network flow analysis at scinet
play

Network flow analysis at SCinet or Network flow analysis at 880Gb/s - PowerPoint PPT Presentation

May 16, 2023 •428 likes •676 views

Network flow analysis at SCinet or Network flow analysis at 880Gb/s 1.2Tb/s Eric Dull Steven P. Reinhardt C O M P U T E | S T O R E | A N A L Y Z E Agenda What is SCinet What analytic questions were we

  1. Network flow analysis at SCinet or “Network flow analysis at 880Gb/s” 1.2Tb/s Eric Dull Steven P. Reinhardt C O M P U T E | S T O R E | A N A L Y Z E

  2. Agenda ● What is SCinet ● What analytic questions were we answering ● How we applied graphs to answer these questions ● Places to start exploring graphs C O M P U T E | S T O R E | A N A L Y Z E 2

  3. What is SCinet ● /17 publicly routed network ● Network supporting the SC technical conference and exhibit hall ● 10,972 devices on the network ● 1.2 Tb/s onto the show floor ● 296 Gb/s under BRO observation ● Set-up to teardown – about 10 days ● Rebuilt/reused every year C O M P U T E | S T O R E | A N A L Y Z E 3

  4. C O M P U T E | S T O R E | A N A L Y Z E 4

  5. C O M P U T E | S T O R E | A N A L Y Z E 5

  6. Total generated triples BRO Log type Lines Triples per line Triples files 13,432,704 10 134,327,040 syslog 1,085,812 10 10,858,120 notice 380,842 10 3,808,420 http 12,133,443 25 303,336,075 ssh 2,093,004 10 20,930,040 dhcp 986,072 10 9,860,720 weird 49,789,135 5 248,945,675 conn 1,487,430,036 12 17,849,160,432 ● RDF generated on Discover using Python scripts written at SC13 ● Used the OCOG netflow RDF format for the first time in analysis! C O M P U T E | S T O R E | A N A L Y Z E 6

  7. Flow counts 1.E+09 1.E+08 1.E+07 1.E+06 1.E+05 Commodity Connections 100G connections 1.E+04 1.E+03 1.E+02 1.5B flows 1.E+01 18 Nov 20 Nov 15 Nov 16 Nov 17 Nov 19 Nov 1.E+00 0 20 40 60 80 100 120 C O M P U T E | S T O R E | A N A L Y Z E 7

  8. Flow counts 1.E+09 1.E+08 SYN flood 1.3B flow 1.E+07 1.E+06 1.E+05 Commodity Connections 100G connections 1.E+04 1.E+03 1.E+02 1.5B flows 1.E+01 18 Nov 20 Nov 15 Nov 16 Nov 17 Nov 19 Nov 1.E+00 0 20 40 60 80 100 120 C O M P U T E | S T O R E | A N A L Y Z E 8

  9. Analytic charge ● Find outbound scanning or attacking ● Help identify groups of infected systems from C2 and download activities ● “Perform the next hop” of analysis. Use graphs to ease automated analysis ● Find new DNS and DHCP servers as they appear on the network C O M P U T E | S T O R E | A N A L Y Z E 9

  10. Applicable graph operations ● Search – “Find SSH connection networks” ● IP address based search ● Port and volume based search ● IDS alert based search ● 1,2, or 3 hop ● Jaccard Scoring – “which is the likely C2 channel for IPs downloading from this port?” ● Betweeness Centrality – “Which IP address in this network should be considered first when cleaning up an infection network?” C O M P U T E | S T O R E | A N A L Y Z E 10

