Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internet Traffic Analysis for Threat Detection Joshua Thomas, CISSP Thomas Conley, CISSP Ohio University Communication Network Services Joshua Thomas,

Published byKerry Jackson Modified over 9 years ago

Similar presentations

Presentation on theme: "Internet Traffic Analysis for Threat Detection Joshua Thomas, CISSP Thomas Conley, CISSP Ohio University Communication Network Services Joshua Thomas,"— Presentation transcript:

1 Internet Traffic Analysis for Threat Detection Joshua Thomas, CISSP Thomas Conley, CISSP Ohio University Communication Network Services Joshua Thomas, CISSP Thomas Conley, CISSP Ohio University Communication Network Services

2 Abstract  Useful logs may already exist at your institution.  Network transaction logging is a very useful, flexible, and inexpensive tool for network security.  Comprehensive network security relies on log collection and analysis.  Analysis of log files can be automated, and can provide information that can be the basis for prevention and response procedures.  Useful logs may already exist at your institution.  Network transaction logging is a very useful, flexible, and inexpensive tool for network security.  Comprehensive network security relies on log collection and analysis.  Analysis of log files can be automated, and can provide information that can be the basis for prevention and response procedures.

3 Start with what you have  The collection and analysis of network transaction data is useful for a wide range of tasks  Security management  Network billing and accounting  Network operations management  Performance analysis  As a result, some form of network transaction logs may already exist within your institution, even if not specifically implemented for network security reasons.  The collection and analysis of network transaction data is useful for a wide range of tasks  Security management  Network billing and accounting  Network operations management  Performance analysis  As a result, some form of network transaction logs may already exist within your institution, even if not specifically implemented for network security reasons.

4 “Pointed stick”  Low cost, high returns  Simple to implement  Nonspecific, flexible  Non-restrictive  Low cost, high returns  Simple to implement  Nonspecific, flexible  Non-restrictive

5 Fundamental need  Network transaction logs are arguably the most basic, necessary countermeasure in network security.  Logs should form the basis for decisions regarding other security initiatives.  Traffic analysis will be necessary to validate the performance of other security countermeasures.  Network transaction logs are arguably the most basic, necessary countermeasure in network security.  Logs should form the basis for decisions regarding other security initiatives.  Traffic analysis will be necessary to validate the performance of other security countermeasures.

6 Needs pyramid: Maslow’s Hierarchy Biological and Physiological needs Safety needs Esteem needs Belongingness and Love needs Self-actualization

7 Needs pyramid: Network Security Network Transaction Logs Security Staff Firewalls Host Security IDS/IPS

8 Transparent monitor  Acts as a passive device, gathering traffic and performance statistics at appropriate places in networks (server or client locations)  Is not necessarily a point of failure in your network  Cannot alter network traffic, as active devices such as firewalls or IDS/IPS systems.  However, monitoring can co-exist with other network security devices, such as IPS/IDS  Acts as a passive device, gathering traffic and performance statistics at appropriate places in networks (server or client locations)  Is not necessarily a point of failure in your network  Cannot alter network traffic, as active devices such as firewalls or IDS/IPS systems.  However, monitoring can co-exist with other network security devices, such as IPS/IDS

9 Transparent monitor: Simple setup Upstream Provider Hub Network Monitor Network

10 Scalable  Mirroring traffic is relatively inexpensive.  Institutions may choose to capture as much data as possible and only perform limited analysis as needed.  There are appropriate solutions for implementing network transaction monitoring at just about every level of a network.  Small lab environment  Single department  University border  Mirroring traffic is relatively inexpensive.  Institutions may choose to capture as much data as possible and only perform limited analysis as needed.  There are appropriate solutions for implementing network transaction monitoring at just about every level of a network.  Small lab environment  Single department  University border

11 Transparent monitor: Large-scale ISP 1 ISP 2 Network Monitor

12 Selective memory  In order to be able to store and analyze high volumes of traffic, the memory demands must be reduced in some way.

13 Selective memory: Depth  IPS/IDS systems generally select certain transactions (via signature matching, etc.) for storage and analysis. In other words, only communications that match a selection criteria are recorded, and all other data is ignored. ! ! ! !

14 Selective memory: Breadth  Flow monitoring accounts for every transaction, but does not retain the content of the transactions.  Transactions contain both routing information and content. Only routing information is retained.  Applications that can capture this sort of transaction data include Argus, tcpdump, Ethereal, cflowd, etc.  Flow monitoring accounts for every transaction, but does not retain the content of the transactions.  Transactions contain both routing information and content. Only routing information is retained.  Applications that can capture this sort of transaction data include Argus, tcpdump, Ethereal, cflowd, etc.

