using of time characteristic in netflow data for
play

Using of time characteristic in Netflow data for improvement of - PowerPoint PPT Presentation

Jul 07, 2023 •212 likes •479 views

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska, J. Novotn, {piskac|novotny}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management July 30, 2010, Maastricht, The Netherlands

  1. Using of time characteristic in Netflow data for improvement of protocol detection P. Piskač, J. Novotný, {piskac|novotny}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management July 30, 2010, Maastricht, The Netherlands

  2. 1 Motivation 2 Tools 3 Evaluation 4 Conclusion and future work P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 2 / 26

  3. 1 Motivation 2 Tools 3 Evaluation 4 Conclusion and future work P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 3 / 26

  4. Motivation The knowledge of network protocol distribution is very important for security applications on a computer network. For example - botnets represent some kind of communication with similar behavior and use small sets of network protocols. Information about protocols can be gathered from NetFlow but: protocol recognition based only on port numbers is weak and can be simply compromised, doesn’t work on tunneled data. Despite of these disadvantages, it is possible to use NetFlow, but it needs to be extended by some other information. P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 4 / 26

  5. Methods for extending protocol detection Better results can be achieved using deep packet inspection (e.g. Snort application), which: + achieves good results, − needs a lot of computational power, which is an issue on high speed networks, − doesn’t work on encrypted communication. Other ways to extend NetFlow analysis: header analysis (L7 . . . ), analysis of first packets in a flow, methods based on time characteristic. P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 5 / 26

  6. Work goals Check protocol detection based on time characteristic analysis. The goals were achieved in the following steps: select and explore one protocol from packet and flow point of 1 view, find out possibilities of detecting selected protocol using 2 information about time characteristic, implement detection methods, 3 create a plug-in for NfSen, 4 make experiments. 5 P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 6 / 26

  7. 1 Motivation 2 Tools 3 Evaluation 4 Conclusion and future work P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 7 / 26

  8. Time characteristic Time characteristic is calculated from inter-packet gaps in a flow. Time characteristic of packet a flow consists of: accurate time stamp of the flow begin, accurate time stamp of the flow end, minimal inter-packet gap in the flow, maximal inter-packet gap in the flow, average inter-packet gap in the flow, standard deviation of inter-packet gap in the flow. flow dip, sip, dport, sport, protocol flow dip, sip, dport, sport, protocol, time characteristic P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 8 / 26

  9. NetFlow data collecting P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 9 / 26

  10. NfSen NfSen is an open source graphical web based front end for the nfdump NetFlow tools. NfSen allows you to: display your NetFlow data: Flows, Packets and Bytes using RRD (Round Robin Database), easily navigate through the NetFlow data, process the NetFlow data within the specified time span, create history as well as continuous profiles, set alerts, based on various conditions, write your own plug-ins to process NetFlow data on a regular interval. There is no necessary to develop any new tool, but we can just use NfSen with appropriate plug-in for data processing. P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 10 / 26

  11. Getting extended NetFlow data Existing infrastructure of Masaryk University uses FlowMon probes and some CISCO routers. Both of them don’t provide details about time characteristic. Time resolution is 1ms in standard NetFlow data. It is too imprecise for time characteristic. Flow Time Statistics (FTS) was used to get NetFlow data extended by time characteristic. FTS is testing tool for Liberouter project - it is not final solution suitable for real deployment. Important goal of the proposed work is to prove reason for extension FlowMon probes to generate time characteristic. P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 11 / 26

  12. FTS connection Packet processing Data processing Data storage Input from Attack T esting FTS Statistics T ext files FTS detection module NfSen LAN eth0 FlowMon Flat-file FlowMon module database P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 12 / 26

  13. 1 Motivation 2 Tools 3 Evaluation 4 Conclusion and future work P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 13 / 26

  14. Choosing a protocol As the test protocol was chosen SSHv2 protocol because: attacks (especially dictionary) on this protocol represent security threat, which should be detected, the information about amount of SSH connections in a traffic is important from security reasons, SSH is an open and well know protocol, SSH can be used for botnet control. P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 14 / 26

  15. Protocol detection Detection works on comparison two vectors - pattern vector and unknown connection vector. A vector is created from extended flow information. Data included in a vector: information about time characteristic, number of transferred bytes and packets, information about 3rd and 4th network layers. Key issue is to find pattern vector - for test purposes it was created by “hand” using data observation. P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 15 / 26

  16. Choosing of pattern vector Pattern vector can be chosen from real or testing environment. Testing environment minimizes latency and other network influences. Real environment uses data with a lot of different influences. It makes finding of the right vector more complex (according “noise” in data). Pattern vector for SSH protocol has been chosen from testing environment according to results of the tests. P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 16 / 26

  17. Operations with vectors There is a lack of information about any method used for time characteristic in the literature. We need to use methods from other area. Vectors were compared using: � N i = 1 ( � p i − q i � ) average distance between vectors d ( p , q ) = , N �� N i = 1 ( p i − q i ) 2 root-mean-square distance d ( p , q ) = , N �� N i = 1 ( p i − q i ) 2 , euclidean distance d ( p , q ) = � N i = 1 ( p i × q i ) angle between vectors d ( p , q ) = . �� N �� N i = 1 ( p 2 i ) i = 1 ( q 2 i ) P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 17 / 26

