Connect communicate collaborate Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool Wayne Routly, Maurizio Molina.

Slides:



Advertisements
Similar presentations
NETFLOW & NETWORK-BASED APPLICATION RECOGNITION
Advertisements

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
High Performance Research Network. Development Lab. / Supercomputing Center 1 Design of the Detection and Response System against DDoS attacks Yoonjoo.
NORDUnet Nordic Infrastructure for Research & Education DDoS Mitigation at NORDUnet Lars Fischer (w/ big thanks to Martin Aldrin) TF-MSP Meeting Malta,
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.
Multi-Layer Switching Layers 1, 2, and 3. Cisco Hierarchical Model Access Layer –Workgroup –Access layer aggregation and L3/L4 services Distribution Layer.
FLAME: A Flow-level Anomaly Modeling Engine
Abilene Transit Security Policy Joint Techs Summer ’05 Vancouver, BC, CA Steve Cotter Director, Network Services Steve Cotter Director,
Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC) Mark S. Bruhn, Interim Director University Copyright.
UNITS meeting September 30, 2004 Network Security Roger Safian
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
NetFlow Analyzer Drilldown to the root-QoS Product Overview.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
(Geneva, Switzerland, September 2014)
Arbor Multi-Layer Cloud DDoS Protection
© 2014 Level 3 Communications, LLC. All Rights Reserved. Proprietary and Confidential. Polycom event Security Briefing 12/03/14 Level 3 Managed Security.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
INTERNET TOPOLOGY MAPPING INTERNET MAPPING PROBING OVERHEAD MINIMIZATION  Intra- and inter-monitor redundancy reduction IBRAHIM ETHEM COSKUN University.
Association of Communications Engineers Corralling the Broadband Stampede May 7 – 9, 2012 Fort Worth, Texas.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Connect. Communicate. Collaborate A Network Security Service for GÉANT2 (and beyond….) Maurizio Molina, DANTE TNC 08, Brugges, 20 th May 2008.
Differences between In- and Outbound Internet Backbone Traffic Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University.
Using Windows Firewall and Windows Defender
Chapter 6: Packet Filtering
Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece TNC.
GN2 Performance Monitoring & Management : AA Needs – Nicolas Simar - 2 nd AA Workshop Nov 2003 Malaga, Spain GN2 Performance Monitoring & Management.
INDIANAUNIVERSITYINDIANAUNIVERSITY TransPAC2 Security John Hicks TransPAC2 Indiana University 22nd APAN Conference – Singapore 20-July-2006.
Session 2 Security Monitoring Identify Device Status Traffic Analysis Routing Protocol Status Configuration & Log Classification.
Honeypot and Intrusion Detection System
Alberto Rivai Teknologi pemantauan jaringan internet untuk pendeteksian dini terhadap ancaman dan gangguan Alberto Rivai
1 CISCO SAFE: VALIDATED SECURITY REFERENCE ARCHITECTURE What It Is Business Transformation Top Questions To Ask To Initiate The Sale Where It Fits KEY.
Performance Monitoring - Internet2 Member Meeting -- Nicolas Simar Performance Monitoring Internet2 Member Meeting, Indianapolis.
DoWitcher: Effective Worm Detection and Containment in the Internet Core S. Ranjan et. al in INFOCOM 2007 Presented by: Sailesh Kumar.
Connect. Communicate. Collaborate Experiences with tools for network anomaly detection in the GÉANT2 core Maurizio Molina, DANTE COST TMA tech. Seminar.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
MonNet – a project for network and traffic monitoring Detection of malicious Traffic on Backbone Links via Packet Header Analysis Wolfgang John and Tomas.
Chapter 5: Implementing Intrusion Prevention
1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies
Heuristics to Classify Internet Backbone Traffic based on Connection Patterns Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering.
A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.
Connect communicate collaborate GÉANT3 Services Connectivity and Monitoring Services by and for NRENs Ann Harding, SWITCH TNC 2010.
© 2004 AARNet Pty Ltd Measurement in aarnet3 4 July 2004.
SNORT Biopsy: A Forensic Analysis on Intrusion Detection System By Asif Syed Chowdhury.
DoS attacks on transit network - David Harmelin ( ) Denial of Service attacks on transit networks David Harmelin DANTE.
FOR INTERNAL USE ONLY [Your business] exceeds with COLT Network Response to DDoS attacks – TNC 2006 Nicolas FISCHBACH Senior Manager, Network Engineering.
1 Network Measurement Summary ESCC, Feb Joe Metzger ESnet Engineering Group Lawrence Berkeley National Laboratory.
Open-Eye Georgios Androulidakis National Technical University of Athens.
Connect. Communicate. Collaborate The Security Model of GÉANT2: A Co-operative Approach Christoph Graf, SWITCH TNC’07, Lyngby, 22 May 2007.
Research and Education Networking Information Sharing and Analysis Center REN-ISAC Doug Pearson Director, REN-ISAC
1 Virtual Dark IP for Internet Threat Detection Akihiro Shimoda & Shigeki Goto Waseda University
High Performance Research Network Dept. / Supercomputing Center 1 DDoS Detection and Response System NetWRAP : Running on KREONET Yoonjoo Kwon
Internet2 Abilene & REN-ISAC Arbor Networks Peakflow SP Identification and Response to DoS Joint Techs Winter 2006 Albuquerque Doug Pearson.
Charaka Palansuriya EPCC, The University of Edinburgh An Alarms Service for Federated Networks Charaka.
© 2014 Level 3 Communications, LLC. All Rights Reserved. Proprietary and Confidential. Simple, End-to-End Performance Management Application Performance.
1 Netflow Collection and Aggregation in the AT&T Common Backbone Carsten Lund.
Logging and Monitoring. Motivation Attacks are common (see David's talk) – Sophisticated – hard to reveal, (still) quite limited in our environment –
KEYNOTE OF THE FUTURE 3: DAVID BECKETT CSIT PhD Student QUEEN’S UNIVERSITY BELFAST.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
1 Network Measurement Challenges LHC E2E Network Research Meeting October 25 th 2006 Joe Metzger Version 1.1.
Internet Quarantine: Requirements for Containing Self-Propagating Code
Jian Wu (University of Michigan)
Improved Algorithms for Network Topology Discovery
Authors – Johannes Krupp, Michael Backes, and Christian Rossow(2016)
Technology & Analytics
Impact of Packet Sampling on Anomaly Detection Metrics
Balancing Risk and Utility in Flow Trace Anonymization
Improving global routing security and resilience
Presentation transcript:

