finding the needle in the haystack
play

Finding the Needle in the Haystack Jonzy Data Security Analysis, - PowerPoint PPT Presentation

Oct 30, 2022 •43 likes •243 views

Finding the Needle in the Haystack Jonzy Data Security Analysis, Sr. Information Security Office Finding the Needle in the Haystack With all the information available via NetFlows, finding the "Needle in the Haystack" (the bad actor

  1. Finding the Needle in the Haystack Jonzy Data Security Analysis, Sr. Information Security Office

  2. Finding the Needle in the Haystack With all the information available via NetFlows, finding the "Needle in the Haystack" (the bad actor in NetFlows), can be somewhat difficult at best. Methods to discover illegitimate traffic can be as simple as looking at TCP flags, to more complex procedures such as defining thresholds for number of flows with ratios to unique destinations. There are other methods available, but I will be focusing on these thresholds and ratios and why this approach turns the needle into a goal post. The CPU cycles needed for this analysis are reduced by implementation of AVL trees (Balanced Binary Trees), and knowing the bottleneck to process the data is based on reading the data from disc. The algorithm used takes less then a second to process 3 million flows collected over a 5 minute time span. Both inbound and outbound, as well as local, traffic needs to be considered. Inbound analysis will help protect against external threats, outbound traffic protects yourself from external embarrassment, and local analysis identifies local problems that can lead to bigger problems. Information Security Office

  3. Network Layout / Flow Collection IBR - 2 routers, with a 100 Gb/s channel to the Net WAN - 2 routers, with a 40 Gb/s commodity network LAN - 28 routers, with a 40 Gb/s internal network HSN - 1 router, with a 100 Gb/s channel to the Net FP - Flow Processor Null-route / Blockage Netflow Collection QR to FP link QR Tap Information Security Office

  4. Flow Collection Hardware and Stats The Collector HP ProLiant DL380p Gen8 Processor: 2x Intel(R) Xeon(R) CPU E5-2640 0 @ 2.50GHz 6/6 cores; 12 threads 64-bit Capable Memory: 98 GB DDR3 1333 MHz RAM Storage: 12x HP 600GB 15K RPM 6GBs SAS Drives configured RAID 5 NIC: 3x 1Gbs copper NIC connected full duplex Average Load: less then 1.5, but has been as high as 22. Flow Collection Statistics AVERAGE/DAY AVERAGE_TIME COLLECTOR NUM_FLOW_RECORDS TO_PROCESS_24_HOURS IBR 719,521,466 13 seconds WAN 711,442,717 12 seconds LAN 1,945,181,346 32 seconds HSN 14,065,862 less then a second Information Security Office

  5. Information Security Office

  6. Information Security Office

  7. Destination Port Traffic Information Security Office

  8. Destination Port Traffic Information Security Office

  9. Information Security Office

  10. Information Security Office

  11. Information Security Office

  12. Information Security Office

  13. Information Security Office

  14. Thresholds Identify Bad Actors Any given IP generating X amount of flows per time period T, destined to N number of unique hosts is cause for alarm when: X >= number of flows threshold, 128 for example N >= unique destination IP's threshold, 75% or 96 for example Caution: This does not guarantee a Bad Actor. Case in point, there may be a case where multiple local devices are accessing a 1 or more remote IP's for anything ranging from News, Patches, or a remote proxy. Either way, looking are local responses, SYN flags, number of packets, and byte size can help identify problematic traffic. Anything matching X >= 256 and N >= 75% or 192, where all the destination IP's reside in a /24 or contiguous set of Class-C Ciders, is almost 100% a remote probe. Information Security Office

  15. Thresholds Identify Bad Actors Another situation is a botnet probing your local network, where X is small, say16, and N is 16 – a possible probe. Additionally you may see a small X, say 16, with an N < 25% - a possible brute force attack. The key with using thresholds, is determined by your environment. Some thresholds will be different for different ports. Case in point, you may see a local host attempting to contact a remote host dozens of times a second, but this type of traffic would have X = ? but N = 1. Information Security Office

