S e r i e s 1 3

  6. Procedure • As each anomaly in the data was observed, A hypothesis was developed and the IP number of the host in question along with the hypothesis was sent to the network owner. • For the purpose of testing experimental results, the network owners were asked to confirm (on a voluntary basis) the hypothesis.

  7. Two Anomalous Cases Only Briefly Addressed • The Anomaly labeled Game Server represented a compromised host on the network that was being used to support worldwide on-line gaming. • The anomaly labeled Host 22 was believed to be a VLAN gateway, but this hypothesis has yet to be confirmed.

  8. Game Server Behaviour Game Server Profile from Bags for Bytes, Destination IP’s and Destination Ports • Outbound Byte Transfers per month: 45 Billion Bytes. • Destination IP’s per month: 2 million external hosts • Large numbers of flow records of small byte size coupled with less number of records with very large Byte size. Accessed to virtually every destination Port

  9. Games Server Record Size Number Of Records Byte Size of Record

  10. Game Server Dport Distribution Bytes Destination Ports

  11. Protocol Bag File Size Host 60 80 Hosts for one Month (Feb)

  12. Protocol Bag File Size Host 60 Behaviour Sequential access to entire /24. Sequential access to /24’s within specific /16’s (Microsoft). Small uniform byte volumes sent to every port using every protocol to every machine. Host was a user workstation and the user complained that their machine was slow and the cpu seems to be busy even when they are doing nothing. Hard drive was restored from earlier backup. Performance improved.

  13. Protocol Bag File Size Host 60 Behaviour Sequential access to entire /24. Sequential access to /24’s within specific /16’s (Microsoft). Small uniform byte volumes sent to every port using every protocol to every machine. Where did it come from? Host was a user workstation and the user complained that their machine was slow and the cpu seems to be busy even when they are doing nothing. Hard drive was restored from earlier backup. Performance improved.

  14. Protocol Bag File Size Host 60 Behaviour Sequential access to entire /24. Sequential access to /24’s within specific /16’s (Microsoft). Small uniform byte volumes sent to every port using every protocol to every machine. Where did it come from? Host was a user workstation and the user complained that their machine was slow and DIP Bag for Game Server the cpu seems to be busy even when they 1,434,898 External Hosts are doing nothing. Host 57 233,952 Host 60 3,891,482 Hard drive was restored from earlier Host 34 1,021,287 backup. Performance improved.

  15. Some Identified Anomalies Network Servers Worms Network Printer Vlan Activity Unknown Baseline Workstation Behaviour Host ID Destination Port Bag File Sizes

  16. Eight Workstation Hosts Byte Bag Behaviour Host ID Outbound Bytes Recorded in February 44 5,261,662 47 10,521,361 48 2,122,423 50 2,935,836 51 2,493,552,524 52 8,251,245 56 15,126,755 60 7,869,147 Byte Bag Characteristics First Component of Local Workstation BWB Rule: Byte Bag for Month will be Less than 20 million bytes First Component of Local Workstation Worm Rule: Byte Bag for Month may be greater than 20 million bytes.

  17. Eight Workstation Hosts Destination IP Bag Behaviour Host ID February Destination IP's Internal External 44 5 17 47 4 12 48 4 5 50 4 4 51 3 467 52 5 6 56 4 3 60 5 351

  18. Eight Workstation Hosts Destination IP Bag Behaviour Internal and External DIPS for February 1000 Internal DIP's 100 Number of External DIP's DIP's 10 44 47 48 50 51 Host ID 52 1 56 60 Destination IP Bag Characteristics Second Component of Local Workstation BWB Rule: Internal DIP’s less than 10 per month and External DIP’s less than 20 per month. Second Component of Local Workstation Worm Rule: External IP’s contacted will greater than 20 per month.

