near real time multi source flow data correlation
play

Near Real-Time Multi-Source Flow Data Correlation FloCon 2013 - PowerPoint PPT Presentation

Mar 04, 2024 •504 likes •795 views

Near Real-Time Multi-Source Flow Data Correlation FloCon 2013 Carter Bullard QoSient, LLC Albuquerque, New Mexico Jan 7-10, 2013 carter@qosient.com Problem Statement Cyber incident attribution and forensics, is a complex process. To

  1. Near Real-Time Multi-Source Flow Data Correlation FloCon 2013 Carter Bullard QoSient, LLC Albuquerque, New Mexico Jan 7-10, 2013 carter@qosient.com

  2. Problem Statement • Cyber incident attribution and forensics, is a complex process. • To assist in security incident response, recognizable hostile activity needs to be associated with other information system behavior in order to understand the complete cyber security incident life cycle • Within a complex internal spoofed stepping stone attack, using a Wiki vulnerability, a machine with an Antartican source address sends a message, that runs a rogue program that sends a command control message to a botnet style agent on an other machine that exfiltrates data back to Antartica. • For most existing protection strategies, this isn’t detectable.

  3. Flow data is an important component • Exfiltration should be detectable from sensors on the external border, or from a sensor in Antartica - But in this case, nada • The machine that sent the data should be able to report to something that it sent data to Antarctica - But there aren’t any logs that contain that transaction • Having some form of audit for the network activity of key hosts, is important. • Having a means to associate that transfer with the program that actually sent the data is critical, here. • Realizing that that program was run by a program, not by the current user of the system, is important. • The machine that was accessed by the Antarctican machine, like most internal machines, provide inadequate access control, protection or auditing to track. • Associating that program with the stimulating / initiating message from Antarctica is critical • Realizing that the machine isn’t really in Antartica, but its down the hall, is going to be a challenging problem.

  4. Comprehensive Enterprise Awareness Dealing with the Insider Threat Domain Name Server DNS Root Servers BGP AN AAA MPLS Network OSPF RSVP-TE/LDP IS-IS-TE End Station STP Argus BGP ARP Call Controller OSPF Policy Server End IS-IS-TE Connection Controller Station Call Control AN Policy Control Connection Control Data Plane

  5. How to approach this • Establishing a strategy that can help attribution and forensics analysis for the internal attack • Establish formal attribution / non-repudiation systems • Improve audit so that the basic information is available, reliable, and relevant • At least each host should maintain a network activity log • Improve methods and techniques so that correlation can be used to make the end-to-end attribution possible. • Currently, for many sites, its really luck, rather than engineering, that makes this stuff work

  6. How to deal with host issues? • We need to modify system audit strategies to approach this really important problem • In the absence of direct support, what to do. • We can install flow monitors on hosts • That will provide the network audit • argus is a good candidate • We need user and program bindings to flow data to make the back chaining possible to deal with our scenario. • Socket audits are possible in some systems • Demonstrate using lsof() to provide that info.

  7. Argus Strategy • In argus we have integrated into the basic argus data generation, collection, processing, storage and analytics, the ability to correlate flow and non-flow data. • Argus has a facility, Argus Events, that can be used to generate, structure and transport metadata. • Argus-3.0.6+ supports the collection of many non-flow data sources, including /etc/proc, vm_stat, SNMP data, and lsof() output. • We’ve implemented the ability to correlate lsof() data with cached flow data, as a simple example, in all ra* programs

  8. End-to-End Situational Awareness Network Optimization - Black Core Mesh SNMP RMON Element Statistics/Traps Interface Status / Transitional Events Bulk Link Statistics System Layer 2-7 Flow Data Comprehensive Layer 2-7 Flow Data Comprehensive Layer 2-7 Flow Data System Communication Efficiency Site Communication Efficiency End-to-End Communication Efficiency Connectivity / Availability Enterprise Communication Efficiency Reachability / Connectivity Offered Load / Loss / Jitter One-Way Delay (GPS synchronization) Site Offered Load / Loss / Jitter Received Load / Loss / Jitter Network Transit Times Network Transit Times Round Trip Delay Comprehensive Layer 2-4 Flow Data ISP Communication Efficiency Comprehensive Layer 2-4 Flow Data Ingress Available Capacity / Loss / Jitter Network Path Assurance / Status One-Way Delay (GPS Synchronization) Reachability / Availability Assessment Network Path Status One-Way Delay (GPS Synchronization) n a i m C o o r e D S n t e r v m e i c e P n a g e r o v i d e r M a E n t e r p r i s e M a n a g e m e n t D o m a i n Comprehensive Flow Monitor SNMP RMOM Style Monitor Information System Repository

