less is more with intelligent packet capture
play

Less is More with Intelligent Packet Capture RANDY CALDEJON FLOCON - PowerPoint PPT Presentation

Sep 12, 2023 •206 likes •581 views

Less is More with Intelligent Packet Capture RANDY CALDEJON FLOCON 2020 Objectives Consider merits of streaming analytics Expose to advanced open source tools Encourage to experiment with OpenArgus 2 2 Streaming Analytics

  1. Less is More with Intelligent Packet Capture RANDY CALDEJON FLOCON 2020

  2. Objectives • Consider merits of streaming analytics • Expose to advanced open source tools • Encourage to experiment with OpenArgus 2 2

  3. Streaming Analytics • Increase speed at the Edge • Reduce bandwidth • Local Resources 3 3

  4. DragonFly Design Goals = Machine Incremental Sustained Single Node Bolt-On Learning Updates Performance Architecture Mindset Analyzes data Receive updates before Maintains 20Gbps+, High-performance Integrate seamlessly as it arrives the flow is complete without a cluster with other security tools 4

  5. A Practical Application of DragonFly PCAP or it didn’t happen. 5 5

  6. 100% 80% High Cost Full Packet 60% 10Gbps Network Link Capture is 30 days ~$1.2M annually 40% Ground Truth; but… Low Signal to Noise 20% Forensically relevant network data is 0% a small fraction of total network data Packet Capture No Forensic Value Forensically Relevant Data Indicators of Compromise 6

  7. Typical Packet Capture Workflow: Retrospective Capture Record Filter Analyze 7

  8. Intelligent Packet Capture Capture Record Filter Analyze 8

  9. Intelligent Packet Capture: Real-Time Capture Analyze Filter Record 9

  10. Intelligent PCAP Using Machine Learning to Capture Packets with Forensic Value Ground truth – Full packet capture has long been viewed as the “ground truth” for activity on the network, allowing analysts to identify the source of security incidents. Intelligent Packet Capture Expensive – Despite its value, full packet capture is not used to its uses threat intelligence , $$ fullest extent because lengthy retention periods are cost prohibitive advanced analytics , and and retention only shrinks as bandwidth utilization increases. Machine Learning to decide in near real-time what to Alternatives Lack Payloads – Though valuable for portions of the security workflow, alternatives to PCAP such as Flow, and Application record. Metadata cannot provide the “ground truth” payload for irregular traffic. Combine forces – Intelligent packet capture combined with augmented flow provides a powerful combination that supports a data friendly log format plus the full packets for anomalous traffic. 10

  11. Intelligent PCAP PACKETS/S Performance Requirements EVENTS/S LOW LATENCY FEEDBACK LOOP 11

  12. Intelligent PCAP Open Source Framework Argus mlpack (extraction) (training) eBPF tcpdump (filtering) (recording) 12

  13. tcpdump -i eth0 -w /cache/pcap-%m-%d-%H-%M-%S \ -W 100 -G 300 –C 1000 13

  14. eBPF for Filtering User Space Kernel reject eBPF eBPF LLVM eBPF load Verifier program Clang bytecode JIT compiler register event config eBPF native code packet data maps 14

  15. eBPF Map struct bpf_map_def SEC("maps") watchlist = { .type = BPF_MAP_TYPE_PERCPU_HASH, .key_size = sizeof(u32), /* ipv4 address */ .value_size = sizeof(u64), /* counter/timeout */ .max_entries = 100000, .map_flags = BPF_F_NO_PREALLOC, } 15

  16. Mlpack for training Scoring Training mlpack lib Model 16

  17. mlpack splitting data 1 /usr/local/bin/mlpack_preprocess_split \ --input_file data/$filename.data.csv \ --input_labels_file data/$filename.labels.csv \ --training_file data/$filename.train.csv \ --training_labels_file data/$filename.train.labels.csv \ --test_file data/$filename.test.csv \ --test_labels_file data/$filename.test.labels.csv \ --test_ratio 0.3 \ --verbose 17