  16. Thresholds Identify Bad Actors Information Security Office

  17. Thresholds Identify Bad Actors Information Security Office

  18. Thresholds Identify Bad Actors Information Security Office

  19. Thresholds Identify Bad Actors Information Security Office

  20. Conclusion Monitoring and tracking destination port usage is by no means a complete solution finding the “Needle in the Haystack”, but it definitely turns a needle into haystack. Thresholds for the number of flows generated by remote IP's, per unique destination IP's also turns a needle into a haystack. Using destination port analysis along with thresholds is one method for finding the Needle in the Haystack. Information Security Office

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FINDING A NEEDLE IN HAYSTACK, FACEBOOKS PHOTO STORAGE Based on: D. Beaver, S. Kumar, H. C. Li,

FINDING A NEEDLE IN HAYSTACK, FACEBOOKS PHOTO STORAGE Based on: D. Beaver, S. Kumar, H. C. Li,

FINDING A NEEDLE IN HAYSTACK, FACEBOOKS PHOTO STORAGE Based on: D. Beaver, S. Kumar, H. C. Li, J. Sobel, and P. Vajgel: Finding a Needle in Haystack: Facebook's Photo Storage, in Proceedings USENIX OSDI 2010, Vancouver, Canada, October

397 views • 23 slides
Finding the Needle in a Haystack: Materials discovery through

Finding the Needle in a Haystack: Materials discovery through

Finding the Needle in a Haystack: Materials discovery through high-throughput ab ini;o compu;ng and data mining Geoffroy Hau+er Max conference January

508 views • 40 slides
Finding a Needle in Haystack Presentation by: Neelim Haider Authors (of paper): Doug Beaver,

Finding a Needle in Haystack Presentation by: Neelim Haider Authors (of paper): Doug Beaver,

Finding a Needle in Haystack Presentation by: Neelim Haider Authors (of paper): Doug Beaver, Sanjeev Kumar, Harry C. Li, Jason Sobel, Peter Vajgel Question 1: : Please briefly introduce the Haystacks architecture. Haystack consists of 3

377 views • 12 slides
Finding a Needle in the Haystack of Hardened Interconnect Patterns S. Nikoli, G. Zgheib*, and

Finding a Needle in the Haystack of Hardened Interconnect Patterns S. Nikoli, G. Zgheib*, and

Finding a Needle in the Haystack of Hardened Interconnect Patterns S. Nikoli, G. Zgheib*, and P. Ienne FPL19, Barcelona, 09.09.2019 cole Polytechnique Fdrale de Lausanne *Intel Corporation Why harden connections? 2 crossbar LUT LUT

626 views • 44 slides
Early Detection of Aquatic Invasive Species finding the needle in the haystack Jim Grazio,

Early Detection of Aquatic Invasive Species finding the needle in the haystack Jim Grazio,

Early Detection of Aquatic Invasive Species finding the needle in the haystack Jim Grazio, Ph.D. PA DEP- Office of the Great Lakes 19 March 2019 Presentation Outline Share current AIS monitoring research Discuss regional AIS

623 views • 24 slides
Configuring Debugging as Search: Finding the Needle in the Haystack Andrew Whitaker, Richard S.

Configuring Debugging as Search: Finding the Needle in the Haystack Andrew Whitaker, Richard S.

Configuring Debugging as Search: Finding the Needle in the Haystack Andrew Whitaker, Richard S. Cox and Steven D. Gribble. University of Washington Divya Muthukumaran Some slides borrowed from Aditya Y.S.V Whats the big picture? Can we

305 views • 30 slides
Finding Camoufmaged Needle in a Haystack? Pornographic Products Detection via Berrypicking Tree

Finding Camoufmaged Needle in a Haystack? Pornographic Products Detection via Berrypicking Tree

