collecting and analysing traffic profiles within a
play

Collecting and Analysing Traffic Profiles within a Commercial - PowerPoint PPT Presentation

Collecting and Analysing Traffic Profiles within a Commercial Network Prof. D. J. Parish P. Sandford High Speed Networks Group Loughborough University Presentation Summary Overview of the Detecting and Preventing Criminal Activities on


  1. Collecting and Analysing Traffic Profiles within a Commercial Network Prof. D. J. Parish P. Sandford High Speed Networks Group Loughborough University

  2. Presentation Summary � Overview of the ‘Detecting and Preventing Criminal Activities on the Internet’ project � Discussion of Architecture � Example Network Patterns and Anomalies

  3. Overview of the Network Abuse Detection Project � EPSRC Funded � Partnered by NTL, CESG and SPSS � 3 Years, starting April 2004

  4. Project Objectives � Identify illegal activity inside the network core � Sometimes Necessary � Some prevention best done here � Use statistical traffic summaries of headers to identify anomalies � Processing Overhead � High Throughput � No user data � Cheap Equipment

  5. Approach Summary � Anomaly Based � Describing Normality � Classifying Deviation � DataMining � Identify Relationships � Update view of normality

  6. Approach Summary (Cont.) Loughborough Controller Gatherer Gatherer Broadband Broadband Network Network Gatherer Gatherer Broadband Central Broadband Network Processor Network Gatherer Gatherer Broadband Broadband Network Network

  7. Current Status � Hardware/Basic software installed � 6 Monitored PoPs � 1 Data-Mining Engine � Control from Loughborough/NTL � Modules In Place For � Summary Gathering � Base lining data � Simple Signature Detection � Basic Alerting � Outgoing spam email detection

  8. PoP Software Summary Shared Capture Memory Signature Process Block 1 Detection & & Shared Statistic Summary Memory Gatherer Generator Block 2 Kernel Space

  9. PoP Software Summary � Fast Packet Processing � Purely Counter Increments � Pseudo Real-Time Statistics � Processing Time Constant � Variable Statistic Window Size

  10. Note on Capture Interfaces � Dealing With Interrupts � Poll � Buffer � Context Switching � Memory Mapping

  11. Signature Detection Without Data TCP Header Checksum TCP Original Payload TCP Checksum TCP Header Checksum TCP Known Payload New Checksum

  12. Data Mining - Example � TTL Field � Initially Thought to be Limited Use � Data Mining Highlighted TTL in Lab Tests

  13. Data Mining - Example � TTL Field � Default Values (Depending on OS) � Consistent by Default � Can be used to Identify Spoofing � Shows Daily Pattern (Windows / Linux, File Sharing / Web Browsing)

  14. Patterns � Data Rates � Port Numbers (Applications) � An Anomaly Example

  15. Data Rates

  16. Data Rates (Cont.) � Time of Day Variation � Peak Times � Late evening (8pm) � Low Times � Early Morning (5am)

  17. Model of Data Rate 600 MBit Data Rate 400 MBit 200 MBit Day 0 Day 20 Time

  18. Port Numbers Percentage of All Packets Common Port Application June 05 January 05 80 HTTP 8.8% 6.5% 6346 Gnutella 7.9% 4.893% 4662 eMule 6.4% 10.269% 119 NNTP / UseNet 5.9% 5.3% 6881 BitTorrent 4.1% 3.55% 6699 WinMX 2.3% 7.178% Gnutella 6348 (Secondary 0.1% 0.01% Port)

  19. Port Numbers (Cont.)

  20. Anomaly Example

  21. Anomaly Example – Data Rate

  22. Anomaly Example – Average Packet Size

  23. Anomaly Example – TCP Packet Count

  24. Anomaly Example – Destination Count

  25. Anomaly Example – FIN Count

  26. Anomaly Example – Ack Count

  27. Anomaly - Conclusion � Large Traffic Amounts � Synchronised � TCP from many sources � Small number of destinations � FIN/ACK Packets

  28. Anomaly TTL

  29. Anomaly TTL - 63

  30. Summary � System in Place � Monitoring High Data Rates � Modelling Network Patterns � Discovering Deviations from ‘Normal’ � Architecture Design � Scalable � Functional

  31. Future Work � Cross-site Correlation � Automated Alerting � Investigation of Mitigation Techniques

  32. Questions

Recommend


More recommend