  11. Search example: SSH chain alerting hosts– X > 10K response bytes C O M P U T E | S T O R E | A N A L Y Z E 11

  12. Search example: SSH connection chain SPARQL query CONSTRUCT{ ?ap_addr <http://cs.org/p/hasNoticeNote> <http://cs.org/notice_node#SSH::Password_Guessing>. ?ap_addr <urn:p/hasSSH> ?internal_addr. ?internal_addr <urn:p/hasSSH> ?a_addr. } { SELECT distinct ?internal_addr ?ap_addr ?a_addr WHERE { ?uid4 <http://opencog.net/p/destinationAddress> ?a_addr. ?uid4 <http://opencog.net/p/sourceAddress> ?internal_addr. ?uid4 <http://opencog.net/p/hasProtocol> <http://opencog.net/proto#tcp>. ?uid4 <http://opencog.net/p/destinationPort> <http://opencog.net/port#22> . ?uid4 <http://cs.org/p/hasRespBytes> ?rbytes1. FILTER(?rbytes1 > 10000) { SELECT distinct ?internal_addr ?ap_addr WHERE { ?uid <http://cs.org/p/hasNoticeNote> <http://cs.org/notice_node#SSH::Password_Guessing>. ?uid <http://cs.org/p/hasNoticeMsg> ?msg. ?uid <http://cs.org/p/hasOrigAddr> ?ap_addr. ?uid4 <http://opencog.net/p/sourceAddress> ?ap_addr. ?uid4 <http://opencog.net/p/destinationAddress> ?internal_addr. ?uid4 <http://opencog.net/p/destinationPort> <http://opencog.net/port#22>. ?uid4 <http://cs.org/p/hasRespBytes> ?rbytes1. FILTER(?rbytes1 > 20900) } LIMIT 1000 } } } C O M P U T E | S T O R E | A N A L Y Z E 12

  13. Jaccard example: math and SPARQL implementation SELECT ?proto ?port ?client_count ?big_client_count WHERE { { SELECT ?proto ?port (count(distinct ?ap_addr) as ?big_client_count) WHERE { ?uid3 <http://opencog.net/p/sourceAddress> ?ap_addr. ?uid3 <http://opencog.net/p/destinationAddress> ?dest_addr2 . ?uid3 <http://opencog.net/p/destinationPort> ?port . ?uid3 <http://opencog.net/p/hasProtocol> ?proto . ?uid3 <http://cs.org/p/hasRespBytes> ?rbytes2. } GROUP BY ?proto ?port } { SELECT ?proto ?port (count(distinct ?ap_addr) as ?client_count) WHERE V2 V1 { ?uid3 <http://opencog.net/p/sourceAddress> ?ap_addr. ?uid3 <http://opencog.net/p/destinationAddress> ?dest_addr2 . ?uid3 <http://opencog.net/p/destinationPort> ?port . ?uid3 <http://opencog.net/p/hasProtocol> ?proto . ?uid3 <http://cs.org/p/hasRespBytes> ?rbytes2. FILTER(?rbytes2 > 0) ?uid4 <http://opencog.net/p/sourceAddress> ?ap_addr. ?uid4 <http://opencog.net/p/destinationAddress> ?dest_addr . ?uid4 <http://opencog.net/p/destinationPort> <http://opencog.net/port#9162>. ?uid4 <http://cs.org/p/hasRespBytes> ?rbytes1. FILTER(?rbytes1 > 0) } GROUP BY ?proto ?port HAVING (?client_count > 1) } } Definition: |V1 ∩ V2| / |V1 ∪ V2| ORDER BY DESC(?client_count) C O M P U T E | S T O R E | A N A L Y Z E 13

