bidirectional flow measurement ipfix and security analysis
play

Bidirectional Flow Measurement, IPFIX, and Security Analysis Elisa - PowerPoint PPT Presentation

Feb 07, 2024 •291 likes •418 views

Bidirectional Flow Measurement, IPFIX, and Security Analysis Elisa Boschi, Hitachi Europe SAS Brian Trammell, CERT/NetSA Tuesday, October 10, 2006 FloCon 2006 - Vancouver, WA, US Introduction and Motivation Bidirectional flow (biflow)

  1. Bidirectional Flow Measurement, IPFIX, and Security Analysis Elisa Boschi, Hitachi Europe SAS Brian Trammell, CERT/NetSA Tuesday, October 10, 2006 FloCon 2006 - Vancouver, WA, US

  2. Introduction and Motivation • Bidirectional flow (biflow) information useful for a variety of security-relevant use cases. – Aggregate response counting – Passive identification of open hosts/services • Biflow matching easier closer to measurement interface. – Biflow matching is O(n 2 ) , so making n smaller is worth the effort. • IPFIX is the emerging standard for flow export. • Therefore, we need an efficient way to represent biflow data using IPFIX. October 10, 2006 FloCon 2006 - Vancouver, WA 2 – Issue identified at FloCon 2005 in Pittsburgh.

  3. Biflows Defined • Loosely: Association of information about both directions of a bidirectional communication. s r c(A ) ds t(B ) coun te r s / v a lues s r c(B ) ds t(A ) coun te r s / v a lues s r c(A ) ds t(B ) fwd coun ter s / va l ues r ev coun te r s / va l ues • Practically speaking: Choose one side of the communication to be the “source”, the other the “destination”, and maintain two sets of counters and other value fields (“forward” and “reverse”). October 10, 2006 FloCon 2006 - Vancouver, WA 3

  4. Biflow Direction Assignment • By Initiator: “source” is source of packet initiating the communication (active open for TCP). – Approximated by assuming first packet seen is the first packet sent. – Can be validated through use of TCP flags, application protocol analysis (e.g. UDP DNS answer count), etc. • By Interface/Address: “source” and “destination” assigned via membership in address set or side of a given interface. – Useful when defining a perimeter: assign “source” October 10, 2006 FloCon 2006 - Vancouver, WA 4 “ tt k ”

  5. Current Work in Biflows • QoSient Argus explicitly collects and exports biflows. • Any technique that needs to model the network state of end systems (e.g. IDS such as Snort, Bro) must use an internal biflow data model. • A few measurement research projects implicitly use a biflow model. – Most efforts are still trace-based, so no flow export or storage. • Most flow collection is uniflow-based. – Legacy of NetFlow and efficiency concerns on the router. October 10, 2006 FloCon 2006 - Vancouver, WA 5

  6. Efficiency in Biflow Matching • Biflow matching is O(n 2 ) on number of concurrently matchable flows. • n particularly large on asymmetrically routed networks. – All traffic must be centralized and matched. – Overhead of biflow matching may outweigh benefits. • n manageable at symmetric routing points. – A “symmetric” routing point here need not be on the same line card or in the same router, if it’s in the same room. • n trivial on smaller networks measured at layer 2. October 10, 2006 FloCon 2006 - Vancouver, WA 6

  7. IPFIX • Unidirectional, multi-transport, binary flow export protocol. – SCTP (+DTLS): preferred – TCP (+TLS): supported – UDP (+DTLS, over dedicated link): de facto • Uses templates to define record formats in terms of information elements. • Defines a message format and an information model from which information elements can be chosen. • Information model is extensible. – IANA registry – Private enterprise information elements October 10, 2006 FloCon 2006 - Vancouver, WA 7

  8. Applying IPFIX to Security Analysis • Emerging ecosystem of interoperable IPFIX meters, collectors, and intermediate processes improves information sharing. • Templated data format improves flexibility. – Interoperability on common information elements. – Ability to innovate with private information elements. – Minimal implementation effort to collect new data for specific experiments or operational measurement concerns. October 10, 2006 FloCon 2006 - Vancouver, WA 8