  9. Complex Comprehensive Awareness Local and Remote Strategies White/Visible Node Black/Non-Visible Node Comprehensive Flow IS Argus Sensor Data Plane Situational Awareness Data

  10. Radium Data Flow Design

  11. Argus Events • Argus event type specific format for a particular collection, using a generic XML free form strategy. event[49241]= 2013/01/04.12:47:16.733468:srcid=192.168.0.68:prog:/usr/local/bin/argus-lsof <ArgusEvent> <ArgusEventData Type = "Program: /usr/sbin/lsof -i -n -P"> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME mDNSRespo 53 _mdnsresponder 56u IPv4 0xbb72da10 0t0 UDP *:50451 awacsd 69 root 241u IPv4 0xbb72da10 0t0 TCP 192.168.0.68:57367->17.172.208.94:443 (CLOSED) apsd 71 root 10u IPv4 0xbb72da10 0t0 TCP 192.168.0.68:53556->17.149.32.65:443 (ESTABLISHED) blued 72 root 4u IPv4 0xbb72da10 0t0 UDP *:* ntpd 75 root 20u IPv4 0xbb72da10 0t0 UDP *:123 radium 110 root 10u IPv4 0xbb72da10 0t0 TCP 192.168.0.68:49166->192.168.0.68:561 (ESTABLISHED) radium 110 root 11u IPv6 0xbb72da10 0t0 TCP [::1]:562->[::1]:49171 (ESTABLISHED) [snip] Keynote 68546 carter 8u IPv4 0xbb72da10 0t0 TCP *:49901 (LISTEN) raevent 69821 carter 5u IPv6 0xbb72da10 0t0 TCP [::1]:51255->[::1]:562 (ESTABLISHED) perl5.12 69824 root 4u IPv6 0xbb72da10 0t0 TCP *:561 (LISTEN) perl5.12 69824 root 6u IPv4 0xbb72da10 0t0 UDP *:* perl5.12 69824 root 8u IPv6 0xbb72da10 0t0 TCP 192.168.0.68:561->192.168.0.68:49166 (ESTABLISHED) perl5.12 69824 root 9u IPv6 0xbb72da10 0t0 TCP [::1]:561->[::1]:58040 (ESTABLISHED) </ArgusEventData> </ArgusEvent>

  12. Argus Events Configuration # Argus.conf Argus Event management configuration syntax is: # Syntax is: "method:path|prog:interval[:postproc]" # Where: method = [ "file" | "prog" ] # pathname | program = "%s" # interval = %d[smhd] [ zero means run once ] # postproc = [ "compress" | "compress2" ] # #ARGUS_EVENT_DATA="prog:/usr/local/bin/ravms:20s:compress" #ARGUS_EVENT_DATA="prog:/usr/local/bin/rasnmp:1m:compress" #ARGUS_EVENT_DATA="file:/proc/vmstat:30s:compress" ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-lsof:30s:compress"

  13. Argus Correlation Design Radium Process

  14. Argus Correlation Design Radium Process

  15. Argus Correlation Design Radium Process

  16. Argus Correlation Design Radium Process

  17. Argus Correlation Design Radium Process

  18. Argus Correlation Design Radium Process

  19. Argus Correlation Design Radium Process

  20. Argus Correlation Design Radium Process

  21. Argus Correlation Design Radium Process

  22. Argus Correlation Design Radium Process

  23. Argus Correlation Design Radium Process

  24. Argus Strategy • Argus events processing generates flow descriptions and annotation labels that contain the user and the program • We append these labels to the record. • And then process like any other flow record • Lot of rules on how argus labels work. • Argus Metadata Tutorial has a lot of stuff on this topic.

  25. Live Demonstration from Presentation Laptop ra and ratop screens showing live traffic as observed from the laptop and realtime labeling of user, pid, program name inserted into the flow record itself.

  26. Supporting Slides

  27. Distributed Situational Awareness Attack Scenarios - Interior Exterior Spoofing White/Visible Node Black/Non-Visible Node Data Plane Command and Control Attack Traffic

  28. Spoof Correlation • Simple multi-domain flow correlation • However, with NAT, encryption, tunneling, traditional flow correlation is not possible. • No applicable flow identifiers for matching • Flow granularity mismatch • Need flow metadata to make assessment • Content • Time • Packet dynamics (PD). • Absence of correlation is the key • Statistical systems are unusable

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Real-Time Multi/Many-Core Architecture Heechul Yun 1 Real-Time Multi/Many-Core Architecture

Real-Time Multi/Many-Core Architecture Heechul Yun 1 Real-Time Multi/Many-Core Architecture

