Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

1 Network Security Monitoring and Behavior Analysis
  Pavel Čeleda, Petr Velan, Tomáš Jirsík {celeda velan

2 Part I: Introduction
P. Čeleda et al. Network Security Monitoring and Behavior Analysis 2 / 35

3 Security Monitoring and Behavior Analysis Toolset
  NetFlow data generation: FlowMon probes.
  NetFlow data collection: NetFlow v5/v9 sent to a NetFlow collector.
  NetFlow data analyses: SPAM detection, worm/virus detection, intrusion detection.
  Incident reporting: http (WWW), mail (mailbox), syslog (syslog server).

7 Traffic Monitoring System
  Network without any flow monitoring system: LANs behind a firewall connected to the Internet.
  FlowMon probe connected to an in-line TAP.
  FlowMon observes data from TAP and SPAN ports.

10 FlowMon Probe Architecture
  FlowMon Probe 4000, bottom up:
  Network data: packets from fiber TAPs.
  Flow generation: FlowMon exporters turn packets into flows.
  Flow collection: NFDUMP toolset and NetFlow data storage (backend).
  Flow presentation: NfSen, collector plugins and web interface (frontend).

11 NfSen/NFDUMP Collector Toolset Architecture
  NfSen (NetFlow Sensor): web front-end, user plugins, command-line interface, periodic update tasks and plugins.
  NFDUMP backend: NetFlow v5/v9 collection and NetFlow display.

12 NetFlow Processing with NFDUMP
  Available flow statistics:
    Raw NetFlow data.
    Top N statistics.
    Flow filtering (via IP addresses, protocols, VLAN, MAC, ...).
    Flow aggregation (IP addresses, protocols, VLAN, MAC, ...).
  Sample nfdump output, columns: Flow start, Duration, Proto, Src IP Addr:Port, Dst IP Addr:Port, Packets, Bytes, Intf, VLAN.
  [listing of ICMP flows (06:49 to 06:56, src port 0) followed by one UDP flow (06:57, src port 138); addresses and counters did not survive the transcription]

13 NfSen Plugins
  The plugins allow NfSen to be extended with new functionality.
  The plugins run automated tasks every 5 minutes.
  The plugins can display any results of NetFlow measurement.
  Diagram labels: Plugin, Report, Automatic run every 5 min, Notification.pm, Register, nfsen.conf, Output, Web Interface.

14 Part II: Anomaly Detection and Behavior Analysis

15 Network Behavior Analysis
  NBA principles:
    identifies malware from network traffic statistics
    watches what's happening inside the network
    single-purpose detection patterns (scanning, botnets, ...)
    complex models of the network behavior: statistical modeling, PCA (Principal Component Analysis)
  NBA advantages:
    good for spotting new malware and zero-day exploits
    suitable for high-speed networks
    should be used as an enhancement to the protection provided by the standard tools (firewall, IDS, AVS, ...)

16 NBA Example - MINDS Method
  Features: flow counts from/to important IP/port combinations.
  Malware identification: comparison with a windowed average of past values.
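A worked version of the two MINDS ideas named above, added here as an example (it is not MINDS's own code): flow counts per (IP, port) feature and 5-minute interval, compared with the windowed average of the past intervals. The host, addresses and flow records are constructed.

```python
"""MINDS-style anomaly detection on NetFlow counts (added example, not the
MINDS implementation): per-(IP, port) flow counts as features, a windowed
average of past intervals as the baseline. All flow records are constructed."""
from collections import defaultdict, deque
from statistics import mean, pstdev

INTERVAL = 300      # NfSen/nfdump work in 5-minute files, so bin flows that way
WINDOW = 6          # past intervals kept in the sliding window (30 minutes)
K_SIGMA = 3.0       # flag when count > mean + K_SIGMA * stddev of the window
MIN_EXTRA = 20      # ...and at least this many flows above the mean (ignores tiny baselines)


def flow_counts(flows, interval=INTERVAL):
    """Feature extraction: flows per interval, keyed two ways per flow:
    ('src', ip, dport) = flows leaving ip towards dport,
    ('dst', ip, dport) = flows arriving at ip on dport."""
    counts = defaultdict(int)
    for f in flows:
        slot = f["ts"] // interval
        counts[(slot, "src", f["src"], f["dport"])] += 1
        counts[(slot, "dst", f["dst"], f["dport"])] += 1
    return counts


class WindowedBaseline:
    """Keeps the last WINDOW counts per feature and compares a new count against
    their mean and spread. The new count is always added to the window, so a
    sustained scan eventually becomes the new normal; act on the first alert."""

    def __init__(self, window=WINDOW, k=K_SIGMA, min_extra=MIN_EXTRA):
        self.window, self.k, self.min_extra = window, k, min_extra
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, key, count):
        """Return (is_anomalous, baseline_mean); the mean is None until the
        window for this key is full, so the first intervals are never judged."""
        past = self.history[key]
        anomalous, baseline = False, None
        if len(past) == self.window:
            baseline = mean(past)
            sigma = pstdev(past)
            anomalous = (count > baseline + self.k * sigma
                         and count - baseline >= self.min_extra)
        past.append(count)
        return anomalous, baseline


def run_detection(flows, monitored, interval=INTERVAL, **baseline_args):
    """Replay the intervals in order; return [(slot, key, count, baseline_mean)]
    for every monitored feature whose count broke out of its window."""
    counts = flow_counts(flows, interval)
    slots = sorted({slot for (slot, *_rest) in counts})
    baseline = WindowedBaseline(**baseline_args)
    alerts = []
    for slot in slots:
        for key in monitored:
            count = counts.get((slot,) + key, 0)   # a feature absent in a slot counts as 0
            anomalous, base = baseline.observe(key, count)
            if anomalous:
                alerts.append((slot, key, count, base))
    return alerts


def constructed_flows():
    """Constructed sample: host 10.0.0.5 opens a few SMB (port 445) connections
    per interval for eight intervals, then in interval 8 opens 150 of them to
    150 different hosts, which is what a worm's horizontal scan looks like."""
    flows = []
    for slot, n in enumerate([4, 3, 5, 4, 4, 3, 5, 4]):
        for i in range(n):
            flows.append({"ts": slot * INTERVAL + 10 * i, "src": "10.0.0.5",
                          "dst": f"10.0.1.{i + 1}", "dport": 445})
    for i in range(150):
        flows.append({"ts": 8 * INTERVAL + i, "src": "10.0.0.5",
                      "dst": f"10.0.2.{i + 1}", "dport": 445})
    return flows


if __name__ == "__main__":
    for slot, key, count, base in run_detection(constructed_flows(), [("src", "10.0.0.5", 445)]):
        print(f"interval {slot}: {key} had {count} flows, window mean {base:.1f}")
```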

17 Part III: Anomaly Detection Use Case I. Conficker Worm

18 Conficker Worm Spreading
  Diagram: Victim, Internet; Phase I, Phase II, Phase III.

19 Traditional NetFlow Analysis Using NFDUMP Tool
  Columns: Flow start, Duration, Proto, Src IP Addr:Port, Dst IP Addr:Port, Flags, Packets, Bytes, Flows.
  [nfdump listing at 09:41: mixed ICMP, UDP (port 138, DNS port 53 in both directions) and TCP flows to and from port 80 with flags A.RS and AP.SF; addresses and counters did not survive the transcription]

23 Conficker Detection Using NFDUMP Tool - I
  Columns: Flow start, Duration, Proto, Src IP Addr:Port, Dst IP Addr:Port, Flags, Packets, Bytes, Flows.
  [nfdump listing at 09:55: TCP flows, all to destination port 445 with flags ...S; addresses and counters did not survive the transcription]
  We focus on TCP traffic.
  Traffic comes out from a single host; every new connection generates a flow.
  The infected host connects to various remote machines (horizontal scan) with the same destination port 445.
  TCP SYN flag set, single packet with uniform size.

27 Conficker Detection Using NFDUMP Tool - II
  [nfdump listing at 10:48: TCP flows to destination port 445; the first ones with flags AP.S (one AP.SF), the later ones with flags ...S; addresses and counters did not survive the transcription]
  Infected hosts from the same subnet.
  Successful TCP communication: high source ports and identical destination port 445.
  Further worm propagation: port 445 horizontal scan / buffer overflow attempt.
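The traits read off the two listings above, turned into detection code over flow records. This is an added example, not code from the slides or from NFDUMP; the addresses and flow records are constructed (RFC 5737 documentation ranges), and the thresholds are assumptions.

```python
"""Added example (not from the slides): the Conficker traits from the two NFDUMP
listings as two checks over flow records.
Phase I: one source, many destinations, dst port 445, SYN only, one packet,
uniform size (horizontal scan). Phase II: established sessions to port 445 from
high source ports, grouped by source subnet. Records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    start: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # nfdump letters U A P R S F, '.' for an unset bit, e.g. "....S."
    packets: int
    bytes: int


def flag_set(flags):
    return set(flags) - {"."}


def find_horizontal_scans(flows, port=445, min_targets=20):
    """Sources whose SYN-only, single-packet TCP flows to `port` touched at least
    `min_targets` distinct destinations (min_targets is an assumed threshold).
    Also reports whether every probe had the same size, the trait noted on the slide."""
    by_src = defaultdict(list)
    for f in flows:
        if (f.proto == "TCP" and f.dport == port and f.packets == 1
                and flag_set(f.flags) == {"S"}):
            by_src[f.src].append(f)
    findings = {}
    for src, probes in by_src.items():
        targets = {f.dst for f in probes}
        if len(targets) >= min_targets:
            findings[src] = {"targets": len(targets), "flows": len(probes),
                             "uniform_size": len({f.bytes for f in probes}) == 1}
    return findings


def find_established_smb(flows, port=445):
    """Sessions to `port` from a high source port where ACK, PSH and SYN were all
    seen: data was exchanged, so the contact went beyond a probe."""
    hits = defaultdict(set)
    for f in flows:
        if (f.proto == "TCP" and f.dport == port and f.sport >= 1024
                and {"A", "P", "S"} <= flag_set(f.flags)):
            hits[f.src].add(f.dst)
    return dict(hits)


def group_by_subnet(hosts, prefix=24):
    """Cluster hosts by /prefix so infected machines in one subnet show up together."""
    nets = defaultdict(set)
    for h in hosts:
        nets[str(ipaddress.ip_network(f"{h}/{prefix}", strict=False))].add(h)
    return dict(nets)


def sample_flows():
    """Constructed records using RFC 5737 documentation addresses."""
    flows = []
    # phase I: 192.0.2.10 probes 30 hosts on 445 with one 48-byte SYN each
    for i in range(30):
        flows.append(Flow("09:55:01", "TCP", "192.0.2.10", 49200 + i,
                          f"198.51.100.{i + 1}", 445, "....S.", 1, 48))
    # phase II: two hosts in the same subnet complete SMB sessions
    flows.append(Flow("10:48:12", "TCP", "192.0.2.10", 49301, "198.51.100.5", 445, ".AP.S.", 9, 1304))
    flows.append(Flow("10:48:15", "TCP", "192.0.2.11", 49302, "198.51.100.6", 445, ".AP.SF", 11, 1560))
    # ordinary web traffic from another host, both directions
    flows.append(Flow("09:55:30", "TCP", "192.0.2.20", 50111, "203.0.113.8", 80, ".AP.SF", 12, 4090))
    flows.append(Flow("09:55:31", "TCP", "203.0.113.8", 80, "192.0.2.20", 50111, ".AP.SF", 10, 38211))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("horizontal scans:", find_horizontal_scans(flows))
    print("established SMB by subnet:", group_by_subnet(find_established_smb(flows)))
```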

30 Worm Detection And Analysis With CAMNEP - I
  Diagram labels: Threat; Millions of Flows per Day; Network Behavioral Analysis; CAMPUS Network; CSIRT; Early Action.

31 Worm Detection And Analysis With CAMNEP - II

32 Worm Detection And Analysis With CAMNEP - III
  Analyzer: CamnepKB111
  Create Time: T09:58:
  Classification: conficker, also similar to: web_requests, dns_requests, port_scan_horizontal
  Flows: 5045, Bytes: , 1 sources, 5016 targets
  Sources:
    Nodes: [anonymized, random IP address in the list]
    Ports: 0, 137, 1900, [...], 63052, 63808, 63815, 65015, 65288
    Protocol: UDP, ICMP, TCP
  Targets:
    Nodes: [...] and more (5016 in total)
    Ports: 53, 80, 137, 139, 445, 1900, 2048, 3702, 5355, 52358
    Protocol: UDP, ICMP, TCP

33 Part IV: Anomaly Detection Use Case II. Chuck Norris Botnet

34 Chuck Norris Botnet in a Nutshell
  Linux malware: IRC bots with central C&C servers.
  Attacks poorly-configured Linux MIPSEL devices.
  Vulnerable devices: ADSL modems and routers.
  Uses a TELNET brute-force attack as the infection vector.
  Users are not aware of the malicious activities.
  There is no anti-malware solution to detect it.
  Discovered at Masaryk University on 2 December.
  The malware got the Chuck Norris moniker from a comment in its source code: [R]anger Killato : in nome di Chuck Norris!

35 TELNET Malware Activities
  [Graph: TELNET scans per day, 2009 to 2010, annotated: Chuck Norris Botnet Suspended; Chuck Norris Botnet Version 2; Campus Network Removed from Botnet Scanning List]

36 Detection of CNB Scanning
  Incoming and outgoing TCP SYN scans on ports 22 and 23.
  Diagram: an infected device in the local network scans a list of C class networks on TCP/22 and TCP/23; SYN/RESET flags.
  NFDUMP detection filter:
    (net local_network) and (dst port 22 or dst port 23) and (proto TCP) and ((flags S and not flags ARPUF) or (flags SR and not flags APUF))

42 Detection of CNB Initialization and Update
  Bot's web download requests from the infected host.
  Diagram: an infected device in the local network connects over TCP/80 (SYN/ACK flags) to the botnet distribution web servers.
  NFDUMP detection filter:
    (src net local_network) and (dst ip web_servers) and (dst port 80) and (proto TCP) and (flags SA and not flag R)
  web_servers: IP addresses of the attacker's botnet distribution web servers.

47 Detection of CNB DNS Spoofing Attack
  Detecting the attacker's DNS or OpenDNS queries:
    Common DNS requests are forwarded to OpenDNS servers.
    Targeted DNS requests are forwarded to the attacker's DNS.
  Diagram: an infected device in the local network sends DNS (UDP/53) queries to an OpenDNS server and to a spoofed DNS server.
  NFDUMP detection filter:
    (src net local_network) and ((dst ip OpenDNS_servers) or (dst ip DNS_servers)) and (proto UDP) and (dst port 53)
  OpenDNS_servers: IP addresses of common OpenDNS servers.
  DNS_servers: IP addresses of the attacker's spoofed DNS servers.
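The three NFDUMP detection filters from the CNB slides (scanning, initialization/update, DNS spoofing), re-implemented in Python as an added example rather than nfdump's own code, so the flag and network tests can be exercised offline. The local network, server lists and flow records are constructed placeholders, and the flags semantics assumed are nfdump's: "flags X" needs every listed bit set, "not flags X" needs none of them set.

```python
"""Added example (not from the slides or from NFDUMP): the three CNB detection
filters over constructed flow records. Addresses, the local network and the
server lists are constructed placeholders."""
import ipaddress
from collections import defaultdict

# nfdump semantics assumed here: 'flags X' is true when every listed bit is set,
# 'not flags X' when none of them is set; that is what makes
# 'flags S and not flags ARPUF' a SYN-only test. nfdump prints the bits in the
# order U A P R S F, with '.' for an unset bit.
def _flag_set(flags):
    return set(flags) - {"."}

def flags_all(flags, wanted):
    return set(wanted) <= _flag_set(flags)

def flags_none(flags, unwanted):
    return not (set(unwanted) & _flag_set(flags))

def in_net(ip, net):
    return ipaddress.ip_address(ip) in net

def cnb_scan(f, local_net):
    """(net local_network) and (dst port 22 or dst port 23) and (proto TCP)
    and ((flags S and not flags ARPUF) or (flags SR and not flags APUF)).
    'net X' matches either endpoint, so incoming and outgoing scans both hit."""
    return ((in_net(f["src"], local_net) or in_net(f["dst"], local_net))
            and f["dport"] in (22, 23) and f["proto"] == "TCP"
            and ((flags_all(f["flags"], "S") and flags_none(f["flags"], "ARPUF"))
                 or (flags_all(f["flags"], "SR") and flags_none(f["flags"], "APUF"))))

def cnb_update(f, local_net, web_servers):
    """(src net local_network) and (dst ip web_servers) and (dst port 80)
    and (proto TCP) and (flags SA and not flag R)"""
    return (in_net(f["src"], local_net) and f["dst"] in web_servers
            and f["dport"] == 80 and f["proto"] == "TCP"
            and flags_all(f["flags"], "SA") and flags_none(f["flags"], "R"))

def cnb_dns(f, local_net, opendns, spoofed_dns):
    """(src net local_network) and ((dst ip OpenDNS_servers) or (dst ip DNS_servers))
    and (proto UDP) and (dst port 53)"""
    return (in_net(f["src"], local_net)
            and (f["dst"] in opendns or f["dst"] in spoofed_dns)
            and f["proto"] == "UDP" and f["dport"] == 53)

def classify(flows, local_net, web_servers, opendns, spoofed_dns):
    """Run all three filters; a flow may land in more than one category."""
    out = {"scan": [], "update": [], "dns": []}
    for f in flows:
        if cnb_scan(f, local_net):
            out["scan"].append(f)
        if cnb_update(f, local_net, web_servers):
            out["update"].append(f)
        if cnb_dns(f, local_net, opendns, spoofed_dns):
            out["dns"].append(f)
    return out

def local_hosts_by_category(results, local_net):
    """Map each local endpoint to the categories it appeared in: a host that is
    scanning, fetching the bot and talking to the rogue DNS is the one to isolate."""
    hosts = defaultdict(set)
    for category, flows in results.items():
        for f in flows:
            for ip in (f["src"], f["dst"]):
                if in_net(ip, local_net):
                    hosts[ip].add(category)
    return dict(hosts)

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed local network
WEB_SERVERS = {"198.51.100.9"}                     # constructed distribution server
OPENDNS = {"198.51.100.53"}                        # constructed stand-in for OpenDNS
SPOOFED_DNS = {"203.0.113.66"}                     # constructed rogue resolver

def _f(src, sport, dst, dport, proto, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto, "flags": flags}

SAMPLE_FLOWS = [  # constructed
    _f("192.0.2.7", 40001, "203.0.113.1", 23, "TCP", "....S."),    # outgoing SYN probe
    _f("192.0.2.7", 40002, "203.0.113.2", 22, "TCP", "...RS."),    # SYN then RST from the scanner
    _f("203.0.113.50", 51000, "192.0.2.9", 23, "TCP", "....S."),   # incoming SYN probe
    _f("192.0.2.8", 52000, "203.0.113.3", 22, "TCP", ".AP.SF"),    # real SSH session
    _f("192.0.2.7", 40010, "198.51.100.9", 80, "TCP", ".AP.SF"),   # bot download
    _f("192.0.2.8", 40011, "198.51.100.9", 80, "TCP", ".A.RS."),   # reset, no download
    _f("192.0.2.7", 40012, "198.51.100.53", 53, "UDP", "......"),  # query to OpenDNS stand-in
    _f("192.0.2.7", 40013, "203.0.113.66", 53, "UDP", "......"),   # query to rogue DNS
    _f("192.0.2.8", 40014, "192.0.2.1", 53, "UDP", "......"),      # query to local resolver
]

if __name__ == "__main__":
    results = classify(SAMPLE_FLOWS, LOCAL_NET, WEB_SERVERS, OPENDNS, SPOOFED_DNS)
    for host, cats in sorted(local_hosts_by_category(results, LOCAL_NET).items()):
        print(host, sorted(cats))
```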

52 Chuck Norris Will Never Die or Cyber War?
  [SURFmap visualisation: TELNET scans against a single host]

53 Part V: Anomaly Detection Use Case III. Attack from Building Automation System

54 AIDRA Botnet in a Nutshell
  Linux malware: IRC bots with central C&C servers.
  Based on the source code of the Hydra botnet.
  Attacks poorly-configured ARM, MIPS, MIPSEL, PPC and SH4 Linux embedded devices (default Telnet credentials).
  First attacks observed at Masaryk University on
  [Screenshot: AIDRA in action (private version); source ( )]

55 Beyond Modems: AIDRA Infected Device
  Modular automation station for intelligent buildings.
  Control and monitoring of technical installations, e.g. HVAC.
  Communication: BACnet/IP (EN ISO ).
  Linux based (PPC), integrated web and telnet server.

56 New Emerging Target: Intelligent Building
  [Figure: topology of the Rabobank building management system; source]
  AIDRA botnet does not support any targeted attacks against intelligent buildings!

57 BACnetFlow: Flow Monitoring for Intelligent Buildings
  BACnet: Building Automation and Control Networking.
  We introduced BACnetFlow [4] to get flow data from BACnet.
  BACnetFlow provides L2, L3, L4 and L7 visibility.
  BACnetFlow data can help detect BACnet attacks.
  Architecture: BACnet over IP network and BACnet over Ethernet network, mirror port, BACnetFlow probe (BACnet input plugin, FlowMon Engine, filter, NetFlow exporter, BACnet exporter), NetFlow collector (NFDUMP), BACnetFlow collector (SQL database).
  [4] Krejčí, R. et al.: Traffic Measurement and Analysis of Building Automation and Control Networks. Paper to appear in AIMS.

58 BACnet Attacks
  [Graph: BACnet Router Traffic, detection of router spoofing attacks; y-axis BACnet Router Messages (Flows), x-axis 00:00 to 00:00]
  [Graph: BACnet Device Discovery Traffic, detection of DoS attacks; (1) Who-Is, (2) I-Am; y-axis Flows/s, x-axis 04:00 to 20:00]

59 Part VI: Conclusion

60 Conclusion
  Why do we need NSM and NBA?
    Networks are complex and prone to failures and attacks.
    Networks are difficult to manage without detailed information.
    IP flows present a scalable, long-term monitoring solution.
    Everybody leaves traces in network traffic (you can't hide).
    Observe and automatically inspect your network data 24x7.
    Detect attacks before your hosts are infected.
  Experiences:
    Better network knowledge after you deploy NSM and NBA.
    NSM and NBA are essential in liberal network environments.

61 Thank You For Your Attention!
  Network Security Monitoring and Behavior Analysis, Pavel Čeleda et al.
  Project CAMNEP
  Project CYBER


More information

Network and Incident monitoring

Network and Incident monitoring August, 2013 Network and Incident monitoring Koichiro (Sparky) Komiyama Sam Sasaki JPCERT Coordination Center, Japan Agenda 1. Introduction of TSUBAME 2. Recent Observation cases 2 1. INTRODUCTION OF TSUBAME

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

An overview of traffic analysis using NetFlow

An overview of traffic analysis using NetFlow The LOBSTER project An overview of traffic analysis using NetFlow Arne Øslebø UNINETT Arne.Oslebo@uninett.no 1 Outline What is Netflow? Available tools Collecting Processing Detailed analysis security

More information

Firewalls, IDS and IPS

Firewalls, IDS and IPS Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not

More information

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide Table of Content I. Note... 1 II. Login... 1 III. Real-time, Daily and Monthly Report... 3 Part A: Real-time Report... 3 Part 1: Traffic Details... 4 Part 2: Protocol Details... 5 Part B: Daily Report...

More information

SECURING APACHE : DOS & DDOS ATTACKS - II

SECURING APACHE : DOS & DDOS ATTACKS - II SECURING APACHE : DOS & DDOS ATTACKS - II How DDoS attacks are performed A DDoS attack has to be carefully prepared by the attackers. They first recruit the zombie army, by looking for vulnerable machines,

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

A Critical Investigation of Botnet

A Critical Investigation of Botnet Global Journal of Computer Science and Technology Network, Web & Security Volume 13 Issue 9 Version 1.0 Year 2013 Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals

More information

Multifaceted Approach to Understanding the Botnet Phenomenon

Multifaceted Approach to Understanding the Botnet Phenomenon Multifaceted Approach to Understanding the Botnet Phenomenon Christos P. Margiolas University of Crete A brief presentation for the paper: Multifaceted Approach to Understanding the Botnet Phenomenon Basic

More information

[Optional] Network Visibility with NetFlow

[Optional] Network Visibility with NetFlow [Optional] Network Visibility with NetFlow TELE301 Laboratory Manual Contents 1 NetFlow Architecture........................... 1 2 NetFlow Versions.............................. 2 3 Requirements Analysis...........................

More information

Introduction TELE 301. Routers. Firewalls

Introduction TELE 301. Routers. Firewalls Introduction TELE 301 Lecture 21: s Zhiyi Huang Computer Science University of Otago Discernment of Routers, s, Gateways Placement of such devices Elementary firewalls Stateful firewalls and connection

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

Internet Worms, Firewalls, and Intrusion Detection Systems

Internet Worms, Firewalls, and Intrusion Detection Systems Internet Worms, Firewalls, and Intrusion Detection Systems Brad Karp UCL Computer Science CS 3035/GZ01 12 th December 2013 Outline Internet worms Self-propagating, possibly malicious code spread over Internet

More information

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide AlienVault Unified Security Management (USM) 4.x-5.x Deployment Planning Guide USM 4.x-5.x Deployment Planning Guide, rev. 1 Copyright AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS

HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS Tom Cross tcross@lancope.com Charles Herring cherring@lancope.com 1 CREATING THE AUDIT TRAIL 2 Creating the Trail Logging Provides user and application details

More information

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls

More information

2010 Carnegie Mellon University. Malware and Malicious Traffic

2010 Carnegie Mellon University. Malware and Malicious Traffic Malware and Malicious Traffic What We Will Cover Introduction Your Network Fundamentals of networks, flow, and protocols Malicious traffic External Events & Trends Malware Networks in the Broad Working

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

Description: Course Details:

Description: Course Details: Course: Malicious Network Traffic Analysis Duration: 5 Day Hands-On Lab & Lecture Course Price: $ 3,495.00 Description: There are a tremendous amount of network based attacks to be aware of on the internet

More information

IP Filter/Firewall Setup

IP Filter/Firewall Setup IP Filter/Firewall Setup Introduction The IP Filter/Firewall function helps protect your local network against attack from outside. It also provides a method of restricting users on the local network from

More information

Seminar Computer Security

Seminar Computer Security Seminar Computer Security DoS/DDoS attacks and botnets Hannes Korte Overview Introduction What is a Denial of Service attack? The distributed version The attacker's motivation Basics Bots and botnets Example

More information

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015) s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware

More information

IBM Advanced Threat Protection Solution

IBM Advanced Threat Protection Solution IBM Advanced Threat Protection Solution Fabio Panada IBM Security Tech Sales Leader 1 Advanced Threats is one of today s key mega-trends Advanced Threats Sophisticated, targeted attacks designed to gain

More information

FIREWALL AND NAT Lecture 7a

FIREWALL AND NAT Lecture 7a FIREWALL AND NAT Lecture 7a COMPSCI 726 Network Defence and Countermeasures Muhammad Rizwan Asghar August 3, 2015 Source of most of slides: University of Twente FIREWALL An integrated collection of security

More information

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems WHITE PAPER FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems Abstract: Denial of Service (DoS) attacks have been a part of the internet landscape for

More information

Malicious Network Traffic Analysis

Malicious Network Traffic Analysis Malicious Network Traffic Analysis Uncover system intrusions by identifying malicious network activity. There are a tremendous amount of network based attacks to be aware of on the internet today and the

More information

CISCO IOS NETFLOW AND SECURITY

CISCO IOS NETFLOW AND SECURITY CISCO IOS NETFLOW AND SECURITY INTERNET TECHNOLOGIES DIVISION FEBRUARY 2005 1 Cisco IOS NetFlow NetFlow is a standard for acquiring IP network and operational data Benefits Understand the impact of network

More information

NetFlow use cases. ICmyNet / NetVizura. Miloš Zeković, milos.zekovic@soneco.rs. ICmyNet Chief Customer Officer Soneco d.o.o.

NetFlow use cases. ICmyNet / NetVizura. Miloš Zeković, milos.zekovic@soneco.rs. ICmyNet Chief Customer Officer Soneco d.o.o. NetFlow use cases ICmyNet / NetVizura, milos.zekovic@soneco.rs Soneco d.o.o. Serbia Agenda ICmyNet / NetVizura overview Use cases / case studies Statistics per exporter/interfaces Traffic Patterns NREN

More information

NSC 93-2213-E-110-045

NSC 93-2213-E-110-045 NSC93-2213-E-110-045 2004 8 1 2005 731 94 830 Introduction 1 Nowadays the Internet has become an important part of people s daily life. People receive emails, surf the web sites, and chat with friends

More information

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls CSE 4482 Computer Security Management: Assessment and Forensics Protection Mechanisms: Firewalls Instructor: N. Vlajic, Fall 2013 Required reading: Management of Information Security (MIS), by Whitman

More information

Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document

Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document Produced by AMRES NMS Group (AMRES BPD 104) Author: Ivan Ivanović November 2011 TERENA 2010. All rights reserved.

More information

Case Study: Instrumenting a Network for NetFlow Security Visualization Tools

Case Study: Instrumenting a Network for NetFlow Security Visualization Tools Case Study: Instrumenting a Network for NetFlow Security Visualization Tools William Yurcik* Yifan Li SIFT Research Group National Center for Supercomputing Applications (NCSA) University of Illinois at

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

DDoS Mitigation Techniques

DDoS Mitigation Techniques DDoS Mitigation Techniques Ron Winward, ServerCentral CHI-NOG 03 06/14/14 Consistent Bottlenecks in DDoS Attacks 1. The server that is under attack 2. The firewall in front of the network 3. The internet

More information

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide Abstract This guide contains comprehensive information for network administrators, engineers, and operators working with

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com Intrusion Detection & SNORT Fakrul Alam fakrul@bdhbu.com Sometimes, Defenses Fail Our defenses aren t perfect Patches weren t applied promptly enough Antivirus signatures not up to date 0- days get through

More information

VIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION

VIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION VIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION Kleissner & Associates Botconf 14, 3-5 Dec 2014, Nancy/France Worlds largest botnet monitoring system Since September 2012 Originally

More information

Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS)

Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS) ISCA Journal of Engineering Sciences ISCA J. Engineering Sci. Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS) Abstract Tiwari Nitin, Solanki Rajdeep

More information

CS 356 Lecture 16 Denial of Service. Spring 2013

CS 356 Lecture 16 Denial of Service. Spring 2013 CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter

More information

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Passive Logging. Intrusion Detection System (IDS): Software that automates this process Passive Logging Intrusion Detection: Monitor events, analyze for signs of incidents Look for violations or imminent violations of security policies accepted use policies standard security practices Intrusion

More information

Technical Note. ForeScout CounterACT: Virtual Firewall

Technical Note. ForeScout CounterACT: Virtual Firewall ForeScout CounterACT: Contents Introduction... 3 What is the vfw?.... 3 Technically, How Does vfw Work?.... 4 How Does vfw Compare to a Real Firewall?.... 4 How Does vfw Compare to other Blocking Methods?...

More information

Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

More information

Network Management & Monitoring

Network Management & Monitoring Network Management & Monitoring NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)

More information

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN Kanika 1, Renuka Goyal 2, Gurmeet Kaur 3 1 M.Tech Scholar, Computer Science and Technology, Central University of Punjab, Punjab, India

More information

IDS / IPS. James E. Thiel S.W.A.T.

IDS / IPS. James E. Thiel S.W.A.T. IDS / IPS An introduction to intrusion detection and intrusion prevention systems James E. Thiel January 14, 2005 S.W.A.T. Drexel University Overview Intrusion Detection Purpose Types Detection Methods

More information

Flow Analysis Versus Packet Analysis. What Should You Choose?

Flow Analysis Versus Packet Analysis. What Should You Choose? Flow Analysis Versus Packet Analysis. What Should You Choose? www.netfort.com Flow analysis can help to determine traffic statistics overall, but it falls short when you need to analyse a specific conversation

More information

Network Security Monitoring

Network Security Monitoring Network Security Monitoring Network Startup Resource Center www.nsrc.org These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)

More information

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security

More information

Network Instruments white paper

Network Instruments white paper Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features

More information

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch

More information

Monitoring sítí pomocí NetFlow dat od paketů ke strategiím

Monitoring sítí pomocí NetFlow dat od paketů ke strategiím Monitoring sítí pomocí NetFlow dat od paketů ke strategiím Martin Rehák, Karel Bartoš, Martin Grill, Jan Stiborek a Michal Svoboda ATG, České vysoké učení technické v Praze Jiří Novotný, Pavel Čeleda a

More information

Netflow For Incident Detection 1

Netflow For Incident Detection 1 Netflow For Incident Detection 1 Michael Scheck / Cisco CSIRT mscheck@cisco.com Introduction Netflow is often deployed for network billing, auditing, and accounting. However, Netflow can also be for incident

More information

International Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849

International Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849 WINDOWS-BASED APPLICATION AWARE NETWORK INTERCEPTOR Ms. Shalvi Dave [1], Mr. Jimit Mahadevia [2], Prof. Bhushan Trivedi [3] [1] Asst.Prof., MCA Department, IITE, Ahmedabad, INDIA [2] Chief Architect, Elitecore

More information

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS) Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS) Internet (In)Security Exposed Prof. Dr. Bernhard Plattner With some contributions by Stephan Neuhaus Thanks to Thomas Dübendorfer, Stefan

More information

How To Understand A Network Attack

How To Understand A Network Attack Network Security Attack and Defense Techniques Anna Sperotto (with material from Ramin Sadre) Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Attacks! Many different

More information

Using Argus to analyse network flows. David Ford OxCERT Oxford University Computer Services

Using Argus to analyse network flows. David Ford OxCERT Oxford University Computer Services Using Argus to analyse network flows David Ford OxCERT Oxford University Computer Services What are network flows? A convenient way of representing traffic on your network Contain a timestamp, the source/

More information

Chapter 15. Firewalls, IDS and IPS

Chapter 15. Firewalls, IDS and IPS Chapter 15 Firewalls, IDS and IPS Basic Firewall Operation The firewall is a border firewall. It sits at the boundary between the corporate site and the external Internet. A firewall examines each packet

More information

PROFESSIONAL SECURITY SYSTEMS

PROFESSIONAL SECURITY SYSTEMS PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security

More information

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls. Ahmad Almulhem March 10, 2012 Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2

More information

Linux Network Security

Linux Network Security Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols

More information

Keep you computer running Keep your documents safe Identity theft Spreading infection Data Integrity (DPA: Data Protection Act)

Keep you computer running Keep your documents safe Identity theft Spreading infection Data Integrity (DPA: Data Protection Act) Security Analysis E-Commerce Security 2008 Matthew Cook Network & Security Manager Loughborough University Why bother? Keep you computer running Keep your documents safe Identity theft Spreading infection

More information

Networks and Security Lab. Network Forensics

Networks and Security Lab. Network Forensics Networks and Security Lab Network Forensics Network Forensics - continued We start off from the previous week s exercises and analyze each trace file in detail. Tools needed: Wireshark and your favorite

More information

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT Roopa K. Panduranga Rao MV Dept of CS and Engg., Dept of IS and Engg., J.N.N College of Engineering, J.N.N College of Engineering,

More information

GregSowell.com. Mikrotik Security

GregSowell.com. Mikrotik Security Mikrotik Security IP -> Services Disable unused services Set Available From for appropriate hosts Secure protocols are preferred (Winbox/SSH) IP -> Neighbors Disable Discovery Interfaces where not necessary.

More information

Classification of Firewalls and Proxies

Classification of Firewalls and Proxies Classification of Firewalls and Proxies By Dhiraj Bhagchandka Advisor: Mohamed G. Gouda (gouda@cs.utexas.edu) Department of Computer Sciences The University of Texas at Austin Computer Science Research

More information

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router

More information

Stateful Firewalls. Hank and Foo

Stateful Firewalls. Hank and Foo Stateful Firewalls Hank and Foo 1 Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

More information