incorporating network flows in intrusion incident
play

Incorporating Network Flows in Intrusion Incident Handling and - PowerPoint PPT Presentation

Aug 22, 2023 •9 likes •349 views

Regional Visualization and Analytics Center Incorporating Network Flows in Intrusion Incident Handling and Analysis John Gerth Stanford University gerth@stanford.edu FloCon 2008 1 EE/CS Network Infrastructure Three buildings with one

  1. Regional Visualization and Analytics Center Incorporating Network Flows in Intrusion Incident Handling and Analysis John Gerth Stanford University gerth@stanford.edu FloCon 2008 1

  2. EE/CS Network Infrastructure • Three buildings with one router – (Gates) Computer Science – (Packard) Electrical Engineering – (Allen) Center for Integrated Systems • Composition – 25 VLANs controlled by disparate groups – 10,000 IP addresses (about half are active) – Eclectic mix of Windows, Linux, Solaris, OS-X, … – No firewall beyond minor university filters • Analysts – A half-dozen people with network (and other) responsibilities FloCon 2008 2

  3. Incident Investigation Process • Find answers to a set of classic questions… – Who – What – When – Where – Why – How • …using an iterative process – Inspect events of a focus node – Augment, refine, filter data – Compare events of related nodes, looking for correlation – Pivot on an “interesting” node to refocus FloCon 2008 3

  4. Network Data Sources (each step is orders of magnitude more volume) • Traffic counters (SNMP, MRTG, ….) – Configurable in network devices • Event/Alert logs (Syslog, HTTPD, SNORT, ...) – Collected by firewalls, IDS, individual machines and services • Flows (Netflow, YAF, Argus, ….) – Typically collected at border routers or taps • Packet Headers / Traces (tcpdump, wireshark, …) – Collected at switches, routers, or taps FloCon 2008 4

  5. Network Flows • Advantages – Relatively uniform and increasingly available – Hard to subvert – Mitigate privacy concerns – Largely insensitive to encryption • Disadvantages – Still voluminous compared to event logs – Aggregate measure – Lack content FloCon 2008 5

  6. Flow Capture and Data Management • Sensor – Span ports from two Cisco backbone switches – See all layer 3 traffic for three buildings (not just external) – Argus capture of bidirectional ICMP, UDP, TCP flows • Collector – Raw flows from sensor are multicast locally in realtime – Hourly files from sensor compressed and archived – 20-30M (peak 70M) Argus flows/day (~1G compressed) – Retain several months of data online for analysts to access FloCon 2008 6

  7. Support flat files and database tables • Flat text files – Familiar and familiar tools – Extracts useful for exchange and reporting – Straightforward sequential processing – Import to other tools for aggregation and analysis • Relational databases – No longer exotic – Suitable for large data volumes – Greater expressibility for queries – Built-in support for aggregation and analysis FloCon 2008 7

  8. Database Infrastructure • MySQL server running on collector – Live flows from sensor inserted in real-time – Daily tables recreated from archived raw flows – Monthly “merge” tables – Anonymize extracts for research with CryptoPAN • Flow schema tuning – Transform src/dst to local/remote – Add ASN (routeviews.org) and local VLAN metadata – Convenience columns for locality, local role, dst port – Index most dimensions (adds about 50%) – Tables + indices ~2G/day FloCon 2008 8

  9. Flows in Incident Handling • Worms and Trolls – Volume and promiscuity • Immaculate Intrusions – Scrubbers, Keyloggers, and Remote Tunnels • Botnets – Beaconing to Command+Control Hosts FloCon 2008 9

  10. Traffic Volume • Windows Esbot worm circa 2005 – Spread via PNP buffer overflow – Installed backdoor trojan – Victim turns into attacker • Report – Overall traffic suddenly increased an order of magnitude • Analysis – Flow distribution showed port 445 at 500-1000 flows/sec – Keyed on 445 traffic to identify attackers – Used “flow monitor” to reveal local compromises FloCon 2008 10

  11. Esbot on the Flow Monitor FloCon 2008 11

  12. Promiscuity • SSH Troll – Intruder gains access to local machine – Installs SSH troll – Launches attack on remote networks • Report – Odd outbound traffic spike from local IP • Analysis – Flow distribution showed many IPs, few ASNs, single port – Backtrack in time to find initial SSH compromise – Pivot reveals other victims FloCon 2008 12

