Visualizing network flows Gregory Travis Advanced Network Management Lab Indiana University

Slides:



Advertisements
Similar presentations
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Advertisements

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
IPv6. Major goals 1.support billions of hosts, even with inefficient address space allocation. 2.reduce the size of the routing tables. 3.simplify the.
REVEALING MIDDLEBOXES INTERFERENCE WITH TRACEBOX Gregory Detal*, Benjamin Hesmans*, Olivier Bonaventure*, Yves Vanaubel° and Benoit Donnet°. *Université.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
CS 457 – Lecture 16 Global Internet - BGP Spring 2012.
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Snort - Open Source Network Intrusion Detection System Survey.
Fusing Intrusion Data for Pro-Active Detection and Containment Mallikarjun (Arjun) Shankar, Ph.D. (Joint work with Nageswara Rao and Stephen Batsell)
The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.
Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Chapter 5 The Network Layer.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Martin Roesch Sourcefire Inc.
Examining IP Header Fields
Report on statistical Intrusion Detection systems By Ganesh Godavari.
Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems
Network Forensics Networking Basics Collecting Network-Based Evidence (NBE) Collection of Packets using Tools Windows Intrusion UNIX Intrusion.
Reading Report 14 Yin Chen 14 Apr 2004 Reference: Internet Service Performance: Data Analysis and Visualization, Cross-Industry Working Team, July, 2000.
Ana Chanaba Robert Huylo
Network Layer4-1 NAT: Network Address Translation local network (e.g., home network) /24 rest of.
Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece TNC.
IIT Indore © Neminah Hubballi
Intrusion Detection: Snort. Basics: History Snort was developed in 1998 by Martin Roesch. It was intended to be an open-source technology, and remains.
Information Visualization for Intrusion Detection Analysis: A Needs Assessment of Security Experts John Goodall, Anita Komlodi, Wayne G. Lutters UMBC Workshop.
NetFlow: Digging Flows Out of the Traffic Evandro de Souza ESnet ESnet Site Coordinating Committee Meeting Columbus/OH – July/2004.
Fall 2005Computer Networks20-1 Chapter 20. Network Layer Protocols: ARP, IPv4, ICMPv4, IPv6, and ICMPv ARP 20.2 IP 20.3 ICMP 20.4 IPv6.
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
MonNet – a project for network and traffic monitoring Detection of malicious Traffic on Backbone Links via Packet Header Analysis Wolfgang John and Tomas.
Intruders Detection Systems Presently there is much interest in systems, which can detect intrusions, IDS (Intrusion Detection System). IDS are of very.
Learning Rules for Anomaly Detection of Hostile Network Traffic Matthew V. Mahoney and Philip K. Chan Florida Institute of Technology.
Linux Networking and Security
Internetworking Internet: A network among networks, or a network of networks Allows accommodation of multiple network technologies Universal Service Routers.
1 Network Layer Lecture 16 Imran Ahmed University of Management & Technology.
CSC 600 Internetworking with TCP/IP Unit 7: IPv6 (ch. 33) Dr. Cheer-Sun Yang Spring 2001.
Group 8 Distributed Denial of Service. DoS SYN Flood DDoS Proposed Algorithm Group 8 What is Denial of Service? “Attack in which the primary goal is to.
Reducing false positives in intrusion detection systems by means of frequent episodes Lars Olav Gigstad.
Transport Layer3-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.3 What’s inside a router r 4.4 IP: Internet.
Internet Protocol Formats. IP (V4) Packet byte 0 byte1 byte 2 byte 3 data... – up to 65 K including heading info Version IHL Serv. Type Total Length Identifcation.
An overview.
Open-Eye Georgios Androulidakis National Technical University of Athens.
Advanced IDS Brian Caswell & Jeff Nathan. Kung Fu IDS Brian Caswell Jeff Nathan
Bradley Cowie Supervised by Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University DATA CLASSIFICATION FOR CLASSIFIER.
1 Virtual Dark IP for Internet Threat Detection Akihiro Shimoda & Shigeki Goto Waseda University
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
Network Intrusion Detection System (NIDS)
Lecture 21: Network Primer 7/9/2003 CSCE 590 Summer 2003.
4: Network Layer4-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.3 What’s inside a router r 4.4 IP: Internet.
IPv6 Internet Protocol, Version 6 Yen-Cheng Chen NCNU
Snort – IDS / IPS.
Internet Control Message Protocol (ICMP)
Introduction to TCP/IP networking
Hping2.
The New Internet Protocol
Internet Protocol Formats
Wireshark Lab#3.
The New Internet Protocol
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP)
Internet Protocol Formats
IPv4 Addressing By, Ishivinder Singh( ) Sharan Patil ( )
SNORT RULES.
Transport Protocols Relates to Lab 5. An overview of the transport protocols of the TCP/IP protocol suite. Also, a short discussion of UDP.
Presentation transcript:

Visualizing network flows Gregory Travis Advanced Network Management Lab Indiana University

Forest through the trees “Too much information” Abilene generating 5-6,000 flows/second Typically about 270, ,000 “active” active flows during the day “Raw” data analysis inadequate Forest through trees

