Six Days in the Network Security Trenches at SC14. A Cray Graph Analytics Case Study




WP-NetworkSecurity-0315 www.cray.com

Table of Contents

Introduction ... 3
Analytics Mission and Source Data ... 3
Analytics Approaches ... 3
Analytics Successes ... 3
Outbound Scanning ... 4
Outbound SYN Flooding ... 4
Linux SSH Brute-Forcing ... 5
Wireless Network Failure ... 6
Conclusion ... 6
Acknowledgements ... 7

Introduction

Through engagements with its customers and partners, Cray has applied graph analytics to computer network analysis, helping identify threats and risks to enterprise-scale networks. One of these networks is SCinet, the high-bandwidth network that supports SC, the annual supercomputing technical conference and exhibition. SCinet is operational for approximately seven days every year during the conference, linking the convention center to research and commercial networks around the world.

Supercomputing 2014 (SC14) had the largest network to date. With 1.2 Tbits/s reaching the show floor, it supported 11,000 devices. The network had a /17 (32,000 IP addresses) of publicly routable IPv4 space (and some IPv6 space). SCinet is staffed by more than 300 volunteers from national labs, universities and vendors who work together over the entire year to design, construct, operate and dismantle the network every year. Cray has participated in SCinet on the network security team in various forms since 2012.

Analytics Mission and Source Data

At SC14, the SCinet network security team had two primary missions:

1. Detect and mitigate any outbound scanning or attacking behavior.
2. Identify, quantify and inform likely compromised hosts on the network.

Cray supported these missions with Discover, a 2-TB Cray Urika-GD graph discovery appliance. Cray also supported an additional mission, identifying rogue domain name system (DNS) and Dynamic Host Configuration Protocol (DHCP) servers, using Spark Streaming, software that is part of the Urika-XA extreme analytics system stack. This provided a streaming, alerting analytics capability that highlighted new servers as soon as the network security sensors observed their traffic.

Data is key when performing analysis, and at SCinet the network security team used Bro, an open-source deep packet inspection system, to monitor nearly 300 GB/s of network bandwidth. These sensors generated nearly 1.6 billion records, which Discover parsed into 18.6 billion RDF triples for analysis.

Analytics Approaches

Cray used three analytics approaches/algorithms with Discover, a Urika-GD graph discovery platform, to develop answers to the network security team's analytics questions. These included basic search queries ("Find and visualize patterns of behavior that look like this"), Jaccard scoring ("What are these systems downloading malware likely using as command and control channels?") and betweenness centrality ("Where should we start cleaning up this mess?").

Using Spark Streaming, Cray monitored DHCP and DNS logs, maintaining for each a histogram of uses (count, earliest and latest) and emitting an event when a new DHCP or DNS server was encountered. These analytics could be run either in a continuous streaming mode or in a batch mode for retrospective analysis.

Analytics Successes

These approaches were very fruitful for Cray and the SC14 network security team. At SC14, the SCinet security team observed several network security events, including:

- Outbound scanning
- Outbound SYN flooding
- Linux SSH brute-forcing
- Wireless network failure

Cray detected, correlated and analyzed these events.

Outbound Scanning

Outbound scanning can be detected using a graph concept called dispersion: the out-degree of a given node. In computer network analysis, dispersion is used with port and protocol combinations to show nodes exhibiting unusual behaviors in a specific area. Cray used dispersion at SC13 and SC14 to successfully identify outbound scanning. At SC14, Cray identified infected clients on the wireless network scanning for vulnerable servers or sending malware out of the network.

Outbound SYN Flooding

SYN flooding is a computer network attack in which a client opens partial connections to a host and leaves them open. This attack is designed to remove a host from the network by exhausting its ability to accept inbound connections. If the host isn't on the network, it isn't available in the current available-everywhere networked-computing environment.

At SC14, the network security team observed two clients on the network participating in SYN flood attacks. These two network events accounted for 86 percent of all network flow observed on the network. Figure 1 shows the flow count profile.

Figure 1. Flow count from SC14, with SYN floods highlighted. Note the log-scale Y axis.

All of the network security team's tools identified these SYN floods. The team then looked for their root cause. Cray combined alerts from one intrusion detection system (IDS), showing a malware download on an odd port, with network flow and Jaccard similarity scoring to identify likely infected client behaviors. Jaccard similarity scoring identifies similarities by looking for entities that share multiple connecting nodes while the entities themselves are not directly connected.
Figure 4 visually illustrates the connection between TCP port 9162 (the port with the detected malware download from the IDS) and TCP port 7668 (the port that Jaccard scoring identified with behavior similar to 9162). These identified behaviors showed additional SCinet clients that may have been infected by the same type of malware. Figure 2 shows an example of this analysis. No other tool at SCinet performed this analysis, which then guided the rest of the security team in their follow-up examinations. The root cause of the infection was believed to be malware targeting Linux systems running SSH servers. The network security team spent the entire conference chasing the infections from this malware.
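As an added illustration of the dispersion and Jaccard scoring described above (not Cray's code and not the SPARQL run on Urika-GD at SC14), the following Python builds a host/port graph from constructed flow records, flags the host whose out-degree on one port stands out, and scores every port against a seed port by the hosts they share, the way the IDS-flagged port 9162 was compared with port 7668. Every host name, destination, flow and threshold here is made up.

```python
"""Dispersion (out-degree) and Jaccard scoring over a host/port bipartite
graph built from constructed network flow records. Added illustration,
not Cray's SPARQL or Urika-GD code; all hosts and ports are made up."""
from collections import defaultdict

# Constructed flow records: (src_host, proto, dst_host, dst_port).
FLOWS = [
    # One wireless client touching 40 distinct servers on 22/tcp: scanning.
    *[("wifi:10.1", "tcp", f"ext:{n}", 22) for n in range(40)],
    # Normal clients: a few destinations each.
    ("wifi:10.2", "tcp", "ext:1", 443), ("wifi:10.2", "tcp", "ext:2", 443),
    ("wifi:10.3", "udp", "dns:1", 53), ("wifi:10.3", "tcp", "ext:3", 80),
    # Clients that reached the IDS-flagged port 9162 also use port 7668.
    ("wifi:10.4", "tcp", "ext:9", 9162), ("wifi:10.4", "tcp", "ext:9", 7668),
    ("wifi:10.5", "tcp", "ext:9", 9162), ("wifi:10.5", "tcp", "ext:8", 7668),
    ("wifi:10.6", "tcp", "ext:9", 9162), ("wifi:10.6", "tcp", "ext:8", 7668),
    ("wifi:10.6", "tcp", "ext:2", 443),
]

def dispersion(flows):
    """Out-degree per (src, proto, dst_port): number of distinct destinations."""
    dests = defaultdict(set)
    for src, proto, dst, port in flows:
        dests[(src, proto, port)].add(dst)
    return {key: len(d) for key, d in dests.items()}

def scanners(flows, threshold=20):
    """Keys whose dispersion exceeds the (constructed) threshold."""
    return sorted(k for k, n in dispersion(flows).items() if n > threshold)

def hosts_by_port(flows):
    """Bipartite neighbourhood: port -> set of source hosts using it."""
    by_port = defaultdict(set)
    for src, _proto, _dst, port in flows:
        by_port[port].add(src)
    return by_port

def jaccard_scores(flows, seed_port):
    """Jaccard index between the seed port's host set and every other port's
    host set; ports are never linked directly, only through shared hosts."""
    by_port = hosts_by_port(flows)
    seed = by_port[seed_port]
    scores = {}
    for port, hosts in by_port.items():
        if port == seed_port:
            continue
        union = seed | hosts
        scores[port] = len(seed & hosts) / len(union) if union else 0.0
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
```

A port with a high score and no direct link to the seed port is a candidate for the same infected population, which is what the team then confirmed by hand.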

Linux SSH Brute-Forcing

In SSH brute-forcing, an adversary connects to an SSH server and attempts to guess the password for an account on the system. The adversary repeats this behavior thousands of times. These attacks are mitigated by strong passwords and restrictions on the external hosts from which the server accepts connections. SCinet enacted neither of these mitigations; every booth and attendee at the conference chose their own passwords for their accounts, and all hosts were allowed to receive SSH connection requests from any internal or external clients.

With the Linux malware in the environment, the network security team spent the four days of the conference identifying infected hosts using IDS tools and then notifying infected users. The team identified multiple hosts per day and visited three to four booths each day to inform them of their infection and recommend mitigations. Cray participated in this analysis by identifying likely internal hosts that may have been compromised, using graph search and visualization techniques over a set of merged datasets, including flow, IDS alerts, DHCP events and HTTP activities, to enable forensic analysis. Figures 2 and 3 show sample visualizations of the SSH connection networks identified in our analysis. Cray applied betweenness centrality (a Urika-GD platform-specific SPARQL extension) to extracted SSH connection networks to prioritize network hosts for network security mitigation. Figure 2 shows an example of betweenness centrality.

Figure 2. Betweenness centrality. Scinet:245.140 is the most central host in this graph.
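The following Python is an added example of betweenness centrality applied to an SSH connection graph for the prioritization described above; it implements Brandes' algorithm in plain Python rather than the Urika-GD SPARQL extension, and the connections are constructed (the scinet:245.140 label is borrowed from the Figure 2 caption; the other host names are made up).

```python
"""Betweenness centrality over a constructed SSH connection graph, used to
rank hosts for mitigation. Added illustration using Brandes' algorithm; not
the Urika-GD SPARQL extension the paper mentions. Host names are made up."""
from collections import defaultdict, deque

# Constructed SSH connections (src -> dst): a chain fanning out through one
# pivot host, plus an unrelated pair.
SSH_EDGES = [
    ("ext:a", "scinet:245.140"), ("ext:b", "scinet:245.140"),
    ("scinet:245.140", "scinet:12.7"), ("scinet:245.140", "scinet:12.8"),
    ("scinet:12.7", "scinet:30.1"), ("scinet:12.8", "scinet:30.2"),
    ("scinet:12.7", "scinet:30.2"),
    ("scinet:50.5", "scinet:50.6"),
]

def betweenness(edges):
    """Brandes' algorithm (directed, unweighted): per node, the share of
    shortest paths between other node pairs that pass through it."""
    adj = defaultdict(list)
    nodes = set()
    for u, v in edges:
        adj[u].append(v)
        nodes.update((u, v))
    cb = dict.fromkeys(nodes, 0.0)
    for s in nodes:
        stack, pred = [], defaultdict(list)
        sigma, dist = dict.fromkeys(nodes, 0), dict.fromkeys(nodes, -1)
        sigma[s], dist[s] = 1, 0          # sigma: shortest-path counts
        queue = deque([s])
        while queue:                       # BFS from s
            v = queue.popleft()
            stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = dict.fromkeys(nodes, 0.0)
        while stack:                       # accumulate dependencies
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                cb[w] += delta[w]
    return cb

def mitigation_order(edges):
    """Hosts ranked most-central first: where to start cleaning up."""
    cb = betweenness(edges)
    return sorted(cb, key=lambda h: (-cb[h], h))
```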

Wireless Network Failure

One afternoon during SC14, the SCinet network went down briefly and then restarted. Once the network came back up, clients were unable to reconnect to it. The wireless and network security teams worked together to identify the cause of the failure. Cray aided this analysis using Spark Streaming to identify DHCP servers present on the network. Cray's Spark Streaming analytics workflow allowed the combined team to quickly rule out a rogue DHCP server as a cause of the network failure.

Figure 3. SSH connection chain visualization.

Figure 4. Jaccard scoring. Urn:9162 is the seed port, and urn:7668 is the likely candidate target port.

Conclusion

Cray participated for another year in the SCinet network security team and used the Urika-GD graph discovery appliance and Spark Streaming to develop and perform a number of analyses in the four days of the SC14 conference. Using 1.6 billion records converted into 18.6 billion triples, these analyses used various graph techniques to quickly generate new analytics workflows, in minutes to hours, that execute within seconds.

About the Urika-GD Graph Data Analytics Appliance

Cybersecurity is one of the top use cases for the Urika-GD appliance. The appliance enables enterprises to:

- Discover unknown and hidden relationships and patterns in big data.
- Build a relationship warehouse, supporting inferencing/deduction, pattern-based queries and intuitive visualization.
- Perform real-time analytics on the largest and most complex graph problems.

The Urika-GD system features a large shared memory and a massively multithreaded custom processor designed for graph processing and scalable I/O. With its industry-standard, open-source software stack enabling reuse of existing skill sets and no lock-in, the Urika-GD appliance is easy to adopt. The Urika-GD appliance complements an existing data warehouse or Hadoop cluster by offloading graph workloads and interoperating within the existing enterprise analytics workflow.
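The rogue-server check used in the wireless failure investigation above (and described under Analytics Approaches) amounts to stateful counting over a stream of sensor records: a per-server histogram of count, earliest and latest, with an event the first time a server appears. The following Python is an added example that is not Cray's Spark Streaming job; it replaces the streaming runtime with a list of micro-batches, and the record layout and addresses are constructed.

```python
"""Streaming detection of new DHCP/DNS servers, keeping for each server a
histogram of uses (count, earliest, latest) and emitting an event the first
time a server is seen. Added illustration in plain Python, not Cray's Spark
Streaming job; record layout and addresses are constructed."""
from dataclasses import dataclass

@dataclass
class ServerStats:
    count: int
    earliest: float
    latest: float

class ServerTracker:
    """State carried across micro-batches: (service, server_ip) -> stats."""
    def __init__(self):
        self.seen = {}

    def update(self, batch):
        """Consume one micro-batch of (ts, service, server_ip) records and
        return an event for every server never observed before."""
        events = []
        for ts, service, server in batch:
            key = (service, server)
            stats = self.seen.get(key)
            if stats is None:
                self.seen[key] = ServerStats(1, ts, ts)
                events.append((ts, service, server))
            else:
                stats.count += 1
                stats.earliest = min(stats.earliest, ts)
                stats.latest = max(stats.latest, ts)
        return events

# Constructed records shaped like fields from Bro's dhcp.log and dns.log:
# (timestamp, service, responding server). The third batch introduces a
# DHCP server that the first two never showed, which is what an alert is for.
BATCHES = [
    [(100.0, "dhcp", "10.0.0.1"), (101.0, "dns", "10.0.0.53"),
     (102.0, "dhcp", "10.0.0.1")],
    [(160.0, "dns", "10.0.0.53"), (161.0, "dhcp", "10.0.0.1")],
    [(220.0, "dhcp", "10.0.7.77"), (221.0, "dhcp", "10.0.0.1")],
]

def run_batches(batches):
    """Replay batches through one tracker (the batch/retrospective mode);
    returns the emitted events and the final histogram."""
    tracker = ServerTracker()
    events = [e for batch in batches for e in tracker.update(batch)]
    return events, tracker.seen
```

The same `update` method would be called per micro-batch in a live stream; the histogram is what lets an analyst see at once whether a DHCP server is new or has been answering since the network came up.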

Acknowledgements

Written by Eric Dull, formerly of Cray Inc. Cray's Peter Himmelfarb, system administrator, provided configuration and support during SC14.

2015 Cray Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of the copyright owners. Cray is a registered trademark, and the Cray logo and Cray Urika-GD are trademarks of Cray Inc. Other product and service names mentioned herein are the trademarks of their respective owners.