  13. SSH Troll: Volume + Promiscuity FloCon 2008 13

  14. SSH Troll: Identifying targets FloCon 2008 14

  15. SSH Troll: Locate Compromise FloCon 2008 15

  16. SSH Troll: Pivot to identify other victims FloCon 2008 16

  17. Immaculate Intrusions - Keyloggers • Unprotected X-Window server – Intruder maps 0x0 pixel client and signs up for keypress events – Steals credentials for other machines from local user – Uses credentials to login to experimental machine • Report – Experimental machine crashes when intruder’s tools fail • Analysis – Local user logged in when user not present – Discover open X-server on user’s desktop machine – Backtrack in time to find keylogger flows – Pivot reveals other victims FloCon 2008 17

  18. Immaculate Intrusions - Scrubbers • Unpatched Linux machine – Unpatched server vulnerable to remote root compromise – Intruder installs backdoor, trojan binaries, and scrubs logs – Uses trojan ssh to steal credentials of local users – Uses ssh known_hosts data to attack other local machines • Report – Local machine two hops away found sending spam • Analysis – Backtrack of login sessions leads to compromised machine – Trojan binaries found, but no plausible root logins – Flow logs show original compromise and backdoor logins – Pivot reveals other victims FloCon 2008 18

  19. Immaculate Intrusions - Tunnels • Tunnels – Intruder compromises desktop machine running VNC client – Desktop machine has forwarded ports over ssh-tunnel – Intruder’s traffic is tunnelled and reparented inside cluster • Report – Apparent Nessus scan of isolated cluster machine • Analysis – System logs of head node show no logins – Flow logs show massive ssh traffic from compromised machine FloCon 2008 19

  20. Isis :Visual Analysis of Flow Data (see paper by Phan et al in VizSec 2007) Progressive Multiples • Make exploration history visible • Reorder rows to reveal structure and event sequencing FloCon 2008 20

  21. Beaconing • Botnet zombie – Intruder gains access to local machine – Installs IRC client bot – zombie bot “calls home” periodically • Report – Recurrent traffic to suspect IRC servers • Analysis – Backtrack in time to find initial compromise – Observe tool download and installation – Pivot … FloCon 2008 21

  22. IRC bot: Timeline Investigation FloCon 2008 22

  23. The Event Table FloCon 2008 23

  24. From Event Table to Event Plot Event Table Event Plot Time 1 Time A … Measures A 1 IP Z FloCon 2008 24

  25. From Event Table to Event Plot Event Table Event Plot Time 1 Time A … Measures A 1 5 9 34 . . . # Time IP … Measures IP . . . Z 8 13 n Time Z … Measures FloCon 2008 25

  26. Event Plot FloCon 2008 26

  27. IRC Bot: Initial SSH Connection Outgoing SSH Connection Incoming SSH Connection FloCon 2008 27

  28. IRC Traffic on port 6667 IRC Connections FloCon 2008 28

  29. Download of Intrusion Tools Download from 66.175.39.28 FloCon 2008 29

  30. Reordered Rows FloCon 2008 30

  31. Switch to Ordinal Time FloCon 2008 31

  32. Mine the Gap FloCon 2008 32

  33. Sequence of Intrusion 1. SSH connection from 69.42.69.18 2. Download of client tools 3. IRC traffic 4. Port Scans After Intrusion FloCon 2008 33

  34. Future Work • Scalable query performance – Want to query billion row tables at interactive speeds – Column-oriented database – Distribute across commodity cluster • Finding network signatures – Bottom up capture of analyst domain knowledge (see our paper by Xiao in VAST 2006) – Top down search for frequent patterns – Build disparate flows into behaviors (boot, logon, mail, print, surf, …) • Modeling Local Machine Behavior – Shift the burden to the attacker? FloCon 2008 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald Tripp www.kent.ac.uk Network intrusion detection Network intrusion detection systems are provided to detect the presence of various security

260 views • 12 slides
v v 1 3 20 liquids through pipe 16 Vancouver parts through an assembly line s t 10

v v 1 3 20 liquids through pipe 16 Vancouver parts through an assembly line s t 10

4.2 Network Flows A directed graph can model a flow network where some material (e.g., widgets, current, . . . ) is produced or enters the network at Mat 3770 a source and is consumed at a sink . Network Flows Production and consumption