  19. Eight Workstation Hosts Data Derived From Protocol Bag Number and Percentage Allocation of Protocols for February 300 250 200 150 Number 100 %ICMP %TCP 50 %UDP 0 %OTHER 44 47 48 50 51 52 %OTHER 56 %TCP Number

  20. Eight Workstation Hosts Data Derived From Protocol Bag Number and Percentage Allocation of Protocols for February - Without Host 60 100 90 80 70 60 50 Number 40 30 %ICMP 20 %TCP 10 %UDP 0 %OTHER 44 47 48 50 51 52 %OTHER 56 %TCP Number

  21. Eight Workstation Hosts Data Derived From Protocol Bag Relative Protocol Use Third Component of Local Workstation BWB Rule: Protocol Distribution will be as to TCP > 70%, UDP < 30% and ICMP <2% and Number of Protocols will be less than 5. Third Component of Local Workstation Worm Rule: Number of Protocols will be greater than 5. (did not observer any greater than 4)

  22. Eight Workstation Hosts Data Derived From Destination Port Bag DPORTs for February 1200.000 1000.000 # <1024 %<1024 800.000 %Total Bytes 600.000 # 1024-5000 400.000 %1024-5000 200.000 %Total Bytes # >5000 0.000 44 %>5000 47 48 50 %Total Bytes 51 52 Host ID 56 60

  23. Eight Workstation Hosts Data Derived From Destination Port Bag DPORTs Without Host 60 for February 350.000 300.000 # <1024 250.000 %<1024 200.000 %Total Bytes 150.000 # 1024-5000 100.000 %1024-5000 %Total Bytes 50.000 # >5000 0.000 44 %>5000 47 48 50 %Total Bytes 51 Host ID 52 56

  24. Eight Workstation Hosts Data Derived From Destination Port Bag Relative Destination Port Use Fourth Component of Local Workstation BWB Rule: NA -> Data Appeared to overlap so was deemed Not Applicable Port # Range # of Ports Accessed %of Ports Access %of Total Bytes [BWB] [WORM] [BWB] [WORM] [BWB] [WORM] <1024 [< 7] [> 7] [20-50%][<20% || >50%] NA NA 1024-5000 [< 10] [>10] [>30%] [<30%] [>90%] [<90%] >5000 [< 5] [> 5] [<20%] [>90%] [<9%] [>9%]

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier) in a dataset is an instance that is abnormal or unlikely based on the rest of the dataset If the instances in the dataset are labeled as

760 views • 19 slides
What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

DataCamp Anomaly Detection in R ANOMALY DETECTION IN R What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining the term anomaly Anomaly: a data point or collection of data points that do not follow the

870 views • 21 slides
Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative Anomaly Detection Motivation Developing an anomaly detection system Anomaly detection vs. supervised learning Choosing what features

514 views • 34 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

984 views • 72 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

905 views • 74 slides
Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State University Computer Science outline background experimental flow tuples botnet server mesh detection botnet client mesh detection

364 views • 23 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas

Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas

Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering 2 Department of Computer Science University of Arizona 1 IEEE GLOBECOM 2014 December

507 views • 22 slides
Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

575 views • 18 slides
&lt;Title&gt; Yiqun Hu, SP Group Agenda Condition monitoring &amp; anomaly detection

&lt;Title&gt; Yiqun Hu, SP Group Agenda Condition monitoring &amp; anomaly detection

Data Council Singapre 2019 Autoencoder Forest for Anomaly Detection from IoT Time Series &lt;Title&gt; Yiqun Hu, SP Group Agenda Condition monitoring &amp; anomaly detection Autoencoder for anomaly detection Autoencoder

540 views • 27 slides
Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr.

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr.

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr. Patrick McDaniel Berkay Celik Fall 2015 Introduction Motivation Related Work Data Approach Experimental Results Comparison

391 views • 25 slides
In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong, Alan Fern, Thomas G. Dietterich and Md Amran Siddiqui School of EECS Anomaly Detection Goal: Identify rare or strange objects 2 Anomaly

756 views • 51 slides
Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The

Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The

Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The Pennsylvania State University Anomaly Intrusion Detection Systems Anomaly Intrusion Detection Systems Model normal behavior. Attack - Any

417 views • 20 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Efficient Anomaly Detection by Isolation using Nearest Neighbour Ensemble Tharindu

Efficient Anomaly Detection by Isolation using Nearest Neighbour Ensemble Tharindu

Information Technology Efficient Anomaly Detection by Isolation using Nearest Neighbour Ensemble Tharindu Rukshan Bandaragoda Kai Ming Ting David Albrecht Fei Tony Liu Jonathan R. Wells Outline Overview of anomaly detection

