attribution and aggregation of network flows for security
play

Attribution and Aggregation of Network Flows for Security Analysis - PowerPoint PPT Presentation

Aug 11, 2023 •14 likes •224 views

Attribution and Aggregation of Network Flows for Security Analysis Annarita Giani Ian De Souza Vincent Berk George Cybenko Institute for Security Technology Studies Thayer School of Engineering Dartmouth College Hanover, NH FloCon 2006,

  1. Attribution and Aggregation of Network Flows for Security Analysis Annarita Giani Ian De Souza Vincent Berk George Cybenko Institute for Security Technology Studies Thayer School of Engineering Dartmouth College Hanover, NH FloCon 2006, Portland, OR 1

  2. Why flow data The context in which we are interested in flow analysis is the following. • We believe that automated correlation is hard to do. • The world consists of processes so our approach to correlation is process-based.. • Introduction, in 2003, of generic process-based correlation engine concept and implementation, Process Query System (PQS). • Integration of multiple existing and new sensor types and attacks models • Flow aggregation and correlations between flow data with security events • Implementation of a PQS based process detection for Cyber Situational Awareness. 2 • Need for flow data .

  3. Process Query System Observable events coming from sensors Observable events coming from sensors Hypothesis Models Hypothesis Models PQS ENGINE Implemented for: Vehicle Tracking Computer Security Tracking Tracking Social Network Algorithms 3 Algorithms Plume Tracking

  4. Cyber Situational Awareness Sample An Environment Console Indicators and Warnings 6 FORWARD PROBLEM 129.170.46.3 is at high risk 129.170.46.33 is a stepping stone ...... INVERSE PROBLEM that that detect are complex attacks used 5 consists of and anticipate 1 for the next steps Hypotheses control Multiple Processes Track 1 Track 1 λ 1 = router failure Track 2 Track 2 1 Track 3 λ 2 = worm λ 3 = scan Track 3 0.8 Track Score Hypothesis 1 0.6 Hypothesis 2 0.4 0.2 that produce 2 that 4 that PQS resolves into 0 0 100 200 are Service Degradation seen Unlabelled Sensor Reports Events as Track ……. ……. Scores Time Time 3 4 Real World Process Detection (PQS)

  5. PQS in Computer Security 5 1 2 8 7 Internet 12 DIB:s BGP IPTables Snort Flow W o BRIDGE r m DMZ E x f i l t r a t i o n WWW Mail PQS P h observations i s h observations i n g ENGINE WS Tripwire SaMBa WinXP LINUX 5

  6. Sensors and Models DIB:s Dartmouth ICMP-T3 Bcc: System 1 Snort, Dragon Signature Matching IDS 2 Sensors IPtables Linux Netfilter firewall, log based 3 Samba SMB server - file access reporting 4 Flow sensor Network analysis 5 ClamAV Virus scanner 6 Tripwire Host filesystem integrity checker 7 Noisy Internet Worm Propagation – fast scanning 1 Email Virus Propagation – hosts aggressively send emails 2 Models Low&Slow Stealthy Scans – of our entire network 3 Unauthorized Insider Document Access – insider information theft 4 Multistage Attack – several penetrations, inside our network 5 DATA movement 6 6 TIER 2 models 7

  7. Hierarchical Architecture TIER 1 TIER 2 TIER 1 TIER 1 TIER 1 TIER 2 TIER 2 TIER 2 Models Observations Hypothesis Observations Models Hypothesis Scanning Events PQS More Complex Models Snort IP Tables Infection Events PQS Snort Tripwire PQS Events PQS Data Access Samba RESULTS Exfiltration PQS Events Flow and Covert 7 Channel Sensor

  8. Multi Stage Attack Example: Phishing Web page, Stepping … as usual browses the web and … Madame X stone …. visits a web page. 1 inserts username and password. ( the same used to access his machine) accesses user machine using 100.20.3.127 2 165.17.8.126 5 username and password a t t a records username c k uploads some code s t and password h e v i c t i m 3 4 Victim downloads some data Attacker 6 8 51.251.22.183 100.10.20.9

