security monitoring of http traffic using extended flows
play

SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 - PowerPoint PPT Presentation

Jun 02, 2023 •312 likes •500 views

SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin Husk Petr Velan Jan Vykopal Introduction HTTP is the new IP and we want keep an eye on it. Large-scale monitoring of HTTP traffic was problematic:

  1. SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin Husák Petr Velan Jan Vykopal

  2. Introduction HTTP is the new IP and we want keep an eye on it. Large-scale monitoring of HTTP traffic was problematic: Traditional flow-based monitoring processes only L3/L4 headers. DPI is not scalable for large and high-speed networks. Extended flows combine the benefits of both methods. Can we use large-scale HTTP monitoring for security purposes? What types of incidents can we detect using extended flows? Security Monitoring of HTTP Traffic Using Extended Flows Page 2 / 17

  3. Flow Monitoring Passive method of network monitoring. Suitable for large-scale and high-speed networks. Only the L3/L4 headers are processed. Aggregation of network traffic to flows. Network flow is a series of packets sharing 5-tuple of elements: L3 protocol, source IP, destination IP, source port, destination port. Security Monitoring of HTTP Traffic Using Extended Flows Page 3 / 17

  4. Flow Monitoring Security Monitoring of HTTP Traffic Using Extended Flows Page 4 / 17

  5. Extended Flow Monitoring Extension of traditional flow monitoring. Modules parse additional information from packets. Additional data are stored along the network flow. Modules are optimized to parse speci fi c protocol/data. Overhead is acceptable, even for monitoring 10 Gbps links. Security Monitoring of HTTP Tra ffi c Using Extended Flows Page 5 / 17

  6. Research Questions Question I. What classes of HTTP traffic relevant to security can be observed at network level and what is their impact on attack detection? Question II. What is the added value of extended flow compared to traditional flow monitoring from a security point of view? Security Monitoring of HTTP Traffic Using Extended Flows Page 6 / 17

  7. Measurement Tools and Environment FlowMon probes deployed in campus network of Masaryk University (/16). 10 Gbps links, 40,000 users, and 15,000 active IPs per day. NetFlow and IPFIX export protocols. Extension modules for parsing HTTP headers. Over 10 G network flows containing over 1 G HTTP requests were processed. Security Monitoring of HTTP Traffic Using Extended Flows Page 7 / 17

  8. Data Elements Key flow elements: L3Proto, srcIP, dstIP, L4Proto, srcPort, dstPort. Additional elements: timeStart, timeEnd, packets, octets, TCPflags, ToS, srcAS, dstAS. HTTP elements: hostname, path, userAgent, requestMethod, referrer. responseCode, contentType. Security Monitoring of HTTP Traffic Using Extended Flows Page 8 / 17

  9. Results Traffic of interest was found in the three classes: I. Repeated request on a single host. II . Similar requests on many hosts. III . Multiple varying requests on multiple hosts. Class I Class II Class III Security Monitoring of HTTP Tra ffi c Using Extended Flows Page 9 / 17

  10. Class I: Repeated Requests Guest Host HTTP Path #Flows G1 H1 /wp- login .php 46,031 G2 H2 / admin istrator/index.php 27,965 G3 H2 / admin istrator/index.php 27,798 G4 H3 /wp- login .php 25,316 G5 H4 /pub/linux/slax/Slax-7.x/7.0.8/slax- 5,921 Chinese-Simplified-7.0.8-i486.iso G6 H5 / proxy /lib proxy .pac 5,036 G7 H6 /node/ 4,286 G8 H4 /pub/linux/slax/Slax-7.x/7.0.8/slax- 4 , 170 English-US-7.0.8-i486 .zip G 9 H 7 /wp- login .php 3 , 632 G 10 H 7 /polit/wp- login .php 3 , 632 Security Monitoring of HTTP Tra ffi c Using Extended Flows Page 10 / 17

  11. Brute-forcing and proxy servers Two interesting subclasses were identified: Brute-force password attacks. Clients connecting to proxy servers. Both subclasses can be r ecognized by repeating patterns in URLs. Subclass Path regular expression Portion [%] Proxy 49.4 .*libproxy.pac 45 . 0 .*sviproxy.pac 4 . 3 .*proxy.php 0 . 1 Brute-force 10.6 .*admin.* 6 . 7 .*login.* 3 . 9 Others 40.0 Security Monitoring of HTTP Tra ffi c Using Extended Flows Page 11 / 17

