autom atic anom aly detection using nfsen
play

Autom atic anom aly detection using NfSen Wim Biemolt, SURFnet - PowerPoint PPT Presentation

May 22, 2023 •323 likes •594 views

Autom atic anom aly detection using NfSen Wim Biemolt, SURFnet Werner Schram, SURFnet 14/ 12/ 2007 Autom atic anom aly detection using NfSen - SURFnet and netflow anomaly detection - NERD - NfSen - PeakFlow SP - Currently used detection

  1. Autom atic anom aly detection using NfSen Wim Biemolt, SURFnet Werner Schram, SURFnet 14/ 12/ 2007

  2. Autom atic anom aly detection using NfSen - SURFnet and netflow anomaly detection - NERD - NfSen - PeakFlow SP - Currently used detection methods - DDos - Botnet - Holt-Winters aberrant behavior 1 SURFnet – Automatic anomaly detection using NfSen

  3. SURFnet and netflow anom aly detection - NERD v1 - Developed by TNO - Based on cflowd - cflowd is no longer supported - NERD v2 - Initially developed by TNO - Has serious performance problems - NfSen can do the same but without the performance problems 2 SURFnet – Automatic anomaly detection using NfSen

  4. NfSen - Netflow Sensor (NfSen) is a - network statistics tool - Developed by Peter Haag - Currently in active development - Alert plug-in system - Generic plug-in system - Some plug-ins already available 3 SURFnet – Automatic anomaly detection using NfSen

  5. NfSen 4 SURFnet – Automatic anomaly detection using NfSen

  6. DDos detection - Simple flow analysis - based on NERD v1 DDos detection - using a low threshold and a high threshold - Rules for traffic between those thresholds - Custom thresholds for high load services 5 SURFnet – Automatic anomaly detection using NfSen

  7. Expected traffic 6 SURFnet – Automatic anomaly detection using NfSen

  8. Definitively Conspicuous Traffic 7 SURFnet – Automatic anomaly detection using NfSen

  9. Border cases 8 SURFnet – Automatic anomaly detection using NfSen

  10. High load servers 9 SURFnet – Automatic anomaly detection using NfSen

  11. Custom thresholds 10 SURFnet – Automatic anomaly detection using NfSen

  12. DDos interface: report 11 SURFnet – Automatic anomaly detection using NfSen

  13. DDos interface: Details 12 SURFnet – Automatic anomaly detection using NfSen

  14. Botnet detection - Hosts infected by viruses connect to hosts known as botnet controllers - List of botnet controllers are available, for example: http: / / www.bleedingthreats.net/ rules/ bleeding-botcc.rules - Our plug-in logs all hosts that connect to known botnet controllers - Automatically reports to incident report system using IODEF 13 SURFnet – Automatic anomaly detection using NfSen

  15. Botnet I ODEF reports <?xml version="1.0" encoding="iso-8859-1"?> <io:IODEF-Document xmlns:io="urn:ietf:params:xml:ns:iodef-1.0” lang="en"> <io:Incident purpose="reporting"> <io:IncidentID name="overflow.surfnet.nl&#10;">#33408</io:IncidentID> <io:StartTime> 2007-08-13T15:07:47+02:00 </io:StartTime> <io:EndTime> 2007-08-13T21:06:12+02:00 </io:EndTime> <io:ReportTime> 2007-08-13T21:12:07+02:00 </io:ReportTime> <io:Assessment> <io:Impact type="user"/> </io:Assessment> <io:Contact> <io:ContactName>Werner Schram</io:ContactName> </io:Contact> <io:EventData> <io:Method> <io:Reference> <io:ReferenceName> botnet </io:ReferenceName> </io:Reference> </io:Method> <io:Flow> <io:System category="source"> <io:Node> <io:Address category="ipv4-addr"> 192.168.1.1 </io:Address> <io:Counter type="flow"> 20 </io:Counter> </io:Node> </io:System> <io:System category="target"> <io:Node> <io:Address category="ipv4-addr"> 192.168.1.2 </io:Address> </io:Node> <io:Service ip_version=" 4 " ip_protocol=" 6 "> <io:Port> 80 </io:Port> </io:Service> </io:System> </io:Flow> </io:EventData> <io:AdditionalData dtype="string">Generated by NFSen</io:AdditionalData> </io:Incident> </io:IODEF-Document> 14 SURFnet – Automatic anomaly detection using NfSen

