Behaviour Analysis and Anomaly Detection
(1)

Andrej Vnuk

Behaviour Analysis and Anomaly Detection

Andrej.Vnuk@alef.com

Regional Coordinator for Network and Security solutions

Conference HEK.SI, 6th – 7th April 2017, Ljubljana

(2)

Technology Approaches

Network Visibility

& Security

Perimeter Security

Endpoint Security

(3)

• Firewalls

• IPS/IDS

• Mail Filtering

• AntiMalware + AntiSpyware

• Web Gateway

• Web Application Firewall

• Application Delivery Controllers

• APT

• Vulnerability management

• SIEM

Traditional solutions

(4)

• SNMP based tools (Nagios, Cacti, Zabbix, ...)

• Agent based tools (PRTG)

• Packet capturing (Wireshark)

• Full blown network monitoring (OpenView, ...)

• SIEM

• Still missing real insight into network traffic:

Statistical collection of all traffic with automatic network behavior analysis in (near) real time!

Network monitoring

(5)

NBA Recommendation

Neil MacDonald

VP Distinguished Analyst

Gartner Security & Risk Management Summit

Detection and response are more important than blocking and prevention.

Monitoring and analysis should be at the core of all next-generation security platforms.

(6)

Importance of Flow Analysis

Flowmon: "Flow + L7 covers 95% of issues"

(7)

Teaser

• Experience from a PoC in an internal network, testing the solution on customer data

• The customer

  - Significant financial institution

  - Separate infrastructure, operations and security departments

  - Firewall, IPS, Antivirus

• Results of the testing

  - Two thirds of data traffic was generated by infected devices

(8)

Teaser

(9)

• Covers security gap between end-points and perimeter

• Automatically identifies threats, attacks, incidents and configuration issues

• Complements traditional security tools based on signatures

• Alerts proactively on unexpected behavior in the network

NBA

(10)

• How is NBA different from other tools?

Anomaly Detection

Common tools use statistical methods to detect traffic spikes and deviations

NBA analyzes each flow and goes beyond the traditional statistical algorithms

(11)

Netflow-based NBA builds on:

• Machine Learning

• Adaptive Baselining

• Heuristics

• Behavior Patterns

• Reputation Databases

NBA Principles

(12)

• Network behavior patterns

• Behavior patterns for SIP traffic

• Advanced (long term) network behavior patterns

• Derived behavior patterns for characteristics of individual devices

• Behavior changes of network statistics

• Aggregated methods

Detection Methods
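To make the difference between a statistical baseline and per-flow behaviour patterns concrete, here is an added example that is not code from the presentation or from Flowmon. It runs both kinds of detection over a small set of constructed flow records: a port scan that moves only 2.4 kB in total, which no volume baseline would notice, and a 5 MB upload that the adaptive baseline does catch. The Flow record layout, the thresholds and all addresses are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow record as a collector would store it (assumed field set)."""
    ts: int        # seconds since start of the observation window
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    bytes: int


def make_flows():
    """Constructed sample: normal browsing, a low-volume port scan, one upload spike."""
    flows = []
    # 10.0.0.5 browses one HTTPS site, one flow per minute, 50-70 kB each (varied so the baseline has a spread)
    for m in range(30):
        flows.append(Flow(m * 60, "10.0.0.5", "93.184.216.34", "tcp", 40000 + m, 443, 40,
                          50_000 + (m * 7919) % 20_000))
    # 10.0.0.9 probes 40 distinct ports on 10.0.0.20 during minute 10: one 60-byte packet per port
    for p in range(40):
        flows.append(Flow(600 + p, "10.0.0.9", "10.0.0.20", "tcp", 51000 + p, 1 + p, 1, 60))
    # 10.0.0.5 pushes 5 MB to an external host in minute 25
    flows.append(Flow(25 * 60 + 30, "10.0.0.5", "203.0.113.7", "tcp", 45000, 443, 4000, 5_000_000))
    return flows


def detect_port_scan(flows, min_ports=20, max_pkts=3):
    """Behaviour pattern: one source touching many distinct ports on a host with tiny flows.
    Returns {(src, dst): distinct_ports}. Thresholds are assumptions."""
    ports = defaultdict(set)
    for f in flows:
        if f.packets <= max_pkts:
            ports[(f.src, f.dst)].add(f.dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


def detect_volume_spike(flows, bucket=60, min_history=5, z=3.0):
    """Adaptive baseline: bytes per source per bucket compared with mean/stddev of the earlier buckets.
    Returns {(src, bucket_index): z_score}."""
    per_src = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_src[f.src][f.ts // bucket] += f.bytes
    alerts = {}
    for src, buckets in per_src.items():
        keys = sorted(buckets)
        for i in range(min_history, len(keys)):
            hist = [buckets[k] for k in keys[:i]]
            mu, sd = mean(hist), pstdev(hist)
            score = (buckets[keys[i]] - mu) / sd if sd > 0 else 0.0
            if score > z:
                alerts[(src, keys[i])] = round(score, 1)
    return alerts


if __name__ == "__main__":
    flows = make_flows()
    print("port scans:", detect_port_scan(flows))        # the scanner never exceeds any byte threshold
    print("volume spikes:", detect_volume_spike(flows))  # the upload; the scanner has no history at all
```

The scanner host has a single minute of history, so the baseline detector cannot even score it; only the per-flow pattern (many destination ports, tiny flows) sees it. The baseline still earns its place for the upload, which looks like ordinary HTTPS at the flow level.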

(13)

Attacks on network services

Infected devices and communication botnet C&C, attackers, …

Anomalies of DNS or DHCP traffic

Port scanning and similar symptoms of infected devices

Applications like P2P networks or on-line messengers

PROXY bypass, TOR

Outages of network services or improper configurations

Potential data leakage and usage of data sharing on internet

Attacks against VoIP, PBX, …

Unexpected mail traffic and SPAM

Detection Capabilities

(14)

• IP and host-based reputation feeds

• Detection of C&C domains, P2P botnets, phishing

  - IP addresses

  - HTTP host names

  - Domain names

Threat Intelligence

(15)

Examples from real traffic

Path traversal attack (full visibility)

(16)

Example attack

Use-case: path traversal attack

(17)

Example attack

• Use-case: path traversal attack

  - Collect and analyse flows

  - Automatic detection of anomaly/attack

  - Detailed insight thanks to application monitoring

  - Full forensics based on content

Flow -> ADS (anomaly detection) -> APM (application monitoring) -> Packet capture

(18)

Netflow

• Obvious anomaly in data traffic

(19)

Netflow

• Obvious anomaly in data traffic

(20)

Netflow

• Obvious anomaly in data traffic

(21)

Anomaly detection

• Automatic detection and interpretation

(22)

Application monitoring

• Full visibility into the application traffic

  - Full URL, UserAgent, …

(23)

Packet analysis

• Automated trigger of packet capture for further forensic analysis

(24)

Use Case: Anomaly Detection in Enterprise

(25)

Advanced malware

• Malware infected device in the internal network

78 port scans?

DNS anomalies?

(26)

Advanced malware

Let’s see the scans first

Ok, users cannot access the web

Are the DNS anomalies related?

(27)

Advanced malware

Ok, which DNS is being used?

192.168.0.53? This is a notebook!

How did this happen?

(28)

Advanced malware

Let’s look for the details…

Laptop 192.168.0.53 is acting as a DHCP server in the network

(29)

Advanced malware

Malware infected device

Trying to redirect and bridge traffic, probably to get sensitive data
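The rogue DHCP server case in the slides above can be spotted from flow data alone: a host answering on the DHCP server port that is not a sanctioned server, and clients whose DNS queries go to that same host. The following is an added example, not the presentation's or Flowmon's code. The flow tuples, the authorized server lists and the client addresses are constructed; 192.168.0.53 is reused from the slides only as the sample address of the notebook.

```python
from collections import Counter, defaultdict

# Sanctioned infrastructure (assumed for the example)
AUTHORIZED_DHCP = {"192.168.0.1"}
AUTHORIZED_DNS = {"192.168.0.10", "192.168.0.11"}

# Constructed flow records: (proto, src, sport, dst, dport, packets).
# 192.168.0.53 stands in for the notebook from the slides.
FLOWS = [
    ("udp", "192.168.0.1", 67, "255.255.255.255", 68, 3),     # legitimate DHCP offers
    ("udp", "192.168.0.53", 67, "255.255.255.255", 68, 41),   # notebook answering DHCP discovers
    ("udp", "192.168.0.53", 67, "192.168.0.77", 68, 9),       # unicast lease renewals to the notebook
    ("udp", "192.168.0.77", 53212, "192.168.0.53", 53, 120),  # client now resolves via the notebook
    ("udp", "192.168.0.53", 53, "192.168.0.77", 53212, 120),
    ("udp", "192.168.0.78", 51000, "192.168.0.53", 53, 88),
    ("udp", "192.168.0.80", 50111, "192.168.0.10", 53, 30),   # client using the real resolver
]


def rogue_dhcp_servers(flows, authorized=AUTHORIZED_DHCP):
    """Hosts sending from UDP/67 to UDP/68 (the server side of DHCP) that are not sanctioned servers.
    Returns {host: packets}."""
    offers = Counter()
    for proto, src, sport, dst, dport, pkts in flows:
        if proto == "udp" and sport == 67 and dport == 68 and src not in authorized:
            offers[src] += pkts
    return dict(offers)


def unauthorized_resolvers(flows, authorized=AUTHORIZED_DNS):
    """Hosts receiving DNS queries (UDP/53) that are not sanctioned resolvers.
    Returns {host: sorted list of clients talking to it}."""
    clients = defaultdict(set)
    for proto, src, sport, dst, dport, pkts in flows:
        if proto == "udp" and dport == 53 and dst not in authorized:
            clients[dst].add(src)
    return {host: sorted(c) for host, c in clients.items()}


def explain_dns_anomaly(flows):
    """Link the two findings: a host that both hands out leases and answers queries is the likely
    reason clients use the wrong resolver (the slides' 'how did this happen?')."""
    suspects = set(rogue_dhcp_servers(flows)) & set(unauthorized_resolvers(flows))
    return sorted(suspects)


if __name__ == "__main__":
    print("rogue DHCP servers:", rogue_dhcp_servers(FLOWS))
    print("unauthorized resolvers:", unauthorized_resolvers(FLOWS))
    print("rogue DHCP server that is also serving DNS:", explain_dns_anomaly(FLOWS))
```

Both checks need only the 5-tuple and packet counts that any NetFlow/IPFIX export carries, which is why this class of misconfiguration or attack surfaces in flow analysis before anyone looks at packets.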

(30)

Use Case: Advanced Malware Activity

(31)

Traffic overview, anomalies detected

(32)

Attacker activity (port scan, SSH authentication attack)

(33)

Victim of the attack, source of anomalies

(34)

Attacker is looking for potential victims

And starts SSH attack

That turns out to be successful

(35)

A few minutes after that, the breached device starts to communicate with a botnet C&C

(36)

Botnet identification using Flowmon Threat Intelligence

(37)

Flow data on L2/L3/L4

(38)

Including L7 visibility

(39)

Full packet capture and packet trace (PCAP file)

(40)

Analysis of PCAP file with botnet C&C communication in Wireshark

(41)

Data exfiltration command via ICMP

(42)

Command to discover RDP servers

(43)

ICMP anomaly traffic with payload present

(44)

PCAP available, what is the ICMP payload?

(45)

Linux /etc/passwd file with user accounts and password hashes
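Slides 41 to 45 describe ICMP traffic that carried a payload, later read out of the PCAP. As an added example that is not from the presentation or from Flowmon, here is a small parser that verifies an ICMP echo packet's checksum and then applies three heuristics to its payload: size, share of printable bytes, and /etc/passwd-style `name:pw:uid:gid:` lines. The packet builder exists only to create sample input, the two sample payloads are constructed (the passwd-style lines are generic placeholder accounts), the 64-byte size limit is an assumption, and the "standard ping filler" check assumes iputils ping fills its payload with consecutive byte values after a timestamp and that Windows ping uses the repeating alphabet.

```python
import re
import struct

ICMP_ECHO_REQUEST = 8
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32-byte filler used by Windows ping
PASSWD_LINE = re.compile(rb"^[a-z_][a-z0-9_-]*:[^:\n]*:\d+:\d+:", re.M)  # name:pw:uid:gid:

# Constructed sample payloads
LINUX_STYLE_FILLER = bytes(16) + bytes(range(0x10, 0x38))  # zeroed timestamp + consecutive bytes
SAMPLE_TEXT_PAYLOAD = (b"root:x:0:0:root:/root:/bin/bash\n"
                       b"backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n")


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Builds an echo request purely to create sample input for the parser."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> dict:
    """Splits an ICMP message into header fields and payload; the checksum verifies to 0 when intact."""
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(pkt) == 0, "payload": pkt[8:]}


def is_ping_filler(payload: bytes) -> bool:
    """Assumed fillers: a run of consecutive byte values (iputils) or the Windows alphabet."""
    tail = payload[-32:]
    consecutive = len(tail) == 32 and all(tail[i + 1] - tail[i] == 1 for i in range(31))
    return consecutive or payload == WINDOWS_PING


def assess_payload(payload: bytes, max_normal: int = 64) -> list:
    """Returns the reasons a payload looks unlike a normal ping (empty list = nothing unusual)."""
    if is_ping_filler(payload):
        return []
    reasons = []
    if len(payload) > max_normal:
        reasons.append("oversized")
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if payload and printable / len(payload) > 0.9:
        reasons.append("text payload")
    if PASSWD_LINE.search(payload):
        reasons.append("passwd-like lines")
    return reasons


if __name__ == "__main__":
    for label, payload in (("filler", LINUX_STYLE_FILLER), ("text", SAMPLE_TEXT_PAYLOAD)):
        info = parse_icmp(build_echo(0x1234, 1, payload))
        print(label, "checksum_ok=%s" % info["checksum_ok"], assess_payload(info["payload"]))
```

Run over packets extracted from the triggered PCAP, the printable-ratio and size checks alone separate echo requests that carry data from the echo requests a monitoring host sends, which is the kind of "ICMP anomaly traffic with payload present" the slides flag before any human reads the bytes.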

(46)

Looking for Windows servers with RDP

Attack against RDP services

(47)

Network Analysis + Forensics

• Flow monitoring including L7

• Network Behavior Analysis

• Full packet capture, triggered by detection

(48)

• Configuration wizard for initial setup

• Configuration templates for various environments

• False positives adjustment for tuning

Configuration

(49)

• Perspectives to set up event priorities

• E-mail reports

  - Based on perspectives

  - Various formats

• PDF reports

  - Predefined and user-defined

• SIEM/log management

  - Syslog (native CEF format)

  - SNMPv2 traps

• Triggered capture or script

Alerting and Integration

(50)

Identity source – syslog export of authentication events (time, login, IP address)

NetFlow records (time, IP, …)

User Identity Awareness (1)

(51)

• Detected events are related to users

• User identity is part of event details

User Identity Awareness (2)
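Slides 49 to 51 describe two integration points: relating a detected event to a user through an identity source that exports (time, login, IP address), and handing the event to a SIEM as syslog in CEF. The following is an added example and not the presentation's or Flowmon's code. The auth log lines, the events, the vendor and product strings and the signature IDs are constructed for the example; only the CEF header layout and the `rt`, `src` and `suser` extension keys are the standard ArcSight CEF ones. The lookup picks the latest login on the event's IP at or before the event time, so an address handed to a second user during the day is attributed to the right person.

```python
import bisect
from collections import defaultdict
from datetime import datetime, timezone

# Constructed identity log, as an authentication source would export it over syslog
AUTH_LOG = [
    "2017-04-06T08:01:10Z LOGIN user=alice ip=10.1.1.20",
    "2017-04-06T08:05:42Z LOGIN user=bob ip=10.1.1.21",
    "2017-04-06T09:30:00Z LOGIN user=carol ip=10.1.1.20",  # same address handed to a new user later
]

# Constructed detected events (what the flow-side detection produces: time and IP only)
EVENTS = [
    {"time": "2017-04-06T08:20:00Z", "src": "10.1.1.20", "name": "Port scan", "severity": 6},
    {"time": "2017-04-06T09:45:00Z", "src": "10.1.1.20", "name": "Botnet C&C contact", "severity": 9},
    {"time": "2017-04-06T09:46:00Z", "src": "10.1.1.99", "name": "DNS anomaly", "severity": 4},
]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_identity_index(lines):
    """ip -> (sorted login times, users in the same order), so each lookup is a binary search."""
    logins = defaultdict(list)
    for line in lines:
        when, action, user_kv, ip_kv = line.split()
        if action != "LOGIN":
            continue
        logins[ip_kv.split("=", 1)[1]].append((parse_time(when), user_kv.split("=", 1)[1]))
    index = {}
    for ip, entries in logins.items():
        entries.sort()
        index[ip] = ([t for t, _ in entries], [u for _, u in entries])
    return index


def lookup_user(index, ip: str, when: datetime):
    """Most recent login on that IP at or before the event time; None if nobody is known."""
    if ip not in index:
        return None
    times, users = index[ip]
    pos = bisect.bisect_right(times, when)
    return users[pos - 1] if pos else None


def _esc_header(v):   # CEF header fields escape backslash and pipe
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v):      # CEF extension values escape backslash and equals sign
    return str(v).replace("\\", "\\\\").replace("=", "\\=")


def to_cef(event: dict, user) -> str:
    """CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension (vendor/product assumed)."""
    signature = event["name"].lower().replace(" ", "_")
    header = "|".join(_esc_header(x) for x in
                      (0, "ExampleNBA", "ADS", "1.0", signature, event["name"], event["severity"]))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in
                   (("rt", event["time"]), ("src", event["src"]), ("suser", user or "unknown")))
    return f"CEF:{header}|{ext}"


def enrich(events, auth_lines):
    """Attach the user to each event and render the syslog/CEF line a SIEM would receive."""
    index = build_identity_index(auth_lines)
    return [to_cef(e, lookup_user(index, e["src"], parse_time(e["time"]))) for e in events]


if __name__ == "__main__":
    for line in enrich(EVENTS, AUTH_LOG):
        print(line)
```

An event on an address with no login on record is still exported, with `suser=unknown`, rather than dropped; a SIEM rule can then treat "anomaly from an unattributed host" as its own signal.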

(52)

Flowmon Architecture

Network traffic monitoring -> Collection of traffic statistics -> Visualization and detection of anomalies

Flowmon Probes

• Passive source of network statistics - NetFlow / IPFIX data

Flowmon Collectors

• NetFlow evidence, reporting, analysis

Flowmon Modules

• Anomaly detection + behavior analysis

• Application performance monitoring

• DDoS detection and mitigation

• Full packet capture

(53)

• Versatile and flexible network appliance

  - Monitoring ports convert packets to flows

  - Un-sampled export in NetFlow v5/v9 or IPFIX

  - Wire-speed, L2-L7 visibility, PCAPs when needed

Flowmon Probe

L2

• MAC

• VLAN

• MPLS

• GRE tunnel

L3/L4

• Standard items

• NPM metrics

• RTT, SRT, …

• TTL, SYN size, …

• ASN

• Geolocation

L7

• NBAR2

• HTTP

• DNS

• DHCP

• SMB/CIFS

• VoIP (SIP)

(54)

Toolset to consider

(55)

Next Generation Network Security - Behavior Analysis & Anomaly Detection

• Detects and alerts on abnormal behaviors

• Reports anomalies and advanced persistent threats

• Detects intrusions and attacks not visible to standard signature based tools

Value Proposition – Security

Paul E. Proctor, VP at Gartner: "NBA is about higher visibility in the behavior of your network to cover gaps left by signature based mechanism."

(56)

Andrej Vnuk

ALEF distribucija SI, d.o.o.

www.alef.com

Andrej.vnuk@alef.com

DEMO ???

Visit us at our booth in the lobby !