  12. Class II: Similar requests on many hosts Guest HTTP Path #Hosts % G1 /myadmin/scripts/setup.php 497 100 G1 /pma/scripts/setup.php 497 100 G1 /w00tw00t.at.blackhats.romanian.anti-sec:) 497 100 G1 /phpmyadmin/scripts/setup.php 495 99 G1 /phpMyAdmin/scripts/setup.php 494 99 G1 /MyAdmin/scripts/setup.php 491 99 G2 /manager/html 118 24 Security Monitoring of HTTP Traffic Using Extended Flows Page 12 / 17

  13. HTTP Scanners Hosts appearing in Class II. HTTP scanner requests the same URL from more hosts. Typically preceded by or accompanying TCP SYN scan. Lower number of fl ows is needed to detect a HTTP scan. The adversaries are searching for popular vulnerable resources, e.g., older versions of phpMyAdmin. Simultaneous search for more resources is common. Security Monitoring of HTTP Tra ffi c Using Extended Flows Page 13 / 17

  14. Class III: Varying requests on multiple hosts Guest Domain Name #Hosts 207.46.13.62 msnbot-207-46-13-62.search.msn.com 7 157.55.39.107 msnbot-157-55-39-107.search.msn.com 6 137.110.244.137 bnserver2.sdsc.edu 4 157.55.39.156 msnbot-157-55-39-6.search.msn.com 4 157.55.39.6 msnbot-157-55-39-156.search.msn.com 4 37.187.28.19 z 3 .sentione.com 4 137 . 110 . 244 . 139 integromedb-crawler.integromedb.org 3 5 . 135 . 154 . 106 nks 02 .sentione.com 3 5 . 135 . 154 . 98 nks 03 .sentione.com 3 77 . 75 . 73 . 32 fulltextrobot- 77 - 75 - 73 - 32 .seznam.cz 3 77 . 75 . 77 . 17 fulltextrobot- 77 - 75 - 77 - 17 .seznam.cz 3 Security Monitoring of HTTP Tra ffi c Using Extended Flows Page 14 / 17

  15. Web crawlers Web crawlers are mostly legitimate and welcome in the network. Two reasons to include them in the analysis: Malicious crawlers, e.g., e-mail harvesters discovering spam recipients. The large number of flows they generate. Legitimate crawlers can be identified by reverse DNS records or well-known User-Agent in HTTP field. Lack of such data indicates suspicious crawler. All detection methods have to deal with false positive alerts. Identification of legitimate crawler can reduce number of FPs. Security Monitoring of HTTP Traffic Using Extended Flows Page 15 / 17

  16. Conclusion Extended flows enable large-scale analysis of HTTP traffic. Traffic of interest was found in three classes: Repeated requests - brute-force password attack or proxy server. HTTP scanning. Activity of web crawlers. Straighforward implementation of detection methods. Lower thresholds are needed, e.g., for HTTP scan detection. Clearer evidence of malicious intent. Not limited to aggregation-based methods. Detection of accesses to a phishing website. Communication with suspicious domains. Security Monitoring of HTTP Tra ffi c Using Extended Flows Page 16 / 17

  17. THANK YOU FOR YOUR ATTENTION! Martin Husák muni.cz/csirt @csirtmu husakm@ics.muni.cz

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tools for Security Analysis of Traffic on L7 Practical course 50th TF-CSIRT meeting and FIRST

Tools for Security Analysis of Traffic on L7 Practical course 50th TF-CSIRT meeting and FIRST

www.liberouter.org Tools for Security Analysis of Traffic on L7 Practical course 50th TF-CSIRT meeting and FIRST Regional Symposium for Europe Security Tools as a Service Flow monitoring overview Flow monitoring extended by application layer

1.99k views • 184 slides
Communication Networks and Services Quality of Service (QoS) - Identify traffic flows - Mark

Communication Networks and Services Quality of Service (QoS) - Identify traffic flows - Mark

Communication Networks and Services Quality of Service (QoS) - Identify traffic flows - Mark traffic flows - Police and shape traffic - Apply priority (managed scheduling) 1 Open-Loop Control / QoS Model Network performance is guaranteed to