  16. Holt-W inters aberrant behavior detection - Uses information about periodic data to predict aberrant behavior. 15 SURFnet – Automatic anomaly detection using NfSen

  17. Holt-W inters: Exam ple 16 SURFnet – Automatic anomaly detection using NfSen

  18. Holt-W inters: Original im plem entation Trend Periodic information Noise Prediction 17 SURFnet – Automatic anomaly detection using NfSen

  19. Lim itations of the original im plem entation - The original algorithm has three parameters which define: - the weight of historical data - the weight of the trend - the amount of expected noise - The original algorithm has a constant learning rate - If a low learning rate is used, the selection of the initial values is critical. This will introduce false positives for a long time. - With a high learning rate, the model will likely be overfitted. This will introduce false negatives - The trend parameter has no significant influence with the resolution we are using 18 SURFnet – Automatic anomaly detection using NfSen

  20. Holt-W inters: Multiple trends Network traffic time series often show multiple recurring patterns, for example a weekly trend: 19 SURFnet – Automatic anomaly detection using NfSen

  21. Holt-W inters: Multiple periods Daily Period Weekly period Noise 20 SURFnet – Automatic anomaly detection using NfSen

  22. Learning rate Fixed learning rate: The first pattern is overweighted Adaptive learning rate: The weight of the first pattern is relative to the rest 21 SURFnet – Automatic anomaly detection using NfSen

  23. Real data exam ple SURFnet – Automatic anomaly detection using NfSen 22

  24. Holt W inters: Usage Exam ple Normal ICMP Traffic Aberrant ICMP Traffic: Caused by DDos attack by Stormworm botnet 23 SURFnet – Automatic anomaly detection using NfSen

  25. Holt W inters: Other possible uses Common SMTP Traffic Last week SMTP Traffic 24 SURFnet – Automatic anomaly detection using NfSen

  26. Wim Biemolt Wim.Biemolt@surfnet.nl www.surfnet.nl Werner Schram Werner.Schram@surfnet.nl www.surfnet.nl 25 SURFnet – Automatic anomaly detection using NfSen

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WIDE Kick-off Meeting Partner presentation of the Autom atic Control Laboratory School of

WIDE Kick-off Meeting Partner presentation of the Autom atic Control Laboratory School of

WIDE Kick-off Meeting Partner presentation of the Autom atic Control Laboratory School of Electrical Engineering KTH, Stockholm , Sw eden Attending the kick-off: Mikael Johansson Henrik Sandberg Pablo Soldati Bo Wahlberg 1 Outline

280 views • 23 slides
I nitial discussion to help inform evidence base Autom atic fire suppression system s for

I nitial discussion to help inform evidence base Autom atic fire suppression system s for

I nitial discussion to help inform evidence base Autom atic fire suppression system s for existing high rise dom estic residential buildings ( sprinkler system s) Building Standards Division 9 August 2017 Holistic overview of fire safety

500 views • 17 slides
Autom atic m ould level control in Bokaro Steel Plant In Bokaro steel plant, we are committed

Autom atic m ould level control in Bokaro Steel Plant In Bokaro steel plant, we are committed

Autom atic m ould level control in Bokaro Steel Plant In Bokaro steel plant, we are committed to continuously build a culture of automation, innovation and being updated. Bokaro Caster overview Tw o identical tw in strand slab casters

439 views • 19 slides
Autom ated, per pixel Autom ated, per pixel Cloud Detection from High- - Cloud Detection from

Autom ated, per pixel Autom ated, per pixel Cloud Detection from High- - Cloud Detection from

Autom ated, per pixel Autom ated, per pixel Cloud Detection from High- - Cloud Detection from High Resolution VNI R Data Resolution VNI R Data Dm itry L. Varlyguin GDA Corp. JACI E Presentation March 1 4 -1 6 , 2 0 0 6 Cloud And Shadow

1.32k views • 15 slides
Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Autom atic code

Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Autom atic code

Chair of Softw are Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Autom atic code inspection Automation of code reviewing Possible bugs Code convention violations Dead code Duplicated code Suboptimal

227 views • 12 slides
An Embedding A Approac ach t to Anom omal aly D Detection Renjun Hu 1 , Charu Aggarwal 2 ,

An Embedding A Approac ach t to Anom omal aly D Detection Renjun Hu 1 , Charu Aggarwal 2 ,

An Embedding A Approac ach t to Anom omal aly D Detection Renjun Hu 1 , Charu Aggarwal 2 , Shuai Ma 1 , and Jinpeng Huai 1 1 SKLSDE Lab, Beihang University, China 2 IBM T. J. Watson Research Center, USA 1 Motiv tivatio tion Anomaly