465 views • 11 slides
Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016 Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29 Detection vs. Blocking Intrusion

432 views • 32 slides
NETWORK FLOWS NETWORK FLOWS A network consists of a loopless digraph D = ( V , A ) plus a function

NETWORK FLOWS NETWORK FLOWS A network consists of a loopless digraph D = ( V , A ) plus a function

NETWORK FLOWS NETWORK FLOWS A network consists of a loopless digraph D = ( V , A ) plus a function c : A R + . Here c ( x , y ) for ( x , y ) A is the capacity of the edge ( x , y ) . We use the following notation: if : A R and S , T

566 views • 17 slides
Network Flows Marco Chiarandini Department of Mathematics & Computer Science University of

Network Flows Marco Chiarandini Department of Mathematics & Computer Science University of

DM545 Linear and Integer Programming Lecture 12 Network Flows Marco Chiarandini Department of Mathematics & Computer Science University of Southern Denmark Network Flows Outline Duality 1. (Minimum Cost) Network Flows 2. Duality in

625 views • 35 slides
Mat 3770 Conservation Max Flow Network Flows flow Cancellation Cut Ford- Fulkerson

Mat 3770 Conservation Max Flow Network Flows flow Cancellation Cut Ford- Fulkerson

Mat 3770 Network Flows Network Flow Mat 3770 Conservation Max Flow Network Flows flow Cancellation Cut Ford- Fulkerson Residual Spring 2014 Network Augmenting Path Max-flow Min-cut Matching 4.2 Network Flows Mat 3770 Network

896 views • 61 slides
Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some

Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some

Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some Definition Intrusion A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability, of a computing and

814 views • 29 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

584 views • 30 slides
Network Flows Math 482, Lecture 23 Misha Lavrov March 30, 2020 Network Flows Upper bounds on

Network Flows Math 482, Lecture 23 Misha Lavrov March 30, 2020 Network Flows Upper bounds on

Network Flows Upper bounds on flow Network Flows Math 482, Lecture 23 Misha Lavrov March 30, 2020 Network Flows Upper bounds on flow Definition of a network 1 4 2 1 s t 3 2 1 2 3 2 3 2 A set N of nodes . Here, N = { s , 1 , 2 ,

749 views • 34 slides
Network Flows Marco Chiarandini Department of Mathematics & Computer Science University of

Network Flows Marco Chiarandini Department of Mathematics & Computer Science University of

DM545 Linear and Integer Programming Lecture 11 Network Flows Marco Chiarandini Department of Mathematics & Computer Science University of Southern Denmark Network Flows Duality Outline Assignment and Transportation 1. (Minimum Cost)

675 views • 39 slides
Beyond networks: Incorporating node metadata into network analysis Leto Peel Universit

Beyond networks: Incorporating node metadata into network analysis Leto Peel Universit

Beyond networks: Incorporating node metadata into network analysis Leto Peel Universit catholique de Louvain @PiratePeel Here is a network G=(V,E) social networks food webs internet protein interactions Network nodes can have properties or

834 views • 36 slides
Network Intrusion Detection Using Neural Networks on FPGA SoCs Lenos Ioannou and Suhaib A. Fahmy

Network Intrusion Detection Using Neural Networks on FPGA SoCs Lenos Ioannou and Suhaib A. Fahmy

Network Intrusion Detection Using Neural Networks on FPGA SoCs Lenos Ioannou and Suhaib A. Fahmy School of Engineering, University of Warwick, UK Introduction Mainstream approaches in intrusion detection do not scale well to the embedded

936 views • 7 slides
System Health and Intrusion Monitoring System Health and Intrusion Monitoring Using a Hierarchy

System Health and Intrusion Monitoring System Health and Intrusion Monitoring Using a Hierarchy

Advanced Security Research System Health and Intrusion Monitoring System Health and Intrusion Monitoring Using a Hierarchy of Constraints Using a Hierarchy of Constraints Calvin Ko Calvin Ko , Network Associates, Inc. NAI Labs , Network

462 views • 27 slides
Outline Intrusion detection systems Malware and the network CSci 5271 Announcements

Outline Intrusion detection systems Malware and the network CSci 5271 Announcements

