trace share towards provable network traffic measurement
play

Trace-Share: Towards Provable Network Traffic Measurement and - PowerPoint PPT Presentation

Jan 17, 2023 •238 likes •440 views

Trace-Share: Towards Provable Network Traffic Measurement and Analysis Special Session on Network Security at Prague Embedded Systems Workshop (PESW 2019) June 28, 2019 Milan Cermak Institute of Computer Science, Masaryk University, Brno 2 3

  1. Trace-Share: Towards Provable Network Traffic Measurement and Analysis Special Session on Network Security at Prague Embedded Systems Workshop (PESW 2019) June 28, 2019 Milan Cermak Institute of Computer Science, Masaryk University, Brno

  2. 2

  3. 3

  4. 4

  5. Issues of Network Traffic Analysis Research challenges that everyone must deal with Lack of research standards missing rules for research data collection, analysis, sharing, and ethics of their usage ▪ Inaccessibility of appropriate datasets real-world data cannot be reliable annotated and needs to be anonymized, artificial data are ▪ not sufficiently realistic and provides a limited set of events in network traffic Inability to prove research results we have no approach to assess the proposed analytical method reliably ▪ No verification of other researchers’ findings data and algorithms are kept in private which leads to the impossibility of research ▪ reproducibility 5

  6. 6

  7. The Initial Idea what we realized during our research Full packet capture of a single event can be publicly shared – one network event contains only a minimum of personal data and can be publicly shared and annotated Packet capture can be „simply“ transformed – packet fields can be changed to predefined values and adapted according to real-world data Events can be mixed with each other or with real-world data – we have access to the real-world data, but we need an annotation or a ground truth 7

  8. Trace-Share: Towards Provable Network Traffic Measurement and Analysis our goal is to cover all issues related to research provability and dataset usage, but we need to start from the beginning… 8

  9. Annotated Unit single event in network traffic that is normalized and annotated Unit of network traffic ▪ A single complex event in a network containing all connections and packets related to the event ▪ Full packet capture with all application data (Pcap or PcapNg) ▪ Known capture environment and all characteristics of the network Normalized unit ▪ Unification of the unit to simplify further processing of all events ▪ MAC addresses rewrited to 00:00:00:00:00:01 (source), 01:00:00:00:00:01 (destination) ▪ IP addresses rewrited to 240.0.0.2 (source), 240.125.0.2 (destination) ▪ Capture start set to zero epoch time Annotated unit ▪ Normalized unit enriched to its annotation ▪ Capture properties, event description, and optional tags (e.g., MITRE ATT&CK™ classes) 9

  10. Annotated Unit of SSH Dictionary Attack theory is nice but real example is better ▪ Various tools providing a lot of options results in multiple annotated units for each variant ▪ Successful and unsuccessful attacks can form different annotated units ▪ Required number of connections is not specified, you decide what an attack is https://github.com/CSIRT-MU/Trace-Share/tree/master/datasets/SSH_dictionary_attacks 10

  11. Automated Creation of Annotated Units a simple way to obtain all variants of the desired event ▪ Virtual environment orchestrated by Vagrant and Ansible ▪ Configurable management script deployed on the Attacker able to manipulate settings of used hosts, run given commands, and start captures of all related network traffic ▪ Full packet trace is generated for all given commands ▪ Publicly available at https://github.com/CSIRT-MU/Trace-Share/tree/master/trace-creator 11

  12. Challenges of Annotated Units besides benefits, there are still issues that need to be addressed ▪ No sensitive content of a traffic ▪ Variability of network environment ▪ Accurate annotation ▪ Normalization in application data ▪ Easily accessible data recency ▪ Annotation format 12

  13. Semi-labeled Dataset combination of annotated units with real-world network traffic Semi-labeled dataset = additional of ground truth baseline in your unlabeled real-world data via injection of selected annotated units 1. Select annotated units based on your interest 2. Capture real-world network traffic within your environment 3. Compute characteristics of the real-world traffic capture 4. Modify annotated units to reflect characteristics of the real-world traffic 5. Merge annotated units and real-world traffic capture 13