802 views • 27 slides
Developing the autom atic m easurem ent of surface condition on local roads Alex W right Alex W

Developing the autom atic m easurem ent of surface condition on local roads Alex W right Alex W

Developing the autom atic m easurem ent of surface condition on local roads Alex W right Alex W right TRL I nfrastructure Division TRL I nfrastructure Division Group m anager, Technology Technology Developm ent Developm

544 views • 29 slides
The transition from Galactic to extragalactic cosmic-rays ATIC-1 KASCADE QGSJet II ATIC-2

The transition from Galactic to extragalactic cosmic-rays ATIC-1 KASCADE QGSJet II ATIC-2

The transition from Galactic to extragalactic cosmic-rays ATIC-1 KASCADE QGSJet II ATIC-2 K-Grande QGSJet II-4 20 RunJob K-Grande electron poor Jacee K-Grande electron rich Tibet-III Auger (ICRC 2013) PAMELA PAMELA-CALO log 10 E 2.7

1.29k views • 84 slides
Det Detec ectin ing An Anom omal alou ous Com omputat ation ion wit ith RN RNNs on on

Det Detec ectin ing An Anom omal alou ous Com omputat ation ion wit ith RN RNNs on on

Det Detec ectin ing An Anom omal alou ous Com omputat ation ion wit ith RN RNNs on on GP GPU-Ac Accel eler erat ated ed HPC PC Mac Machin ines es Pengfei Zou, Ro Rong Ge Clemson University Ang Li, Kevin Barker Pacific

240 views • 12 slides
YEAR 9 OPTIONS DARE E TO BE DRAMATIC? ATIC? #WE E ARE DRAMA! A! DARE E TO BE DRAMATIC?

YEAR 9 OPTIONS DARE E TO BE DRAMATIC? ATIC? #WE E ARE DRAMA! A! DARE E TO BE DRAMATIC?

YEAR 9 OPTIONS DARE E TO BE DRAMATIC? ATIC? #WE E ARE DRAMA! A! DARE E TO BE DRAMATIC? ATIC? #WE E ARE DRAMA! A! The GCSE Drama specification allows for much freedom in the curriculum in terms of Group sizes, Topics and

973 views • 86 slides
Test Autom ation and Test Autom ation and Keyw ord-driven testing Brian Nielsen,

Test Autom ation and Test Autom ation and Keyw ord-driven testing Brian Nielsen,

Test Autom ation and Test Autom ation and Keyw ord-driven testing Brian Nielsen, bnielsen@cs.aau.dk 3 Script Based Testing 3. Script-Based Testing + / - test impl. = programming + automatic execution + auto regression testing + auto

285 views • 14 slides
Outline Introduction/ Motivation Preliminaries Circuit, Fault Model, Test Pattern

Outline Introduction/ Motivation Preliminaries Circuit, Fault Model, Test Pattern

Autom atic Test Pattern Generation Rolf Drechsler, Grschwin Fey University of Bremen drechsle@informatik.uni-bremen.de Outline Introduction/ Motivation Preliminaries Circuit, Fault Model, Test Pattern Generation Proof

722 views • 35 slides
SRP Telecom SRP Telecom Presentation to the ATIC Board Presentation to the ATIC Board Chris

SRP Telecom SRP Telecom Presentation to the ATIC Board Presentation to the ATIC Board Chris

SRP Telecom SRP Telecom Presentation to the ATIC Board Presentation to the ATIC Board Chris Forsyth Chris Forsyth March 8, 2006 March 8, 2006 Agenda Agenda Wireless Division Overview Wireline Division Overview SRP &amp; SRP

526 views • 24 slides
Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering autom ated reverse engineering Erik Poll Erik Poll Radboud University Nijmegen Testing Ingredients T ti I di t Two things are needed to test

865 views • 53 slides
Aut utom omat atic ic Cor orrecti ection on of of Adv dver erb Pl Plac acem emen ent

Aut utom omat atic ic Cor orrecti ection on of of Adv dver erb Pl Plac acem emen ent

Aut utom omat atic ic Cor orrecti ection on of of Adv dver erb Pl Plac acem emen ent t Er Error ors s for or CAL ALL Marie Garnier CAS/IRIT, Universit de Toulouse, France EuroCALL 2012, 22-25 August, Gothenburg Background