connect communicate collaborate Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool Wayne Routly, Maurizio Molina - (DANTE) Ignasi Paredes-Oliva - Universitat Politècnica de Catalunya (UPC) Ashish Jain - (Guavus) TNC, Vilnius, 2 nd June 2010

connect communicate collaborate Content Introduction: The network and the service scenario The Tools The benchmarking process Deployment and initial usage of the selected tool Some recent enhancements (Apriori) Network Security Service The Objectives The Service Details Current Status Event Workflow Conclusion

connect communicate collaborate The Network Scenario …. A Transit Network with Global Visibility Up to 60 Gbit/s in peak times +/- 10 Million Speaking Hosts Per Day Unusual “research” Traffic Large FTP Transfers SSH Traffic Grid Traffic Bandwidth Testing Traffic Mixed with “ordinary” Internet Traffic (e.g. DWS)

connect communicate collaborate The Service Elements Observe global security anomalies trends at the GÉANT “boundary” What are the most common attack types? What the potentially more harmful? Are some Networks heavy security anomalies sources or targets? Why? Can something be done about it? 1- Periodic Summary Reporting Specific events can be reported to NREN CERTs… …that the NREN may not have noted due to lack of monitoring… …or noted but lacking metadata for root cause analysis 2- Punctual Anomaly Notification

connect communicate collaborate Pre-requisite: anomaly detectability in GÉANT backbone Both service elements require anomaly “detectability” in the GÉANT backbone With Sampled NetFlow only => no dedicated probes! Already proved with NfSen plugins (Molina: TNC 08) Decision to look at commercial tools for: Support Quick evolution to detecting new threats Anomaly origin/destination analysis

connect communicate collaborate The benchmarked tools Three Distinct Tools Netreflex – Guavus – Fuses BGP & ISIS Data – Creates an 18 x 18 Router Matrix Peakflow SP – Arbor – Uses BGP & SNMP Data – Originally designed to pick large scale (D)DoS attacks Stealthwatch – Lancope – Per Host Behavioural Analysis – Requires 1 anomaly end point to be part of prefix list

connect communicate collaborate The benchmarking process Same data fed to tools 13 days of cross comparison 1066 anomalies in total Each anomaly Cross checked with NfSen and raw NetFlow Classified as True or False positive Some events forwarded to CERTs for further Confirmation & Discussion StealthwatchNetReflex Flow fanout Peakflow SP

connect communicate collaborate The benchmarking results: True and False Positives NeReflexPeakFlowStealtwatch

connect communicate collaborate The benchmarking results: source of anomalies NeReflexPeakFlowStealtwatch

connect communicate collaborate NetReflex vs Stealthwatch: more details Stealthwatch Netreflex Different scale!

