Example: Data Mining for the NBA - The University of Texas at Dallas


Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Network Forensics - II
October 29, 2008
Outline
• Network Attacks
• Security Measures
• Network Forensics and Tools
• Types of Networks
• Relationship to Social Network Analysis
• Special presentation
- http://www.apricot.net/apricot2007/presentation/tutorial/ryan-network-forensics-tut.pdf
Network Attacks
• Denial of service
Denial of service attacks cause the service or program to cease functioning or prevent others from making use of the service or program.
• These may be performed at the network layer by sending carefully crafted and malicious datagrams that cause network connections to fail.
• They may also be performed at the application layer, where carefully crafted application commands are given to a program that cause it to become extremely busy or stop functioning.
• Preventing suspicious network traffic from reaching hosts and preventing suspicious program commands and requests are the best ways of minimizing the risk of a denial of service attack.
• It is useful to know the details of the attack method, so you should educate yourself about each new attack as it gets publicized.
Network Attacks
• Spoofing
This type of attack causes a host or application to mimic the actions of another.
• Typically the attacker pretends to be an innocent host by forging IP addresses in network packets.
• For example, a well-documented exploit of the BSD rlogin service can use this method to mimic a TCP connection from another host by guessing TCP sequence numbers.
• To protect against this type of attack, verify the authenticity of datagrams and commands.
• Prevent datagram routing with invalid source addresses. Introduce unpredictability into connection control mechanisms, such as TCP sequence numbers and the allocation of dynamic port addresses.
Network Attacks
• Eavesdropping
This is the simplest type of attack.
• A host is configured to "listen" to and capture data not belonging to it. Carefully written eavesdropping programs can take usernames and passwords from user login network connections.
• Broadcast networks like Ethernet are especially vulnerable to this type of attack.
• To protect against this type of threat, avoid use of broadcast network technologies and enforce the use of data encryption.
• IP firewalling is very useful in preventing or reducing unauthorized access, network layer denial of service, and IP spoofing attacks.
• It is not very useful in avoiding exploitation of weaknesses in network services or programs, or in avoiding eavesdropping.
Network Security Mechanisms
• Network security starts from authenticating any user, most likely with a username and a password.
• Once authenticated, a stateful firewall enforces access policies such as what services are allowed to be accessed by the network users.
• Though effective to prevent unauthorized access, this component fails to check potentially harmful contents such as computer worms being transmitted over the network.
• An intrusion prevention system (IPS) helps detect and prevent such malware. An IPS also monitors network traffic for suspicious contents, volume and anomalies to protect the network from attacks such as denial of service.
• Communication between two hosts using the network could be encrypted to maintain privacy.
• Individual events occurring on the network could be tracked for audit purposes and for a later high level analysis.
Network Security Mechanisms
• Honeypots, essentially decoy network-accessible resources, could be deployed in a network as surveillance and early-warning tools.
• Techniques used by the attackers that attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques.
• Such analysis could be used to further tighten security of the actual network being protected by the honeypot.
• Some tools: Firewall, Antivirus software and Internet Security Software. For authentication, use strong passwords and change them on a bi-weekly/monthly basis. When using a wireless connection, use a robust password. Use a network analyzer to monitor and analyze the network.
Network Forensics Revisited
• Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity.
• A network forensics appliance is a device that automates this process.
• Wireless forensics is the process of capturing information that moves over a wireless network and trying to make sense of it in some kind of forensics capacity.
Network Forensics: Open Source Tools
• Open source tools
- Wireshark
- Kismet
- Snort
- OSSEC
- NetworkMiner is an open source Network Forensics Tool available at SourceForge.
- Xplico is an Internet/IP Traffic Decoder (NFAT). Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6
Network Forensics: NetworkMiner
• NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows.
• NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network.
• The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network.
• The main view is host centric (information grouped per host) rather than packet centric (information shown as a list of packets/frames).
Network Forensics: Commercial Tools
• Deep Analysis Tools (data mining based tools)
- E-Detective
- ManTech International Corporation
- Network Instruments
- NIKSUN's NetDetector
- PacketMotion
- Sandstorm's NetIntercept
- Mera Systems NetBeholder
- InfoWatch Traffic Monitor
Network Forensics: Commercial Tools
• Flow-Based Systems
- Arbor Networks
- GraniteEdge Networks
- Lancope http://www.lancope.com/
- Mazu Networks http://www.mazunetworks.com/
• Hybrid Systems
- These systems combine flow analysis, deep analysis, and security event monitoring and reporting.
- Q1 Labs http://www.q1labs.com/
Network Analysis
• Find analysis techniques developed for one type of network and apply them to another type of network
• Types of networks
- Computer and Communication Networks
- Telecommunication Network
- Transportation networks
  • Highways, Railroad, Air Traffic
- Human networks
  • Terror networks, Relationship networks
Social Network Analysis of 9/11 Terrorists
(www.orgnet.com)
Early in 2000, the CIA was informed of two terrorist suspects linked to al-Qaeda. Nawaf Alhazmi and Khalid Almihdhar were photographed attending a meeting of known terrorists in Malaysia. After the meeting they returned to Los Angeles, where they had already set up residence in late 1999.
Social Network Analysis of 9/11 Terrorists
What do you do with these suspects? Arrest or deport them immediately? No, we need to use them to discover more of the al-Qaeda network. Once suspects have been discovered, we can use their daily activities to uncloak their network. Just like they used our technology against us, we can use their planning process against them. Watch them, and listen to their conversations to see...
• who they call / email
• who visits with them locally and in other cities
• where their money comes from
The structure of their extended network begins to emerge as data is discovered via surveillance.
Social Network Analysis of 9/11 Terrorists
A suspect being monitored may have many contacts -- both accidental and intentional. We
must always be wary of 'guilt by association'. Accidental contacts, like the mail delivery
person, the grocery store clerk, and neighbor may not be viewed with investigative interest.
Intentional contacts are like the late afternoon visitor, whose car license plate is traced back to
a rental company at the airport, where we discover he arrived from Toronto (got to notify the
Canadians) and his name matches a cell phone number (with a Buffalo, NY area code) that our
suspect calls regularly. This intentional contact is added to our map and we start tracking his
interactions -- where do they lead? As data comes in, a picture of the terrorist organization
slowly comes into focus.
How do investigators know whether they are on to something big? Often they don't. Yet in this
case there was another strong clue that Alhazmi and Almihdhar were up to no good -- the
attack on the USS Cole in October of 2000. One of the chief suspects in the Cole bombing
[Khallad] was also present [along with Alhazmi and Almihdhar] at the terrorist meeting in
Malaysia in January 2000.
Once we have their direct links, the next step is to find their indirect ties -- the 'connections of
their connections'. Discovering the nodes and links within two steps of the suspects usually
starts to reveal much about their network. Key individuals in the local network begin to stand
out. In viewing the network map in Figure 2, most of us will focus on Mohammed Atta because
we now know his history. The investigator uncloaking this network would not be aware of
Atta's eventual importance. At this point he is just another node to be investigated.
Figure 2 shows the two suspects and
Social Network Analysis of 9/11 Terrorists (network map slides, Figure 2)
We now have enough data for two key conclusions:
• All 19 hijackers were within 2 steps of the two original suspects uncovered in 2000!
• Social network metrics reveal Mohammed Atta emerging as the local leader
With hindsight, we have now mapped enough of the 9-11 conspiracy to stop it. Again, the investigators are never sure they have uncovered enough information while they are in the process of uncloaking the covert organization. They also have to contend with superfluous data. This data was gathered after the event, so the investigators knew exactly what to look for. Before an event it is not so easy.
As the network structure emerges, a key dynamic that needs to be closely monitored is the activity within the network. Network activity spikes when a planned event approaches. Is there an increase of flow across known links? Are new links rapidly emerging between known nodes? Are money flows suddenly going in the opposite direction? When activity reaches a certain pattern and threshold, it is time to stop monitoring the network, and time to start removing nodes.
The author argues that this bottom-up approach of uncloaking a network is more effective
than a top down search for the terrorist needle in the public haystack -- and it is less
invasive of the general population, resulting in far fewer "false positives".
Social Network Analysis of Steroid Usage in Baseball
(www.orgnet.com)
When the Mitchell Report on steroid use in Major League Baseball [MLB], was published, people were
surprised at who and how many players were mentioned. The diagram below shows a human network created
from data found in the Mitchell Report. Baseball players are shown as green nodes. Those who were found to
be providers of steroids and other illegal performance enhancing substances appear as red nodes. The links
reveal the flow of chemicals -- from provider to player.
Applying to Network Forensics
• Start with infected machines
• Then follow the chain to other machines
• Visualization techniques for the network of affected machines
• Iowa State University Prototype is an example
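As an added example (not from these slides, orgnet.com, or the Iowa State prototype), the two-step uncloaking and leader-ranking described above applied to the infected-machine scenario of the last slide: a breadth-first search from seed hosts over constructed connection records, followed by degree centrality within the uncovered subnetwork. All hostnames and flows are invented for the example.

```python
from collections import deque, defaultdict

# Constructed sample connection records (src, dst), as one would distil
# from flow or firewall logs; every hostname here is invented.
FLOWS = [
    ("ws-07", "ws-12"), ("ws-07", "file-srv"), ("ws-12", "file-srv"),
    ("ws-12", "ws-21"), ("file-srv", "ws-03"), ("file-srv", "ws-21"),
    ("ws-21", "ws-33"), ("ws-33", "ws-40"), ("dc-01", "file-srv"),
    ("printer", "ws-12"),
]

def build_graph(flows):
    """Undirected adjacency map: a link means the two hosts talked."""
    adj = defaultdict(set)
    for a, b in flows:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def within_steps(adj, seeds, max_steps=2):
    """BFS from the seed (infected/suspect) hosts -> {host: hop distance}."""
    dist = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        host = queue.popleft()
        if dist[host] == max_steps:
            continue                      # boundary reached, do not expand
        for nxt in adj.get(host, ()):
            if nxt not in dist:
                dist[nxt] = dist[host] + 1
                queue.append(nxt)
    return dist

def degree_ranking(adj, hosts):
    """Degree centrality inside the uncovered subnetwork; top = pivot host."""
    sub = set(hosts)
    deg = {h: len(adj.get(h, set()) & sub) for h in sub}
    return sorted(deg.items(), key=lambda kv: (-kv[1], kv[0]))

def uncloak(flows, seeds, max_steps=2):
    adj = build_graph(flows)
    reach = within_steps(adj, seeds, max_steps)
    return reach, degree_ranking(adj, reach)

if __name__ == "__main__":
    reach, ranking = uncloak(FLOWS, ["ws-07"])
    for host, hops in sorted(reach.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{host:10s} {hops} hop(s) from the seed")
    print("most connected:", ranking[0])
```

Hosts beyond the chosen hop limit (here ws-33 and ws-40) stay out of the map, which is the "guilt by association" control the text warns about; raising max_steps widens the search.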