Real-Time Multi/Many-Core Architecture Heechul Yun 1 Real-Time Multi/Many-Core Architecture Projects on Real-Time CPU Architectures Assigned Papers Shedding the Shackles of Time-Division Multiplexing, RTSS, 2018 Deterministic

749 views • 31 slides
Modeling and Analysis of Data Flow Graphs using the Digraph Real-Time Task Model Morteza

Modeling and Analysis of Data Flow Graphs using the Digraph Real-Time Task Model Morteza

Modeling and Analysis of Data Flow Graphs using the Digraph Real-Time Task Model Morteza Mohaqeqi, Jakaria Abdullah, and Wang Yi Uppsala University Ada-Europe 2016 Overview Introduction Data Flow Graphs: [ 1 , 3 ] [ 2 ] Signal processing a

508 views • 46 slides
Real time and comunications 1 Examples of use and data capture Network time Basic

Real time and comunications 1 Examples of use and data capture Network time Basic

Real time and comunications 1 Examples of use and data capture Network time Basic protocol for real-time traffic Protocol for the management of data flow Secure version of the protocol 2 What is real-time (time of

629 views • 33 slides
Real-time Pattern Detection in IP Flow Data using Apache Spark International Symposium on

Real-time Pattern Detection in IP Flow Data using Apache Spark International Symposium on

Real-time Pattern Detection in IP Flow Data using Apache Spark International Symposium on Integrated Network Management ( IM 2019) May 9, 2019 Milan Cermak, Martin Lastovicka, Tomas Jirsik Institute of Computer Science, Masaryk University, Brno

403 views • 11 slides
Andrea Fichtner, MPH Network 14 Real-time data source Communication between health care

Andrea Fichtner, MPH Network 14 Real-time data source Communication between health care

Andrea Fichtner, MPH Network 14 Real-time data source Communication between health care providers Alerts Evacuation planning Mapping Resource availability There are 22 TSAs or trauma service areas, and each

433 views • 12 slides
Near Real-time Data Warehousing with Multi-stage Trickle &amp; Flip J nis Zuters , University

Near Real-time Data Warehousing with Multi-stage Trickle &amp; Flip J nis Zuters , University

This work has been supported by ESF project No. 2009/ 0216/ 1DP/ 1.1.1.2.0/ 09/ API A/ VI AA/ 044 Near Real-time Data Warehousing with Multi-stage Trickle &amp; Flip J nis Zuters , University of Latvia, BIR 2011, October 8, 2011 Data

360 views • 15 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Correlation scales of chorus emissions determined from multi-point THEMIS observations Vitalii

Correlation scales of chorus emissions determined from multi-point THEMIS observations Vitalii

Introduction Data selection B w distribution Chorus spatial correlation scales Chorus temporal correlation scales Conclusions Ackno Correlation scales of chorus emissions determined from multi-point THEMIS observations Vitalii Shastun 1 ,

280 views • 15 slides
Tim Walpole Using big data to unlock the delivery of personalized, multi-lingual real-time chat

Tim Walpole Using big data to unlock the delivery of personalized, multi-lingual real-time chat

Tim Walpole Using big data to unlock the delivery of personalized, multi-lingual real-time chat services for global financial service organizations Cognitive Architect About the Speaker Head of Mobile Cognitive Architect Passionate about

758 views • 37 slides
Real-time PCR Data Markup Language A new standard for archiving and exchanging real-time PCR data

Real-time PCR Data Markup Language A new standard for archiving and exchanging real-time PCR data

Real-time PCR Data Markup Language A new standard for archiving and exchanging real-time PCR data Steve Lefever On behalf of the RDML consortium qPCR = golden standard for nucleic acids quantification Dedicated and precise instruments needed

780 views • 21 slides
Modelling of the London Bus Network The Data London Open Transport API Real-time bus

Modelling of the London Bus Network The Data London Open Transport API Real-time bus

Alex Gubbay Real Time Graph Modelling of the London Bus Network The Data London Open Transport API Real-time bus arrivals at every stop 130,000 data points a minute Also provided: Real-time traffic incidents Real-time

173 views • 5 slides
Apache Kafka Real-Time Data Pipelines http://kafka.apache.org/ Joe Stein Developer,

Apache Kafka Real-Time Data Pipelines http://kafka.apache.org/ Joe Stein Developer,

Apache Kafka Real-Time Data Pipelines http://kafka.apache.org/ Joe Stein Developer, Architect &amp; Technologist Founder &amp; Principal Consultant =&gt; Big Data Open Source Security LLC - http://stealth.ly Big Data Open Source

637 views • 40 slides
1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

Speeding Up Data-Flow Analysis Solving the Data-flow Equations Last time Algorithm Various optimizations that use data-flow analysis for each node n in CFG initialize solutions in[n] = ; out[n] = Today repeat Speeding up