  18. mlpack generating model 2 / usr/local/bin/mlpack_random_forest \ --training_file data/$filename.data.csv \ --labels_file data/$filename.labels.csv \ --num_trees 10 \ --minimum_leaf_size 3 \ --print_training_accuracy \ --output_model_file model /$filename.eval-model.bin \ --verbose 18

  19. mlpack testing model /usr/local/bin/mlpack_random_forest \ 3 --input_model_file model /$filename.eval-model.bin \ --test_file data/$filename.test.csv \ --test_labels_file data/$filename.test.labels.csv \ --probabilities_file probs.csv \ --verbose 19

  20. • Scalable • Lightweight • Flexible • Extensible Version 2.0

  21. DragonFly MLE Analyzers Engine (embedded LUA JIT) Plugins 21

  22. Fast - C/C++ DragonFly Lightweight – Small Library Engine Scriptable – Embedded LUA JIT Easy – Arduino Programming Model 22

  23. DragonFly Scriptable Analyzers function M:setup() model = config[‘module.model’] rf = RandomForest.load(model) end function M:loop (event) …. rf:classify (event) end 23

  24. DragonFly Scriptable Analyzers function M:dns (event) …. rf:classify (event) end function M:tls (event) …. rf:classify (event) end 24

  25. DragonFly Plug-ins mlpack eBPF iptree Redis cuckoo filter 25

  26. Argus ra (client) Argus Radium ratop (client) (multiplexer) (flow meter) Real-time Per Flow Updates Ramle (client) 26

  27. Argus Real-Time Flow Meter Field Overview • IP Addresses • Total Bytes • Start time Flow • Ports • Total Packets • Duration • Protocol Flow Features • MAC, VLAN, MPLS, ICMP, Extended Flow • Flow details by direction • Payload TCP flags and options • Interpacket Arrival time • Connection statistics (FIN, • Connection Setup Times and Jitter RST, SYN, Window Packet • Load and Rates (bytes and • Dropped/retransmitted advertisements, Zero Dynamics packets per second) packet statistics windows) 100+ Features Computed • Producer/Consumer Ratio • Flow Active Runtime Packet Dynamic • Key Stroke Identification Statistics • App/Byte Ratio Statistics Features Derived Fields • Country Code • MAC Manufacturer (OUI) Record • Record Cause (Start, Status, • Unique Identifier (seq) • Record Type (“flow” or Management Stop, Close, Error) • Sensor ID “management”) 27

  28. Intelligent PCAP with raml • Based on Argus client (library) • Integrated with DragonFly (library) • Able to run an instance per core 28

  29. Intelligent PCAP with raml Argus raml mlpack 29

  30. raml: DGA Analyzer function M:loop (event) local v = features(event.domain, event.ttl) score = rf:classify (v) return score end 30

  31. raml: Threat Feed Analyzer function M:setup() file = config[‘ioc.filename’] iplist = iptree(file) end function M:loop (event) local daddr = event[‘daddr’] match = iplist.lookup (daddr) return match end 31

  32. Intelligent PCAP Solutions Argus raml mlpack br0 eth0 pcap0 tcpdump 32

  33. LESSONS LEARNED >14Mpps Performance >750Keps <50 msec 33

  34. Next Steps… • Complete POCs • Publish to GitHub https://github.com/counterflow-ai/dragonfly2 • Merge raml with Argus https://openargus.org/ • Explore additional use cases… 34 34

  35. • Threat Intelligence Triage Streaming Analytics Use Cases • Encrypted Traffic Analysis • Predictive Fault Detection 35 35

  36. Questions? RANDY CALDEJON rc@counterflowai.com https://github.com/counterflow-ai/dragonfly2

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS

Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS

Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS Embedded Packet Capture (EPC) delivers a powerful troubleshooting and tracing tool. The feature allows for network administrators to capture data

518 views • 24 slides
Outline Introduction: what is Motion Capture? History and Motion Capture technologies. Passive

Outline Introduction: what is Motion Capture? History and Motion Capture technologies. Passive

Motion Capture Introduzione e Sistemi attivi N. Alberto Borghese Laboratory of Applied Intelligent Systems (AIS-Lab) Department of Computer Science University of Milano Laboratory of Applied Intelligent Systems