  18. Test results We were not capable to classify SSH protocol because user interaction brings a lot of random data, that countermeasures all vectors. But the tests show, that there is a possibility to detect some dictionary attacks on SSH. Detection of dictionary attacks was chosen to prove the method, which uses NetFlow data extended by time characteristic. P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 18 / 26

  19. Accuracy of dictionary attacks detection Average distance RMS Distance TAR 1 FAR 2 Pattern TAR FAR % % % % Testing 91 8 91 10 Real 88 3 88 3 Euclidean metrics Angle between vectors Pattern TAR FAR TAR FAR % % % % Testing 91 10 94 25 Real 87 2 78 19 1 TAR - True Acceptance Rate 2 FAR - False Acceptance Rate P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 19 / 26

  20. Practical example 250 Average distance method RMS method Euclidean distance method Angle between vectors method 200 Number of possible attacks 150 100 50 0 14:00 16:00 18:00 20:00 22:00 00:00 02:00 04:00 06:00 08:00 10:00 12:00 14:00 16:00 Time P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 20 / 26

  21. 1 Motivation 2 Tools 3 Evaluation 4 Conclusion and future work P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 21 / 26

  22. Conclusion This field of interest has not been deeply explored yet. Some protocols (e.g. HTTPS, IMAP) are very similar to SSH from time characteristic point of view. Vector comparison methods give very similar results with exception of angle between vectors method. It has been explored, that password based authentication protocols look very similar. This method works for revealing dictionary attacks. P. Piskac et al. Using of time characteristic in Netflow data for improvement of protocol detection 22 / 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T.

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T.

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T. Plesnk, M. Truneka, V. Krmek {celeda|vykopal|plesnik|trunecka|vojtec}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network

1.19k views • 36 slides
NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents Netflow What it is and how it works Uses and Applications Vendor Configurations/Implementation Cisco and Juniper NetFlow tools

1.24k views • 62 slides
NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis Intrusion Detection, Protection, and Usage Reporting NetFlow is a cornucopia of information that allows for: Intrusion Detection, Bandwidth usage,

665 views • 17 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network Monitoring and Visibility Challenges Technology of the future Q&A What t is NetFlow? Network protocol originally developed by Cisco

560 views • 21 slides
Data Fusion Enhancing NetFlow Graph Analytics EMILIE PURVINE, BRYAN OLSEN, CLIFF JOSLYN Pacific

Data Fusion Enhancing NetFlow Graph Analytics EMILIE PURVINE, BRYAN OLSEN, CLIFF JOSLYN Pacific

Data Fusion Enhancing NetFlow Graph Analytics EMILIE PURVINE, BRYAN OLSEN, CLIFF JOSLYN Pacific Northwest National Laboratory FloCon 2016 Outline Introduction NetFlow Windows Event Log data Remote Desktop Protocol (RDP) sessions Approach

510 views • 32 slides
Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring

Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring

A Performance Benchmark for NetFlow Data Analysis on Distributed Stream Processing Systems NOMS 2016 Wednesday 27 th April, 2016 Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring and Analysis

606 views • 23 slides
Singularities in characteristic zero and singularities in characteristic p Karl Schwede 1 1

Singularities in characteristic zero and singularities in characteristic p Karl Schwede 1 1

Singularities on algebraic varieties Types of singularities in characteristic zero Singularities in characteristic p > 0 Singularities in characteristic zero and singularities in characteristic p Karl Schwede 1 1 Department of Mathematics

1.76k views • 146 slides
NetFlow Data Capturing and Processing at SWITCH and ETH Zurich Arno Wagner

NetFlow Data Capturing and Processing at SWITCH and ETH Zurich Arno Wagner

NetFlow Data Capturing and Processing at SWITCH and ETH Zurich Arno Wagner wagner@tik.ee.ethz.ch Communication Systems Laboratory Swiss Federal Institute of Technology Zurich (ETH Zurich) Talk Outline The DDoSVax Project The SWITCH Network

249 views • 23 slides
GUI Testing Chapter 19 GUI characteristic Figure 19.1 What is the main characteristic of

GUI Testing Chapter 19 GUI characteristic Figure 19.1 What is the main characteristic of

GUI Testing Chapter 19 GUI characteristic Figure 19.1 What is the main characteristic of GUIs? GUI2 GUI characteristic 2 What is the main characteristic of GUIs? Event driven GUI3 Levels of testing What are the

718 views • 43 slides
Keywords: Fig, qualitative and quantitative characteristic, diversity, productivity . Time of

Keywords: Fig, qualitative and quantitative characteristic, diversity, productivity . Time of

Keywords: Fig, qualitative and quantitative characteristic, diversity, productivity . Time of study: 2015-2019 Place of study: Collection of fruit tree, Agriculture University of Tirana, germplasm field in Valias. To evaluation, to

638 views • 62 slides
nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org>

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org>

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org> NetFlow Traffic Monitoring Cisco NetFlow is a commercial standard for network monitoring and accounting Many companies (e.g. Cisco, Juniper,

430 views • 14 slides
Teryl Taylor Purpose Visualize pair-wise data attributes from a Netflow record (e.g.