. Zhuoren Jiang 3 . . . . . . . Finding Camoufmaged Needle in a Haystack? Pornographic Products Detection via Berrypicking Tree Model Guoxiu He 1,2 Yangyang Kang 2 Zhe Gao 2 Changlong Sun 2 . Xiaozhong Liu *4,2 Wei Lu *1 Qiong Zhang 2 Luo

489 views • 19 slides
Picviz finding a needle in a haystack Sbastien Tricaud INL Usenix, San Diego 2008 Sbastien

Picviz finding a needle in a haystack Sbastien Tricaud INL Usenix, San Diego 2008 Sbastien

Picviz finding a needle in a haystack Sbastien Tricaud INL Usenix, San Diego 2008 Sbastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 1 / 47 Speaker: Sebastien Tricaud I Live and work in Paris (FR)

601 views • 48 slides
Data Acquisition and Event Filtering Problem: finding the needle in the haystack total

Data Acquisition and Event Filtering Problem: finding the needle in the haystack total

Data Acquisition and Event Filtering Problem: finding the needle in the haystack total inelastic cross section 50 mb Interesting physics most channels &lt; 100 nb 2x10 6 interactions /s Data rate after FEE

277 views • 14 slides
Haystack full of needles. Beaver, D., Kumar, S., Li, H.C., Sobel, J., and Vajgel, P.: Finding

Haystack full of needles. Beaver, D., Kumar, S., Li, H.C., Sobel, J., and Vajgel, P.: Finding

Haystack full of needles. Beaver, D., Kumar, S., Li, H.C., Sobel, J., and Vajgel, P.: Finding a Needle in Haystack: Facebook's Photo Storage, in Proceedings USENIX OSDI 2010. Introduction 65 billion photos (in 4 copies) 260

295 views • 28 slides
Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke

Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke

Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke Tian, Steve T.K. Jan , Hang Hu, Danfeng Yao, Gang Wang Computer Science, Virginia Tech Phishing is a Big Th Threat Phishing: fraudulent attempt

411 views • 30 slides
Feature Selection for Predictive Modelling A Needle in a Haystack Problem Munshi Imran Hossain

Feature Selection for Predictive Modelling A Needle in a Haystack Problem Munshi Imran Hossain

Feature Selection for Predictive Modelling A Needle in a Haystack Problem Munshi Imran Hossain Sudipta Basu Introduction Suppose someone is studying heart diseases. They want to find out what are the possible factors that may cause

451 views • 33 slides
Needle in a Haystack: Searching for Approximate k- Nearest Neighbours in High-Dimensional Data

Needle in a Haystack: Searching for Approximate k- Nearest Neighbours in High-Dimensional Data

Needle in a Haystack: Searching for Approximate k- Nearest Neighbours in High-Dimensional Data Liang Wang* , Ville Hyvnen, Teemu Pitknen, Sotiris Tasoulis, Teemu Roos, and Jukka Corander University of Cambridge*, UK University of Helsinki,

266 views • 16 slides
Content Relevancy starts with understanding your international Audience Rob Zomerdijk

Content Relevancy starts with understanding your international Audience Rob Zomerdijk

Content Relevancy starts with understanding your international Audience Rob Zomerdijk Rzomerdijk@sdl.com 7 May 2014 2 It can sometimes feel like looking for a needle in a haystack! 3 How to find a needle in a haystack? 4

514 views • 19 slides
FIND THE NEEDLE IN THE HAYSTACK February 2017 CHALLENGES OF SYSTEM INTEGRATION CANopen Device

FIND THE NEEDLE IN THE HAYSTACK February 2017 CHALLENGES OF SYSTEM INTEGRATION CANopen Device

Automated Trace Analysis for Testing of CANopen Devices by Andrew Ayre &amp; Olaf Pfeiffer FIND THE NEEDLE IN THE HAYSTACK February 2017 CHALLENGES OF SYSTEM INTEGRATION CANopen Device Testing Highly dynamic systems has its limits can

1.02k views • 16 slides
Haystack FACEBOOKS PHOTO STORAGE AKIB ZAMAN MOTIVATION Facebook stores an enormous amount