494 views • 10 slides
How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet monitor? How to acquire the data Handling performance bottlenecks Case Study: Packet Capture Performance Analyzing the transport and

487 views • 37 slides
Network Network sniffing sniffing packet capture and analysis packet

Network Network sniffing sniffing packet capture and analysis packet

Network Network sniffing sniffing packet capture and analysis packet capture and analysis October 2, 2020 Administrative submittal instructions submittal instructions Administrative answer the lab

366 views • 17 slides
Hacking Hands on with wireless LAN routers, packet capture and wireless security Organised by

Hacking Hands on with wireless LAN routers, packet capture and wireless security Organised by

Free Technology Workshop Hacking Hands on with wireless LAN routers, packet capture and wireless security Organised by Steven Gordon Bangkadi 3 rd floor IT Lab 10:30-13:30 Friday 18 July 2014 http://ict.siit.tu.ac.th/moodle/ _______

795 views • 48 slides
dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. URL http://dnstap.info Documentation Presentations Tutorials Mailing list Downloads Code repositories

695 views • 42 slides
dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc. Unifying the Global Response to Cybercrime Credits &amp; More Info Design &amp; Implementation: Robert Edmonds &lt;edmonds@fsi.io&gt; Website:

786 views • 40 slides
Packet Capture in 10-Gigabit Ethernet Environments Using Contemporary Commodity Hardware Fabian

Packet Capture in 10-Gigabit Ethernet Environments Using Contemporary Commodity Hardware Fabian

Packet Capture in 10-Gigabit Ethernet Environments Using Contemporary Commodity Hardware Fabian Schneider J org Wallerich Anja Feldmann { fabian,joerg,anja } @net.t-labs.tu-berlin.de Technische Universtit at Berlin Deutsche Telekom

415 views • 25 slides
Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by:

Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by:

Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by: Chris Crawford (DoD) - @zachtenenbaum and @srini are TAs What is Packet Analysis? - Packet Analysis is the capture and interpretation of the

814 views • 22 slides
A Method to Compress and Anonymize Packet Traces Markus Peuhkuri 2001-11-02 Abstract Data

A Method to Compress and Anonymize Packet Traces Markus Peuhkuri 2001-11-02 Abstract Data

A Method to Compress and Anonymize Packet Traces Markus Peuhkuri 2001-11-02 Abstract Data volume and privacy issues are one of problems related to large-scale packet capture. Utilizing flow nature of

375 views • 3 slides
Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator developed by Dennis Frezzo and his team at Cisco Systems. Packet Tracer (PT) is a powerful and dynamic tool that displays the various protocols used in

419 views • 17 slides
Motion Capture Passive markers and video-based techniques N. Alberto Borghese Laboratory of

Motion Capture Passive markers and video-based techniques N. Alberto Borghese Laboratory of

Motion Capture Passive markers and video-based techniques N. Alberto Borghese Laboratory of Applied Intelligent Systems (AIS-Lab) Department of Computer Science University of Milano Laboratory of Applied Intelligent Systems

531 views • 30 slides
Scapy Bo Li What is Scapy Scapy is a packet manipulation tool for computer networks.

Scapy Bo Li What is Scapy Scapy is a packet manipulation tool for computer networks.

Scapy Bo Li What is Scapy Scapy is a packet manipulation tool for computer networks. forge or decode packets, send them on the wire, capture them, and match requests and replies Handle tasks scanning, tracerouting, probing, unit

144 views • 13 slides
Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox,

Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox,

Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox, Troy Hanson, Richard Lethin, Erik Mogus, Jordi Ros-Giralt, Alison Ryan, {cullen, ezick, fox, hanson, lethin, mogus, giralt, ryan}@reservoir.com

710 views • 31 slides
Lecture Capture Project Powered by Much more than Lecture Capture (Replacing Echo360)

Lecture Capture Project Powered by Much more than Lecture Capture (Replacing Echo360)

Lecture Capture Project Powered by Much more than Lecture Capture (Replacing Echo360) Capture content All timetabled Lectures will still be automatically scheduled for capture* and transferred to Bb site (Policy