  9. Phishing Attack Observables Stepping Web Server used- Madame X Sept 29 11:17:09 stone Attacker 1. RECON SOURCE SNORT: KICKASS_PORN DEST DRAGON: PORN HARDCORE 100.20.3.127 4 . A DEST DEST DEST S T T N Username E O 165.17.8.126 M NON-STANDARD-PROTOCOL R password Sept 29 11:23:56 P T SSH (Policy Violation) T Sept 29 11:23:56 P 2. ATTEMPT SNORT ( O A T T E T S N A e T C p I K A t 2 3. DATA UPLOAD L R FLOW SENSOR 9 B E 1 S A 1 P : D 2 O 4 T N : R 0 S 6 A E F ) F I C Victim SOURCE SOURCE SOURCE Attacker 5. DATA DOWNLOAD SOURCE DEST FLOW SENSOR 9 Sept 29 11:24:07 51.251.22.183 100.10.20.9

  10. Flow Sensor Based on the libpcap interface for packet capturing. Packets with the same source IP, destination IP, source port, destination port, protocol are aggregated into the same flow. • Timestamp of the last packet • # packets from Source to Destination • # packets from Destination to Source • # bytes from Source to Destination • # bytes from Destination to Source • Array containing delays in microseconds between packets in the flow 10

  11. Two Models Based on the Flow Sensor Low and Slow UPLOAD Volume Packets Duration Balance Percentage Tiny: 1-128b 4:10-99 4: 1000-10000 s Out >80 5: 10000-100000 s Small: 128b-1Kb 5: 100-999 6: > 100000 s 6: > 1000 UPLOAD Volume Packets Duration Balance Percentage Tiny: 1-128b 1: one packet 0: < 1 s Out >80 2: two pckts 1: 1-10 s Small: 128b-1Kb 3: 3-9 2: 10-100 s Medium: 1Kb-100Kb 4: 10-99 3: 100-1000 s Large: > 100Kb 5: 100-999 4: 1000-10000 s 6: > 1000 5: 10000-100000 s 6: > 100000 s 11

  12. Aggregation Flow aggregation . Activity aggregation . Recognizing that different flows, Recognizing that similar activities apparently totally unrelated, occur regularly at the same time, or nevertheless belong to the same dissimilar activities occur regularly in broader event (activity). the same sequence. We correlate activities into activity Flows are aggregated from captured groups, patterns . network packets. Examples: We aggregate flows into activities . • Nightly backups to all servers (each Example: backup is an activity) User requests a webpage (all DNS • User requests a sequence of web- and HTTP flows aggregated) pages every morning. Packet = Aggregated Bytes Flow = Correlated Packets Activity = Correlated Flows 12 Pattern = Correlated Activities

  13. Web Surfing in Detail 1. The browser communicates with a name server to translate the A FLOW IS server name "www.dartmouth.edu" into an IP Address, which it uses to INITIATED connect to the server machine. A FLOW IS 2. The browser forms a connection to the web server at that IP INITIATED address on port 80. 3. Following the HTTP protocol, the browser sends a GET request to the server, asking for the file "http://www.dartmouth.edu/index.html." 4. The web server sends the HTML text for the Web page to the browser. 5. The browser reads the HTML tags and formatted the page onto your screen. 6. Browser possibly initiates more DNS requests for media such as MULTIPLE images and video. FLOWS ARE INITIATED… 7. Browser initiates more HTTP and/or FTP requests for media. 13

  14. Resulting Flows and Activity Flows in the activity Activity 14

  15. Activities and Flows UDP Flow TCP Flow Activity Long Flow 15

  16. Complex Activities .... TCP portscan Regular UDP broadcasts (NTP) Correlated Network Flows Within System upgrade a LAN Regular browsing/ download behavior UDP portscan 16

  17. Packets in a flow triggered IDS alerts PQS instantiates models based on observation coming from flow and snort sensor. Snort rule 1560 generates an alert when an attempt is made to exploit a known vulnerability in a web server or a web application. SNORT ALERTS Snort rule 1852 generates an alert when an attempt is made to access the 'robots.txt' file directly. FLOW 17 The flow can be characterized as malicious and further investigation must be done.