  14. Jaccard example: SSH password forced C2 channel candidates C O M P U T E | S T O R E | A N A L Y Z E 14

  15. Jaccard example: ports 7668 and 9162 visualization C O M P U T E | S T O R E | A N A L Y Z E 15

  16. Betweenness example: pseudo-math and SPARQL implementation How to compute Betweeness SELECT ?vertices ?scores centrality (All-pairs shortest-path) WHERE { ● From every node, compute the CONSTRUCT{ #<urn:SSH_forcer> <urn:/p/HasMember> ?src_addr. ?src_addr <urn:p/hasSSH> ?dest_addr. shortest path(s) to every other node ?dest_addr <urn:p/hasSSH> ?dest_addr2 } ● For every node, count the number of WHERE { shortest paths that go through it SELECT distinct ?src_addr ?dest_addr ?dest_addr2 ● For every edge, count the number of WHERE { ?booth2 a <http://sc14.org/class#SCinet_subnet> . ?booth2 <http://opencog.net/hasMember> ?dest_addr . shortest paths that go through it ?uid3 <http://opencog.net/p/sourceAddress> ?dest_addr . ● Divide the shortest path counts by the ?uid3 <http://opencog.net/p/destinationAddress> ?dest_addr2 . ?uid3 <http://opencog.net/p/hasProtocol> <http://opencog.net/proto#tcp>. total number of shortest paths to ?uid3 <http://opencog.net/p/destinationPort> <http://opencog.net/port#22> . ?uid3 <http://opencog.net/p/start> ?start_time2. generate centrality scores ?uid3 <http://cs.org/p/hasRespBytes> ?rbytes2. FILTER (?rbytes2 > 12000) FILTER (?start_time < ?start_time2) OPTIONAL The nodes and edges with the highest { centrality scores are most central SELECT ?src_addr ?dest_addr ?start_time { #?src_addr a <http://sc14.org/class#SSHattacker>. ?uid <http://cs.org/p/hasNoticeNote> <http://cs.org/notice_node#SSH::Password_Guessing>. ?uid <http://cs.org/p/hasNoticeMsg> ?msg. ?uid <http://cs.org/p/hasOrigAddr> ?src_addr. ?uid3 <http://opencog.net/p/sourceAddress> ?src_addr . ?uid3 <http://opencog.net/p/destinationAddress> ?dest_addr . ?uid3 <http://opencog.net/p/hasProtocol> <http://opencog.net/proto#tcp>. ?uid3 <http://opencog.net/p/destinationPort> <http://opencog.net/port#22> . ?uid3 <http://opencog.net/p/start> ?start_time. ?uid3 <http://cs.org/p/hasRespBytes> ?rbytes2. FILTER(?rbytes2 > 12000) } LIMIT 500 } } } INVOKE yd:graphAlgorithm.betweenness_centrality (.5,1) PRODUCING ?vertices ?scores } ORDER BY DESC(?scores) C O M P U T E | S T O R E | A N A L Y Z E 16

  17. Betweenness example: SSH / Internal / ? C O M P U T E | S T O R E | A N A L Y Z E 17

  18. Betweenness example: Centrality results C O M P U T E | S T O R E | A N A L Y Z E 18

  19. Successes and next steps ● Successes ● Identified outbound scanning behaviors (and SYN floods) ● Identified candidate external C2 hosts ● Identified candidate internal infected hosts based on port usage ● Identified candidate C2 ports using Jaccard scoring ● Identified the first place to start cleaning up the XX SSH client chain (if we chose to do that. We turned off the network instead) ● Used Spark Streaming to identify DHCP servers during Wireless network ‘troubles’ ● Next steps ● More RDF/BRO parsers (particularly DNS) ● Improved Python parser to more easily use the multiple cores on the XT5 blades ● Easier link-chart generation ● More and more mature Spark Streaming C O M P U T E | S T O R E | A N A L Y Z E 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SC18 INDIS Workshop Architecture, Xnet, NRE Agenda 1. Experimental Network - XNET 2. Network

SC18 INDIS Workshop Architecture, Xnet, NRE Agenda 1. Experimental Network - XNET 2. Network

SC18 INDIS Workshop Architecture, Xnet, NRE Agenda 1. Experimental Network - XNET 2. Network Research Exhibition - NRE 3. SCinet Architecture XNET SCinet Experimental Networks Each year SCinet evolves and creates a new network to allow

531 views • 32 slides
Drainage network analysis Drainage network analysis 4 flooding 9 6 5 8 3 7 1 2 flow

Drainage network analysis Drainage network analysis 4 flooding 9 6 5 8 3 7 1 2 flow

Drainage network analysis Drainage network analysis 4 flooding 9 6 5 8 3 7 1 2 flow routing watershed labelling flow routing flow accumulation flow accumulation 1 25 612 1 25 612 1350 1350 compute for each

417 views • 12 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Network Flow CS31005: Algorithms-II Autumn 2020 IIT Kharagpur Network Flow Models the flow

Network Flow CS31005: Algorithms-II Autumn 2020 IIT Kharagpur Network Flow Models the flow

Network Flow CS31005: Algorithms-II Autumn 2020 IIT Kharagpur Network Flow Models the flow of items through a network Example Transporting goods through the road/rail/air network Flow of fluids (oil, water,..) through pumping

