Protographs: Graph-Based Approach to NetFlow Analysis. Jeff Janies RedJack FloCon 2011



Similar documents
Data Fusion Enhancing NetFlow Graph Analytics

Flow Based Traffic Analysis

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Voice over IP. Demonstration 1: VoIP Protocols. Network Environment

Network Monitoring Using Traffic Dispersion Graphs (TDGs)

2010 Carnegie Mellon University. Malware and Malicious Traffic

ACHILLES CERTIFICATION. SIS Module SLS 1508

Introduction to Network Discovery and Identity

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

DDoS Protecion Total AnnihilationD. DDoS Mitigation Lab

Applied Detection and Analysis Using Network Flow Data

Plugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help

Nemea: Searching for Botnet Footprints

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

Solution of Exercise Sheet 5

Analysis of Network Beaconing Activity for Incident Response

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Communication Systems Internetworking (Bridges & Co)

NSC E

Chapter 8 Security Pt 2

Edge Configuration Series Reporting Overview

Project 4: (E)DoS Attacks

Analysis of a DDoS Attack

Data Sheet. V-Net Link 700 C Series Link Load Balancer. V-NetLink:Link Load Balancing Solution from VIAEDGE

Seminar Computer Security

TDC s perspective on DDoS threats

Main functions of Linux Netfilter

Design and Implementation of an Interactive DBMS-supported Network Traffic Analysis and Visualization System

Packet Sniffing on Layer 2 Switched Local Area Networks

Cisco IOS Flexible NetFlow Technology

Security Technology White Paper

LIST OF FIGURES. Figure No. Caption Page No.

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Analysis of Network Packets. C DAC Bangalore Electronics City

Safeguards Against Denial of Service Attacks for IP Phones

NetFlow use cases. ICmyNet / NetVizura. Miloš Zeković, milos.zekovic@soneco.rs. ICmyNet Chief Customer Officer Soneco d.o.o.

Cloud Networking Disruption with Software Defined Network Virtualization. Ali Khayam

Question: 3 When using Application Intelligence, Server Time may be defined as.

Characteristics of Network Traffic Flow Anomalies

Troubleshooting Tips and Tricks

CS 457 Lecture 19 Global Internet - BGP. Fall 2011

Transport and Network Layer

Firewall Implementation

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump

Flow Visualization Using MS-Excel

More Netflow Tools: For Performance and Security

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

Investigation and Comparison of MPLS QoS Solution and Differentiated Services QoS Solutions

Configuring Security for FTP Traffic

Detecting Botnets with NetFlow

QoS (Quality of Service)

Network Visibility Guide

Denial of Service Attacks

Datagram-based network layer: forwarding; routing. Additional function of VCbased network layer: call setup.

Attack and Defense Techniques 2

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Overview of Network Traffic Analysis

Network Security: Workshop. Dr. Anat Bremler-Barr. Assignment #2 Analyze dump files Solution Taken from

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Firewall Defaults and Some Basic Rules

Network Layer. Introduction Datagrams and Virtual Circuits Routing Traffic Control. Data delivery from source to destination.

Research on Errors of Utilized Bandwidth Measured by NetFlow

Network Security in Practice

Performance of networks containing both MaxNet and SumNet links

How To Prevent DoS and DDoS Attacks using Cyberoam

Viete, čo robia Vaši užívatelia na sieti? Roman Tuchyňa, CSA

Chapter 28 Denial of Service (DoS) Attack Prevention

Mobile IP Network Layer Lesson 02 TCP/IP Suite and IP Protocol

Outline. Outline. Outline

DoS/DDoS Attacks and Protection on VoIP/UC

Brocade NetIron Denial of Service Prevention

The changing face of global data network traffic

Sample Network Analysis Report

nfdump and NfSen 18 th Annual FIRST Conference June 25-30, 2006 Baltimore Peter Haag 2006 SWITCH

I3: Maximizing Packet Capture Performance. Andrew Brown

Port evolution: a software to find the shady IP profiles in Netflow. Or how to reduce Netflow records efficiently.

Communication Networks. MAP-TELE 2011/12 José Ruela

Network Performance Monitoring at Minimal Capex

An apparatus for P2P classification in Netflow traces

Introduction to Network Traffic Monitoring. Evangelos Markatos. FORTH-ICS

Lab 3: Recon and Firewalls

How to protect your home/office network?

Overview of TCP/IP. TCP/IP and Internet

Maximize Network Visibility with NetFlow Technology. Andy Wilson Senior Systems Engineer Lancope

Ranch Networks for Hosted Data Centers

A SOCIAL NETWORK ANALYSIS APPROACH TO ANALYZE ROAD NETWORKS INTRODUCTION

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Fuzzy Network Profiling for Intrusion Detection

How Much Broadcast and Multicast Traffic Should I Allow in My Network?

Ethernet. Ethernet. Network Devices

Transcription:

Protographs: Graph-Based Approach to NetFlow Analysis Jeff Janies RedJack FloCon 2011

Thesis Using social networks we can complement our existing volumetric analysis. Identify phenomenon we are missing because they are just not bandwidth heavy enough. Relate behaviors in novel ways. What is really the most important host in a collection a network?