  18. Future Direction Theoretical approach for clustering aggregated flows. Flow = As defined Activity = Aggregated flows Pattern = Correlated Activities Approach: Graph theory (flows are the nodes and the edges are between correlated nodes). We are thinking about defining a metric that captures the closeness between two different activities to allow grouping into patterns. Activity 2. Activity 1. Can they be grouped in one x x pattern? y z Notion of distance between y activities. t t w s 18 s

  19. 19 agiani@ists.dartmouth.edu www.pqsnet.net

  20. PQS-Net Network 5 Student and researcher use this network to browse the web, print documents, send upload and download files… 20

  21. Web Surfing 208.253.154.210 host name 208.253.154.195 dns.pqsnet.net 129.170.16.4 ns.dartmouth.edu 1. ns.pqsnet.net requests www.nytimes.com ip address to ns.dartmouth.edu 2. ns.dartmouth.edu returns the ip address – 199.239.136.245 3. TCP three-way handshake between the host machine and the web server. 4. HTTP GET request to 199.239.136.245 5. TCP ACK from the web server 6. Other packets exchanges between the web server and the host 21 All these network connections are related to the same host activity.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
v v 1 3 20 liquids through pipe 16 Vancouver parts through an assembly line s t 10

v v 1 3 20 liquids through pipe 16 Vancouver parts through an assembly line s t 10

4.2 Network Flows A directed graph can model a flow network where some material (e.g., widgets, current, . . . ) is produced or enters the network at Mat 3770 a source and is consumed at a sink . Network Flows Production and consumption

465 views • 11 slides
NETWORK FLOWS NETWORK FLOWS A network consists of a loopless digraph D = ( V , A ) plus a function

NETWORK FLOWS NETWORK FLOWS A network consists of a loopless digraph D = ( V , A ) plus a function

NETWORK FLOWS NETWORK FLOWS A network consists of a loopless digraph D = ( V , A ) plus a function c : A R + . Here c ( x , y ) for ( x , y ) A is the capacity of the edge ( x , y ) . We use the following notation: if : A R and S , T

566 views • 17 slides
Network Flows Marco Chiarandini Department of Mathematics &amp; Computer Science University of

Network Flows Marco Chiarandini Department of Mathematics &amp; Computer Science University of

DM545 Linear and Integer Programming Lecture 12 Network Flows Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark Network Flows Outline Duality 1. (Minimum Cost) Network Flows 2. Duality in

625 views • 35 slides
Mat 3770 Conservation Max Flow Network Flows flow Cancellation Cut Ford- Fulkerson

Mat 3770 Conservation Max Flow Network Flows flow Cancellation Cut Ford- Fulkerson

Mat 3770 Network Flows Network Flow Mat 3770 Conservation Max Flow Network Flows flow Cancellation Cut Ford- Fulkerson Residual Spring 2014 Network Augmenting Path Max-flow Min-cut Matching 4.2 Network Flows Mat 3770 Network

896 views • 61 slides
Behavior-Aware Network Segmentation using IP Flows The 14th International Conference on

Behavior-Aware Network Segmentation using IP Flows The 14th International Conference on

Behavior-Aware Network Segmentation using IP Flows The 14th International Conference on Availability, Reliability and Security August 26 August 29, 2019 University of Kent, Canterbury, UK Juraj Smeriga , Tomas Jirsik Institute of Computer

762 views • 23 slides
Network Flows Math 482, Lecture 23 Misha Lavrov March 30, 2020 Network Flows Upper bounds on

Network Flows Math 482, Lecture 23 Misha Lavrov March 30, 2020 Network Flows Upper bounds on

Network Flows Upper bounds on flow Network Flows Math 482, Lecture 23 Misha Lavrov March 30, 2020 Network Flows Upper bounds on flow Definition of a network 1 4 2 1 s t 3 2 1 2 3 2 3 2 A set N of nodes . Here, N = { s , 1 , 2 ,

749 views • 34 slides
IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures Jos

IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures Jos

IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures Jos Augusto Suruagy Monteiro Centro de Informtica - UFPE IoT-Flows: US Subteam (PIs) Prof. Atul Prakash (UMich) Expert on security and IoT Prof. Darko

455 views • 24 slides
Network Flows Marco Chiarandini Department of Mathematics &amp; Computer Science University of

Network Flows Marco Chiarandini Department of Mathematics &amp; Computer Science University of

DM545 Linear and Integer Programming Lecture 11 Network Flows Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark Network Flows Duality Outline Assignment and Transportation 1. (Minimum Cost)

675 views • 39 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
Well Solved Problems Network Flows Marco Chiarandini Department of Mathematics &amp; Computer

Well Solved Problems Network Flows Marco Chiarandini Department of Mathematics &amp; Computer