573 views • 22 slides
Cyber Security support to the HumanDrive Project th Dec 2018 13 th 13 SBD Autom omot otive ve

Cyber Security support to the HumanDrive Project th Dec 2018 13 th 13 SBD Autom omot otive ve

Cyber Security support to the HumanDrive Project th Dec 2018 13 th 13 SBD Autom omot otive ve Ltd Busin iness Develo lopm pment nt Manager Luigi i Bisbig iglia Grand Drive will be an end -to-end journey of around 200 miles

428 views • 15 slides
Counting Initiative: Methodologies for Non-motorized Traffic Monitoring 22 May 2013

Counting Initiative: Methodologies for Non-motorized Traffic Monitoring 22 May 2013

The Minnesota Bicycle and Pedestrian Counting Initiative: Methodologies for Non-motorized Traffic Monitoring 22 May 2013 Todays Presentation MN Bicycle and Pedestrian Counting Initiative Research objectives and guiding principles

343 views • 30 slides
CCTV CCTV Thappaya Thappaya 2310 2310 Unit Unit GIS GIS ATC (Area Traffic

CCTV CCTV Thappaya Thappaya 2310 2310 Unit Unit GIS GIS ATC (Area Traffic

CCTV CCTV Thappaya Thappaya 2310 2310 Unit Unit GIS GIS ATC (Area Traffic Control) ATC (Area Traffic Control) Pattaya Backbone Network Pattaya Backbone Network VoIP VoIP Internet Internet Internet Internet Pattaya City

235 views • 20 slides
Environment Scrutiny 9th June 2015 Household Waste Recycling Centre Developments Background

Environment Scrutiny 9th June 2015 Household Waste Recycling Centre Developments Background

Environment Scrutiny 9th June 2015 Household Waste Recycling Centre Developments Background 2013/14 Council approved moving from four HWRC to two 2014/15 Council Budget approved: Reduction from 4 sites to 2 by keeping

469 views • 10 slides
GTR (Govia Thameslink Railway) The new franchise UKs biggest ever rail franchise; 22%

GTR (Govia Thameslink Railway) The new franchise UKs biggest ever rail franchise; 22%

GTR (Govia Thameslink Railway) The new franchise UKs biggest ever rail franchise; 22% of all passenger train services Thameslink identity restored for services running through central core; Great Northern for Kings

721 views • 35 slides
Transportation Systems Management and Operations (TSM&amp;O) Arizona Highway Safety Improvement

Transportation Systems Management and Operations (TSM&amp;O) Arizona Highway Safety Improvement

Transportation Systems Management and Operations (TSM&amp;O) Arizona Highway Safety Improvement Program Summary of Results- New call February 15, 2018 FY 2019 and 2020 Highway Safety Improvement Program (HSIP) Update 25 projects: 8 on the

578 views • 23 slides
February 18, 2014 SFMTA Board of Directors 1 PROPOSED FY 2015 &amp; 2016 OPERATING BUDGET

February 18, 2014 SFMTA Board of Directors 1 PROPOSED FY 2015 &amp; 2016 OPERATING BUDGET

PUBLIC HEARING FY 2015 AND FY 2016 OPERATING AND CAPITAL BUDGET February 18, 2014 SFMTA Board of Directors 1 PROPOSED FY 2015 &amp; 2016 OPERATING BUDGET Introduction Presentation, discussion and public input on the SFMTAs FY 2015 and FY

698 views • 36 slides
Driving Permits 74 th Session of WP.1 21 24 Sept 2016 F ormal Document ECE/TRANS/WP.1/2016/2

Driving Permits 74 th Session of WP.1 21 24 Sept 2016 F ormal Document ECE/TRANS/WP.1/2016/2

Driving Permits 74 th Session of WP.1 21 24 Sept 2016 F ormal Document ECE/TRANS/WP.1/2016/2 Rev 1 Background Informal Document no. 3 prepared by the UN ECE WP1 Secretariat, with the collaboration of ISO and FIA, was presented during the

504 views • 27 slides
RISK ASSESSMENT OF PEDESTRIAN AND CYCLIST suggest increased no. of falls in winter FALLS IN

RISK ASSESSMENT OF PEDESTRIAN AND CYCLIST suggest increased no. of falls in winter FALLS IN

Falling in winter conditions How big is the problem? We actually dont know Official statistics in Germany: High level of underreporting of single bicycle accidents Pedestrian falls are not recorded Data from insurers

282 views • 3 slides

More recommend