418 views • 4 slides
1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

Introduction to Data-flow analysis Data-flow Analysis Last Time Idea Undergraduate compilers review Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Assem.Instr data

903 views • 4 slides
Big Data in Real-Time at Twitter by Nick Kallen (@nk) What is Real-Time Data? On-line

Big Data in Real-Time at Twitter by Nick Kallen (@nk) What is Real-Time Data? On-line

Big Data in Real-Time at Twitter by Nick Kallen (@nk) What is Real-Time Data? On-line queries for a single web request Off-line computations with very low latency Latency and throughput are equally important Not talking about

710 views • 46 slides
Considerations for Scan Detection Using Flow Data. 1 Ov Over erview iew Scans and scan

Considerations for Scan Detection Using Flow Data. 1 Ov Over erview iew Scans and scan

Considerations for Scan Detection Using Flow Data. 1 Ov Over erview iew Scans and scan detection goals and objectives A review of Threshold Random Walk Real time vs. Flow based approaches Bi-flows and Oracles Extensions

522 views • 18 slides
Investor Presentation April 2017 1 Safe Harbor During the course of this presentation the

Investor Presentation April 2017 1 Safe Harbor During the course of this presentation the

Investor Presentation April 2017 1 Safe Harbor During the course of this presentation the Company will be making forward-looking statements (as such term is defined in the Private Securities Litigation Reform Act of 1995) that are based on our

911 views • 41 slides
Overview of services at North West Cancer Centre, Altnagelvin Hospital 15 th March 2018 North

Overview of services at North West Cancer Centre, Altnagelvin Hospital 15 th March 2018 North

Overview of services at North West Cancer Centre, Altnagelvin Hospital 15 th March 2018 North West Cancer Centre Vision To provide innovative, holistic and compassionate Cancer Care for the North West of Ireland. Radiotherapy Service Mission

425 views • 13 slides
Radiation Protection and Regulatory Requirements on use of Medical X-ray Equipment in ORTHOPAEDICS

Radiation Protection and Regulatory Requirements on use of Medical X-ray Equipment in ORTHOPAEDICS

Radiation Protection and Regulatory Requirements on use of Medical X-ray Equipment in ORTHOPAEDICS Directorate of Regulatory Affairs &amp; Communications Atomic Energy Regulatory Board www.aerb.gov.in A tomic E nergy R egulatory B oard | IOACON

409 views • 25 slides
BIZ Opportunity Day Performance Q32018 Busin iness Ali lignment Public Company Li Limite

BIZ Opportunity Day Performance Q32018 Busin iness Ali lignment Public Company Li Limite

BIZ Opportunity Day Performance Q32018 Busin iness Ali lignment Public Company Li Limite ted Date : : N November 27, , 2018 Presentation Agenda Com ompany Ov Overview Business Outlook Financial Performance Q&amp;A

1.04k views • 24 slides
City of Virginia Beach Uranium Mining Impact Study Energy Advisory Committee September 29, 2011

City of Virginia Beach Uranium Mining Impact Study Energy Advisory Committee September 29, 2011

City of Virginia Beach Uranium Mining Impact Study Energy Advisory Committee September 29, 2011 Uranium Mill Tailings Original Concept 119 million # of uranium (0.06% ore) 100 million pounds of yellow cake Open-Pit, 76 MCY of

339 views • 20 slides
Agenda 6.30pm Housekeeping and introductions. 6.35pm Revised Berry bypass alignment. 6.40pm

Agenda 6.30pm Housekeeping and introductions. 6.35pm Revised Berry bypass alignment. 6.40pm

Agenda 6.30pm Housekeeping and introductions. 6.35pm Revised Berry bypass alignment. 6.40pm What do we want to focus on? known community issues. 6.45pm Issues focus Known issues. New issues? Urban Design Background. Table Work on

483 views • 12 slides
Welcome Case Study on Remediation at a Sediment Site in Northern California with Radium-226 and

Welcome Case Study on Remediation at a Sediment Site in Northern California with Radium-226 and

Welcome Case Study on Remediation at a Sediment Site in Northern California with Radium-226 and Heavy Metal Contamination, including Use of SCM Technology to Expedite Remediation at the Source Seaplane Lagoon Site, former Naval Air Station

345 views • 32 slides
RADON Remediation Company providing peace of mind from Radon in homes and businesses throughout

RADON Remediation Company providing peace of mind from Radon in homes and businesses throughout

A Full Service Radon Testing, Mitigation &amp; RADON Remediation Company providing peace of mind from Radon in homes and businesses throughout Southeastern PA and the Tri-State Area. IS YOUR FAMILY AT RISK ? www.RadonRid.com |

226 views • 20 slides

More recommend