293 views • 16 slides
Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer

Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer

03/11/2017 Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer to a radio for the transmission of digital data via amateur radio. It is another mode of operation that has a multitude of uses, such as

571 views • 17 slides
Creating Shared Value New Jersey Corporate Philanthropy Network Council of New Jersey Grantmakers

Creating Shared Value New Jersey Corporate Philanthropy Network Council of New Jersey Grantmakers

March 2018 Creating Shared Value New Jersey Corporate Philanthropy Network Council of New Jersey Grantmakers March 22, 2018 Table of contents Evolving approaches in the role of business in society What is shared value? Benefits and

347 views • 18 slides
Librarian presentation on Data Management for the CSCRS Below is a screen shot of the backdoor

Librarian presentation on Data Management for the CSCRS Below is a screen shot of the backdoor

Librarian presentation on Data Management for the CSCRS Below is a screen shot of the backdoor editing page for the CSCRS Data Repository. It is not published, therefore not visible on the UNC Dataverse. Note that the Publish and Edit buttons will

138 views • 3 slides
L e g o N X T A c o u s t i c T a p e M e a s u r e A p p l i c a

L e g o N X T A c o u s t i c T a p e M e a s u r e A p p l i c a

L e g o N X T A c o u s t i c T a p e M e a s u r e A p p l i c a t i o n S t u d e n t : J a d e C h e n g P r o j e c t : M. S . C a p s t o n e i n C o m p u t e r

856 views • 40 slides
Page 1 LEXSEE 2004 CONN. SUPER. LEXIS 123 Avalonbay Communities, Inc. v. Milford Planning and

Page 1 LEXSEE 2004 CONN. SUPER. LEXIS 123 Avalonbay Communities, Inc. v. Milford Planning and

Page 1 LEXSEE 2004 CONN. SUPER. LEXIS 123 Avalonbay Communities, Inc. v. Milford Planning and Zoning Board CV020514399S SUPERIOR COURT OF CONNECTICUT, JUDICIAL DISTRICT OF NEW BRITAIN AT NEW BRITAIN 2004 Conn. Super. LEXIS 123 January 12,

313 views • 13 slides
Pivot Table Demonstration Tools for LBOHs May 27, 2020 cott Troppy, Surveillance Epidemiologist

Pivot Table Demonstration Tools for LBOHs May 27, 2020 cott Troppy, Surveillance Epidemiologist

Pivot Table Demonstration Tools for LBOHs May 27, 2020 cott Troppy, Surveillance Epidemiologist Bureau of Infectious Disease and Laboratory Sciences MA Department of Public Health 1 Pivot Table Learning Objectives Use pivot tables to turn

330 views • 32 slides
Quick guide Step 1: Purchasing RSMail! Step 2: Download RSMail! Step 3: Installing RSMail! Step

Quick guide Step 1: Purchasing RSMail! Step 2: Download RSMail! Step 3: Installing RSMail! Step

Quick guide Step 1: Purchasing RSMail! Step 2: Download RSMail! Step 3: Installing RSMail! Step 4: RSMail! settings Step 5: Add Subscribers 5.1. Create subscriber lists 5.2. Add subscribers 5.2.1 Manual add 5.2.2 Import from CSV Step 6

625 views • 14 slides
Mashup Your Data with Free Data API Options February 18, 2010 Typical data.gov

Mashup Your Data with Free Data API Options February 18, 2010 Typical data.gov

Mashup Your Data with Free Data API Options February 18, 2010 Typical data.gov Problem The publishing of government data on the Web only bridges the gap half-way. Without the APIs to access the data, a developer is faced with

231 views • 7 slides
Maps, Messy Data, and Misleading Correlations BioQUEST 2012 Summer Workshop Dave Bourgaize Jeff

Maps, Messy Data, and Misleading Correlations BioQUEST 2012 Summer Workshop Dave Bourgaize Jeff

Maps, Messy Data, and Misleading Correlations BioQUEST 2012 Summer Workshop Dave Bourgaize Jeff Lutgen Whittier College Purposes of the exercise: 1.Pose a georeferenced question that is (hopefully) interesting. We think we have an example of

582 views • 23 slides

More recommend