Monitoring Trends in Network Flow for Situational Awareness



Similar documents
2012 CyberSecurity Watch Survey

Exploring the Interactions Between Network Data Analysis and Security Information/Event Management

Merging Network Configuration and Network Traffic Data in ISP-Level Analyses

Network Analysis with isilk

Supply-Chain Risk Management Framework

Network Monitoring for Cyber Security

Assurance Cases for Design Analysis of Complex System of Systems Software

Overview. CMU/SEI Cyber Innovation Center. Dynamic On-Demand High-Performance Computing System. KVM and Hypervisor Security.

CERT Virtual Flow Collection and Analysis

Contracting Officer s Representative (COR) Interactive SharePoint Wiki

Resolving Chaos Arising from Agile Software Development

Evaluating the Quality of Software Engineering Performance Data

Moving Target Reference Implementation

VoIP in Flow A Beginning

Risk Management Framework

SOA for Healthcare: Promises and Pitfalls

Applying Software Quality Models to Software Security

CMMI for SCAMPI SM Class A Appraisal Results 2011 End-Year Update

How To Use Elasticsearch

CMMI: What do we need to do in Requirements Management & Engineering?

A Study of Systems Engineering Effectiveness. Building a Business Case for Systems Engineering

Architectural Implications of Cloud Computing

Getting Started with Service- Oriented Architecture (SOA) Terminology

Assurance in Service-Oriented Environments

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

An Application of an Iterative Approach to DoD Software Migration Planning

How To Ensure Security In A System

Kurt Wallnau Senior Member of Technical Staff

Department of Homeland Security Cyber Resilience Review (Case Study) Matthew Butkovic Technical Manager - Cybersecurity Assurance, CERT Division

UFO: Verification with Interpolants and Abstract Interpretation

Arcade Game Maker Pedagogical Product Line: Marketing and Product Plan

Sustaining Operational Resiliency: A Process Improvement Approach to Security Management

The Key to Successful Monitoring for Detection of Insider Attacks

Cyber Intelligence Workforce

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division

Operationally Critical Threat, Asset, and Vulnerability Evaluation SM (OCTAVE SM ) Framework, Version 1.0

Common Testing Problems: Pitfalls to Prevent and Mitigate

Abuse of CPE Devices and Recommended Fixes

Using Domain Name Registrant Information To Identify Malicious Domains

USE OF ARIMA TIME SERIES AND REGRESSORS TO FORECAST THE SALE OF ELECTRICITY

Automated Provisioning of Cloud and Cloudlet Applications

The CERT Top 10 List for Winning the Battle Against Insider Threats

Penetration Testing Tools

Model Checking Distributed Software

Ipek Ozkaya Senior Researcher

Interpreting Capability Maturity Model Integration (CMMI ) for Service Organizations a Systems Engineering and Integration Services Example

Software Architecture for Big Data Systems. Ian Gorton Senior Member of the Technical Staff - Architecture Practices

Buyer Beware: How To Be a Better Consumer of Security Maturity Models

$100 SiLK Network Flow Sensor

Third Party Software Used In PLEK500 (Utility for Win) v1.x.xx.xxx

Information Asset Profiling

A Systematic Method for Big Data Technology Selection

Service Measurement Index Framework Version 2.1

Introduction to the OCTAVE Approach

CERT Resilience Management Model (RMM) v1.1: Code of Practice Crosswalk Commercial Version 1.1

Extending AADL for Security Design Assurance of the Internet of Things

IBM SPSS Forecasting 22

Agile Development and Software Architecture: Understanding Scale and Risk

Guidelines for Developing a Product Line Production Plan

Preview of the Mission Assurance Analysis Protocol (MAAP): Assessing Risk and Opportunity in Complex Environments

Building Resilient Systems: The Secure Software Development Lifecycle

Incident Management Capability Metrics Version 0.1

Experiences in Migrations of Legacy Systems

DoD Software Migration Planning

CMMI for Acquisition, Version 1.3

emontage: An Architecture for Rapid Integration of Situational Awareness Data at the Edge

CMMI for Development, Version 1.3

Software Security Engineering: A Guide for Project Managers

Software Vulnerabilities in Java

Apache: Analyze Logs for Malicious Activities & Monitor Server Performance

Vector Time Series Model Representations and Analysis with XploRe

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

TIME SERIES ANALYSIS

CMMI for Development, Version 1.3

A Framework for Categorizing Key Drivers of Risk

GEO Sticky DNS. GEO Sticky DNS. Feature Description

Deriving Software Security Measures from Information Security Standards of Practice

Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination

Building Security Into Closed Network Design

Open Source Used In Cisco Instant Connect for ios Devices 4.9(1)

The CERT Approach to Cybersecurity Workforce Development

Forecasting of Paddy Production in Sri Lanka: A Time Series Analysis using ARIMA Model

Data Management Maturity (DMM) Model Update

Open Source Software used in the product

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability

Univariate and Multivariate Methods PEARSON. Addison Wesley

Time Series Analysis

Interpreting Capability Maturity Model Integration (CMMI ) for Business Development Organizations in the Government and Industrial Business Sectors

Software Assurance Competency Model

Time Series Analysis of Network Traffic

CA Nimsoft Monitor. Probe Guide for DNS Response Monitoring. dns_response v1.6 series

Open Source Management

Insider Threat Control: Using Universal Serial Bus (USB) Device Auditing to Detect Possible Data Exfiltration by Malicious Insiders

TIBCO MFT BusinessWorks MFT Palette

Guidelines for Developing a Product Line Concept of Operations

"Account" means the Account open with NFDA by the Firm for Website Construction Services and Website Hosting Services.

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability, Version 2.0

Allscripts Professional EHR

VITAL SIGNS Quick Start Guide

TIME SERIES ANALYSIS

Transcription:

Monitoring Trends in Network Flow for Situational Awareness SEI CERT NetSA 2011 Carnegie Mellon University

NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder. This Presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013. 2

Introduction Network monitoring plays a vital role in network security and network situational awareness Monitoring > traffic data over time Time series data > Spikes, trends, periodicities Some attacks may result in other changes in patterns Underlying patterns often difficult to discern 3

Overview Propose some new metrics to track changes Four groups of metrics Estimate relative changes Output can be displayed as a dashboard Possible extensions References 4

Proposed metrics A) Parameters from the distribution {Mean; Std. Dev. Skewness Kurtosis} B) Percentile-based {10% 30% 70% 90%] Robust around median Remove outliers 5

Time Series-based Metrics Time domain > autocorrelation (by lags) >partial autocorrelation (by lags) ARIMA models > autoregressive component (PACF) > moving average components (ACF) C) Track ACF(1) ACF(2) ACF(3) PACF(2) PACF(3) Can be extended to more lags 6

Other time series properties D) Trends and Variances Linear trend Quadratic trend Burstiness (alternative measures) Heteroscedasticity (variance of the variance) Extension: Self-similarity 7

Estimation For all measures: D = [m(2) m(1)]/m(1) ~ Relative change Display on dashboard Keep repeating over each pair of consecutive periods Alerts based on thresholds: D > T 8

Situational Awareness and Alerts Setting a threshold: CI-based Need trial data; location specific Set from empirical experience Calibrate to balance FPs and FNs 9

Setting Alerts Threshold 1. Any individual D > T 2. Function of the Ds: A(D; w) > L 3. Special case: Alert when n out of the 16 Ds are greater than T 4. Calibrate thresholds for the individual Ds Indicator I(i) = 1 if any D(i) > T(i) 0 otherwise > Alert if ΣI(i) n 10

Simplified Algorithm Select an IP set (or IP) of interest Select other conditions (service/protocol/ports/etc.) Decide on time periods to compare (24 hours or other) Decide on bin size (time slices to compute the time series) Set data collection for two preceding time periods Collect the two time series data Estimate the 16 metrics (4 each in the four groups) Decide on thresholds Display /(Set alerts) 11

Example of a dashboard M SD SK KUR 10% 30% 70% 90% ACF1 ACF2 PACF1 PACF2 b1 b2 B H/h 12

Conclusions and Future Directions Proposed some new metrics to extract more information from flow data Try out with known test cases Try alternative metrics Develop and validate interpretation of these metrics Generalize to other analyses: DNS traffic 13

References Statistics Statistics for Business and Economics D. R. Anderson, D. J. Sweeney and T. A. Williams Multivariate Data Analysis J. F., B. Black, B. Babin and R. E. Anderson Statistics for Business and Economics J. T. McClave, P. George Benson and Terry Sincich Time Series Introduction to Time Series and Forecasting - P. J. Brockwell and R. A. Davis Introduction to Time Series Analysis and Forecasting D. C. Motgomery, C. L. Jennings and M. Kulhaci Times Series Analysis G. E. P. Box, G. M. Jenkins and G. C. Reinsel 14

Security Metrics IT Security Metrics L. Hayden Complete Guide to Security and Privacy Metrics D. S. Herrmann Security Metrics A. Jaquith Statistical Packages: Any standard package 15

THANK YOU! smoitra@cert.org 16

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information