  14. Intrusion Detection Dataset Toolkit (ID2T) a tool with awesome features suitable for our goal "ID2T facilitates the creation of labeled datasets by injecting synthetic attacks into background traffic injected synthetic attacks blend themselves with the background traffic by mimicking the background traffic’s properties to eliminate any trace of ID2 T’s usage." Publicly available at https://github.com/tklab-tud/ID2T 14

  15. Trace-Share: ID2T an extension providing injection of existing packet traces Extension of the Attack Controller to support usage of existing packet traces ▪ Instead of prescription for a synthetic attack, you can provide annotated units and specify packet fields that should be adapted according to the background traffic Adaptation of variable packet fields in major network protocols ▪ MAC and IP addresses for ARP, IPv4, IPv6, ICMPv4, ICMPv6, DNS, HTTPv1 ▪ Ports in UDP and ports, window size, maximum segment size, time-to-live in TCP ▪ Packet timestamp Background traffic Simple merge of ZeroAccess Merge by ID2T 15

  16. Analysis Development with Semi-Labeled Datasets usage example of annotated units and semi-labeled datasets 1. Use annotated units for an initial comprehension of network traffic related to your problem 2. Enrich your real-world data with selected annotated units and prepare semi-labeled datasets 3. Train and develop the analysis prototype using baseline provided by generated datasets 4. Finalize the method after you can recognize all desired annotated units 16

  17. Analysis Evaluation Using Semi-Labeled Dataset injected lables serves as a ground truth in unlabeled data ▪ Injected annotated units serves as a ground truth baseline in unlabeled dataset ▪ Balanced quantitative (objective metrics) and qualitative (real-world data characteristics) aspects ▪ Unknown positives need to be verified manually and shared Annotated units Other identified events Uncertainty 17

  18. Data Sharing Platform generate your units, share them, and use what others have created ▪ Community hub ▪ Storage and management of annotated units ▪ Assisted uploading, normalization, annotation, and adaption of annotated units ▪ Inspired by OpenML platform (see https://openml.org) ▪ Prototype available at the end of the year (see https://github.com/Trace-Share) 18

  19. Summary what you should take away from this presentation ▪ You don’t need to share the entire network traffic, share only selected events! ▪ Mix events between themselves and with real-world traffic ▪ Share your differences and provide your annotated units to others ▪ Prove your research results! ▪ Check our repository https://github.com/Trace-Share ▪ If you are interested in this topic, contact me at cermak@ics.muni.cz 19

  20. Prove your research by shared trace! Milan Cermak https://github.com/Trace-Share @csirtmu cermak@ics.muni.cz

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Towards Provable Network Traffic Measurement and Analysis via Semi-Labeled Trace Datasets

Towards Provable Network Traffic Measurement and Analysis via Semi-Labeled Trace Datasets

Towards Provable Network Traffic Measurement and Analysis via Semi-Labeled Trace Datasets Network Traffic Measurement and Analysis Conference (TMA 2018) June 28, 2018 Milan Cermak et al. Institute of Computer Science, Masaryk University, Brno

575 views • 25 slides
Traffic Measurement Lothar Braun Outline Why do we need to measure traffic in the Internet?

Traffic Measurement Lothar Braun Outline Why do we need to measure traffic in the Internet?

Chair for Network Architectures and Services Department of Informatics Technische Universitt Mnchen Traffic Measurement Lothar Braun Outline Why do we need to measure traffic in the Internet? Active measurement vs. passive

771 views • 31 slides
Traffic Measurement Lothar Braun Outline q Why do we need to measure traffic in the Internet?

Traffic Measurement Lothar Braun Outline q Why do we need to measure traffic in the Internet?

Chair for Network Architectures and Services Department of Informatics Technische Universitt Mnchen Traffic Measurement Lothar Braun Outline q Why do we need to measure traffic in the Internet? q Active measurement vs. passive

654 views • 31 slides
Community Oriented Network Measurement March 30, 2005 Welcome Internet Measurement

Community Oriented Network Measurement March 30, 2005 Welcome Internet Measurement

Community Oriented Network Measurement March 30, 2005 Welcome Internet Measurement Kleinrock and Naylor, 1974: Original ARPANET had built-in abilities to: Trace a single packets passage through the network Obtain

475 views • 28 slides
Measurement of Data Traffic Measurement of Data Traffic in Cellular Networks 2008.8.16 Kisu

