Defeating Large Scale Attacks: Technology and Strategies for Global Network Monitoring The NetViewer Experiment PAVG in collaboration with Networking Systems.


Slide 1: Defeating Large Scale Attacks: Technology and Strategies for Global Network Monitoring. The NetViewer Experiment. PAVG in collaboration with Networking Systems. R. Kamath, E. Jang, D. Luckham

Slide 2: Project Goals
– Detect system misuse on a global level
– User re-configurable and flexible
– Hierarchical organization of monitors
– Correlation of distributed monitors
– Monitor activity from diverse sources
– Monitor at multiple levels of abstraction

Slide 3: Stanford NetViewer Experiment
– Uses the Stanford Rapide Toolset
– Uses Complex Event Processing technology
– Uses Talarian's SmartSockets (TM) middleware for distributed processing

Slide 4: NetViewer Experiment setup (figure)

Slide 5: SUNet Campus Network (figure). Labels on the diagram: Undergrad Education, Business School, Admin Host 1, Admin Host 2, Computer Center 1, Computer Center 2, Stanford Hospital, Grad. Education, Redundancy Gateway (four), Core Gateway (two), Internet, To FlowCollector.

Slide 6: Complex Event Processing
– Accepts network 'events' from any source
  – CISCO NetFlow FlowCollector, tcpdump
– Correlates events based on content and on the temporal relationship between events
– Event Processing Agents (EPAs) connected in an Event Processing Network (EPN)
– Both post-mortem and real-time processing

Slide 7: Event Processing Agents (EPAs): Loggers and Filters
– Loggers
  – Convert external data into events
  – E.g. CISCO FlowCollector logs to events
– Filters
  – Select a subset of events based on a pattern
  – E.g. only connections from Stanford hosts

Slide 8: EPAs: Maps and Viewers
– Maps
  – Search for patterns in input events
  – Generate appropriate output events
  – E.g. look for IP scans and generate alarms
– Viewers
  – Graphical display of data in events
  – Tables, bar graphs

Slide 9: RapNet User Interface
– RapNet
  – Graphical interface to the NetViewer tool
  – Easy access to the EPA and EPN library
  – Easy re-configuration of EPAs
  – Easy modification of EPNs
  – Construct new EPNs using EPAs

Slide 10: NetViewer running under RapNet (screenshot)

Slide 11: Hierarchical Monitoring
– Two types of hierarchy
  – Abstraction hierarchy: NetViewer monitors data at different abstraction levels
  – Topological hierarchy: NetViewers at different locations
– NetViewers at different levels communicate using the SmartSockets middleware
– General case: an arbitrary network of monitors

Slide 12: Network Abstraction Hierarchy
– Application layer
  – Host-based monitoring
  – Data exchanged by the SMTP, TELNET, FTP and HTTP protocols
– Transport layer
  – Data exchanged by the TCP/IP suite of protocols
– Network layer
  – Router-based monitoring
  – IP and UDP packets

Slide 13: Topological Hierarchy: multiple gateways example
– Distributed processing of data
– Each NetViewer at level 1 monitors data from a different gateway
– Results (e.g. top 10 IPs) from the level 1 NetViewers are sent to the level 2 NetViewers
– Level 2 NetViewers correlate the results of the level 1 NetViewers
  – E.g. compute the top 10 IPs over all gateways
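The two-level correlation on this slide, written out as an added Python illustration (not NetViewer or Rapide code): level 1 ranks sources per gateway, level 2 sums the partial lists. The per-gateway flow summaries are constructed; the example also shows the blind spot a practitioner should check for, namely a source that is moderate at every gateway but heaviest campus-wide, which a level-2 merge of short top-k lists never sees.

```python
from collections import Counter

# Constructed per-gateway flow summaries: (source_ip, bytes). 10.9.9.9 is a
# mid-ranked talker at every gateway but the heaviest source campus-wide.
GATEWAY_FLOWS = {
    "core-gw-1": [("10.1.0.1", 500), ("10.1.0.2", 400), ("10.9.9.9", 300), ("10.1.0.3", 100)],
    "core-gw-2": [("10.2.0.1", 500), ("10.2.0.2", 400), ("10.9.9.9", 300), ("10.2.0.3", 100)],
    "press-gw":  [("10.3.0.1", 500), ("10.3.0.2", 400), ("10.9.9.9", 300), ("10.3.0.3", 100)],
}

def level1_top(flows, k):
    """Level-1 NetViewer: bytes per source IP at one gateway; only the top k are sent up."""
    totals = Counter()
    for ip, nbytes in flows:
        totals[ip] += nbytes
    return dict(totals.most_common(k))

def level2_correlate(partials, k):
    """Level-2 NetViewer: add up the level-1 partial results and rank them campus-wide."""
    merged = Counter()
    for part in partials:
        merged.update(part)
    return merged.most_common(k)

def hierarchical_top(gateways, k, k_level1=None):
    """Run the two-level hierarchy; k_level1 lets level 1 report a longer list than k."""
    partials = [level1_top(flows, k_level1 or k) for flows in gateways.values()]
    return level2_correlate(partials, k)

def exact_top(gateways, k):
    """Ground truth over every record from every gateway, for comparison."""
    merged = Counter()
    for flows in gateways.values():
        merged.update(level1_top(flows, len(flows)))
    return merged.most_common(k)
```

With k=2 the hierarchy misses 10.9.9.9 entirely, while letting level 1 report a longer list (k_level1=3) or raw per-source totals above a byte threshold recovers it.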

Slide 14: Distributed monitoring on SUNet (figure). Labels on the diagram: Admin host, Core gateway, Admin host, Press gateway, SmartSockets over SUNet, Sender running NetViewer 1, Sender running NetViewer 2, Receiver running NetViewer 3.

Slide 15: Current Status: EPAs
– Library of Event Processing Agents (EPAs)
  – Traffic categories: Web, Mail, DNS, ftp ...
  – Scan detectors: IP scan, port scan
  – Policy violation detectors: access to restricted hosts; access to restricted ports on hosts
  – Traffic event filters: Web, Mail, Hosts, Networks
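The logger, filter and map agents of slides 6 to 8, chained into a small EPN that feeds the IP-scan and port-scan detectors of slide 15, as an added Python illustration (not NetViewer, Rapide or Cisco code). The FlowCollector-style log lines, the campus prefix (192.0.2.0/24 is a placeholder) and the window and thresholds are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed FlowCollector-style records: start_time src_ip dst_ip dst_port proto
FLOW_LOG = """\
1000 192.0.2.10 203.0.113.5 80 6
1001 192.0.2.10 203.0.113.6 80 6
1002 192.0.2.10 203.0.113.7 80 6
1003 192.0.2.10 203.0.113.8 80 6
1004 198.51.100.9 192.0.2.2 22 6
1004 192.0.2.33 192.0.2.2 21 6
1005 192.0.2.33 192.0.2.2 22 6
1006 192.0.2.33 192.0.2.2 23 6
1007 192.0.2.33 192.0.2.2 25 6
"""
CAMPUS = ip_network("192.0.2.0/24")  # assumed campus prefix, placeholder only

def logger(text):
    """Logger EPA: convert raw log lines into event dicts."""
    for line in text.splitlines():
        t, src, dst, port, proto = line.split()
        yield {"time": int(t), "src": src, "dst": dst, "port": int(port), "proto": int(proto)}

def campus_filter(events):
    """Filter EPA: keep only connections whose source is a campus host."""
    return (e for e in events if ip_address(e["src"]) in CAMPUS)

def scan_map(events, window=10, ip_thresh=4, port_thresh=4):
    """Map EPA: emit one alarm event per source for an IP scan (many destinations)
    or a port scan (many ports on one destination) seen inside a sliding time window."""
    recent = {"IP_SCAN": defaultdict(list), "PORT_SCAN": defaultdict(list)}
    alarmed = set()
    for e in events:
        now = e["time"]
        checks = (("IP_SCAN", e["src"], e["dst"], ip_thresh),
                  ("PORT_SCAN", (e["src"], e["dst"]), e["port"], port_thresh))
        for kind, key, value, thresh in checks:
            hits = [(t, v) for t, v in recent[kind][key] if now - t <= window]
            hits.append((now, value))
            recent[kind][key] = hits  # drop entries that fell out of the window
            distinct = len({v for _, v in hits})
            if distinct >= thresh and (kind, key) not in alarmed:
                alarmed.add((kind, key))
                yield {"alarm": kind, "src": e["src"], "time": now, "distinct": distinct}

def run_epn(text):
    """EPN: logger -> filter -> map, returning the alarm events the map generated."""
    return list(scan_map(campus_filter(logger(text))))
```

run_epn(FLOW_LOG) yields an IP_SCAN alarm for 192.0.2.10 and a PORT_SCAN alarm for 192.0.2.33; the external source 198.51.100.9 never reaches the map because the filter drops it.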

Slide 16: Current Status: EPNs
– Library of Viewers
  – Tables
  – Bar graphs
  – Pie charts
– Library of Event Processing Networks (EPNs)
  – Network of EPAs
  – Graphical viewers to display results

Slide 17: Research Directions
– Hierarchical monitoring
  – Data sources from different layers
  – Correlation of results from multiple NetViewers
– Accept more input formats
– Distributed processing
  – Assign individual EPAs within a NetViewer to run on different machines
– Expand the EPA library
  – Work on mail spam detection

Slide 18: Experiment results on SUNet
– NetViewer used to process router logs
  – Real-time performance of about 1000 log records/sec
– Generated traffic statistics
  – Top IPs by packets or bytes
  – Classification of traffic into categories such as internal/external, web/mail/DNS etc.
– Intrusion detection
  – Detected IP and port scans
  – Well-known attack signatures, e.g. the finger attack

Slide 19: Related projects: CIDF
– Correlates information from multiple intrusion detectors
  – Reduces false alarms
  – Prioritizes network warnings
– Part of the DARPA Common Intrusion Detection Framework (CIDF)
  – Multiple intrusion detectors in a cyber battlefield

Slide 20: Overview of the CIDF project
Goal: experiment with the semantic interoperability of different components in CIDF.
Groups involved:
– Group A: produces GIDOs, questions, detailed English descriptions of the events, and the answers to the questions.
– Group B: gets 10 scenarios and produces 10 GIDOs describing the scenarios.
– Group C: gets the questions and high-level scenarios from B and builds the code. Then gets 10 GIDOs and produces text answers to the questions. Stanford belongs to group C.

Slide 21: Processing GIDOs with CEP agents
– Make each GIDO an event
– Use (and fix) our existing cidfLogger
– Separate event processing agent called "Qagent"
– Provides a flexible way of handling GIDOs

Slide 22: Qagent
– Finds an answer from a given GIDO and a query pattern.
– Qagent traverses the tree to find all the possible paths that can lead to the answer.
– The question is fed to the program as a text file with two sections:
  – The input file may contain a text description
  – Patterns to be searched for in the tree. The pattern lines are preceded with
– Implemented in C++ (i.e. not in the map language)
  – Easier tree traversal
  – File input

Slide 23: Pattern Language
– A list of SIDs separated by commas. The answer is the subtree after the last SID.
  Example: Attack,AttackSpecifics,IPV4Address
– "#true" or "#false" to get the sibling SID rather than the child SID of the last SID as the answer.
  Example: ByMeansOf,Attack#true
– '^' to indicate that the SID is one of the base SIDs that applies to all other parts of the pattern.
  Example: ^And,^Copy,Outcome,ReturnCode?success=FileSource,File Name

Slide 24: Examples
Event 1, brief description: This is an attack that began on Monday, May 24, at 12:44. What is the certainty of this attack?
Pattern: Attack,Certainty
GIDO:
  ( Attack
    ( Initiator ( IPV4Address ) )
    ( Target ( IPV4Address ) )
    ( AttackSpecifics ( Certainty 100 ) ( Severity 50 ) ( AttackID f ) )
    ( When ( BeginTime Mon May 24 12:44: PDT ) ( EndTime Mon May 24 12:44: PDT ) ) )
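The comma-separated SID patterns of slides 22 to 24 applied to the slide's example GIDO, as an added Python illustration (Qagent itself is C++ and its source is not on the page). The code assumes the matching semantics the slides describe: the SIDs must occur in order along a root-to-leaf path, not necessarily as direct parent and child (Certainty sits under AttackSpecifics, yet Attack,Certainty must find it), the answer is the subtree after the last SID, and a trailing #true returns the last SID's siblings instead; the '^' base-SID form is not implemented. Values the transcript elided are kept as they appear.

```python
import re

# The slide's example GIDO with its closing parenthesis restored; elided values
# (the two IPV4Address fields, AttackID, the seconds) are left as the transcript shows them.
GIDO = """( Attack ( Initiator ( IPV4Address ) ) ( Target ( IPV4Address ) )
  ( AttackSpecifics ( Certainty 100 ) ( Severity 50 ) ( AttackID f ) )
  ( When ( BeginTime Mon May 24 12:44: PDT ) ( EndTime Mon May 24 12:44: PDT ) ) )"""

def parse_sexpr(text):
    """Parse an S-expression into nested lists: '( A ( B 1 ) )' -> ['A', ['B', '1']]."""
    tokens = re.findall(r"\(|\)|[^\s()]+", text)
    pos = 0
    def node():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok != "(":
            return tok
        items = []
        while tokens[pos] != ")":
            items.append(node())
        pos += 1  # consume the closing ')'
        return items
    return node()

def query(tree, pattern):
    """Qagent-style lookup (assumed semantics): the comma-separated SIDs must occur in order
    along a root-to-leaf path, not necessarily adjacent; the answer is the subtree after the
    last SID. A trailing '#true' returns the siblings of the last SID instead of its children.
    One answer is returned per matching path."""
    sids = pattern.split(",")
    want_siblings = sids[-1].endswith("#true")
    sids[-1] = sids[-1].split("#")[0]
    answers = []
    def walk(node, parent, i):
        if not isinstance(node, list) or not node:
            return  # leaf value, nothing to match
        j = i + 1 if node[0] == sids[i] else i
        if j == len(sids):
            siblings = [c for c in parent[1:] if c is not node] if parent else []
            answers.append(siblings if want_siblings else node[1:])
            return
        for child in node[1:]:
            walk(child, node, j)
    walk(tree, None, 0)
    return answers
```

query(parse_sexpr(GIDO), "Attack,Certainty") returns [['100']], answering the slide's question; Attack,IPV4Address returns one (empty) answer per path, one for the Initiator and one for the Target.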

Slide 25: Team Members
– Rajesh Kamath
– David Luckham
– Eunhei Jang
– John Kenney
– James Vera