  9. Extending IPFIX for Biflow Export • IPFIX protocol does not natively support single-record biflow export. – Can export uniflow halves adjacently within a record stream, but this is inefficient and semantically ill-defined. – No support for “reverse” direction values in information model. • Assign direction by initiator, where possible. – Semantics and operational characteristics of address direction assignment are still an open issue. • Add “reverse” values to the information model. – Direct allocation would add significant management overhead to the IANA information element registry. – So, define a new dimension. October 10, 2006 FloCon 2006 - Vancouver, WA 9

  10. Adding a Reverse Dimension • Allocate an IANA private enterprise number (PEN) to the draft. e=0 oc te tTo ta lCoun t = 85 l eng th = 4 e=1 ( r ev )Oc te tTo ta lCoun t= 85 l eng th = 4 r eve rse PEN = TBA • Information elements within this PEN number space correspond to the IANA number space, except that they apply to the reverse direction of a biflow. October 10, 2006 FloCon 2006 - Vancouver, WA 10

  11. History • FloCon 2005 (September 2005) identified issues with IPFIX: – Lack of direct support for representing biflows. – Use of transport protocol (SCTP) with inadequate support on commodity operating systems. • Authors created a draft to address the biflow representation issue. – IETF 64 (November 2005): initial revision of biflow draft. – IETF 65 (March 2006): charter changed to address biflow issue. – IETF 66 (July 2006): biflow draft accepted as working group item. • Identification of issue at FloCon cited as motivation for addressing it within the IETF. – Excellent example of community interaction in October 10, 2006 FloCon 2006 - Vancouver, WA 11 standardization

  12. Questions and Discussion October 10, 2006 FloCon 2006 - Vancouver, WA 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bidirectional Flow Export using IPFIX draft-ietf-ipfix-biflow-00

Bidirectional Flow Export using IPFIX draft-ietf-ipfix-biflow-00

Bidirectional Flow Export using IPFIX draft-ietf-ipfix-biflow-00 http://www.ietf.org/internet-drafts/draft-ietf-ipfix-biflow-00.txt Brian Trammell <bht@cert.org> Elisa Boschi <elisa.boschi@hitachi-eu.com> Thursday, November 9, 2006

140 views • 12 slides
IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX) elisa.boschi@hitachi-eu.com {boschi, zseby, mark, hirsch}@fokus.fraunhofer.de Outline Outline IPFIX Terminology Applicability Initial Goals

212 views • 19 slides
IPFIX/PSAMP: IPFIX/PSAMP: What Future Standards Can What Future Standards Can Offer to Network

IPFIX/PSAMP: IPFIX/PSAMP: What Future Standards Can What Future Standards Can Offer to Network

IPFIX/PSAMP: IPFIX/PSAMP: What Future Standards Can What Future Standards Can Offer to Network Security Offer to Network Security Tanja Zseby, Elisa Boschi, Thomas Hirsch, Lutz Mark zseby@fokus.fhg.de Measurement Requirements for Network

332 views • 19 slides
Standardization Activities (IPFIX, PSAMP) Standardization Activities (IPFIX, PSAMP) Tanja Zseby

Standardization Activities (IPFIX, PSAMP) Standardization Activities (IPFIX, PSAMP) Tanja Zseby

Standardization Activities (IPFIX, PSAMP) Standardization Activities (IPFIX, PSAMP) Tanja Zseby IP Flow Information Export (IPFIX) IP Flow Information Export (IPFIX) Goal: Find or develop a protocol for exporting IP traffic flow information

398 views • 10 slides
From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA -

From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA -

From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA - Pittsburgh, PA, US Elisa Boschi - Hitachi Europe - Zurich, CH NANOG 41 - Albuquerque, NM, US - October 15, 2007 What is IPFIX? Emerging IETF

316 views • 17 slides
Applying IPFIX to Network Measurement and Management presented

