Internet Traffic Analysis for Threat Detection
Joshua Thomas, CISSP; Thomas Conley, CISSP
Ohio University Communication Network Services

Abstract
 Useful logs may already exist at your institution.
 Network transaction logging is a very useful, flexible, and inexpensive tool for network security.
 Comprehensive network security relies on log collection and analysis.
 Analysis of log files can be automated, and can provide information that can be the basis for prevention and response procedures.

Start with what you have
 The collection and analysis of network transaction data is useful for a wide range of tasks:
   Security management
   Network billing and accounting
   Network operations management
   Performance analysis
 As a result, some form of network transaction logs may already exist within your institution, even if not specifically implemented for network security reasons.

“Pointed stick”
 Low cost, high returns
 Simple to implement
 Nonspecific, flexible
 Non-restrictive

Fundamental need
 Network transaction logs are arguably the most basic, necessary countermeasure in network security.
 Logs should form the basis for decisions regarding other security initiatives.
 Traffic analysis will be necessary to validate the performance of other security countermeasures.

Needs pyramid: Maslow’s Hierarchy (base to top)
 Biological and Physiological needs
 Safety needs
 Belongingness and Love needs
 Esteem needs
 Self-actualization

Needs pyramid: Network Security (Network Transaction Logs at the base; remaining levels as listed on the slide)
 Network Transaction Logs
 Security Staff
 Firewalls
 Host Security
 IDS/IPS

Transparent monitor
 Acts as a passive device, gathering traffic and performance statistics at appropriate places in the network (server or client locations).
 Is not necessarily a point of failure in your network.
 Unlike active devices such as firewalls or IDS/IPS systems, a passive monitor cannot alter network traffic.
 However, monitoring can co-exist with other network security devices, such as IDS/IPS.

Transparent monitor: Simple setup
(Diagram: Upstream Provider, Hub, Network Monitor, Network)

Scalable
 Mirroring traffic is relatively inexpensive.
 Institutions may choose to capture as much data as possible and only perform limited analysis as needed.
 There are appropriate solutions for implementing network transaction monitoring at just about every level of a network:
   Small lab environment
   Single department
   University border

Transparent monitor: Large-scale
(Diagram: ISP 1, ISP 2, Network Monitor)

Selective memory
 In order to store and analyze high volumes of traffic, the amount of data retained must be reduced in some way.

Selective memory: Depth
 IPS/IDS systems generally select certain transactions (via signature matching, etc.) for storage and analysis. In other words, only communications that match the selection criteria are recorded, and all other data is ignored.

Selective memory: Breadth
 Flow monitoring accounts for every transaction, but does not retain the content of the transactions.
 Transactions contain both routing information and content. Only routing information is retained.
 Applications that can capture this sort of transaction data include Argus, tcpdump (capturing headers only, with a small snaplen), Ethereal (now Wireshark), cflowd, etc.

Flow metrics
 Metrics generally captured in network transaction logs include:
   Source, destination IP addresses (for IP traffic)
   Beginning, end times
   Packet count
   Byte count
   TTL (for IP traffic)
   TCP flags (for TCP/IP traffic)
   TCP state progression (for TCP/IP traffic)
   Base sequence numbers (for TCP/IP traffic)
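The "breadth" approach and the metrics above can be shown concretely by turning packet headers into flow records. The example below is added here and is not code from the slides or from Argus; the packet list is constructed, and the bidirectional flow key (first packet seen defines the source side, which is also how Argus labels flows) is an assumption of this example. Every packet is counted, but the payload carried by each packet never reaches the record.

```python
"""Aggregate packet headers into bidirectional flow records (added example,
not from the original slides or the Argus project).  Every packet is
accounted for; payload bytes are deliberately not retained."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    ts: float          # capture time, seconds
    src: str
    dst: str
    proto: str         # "tcp", "udp", "icmp"
    sport: int         # 0 for protocols without ports
    dport: int
    length: int        # bytes on the wire
    ttl: int
    flags: str = ""    # TCP flags as letters: S, A, P, F, R (empty for non-TCP)
    seq: Optional[int] = None
    payload: bytes = b""   # present on the wire, never copied into a FlowRecord


@dataclass
class FlowRecord:
    src: str           # endpoint that sent the first packet seen
    dst: str
    proto: str
    sport: int
    dport: int
    start: float
    end: float
    src_pkts: int = 0
    dst_pkts: int = 0
    src_bytes: int = 0
    dst_bytes: int = 0
    src_ttl: Optional[int] = None      # TTL of first packet in each direction
    dst_ttl: Optional[int] = None
    flags: str = ""                    # union of TCP flags seen, in order first seen
    src_base_seq: Optional[int] = None # first sequence number seen per direction
    dst_base_seq: Optional[int] = None


FlowKey = Tuple[str, str, int, int, str]


def aggregate(packets: List[Packet]) -> List[FlowRecord]:
    """Fold packets into flows keyed on the 5-tuple in either direction."""
    flows: Dict[FlowKey, FlowRecord] = {}
    for p in sorted(packets, key=lambda x: x.ts):
        fwd: FlowKey = (p.src, p.dst, p.sport, p.dport, p.proto)
        rev: FlowKey = (p.dst, p.src, p.dport, p.sport, p.proto)
        if fwd in flows:
            rec, forward = flows[fwd], True
        elif rev in flows:
            rec, forward = flows[rev], False
        else:
            rec = FlowRecord(p.src, p.dst, p.proto, p.sport, p.dport, p.ts, p.ts)
            flows[fwd] = rec
            forward = True
        rec.end = max(rec.end, p.ts)
        if forward:
            rec.src_pkts += 1
            rec.src_bytes += p.length
            if rec.src_ttl is None:
                rec.src_ttl = p.ttl
            if rec.src_base_seq is None and p.seq is not None:
                rec.src_base_seq = p.seq
        else:
            rec.dst_pkts += 1
            rec.dst_bytes += p.length
            if rec.dst_ttl is None:
                rec.dst_ttl = p.ttl
            if rec.dst_base_seq is None and p.seq is not None:
                rec.dst_base_seq = p.seq
        for f in p.flags:            # keep the union of flags, not the payload
            if f not in rec.flags:
                rec.flags += f
    return list(flows.values())


def sample_packets() -> List[Packet]:
    """Constructed capture: one HTTP session, one DNS lookup, one half-open SYN."""
    c, s, d, x = "10.1.2.3", "192.0.2.10", "192.0.2.53", "203.0.113.9"
    return [
        Packet(0.000, c, s, "tcp", 51000, 80, 60, 64, "S", 1000),
        Packet(0.005, c, d, "udp", 40000, 53, 72, 64),
        Packet(0.006, d, c, "udp", 53, 40000, 120, 60),
        Packet(0.010, s, c, "tcp", 80, 51000, 60, 52, "SA", 5000),
        Packet(0.011, c, s, "tcp", 51000, 80, 52, 64, "A", 1001),
        Packet(0.012, c, s, "tcp", 51000, 80, 180, 64, "PA", 1001,
               b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        Packet(0.050, s, c, "tcp", 80, 51000, 1460, 52, "PA", 5001,
               b"HTTP/1.1 200 OK\r\n\r\n<html>..."),
        Packet(0.060, c, s, "tcp", 51000, 80, 52, 64, "FA", 1129),
        Packet(0.061, s, c, "tcp", 80, 51000, 52, 52, "FA", 6409),
        Packet(0.062, c, s, "tcp", 51000, 80, 52, 64, "A", 1130),
        Packet(1.000, x, "10.1.2.250", "tcp", 44444, 22, 60, 48, "S", 777),  # no reply
    ]


if __name__ == "__main__":
    for rec in aggregate(sample_packets()):
        print(rec)
```

The half-open SYN to 10.1.2.250 produces a record with flags "S" and zero reply packets, which is the shape a scan leaves in a flow log and is what later inference rules key on.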

Inference
 Certain traffic characteristics are very useful in making inferences about the nature of the traffic.
 Examples:
   Amount of bandwidth consumed
   Number of connection attempts
   Connections to unused address ranges

Automation
 Identifying problems through inference can be automated.
 Once the criteria have been clearly defined, the tasks that were once done by humans can be performed by simple programs.
 Once the identification of problems is automated, those results can be fed into response procedures.

Examples
 Compare logs with blacklists, such as known-spyware or spam source IP lists
 Examine traffic destined for non-populated subnets
 Noise-floor analysis
 TCP port usage
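The inference rules, their automation, and the examples listed above (blacklist comparison, unused subnets, TCP port usage, bandwidth and connection-attempt counts) come together in the script below. It is an added example, not the slides' or Argus's own code: the flow-log lines are constructed in a simple CSV layout rather than Argus's native format, and the unused subnets, blacklist entries and thresholds are assumptions chosen for the sample. Noise-floor analysis is not covered here.

```python
"""Automated inference over flow records (added example, not from the
original slides).  Flow lines, address ranges and thresholds are constructed."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class Flow:
    start: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int
    nbytes: int
    flags: str   # union of TCP flags seen (S, A, P, F, R); empty for non-TCP


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse the constructed CSV layout: start,src,sport,dst,dport,proto,pkts,bytes,flags."""
    flows: List[Flow] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, src, sport, dst, dport, proto, pkts, nbytes, flags = line.split(",")
        flows.append(Flow(float(start), src, int(sport), dst, int(dport),
                          proto, int(pkts), int(nbytes), flags))
    return flows


# Constructed sample log: internal network 10.1.0.0/16, external peers in
# documentation ranges.  203.0.113.9 sweeps port 22 across unused space.
SAMPLE_LOG = """\
# start,src,sport,dst,dport,proto,pkts,bytes,flags
1000.0,10.1.2.3,51000,192.0.2.10,80,tcp,8,1968,SAPF
1000.5,10.1.2.3,40000,192.0.2.53,53,udp,2,192,
1010.0,10.1.7.7,52000,198.51.100.20,443,tcp,12000,15000000,SAPF
1020.0,10.1.5.5,53000,198.51.100.66,8080,tcp,40,9000,SAPF
1030.0,10.1.9.9,54000,192.0.2.25,25,tcp,30,7000,SAPF
2000.0,203.0.113.9,44444,10.1.200.1,22,tcp,1,60,S
2000.1,203.0.113.9,44445,10.1.200.2,22,tcp,1,60,S
2000.2,203.0.113.9,44446,10.1.200.3,22,tcp,1,60,S
2000.3,203.0.113.9,44447,10.1.201.9,22,tcp,1,60,S
2000.4,203.0.113.9,44448,10.1.250.14,22,tcp,1,60,S
2000.5,203.0.113.9,44449,10.1.2.3,22,tcp,2,120,SR
"""

# Assumed: address ranges with no hosts assigned.  Nothing legitimate goes there.
UNUSED_SUBNETS = [ipaddress.ip_network("10.1.200.0/22"),
                  ipaddress.ip_network("10.1.250.0/24")]
# Assumed: stand-in for a known-spyware / spam source IP list.
BLACKLIST: Set[str] = {"198.51.100.66"}


def bandwidth_by_host(flows: List[Flow], threshold_bytes: int) -> Dict[str, int]:
    """Sources that sent at least threshold_bytes in the window."""
    totals: Counter = Counter()
    for f in flows:
        totals[f.src] += f.nbytes
    return {h: b for h, b in totals.items() if b >= threshold_bytes}


def connection_attempts(flows: List[Flow], min_targets: int) -> Dict[str, int]:
    """Sources that opened TCP connections (SYN seen) to many distinct targets."""
    targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and "S" in f.flags:
            targets[f.src].add((f.dst, f.dport))
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}


def dark_space_hits(flows: List[Flow]) -> Dict[str, int]:
    """Count flows per source aimed at unpopulated subnets."""
    hits: Counter = Counter()
    for f in flows:
        dst = ipaddress.ip_address(f.dst)
        if any(dst in net for net in UNUSED_SUBNETS):
            hits[f.src] += 1
    return dict(hits)


def blacklist_hits(flows: List[Flow]) -> List[Tuple[str, str, int]]:
    """Flows touching a blacklisted address on either side."""
    return [(f.src, f.dst, f.dport) for f in flows
            if f.src in BLACKLIST or f.dst in BLACKLIST]


def tcp_port_usage(flows: List[Flow]) -> Counter:
    """Destination-port histogram over SYN-bearing TCP flows (one per attempt)."""
    return Counter(f.dport for f in flows if f.proto == "tcp" and "S" in f.flags)


def run_checks(lines: Iterable[str], bw_threshold: int = 10_000_000,
               scan_targets: int = 5) -> Dict[str, object]:
    """The automated pass: every rule runs and its findings are returned together."""
    flows = parse_flows(lines)
    return {
        "heavy_hosts": bandwidth_by_host(flows, bw_threshold),
        "scanners": connection_attempts(flows, scan_targets),
        "dark_space": dark_space_hits(flows),
        "blacklist": blacklist_hits(flows),
        "ports": tcp_port_usage(flows),
    }


if __name__ == "__main__":
    for name, result in run_checks(SAMPLE_LOG.splitlines()).items():
        print(f"{name}: {result}")
```

The dictionary returned by run_checks is the hand-off point to response procedures: each key is a finding type a ticketing or blocking step can consume without a human re-reading the flows.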

Endless possibilities  We are constantly discovering new uses for network transaction logs

About our institution
 4,820 employees (1,069 full-time faculty)
 20,143 students (18,497 full-time students)
 90+ Mbps Internet bandwidth (2 ISPs)
 6,000,000,000+ packets per day
   3,000,000,000+ source packets
   3,000,000,000+ destination packets
 2,400+ GB per day (500+ DVD-ROMs)
   727 source GB per day
   1,675 destination GB per day
 ~12 GB Argus log files generated per day, on average (0.6% of the total bytes represented)

References/Resources
 RFC 2724, “RTFM: New Attributes for Traffic Flow Measurement.” (https://www.rfc-editor.org/rfc/rfc2724.txt)
 Argus: