Internet Traffic Analysis for Threat Detection
Internet Traffic Analysis for Threat Detection
Joshua Thomas, CISSP
Thomas Conley, CISSP
Ohio University
Communication Network Services
Abstract
Useful logs may already exist at your institution.
Network transaction logging is a very useful, flexible,
and inexpensive tool for network security.
Comprehensive network security relies on log
collection and analysis.
Analysis of log files can be automated, and can
provide information that can be the basis for
prevention and response procedures.
Start with what you have
The collection and analysis of network transaction
data are useful for a wide range of tasks:
Security management
Network billing and accounting
Network operations management
Performance analysis
As a result, some form of network transaction logs
may already exist within your institution, even if not
specifically implemented for network security reasons.
“Pointed stick”
Low cost, high returns
Simple to implement
Nonspecific, flexible
Non-restrictive
Fundamental need
Network transaction logs are arguably the
most basic, necessary countermeasure in
network security.
Logs should form the basis for decisions
regarding other security initiatives.
Traffic analysis will be necessary to validate
the performance of other security
countermeasures.
Needs pyramid: Maslow’s Hierarchy
Self-actualization
Esteem needs
Belongingness and Love needs
Safety needs
Biological and Physiological needs
Needs pyramid: Network Security
IDS/IPS
Firewalls
Host Security
Security Staff
Network Transaction Logs
Transparent monitor
Acts as a passive device, gathering traffic and
performance statistics at appropriate places in
networks (server or client locations)
Is not necessarily a point of failure in your
network
Cannot alter network traffic, unlike active devices
such as firewalls or IDS/IPS systems.
However, monitoring can co-exist with other
network security devices, such as IPS/IDS
Transparent monitor: Simple setup
(Diagram: Upstream Provider, Hub, Network, Network Monitor)
Scalable
Mirroring traffic is relatively inexpensive.
Institutions may choose to capture as much data as
possible and only perform limited analysis as needed.
There are appropriate solutions for implementing
network transaction monitoring at just about every
level of a network.
Small lab environment
Single department
University border
Transparent monitor: Large-scale
(Diagram: ISP 1, ISP 2, Network, Monitor)
Selective memory
In order to be able to store and analyze high
volumes of traffic, the memory demands must
be reduced in some way.
Selective memory: Depth
IPS/IDS systems generally select certain
transactions (via signature matching, etc.) for
storage and analysis. In other words, only
communications that match the selection criteria
are recorded, and all other data is ignored.
Selective memory: Breadth
Flow monitoring accounts for every transaction, but
does not retain the content of the transactions.
Transactions contain both routing information and
content. Only routing information is retained.
Applications that can capture this sort of transaction
data include Argus, tcpdump, Ethereal, cflowd, etc.
Flow metrics
Metrics generally captured in network
transaction logs include:
Source, destination IP addresses (for IP traffic)
Beginning, end times
Packet count
Byte count
TTL (for IP traffic)
TCP flags (for TCP/IP traffic)
TCP state progression (for TCP/IP traffic)
Base sequence numbers (for TCP/IP traffic)
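The following is an added example, not code from the slides or from Argus. It shows what "breadth" monitoring keeps and what it discards: constructed packet records (each carrying a payload) are folded into bidirectional flow records holding only the metrics listed above, and the payload never reaches the flow. The addresses, sizes and timestamps are constructed, and the coarse TCP state labels (SYN, EST, FIN, RST, CON) are this example's own naming, not Argus's.

```python
"""Build content-free flow records from packet-level records (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ts: float            # capture time (seconds)
    src: str
    dst: str
    sport: int
    dport: int
    proto: str           # "tcp" or "udp"
    ttl: int
    length: int          # bytes on the wire
    flags: str = ""      # TCP flags as letters: S, A, P, F, R
    seq: int = 0         # TCP sequence number
    payload: bytes = b""  # content: never copied into a Flow


@dataclass
class Flow:
    src: str             # initiator (first packet seen fixes the direction)
    dst: str
    sport: int
    dport: int
    proto: str
    start: float         # beginning time
    end: float           # end time
    ttl: int             # TTL of the first packet
    base_seq: int        # base sequence number (TCP)
    packets: int = 0
    bytes: int = 0
    flags: str = ""      # union of TCP flags seen, first-seen order
    state: str = "INIT"  # coarse TCP state progression


FlowKey = Tuple[str, str, int, int, str]


def flow_key(p: Packet) -> FlowKey:
    return (p.src, p.dst, p.sport, p.dport, p.proto)


def reverse_key(k: FlowKey) -> FlowKey:
    src, dst, sport, dport, proto = k
    return (dst, src, dport, sport, proto)


def tcp_state(flags_seen: str) -> str:
    """Coarse connection state from the flags accumulated so far."""
    if "R" in flags_seen:
        return "RST"
    if "F" in flags_seen:
        return "FIN"
    if "S" in flags_seen and "A" in flags_seen:
        return "EST"
    return "SYN" if "S" in flags_seen else "CON"   # CON: data, no handshake seen


def aggregate(packets: List[Packet]) -> List[Flow]:
    """Fold packets into bidirectional flows keyed on the 5-tuple."""
    flows: Dict[FlowKey, Flow] = {}
    for p in sorted(packets, key=lambda x: x.ts):
        k = flow_key(p)
        if k not in flows and reverse_key(k) in flows:
            k = reverse_key(k)                 # reply traffic joins the existing flow
        f = flows.get(k)
        if f is None:
            f = Flow(p.src, p.dst, p.sport, p.dport, p.proto, p.ts, p.ts, p.ttl, p.seq)
            if p.proto != "tcp":
                f.state = "N/A"
            flows[k] = f
        f.end = max(f.end, p.ts)
        f.packets += 1
        f.bytes += p.length
        if p.proto == "tcp":
            for ch in p.flags:
                if ch not in f.flags:
                    f.flags += ch
            f.state = tcp_state(f.flags)
    return list(flows.values())


def format_record(f: Flow) -> str:
    """One tab-separated text line per flow, as a flow log on disk would hold."""
    return "\t".join(str(v) for v in (f.start, f.end, f.proto, f.src, f.sport, f.dst,
                                      f.dport, f.packets, f.bytes, f.ttl, f.flags,
                                      f.state, f.base_seq))


def storage_ratio(flows: List[Flow]) -> float:
    """Bytes of flow log written per byte of traffic observed."""
    logged = sum(len(format_record(f)) + 1 for f in flows)
    return logged / sum(f.bytes for f in flows)


# Constructed packets: one HTTP connection (with payload) and one DNS exchange.
SAMPLE_PACKETS = [
    Packet(100.000, "10.1.2.3", "198.51.100.7", 51234, 80, "tcp", 64, 60, "S", 1000),
    Packet(100.020, "198.51.100.7", "10.1.2.3", 80, 51234, "tcp", 52, 60, "SA", 5000),
    Packet(100.021, "10.1.2.3", "198.51.100.7", 51234, 80, "tcp", 64, 52, "A", 1001),
    Packet(100.030, "10.1.2.3", "198.51.100.7", 51234, 80, "tcp", 64, 300, "PA", 1001,
           b"GET / HTTP/1.0\r\n\r\n"),
    Packet(100.090, "198.51.100.7", "10.1.2.3", 80, 51234, "tcp", 52, 1500, "PA", 5001,
           b"HTTP/1.0 200 OK\r\n\r\n<html>...</html>"),
    Packet(100.100, "10.1.2.3", "198.51.100.7", 51234, 80, "tcp", 64, 52, "FA", 1249),
    Packet(100.120, "198.51.100.7", "10.1.2.3", 80, 51234, "tcp", 52, 52, "FA", 6449),
    Packet(101.000, "10.1.2.3", "192.0.2.53", 40000, 53, "udp", 64, 75, payload=b"query"),
    Packet(101.005, "192.0.2.53", "10.1.2.3", 53, 40000, "udp", 57, 120, payload=b"reply"),
]
```

Running aggregate(SAMPLE_PACKETS) yields two flow records; storage_ratio() on them gives the log-bytes-per-traffic-byte figure that, at scale, is what the 0.6% number on the last slide measures.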
Inference
Certain traffic characteristics are very useful in
making inferences about the nature of the
traffic.
Examples:
Amount of bandwidth consumed
Number of connection attempts
Connections to unused address ranges
Automation
Identifying problems through inference can be
automated.
Once the criteria have been clearly defined,
then the tasks that were once done by
humans can be performed by simple
programs.
Once the identification of problems is
automated, then those results can be fed into
response procedures.
Examples
Compare logs with blacklists, such as known spyware or spam source IP lists
Examine traffic destined for non-populated
subnets
Noise-floor analysis
TCP port usage
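As an added example (not code from the slides), the following runs the inference and automation ideas above over constructed flow records: comparison against a blacklist, traffic aimed at unpopulated subnets, counting of unanswered TCP connection attempts per source, and a port-usage count as a noise-floor baseline. The address ranges, the blacklist entry, the threshold and the flow records are all placeholders; the state labels follow the same SYN/EST/FIN/RST/N/A convention as the earlier aggregation example but this block is self-contained.

```python
"""Automated inference over flow records (added example)."""
import ipaddress
from collections import Counter
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str
    state: str       # SYN = no reply ever seen; EST/FIN/RST = handshake completed; N/A = not TCP
    packets: int
    bytes: int


# Constructed site description (placeholders, not a real institution's ranges).
LOCAL_NET = ipaddress.ip_network("10.1.0.0/16")      # everything routed to campus
POPULATED = [ipaddress.ip_network("10.1.0.0/22")]    # subnets that actually contain hosts
BLACKLIST = {"203.0.113.9"}                          # placeholder spyware/spam source list
SCAN_THRESHOLD = 10                                  # unanswered SYNs from one source


def blacklist_hits(flows: List[Flow], blacklist=BLACKLIST) -> List[Flow]:
    """Flows whose local or remote end appears on a known-bad list."""
    return [f for f in flows if f.src in blacklist or f.dst in blacklist]


def darknet_hits(flows: List[Flow], local=LOCAL_NET, populated=POPULATED) -> List[Flow]:
    """Flows aimed at local address space where no host exists."""
    out = []
    for f in flows:
        dst = ipaddress.ip_address(f.dst)
        if dst in local and not any(dst in net for net in populated):
            out.append(f)
    return out


def scan_sources(flows: List[Flow], threshold=SCAN_THRESHOLD) -> Dict[str, int]:
    """Sources with many TCP flows that never got past SYN."""
    attempts = Counter(f.src for f in flows if f.proto == "tcp" and f.state == "SYN")
    return {src: n for src, n in attempts.items() if n >= threshold}


def port_usage(flows: List[Flow]) -> Counter:
    """Flow count per (proto, destination port): the noise floor per service."""
    return Counter((f.proto, f.dport) for f in flows)


def run_checks(flows: List[Flow]) -> List[str]:
    """One line per finding, in a form a response procedure can consume."""
    findings = []
    for f in blacklist_hits(flows):
        findings.append(f"blacklist: {f.src} <-> {f.dst}:{f.dport} ({f.bytes} bytes)")
    for f in darknet_hits(flows):
        findings.append(f"unpopulated-subnet: {f.src} -> {f.dst}:{f.dport}")
    for src, n in scan_sources(flows).items():
        findings.append(f"scan: {src} made {n} unanswered TCP connection attempts")
    return findings


# Constructed flow records.
SAMPLE_FLOWS = (
    [Flow("10.1.1.5", "198.51.100.7", 80, "tcp", "FIN", 12, 9800),     # ordinary web session
     Flow("10.1.1.8", "203.0.113.9", 443, "tcp", "EST", 40, 51200),    # talks to a listed host
     Flow("10.1.1.5", "192.0.2.53", 53, "udp", "N/A", 2, 195)]         # DNS lookup
    + [Flow("192.0.2.66", f"10.1.0.{i}", 445, "tcp", "SYN", 1, 60)     # sweep of a live subnet
       for i in range(1, 13)]
    + [Flow("192.0.2.66", "10.1.200.4", 22, "tcp", "SYN", 1, 60)]      # probe into empty space
)

if __name__ == "__main__":
    for line in run_checks(SAMPLE_FLOWS):
        print(line)
    print("busiest ports:", port_usage(SAMPLE_FLOWS).most_common(3))
```

Each check is a separate function returning data, so the threshold and ranges can be tuned per site and the findings list can be handed straight to a ticketing or blocking step.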
Endless possibilities
We are constantly discovering new uses for
network transaction logs
About our institution
4,820 employees (1,069 full-time faculty)
20,143 students (18,497 full-time students)
90+ Mbps Internet bandwidth (2 ISPs)
6,000,000,000+ packets per day
3,000,000,000+ source packets
3,000,000,000+ destination packets
2,400+ GB per day (500+ DVD-ROMs)
727 source GB per day
1,675 destination GB per day
~12 GB Argus log files generated per day, on average
(0.6% of the total bytes represented)
References/Resources
RFC 2724, “RTFM: New Attributes for Traffic
Flow Measurement.” (http://www.rfceditor.org/rfc/rfc2724.txt)
Argus: http://www.qosient.com/argus