408 views • 24 slides
Enterprise-Level Network Traffic Analysis and Security Monitoring Martin Arlitt and Carey

Enterprise-Level Network Traffic Analysis and Security Monitoring Martin Arlitt and Carey

Enterprise-Level Network Traffic Analysis and Security Monitoring Martin Arlitt and Carey Williamson Department of Computer Science University of Calgary Outline Introduction (Carey: 20 minutes) Internet TCP/IP protocol stack

959 views • 48 slides
ISF Monitoring Committee Mandate and Terms of Reference 16 th November 2015 Internal Security

ISF Monitoring Committee Mandate and Terms of Reference 16 th November 2015 Internal Security

ISF Monitoring Committee Mandate and Terms of Reference 16 th November 2015 Internal Security Fund 2014-2020 Co-financing rate: 75% EU Funds 25% Beneficiarys Funds Sustainable Management of Migration Flows Legal Basis: The ISF Monitoring

609 views • 16 slides
Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT,

Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT,

Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT, PERFORMANCE The Brief. Extended Berkley Packet Filter (eBPF) is a new Linux feature which allows safe and efficient monitoring of kernel functions.

593 views • 27 slides
Flow-based extended formulations for feasible traffic light controls Aussois Combinatorial

Flow-based extended formulations for feasible traffic light controls Aussois Combinatorial

Maximilian Merkert Flow-based extended formulations for feasible traffic light controls Aussois Combinatorial Optimization Workshop, January 8, 2019 joint work with Gennadiy Averkov, Do Duc Le Outline 1 Introduction 2 Flow-based Extended

588 views • 39 slides
Understanding traffic flows to improve air quality Project leader: Laura Po laura.po@unimore.it

Understanding traffic flows to improve air quality Project leader: Laura Po laura.po@unimore.it

Understanding traffic flows to improve air quality Project leader: Laura Po laura.po@unimore.it University of Modena and Reggio Emilia - ITALY MOTIVATIONS Environmental impacts of traffic are of major concern throughout many European

225 views • 7 slides
Optimisation and Prioritisation of Flows of Air Traffic through an ATM Network SESAR Innovation

Optimisation and Prioritisation of Flows of Air Traffic through an ATM Network SESAR Innovation

Optimisation and Prioritisation of Flows of Air Traffic through an ATM Network SESAR Innovation Days, Braunschweig, November 2012 Hugo de Jonge and Ron Selje, NLR jongehw@nlr.nl Nationaal Lucht- en Ruimtevaartlaboratorium National

883 views • 23 slides
TensorFlow Extended (TFX) An End-to-End ML Platform Clemens Mewald TensorFlow Extended (TFX): An

TensorFlow Extended (TFX) An End-to-End ML Platform Clemens Mewald TensorFlow Extended (TFX): An

TensorFlow Extended (TFX) An End-to-End ML Platform Clemens Mewald TensorFlow Extended (TFX): An End-to-End ML Platform Integrated Frontend for Job Management, Monitoring, Debugging, Data/Model/Evaluation Visualization Shared Configuration

1.83k views • 129 slides
IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures Jos

IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures Jos

IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures Jos Augusto Suruagy Monteiro Centro de Informtica - UFPE IoT-Flows: US Subteam (PIs) Prof. Atul Prakash (UMich) Expert on security and IoT Prof. Darko

455 views • 24 slides
All Your Cluster-Grids Are Belong to Us: Monitoring the (in)Security of Infrastructure Monitoring

All Your Cluster-Grids Are Belong to Us: Monitoring the (in)Security of Infrastructure Monitoring

All Your Cluster-Grids Are Belong to Us: Monitoring the (in)Security of Infrastructure Monitoring Systems Andrei Costin EURECOM, France 1 st Workshop on Security & Privacy in the Cloud (SPC) 30 Sep 2015, Florence Italy Agenda

640 views • 63 slides
Applying Predicate Logic to Monitoring Network Traffic Wolfgang Schreiner

Applying Predicate Logic to Monitoring Network Traffic Wolfgang Schreiner

Applying Predicate Logic to Monitoring Network Traffic Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at Joint work with Temur

901 views • 30 slides
Extended mean-flow analysis of periodic flows Olivier Marquet & Marco Carini Department of