949 views • 84 slides
Network Flow 5 Network Flow terminology Network flow is similar to finding how much water we

Network Flow 5 Network Flow terminology Network flow is similar to finding how much water we

1 Network Flow 5 Network Flow terminology Network flow is similar to finding how much water we can bring from a source to a sink (infinite) (intermediates cannot hold water) 6 Network Flow terminology Definitions: c(u,v)

576 views • 34 slides
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program data. Focuses on simple, finite

1.04k views • 54 slides
CS 401 Max Flow / Bipartite Matching Xiaorui Sun 1 Flow network Flow network. G = (V, E) =

CS 401 Max Flow / Bipartite Matching Xiaorui Sun 1 Flow network Flow network. G = (V, E) =

CS 401 Max Flow / Bipartite Matching Xiaorui Sun 1 Flow network Flow network. G = (V, E) = directed graph, no parallel edges. Two distinguished nodes: s = source, t = sink. c(e) = capacity of edge e. 9 2 5 10 15 15 10 4 source 5

1.01k views • 21 slides
CSE 521 Algorithms The Network Flow Problem 2 The Network Flow Problem 4 a x 3 5 3 7 7 4

CSE 521 Algorithms The Network Flow Problem 2 The Network Flow Problem 4 a x 3 5 3 7 7 4

CSE 521 Algorithms The Network Flow Problem 2 The Network Flow Problem 4 a x 3 5 3 7 7 4 s b y t 6 6 1 4 5 c z How much stuff can flow from s to t? 4 Soviet Rail Network, 1955 Reference: On the history of the transportation

1.05k views • 84 slides
Review Network flow definitions CSE 421 Flow examples Augmenting Paths Algorithms

Review Network flow definitions CSE 421 Flow examples Augmenting Paths Algorithms

Review Network flow definitions CSE 421 Flow examples Augmenting Paths Algorithms g Residual Graph Richard Anderson Ford Fulkerson Algorithm Lecture 22 Cuts Network Flow Maxflow-MinCut Theorem Network Flow

860 views • 4 slides
Network Flow Lecturer: Shi Li Department of Computer Science and Engineering University at

Network Flow Lecturer: Shi Li Department of Computer Science and Engineering University at

CSE 632: Analysis of Algorithms II: Combinatorial Optimization and Linear Programming (Fall 2020) Network Flow Lecturer: Shi Li Department of Computer Science and Engineering University at Buffalo Outline Network Flow 1 Ford-Fulkerson

995 views • 77 slides
Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

M AXIMUM F LOW How to do it... Why you want it... Where you find it... The Tao of Flow: Let your body go with the flow. -Madonna, Vogue Maximum flow...because youre worth it. -Loreal Go with the flow, Joe.

619 views • 20 slides
Network Flow II 2 Every edge e has a capacity c(e) 0. Flow: 1 Inge Li Grtz

Network Flow II 2 Every edge e has a capacity c(e) 0. Flow: 1 Inge Li Grtz

Network Flow 1 Network flow: 2 graph G=(V,E). 2 2 s 1 t Special vertices s (source) and t (sink). 2 2 Network Flow II 2 Every edge e has a capacity c(e) 0. Flow: 1 Inge Li Grtz capacity constraint: every

503 views • 15 slides
CSE 421 Introduction to Algorithms The Network Flow Problem 1 The Network Flow Problem 4 a x

CSE 421 Introduction to Algorithms The Network Flow Problem 1 The Network Flow Problem 4 a x

CSE 421 Introduction to Algorithms The Network Flow Problem 1 The Network Flow Problem 4 a x 3 5 3 7 7 4 s b y t 6 6 1 4 5 c z How much stuff can flow from s to t ? 2 Soviet Rail Network, 1955 Reference: On the history of

889 views • 75 slides
Mat 3770 Conservation Max Flow Network Flows flow Cancellation Cut Ford- Fulkerson

Mat 3770 Conservation Max Flow Network Flows flow Cancellation Cut Ford- Fulkerson

Mat 3770 Network Flows Network Flow Mat 3770 Conservation Max Flow Network Flows flow Cancellation Cut Ford- Fulkerson Residual Spring 2014 Network Augmenting Path Max-flow Min-cut Matching 4.2 Network Flows Mat 3770 Network

