Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

DMnet - CERT

DMnet: Detection Mitigation
Network
A Behavioral Analysis System Supporting
Trust Measurements
Owen McCusker, Scott Brunza,
Sonalysts, Inc.
{mccusker,brunza}@sonalysts.com
Dr. Carrie Gates,
CA Labs
carrie.gates@ca.com
Joel Glanfield, Diana Paterson,
Dalhousie U.
An
{joelglanfield, paterson}@cs.dal.ca
Approach
To an
ADAPTIVE
DISTRIBUTED
DYNAMIC
Threat
SBIR DATA RIGHTS Contract No.: NBCHC070124
Contractor Name: Sonalysts, Inc.
Contractor Address: 215 Parkway N., Waterford, CT. 06815
Expiration of SBIR Data Rights Period: 14 Jan 2011
The Government's rights to use, modify, reproduce, release, perform, display, or disclose technical data or computer software marked with this
legend are restricted during the period shown as provided in paragraph (b)(4) of the Rights in Noncommercial Technical Data and Computer
Software--Small Business Innovative Research (SBIR) Program clause contained in the above identified contract. No restrictions apply after the
expiration date shown above. Any reproduction of technical data, computer software, or portions thereof marked with this legend must also
reproduce the markings
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
Agenda
• 
• 
• 
• 
The Need
Behavior-based Classification
Trust Derived from Behavior
Where We are Today
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
The Need
•  The cyber threat is distributed, dynamic, and multi-scale in
time
–  IDS technology is focused on “single source”
solutions, “single time-scales”.
–  Threats are buried in the noise of everyday traffic
–  Cyber defense technologies adapt mostly through the
use of signatures (exception: Anomaly Detection)
•  We need enabling technologies that facilitate the creation
of adaptive and open distributed defense technologies
•  Our Contribution:
–  Creation of an aggregated behavioral feature space
–  Separation of trust from behavior aggregation
–  Initial use of ontology to map behavior to threat
–  Share behaviors between COIs to break through
privacy barriers
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
Approach: DMnet Architecture
SiLK
Sensor
Pcap
Sensor
Snort
Sensor
Honeytrap
Sensor
Sensor, Events and
Contacts Repository
Data Fusion
Functions
Ground Truth
Data Mining
Sensor and Events Data
Other DMNet Nodes Threat
Discovery
Behavioral
Analysis
Functions
Operator
Analysis
Behavioral Feature
Space
Classification
Correlation
Known Profiles
(Threat and Non-Threat)
Classification Functions
Threat Non‐Threat Unknown Anomalous Actionable Information
Current Work
Threat
Mitigation
Risk
Assessment
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
Asset
Management
Future Work
Behavior-based Classification
•  Ingest events and data from multiple sensor types
–  Architecture supports different sensor types
–  Currently using SiLK
•  Derive features from capture events and data
–  Create a rich feature space used for behavioral
analysis
–  Leverage primitive features during analysis
•  Identify Behaviors
–  The Goal is to create a behavioral language used to
describe and identify cyber threats
–  Based on analyzing feature space using different ntuple sets.
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
Behavior-based Classification
•  Threats are detected by the identification of multiple
behavioral patterns
–  Has an “analog” to OCR and voice recognition
•  Threat behavior can be characterized / detected using
adaptive heuristics.
–  Success despite primitive state of current rule set.
–  Architecture will support concurrent use of more
complex and adaptive heuristics.
•  Analysis can be enhanced by:
–  Increased Community of Interest size (number of
correlated network sensors),
•  Automation necessary to improve / expand analysis.
–  There is a need for a common behavioral Ontology
•  Application of “Hyperplaning” for Botnet Detection
–  University of Connecticut
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
Approach: Multiple Views of Feature Space
Behavior Are Used to Identify Possible
Threats
Host exhibiting normal behavior
Host exhibiting threat behavior
Threat Behavior Hot Spots
Raw Sensor Data
Normal Behavior Regions
Behavioral
Analysis
Threat
Host behavior
in cluster
Feature Space of
Network Behaviors
Views into Feature Space
Network Behavior
Host Cluster
View 1 - Classifier
View 2 - Classifier
View N - Classifier
Threat behavior
In cluster
Threat
Correlator 1
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
Normal
Host behavior
in cluster
Benefit: Weak Signal Cyber Detection (Threat signals stand out of the Noise)
CN Data Exfiltration Case Post-Event Comparison of Selected Host
US – blue
CN – orange
Non-US, non-CN - red
AOL Hosts
Pings hitting firewall
from around globe.
Panther Express
included.
AltaVista Hosts
Single NTP Host
Hosts NAT’d through
firewall
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
POP3 activity
Single CN host doing
data exfiltration
CN enumeration hosts
SiLK Data Transfers
From remote site. rwsend,
rwrecieve.
AOL Hosts
POP3 activity
Single NTP server
changing behavior
over month
Single CN
host doing
data
exfiltration
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
Differentiator: Adding in another visual dimension
(source/sink) to separate out host behaviors
October (ingested 5 days)
Total Contacts:
251K
Red is source, Black is Sink
DHT Protocol
0
1e+02
1e+03
1e+04
Average bytes per flow
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
1e+05
1 
10
100
1000
Outgoing Request
flows, 131 bytes
Average packets per
flow
Incoming Response
flows, 305 bytes
Differentiator: Adding in another visual dimension (byte variance) to separate out
host behaviors
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
Benefit: Normal Behaviors Repeat over Time,
DNS behavior region
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
Benefit: Normal Behaviors Repeat over Time,
DNS behavior region
Thousands of host exhibiting DNS activity
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
Benefit: Threat Anticipation
Regional Byte Variance Over
Time
Byte Variance Associated With Flows
January 2009 (RU)
RU
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
Unexplained / suspect
behavior originating from
two different regions at the
same time.