connect communicate collaborate Tool Selection - Netreflex Chose Netreflex as the Tool for anomaly detection More uniform detection of Anomalies across Types More uniform detection across Geant Peers Higher Cross Section Of Detected Anomalies Strengths Cover Scans & (D)Dos Origin of Anomalies – Well Balanced NREN vs Non

connect communicate collaborate Deployment and Initial Usage of NetReflex NetFlow is now 1/100 sampled (was 1/1,000 during trials) Better detection Lower false positives (below 8%) Anomalies can be exported via Anomaly database created Statistics & Reports Generated for Analysis Netreflex v2.5 Deployed in Production Environment Advanced Filtering Capabilities in Anomaly Analysis Updated Reporting

connect communicate collaborate Early Results – Anomaly Distribution Network Scans 79% DDos only 2% Network Scans a Precursor 40% of Network Scans from _Global Connectivity Providers Network Scan SRC IP’s traced to _Port Scans & Dos Events

connect communicate collaborate Early Results – Source & Destination Grouping NRENs target of attacks at 70% 56% of Events originating outside of GN 38% of Events originating from NRENs NREN to no NREN accounts for 21% NREN to NREN 17% 25% of Countries & Regions account for _77% of Attacks

connect communicate collaborate Early Results, AS Pairs for Anomaly Distribution Global Connectivity _Providers Greece & Portugal? Israel & Estonia Small networks appear high in the list of targets: why?

connect communicate collaborate A (research) enhancement: apriori The manual validation of anomalies via NetFlow record inspection stimulated us to explore automatic approaches “Apriori”: algorithm adapted from marked basked analysis to find association rules (*) “If customer buys item X, what is he likely to buy as well?” Analogy: if a flow is involved in an anomaly, what other “similar” flows may be involved? We refined the original algorithm and implemented a GUI (*) D. Brauckhoff, et al. - Anomaly extraction in backbone networks using association rules - IMC’09 - November 2009.

connect communicate collaborate Apriori for mining anomalies: GUI Anomaly InvestigationAnomaly detection

connect communicate collaborate Apriori for mining anomalies: one example The Anomaly detection tool detected this port scan Apiori revealed another port scan can on the same target, and a DDoS as well Portscans DDoS

connect communicate collaborate Network Security Service – The Objectives The NSS is a service that will enhance backbone security and will extend the NRENs ability to protect their infrastructure. – … thereby assisting in reducing the network impact of security events on their networks – … provide additional security incident response to NRENs to extend to their customers – … and prevent attacks against the GN infrastructure thereby providing a safer GN network

connect communicate collaborate Network Security Service – Event Workflow

connect communicate collaborate Network Security Service – The Service Details Protect GEANT Infrastructure Identify Threats Identify Targets & Sources Identify Affected Peering’s Protect NREN Access to the Backbone Collaborate with NRENs to mitigate threats affecting them Provide NREN’s with additional network visibility Assist less advanced NREN’s with security event notifications Provide reports on security events affecting NREN

connect communicate collaborate Phase 1 – Anomaly Detection Toolset Deployment, Selection & Tool Tuning Further Analysis & Reduction of FP rate Findings widely reported to community; TF-CSIRT; FIRST; Phase 2 - NREN Security Event reporting Reporting Security Events to NRENs Provide event evidence with notifications Collaborate with NREN’s on events. Increase level of security monitoring for NREN’s Network Security Service – Current Status

connect communicate collaborate Conclusion Proven detectability of Security Events in the Backbone Network Extensive Tool Comparison Trial Reduction in FP Ratio of Anomalies in Netreflex Automatic Anomaly Validation Network Security Service – Provide NREN’s with Additional Visibility – Provide Security Event Notification and Reporting Phase Two of Deployment – Targeted NREN Alerts – Closer Security Interaction & Collaboration

connect communicate collaborate Acknowledgements Daniela Brauckhoff & Xenofontas Dimitropoulos (ETH Zurich) for sharing their implementation of Apriori Domenico Vicinanza & Mariapaolo Sorrentino (DANTE) for the discussion on bandwidth test tools

connect communicate collaborate Conclusion Thank-You

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.