autom atic anom aly detection using nfsen
play

Autom atic anom aly detection using NfSen Wim Biemolt, SURFnet - PowerPoint PPT Presentation

May 22, 2023 •323 likes •594 views

Autom atic anom aly detection using NfSen Wim Biemolt, SURFnet Werner Schram, SURFnet 14/ 12/ 2007 Autom atic anom aly detection using NfSen - SURFnet and netflow anomaly detection - NERD - NfSen - PeakFlow SP - Currently used detection

  1. Autom atic anom aly detection using NfSen Wim Biemolt, SURFnet Werner Schram, SURFnet 14/ 12/ 2007

  2. Autom atic anom aly detection using NfSen - SURFnet and netflow anomaly detection - NERD - NfSen - PeakFlow SP - Currently used detection methods - DDos - Botnet - Holt-Winters aberrant behavior 1 SURFnet – Automatic anomaly detection using NfSen

  3. SURFnet and netflow anom aly detection - NERD v1 - Developed by TNO - Based on cflowd - cflowd is no longer supported - NERD v2 - Initially developed by TNO - Has serious performance problems - NfSen can do the same but without the performance problems 2 SURFnet – Automatic anomaly detection using NfSen

  4. NfSen - Netflow Sensor (NfSen) is a - network statistics tool - Developed by Peter Haag - Currently in active development - Alert plug-in system - Generic plug-in system - Some plug-ins already available 3 SURFnet – Automatic anomaly detection using NfSen

  5. NfSen 4 SURFnet – Automatic anomaly detection using NfSen

  6. DDos detection - Simple flow analysis - based on NERD v1 DDos detection - using a low threshold and a high threshold - Rules for traffic between those thresholds - Custom thresholds for high load services 5 SURFnet – Automatic anomaly detection using NfSen

  7. Expected traffic 6 SURFnet – Automatic anomaly detection using NfSen

  8. Definitively Conspicuous Traffic 7 SURFnet – Automatic anomaly detection using NfSen

  9. Border cases 8 SURFnet – Automatic anomaly detection using NfSen

  10. High load servers 9 SURFnet – Automatic anomaly detection using NfSen

  11. Custom thresholds 10 SURFnet – Automatic anomaly detection using NfSen

  12. DDos interface: report 11 SURFnet – Automatic anomaly detection using NfSen

  13. DDos interface: Details 12 SURFnet – Automatic anomaly detection using NfSen

  14. Botnet detection - Hosts infected by viruses connect to hosts known as botnet controllers - List of botnet controllers are available, for example: http: / / www.bleedingthreats.net/ rules/ bleeding-botcc.rules - Our plug-in logs all hosts that connect to known botnet controllers - Automatically reports to incident report system using IODEF 13 SURFnet – Automatic anomaly detection using NfSen

  15. Botnet I ODEF reports <?xml version="1.0" encoding="iso-8859-1"?> <io:IODEF-Document xmlns:io="urn:ietf:params:xml:ns:iodef-1.0” lang="en"> <io:Incident purpose="reporting"> <io:IncidentID name="overflow.surfnet.nl&#10;">#33408</io:IncidentID> <io:StartTime> 2007-08-13T15:07:47+02:00 </io:StartTime> <io:EndTime> 2007-08-13T21:06:12+02:00 </io:EndTime> <io:ReportTime> 2007-08-13T21:12:07+02:00 </io:ReportTime> <io:Assessment> <io:Impact type="user"/> </io:Assessment> <io:Contact> <io:ContactName>Werner Schram</io:ContactName> </io:Contact> <io:EventData> <io:Method> <io:Reference> <io:ReferenceName> botnet </io:ReferenceName> </io:Reference> </io:Method> <io:Flow> <io:System category="source"> <io:Node> <io:Address category="ipv4-addr"> 192.168.1.1 </io:Address> <io:Counter type="flow"> 20 </io:Counter> </io:Node> </io:System> <io:System category="target"> <io:Node> <io:Address category="ipv4-addr"> 192.168.1.2 </io:Address> </io:Node> <io:Service ip_version=" 4 " ip_protocol=" 6 "> <io:Port> 80 </io:Port> </io:Service> </io:System> </io:Flow> </io:EventData> <io:AdditionalData dtype="string">Generated by NFSen</io:AdditionalData> </io:Incident> </io:IODEF-Document> 14 SURFnet – Automatic anomaly detection using NfSen

  16. Holt-W inters aberrant behavior detection - Uses information about periodic data to predict aberrant behavior. 15 SURFnet – Automatic anomaly detection using NfSen

  17. Holt-W inters: Exam ple 16 SURFnet – Automatic anomaly detection using NfSen

  18. Holt-W inters: Original im plem entation Trend Periodic information Noise Prediction 17 SURFnet – Automatic anomaly detection using NfSen

  19. Lim itations of the original im plem entation - The original algorithm has three parameters which define: - the weight of historical data - the weight of the trend - the amount of expected noise - The original algorithm has a constant learning rate - If a low learning rate is used, the selection of the initial values is critical. This will introduce false positives for a long time. - With a high learning rate, the model will likely be overfitted. This will introduce false negatives - The trend parameter has no significant influence with the resolution we are using 18 SURFnet – Automatic anomaly detection using NfSen

  20. Holt-W inters: Multiple trends Network traffic time series often show multiple recurring patterns, for example a weekly trend: 19 SURFnet – Automatic anomaly detection using NfSen

  21. Holt-W inters: Multiple periods Daily Period Weekly period Noise 20 SURFnet – Automatic anomaly detection using NfSen

  22. Learning rate Fixed learning rate: The first pattern is overweighted Adaptive learning rate: The weight of the first pattern is relative to the rest 21 SURFnet – Automatic anomaly detection using NfSen

  23. Real data exam ple SURFnet – Automatic anomaly detection using NfSen 22

  24. Holt W inters: Usage Exam ple Normal ICMP Traffic Aberrant ICMP Traffic: Caused by DDos attack by Stormworm botnet 23 SURFnet – Automatic anomaly detection using NfSen

  25. Holt W inters: Other possible uses Common SMTP Traffic Last week SMTP Traffic 24 SURFnet – Automatic anomaly detection using NfSen

  26. Wim Biemolt Wim.Biemolt@surfnet.nl www.surfnet.nl Werner Schram Werner.Schram@surfnet.nl www.surfnet.nl 25 SURFnet – Automatic anomaly detection using NfSen

Recommend

WIDE Kick-off Meeting Partner presentation of the Autom atic Control Laboratory School of

WIDE Kick-off Meeting Partner presentation of the Autom atic Control Laboratory School of

WIDE Kick-off Meeting Partner presentation of the Autom atic Control Laboratory School of Electrical Engineering KTH, Stockholm , Sw eden Attending the kick-off: Mikael Johansson Henrik Sandberg Pablo Soldati Bo Wahlberg 1 Outline

280 views • 23 slides
I nitial discussion to help inform evidence base Autom atic fire suppression system s for

I nitial discussion to help inform evidence base Autom atic fire suppression system s for

I nitial discussion to help inform evidence base Autom atic fire suppression system s for existing high rise dom estic residential buildings ( sprinkler system s) Building Standards Division 9 August 2017 Holistic overview of fire safety

500 views • 17 slides
Autom atic m ould level control in Bokaro Steel Plant In Bokaro steel plant, we are committed

Autom atic m ould level control in Bokaro Steel Plant In Bokaro steel plant, we are committed

Autom atic m ould level control in Bokaro Steel Plant In Bokaro steel plant, we are committed to continuously build a culture of automation, innovation and being updated. Bokaro Caster overview Tw o identical tw in strand slab casters

439 views • 19 slides
Autom ated, per pixel Autom ated, per pixel Cloud Detection from High- - Cloud Detection from

Autom ated, per pixel Autom ated, per pixel Cloud Detection from High- - Cloud Detection from

Autom ated, per pixel Autom ated, per pixel Cloud Detection from High- - Cloud Detection from High Resolution VNI R Data Resolution VNI R Data Dm itry L. Varlyguin GDA Corp. JACI E Presentation March 1 4 -1 6 , 2 0 0 6 Cloud And Shadow

1.32k views • 15 slides
Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Autom atic code

Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Autom atic code

Chair of Softw are Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Autom atic code inspection Automation of code reviewing Possible bugs Code convention violations Dead code Duplicated code Suboptimal

227 views • 12 slides
An Embedding A Approac ach t to Anom omal aly D Detection Renjun Hu 1 , Charu Aggarwal 2 ,

An Embedding A Approac ach t to Anom omal aly D Detection Renjun Hu 1 , Charu Aggarwal 2 ,

An Embedding A Approac ach t to Anom omal aly D Detection Renjun Hu 1 , Charu Aggarwal 2 , Shuai Ma 1 , and Jinpeng Huai 1 1 SKLSDE Lab, Beihang University, China 2 IBM T. J. Watson Research Center, USA 1 Motiv tivatio tion Anomaly

802 views • 27 slides
Developing the autom atic m easurem ent of surface condition on local roads Alex W right Alex W

