Netflow Data-Mining Techniques Chris Poetzel Argonne National Laboratory Scott Pinkerton.

22 July 2004, ESCC Meeting, slide 2: Netflow Data Mining
Argonne Background Information
Sliding Window Analysis
Using Contextual Knowledge to adjust data-mining
Incident Investigation
Integration, Integration, Integration
Future
Conclusions

Slide 3: ANL Background
Utilize OSU's Flow-Tools written by Mark Fullmer
Collecting from 14 different routers/switches at ANL-East
~600GB currently stored and growing
1 year retention period desired – backing off as we add devices
Current collection/analysis station: IBM 360, RedHat Linux, 8GB RAM, MHz CPU

Slide 4: Sliding Window Analysis
The raw volume of Netflow data can make data-mining long and cumbersome
Implemented a 5 minute sliding window for analysis
–Every minute, check previous 5 minutes of data (via cron jobs)
–Reduces processing time (~20 secs)
–Catches vast majority of scans/probes in near real-time

Slide 5: Contextual Knowledge
Which way is the data flowing?
Contextual knowledge will affect what we search for & what we do with the results
[Diagram: 2x2 matrix of Source (IN/OUT) against Destination (IN/OUT)]

Slide 6: OUT -> IN
–Receive many class B/C scans a day
–Only watch for scans on open FW ports
Dynamically read FW config every ½ hour to determine open ports in FW
–Use Netflow data to look for scans on open FW ports
Fast scans: script executed every minute looking at past 5 minutes of data to catch fast scanners
Slow scans: script run every hour looking at previous 24 hours of data to catch slow scanners
–Once scanner detected, send IP for FW shun

Slide 7: IN -> OUT
Looking for problem machines at the Lab
–1st approximation is to look at machines which have contacted a large # of Internet hosts in a short period of time
–Can indicate a compromised/infected machine
Exclude a number of internal machines based on a priori knowledge – servers, domain controllers, network scanning machines (ignore)

Slide 8: IN -> IN
Requires collection on multiple internal switches/routers
Detect internal scanning
–Cron job runs every hour
–Infected host scanning local subnet/supernet
–Detect unauthorized internal network scans
Post-mortem forensic value
–What did an internally compromised machine do once it was compromised
–Track down cross-contamination

Slide 9: OUT -> OUT
May not apply to every site
Co-location personnel or transport traffic constitute OUT -> OUT traffic on a network
Scans in the OUT -> OUT direction are detected and the appropriate network admin/security personnel are notified
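The direction-dependent checks of slides 4 to 9 (sliding window, OUT->IN scans limited to open firewall ports, IN->OUT hosts contacting many Internet hosts minus an exclusion list, IN->IN subnet sweeps) reduce to one pattern: bucket flows by direction, keep only those inside the window, and count distinct destinations per source. The following is an added example written for this page, not the Argonne flow-tools scripts. The internal prefix, open-port set, exclusion list, thresholds and all flow records are constructed assumptions.

```python
"""Direction-aware Netflow checks over a sliding window (added illustration)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed site layout (assumption, not ANL's addressing): one internal /16.
INTERNAL_NETS = [ip_network("10.10.0.0/16")]
# Inbound ports the firewall allows. The talk re-reads these from the FW
# config every half hour; here they are a constructed set.
OPEN_FW_PORTS = {22, 80, 443}
# Internal hosts excluded on a-priori knowledge (servers, domain controllers,
# authorized scanners). Constructed addresses.
KNOWN_BUSY_HOSTS = {"10.10.0.53", "10.10.0.10"}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(flow):
    """Slide 5: which way is the data flowing? Returns e.g. 'OUT->IN'."""
    src = "IN" if is_internal(flow["src"]) else "OUT"
    dst = "IN" if is_internal(flow["dst"]) else "OUT"
    return f"{src}->{dst}"


def in_window(flows, now, minutes):
    """Sliding window (slide 4): only flows that started in the last `minutes`."""
    cutoff = now - timedelta(minutes=minutes)
    return [f for f in flows if cutoff <= f["start"] <= now]


def distinct_peers(flows):
    """Map each source address to the set of distinct destinations it touched."""
    peers = defaultdict(set)
    for f in flows:
        peers[f["src"]].add(f["dst"])
    return peers


def sources_over(flows, threshold, exclude=frozenset()):
    """Sources touching at least `threshold` distinct destinations, sorted."""
    return sorted(src for src, dsts in distinct_peers(flows).items()
                  if src not in exclude and len(dsts) >= threshold)


def external_scanners(flows, now, minutes, threshold):
    """OUT->IN (slide 6): external sources sweeping internal hosts on open FW
    ports. minutes=5 is the fast-scan job, minutes=1440 the slow-scan job."""
    window = [f for f in in_window(flows, now, minutes)
              if direction(f) == "OUT->IN" and f["dport"] in OPEN_FW_PORTS]
    return sources_over(window, threshold)


def chatty_internal_hosts(flows, now, minutes, threshold):
    """IN->OUT (slide 7): internal hosts contacting many Internet hosts in a
    short time, minus the a-priori exclusion list."""
    window = [f for f in in_window(flows, now, minutes) if direction(f) == "IN->OUT"]
    return sources_over(window, threshold, KNOWN_BUSY_HOSTS)


def internal_scanners(flows, now, minutes, threshold):
    """IN->IN (slide 8): internal hosts sweeping the local subnet/supernet."""
    window = [f for f in in_window(flows, now, minutes) if direction(f) == "IN->IN"]
    return sources_over(window, threshold, KNOWN_BUSY_HOSTS)


# --- constructed sample flows (not real data) --------------------------------
NOW = datetime(2004, 7, 22, 12, 0, 0)


def _flow(minutes_ago, src, dst, dport):
    return {"start": NOW - timedelta(minutes=minutes_ago),
            "src": src, "dst": dst, "dport": dport}


SAMPLE_FLOWS = (
    # fast external sweep of SSH across an internal /24, two minutes ago
    [_flow(2, "203.0.113.7", f"10.10.1.{i}", 22) for i in range(1, 41)]
    # sweep of a port the FW blocks: not worth alerting on
    + [_flow(1, "198.51.100.9", f"10.10.1.{i}", 1433) for i in range(1, 41)]
    # slow external scanner: one HTTP probe per hour over the past day
    + [_flow(60 * h, "192.0.2.44", f"10.10.2.{h}", 80) for h in range(1, 24)]
    # infected workstation reaching out to many Internet hosts
    + [_flow(3, "10.10.5.20", f"198.51.100.{i}", 445) for i in range(1, 61)]
    # DNS server legitimately talks to many hosts: on the exclusion list
    + [_flow(3, "10.10.0.53", f"192.0.2.{i}", 53) for i in range(1, 61)]
    # internal host sweeping its own subnet half an hour ago
    + [_flow(30, "10.10.7.9", f"10.10.7.{i}", 139) for i in range(1, 31)]
)


def run_checks(flows=SAMPLE_FLOWS, now=NOW):
    """The per-minute, hourly and daily jobs of the talk, in one call."""
    return {
        "fast_scanners": external_scanners(flows, now, 5, 20),
        "slow_scanners": external_scanners(flows, now, 1440, 20),
        "chatty_hosts": chatty_internal_hosts(flows, now, 5, 50),
        "internal_scanners": internal_scanners(flows, now, 60, 20),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits}")
```

Note that the blocked-port sweep never surfaces: filtering to open firewall ports first is what keeps the per-minute job to a handful of seconds and the alarm list short, and the slow scanner only appears once the window is widened to 24 hours.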

Slide 10: Incident Investigation 1/2
What to do when an incident happens? (Besides pull your hair out)
Netflow data is invaluable in cyber security investigations.
Start by classifying IP addresses into a taxonomy
–Possible bad guy
–Possible victims
–Possible intermediary (stepping stone, rootkit resource site, etc.)
–This process can be aided by host syslog, etc.

Slide 11: Incident Investigation 2/2
By identifying the possible victims, the process of containment and clean-up becomes much easier
Netflow has become an invaluable tool for our cyber security team
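One way to build the taxonomy of slide 10 from flow records is to start at the one address already believed hostile and walk the flows forward in time: internal hosts it reached become possible victims, internal hosts a victim then reached become further victims (the cross-contamination of slide 8), and external hosts a victim talked to after its first suspicious contact become possible intermediaries. This is an added example, not the Argonne team's procedure; the internal prefix, the seed address and every flow are constructed.

```python
"""Seed-and-pivot IP taxonomy for an incident (added illustration)."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.10.0.0/16")  # constructed site prefix (assumption)


def is_internal(ip):
    return ip_address(ip) in INTERNAL_NET


def classify(flows, seed):
    """Return the three buckets of slide 10 as sorted lists.

    possible victims: internal hosts contacted by the seed, plus internal hosts
      contacted by a victim after that victim's own first suspicious contact
    possible intermediaries: external hosts a victim talked to after compromise
      (stepping stone, download site, ...), other than the seed itself
    Flows are processed in time order so suspicion only propagates forward.
    """
    compromised_at = {}   # internal host -> time of first suspicious contact
    intermediaries = set()
    for f in sorted(flows, key=lambda f: f["start"]):
        src, dst, t = f["src"], f["dst"], f["start"]
        src_is_bad = src == seed or (src in compromised_at and t >= compromised_at[src])
        if not src_is_bad:
            continue
        if is_internal(dst):
            compromised_at.setdefault(dst, t)
        elif src != seed and dst != seed:
            intermediaries.add(dst)
    return {
        "possible_bad_guy": [seed],
        "possible_victims": sorted(compromised_at),
        "possible_intermediaries": sorted(intermediaries),
    }


# --- constructed sample incident (not real data) ------------------------------
T0 = datetime(2004, 7, 22, 3, 0, 0)
SEED = "203.0.113.7"  # constructed "possible bad guy"


def _flow(minutes_after, src, dst):
    return {"start": T0 + timedelta(minutes=minutes_after), "src": src, "dst": dst}


SAMPLE_FLOWS = [
    _flow(-60, "10.10.1.5", "198.51.100.99"),  # before compromise: ordinary traffic
    _flow(0, SEED, "10.10.1.5"),               # seed reaches the first internal host
    _flow(2, "10.10.1.5", "198.51.100.20"),    # victim pulls something from outside
    _flow(3, "10.10.1.5", SEED),               # victim answers the seed: not an intermediary
    _flow(5, "10.10.1.5", "10.10.1.6"),        # lateral move inside the lab
    _flow(7, "10.10.1.6", "198.51.100.21"),    # second victim talks outside
    _flow(1, "10.10.1.9", "198.51.100.30"),    # unrelated host, never touched
]

if __name__ == "__main__":
    for bucket, hosts in classify(SAMPLE_FLOWS, SEED).items():
        print(f"{bucket}: {hosts}")
```

The time ordering matters: the victim's earlier, pre-compromise traffic to 198.51.100.99 stays out of the intermediary list, which is exactly the containment scoping slide 11 describes.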

Slide 12: Integration³
To improve the signal-to-noise ratio of cyber security events, correlating netflow data with other data sources has been very helpful
–IDS logs
–ARP/CAM tables – MAC "persistence"
–Firewall logs
–DHCP/VPN logs
–Host based syslog

Slide 13: IDS & Netflow Logs
Used to cross-validate either an IDS or a Netflow alarm with each other
IDS alarms usually give specific points of attack
Netflow can be used to provide background or framework of attack
Netflow + IDS can provide a better perspective of cyber security events
Store IDS and Netflow logs in the same directory structure to make searching easier
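The cross-validation of slides 12 and 13 can be expressed as a lookup from an IDS alarm into the flow records around it: does Netflow confirm that the alarm's source actually sent traffic to the alarm's destination and port, and what else did that source touch in the same window? The block below is an added example, not the Argonne team's code; the date-based directory layout, the alarm record and the flows are constructed assumptions.

```python
"""Cross-validating an IDS alarm against Netflow (added illustration)."""
from datetime import datetime, timedelta


def day_dir(kind, ts):
    """Slide 13: keep IDS and Netflow logs under one date-based tree so a
    search for one day finds both. Layout is a constructed convention."""
    return f"{ts:%Y/%m/%d}/{kind}"


def correlate(alarm, flows, minutes=5):
    """Cross-validate one IDS alarm with the flows from the same source
    within +/- `minutes` of the alarm time.

    confirmed: Netflow saw src -> dst on the alarm's port in that window
    other_targets: the other destinations the source touched (the 'framework
    of attack' the IDS point alarm lacks)
    """
    lo = alarm["time"] - timedelta(minutes=minutes)
    hi = alarm["time"] + timedelta(minutes=minutes)
    nearby = [f for f in flows if lo <= f["start"] <= hi and f["src"] == alarm["src"]]
    confirmed = any(f["dst"] == alarm["dst"] and f["dport"] == alarm["dport"] for f in nearby)
    other_targets = sorted({f["dst"] for f in nearby if f["dst"] != alarm["dst"]})
    return {"confirmed": confirmed,
            "flows_from_source": len(nearby),
            "other_targets": other_targets}


# --- constructed sample alarm and flows (not real data) -----------------------
T = datetime(2004, 7, 22, 12, 0, 30)
ALARM = {"time": T, "src": "203.0.113.7", "dst": "10.10.1.5", "dport": 80,
         "sig": "constructed-signature-name"}


def _flow(delta, src, dst, dport):
    return {"start": T + delta, "src": src, "dst": dst, "dport": dport}


FLOWS = [
    _flow(timedelta(seconds=-20), "203.0.113.7", "10.10.1.5", 80),   # the alarm's traffic
    _flow(timedelta(minutes=-2), "203.0.113.7", "10.10.1.6", 80),    # same source, other host
    _flow(timedelta(minutes=-3), "203.0.113.7", "10.10.1.7", 80),    # same source, other host
    _flow(timedelta(hours=-2), "203.0.113.7", "10.10.1.50", 80),     # outside the window
    _flow(timedelta(0), "10.10.5.20", "198.51.100.3", 443),          # unrelated flow
]

if __name__ == "__main__":
    print("alarm stored under", day_dir("ids", T), "flows under", day_dir("netflow", T))
    print(correlate(ALARM, FLOWS))
```

An alarm whose source has no flows at all in the window is the case worth noticing: either the sensor and the collector see different traffic, or the alarm is spurious, and either way it deserves a lower priority than one Netflow confirms.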

Slide 14: VPN/Dial-up Scan/Virus Detection
Marriage of many data sources
Each dial-up/VPN login initiates a virus scan of the connected host
Dial-up/VPN connected host is monitored via netflow for outbound scanning activity
If the remotely connected host is determined to be virally infected or doing malicious behavior, the connection is terminated and the user account is locked
All actions are performed via automated scripts, no human intervention

Slide 15: Future
Host profiling via Netflow
–Determine what "normal" behavior for a host is and then alert when it varies from the norm
–Some IDS products are attempting this approach (Network Flight Recorder, Lancope)
Visualization of Netflow data
–Charts, graphs, animations of network conversations
–Work being done by NCSA
Better integration with other data sources

Slide 16: Conclusions
Collecting Netflow data to support cyber security activities is tremendously helpful. It is an invaluable data source for performing post-mortem forensic analysis, as well as an extremely helpful tool for performing real-time detection, notification, and active response – blocking an IP address.

Slide 17: Thanks
Chris Poetzel –
Scott Pinkerton –