DM545 Linear and Integer Programming Lecture 10 Well Solved Problems Network Flows Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark Well Solved Problems Outline Network Flows 1. Well Solved

278 views • 23 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Linux Firewalls Frank Kuse, AfNOG 2018 1 / 30 About this presentation Based on a previous talk

Linux Firewalls Frank Kuse, AfNOG 2018 1 / 30 About this presentation Based on a previous talk

Linux Firewalls Frank Kuse, AfNOG 2018 1 / 30 About this presentation Based on a previous talk by Kevin Chege and Chris Wilson, with thanks! Y ou can access this presentation at: Online: http://afnog.github.io/sse /fir ewalls/ Local:

432 views • 30 slides
MOBILITY STRATEGY AND APPROACH OF IEC Dr. Bernhard Thies German National Committee of the

MOBILITY STRATEGY AND APPROACH OF IEC Dr. Bernhard Thies German National Committee of the

MOBILITY STRATEGY AND APPROACH OF IEC Dr. Bernhard Thies German National Committee of the IEC Connecting an Electric Vehicle to the Grid (Smart) Power generation Grid Battery electric Charging station vehicle looks easy but many

278 views • 15 slides
FISCAL YEAR 2018: TENTATIVE BUDGET JUNE 20, 2017 BOARD OF EDUCATION MEETING Informational Notes

FISCAL YEAR 2018: TENTATIVE BUDGET JUNE 20, 2017 BOARD OF EDUCATION MEETING Informational Notes

FISCAL YEAR 2018: TENTATIVE BUDGET JUNE 20, 2017 BOARD OF EDUCATION MEETING Informational Notes D155 strives to keep its operating funds in the black. Revenues exceeded expenditures in 2014-2015 &amp; 2015-2016 Revenues are

747 views • 41 slides
FREE KIDS! UNLEASHING THE POTENTIAL OF THE UN GLOBAL STUDY ON CHILDREN DEPRIVED OF LIBERTY

FREE KIDS! UNLEASHING THE POTENTIAL OF THE UN GLOBAL STUDY ON CHILDREN DEPRIVED OF LIBERTY

SPECIAL EVENT: FREE KIDS! UNLEASHING THE POTENTIAL OF THE UN GLOBAL STUDY ON CHILDREN DEPRIVED OF LIBERTY Manfred Nowak United Nations Independent Expert leading the Global Study on Children Deprived of Liberty Wednesday, 30. May 2018,

548 views • 25 slides
BLAVATNIK SCHOOL OF GOVERNMENT, OXFORD The Creation of a Modern International Organization: The

BLAVATNIK SCHOOL OF GOVERNMENT, OXFORD The Creation of a Modern International Organization: The

BLAVATNIK SCHOOL OF GOVERNMENT, OXFORD The Creation of a Modern International Organization: The Story of the International Commission on Missing Persons (ICMP) Sousse, Ankara, the Sinai Peninsula, Beirut, Paris, Bamako and the migration and

230 views • 6 slides
Market Operator User Group Dublin, 16 May 2019 1 Agenda Item Presenter Welcome Mark Needham

Market Operator User Group Dublin, 16 May 2019 1 Agenda Item Presenter Welcome Mark Needham

Market Operator User Group Dublin, 16 May 2019 1 Agenda Item Presenter Welcome Mark Needham M+4 Resettlement Claire Kane Settlements Sean ORourke Disputes &amp; Repricing Update Julie McGee Known Issues Update Eoin Farrell Ex-Ante

1.01k views • 85 slides
The problem: FSMs Basis of CS and CE Current standard for representation:

The problem: FSMs Basis of CS and CE Current standard for representation:

S halva Kohen A runavha Chanda K ai-Zhan Lee E mma Etherington The problem: FSMs Basis of CS and CE Current standard for representation: Unintuitive interface Very long descriptions Redundant behavior commands

137 views • 13 slides
Bending the Cost Curve within a Pioneer ACO: The Role of Care Management John Hsu 28 June 2016

Bending the Cost Curve within a Pioneer ACO: The Role of Care Management John Hsu 28 June 2016

Bending the Cost Curve within a Pioneer ACO: The Role of Care Management John Hsu 28 June 2016 AcademyHealth Annual Research Meeting Boston 1 Study Team and Disclosures John Hsu Maggie Price Christine Vogeli Richard Brand

473 views • 19 slides

More recommend