Outline Intrusion detection systems Malware and the network CSci 5271 Announcements intermission Introduction to Computer Security Middlebox, malware, anonymity combined slides Denial of service and the network Anonymous communications

253 views • 11 slides
RESULTS PRESENTATION 26 WEEKS ENDED 28 AUGUST 2016 AGENDA CHAIRMANS RESULTS PROGRESS

RESULTS PRESENTATION 26 WEEKS ENDED 28 AUGUST 2016 AGENDA CHAIRMANS RESULTS PROGRESS

RESULTS PRESENTATION 26 WEEKS ENDED 28 AUGUST 2016 AGENDA CHAIRMANS RESULTS PROGRESS INTRODUCTION OVERVIEW ON OUR PLAN Gareth Ackerman Bakar Jakoet Richard Brasher Chairman Chief Financial Officer Chief Executive Officer | 2 |

643 views • 40 slides
Report to the Board of Health March-April 2019 DeKalb County Health Department Leadership

Report to the Board of Health March-April 2019 DeKalb County Health Department Leadership

Report to the Board of Health March-April 2019 DeKalb County Health Department Leadership Team Lisa Gonzalez, MPH - Public Health Administrator Brenda Courtney - Director of Administrative Services Cindy Graves, RN, MSHA -

1.07k views • 81 slides
Peer Health Navigation for Latinx with Serious Mental Illness Sonya Ballentine, BS Project

Peer Health Navigation for Latinx with Serious Mental Illness Sonya Ballentine, BS Project

Peer Health Navigation for Latinx with Serious Mental Illness Sonya Ballentine, BS Project Manager Illinois Institute of Technology College of Psychology November 1, 2018 #PCORI2018 Sonya Ballentine Has nothing to disclose. 2

449 views • 20 slides
WBF Roundtable Presentation Manila Peninsula, 26 October 2017 Mr. VINCE DIZON President and CEO,

WBF Roundtable Presentation Manila Peninsula, 26 October 2017 Mr. VINCE DIZON President and CEO,

WBF Roundtable Presentation Manila Peninsula, 26 October 2017 Mr. VINCE DIZON President and CEO, Bases Conversion and Development Authority (BCDA) The BCDA in partnership with the entire economic team is doing what it can to contribute to the

342 views • 5 slides
Sanctuary Group Quarterly update Period ended 30 December 2018 Results reported under IFRS

Sanctuary Group Quarterly update Period ended 30 December 2018 Results reported under IFRS

Sanctuary Group Quarterly update Period ended 30 December 2018 Results reported under IFRS Agenda Highlights Operating overview Highlights Statement of Financial Position, cash flow and treasury information Progress with short-term

323 views • 19 slides
Brite-Mat Sizes/Print Areas: Rectangular mouse mat 240x190mm, Circular Mouse Mat 200mm diameter,

Brite-Mat Sizes/Print Areas: Rectangular mouse mat 240x190mm, Circular Mouse Mat 200mm diameter,

Brite-Mat Sizes/Print Areas: Rectangular mouse mat 240x190mm, Circular Mouse Mat 200mm diameter, Square coaster 95 mm square, Round coaster 95mm diameter Brite-Mat Sizes/Print Areas: Rectangular mouse mat 240x190mm, Circular Mouse Mat 200mm

192 views • 6 slides
PROJECT PRESENTATION 5G-COMPLETE A unified network, Computational and stOrage resource Management

PROJECT PRESENTATION 5G-COMPLETE A unified network, Computational and stOrage resource Management

PROJECT PRESENTATION 5G-COMPLETE A unified network, Computational and stOrage resource Management framework targeting end-to-end Performance optimization for secure 5G muLti-tEchnology and multi-Tenancy Environments Short Presentation of

407 views • 5 slides
Voronoi Volumes in Dense Granular Flow Chris Rycroft Department of Mathematics, MIT MIT Dry

Voronoi Volumes in Dense Granular Flow Chris Rycroft Department of Mathematics, MIT MIT Dry

Voronoi Volumes in Dense Granular Flow Chris Rycroft Department of Mathematics, MIT MIT Dry Fluids Group: Martin Bazant, Ken Kamrin, Ruben Rosales, Arshad Kudrolli (Clark University) Collaborators: Andrew Kadak (MIT Nuclear Engineering)

287 views • 11 slides

More recommend