Developing the autom atic m easurem ent of surface condition on local roads Alex W right Alex W

Developing the autom atic m easurem ent of surface condition on local roads Alex W right Alex W right TRL I nfrastructure Division TRL I nfrastructure Division Group m anager, Technology Technology Developm ent Developm

544 views • 29 slides
The transition from Galactic to extragalactic cosmic-rays ATIC-1 KASCADE QGSJet II ATIC-2

The transition from Galactic to extragalactic cosmic-rays ATIC-1 KASCADE QGSJet II ATIC-2

The transition from Galactic to extragalactic cosmic-rays ATIC-1 KASCADE QGSJet II ATIC-2 K-Grande QGSJet II-4 20 RunJob K-Grande electron poor Jacee K-Grande electron rich Tibet-III Auger (ICRC 2013) PAMELA PAMELA-CALO log 10 E 2.7

1.29k views • 84 slides
Det Detec ectin ing An Anom omal alou ous Com omputat ation ion wit ith RN RNNs on on

Det Detec ectin ing An Anom omal alou ous Com omputat ation ion wit ith RN RNNs on on

Det Detec ectin ing An Anom omal alou ous Com omputat ation ion wit ith RN RNNs on on GP GPU-Ac Accel eler erat ated ed HPC PC Mac Machin ines es Pengfei Zou, Ro Rong Ge Clemson University Ang Li, Kevin Barker Pacific

240 views • 12 slides
YEAR 9 OPTIONS DARE E TO BE DRAMATIC? ATIC? #WE E ARE DRAMA! A! DARE E TO BE DRAMATIC?

YEAR 9 OPTIONS DARE E TO BE DRAMATIC? ATIC? #WE E ARE DRAMA! A! DARE E TO BE DRAMATIC?

YEAR 9 OPTIONS DARE E TO BE DRAMATIC? ATIC? #WE E ARE DRAMA! A! DARE E TO BE DRAMATIC? ATIC? #WE E ARE DRAMA! A! The GCSE Drama specification allows for much freedom in the curriculum in terms of Group sizes, Topics and

973 views • 86 slides
Test Autom ation and Test Autom ation and Keyw ord-driven testing Brian Nielsen,

Test Autom ation and Test Autom ation and Keyw ord-driven testing Brian Nielsen,

Test Autom ation and Test Autom ation and Keyw ord-driven testing Brian Nielsen, bnielsen@cs.aau.dk 3 Script Based Testing 3. Script-Based Testing + / - test impl. = programming + automatic execution + auto regression testing + auto

285 views • 14 slides
Outline Introduction/ Motivation Preliminaries Circuit, Fault Model, Test Pattern

Outline Introduction/ Motivation Preliminaries Circuit, Fault Model, Test Pattern

Autom atic Test Pattern Generation Rolf Drechsler, Grschwin Fey University of Bremen drechsle@informatik.uni-bremen.de Outline Introduction/ Motivation Preliminaries Circuit, Fault Model, Test Pattern Generation Proof

722 views • 35 slides
SRP Telecom SRP Telecom Presentation to the ATIC Board Presentation to the ATIC Board Chris

SRP Telecom SRP Telecom Presentation to the ATIC Board Presentation to the ATIC Board Chris

SRP Telecom SRP Telecom Presentation to the ATIC Board Presentation to the ATIC Board Chris Forsyth Chris Forsyth March 8, 2006 March 8, 2006 Agenda Agenda Wireless Division Overview Wireline Division Overview SRP &amp; SRP

526 views • 24 slides
Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering autom ated reverse engineering Erik Poll Erik Poll Radboud University Nijmegen Testing Ingredients T ti I di t Two things are needed to test

865 views • 53 slides
Aut utom omat atic ic Cor orrecti ection on of of Adv dver erb Pl Plac acem emen ent

Aut utom omat atic ic Cor orrecti ection on of of Adv dver erb Pl Plac acem emen ent

Aut utom omat atic ic Cor orrecti ection on of of Adv dver erb Pl Plac acem emen ent t Er Error ors s for or CAL ALL Marie Garnier CAS/IRIT, Universit de Toulouse, France EuroCALL 2012, 22-25 August, Gothenburg Background

573 views • 22 slides
Cyber Security support to the HumanDrive Project th Dec 2018 13 th 13 SBD Autom omot otive ve

Cyber Security support to the HumanDrive Project th Dec 2018 13 th 13 SBD Autom omot otive ve

Cyber Security support to the HumanDrive Project th Dec 2018 13 th 13 SBD Autom omot otive ve Ltd Busin iness Develo lopm pment nt Manager Luigi i Bisbig iglia Grand Drive will be an end -to-end journey of around 200 miles

428 views • 15 slides
Observations of High Energy Cosmic Ray Electrons by the ATIC Balloon Experiment J. Isbert 1 , J.