657 views • 41 slides
ADNA: online, context-aware, intelligent framework for Anomaly Detection aNd Analysis in SCADA

ADNA: online, context-aware, intelligent framework for Anomaly Detection aNd Analysis in SCADA

ADNA: online, context-aware, intelligent framework for Anomaly Detection aNd Analysis in SCADA networks Researchers: Wenyu Ren , Klara Nahrstedt, Tim Yardley Motivation Supervisory Control And Data Acquisition (SCADA) Problem with

1.12k views • 22 slides
Interim Results 2010 Presentation Date: 27.08.2010 Caution statement This presentation may

Interim Results 2010 Presentation Date: 27.08.2010 Caution statement This presentation may

Interim Results 2010 Presentation Date: 27.08.2010 Caution statement This presentation may contain forward looking statements, which are subject to risk and uncertainty. A variety of factors could cause our actual results to differ materially

451 views • 30 slides
District Administration Building Renovation of 615 Classen Request for Tax Increment Financing

District Administration Building Renovation of 615 Classen Request for Tax Increment Financing

District Administration Building Renovation of 615 Classen Request for Tax Increment Financing 615 Classen Timeline March 31, 2014 Purchased building for $2,331,994, MAPS Sales Tax April 11, 2014 ADG Building Feasibility &amp;

792 views • 8 slides
Motorized Height-Adjustable Workstation The Motorized Workstation was ergonomically designed to

Motorized Height-Adjustable Workstation The Motorized Workstation was ergonomically designed to

Motorized Height-Adjustable Workstation The Motorized Workstation was ergonomically designed to handle almost any requirement. Fabricated with heavy gauge furniture grade tube steel. Powder-coat finish in a variety of color to

66 views • 3 slides
EDP Innovation So Paulo Lisboa Madrid EDP GROUP OVERVIEW RENEWABLES WORLD LEADER EDP

EDP Innovation So Paulo Lisboa Madrid EDP GROUP OVERVIEW RENEWABLES WORLD LEADER EDP

EDP Innovation So Paulo Lisboa Madrid EDP GROUP OVERVIEW RENEWABLES WORLD LEADER EDP CONSOLIDATED 2017 Clients: ~12Mn Market Cap: ~ 10Bn EBITDA: 4Bn Generation Cap: ~ 26.8GW (73% Renewables) EDP RENEWABLES EDP PORTUGAL WIND &amp;

407 views • 12 slides
Oddo Media Forum Philippe Capron Member of the Management Board &amp; Chief Financial Officer

Oddo Media Forum Philippe Capron Member of the Management Board &amp; Chief Financial Officer

May 15, 2008 Oddo Media Forum Philippe Capron Member of the Management Board &amp; Chief Financial Officer IMPORTANT NOTICE: Financial results for the fiscal year ended 31st December 2007 Financial statements audited and prepared under IFRS

808 views • 36 slides
THE ONLINE GAME SECURITY OF BLIZZARD ENTERTAINMENT BY MOHSIN RIZVI WHAT IS BLIZZARD? A

THE ONLINE GAME SECURITY OF BLIZZARD ENTERTAINMENT BY MOHSIN RIZVI WHAT IS BLIZZARD? A

THE ONLINE GAME SECURITY OF BLIZZARD ENTERTAINMENT BY MOHSIN RIZVI WHAT IS BLIZZARD? A video game development company based in California established in 1991 Developed many popular franchises, such as Warcraft , Starcraft , and

479 views • 18 slides
(Literal) World Domination A talk about FOSS games Disclaimer My Own, All my own, Nothing

(Literal) World Domination A talk about FOSS games Disclaimer My Own, All my own, Nothing

(Literal) World Domination A talk about FOSS games Disclaimer My Own, All my own, Nothing but my own For those reading at home: This and opinions expressed here are my own opinion and not that of my employer, the OSDC conference or anyone

463 views • 30 slides
Online Gaming Video games played over some sort of computer network Massively Multiplayer Online

Online Gaming Video games played over some sort of computer network Massively Multiplayer Online

Online Gaming Video games played over some sort of computer network Massively Multiplayer Online Games (MMOGs) Aspects unique to MMOGs: -persistent universe that contin- ues regardless of interaction -can fit up to a few thousand players on

416 views • 20 slides

More recommend