Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Nfsight: Netflow-based Network Awareness

advertisement 
Nfsight: Netflow-based Network Awareness
Michel Cukier (with R. Berthier (UIUC), M. Hiltunen (AT&T),
D. Kormann (AT&T), and G. Vesonder (AT&T))
Architecture
Goals
• 
Gaining situational awareness on
large networks:
– 
– 
• 
Dr. Cukier’s Research
What servers are deployed?
Are there rogue services?
• 
• 
Organization
Network
Routers
Visualizing network traffic at
various granularities
Automated Alerts,
Collaboration Features
Operator
• 
– 
– 
– 
Visualize, Filter,
Drill-down
Nfsen/Nfdump Framework
• 
Contributions
• 
Unidirectional
Flows
– 
• 
MySQL
PHP/AJAX
Bidirectional
Flows
(Netflows paired-up by
IP/port)
Features and Formula Used
Output
Heuristic 0
Timestamp of request <
Timestamp of reply
[0, 1]
IP Address
Proto.
Port
Type
Bayesian
Probability
Heuristic 1
Src port > Dst port
{0, 0.5, 1}
10.0.123.1
TCP
22
Server
98%
Heuristic 2
Src port > 1024 > Dst port
{0, 0.5, 1}
80
Server
92%
25
Server
97%
143
Server
98%
80
Client
75%
443
Client
87%
TCP
6667
Server
95%
UDP
22456
Client
62%
Heuristic 3
Port in /etc/services
{0, 0.5, 1}
Heuristic 4
# ports related
[0, 1]
Heuristic 5
# IP related
[0, 1]
Heuristic 6
# Tuples related
[0, 1]
Anomaly detection and
automated alerts
Nfsight enables operators to
write anomaly detection
signatures and be alerted by
email
Signatures are based on data
fields from graphlet structures
stored for each IP
Detect TCP Scanning
Behavior
Protocol == TCP AND unique_dst_IP > 100
AND #failed_connections > 80
• 
PI of NSF REU Site on computer security
(collaboration with Women in Engineering)
Funded by NSF, DARPA, AT&T, Raytheon
Heuristic ID
10.0.123.8
Decisions combined
with Bayesian infer.
192.168.1.34
192.168.4.56
TCP
TCP
Visualization Front-end
Filter and Selection Form
Intrusion Detection
• 
Nfsight
Front-end
Profiling attacker behavior following SSH compromises
Analyzing Intrusion Prevention System Event Data
Honeypot Architecture for Network Threats Quantification
Client/Server Detection
Heuristics and Bayesian inference
are used to generate bidirectional
flows from Netflow
Back-end as plugin for Nfsen/
Nfdump
Web-based front-end developed in
PHP and Javascript
Bidirectional
Flows
Service and
Intrusion
Detection
Perl Scripts
Lightweight and easy to deploy
– 
• 
Nfsight
Back-end
Netflow-based client/server
detection
– 
• 
Netflow
Collector
Goal: quantification of computer security
Empirical studies using all security related data
collected on the UMD network
Research projects examples:
Top 20 Scanned Services:
End Points
Metrics
Network Activity (Timeseries + Heatmap)
Detection of Scanning Activity:
Related documents
DEFINING AND EXPLORING VIRTUAL REALITY: A BURKEIAN AND HEURISTIC ANALYSIS ABSTRACT ONLY
DEFINING AND EXPLORING VIRTUAL REALITY: A BURKEIAN AND HEURISTIC ANALYSIS ABSTRACT ONLY
Fall Final Study Guide - TJ
Fall Final Study Guide - TJ
Apollo 13 DVD Review..
Apollo 13 DVD Review..
6.3.3.4 Worksheet - Protocol Definitions and Default Ports IT Essentials 5.0
6.3.3.4 Worksheet - Protocol Definitions and Default Ports IT Essentials 5.0
Pseudocode AStar - E-Learning | STMIK AMIKOM Yogyakarta
Pseudocode AStar - E-Learning | STMIK AMIKOM Yogyakarta
1 2
1 2
Limitations of Front-to-End Bidirectional Heuristic Search
Limitations of Front-to-End Bidirectional Heuristic Search
Download
advertisement