Observations of High Energy Cosmic Ray Electrons by the ATIC Balloon Experiment J. Isbert 1 , J.

Observations of High Energy Cosmic Ray Electrons by the ATIC Balloon Experiment J. Isbert 1 , J. Chang 5,6 , J.H. Adams Jr 2 , H.S. Ahn 3 , G.L. Bashindzhagyan 4 , M. Christl 2 , T.G. Guzik 1 , Y.Hu 6 , K.C. Kim 3 , E.N. Kuznetsov 4 , M.I. Panasyuk

557 views • 17 slides
Pancreat atic ic C Canc ncer Beyond F FOLF LFIR IRINO INOX: Novel St Strat ategies f

Pancreat atic ic C Canc ncer Beyond F FOLF LFIR IRINO INOX: Novel St Strat ategies f

Pancreat atic ic C Canc ncer Beyond F FOLF LFIR IRINO INOX: Novel St Strat ategies f for or Sy Systemic Dis Diseas ase ISGIO 2019 Davendra P. S. Sohal, MD, MPH Associate Professor, Hematology/Oncology Director of Experimental

575 views • 18 slides
Re Recent nt trends nds in n Aut Autom omated ed Machi chine ne Le Lear arni ning ng

Re Recent nt trends nds in n Aut Autom omated ed Machi chine ne Le Lear arni ning ng

Re Recent nt trends nds in n Aut Autom omated ed Machi chine ne Le Lear arni ning ng (AutoML) L) Su Summer r semester r 201 019 Ti Tim Meinhardt rdt and d Pro rof. Dr. r. Laura ra Leal-Ta Taix Ou Outline ne What

830 views • 18 slides
PER PERFO FORM RMANCE AUT ANCE AUTOM OMOBILI OBILITY TY DEEP P LEARNING ING MEETS TS

PER PERFO FORM RMANCE AUT ANCE AUTOM OMOBILI OBILITY TY DEEP P LEARNING ING MEETS TS

PER PERFO FORM RMANCE AUT ANCE AUTOM OMOBILI OBILITY TY DEEP P LEARNING ING MEETS TS MOTO OTORSP SPOR ORTS TS AT ROBORA RACE E NVIDIA IDIA GLOBA BAL L TECHNOL HNOLOG OGY Y CONFE FERE RENCE NCE SILCON N VALLLE LEY, Y,

494 views • 8 slides
Beyond RPA: Impact of AI for End- User Application &amp; Device Support Sam Gross, Founder &amp;

Beyond RPA: Impact of AI for End- User Application &amp; Device Support Sam Gross, Founder &amp;

Beyond RPA: Impact of AI for End- User Application &amp; Device Support Sam Gross, Founder &amp; CEO, ChoiceWORX Definitions: RP RPA Au Autom omation on v vs. In Intel elligen ent Au Autom omation on RPA Automation - Smart software

815 views • 13 slides
Detection of neutral particles detection of neutrons detection of neutrinons detection of low

Detection of neutral particles detection of neutrons detection of neutrinons detection of low

Detection of neutral particles detection of neutrons detection of neutrinons detection of low energy photons (detection of high energy photons calorimeters) Peter Krizan, Neutron and neutrino detection Detection of neutral particles

1.21k views • 67 slides
Polyarom atic hydrocarbons ( PAHs) John W atterson ( w ith thanks to Peter Colem an, Chris

Polyarom atic hydrocarbons ( PAHs) John W atterson ( w ith thanks to Peter Colem an, Chris

Polyarom atic hydrocarbons ( PAHs) John W atterson ( w ith thanks to Peter Colem an, Chris Conolly, Mike W oodfield, Chris Dore and Geoff Dollard) W hats in this presentation What are PAHs EU Directive UK position

677 views • 29 slides
A P A Program m atic Approach ti A h to Debt Managem ent g Capacity Building in LI Cs

A P A Program m atic Approach ti A h to Debt Managem ent g Capacity Building in LI Cs

A P A Program m atic Approach ti A h to Debt Managem ent g Capacity Building in LI Cs Sudarshan Gooptu Sudarshan Gooptu Sector Manager, Economic Policy and Debt Department (PRMED) The World Bank October 26, 2010. 1 Outline Outline I

423 views • 19 slides

More recommend