Haystack FACEBOOKS PHOTO STORAGE AKIB ZAMAN MOTIVATION Facebook stores an enormous amount

Finding a needle in Haystack FACEBOOKS PHOTO STORAGE AKIB ZAMAN MOTIVATION Facebook stores an enormous amount of data: 260 billion images 20 petabytes of data Traditional filesystems perform poorly under their workload

550 views • 21 slides
HY-240 2nd Programming Project What will you learn - Binary Search Trees - Priority Queues

HY-240 2nd Programming Project What will you learn - Binary Search Trees - Priority Queues

HY-240 2nd Programming Project What will you learn - Binary Search Trees - Priority Queues (as heaps) - Complete Trees - Hash Tables Alexander the Great army - Implemented as a Binary Search Tree - Sorted on soldiers ID - struct

454 views • 12 slides
The Ohio State University Aviation Program: Academics and The Airport at Don Scott Field &amp;

The Ohio State University Aviation Program: Academics and The Airport at Don Scott Field &amp;

The OSU Aviation Program: Academics and The Airport at Don Scott Field The Ohio State University Aviation Program: Academics and The Airport at Don Scott Field &amp; The 2004 OSU Airport Master Plan Presentation to the Worthington City Council

566 views • 18 slides
SUOMEN ILMAILUOPISTO OY GENERAL INFORMATION FOUNDED 2002 Formerly Finnair Aviation Academy

SUOMEN ILMAILUOPISTO OY GENERAL INFORMATION FOUNDED 2002 Formerly Finnair Aviation Academy

FINNISH AVIATION ACADEMY SUOMEN ILMAILUOPISTO OY GENERAL INFORMATION FOUNDED 2002 Formerly Finnair Aviation Academy started 1985 in the same premises Owned by The government of Finland 49.5% Finnair 49.5% The city of Pori 1%

394 views • 23 slides
AERO PB LTD Parts and materials supplier in the Aviation Industry. Aero PB supports large range

AERO PB LTD Parts and materials supplier in the Aviation Industry. Aero PB supports large range

AERO PB LTD Parts and materials supplier in the Aviation Industry. Aero PB supports large range of Aircraft models Airbus/Eurocopter Agusta Bell Cessna Robinson Sikorsky ATR Boeing Bombardier

124 views • 8 slides
AVL-Based Snow Clearance Information For Residents on Portal Site and Mobile Application

AVL-Based Snow Clearance Information For Residents on Portal Site and Mobile Application

AVL-Based Snow Clearance Information For Residents on Portal Site and Mobile Application Operations and ITS Morgan Jones and Nasir Kenea November 9, 2015 1 Purpose To provide General Committee with information on: implementation of

383 views • 9 slides
Overview: Motivation Automated testing for quality assurance Test-driven development

Overview: Motivation Automated testing for quality assurance Test-driven development

Hey guys, were making a new language! k-AWK (kay-awk) k. The Testing Language Albert Cui, Karen Nan, Michael Raimi, Mei-Vern Then Overview: Motivation Automated testing for quality assurance Test-driven development

393 views • 12 slides
Creating a Leading National Water Utility: Revised Merger Terms August 6, 2018 Safe Harbor

Creating a Leading National Water Utility: Revised Merger Terms August 6, 2018 Safe Harbor

Creating a Leading National Water Utility: Revised Merger Terms August 6, 2018 Safe Harbor Statement Cautionary Statement Regarding Forward-Looking Statements This document contains forward-looking statements within the meaning of the Private

379 views • 10 slides
Let's make better* scripts * Improved readability, increased fault-tolerance, and more security

Let's make better* scripts * Improved readability, increased fault-tolerance, and more security

Let's make better* scripts * Improved readability, increased fault-tolerance, and more security Michael Boelen michael.boelen@cisofy.com NLUUG, November 2019 Before we begin... Topics (blue pill) Why Shell Scripting? Challenges

1.19k views • 91 slides

More recommend