Teryl Taylor Purpose Visualize pair-wise data attributes from a Netflow record (e.g.

Teryl Taylor Purpose Visualize pair-wise data attributes from a Netflow record (e.g. source host/network vs destination host/network). Deal with some key issues facing current connection-based visualizations: occlusion, drill

509 views • 12 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
Hands on Case Study: Applying Dynamic Network Analysis to Temporal Netflow Data Geoffrey Dobson

Hands on Case Study: Applying Dynamic Network Analysis to Temporal Netflow Data Geoffrey Dobson

<Your Name> Hands on Case Study: Applying Dynamic Network Analysis to Temporal Netflow Data Geoffrey Dobson gdobson@andrew.cmu.edu June 2020 Center for Computational Analysis of Social and Organizational Systems

259 views • 14 slides
FlowRadar: A Better NetFlow for Data Centers Yuliang Li and Rui Miao, University of Southern

FlowRadar: A Better NetFlow for Data Centers Yuliang Li and Rui Miao, University of Southern

FlowRadar: A Better NetFlow for Data Centers Yuliang Li and Rui Miao, University of Southern California; Changhoon Kim, Barefoot Networks; Minlan Yu, University of Southern California

260 views • 15 slides
Combating Friend Spam Using Social Rejections Michael Sirivianos Cyprus University of Technology

Combating Friend Spam Using Social Rejections Michael Sirivianos Cyprus University of Technology

Dagstuhl: Cybersafety in Modern Online Social Networks Combating Friend Spam Using Social Rejections Michael Sirivianos Cyprus University of Technology Joint work with Q. Cao, Xiaowei Yang and 1 K. Munagala at Duke University Friend Spam in

439 views • 27 slides
Model e v al u ation and implementation C R E D IT R ISK MOD E L IN G IN P YTH ON Michael

Model e v al u ation and implementation C R E D IT R ISK MOD E L IN G IN P YTH ON Michael

Model e v al u ation and implementation C R E D IT R ISK MOD E L IN G IN P YTH ON Michael Crabtree Data Scientist , Ford Motor Compan y Comparing classification reports Create the reports w ith classification_report() and compare CREDIT RISK

727 views • 35 slides
Authentication of People what you know (passwords) what you have (keys) what you are

Authentication of People what you know (passwords) what you have (keys) what you are

people 1 Authentication of People what you know (passwords) what you have (keys) what you are (biometric devices) where you are (physical) Slide 1 Passwords initial password distribution (students) limit password guessing

305 views • 7 slides
Marking and Selectively Retransmitting High-Priority Packets Jonathan Lennox Layered Media

Marking and Selectively Retransmitting High-Priority Packets Jonathan Lennox Layered Media

Marking and Selectively Retransmitting High-Priority Packets Jonathan Lennox Layered Media Note Well: Layered Media has potential IPR on this proposal. If its accepted as a standards-track document, well license on the

375 views • 10 slides
WINLAB Rutgers, The State University of New Jersey www.winlab.rutgers.edu Song Liu, Larry J.

WINLAB Rutgers, The State University of New Jersey www.winlab.rutgers.edu Song Liu, Larry J.

Cooperative Anomaly Detection in Cooperative Anomaly Detection in Dynamic Spectrum Access Networks Dynamic Spectrum Access Networks WINLAB Rutgers, The State University of New Jersey www.winlab.rutgers.edu Song Liu, Larry J. Greenstein, Wade

620 views • 15 slides
Autonomous Mobility-on-Demand Systems: False Myths and Open Questions Prof. Dr. Emilio Frazzoli,

Autonomous Mobility-on-Demand Systems: False Myths and Open Questions Prof. Dr. Emilio Frazzoli,

Autonomous Mobility-on-Demand Systems: False Myths and Open Questions Prof. Dr. Emilio Frazzoli, Claudio Ruch, Jan Hakenberg Institute for Dynamic Systems and Control D-MAVT, ETH Zrich, Switzerland | 1 Mobility-on-demand system serving

377 views • 19 slides
PrefMiner: Mining Users Preferences for Intelligent Mobile

PrefMiner: Mining Users Preferences for Intelligent Mobile

PrefMiner: Mining Users Preferences for Intelligent Mobile No5fica5on Management Abhinav Mehrotra Robert Hendley Mirco Musolesi University College London University of

871 views • 43 slides
SurFi: Detecting Surveillance Camera Looping Attacks with Wi-Fi Channel State Information Nitya

SurFi: Detecting Surveillance Camera Looping Attacks with Wi-Fi Channel State Information Nitya

SurFi: Detecting Surveillance Camera Looping Attacks with Wi-Fi Channel State Information Nitya Lakshmanan * , Inkyu Bang + , Min Suk Kang * , Jun Han * , Jong Taek Lee # * National University of Singapore, + Agency for Defense Development, #

578 views • 36 slides

More recommend