Measurement of Data Traffic Measurement of Data Traffic in Cellular Networks 2008.8.16 Kisu

Measurement of Data Traffic Measurement of Data Traffic in Cellular Networks 2008.8.16 Kisu Kim, Hyeongu Son, Taeck-keun Kwon, DK Lee*, S. Moon* and Youngseok Lee, Chungnam National University *KAIST D Daejon, Korea j K 1 Contents

1.2k views • 28 slides
Measurement and Analysis of Traffic in a Hybrid Satellite-Terrestrial Network Qing (Kenny) Shao

Measurement and Analysis of Traffic in a Hybrid Satellite-Terrestrial Network Qing (Kenny) Shao

Measurement and Analysis of Traffic in a Hybrid Satellite-Terrestrial Network Qing (Kenny) Shao and Ljiljana Trajkovic { qshao, ljilja} @cs.sfu.ca Communication Networks Laboratory http://www.ensc.sfu.ca/cnl School of Engineering Science

533 views • 29 slides
Update on RMCAT Video Traffic Model: Trace Analysis and Model Update

Update on RMCAT Video Traffic Model: Trace Analysis and Model Update

Update on RMCAT Video Traffic Model: Trace Analysis and Model Update draft-ietf-rmcat-video-traffic-model-02 Xiaoqing Zhu, Sergio Mena, and Zahed Sarker April 2017 | IETF RMCAT Virtual Interim 1 Outline Setup for trace collection from

486 views • 21 slides
WAN Measurement Carey Williamson Department of Computer Science University of Calgary WAN

WAN Measurement Carey Williamson Department of Computer Science University of Calgary WAN

CPSC 641: WAN Measurement Carey Williamson Department of Computer Science University of Calgary WAN Traffic Measurements There have been several studies of wide area network traffic (i.e., Internet traffic) We will look briefly at two

655 views • 13 slides
Network Measurement Carey Williamson Department of Computer Science University of Calgary

Network Measurement Carey Williamson Department of Computer Science University of Calgary

CPSC 641: Network Measurement Carey Williamson Department of Computer Science University of Calgary Network Traffic Measurement A focus of networking research for 30+ years Collect data or packet traces showing packet activity on the

462 views • 25 slides
LAN Measurement Carey Williamson Department of Computer Science University of Calgary LAN

LAN Measurement Carey Williamson Department of Computer Science University of Calgary LAN

CPSC 641: LAN Measurement Carey Williamson Department of Computer Science University of Calgary LAN Traffic Measurements Some of the first network traffic measurement papers were for measurements done on Ethernet local area networks

696 views • 7 slides
Servers in Action: Towards Distributed Traffic Measurement in Data Centers Praveen Tammana &

Servers in Action: Towards Distributed Traffic Measurement in Data Centers Praveen Tammana &

Servers in Action: Towards Distributed Traffic Measurement in Data Centers Praveen Tammana & Myungjin Lee School of Informatics University of Edinburgh MSN14 - Cosener's House, Abingdon 1 Network Measurement in Data Centers Data

574 views • 25 slides
Traffic Measurement Activities of the WIDE project Kenjiro Cho IIJ Research Lab traffic

Traffic Measurement Activities of the WIDE project Kenjiro Cho IIJ Research Lab traffic

Traffic Measurement Activities of the WIDE project Kenjiro Cho IIJ Research Lab traffic measurement and analysis in WIDE measurement activities across research groups broad perspectives - tracking long-term trends - analysis (with wide

415 views • 12 slides
Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification, Measurement, and Analysis and Analysis ISC/CAIDA Data Collaboration Workshop October 22, 2012 David Plonka & Paul Barford

1.33k views • 26 slides
A summary of security-related network measurements. David Malone Maynooth University.

A summary of security-related network measurements. David Malone Maynooth University.