Applying IPFIX to Network Measurement and Management presented

Applying IPFIX to Network Measurement and Management presented by Brian Trammell and Benoit Claise Sunday 28 July 2013 IETF 87 Berlin, Germany

1.03k views • 77 slides
Security Notions for Bidirectional Channels Giorgia Azzurra Marson Bertram Poettering FSE 2017

Security Notions for Bidirectional Channels Giorgia Azzurra Marson Bertram Poettering FSE 2017

Security Notions for Bidirectional Channels Giorgia Azzurra Marson Bertram Poettering FSE 2017 Tokyo, Japan 1 / 11 Outline Secure channels and how they are modeled Security notions for bidirectional channels Analysis of bidirectional

602 views • 39 slides
IPFIX Mediation: Framework IPFIX IETF-77 March 23, 2010 draft-ietf-ipfix-mediators-framework-05

IPFIX Mediation: Framework IPFIX IETF-77 March 23, 2010 draft-ietf-ipfix-mediators-framework-05

IPFIX Mediation: Framework IPFIX IETF-77 March 23, 2010 draft-ietf-ipfix-mediators-framework-05 Atsushi Kobayashi, Benoit Claise, Gerhard Munz, Keisuke Ishibashi 1 History Submitted -04 version on October 2009. Received comments from

332 views • 8 slides
Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement Petr Velan, Tom

Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement Petr Velan, Tom

Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement Petr Velan, Tom Jirsk, Pavel eleda {velan|jirsik|celeda}@ics.muni.cz 19th EUNICE Workshop on Advances in Communication Networking 28-30 August 2013, Chemnitz, Germany

726 views • 23 slides
An IPFIX-Based File Format draft-trammell-ipfix-file-01

An IPFIX-Based File Format draft-trammell-ipfix-file-01

An IPFIX-Based File Format draft-trammell-ipfix-file-01 http://www.ietf.org/internet-drafts/draft-trammell-ipfix-file-01.txt Brian Trammell, Elisa Boschi, Lutz Mark, Tanja Zseby Tuesday, July 11, 2006 IETF 66 - Montral, Qubec, Canada The

318 views • 6 slides
IPFIX Protocol Specifications IPFIX IETF-61 November 11th, 2004

IPFIX Protocol Specifications IPFIX IETF-61 November 11th, 2004

IPFIX Protocol Specifications IPFIX IETF-61 November 11th, 2004 <draft-ietf-ipfix-protocol-06.txt> Benoit Claise <bclaise@cisco.com> Stewart Bryant <stbryant@cisco.com> Mark Fullmer <maf@eng.oar.net> Ganesh

265 views • 13 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program data. Focuses on simple, finite

1.04k views • 54 slides
Information Elements for Data Link Layer Traffic Measurement

Information Elements for Data Link Layer Traffic Measurement

Information Elements for Data Link Layer Traffic Measurement draft-kashima-ipfix-data-link-layer-monitoring-07 draft-ietf-ipfix-data-link-layer-monitoring-00 Shingo Kashima, Paul Aitken 84th IETF Meeting, Vancouver, 2012 1 Introduction

198 views • 6 slides
Measurement Techniques Part 2: Measurement Techniques Terminology and general issues

Measurement Techniques Part 2: Measurement Techniques Terminology and general issues

Part 2 Measurement Techniques Part 2: Measurement Techniques Terminology and general issues Active performance measurement SNMP and RMON Packet monitoring Flow measurement Traffic analysis Terminology and General I

758 views • 64 slides
Bidirectional data flow from clinic to lab and back Lawrence Babb Genomic Medicine XI September

Bidirectional data flow from clinic to lab and back Lawrence Babb Genomic Medicine XI September

Bidirectional data flow from clinic to lab and back Lawrence Babb Genomic Medicine XI September 2018 Conflicts of interest No conflicts Objective Briefly discuss Clinic->Lab->Clinic primary data flow Identify fundamental next

303 views • 28 slides
Welcome to Celebrating 30 years in Semiconductor and Sensor device manufacture! Sensor and