15 Flow metrics  Metrics generally captured in network transaction logs include:  Source, destination IP addresses (for IP traffic)  Beginning, end times  Packet count  Byte count  TTL (for IP traffic)  TCP flags (for TCP/IP traffic)  TCP state progression (for TCP/IP traffic)  Base sequence numbers (for TCP/IP traffic)  Metrics generally captured in network transaction logs include:  Source, destination IP addresses (for IP traffic)  Beginning, end times  Packet count  Byte count  TTL (for IP traffic)  TCP flags (for TCP/IP traffic)  TCP state progression (for TCP/IP traffic)  Base sequence numbers (for TCP/IP traffic)

16 Inference  Certain traffic characteristics are very useful in making inferences about the nature of the traffic.  Examples:  Amount of bandwidth consumed  Number of connection attempts  Connections to unused address ranges  Certain traffic characteristics are very useful in making inferences about the nature of the traffic.  Examples:  Amount of bandwidth consumed  Number of connection attempts  Connections to unused address ranges

17 Automation  Identifying problems through inference can be automated.  Once the criteria has been clearly defined, then the tasks that were once done by humans can be performed by simple programs.  Once the identification of problems is automated, then those results can be fed into response procedures.  Identifying problems through inference can be automated.  Once the criteria has been clearly defined, then the tasks that were once done by humans can be performed by simple programs.  Once the identification of problems is automated, then those results can be fed into response procedures.

18 Examples  Compare logs with blacklists, such as known- spyware or spam source IP lists  Examine traffic destined for non-populated subnets  Noise-floor analysis  TCP port usage  Compare logs with blacklists, such as known- spyware or spam source IP lists  Examine traffic destined for non-populated subnets  Noise-floor analysis  TCP port usage

19 Endless possibilities  We are constantly discovering new uses for network transaction logs

20 About our institution  4,820 employees (1,069 full-time faculty)  20,143 students (18,497 full-time students)  90+ Mbps Internet bandwidth (2 ISP’s)  6,000,000,000+ packets per day  3,000,000,000+ source packets  3,000,000,000+ destination packets  2,400+ GB per day (500+ DVD-ROMs)  727 source GB per day  1,675 destination GB per day  ~12 GB Argus log files generated per day, on average (0.6% of the total bytes represented)  4,820 employees (1,069 full-time faculty)  20,143 students (18,497 full-time students)  90+ Mbps Internet bandwidth (2 ISP’s)  6,000,000,000+ packets per day  3,000,000,000+ source packets  3,000,000,000+ destination packets  2,400+ GB per day (500+ DVD-ROMs)  727 source GB per day  1,675 destination GB per day  ~12 GB Argus log files generated per day, on average (0.6% of the total bytes represented)

21 References/Resources  RFC 2724, “RTFM: New Attributes for Traffic Flow Measurement.” (http://www.rfc- editor.org/rfc/rfc2724.txt)http://www.rfc- editor.org/rfc/rfc2724.txt  Argus: http://www.qosient.com/argus  RFC 2724, “RTFM: New Attributes for Traffic Flow Measurement.” (http://www.rfc- editor.org/rfc/rfc2724.txt)http://www.rfc- editor.org/rfc/rfc2724.txt  Argus: http://www.qosient.com/argus

Download ppt "Internet Traffic Analysis for Threat Detection Joshua Thomas, CISSP Thomas Conley, CISSP Ohio University Communication Network Services Joshua Thomas,"

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
CCNA – Network Fundamentals

CCNA – Network Fundamentals
Copyright © 2007 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 What can happen when you accelerate a flow twice?

Copyright © 2007 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 What can happen when you accelerate a flow twice?
Vitina, 13-14 March, 2008 1RURAL WINGS IP Network usage analysis WP7.3 Results of the usability tests and recommendations Patricia INIGO (Astrium)

Vitina, March, RURAL WINGS IP Network usage analysis WP7.3 Results of the usability tests and recommendations Patricia INIGO (Astrium)
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Monitoring a Large-Scale Network: Selecting the Right Tool Sayadur Rahman United International University & Network Manager, Financial Service.

Monitoring a Large-Scale Network: Selecting the Right Tool Sayadur Rahman United International University & Network Manager, Financial Service.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.

Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
COS 338 Day 16. 2 DAY 16 Agenda Capstone Proposals Overdue 3 accepted, 3 in mediation Capstone progress reports still overdue I forgot to mark in calendar.

COS 338 Day DAY 16 Agenda Capstone Proposals Overdue 3 accepted, 3 in mediation Capstone progress reports still overdue I forgot to mark in calendar.
Accounting Management IACT 918 April 2005 Glenn Bewsell/Gene Awyzio SITACS University of Wollongong.

Accounting Management IACT 918 April 2005 Glenn Bewsell/Gene Awyzio SITACS University of Wollongong.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Firewalls CS591 Topics in Internet Security November 15 1999 Steve Miskovitz, Steve Peckham, Kan Hayashi.

Firewalls CS591 Topics in Internet Security November Steve Miskovitz, Steve Peckham, Kan Hayashi.
Passive traffic measurement Capturing actual Internet packets in order to measure: –Packet sizes –Traffic volumes –Application utilisation –Resource utilisation.

Passive traffic measurement Capturing actual Internet packets in order to measure: –Packet sizes –Traffic volumes –Application utilisation –Resource utilisation.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
Design and Implementation of SIP-aware DDoS Attack Detection System.

Design and Implementation of SIP-aware DDoS Attack Detection System.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Similar presentations

Ads by Google