896 views • 61 slides
Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by

Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by

Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by Erik Stenman and Michael Schwartzbach Data-flow analysis Example: liveness Data-flow analysis is a global analysis framework that can be used to

635 views • 11 slides
1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

Speeding Up Data-Flow Analysis Solving the Data-flow Equations Last time Algorithm Various optimizations that use data-flow analysis for each node n in CFG initialize solutions in[n] = ; out[n] = Today repeat Speeding up

418 views • 4 slides
Internship Report Erin Kersh July 27, 2009 Nextrans Center A Strategic Planning Framework to

Internship Report Erin Kersh July 27, 2009 Nextrans Center A Strategic Planning Framework to

Internship Report Erin Kersh July 27, 2009 Nextrans Center A Strategic Planning Framework to Enhance Infrastructure Network Survivability and Functionality under Disasters Srinivas Peeta and Lili Du Outline Background Related

863 views • 34 slides
Route Choice Model using Smartphone GPS Data Gregory Lue Presentation Outline Introduction

Route Choice Model using Smartphone GPS Data Gregory Lue Presentation Outline Introduction

Estimating a Toronto Pedestrian Route Choice Model using Smartphone GPS Data Gregory Lue Presentation Outline Introduction Background Data Smartphone Data Alternative Route Generation Choice Model Toronto Case Study

1.32k views • 84 slides
Adapted and Constrained Dijkstra for Elastic Optical Networks Ireneusz Szczeniak Department of

Adapted and Constrained Dijkstra for Elastic Optical Networks Ireneusz Szczeniak Department of

Adapted and Constrained Dijkstra for Elastic Optical Networks Ireneusz Szczeniak Department of Communications AGH University of Science and Technology Poland Boena Wona-Szczeniak Institute of Mathematics and Computer Science Jan

622 views • 16 slides
Optimal Route Planning on Mobile Systems Adrian Batzill Structure Route Planning

Optimal Route Planning on Mobile Systems Adrian Batzill Structure Route Planning

M A S T E R T H E S I S Optimal Route Planning on Mobile Systems Adrian Batzill Structure Route Planning Unidirectional, Bidirectional, Hierarchical External Memory Results Optimal Route Planning on Mobile Systems 2/22

327 views • 22 slides
Project Plan O.P.E.N. v2.0: Smart Order Picking The Capstone Experience Team Phoenix Group

Project Plan O.P.E.N. v2.0: Smart Order Picking The Capstone Experience Team Phoenix Group

Project Plan O.P.E.N. v2.0: Smart Order Picking The Capstone Experience Team Phoenix Group Austin Littley Austin Rix Bryce Corey Charlie Deneau Evan Brazen Department of Computer Science and Engineering Michigan State University Fall 2017

287 views • 13 slides
traffic flow estimation from cellular network data Masters thesis presentation Nils Breyer

traffic flow estimation from cellular network data Masters thesis presentation Nils Breyer

traffic flow estimation from cellular network data Masters thesis presentation Nils Breyer August 27, 2015 LiU/ITN, UC Berkeley (USA) why are linkflows of interest? Linkflow number of vehicles or people using a link during a certain time

786 views • 53 slides
Analysis of mode and walk route choice in a downtown area considering heterogeneity in trip

Analysis of mode and walk route choice in a downtown area considering heterogeneity in trip

Analysis of mode and walk route choice in a downtown area considering heterogeneity in trip distance Toshiyuki Yamamoto, Shinichi Takamura and Takayuki Morikawa Nagoya Univ. Analysis of mode and walk route choice Nested choice structure

600 views • 30 slides
Uncertainty in Hazardous Materials Transportation Changhyun Kwon Department of Industrial &amp;

Uncertainty in Hazardous Materials Transportation Changhyun Kwon Department of Industrial &amp;

| Industrial and Systems Engineering Intro Risk Measures Data Uncertainty Behavioral Uncertainty Uncertainty in Hazardous Materials Transportation Changhyun Kwon Department of Industrial &amp; Systems Engineering University at Buffalo, SUNY

960 views • 72 slides

More recommend