Extended mean-flow analysis of periodic flows Olivier Marquet & Marco Carini Department of

Extended mean-flow analysis of periodic flows Olivier Marquet & Marco Carini Department of Aerodynamics, Aeroacoustics and Aeroelasticity 16 th European Turbulence Conference 21-24 August 2017, Stockholm, Sweden Introduction Periodic flow

527 views • 37 slides
Monitoring Network Security with the Open-Source Bro NIDS Robin Sommer Lawrence Berkeley National

Monitoring Network Security with the Open-Source Bro NIDS Robin Sommer Lawrence Berkeley National

Monitoring Network Security with the Open-Source Bro NIDS Robin Sommer Lawrence Berkeley National Laboratory & International Computer Science Institute rsommer@lbl.gov http://www.icir.org DOE Network Security Monitoring Technical Summit at

922 views • 49 slides
Collabora've*monitoring** of*Air*Traffic*and*RF*spectrum:**

Collabora've*monitoring** of*Air*Traffic*and*RF*spectrum:**

Collabora've*monitoring** of*Air*Traffic*and*RF*spectrum:** the**OpenSky*and*ElectroSense*projects* Fabio*Ricciato*(speaker),*on*behalf*of** Vincent*Lenders,*MaThias*Schaefer,*Domenico*Gius'niano,*Roberto*Calvo* **and*many*others* *

1.08k views • 63 slides
KAFKA STREAMS CLOUD MONITORING AWS CLOUD MONITORING AWS APP CLOUD MONITORING AWS HTTP APP

KAFKA STREAMS CLOUD MONITORING AWS CLOUD MONITORING AWS APP CLOUD MONITORING AWS HTTP APP

FROM USE CASE TO PRODUCTION KAFKA STREAMS CLOUD MONITORING AWS CLOUD MONITORING AWS APP CLOUD MONITORING AWS HTTP APP CLOUD MONITORING AWS METRICS NRDB HTTP APP CLOUD MONITORING SCHDLR JOBS AWS NRDB METRICS HTTP WORKER CLOUD

1.43k views • 124 slides
What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks AbdelRahman Abdou, David Barrera ,

What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks AbdelRahman Abdou, David Barrera ,

What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks AbdelRahman Abdou, David Barrera , Paul van Oorschot 1 Secure Shell (SSH) Protocol to enable remote logins and network services over an unsecured network. Typically used for

537 views • 27 slides
Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist

Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist

IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 7 Broken Authentication and Session Management 1 Table of Contents

641 views • 24 slides
Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128

Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128

Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128 Andrey Bogdanov*, Elif Bilge Kavun**, Christof Paar**, Christian Rechberger***, Tolga Yalcin** * KU Leuven, Belgium, ** HGI-RUB, Germany, ***

467 views • 22 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

923 views • 51 slides
k k text text The same key is used to encrypt the document before sending and decrypt it at

k k text text The same key is used to encrypt the document before sending and decrypt it at

Cryptographic methods: Why use cryptography? Can offer genuinely secure solutions to Brian Candler important security problems Updated by Hervey Allen Some governments forbid it Confidentiality Can I be sure no-one else can see my

845 views • 11 slides
TomcatCon Securing Tomcat For Your Environment Mark Thomas TM Introduction TM Agenda

TomcatCon Securing Tomcat For Your Environment Mark Thomas TM Introduction TM Agenda

TM TomcatCon Securing Tomcat For Your Environment Mark Thomas TM Introduction TM Agenda Background Passwords and configuration files Threats Web applications Keeping up to date Policy and process Operating system

842 views • 28 slides
DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: basit@virginia.edu Fall

DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: basit@virginia.edu Fall

DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: basit@virginia.edu Fall 2020 University of Virginia 1 Levels of DB Security There are 6 levels that impact database security Database Level database users and

380 views • 18 slides
Deterrence in the 21 st Century? Dan Altman Assistant Professor Georgia State University

Deterrence in the 21 st Century? Dan Altman Assistant Professor Georgia State University

Is the Fait Accompli the Primary Challenge for Deterrence in the 21 st Century? Dan Altman Assistant Professor Georgia State University December 12 th , 2018 Why the Fait Accompli Matters Nuclear powers have fought each other twice: China vs.

467 views • 23 slides

More recommend