High-Speed Traffic Analysis for Security: Challenges & Approaches (PowerPoint PPT presentation)

C-DAC, Asia-Pacific Advanced Network (APAN) 32nd Meeting, India Habitat Centre, New Delhi


  1. High-Speed Traffic Analysis for Security: Challenges & Approaches
     C-DAC, Asia-Pacific Advanced Network 32nd Meeting, India Habitat Centre, New Delhi
     APAN 32nd Meeting, New Delhi, India

  2. Presentation Outline
     • Introduction
     • Observations & Findings
     • Active and Passive Measurements
     • Challenges and approaches
     • Interesting Works

  3. Introduction
     • Evolution
       – Copper to Fibre
       – Merging of LAN & WAN Technologies
       – Gigabits at LAN and Multi-Gigabits at Backbone
       – IPv4 to IPv6
       – High-speed TCP
       – e-Governance, e-Science Application and Social computing

  4. Vulnerabilities
     • Backbone
       – Security concerns with respect to routing (BGP)
       – Concerns with respect to Infrastructure
         • DoS, DDoS, DNS, botnets
     • User End
       – Malware, Reconnaissance, Data-Exfiltration, Buffer overflows, DDoS etc.

  5. Interesting findings
     • DDoS Attacks break the 100 Gbps barrier (2010)
     • Application-Layer DDoS increasing in sophistication
     • DNS has emerged as key attack target
     • IPv4-IPv6 security concerns
     • Most attacks are targeted at a specific customer service and aimed at network services (DNS)

  6. Threats observed
     • DDoS towards User End
     • Misconfigurations and failure of devices
     • Botnets / Compromised hosts
     • HTTP, SMTP and DNS most targeted (DDoS)
     • Average time to mitigate DDoS is 20 minutes
     • Zombie Computers (Botnet)

  7. Infrastructure Protection
     • Backbone
       – ACLs
         • RFC 1918, 3330, 3704
       – Blackholing
       – DNS Sinkhole, Scrubbing
       – Committed access rate (rate limiting)
       – Stateful Firewall, IPS
     • Most of them fail to handle DDoS
     • Customer End
       – ACL, Stateful Firewall, IDS/IPS, UTM, Malware prevention

  8. Traffic Analysis: Objective
     • Trend analysis
     • Prevention of intrusions and attacks
     • Anomaly detection
     • QoS/SLA Validation
     • Network Provisioning & Design

  9. Obtain Statistics
     • Host/Interface based (IP address)
     • Application based (Port based)
     • Application classification (Application header analysis)
     • Temporal (time based)
     • Protocol based (TCP, UDP, ICMP..)

  10. Aspects examined
     • Packet Level
       – Bits per second (rate)
       – Size of packets
       – Latencies, RTT
       – Throughput
       – Availability
       – Packet drops & errors
       – Deep packet inspection
       – Header analysis
     • Connection Level
       – Connection rate
       – Direction of traffic (incoming/outgoing)
       – Stateful inspection
       – Flow analysis
     • Application profiling
     • Vulnerability assessment
     • Compliance with standards (RFCs)

  11. Traffic Analysis
     • Active Measurement
     • Passive Measurement
     • Header based Analysis
     • Deep Packet Inspection
     • Handling encrypted packets
     • Signature based detection
     • Detecting Anomalies

  12. Active Measurement
     • Interferes with the network and carries out measurement by injecting specifically crafted probe packets
       – Ping, traceroute (network tomography)
       – Capprobe, pathchar (delay, capacity estimation)
     • Vulnerability measurement
       – Nessus, nmap
     • Network Interface statistics
       – SNMP (polling)

  13. Passive Measurement
     • Pure observations and analysis of traffic
     • Packet Analysis
       – Sniffers, tcpdump, Wireshark
     • Flow level monitoring
       – Netflow, IDS (like Snort/Bro)
     • Traffic Classification
       – CoralReef
     • TCP
       – Tstat (TCPtrace): multigigabit-per-second traffic analysis tool

  14. Passive Capture and Analysis (diagram slide)

  15. Packet Capture
     • Standard Ethernet linecards
       – libpcap
       – libnetfilter_queue (libipq)
       – libnids
     • Dedicated Hardware
       – Like Endace DAG
     • Formats
       – Pcap, erf, etherpeek, snoop, flow records
       – RRD
     • Challenges
       – Scalability, efficient memory management

  16. High-Speed Packet Capture
     • Network support in the OS is generic, hence the time taken for a packet to move from the network adapter to user space is high
       – Latency and per-packet processing load
     • Performance
       – System cost to bring packets from the network to user space/application
       – Application processing cost (classification, checksum etc.)
     • Solutions
       – Memory mapped packet buffers (PF_RING) and DNA
       – NetFPGA

  17. Header Analysis
     • Threshold based:
       – Find no. of packets generated by internal hosts to a destination port in a time interval
       – TCP SYN, UDP packet based analysis
       – Scanning of sequential destination addresses (after random IP address generation)
       – Traffic towards unallocated IP addresses (IANA/bogon lists)
       – Number of distinct destination IPs
     • Application header analysis

  18. Deep Packet Inspection Challenges
     • Content Matching Complexities
       – Control vs Data Packets (more content oriented packets)
       – Large % HTTP Traffic with large packet sizes
       – Number of signatures to be analyzed (> 10,000)
       – Variable size of signatures, regular expression match and stateful understanding
       – Packet fragments and Stream reassembly
     • Compressed & Encrypted traffic
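To show why "packet fragments and stream reassembly" belongs on the challenge list, here is an added Python example (not code from the presentation) with constructed TCP segments whose signature text is split across two out-of-order payloads; the signatures, segment contents and the reassemble helper are assumptions made for the example.

```python
import re

# Constructed segments (seq, payload) of one TCP stream. The second segment
# arrives before the first, and the "X-Scan-Id" header straddles the boundary.
SEG_A = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nX-Sc"
SEG_B = b"an-Id: 4711\r\n\r\n"
ISN = 1000                                   # initial sequence number
SEGMENTS = [(ISN + len(SEG_A), SEG_B), (ISN, SEG_A)]

# Two constructed signatures: a fixed string and a variable-length regex,
# the two shapes the slide says a DPI engine must handle.
SIGNATURES = {
    "scan-id-header": re.compile(rb"X-Scan-Id: [0-9]{3,6}"),
    "host-header": re.compile(rb"Host: example\.test"),
}


def match_per_packet(segments):
    """Naive DPI: run each signature over every payload in isolation."""
    hits = set()
    for _, payload in segments:
        for name, sig in SIGNATURES.items():
            if sig.search(payload):
                hits.add(name)
    return hits


def reassemble(segments, isn):
    """Order segments by sequence number and concatenate contiguous data.
    A gap (missing segment) stops reassembly; overlaps keep earlier bytes."""
    stream, expected = b"", isn
    for seq, payload in sorted(segments):
        if seq > expected:                   # hole in the stream: wait for it
            break
        fresh = payload[expected - seq:]     # drop any overlapping prefix
        stream += fresh
        expected += len(fresh)
    return stream


def match_stream(segments, isn):
    """Stateful DPI: match signatures over the reassembled byte stream."""
    data = reassemble(segments, isn)
    return {name for name, sig in SIGNATURES.items() if sig.search(data)}
```

Per-packet matching only finds the Host header; the split header is found only once the segments are reassembled, and a missing segment leaves the stream (and the verdict) pending.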

  19. Flow Analyzer (diagram slide)

  20. Our Approach
     • Use both active and passive measurement to devise an effective network management system
       – Adrisya: a Flow based passive measurement analyzer and anomaly detection solution
       – EDGE system was developed and deployed for monitoring Backbone routers and LAN resources
       – GYN (Guard Your Network) Intrusion Prevention Appliance (Multi-core based packet splitting)
       – NetFPGA based Content Matching
       – Security Assessment System (SAS) on top of Globus for grid environment
     • Devised Threat-Aware IDS Model using active and passive techniques to profile traffic and changing vulnerabilities (host level) in a network and utilize the same for detecting relevant intrusions

  21. Architecture diagram (component labels only): Packet Collector (IP Queue), Packet Decoder, Decoded Packets, Connection Management, Application Decoder, Dynamic Loader, Analyzers (Signature Detection, Rule Engine, Context Based Detection, State Based Detection, Flow Detection, Scan Detection, Flood Detection), Traffic Flow Analyzer, Traffic Profiler, Flows, Events Collector, IPS Management, IDMEF communication, Data Management, User I/f, Comprehensive Threat Analysis

  22. Interesting Works

  23. Worms: Issues and Approaches
     • Target Scanning
       – Random, hit-list, permutation, passive scanning, etc. (Staniford et al.)
       – Anomalies (Connections to many unique IPs, receiving too many RST packets..)
     • Worm distribution
       – Self-carried, embedded/secondary channel
       – Anomalies (Single-packet UDP, similar and identical content sent in network, secondary channel can be detected easily/prevented by firewall)
     • Detecting Worm activation
       – More of a host analysis issue
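The threshold checks of slide 17 (packets per destination port in an interval, sequential destination addresses, bogon destinations, distinct destination count) and the worm-scanning anomalies of slide 23 (connections to many unique IPs, many RST packets received) worked through as one added Python example over constructed flow records; this is not code from the presentation, and the record layout, the thresholds and the bogon subset are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (time s, src, dst, dport, flag seen from the
# destination side: "SA" = handshake reply, "R" = reset). 10.0.0.5 walks
# 203.0.113.10-21 on port 445 and is reset each time; 10.0.0.7 is normal
# apart from one packet to a destination inside a bogon block.
FLOWS = [(0.1 * i, "10.0.0.5", f"203.0.113.{10 + i}", 445, "R") for i in range(12)]
FLOWS += [(0.3, "10.0.0.7", "198.51.100.9", 443, "SA"),
          (0.9, "10.0.0.7", "198.51.100.9", 443, "SA"),
          (1.2, "10.0.0.7", "0.0.0.5", 80, "R")]

# Subset of the RFC 1918 / RFC 3330 blocks; a deployment would load the
# full IANA/bogon list the slide refers to.
BOGONS = [ip_network(p) for p in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                                  "172.16.0.0/12", "192.168.0.0/16")]


def analyze(flows, window=5.0, port_thr=10, fanout_thr=10, rst_thr=10):
    """Per-source threshold checks over one time interval (thresholds assumed)."""
    alerts = defaultdict(set)
    by_src = defaultdict(list)
    for rec in flows:
        if rec[0] < window:                      # only this interval
            by_src[rec[1]].append(rec)
    for src, recs in by_src.items():
        per_port, rsts, dsts = defaultdict(int), 0, []
        for _, _, dst, dport, flag in recs:
            per_port[dport] += 1
            rsts += flag == "R"
            dsts.append(int(ip_address(dst)))
            if any(ip_address(dst) in net for net in BOGONS):
                alerts[src].add(f"bogon-dst:{dst}")
        for port, n in per_port.items():
            if n > port_thr:                     # packets to one port
                alerts[src].add(f"port-threshold:{port}")
        uniq = sorted(set(dsts))
        if len(uniq) > fanout_thr:               # many distinct destinations
            alerts[src].add("fanout")
        if rsts > rst_thr:                       # worm-style failed connects
            alerts[src].add("rst-flood")
        run = best = 1                           # longest consecutive address run
        for a, b in zip(uniq, uniq[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= fanout_thr:
            alerts[src].add("sequential-scan")
    return {s: sorted(a) for s, a in alerts.items()}
```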