Byte Variance Associated With Flows
January 2009 (IN)
IN
Benefit: Consistent Behaviors within
features space views
Major port 445
Behavioral line
Mix of enumerations
Including port 445
Port 445
enumerations
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
SQL Slammer (1434) - Byte per packet mean 404
These hosts send 403 to 404 rations
Number of hosts is 1040, Mostly from CN
Trust Derived from Behavior
•  Trust is subjective driven by the security policies of the
institution
–  Host network behaviors are objective
•  Trust is too difficult to share without a common
understanding of risk
•  The overall trust of a host is a weighted sum of all trust
behaviors
–  Each measured behavior is given a value of trust
•  The change in behaviors can be used as a measure in
trust
–  Use of multiple protocols, compared to single
protocol
–  High variance in byte usage
–  High variance in entropy of payload
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
Where are we Today?
•  ITT – 3rd Party evaluation
–  Web-base interface, CLI tool
–  Identified threats using a simplified set of heuristics
–  Solid system, more work needed false positives/negatives
•  Researching the application of Biological Immune System (BIS)
concepts to system
–  Self, Non-self concepts combined with Computational Trust
•  Created a commercial service for network analysis
–  Behavioral Analysis leading to Situational Awareness
•  HPC based architecture
–  Created a small cluster of nodes using OpenMPI to test scaling
our system
•  High Bandwidth
–  Just starting integrating and Endace DAG for network capture
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
Approach: Test Bed
Sonalysts, Inc.
Newport, RI
• 
Using:
–  Networked sensors leveraged across
a trusted community of interest,
–  Host-centric behavioral aggregation
–  Multiple data fusion and mining
methodologies, and
–  Concurrent classification and
correlation algorithms.
• 
• 
Sonalysts, Inc.
Waterford, CT
Test Bed
Community of
Interest
Sonalysts, Inc.
San Diego, CA
To:
–  Connect the dots over long time
periods (e.g. months).
–  Detect and characterize threat
behavior in near real time.
–  Perform weak signal cyber detection.
Sharing just behaviors minimizes impact
of user data privacy
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
Today:
•  Monitor incoming & outgoing traffic outside the perimeter.
•  ~400,000 host contacts / month.
•  Characterize host behavior and look for changes over
time that suggest threat behavior.
•  72 basic characteristics extracted and synthesized.
•  Correlate with country of origin.
DMnet – RD2 Prototype
Prototype Evaluation
•  Processed 6 months of data
on site in 4 days
–  30 times real time for
Sonalysts
–  Improved performance from
last year
•  TODO:
–  Integrate behavioral learning
–  Integrate classifiers and
correlators
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
Benefit: Successful Detection of Data Exfiltration to
a Sophisticated “CN Host” via Company Laptop
Monthly, we conduct semiautomated regional analysis
of outgoing network flow.
•  Analysis script looks at
all incoming and outgoing
data to community of
interest.
•  Heuristics set used to
parse data into manageable
subsets.
– 
Based on location, port
usage, direction, port pair
bandwidth utilization, IP
address bandwidth usage,
client-server behavior,
protocol analysis.
•  Manually review subsets
looking for anomalies
– 
Trend analysis of past
reports.
•  Detected 408 outgoing
flows to CN via Port 9000
(out of > 6.5M flows).
•  All CN outgoing flows
occurred on 1/29 between
0900 and 1730.
•  CN flow byte/packet ratio
and frequency of outflow
had low variation.
•  Flagged, but on visitor
network – unable to
pinpoint host.
January
‘09
•  Port 9000 flows
increased.
•  Followed by twoway UDP traffic.
•  CN outflow from
multiple locations,
including inside
Community
firewalls.
•  Analysis points to
single mobile host
(laptop) or
multiple desktops.
•  IT Dept screened
suspect behavior
inside firewall.
•  Correlated
activity between
two geographic
locations to
isolate IP
address.
•  Identified /
isolated laptop.
•  Reported to
NCIS.
February
‘09
CN exfiltration was not and likely could not have been
detected by existing firewall technology.
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
March
‘09
Thank you!
Owen McCusker, Scott Brunza,
Sonalysts, Inc.
{mccusker,brunza}@sonalysts.com
Dr. Carrie Gates,
CA Labs
carrie.gates@ca.com
Joel Glanfield, Diana Paterson,
Dalhousie U.
{joelglanfield, paterson}@cs.dal.ca
COPYRIGHT 2009 SONALYSTS, INC ALL RIGHTS RESERVED
Related documents
Reasons for Reporting an Incident
Reasons for Reporting an Incident
ex_buisness_expansion
ex_buisness_expansion
1984 Anticipation Guide
1984 Anticipation Guide
Apocalypse Assignment
Apocalypse Assignment
Kinsey Preschool Classroom Management Plan
Kinsey Preschool Classroom Management Plan
Download