Social Network Analysis Demonstrates relationships through Graphs Allows us to map out interconnections. Objective measure of social importance Who connects the groups together? Who can influence communication? 3

Protocol Graphs Protocol Graphs Social networks of host communications. (Who talked to whom) Undirected Graphs Vertices The hosts that communicated. Edges Connects between hosts that communicated. Analyze a specific phenomenon. Ex: BotNet, P2P, Established services

Protograph Tool Processes raw SiLK NetFlow data. Produces protocol graphs. Only uses IP information. Reports centrality of hosts. Centrality How integral a host is to the group. 5

Example NetFlow SIP DIP Sport Dport Flags Bytes Pkts Stime 192.168.1.100 192.168.1.1 21234 80 SAF 220 4 2010/01/01T.. 192.168.1.1 192.168.1.100 80 21234 SAF 60035 5 2010/01/01T.. 10.0.1.35 192.168.1.15 32143 8080 SAR 180 4 2010/01/01T.. 192.168.1.15 10.0.1.35 8080 32143 SAR 502 5 2010/01/01T.. 10.0.1.35 192.168.1.100 32144 8080 SAR 180 4 2010/01/01T.. 192.168.1.100 10.0.1.35 8080 32144 SAR 502 5 2010/01/01T.. 10.0.1.35 192.168.1.115 32145 8080 SAR 180 4 2010/01/01T.. 192.168.1.115 10.0.1.35 8080 32145 SAR 502 5 2010/01/01T.. 10.0.1.35 192.168.1.200 32146 8080 SAR 180 4 2010/01/01T.. 192.168.1.200 10.0.1.35 8080 32146 SAR 502 5 2010/01/01T.. 6

NetFlow as a Protocol Graph That NetFlow Makes this graph. No Volume. No Direction. Just Connections. Centrality 10.0.1.35 Connects many. 192.168.1.100 Connects 192.168.1.1 to the rest of the graph. If either removed, the graph is no longer fully connected. 7

Centrality A measure of social importance. Betweenness How efficiently a vertex connects the graph. (protograph) Degree How many vertices are connected to the vertex. (SiLK rwuniq) Closeness How close a vertex is to other vertices. Eigenvector How important a vertex is.

Betweenness Which hosts provide the most shortest paths through the network? g ij Geodesic paths through host i and j. G ikj Geodesic paths through host k for i and j.

Interpretation The higher the centrality value the more "important a host is to the graph. Without a central node the graph will break down into unconnected groups. (The protocol is effected) Example: If we have all a sample of P2P traffic, centrality tells us which host to remove to cause the most damage to the overlay s QoS. Not necessarily which host is the most talkative. 10

Volume & Betweenness Spikes in centrality may exist without spikes in bandwidth. Centrality measures something not tied to volume. Sample data: One week long sample of TCP/IP traffic. Ephemeral port to ephemeral port. >1K bytes, >4 packets. Divided into intervals of 60, 30, and 15 minutes.

Volume measures

Betweenness Centrality

Betweenness Centrality Spike 1 Spike 2

Volume measures Spike 1 Spike 2

Spike 1 3 hosts have 4x the centrality measure of any host measured at any other time. all three part of same phenomenon. One host was a scan victim of two unrelated hosts. The only overlap in scan victims was this host. One scanned ~37,000 destinations on port 20,000. (usermin exploit) One SA scanned ~3,500 destinations. (various ports)

Spike 2 1 host has 3x the centrality of any other host measured at any other time. Contacts 20,000 hosts that connect a graph of 31,000 hosts. Active for 6 minutes and sent out 17 million packets. Scanner.

Second Data Sample Increased resolution to one minute intervals. One Week of TCP/IP ephemeral port to ephemeral port traffic: >120 bytes per direction. >3 packets. Contains at least a SYN and ACK flag in the OR of observed Flags.

Betweenness and Degree Comparing centralities gives richer understanding of hosts relationships. Examine hosts that have high Betweenness with modest Degree. Hosts that are important without being directly connected to many other hosts.

Volume Vs. Centralities

Only Betweenness Spikes Recorded each IP address max Degree and Betweenness values. Divided spikes, or exceedingly high Betweenness centralities into strata. High (>10,000) - All IP addresses also had comparatively high Degree centrality. Low (>1,000 and <10,000) - We investigated 11 IP addresses that had spikes in Betweenness without comparatively high Degree.

High Betweenness Low Degree 9 victims of vulnerability scans. Vulnerability scans requiring full connections. Scanner connects them to a lot of hosts. 1 contacted a host that contacted everything. It provides a service for a promiscuous host. 1 connected several of the hosts with high Degree and Betweenness centrality. Connecting segments of a P2P network. Easily identified high value asset to the P2P network.

Summary Social network analysis: Identifying components of a behavior. Complementary tool to volumetric measures. It does not consider direction or volume. Still a great deal of tuning required to make this into an actionable utility. 23

References Stephen P. Borgatti, Centrality and Network flow, Social Neworks, Vol. 27, No. 1. 2005.