SNORT raw log file example [**] [117:1:1] (spp_portscan2) Portscan detected from xxx.xxx: 4 targets 21 ports in 28 seconds [**] 10/14-09:50: xxx.xxx:80 -> xxx.xxx:49194 TCP TTL:60 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF ***A**S* Seq: 0xD756E195 Ack: 0xDDC23C59 Win: 0x16A0 TcpLen: 40 TCP Options (6) => MSS: 1460 NOP NOP TS: TCP Options => NOP WS: 0 [**] [116:97:1] (snort_decoder): Short UDP packet, length field > payload length [**] 10/14-09:51: xxx.xxx:0 -> xxx.xxx:0 UDP TTL:128 TOS:0x0 ID:16642 IpLen:20 DgmLen:206 Len: 178 [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] [Classification: Misc activity] [Priority: 3] 10/14-09:52: xxx.xxx -> xxx.xxx ICMP TTL:249 TOS:0x0 ID:0 IpLen:20 DgmLen:56 Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED ** ORIGINAL DATAGRAM DUMP: xxx.xxx -> xxx.xxx ICMP TTL:122 TOS:0x0 ID:2394 IpLen:20 DgmLen:92 ** END OF DUMP [**] [106:4:1] (spp_rpc_decode) Incomplete RPC segment [**] 10/14-09:52: xxx.xxx:5190 -> xxx.xxx:32771 TCP TTL:106 TOS:0x0 ID:45414 IpLen:20 DgmLen:98 DF ***AP*** Seq: 0xD9256CFA Ack: 0xC79F78B9 Win: 0x4000 TcpLen: 20 [**] [111:8:1] (spp_stream4) STEALTH ACTIVITY (FIN scan) detection [**] 10/14-13:18: xxx.xxx: > xxx.xxx:13091 TCP TTL:47 TOS:0x0 ID:59791 IpLen:20 DgmLen:52 DF *******F Seq: 0x32BE0760 Ack: 0x0 Win: 0xFFFF TcpLen: 32 TCP Options (3) => NOP NOP TS:

Problems with that Visually unattractive “Angry Fruit Salad” Information overload False-positives

Forest through the trees Evolution of visualization techniques Text-Based 2D visualization of old text information I.e. ACID interface to SNORT

ACID display

Ok, getting better. System is doing some aggregating for us. We have some visualization (traffic profile) This is from a real display (Fall Internet2 member’s meeting)

ACID display But still showing us the same alerts, the vast majority of which are not actually issues.

2D frontends Did much to clean up aggressive “angry fruit salad” of text-only interface Inherent advantage of “eye candy” But still relied on same underlying data Bias towards false-positives

Emergence of statistical tools Next step was emergence of so-called statistical tools Idea of establishing a baseline of “normal” activity Detect deviations from “normal” Throw a nice 2D front-end on it

ARBOR display

Statistical tools Even more aggregation (good) Greatly reduce “false positive” issue over signature tools But the bias is still there What’s more damning, overreporting or underreporting? More good eye candy

Problems with statistical tools You have to be able to establish a baseline of “normal” activity Is that even possible in a dynamic environment? Example: Abilene research Land Speed Records Protocol experiments Video over IP Drive the models “nuts.”

More problems Still have to map a lot of 2D-information onto a conceptual framework of the network “What are the ingress and egress points?” “Is this sourced, destined, or just transiting the network” Miss low-level activity as “noise” in the network I.e. slow portscans, host scans, etc.

Forest through the trees Evolution of visualization techniques Text-Based 2D visualization of old text information I.e. ACID interface to SNORT 3D visualization?

gCube Nascent effort to develop a useful 3D modelling capability. Not an original idea (Shakespeare had it first) Saw a similar tool at SC2003 Steve Lau (LBNL) Cube of potential doom BRO project ( Nevertheless, rooted in tragedy for sure Ongoing development

gCube Abilene in Winter

What is it? Basic version is 3D view of “flow” activity X/Z axis determined by source/destination IP Y axis determined by port number Usually destination port number

Where does it get its input? Three possible inputs: Direct NETFLOW feed Archived NETFLOW (files) PCAP view of local network

Looking down on Abilene

What are we seeing? Entire IPv4 address space (all 4 billion possible source and destination addresses) Blank areas represent portions of IP space not allocated to Abilene-connected institutions Allocation pattern is interesting 4 “towers” Early remnants of class-A allocations MIT,.gov, etc.

Side view of Abilene

What structures are visible? Special “floors” 32K port allocation floor 40K port allocation floor Density of port allocations at lower levels An apparent port scan!

The low level

Visualizing DDoS with gCube Eventual hope is to develop gCube into a DDoS visualization tool Particularly good at detecting Port Scans Host Scans Scans into “abnormal” IP space I.e. Slammer type stuff Rate/bandwidth anomalies

Simple case, portscan

Simulated Portscan

DDoS in the real world

What is that? January 14th, 2003, ~2-3PM EST Port scan of a destination address Spoofed source IP addresses Distributed equally through IP space Had been preceded by apparent “experiments” earlier in the day and earlier in the week (Jan 5th) Experiments used only a single or few test ports

Experiments

Note Attacks to three separate IPs/closely clustered groups of IPs Spoofed source IPs But possibly from as many as three different organizations At least one real source appeared to be suppressing sources from the multicast space

Backscatter

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.