A summary of security-related network measurements. David Malone Maynooth University. 2017-09-11 15:15:00 Network Measurement Results Internet Measurement Conference (IMC), Passive and Active Measurement Conference (PAM), Traffic

812 views • 12 slides
Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1 Presentation By Henk van Doorn & Marko Spithoff Relevance Security Audits Company Detects (Attempted) Breach Accountability Of Actions 2

337 views • 22 slides
Clemson OpenFlow Trials Enabling Network Traffic Measurement and Control over C Campus Ethernet,

Clemson OpenFlow Trials Enabling Network Traffic Measurement and Control over C Campus Ethernet,

Clemson OpenFlow Trials Enabling Network Traffic Measurement and Control over C Campus Ethernet, Wireless Mesh, and Vehicular Networks Eth t Wi l M h d V hi l N t k Campus Ethernet + Wireless Mesh for Vehicle Access + C f Campus

370 views • 7 slides
BETTER RESEARCH BY APPLYING SYNTHESIS OF EVIDENCE Focus on High Research Quality and Translation as

BETTER RESEARCH BY APPLYING SYNTHESIS OF EVIDENCE Focus on High Research Quality and Translation as

BETTER RESEARCH BY APPLYING SYNTHESIS OF EVIDENCE Focus on High Research Quality and Translation as well as a Culture of Care by Implementing AUGUST a new powerful initiative at AARHUS UNIVERSITY Birgitte Kousholt, DVM, PhD Department of

449 views • 16 slides
Apport des modlisations ab initio pour la comprhension des proprits structurales et

Apport des modlisations ab initio pour la comprhension des proprits structurales et

Apport des modlisations ab initio pour la comprhension des proprits structurales et dynamiques de verres borosilicats Laurent Pedesseau 1,2 , Simona Ispas 1 & Walter Kob 1 1 Laboratoire Charles Coulomb Universit Montpellier 2

615 views • 24 slides
Heartily Welcomes You Innovating with QUALITY & VALUE forever Innovating with OUR

Heartily Welcomes You Innovating with QUALITY & VALUE forever Innovating with OUR

Innovating with QUALITY & VALUE forever Heartily Welcomes You Innovating with QUALITY & VALUE forever Innovating with OUR STRENGTHS Quality & Value & CAPABILITIES Innovating with QUALITY & VALUE forever Background

618 views • 39 slides
Supporting Innovation in Technology Enhanced Learning Carmen Luisa Padrn-Npoles (ATOS)

Supporting Innovation in Technology Enhanced Learning Carmen Luisa Padrn-Npoles (ATOS)

Supporting Innovation in Technology Enhanced Learning Carmen Luisa Padrn-Npoles (ATOS) Stefania Aceto (MENON) Anthony Camileri (EFQUEL) Workshop at EC-TEL 2014 Conference September 16th, 2014 Graz, Austria Table of contents Introduction

647 views • 26 slides
Dementia NICE Guideline Dr Umar Bedi Consultant-Old Age Psychiatry Topics for Discussion

Dementia NICE Guideline Dr Umar Bedi Consultant-Old Age Psychiatry Topics for Discussion

Dementia NICE Guideline Dr Umar Bedi Consultant-Old Age Psychiatry Topics for Discussion Dementia: Nice Guideline Primary Care: Key Points Changes and Implications Berkshire Dementia Pathway Dementia News Daily Mail

888 views • 52 slides
Strengthening ETC Engagement With NGOs Session Purpose 1. Inform members of the ETC NGO

Strengthening ETC Engagement With NGOs Session Purpose 1. Inform members of the ETC NGO

Strengthening ETC Engagement With NGOs Session Purpose 1. Inform members of the ETC NGO Engagement Strategy process 2. Seek support from ETC Plenary to advocate for stronger and sustained NGO engagement at global and local levels w w w

352 views • 8 slides
Bill Fuller, FDOT District One Question 1 Question 1 Whic Which h Re Response A

Bill Fuller, FDOT District One Question 1 Question 1 Whic Which h Re Response A

Bill Fuller, FDOT District One Question 1 Question 1 Whic Which h Re Response A Agency D Do You R u Represent? epresent? Other Law FHP Fire/Rescue Other Total Enforcement 5 4 27 11 47 Counties and Number of

519 views • 16 slides
VIROFIGHT Project 1 VIROFIGHT project has received funding from the European Unions Horizon

VIROFIGHT Project 1 VIROFIGHT project has received funding from the European Unions Horizon

VIROFIGHT Project 1 VIROFIGHT project has received funding from the European Unions Horizon 2020 research and innovation programme under grant a greement No 899619. VIROFIGHT: General purpose virus-neutralizing engulfing shells with modular

293 views • 13 slides

More recommend