Connect. Communicate. Collaborate Experiences with tools for network anomaly detection in the GÉANT2 core Maurizio Molina, DANTE COST TMA tech. Seminar.

Presentation transcript:

Experiences with tools for network anomaly detection in the GÉANT2 core
Maurizio Molina, DANTE
COST TMA tech. Seminar, Samos, 23rd Sep 2008

The GÉANT Network
DANTE operates GÉANT2, the backbone network for National Research and Education Networks in Europe
–30+ NRENs, 2 global connectivity providers (Telia and GCrossing), peerings with other research networks (Abilene, Canarie, Clara, TEIN2, SINET…)

The GÉANT Network (IP layer)
–20 Juniper routers, tens of Gbit/s of aggregated traffic
–Main accesses and the backbone at 10 Gbit/s
Pls see

The Services
So…. Just a big pipe? No! Services:
–Dedicated L1-L2 circuits via multiple technologies
–Performance Monitoring services (perfSONAR)
–Support for federation of National AA Infrastructures (eduGAIN) and wireless roaming (eduROAM)
–Security Service – Very NEW!

The vision: enhance NRENs security
NRENs have their (more or less evolved…) CERTs to deal with security, and DANTE can filter traffic on GÉANT upon NRENs' request….
! BUT ! Can we be more proactive towards NREN CERTs, exploiting the visibility of the GN2 core?

The vision (cont.): enhance NRENs security
Approach: NetFlow (+ routing data) & good processing tools
–NetFlow v5 collector
–NetFlow collected on all peering interfaces
–1/1,000 sampling, ~3k flows/s

Proof of concept: Can we identify anomalies in the core?
Anomalies are often “hidden”. Requirements:
–High detection rate
–Low false positives
–Anomaly classification
–Evidence collection
NfSen

From “volume” to “IP feature entropies”
“IP features entropies” – simple linear filter

Drilling down on peaks
–Concentration of DST IPs and DST ports receiving flows
–Dispersion of SRC IPs and SRC ports
IRC server in Slovenia, receiving a lot of 60-byte SYN pkts on port 6667, mainly from a /16 subnetwork of a University in the Netherlands. Likely a “BotNet war”?

Drilling down on peaks (cont.)
–Concentration of SRC and DST IPs and SRC ports
–Dispersion of DST ports
Portscan of a host in CARNET, from 4 hosts, 29-byte packets
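The two drill-down cases above are the two signatures an IP-feature-entropy detector is meant to separate: a flood concentrates destination IP and port while sources disperse, a portscan concentrates source IP, source port and destination IP while destination ports disperse. The following script, added here and not part of the presentation or of NfSen, computes normalised Shannon entropy per feature over constructed sampled-NetFlow windows (the IP addresses, port numbers and the 0.35/0.65 thresholds are assumptions for illustration) and classifies the pattern.

```python
import math
from collections import Counter

# Constructed sampled-NetFlow windows (src_ip, src_port, dst_ip, dst_port),
# modelled on the two slide cases; not real GÉANT data.
FLOOD = [(f"198.51.100.{i}", 1024 + i, "192.0.2.10", 6667) for i in range(200)]
SCAN = [(f"203.0.113.{1 + i % 4}", 40000 + i % 4, "192.0.2.20", 1 + i) for i in range(200)]
NORMAL = [(f"203.0.113.{i % 60}", 1024 + i, f"192.0.2.{i % 40}", (80, 443, 53, 25)[i % 4])
          for i in range(200)]
FEATURES = ("src_ip", "src_port", "dst_ip", "dst_port")


def norm_entropy(values):
    """Shannon entropy of the value distribution, normalised by log2(n):
    0 = every record carries the same value, 1 = every record is distinct."""
    n = len(values)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(values).values())
    return h / math.log2(n)


def feature_entropies(flows):
    """One entropy per IP feature for a time window of flow records."""
    return {name: norm_entropy([f[i] for f in flows]) for i, name in enumerate(FEATURES)}


def classify(ent, low=0.35, high=0.65):
    """Map the concentration/dispersion pattern to the signatures seen on the slides.
    The thresholds are assumed values; in practice they are tuned per link."""
    conc = {k for k, v in ent.items() if v <= low}
    disp = {k for k, v in ent.items() if v >= high}
    if {"dst_ip", "dst_port"} <= conc and {"src_ip", "src_port"} <= disp:
        return "flood"      # many sources hitting one service (DoS / botnet-war pattern)
    if {"src_ip", "dst_ip", "src_port"} <= conc and "dst_port" in disp:
        return "portscan"   # few hosts sweeping one target's ports
    return "none"


if __name__ == "__main__":
    for label, window in (("normal", NORMAL), ("flood", FLOOD), ("scan", SCAN)):
        ent = feature_entropies(window)
        print(label, {k: round(v, 2) for k, v in ent.items()}, "->", classify(ent))
```

The same four entropies can be fed to the slide's linear filter over successive windows; a sudden drop in one feature with a rise in another is what shows up as a peak.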

Open source tools
Results:
–anomalies are observable in the GÉANT2 core
–Novel methodologies (IP feature entropy) for their classification are applicable
Limits:
–NfSen does not fuse NetFlow and routing data
–Extensions would need to be run (and tuned) on all ingress/egress points
–No support, no guaranteed development

Commercial tools
Test started Jun 08 (3 tools)
–Tool 1: PCA, entropy
–Tool 2: Large-scale DDoS and worm spread
–Tool 3: Per-host behaviour

Tool 1 (as a security tool…)
Two main novel elements:
–Principal Component Analysis (PCA)
–Both volume and IP feature entropy anomaly detection
Address what makes anomaly detection a complex task:
–PCA: single parameter to control detection sensitivity, even if anomalies are attributed to specific OD pairs
–Entropy: detection of both low-volume (scans) and high-volume (DoS) anomalies

Demo…. …. or screenshots….

Tool 2
Well-established (and expensive!) solution for detecting “large” events
–Originally based on large volume shifts only
–Now enhanced to give alerts on “fingerprints” (e.g. communication with C&C servers), shared by part of the user community (50 out of 120)
–No usage of routing data, though “zones” can be manually created via BGP prefix lists
–Traditional threshold-based detection (although adaptive)

Tool 3
Per-host behavioural analysis: rather complex “scoring” system to distinguish normal from abnormal behaviour
–Proprietary algorithms
–Doesn’t use routing info, though “zones” can be manually created via BGP prefix lists
–Potentially attractive methodology
–Concerns on scalability and accuracy with 1/1,000 sampling

Lessons learnt and directions for research
Manual validation is required to confirm/correct anomalies
–More automatic intelligence to help this process
–Fusion with other data sources (router logs? Honeynets?)
Detection space of the 3 tools often disjoint
–(Standard) anomaly injection
Operations need supported tools to support services
–If the choice is between “published but not a tool” and “secret but supported and (claiming to) work” => risk of sticking to the latter!
–Fill the gap towards TOOLS!

Thank you!