NetSEC: metrology-based application for network security

Jean-François SCARIOT
Bernard MARTINET
Centre Interuniversitaire de Calcul de Grenoble
TNC 2002, June 2002

Plan

Metrology
- Why, what & how?
- Analyze
NetSEC
- Goals
- Architecture
- Available tools
Conclusion

Why measure?

- To know network usage
- To know network availability
- To detect dysfunction
- To do cost sharing
- Also… to improve security

What and how to measure?

- Qualitative: knowing your network
  - I/O traffic load, CPU load, collisions…
  - Watch the counters of the equipment
- Quantitative: controlling your network
  - Traffic type, I/O traffic load per host or group…
  - Extract information from frame analysis

Measurement for supervision

- Daily supervision (15 minutes is enough)
- Curves or bar graphs
- Always the same "look"

"To control and manage a network, you must visualize its behaviour"

Highlighting a problem

[Traffic graph: a "normal" day, Monday 2 April 2001]
[Traffic graph: maybe some problems, Monday 9 April 2001]

Highlighting a problem

Unfortunately, problem discovery is a posteriori: we have to go back and analyze the traffic of the period involved.

Traffic analysis

- Locate the host(s)
- Date, addresses, intrusion method, extent of the damage…

How?

- By cross-checking
- By sorting metrology data on several parameters
  - Powerful sorting tools are needed!

NetSEC goals

- To have evolving software
- To analyze "well-known" data
  - NetMET
  - IPtrafic
- To support open standards
- To improve the security of networked computers

NetSEC foundations

- Using a relational database
- A simple network description
- A modular architecture
- Using open source software

Open source software

- Linux system (Red Hat)
- MySQL database
- Apache web server
- Java

About the database

- JDBC database access
- Basic SQL queries
- One loader per collector

DB structure

- One table per day of data
  - src & dst address
  - Date
  - Port & protocol
  - Volume
- One table for the network description

Network description

- A network: 192.168.10.11/24
- An entity: CICG
- An organism: University Joseph Fourier
- A location: Campus of Grenoble

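The two kinds of table above (one traffic table per day, one network description table) together with the cross-checks of the traffic analysis slide, as an added example that is not NetSEC's own loader or schema: it is written in Python over SQLite rather than Java over MySQL, and the collector record layout, the column names, the `traffic_YYYY_MM_DD` table naming, the 192.168.10.0/24 prefix for CICG and the sample records are all assumptions constructed for the example.

```python
"""Added example (not NetSEC code): per-day traffic tables, a network
description table, one loader, and the cross-check queries used to locate a
host. Record format, column names and the CICG prefix are assumptions."""
import ipaddress
import re
import sqlite3

# Constructed sample of collector output (assumed layout):
# date src dst proto port bytes
SAMPLE_COLLECTOR_OUTPUT = """\
2001-04-09 192.168.10.11 10.0.0.5 tcp 22 1200
2001-04-09 192.168.10.11 10.0.0.6 tcp 22 900
2001-04-09 192.168.10.11 10.0.0.7 tcp 22 1500
2001-04-09 192.168.10.11 10.0.0.8 tcp 22 800
2001-04-09 192.168.10.12 10.0.0.9 tcp 80 350000
2001-04-09 10.0.0.5 192.168.10.11 udp 53 120
"""

# Network description rows: entity, prefix, organism, location.
# Names are the slide's; the /24 prefix for CICG is an assumption.
NETWORK_DESCRIPTION = [
    ("CICG", "192.168.10.0/24", "University Joseph Fourier", "Campus of Grenoble"),
    ("EXTERNAL", "10.0.0.0/8", "n/a", "n/a"),
]


def day_table(date):
    """One table per day. A table name cannot be a bound SQL parameter, so the
    date is validated strictly before it becomes part of an identifier."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", date):
        raise ValueError(f"bad date: {date!r}")
    return "traffic_" + date.replace("-", "_")


def ensure_day_table(conn, date):
    conn.execute(
        f"CREATE TABLE IF NOT EXISTS {day_table(date)} ("
        "src TEXT, dst TEXT, date TEXT, proto TEXT, port INTEGER, volume INTEGER)"
    )


def create_network_table(conn):
    conn.execute(
        "CREATE TABLE IF NOT EXISTS network "
        "(entity TEXT, prefix TEXT, organism TEXT, location TEXT)"
    )
    conn.executemany("INSERT INTO network VALUES (?, ?, ?, ?)", NETWORK_DESCRIPTION)


def load_collector(conn, text):
    """The loader for this collector format: parse, sanity-check, insert.
    Returns the number of rows loaded."""
    rows = 0
    for line in text.splitlines():
        date, src, dst, proto, port, volume = line.split()
        ipaddress.ip_address(src)  # raises ValueError on junk from the wire
        ipaddress.ip_address(dst)
        ensure_day_table(conn, date)
        conn.execute(
            f"INSERT INTO {day_table(date)} VALUES (?, ?, ?, ?, ?, ?)",
            (src, dst, date, proto, int(port), int(volume)),
        )
        rows += 1
    conn.commit()
    return rows


def top_talkers(conn, date, limit=3):
    """Cross-check 1: sort by volume per source host."""
    return conn.execute(
        f"SELECT src, SUM(volume) AS v FROM {day_table(date)} "
        "GROUP BY src ORDER BY v DESC LIMIT ?",
        (limit,),
    ).fetchall()


def fan_out(conn, date, port):
    """Cross-check 2: hosts talking to many distinct destinations on one port,
    the usual signature of a scan or a worm."""
    return conn.execute(
        f"SELECT src, COUNT(DISTINCT dst) AS n FROM {day_table(date)} "
        "WHERE port = ? GROUP BY src ORDER BY n DESC",
        (port,),
    ).fetchall()


def entity_of(conn, ip):
    """Map an address to its entity through the network description table."""
    addr = ipaddress.ip_address(ip)
    for entity, prefix in conn.execute("SELECT entity, prefix FROM network"):
        if addr in ipaddress.ip_network(prefix):
            return entity
    return None


def build_demo():
    conn = sqlite3.connect(":memory:")
    create_network_table(conn)
    load_collector(conn, SAMPLE_COLLECTOR_OUTPUT)
    return conn


if __name__ == "__main__":
    db = build_demo()
    print("top talkers:", top_talkers(db, "2001-04-09"))
    print("fan-out on port 22:", fan_out(db, "2001-04-09", 22))
    print("entity of 192.168.10.11:", entity_of(db, "192.168.10.11"))
```

The one-table-per-day layout means the date selects a table name, and a table name cannot be bound as a query parameter; validating the date before it is spliced into the identifier is what keeps the query module safe when the date later comes from a web form.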
Available tools

- A data query module
- A graphic generator module
- A data mining module

Architecture

[Architecture diagram] The loader and the three processing engines all work through the database:
- Collector -> collected data -> Loader -> DB
- Query process: HTML requests -> Query Engine -> SQL requests -> DB
- Graphic generation process: Graphic Generator Engine -> SQL requests -> DB
- KDD process: Knowledge Discovery Database Engine -> SQL requests -> DB; produces alarms and reports
- The network description is stored in the DB alongside the collected data

The query tool

- To use the power of SQL
  - Sort
  - Query
  - Extract
- Querying data with a friendly interface

Web interface (Question)

[Screenshot: the query form]

How does it work?

- Parameter processing
- JDBC driver loading & connection
- Building and executing the SQL query
- Displaying the results

Web interface (Answer)

[Screenshot: the query results]

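The four steps of the query tool, as an added example that is not NetSEC's Java/JDBC code: the same flow in Python over SQLite, with the parameter processing step doing the work that protects the SQL step. The form field names, the whitelists, the `traffic_YYYY_MM_DD` table naming and the sample rows are assumptions made for the example.

```python
"""Added example (not NetSEC code): the query module's four steps, written
so that nothing from the web form can change the shape of the SQL."""
import html
import re
import sqlite3

ALLOWED_FILTERS = ("src", "dst", "proto", "port")   # assumed form fields
ALLOWED_SORT = ("volume", "src", "dst", "port")     # assumed sortable columns


def process_parameters(form):
    """Step 1: identifiers are checked against whitelists, values are typed."""
    date = form.get("date", "")
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", date):
        raise ValueError("date must be YYYY-MM-DD")
    filters = {k: form[k] for k in ALLOWED_FILTERS if form.get(k)}
    if "port" in filters:
        filters["port"] = int(filters["port"])
    sort = form.get("sort", "volume")
    if sort not in ALLOWED_SORT:
        raise ValueError("unknown sort column")
    limit = int(form.get("limit", "50"))
    if not 1 <= limit <= 1000:
        raise ValueError("limit out of range")
    return date, filters, sort, limit


def connect(path=":memory:"):
    """Step 2: driver loading and connection (JDBC in the original)."""
    return sqlite3.connect(path)


def build_query(date, filters, sort, limit):
    """Step 3: only whitelisted identifiers are spliced into the text; every
    value is bound, so "x' OR '1'='1" stays a value and matches nothing."""
    table = "traffic_" + date.replace("-", "_")
    sql = f"SELECT src, dst, port, proto, volume FROM {table}"
    keys = sorted(filters)
    if keys:
        sql += " WHERE " + " AND ".join(f"{k} = ?" for k in keys)
    sql += f" ORDER BY {sort} DESC LIMIT ?"
    return sql, [filters[k] for k in keys] + [limit]


def run_query(conn, form):
    date, filters, sort, limit = process_parameters(form)
    sql, params = build_query(date, filters, sort, limit)
    return conn.execute(sql, params).fetchall()


def render_html(rows):
    """Step 4: the rows hold data taken from the wire and the user's own
    filter values, so escape them before they become markup."""
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(c))}</td>" for c in row) + "</tr>"
        for row in rows
    )
    return f"<table>{body}</table>"


def demo_conn():
    """Constructed data for one day, in the shape of a NetSEC per-day table."""
    conn = connect()
    conn.execute(
        "CREATE TABLE traffic_2001_04_09 "
        "(src TEXT, dst TEXT, date TEXT, proto TEXT, port INTEGER, volume INTEGER)"
    )
    conn.executemany(
        "INSERT INTO traffic_2001_04_09 VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("192.168.10.11", "10.0.0.5", "2001-04-09", "tcp", 22, 1200),
            ("192.168.10.12", "10.0.0.9", "2001-04-09", "tcp", 80, 350000),
            ("10.0.0.5", "192.168.10.11", "2001-04-09", "udp", 53, 120),
        ],
    )
    return conn


if __name__ == "__main__":
    db = demo_conn()
    print(render_html(run_query(db, {"date": "2001-04-09", "port": "22"})))
```

The date and the sort column are the two inputs that have to become SQL identifiers, which is why they are validated by pattern and whitelist rather than bound; everything else goes through the driver as a parameter.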
Graphic generation

- A zoom on a network on demand
- Supervision of given services

Graphic generation: HTTP

[Graph: HTTP traffic of the supervised network]

Functioning

- The database system provides the data
- The database is queried with SQL
- The results are returned to MRTG for display
- MRTG builds the graphics

Graphic generation: SSH

[Graph: SSH traffic of the supervised network]

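The "Functioning" steps above (query the database, hand the result to MRTG, let MRTG draw), as an added example that is not NetSEC's graphic generator: MRTG can run an external program as a Target and reads four lines from it (value in, value out, uptime, target name), so the generator reduces to a script that answers that call for one service. The local prefix standing for the CICG entity, the `traffic_YYYY_MM_DD` naming, the script name and the sample rows are assumptions.

```python
"""Added example (not NetSEC code): feed MRTG from a per-day traffic table.
MRTG's external-Target format is real; the schema, the local prefix and
the constructed rows are assumptions."""
import re
import sqlite3
import sys

LOCAL_PREFIX = "192.168.10."  # assumed: the CICG entity of the slides


def day_table(date):
    # The date becomes an identifier, so it is validated, not bound.
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", date):
        raise ValueError("bad date")
    return "traffic_" + date.replace("-", "_")


def service_counters(conn, date, port):
    """Bytes into and out of the local entity on one port for the day so far.
    These are running totals: MRTG treats Target values as counters and graphs
    the difference between two polls."""
    table = day_table(date)
    (incoming,) = conn.execute(
        f"SELECT COALESCE(SUM(volume), 0) FROM {table} WHERE port = ? AND dst LIKE ?",
        (port, LOCAL_PREFIX + "%"),
    ).fetchone()
    (outgoing,) = conn.execute(
        f"SELECT COALESCE(SUM(volume), 0) FROM {table} WHERE port = ? AND src LIKE ?",
        (port, LOCAL_PREFIX + "%"),
    ).fetchone()
    return incoming, outgoing


def mrtg_output(incoming, outgoing, name):
    """The four lines MRTG reads from an external Target program:
    in, out, uptime (free text), target name."""
    return f"{incoming}\n{outgoing}\nn/a\n{name}\n"


def demo_conn():
    """Constructed data; NetSEC's database would be MySQL reached over JDBC."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE traffic_2001_04_09 "
        "(src TEXT, dst TEXT, date TEXT, proto TEXT, port INTEGER, volume INTEGER)"
    )
    conn.executemany(
        "INSERT INTO traffic_2001_04_09 VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("192.168.10.11", "10.0.0.5", "2001-04-09", "tcp", 22, 1200),
            ("10.0.0.5", "192.168.10.11", "2001-04-09", "tcp", 22, 300),
            ("192.168.10.12", "10.0.0.9", "2001-04-09", "tcp", 80, 350000),
        ],
    )
    return conn


if __name__ == "__main__":
    # usage: netsec_mrtg.py PORT NAME [YYYY-MM-DD]   (hypothetical script name;
    # the demo only holds data for 2001-04-09)
    port, name = int(sys.argv[1]), sys.argv[2]
    date = sys.argv[3] if len(sys.argv) > 3 else "2001-04-09"
    inbound, outbound = service_counters(demo_conn(), date, port)
    sys.stdout.write(mrtg_output(inbound, outbound, name))
```

In mrtg.cfg the service is then a Target whose value is the script's output, e.g. `Target[ssh]: `python3 netsec_mrtg.py 22 SSH`` with the mandatory `MaxBytes[ssh]: 12500000`. Because the per-day table starts from zero at midnight, the running total decreases once a day, which MRTG reads as a counter wrap; for daily tables it is simpler to return the increment since the previous poll and declare `Options[ssh]: gauge`.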
Data mining

- Produce unknown information
  - non-trivial
  - useful
- Produce association rules
  - A and B => C

Association rules process

[Diagram] Database -> data selection -> set of transactions -> large itemset search -> large itemsets -> association rule generation -> association rules -> explanation -> knowledge

Example: corn flakes and sugar => milk

Association rule example

"]14h-19h]" AND "SCAN/REGULAR_SERV" AND "[0-1KB]" AND 53 => "TUESDAY"
(14.8%, 90.4%)

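The data mining process of the two slides above, as an added example that is not NetSEC's KDD engine: flow records are discretized into items of the kind the rule uses (hour range, service class, volume range, port, weekday), the large itemsets are found levelwise in the Apriori manner, and rules are generated with the usual support and confidence measures. The slide's "(14.8%, 90.4%)" is read here as (support, confidence), the common convention, which is an assumption; the bucket boundaries, the REGULAR_SERV port list and the sample records are constructed for the example.

```python
"""Added example (not NetSEC code): association rules over discretized flow
records. Buckets, service list and records are assumptions."""
from collections import Counter
from datetime import datetime
from itertools import combinations

REGULAR_PORTS = {22, 25, 53, 80, 443}  # assumed service list

# Constructed records: (timestamp, port, bytes). 2001-04-09 was a Monday.
RECORDS = (
    [(datetime(2001, 4, 10, 15, m), 53, 200) for m in range(6)]      # Tue, DNS
    + [(datetime(2001, 4, 12, 15, 0), 53, 200)]                      # Thu, DNS
    + [(datetime(2001, 4, 10, 10, m), 80, 50000) for m in range(3)]  # Tue, HTTP
    + [(datetime(2001, 4, 9, 16, m), 22, 500) for m in range(2)]     # Mon, SSH
)


def discretize(ts, port, volume):
    """One transaction = the set of categorical items describing a flow."""
    h = ts.hour
    hour = "]0h-8h]" if h < 8 else "]8h-14h]" if h < 14 else "]14h-19h]" if h < 19 else "]19h-24h]"
    vol = "[0-1KB]" if volume < 1024 else "]1KB-1MB]" if volume < 2**20 else "]1MB-...]"
    service = "REGULAR_SERV" if port in REGULAR_PORTS else "UNKNOWN_SERV"
    return frozenset({hour, service, vol, str(port), ts.strftime("%A").upper()})


def large_itemsets(transactions, min_support):
    """Levelwise search: a k-itemset is a candidate only if every one of its
    (k-1)-subsets is already large (support is anti-monotone)."""
    n = len(transactions)
    support = {}
    level = sorted({frozenset([i]) for t in transactions for i in t}, key=sorted)
    k = 1
    while level:
        counts = Counter(c for t in transactions for c in level if c <= t)
        large = {c: cnt / n for c, cnt in counts.items() if cnt / n >= min_support}
        support.update(large)
        candidates = set()
        for a, b in combinations(sorted(large, key=sorted), 2):
            u = a | b
            if len(u) == k + 1 and all(frozenset(s) in large for s in combinations(u, k)):
                candidates.add(u)
        level, k = sorted(candidates, key=sorted), k + 1
    return support


def association_rules(support, min_confidence):
    """Every split of a large itemset into antecedent => consequent, kept when
    confidence = supp(itemset) / supp(antecedent) reaches the threshold."""
    rules = []
    for itemset, sup in support.items():
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                ante = frozenset(ante)
                conf = sup / support[ante]
                if conf >= min_confidence:
                    rules.append((ante, itemset - ante, sup, conf))
    return rules


def mine(records, min_support=0.25, min_confidence=0.8):
    transactions = [discretize(*r) for r in records]
    return association_rules(large_itemsets(transactions, min_support), min_confidence)


def explain(rule):
    """Render a rule the way the slide does: items, arrow, (support, confidence)."""
    ante, cons, sup, conf = rule
    lhs = " AND ".join(f'"{i}"' for i in sorted(ante))
    rhs = " AND ".join(f'"{i}"' for i in sorted(cons))
    return f"{lhs} => {rhs} ({sup * 100:.1f}%, {conf * 100:.1f}%)"


def find_rule(rules, ante, cons):
    for r in rules:
        if r[0] == frozenset(ante) and r[1] == frozenset(cons):
            return r
    return None


if __name__ == "__main__":
    for rule in sorted(mine(RECORDS), key=lambda r: (-r[3], -r[2])):
        print(explain(rule))
```

On the constructed records the rule "]14h-19h]" AND "53" AND "[0-1KB]" => "TUESDAY" comes out with support 6/12 and confidence 6/7: the seven small afternoon DNS flows are the antecedent, six of them fall on the Tuesday. Whether such a rule is "useful" is the explanation step of the process slide; the mining only guarantees it is frequent and reliable on the selected data.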
Conclusion

- A contribution to improving security
- A metrology-based application
  - Built on a database
  - Open & modular

Who would like to participate?
E-mail: [email protected]

TIGRE