Welcome to Celebrating 30 years in Semiconductor and Sensor device manufacture! Sensor and

Welcome to Celebrating 30 years in Semiconductor and Sensor device manufacture! Sensor and Silicon Solutions Over 250 million die shipped per year Fab 3 Fab 1 Probe & Test Fab 2 Semefab Overview Commercial Foundry Global

567 views • 46 slides
rarefaction? Joseph Caine 1 , Warren Douglas Stevens 2 & Ivn Jimnez 2 1 Harris-Stowe State

rarefaction? Joseph Caine 1 , Warren Douglas Stevens 2 & Ivn Jimnez 2 1 Harris-Stowe State

Estimation of broad-scale species richness: individual-based or spatially-constrained rarefaction? Joseph Caine 1 , Warren Douglas Stevens 2 & Ivn Jimnez 2 1 Harris-Stowe State University 2 Research and Conservation, Missouri Botanical

336 views • 22 slides
AER Draft Rate of Return Guidelines APGA Early Views Nick Wills-Johnson AER Public Forum 2

AER Draft Rate of Return Guidelines APGA Early Views Nick Wills-Johnson AER Public Forum 2

AER Draft Rate of Return Guidelines APGA Early Views Nick Wills-Johnson AER Public Forum 2 August 2018 Things we accept 60% + of Draft Guidelines Cost of debt, despite Gearing roughly in-line with gas businesses (ES Table 14,

111 views • 10 slides
Improving Auditors Consideration of Evidence Contradicting Managements Assumptions Ashley

Improving Auditors Consideration of Evidence Contradicting Managements Assumptions Ashley

Improving Auditors Consideration of Evidence Contradicting Managements Assumptions Ashley A. Austin Jacqueline S. Hammersley Michael A. Ricci Illinois Symposium on Auditing Research - Doctoral Consortium October 13, 2016 Motivation

314 views • 13 slides
Bidirectional Recurrent Convolutional Networks for Video Super-Resolution Qi Zhang & Yan

Bidirectional Recurrent Convolutional Networks for Video Super-Resolution Qi Zhang & Yan

Bidirectional Recurrent Convolutional Networks for Video Super-Resolution Qi Zhang & Yan Huang Center for Research on Intelligent Perception and Computing (CRIPAC) National Laboratory of Pattern Recognition (NLPR) Institute of Automation,

503 views • 31 slides
SENSY Presentation SENSY Presentation KNOW HOW & FLEXIBILITY THE WAY TO EXCELLENCE Bringing

SENSY Presentation SENSY Presentation KNOW HOW & FLEXIBILITY THE WAY TO EXCELLENCE Bringing

SENSY Presentation SENSY Presentation KNOW HOW & FLEXIBILITY THE WAY TO EXCELLENCE Bringing solution through special force transducers, load cells as well as customized systems is Sensy motto SENSY Presentation_EN 2 25/05/2009

644 views • 43 slides
From Sensors to Context Summer School on Wireless Sensor Networks and Smart Objects Albrecht

From Sensors to Context Summer School on Wireless Sensor Networks and Smart Objects Albrecht

August 29 - September 3, 2005 Schloss Dagstuhl, Germany From Sensors to Context Summer School on Wireless Sensor Networks and Smart Objects Albrecht Schmidt http://www.hcilab.org/albrecht/ Overview 1. Motivation and Introduction 2.

511 views • 37 slides
Date: 18 June 2020 Venue: Zwartkopjes Pumping Station Time: 10H00 AM 1 Rand Water Team

Date: 18 June 2020 Venue: Zwartkopjes Pumping Station Time: 10H00 AM 1 Rand Water Team

TENDER NO: RW10384176/20 PROVISION OF IN-SITU VERIFICATION AT RAND WATERS BULK CUSTOMER METERS WITHIN THE DISTRIBUTION NETWORK SERVICES FOR A DURATION OF THREE YEARS NB : THE TENDER SHALL BE AWARDED TO MULTIPLE SERVICE PROVIDERS Date:

339 views • 15 slides

More recommend