less is more with intelligent packet capture
play

Less is More with Intelligent Packet Capture RANDY CALDEJON FLOCON - PowerPoint PPT Presentation

Sep 12, 2023 •206 likes •581 views

Less is More with Intelligent Packet Capture RANDY CALDEJON FLOCON 2020 Objectives Consider merits of streaming analytics Expose to advanced open source tools Encourage to experiment with OpenArgus 2 2 Streaming Analytics

  1. Less is More with Intelligent Packet Capture RANDY CALDEJON FLOCON 2020

  2. Objectives • Consider merits of streaming analytics • Expose to advanced open source tools • Encourage to experiment with OpenArgus 2 2

  3. Streaming Analytics • Increase speed at the Edge • Reduce bandwidth • Local Resources 3 3

  4. DragonFly Design Goals = Machine Incremental Sustained Single Node Bolt-On Learning Updates Performance Architecture Mindset Analyzes data Receive updates before Maintains 20Gbps+, High-performance Integrate seamlessly as it arrives the flow is complete without a cluster with other security tools 4

  5. A Practical Application of DragonFly PCAP or it didn’t happen. 5 5

  6. 100% 80% High Cost Full Packet 60% 10Gbps Network Link Capture is 30 days ~$1.2M annually 40% Ground Truth; but… Low Signal to Noise 20% Forensically relevant network data is 0% a small fraction of total network data Packet Capture No Forensic Value Forensically Relevant Data Indicators of Compromise 6

  7. Typical Packet Capture Workflow: Retrospective Capture Record Filter Analyze 7

  8. Intelligent Packet Capture Capture Record Filter Analyze 8

  9. Intelligent Packet Capture: Real-Time Capture Analyze Filter Record 9

  10. Intelligent PCAP Using Machine Learning to Capture Packets with Forensic Value Ground truth – Full packet capture has long been viewed as the “ground truth” for activity on the network, allowing analysts to identify the source of security incidents. Intelligent Packet Capture Expensive – Despite its value, full packet capture is not used to its uses threat intelligence , $$ fullest extent because lengthy retention periods are cost prohibitive advanced analytics , and and retention only shrinks as bandwidth utilization increases. Machine Learning to decide in near real-time what to Alternatives Lack Payloads – Though valuable for portions of the security workflow, alternatives to PCAP such as Flow, and Application record. Metadata cannot provide the “ground truth” payload for irregular traffic. Combine forces – Intelligent packet capture combined with augmented flow provides a powerful combination that supports a data friendly log format plus the full packets for anomalous traffic. 10

  11. Intelligent PCAP PACKETS/S Performance Requirements EVENTS/S LOW LATENCY FEEDBACK LOOP 11

  12. Intelligent PCAP Open Source Framework Argus mlpack (extraction) (training) eBPF tcpdump (filtering) (recording) 12

  13. tcpdump -i eth0 -w /cache/pcap-%m-%d-%H-%M-%S \ -W 100 -G 300 –C 1000 13

  14. eBPF for Filtering User Space Kernel reject eBPF eBPF LLVM eBPF load Verifier program Clang bytecode JIT compiler register event config eBPF native code packet data maps 14

  15. eBPF Map struct bpf_map_def SEC("maps") watchlist = { .type = BPF_MAP_TYPE_PERCPU_HASH, .key_size = sizeof(u32), /* ipv4 address */ .value_size = sizeof(u64), /* counter/timeout */ .max_entries = 100000, .map_flags = BPF_F_NO_PREALLOC, } 15

  16. Mlpack for training Scoring Training mlpack lib Model 16

  17. mlpack splitting data 1 /usr/local/bin/mlpack_preprocess_split \ --input_file data/$filename.data.csv \ --input_labels_file data/$filename.labels.csv \ --training_file data/$filename.train.csv \ --training_labels_file data/$filename.train.labels.csv \ --test_file data/$filename.test.csv \ --test_labels_file data/$filename.test.labels.csv \ --test_ratio 0.3 \ --verbose 17

  18. mlpack generating model 2 / usr/local/bin/mlpack_random_forest \ --training_file data/$filename.data.csv \ --labels_file data/$filename.labels.csv \ --num_trees 10 \ --minimum_leaf_size 3 \ --print_training_accuracy \ --output_model_file model /$filename.eval-model.bin \ --verbose 18

  19. mlpack testing model /usr/local/bin/mlpack_random_forest \ 3 --input_model_file model /$filename.eval-model.bin \ --test_file data/$filename.test.csv \ --test_labels_file data/$filename.test.labels.csv \ --probabilities_file probs.csv \ --verbose 19

  20. • Scalable • Lightweight • Flexible • Extensible Version 2.0

  21. DragonFly MLE Analyzers Engine (embedded LUA JIT) Plugins 21

  22. Fast - C/C++ DragonFly Lightweight – Small Library Engine Scriptable – Embedded LUA JIT Easy – Arduino Programming Model 22

  23. DragonFly Scriptable Analyzers function M:setup() model = config[‘module.model’] rf = RandomForest.load(model) end function M:loop (event) …. rf:classify (event) end 23

  24. DragonFly Scriptable Analyzers function M:dns (event) …. rf:classify (event) end function M:tls (event) …. rf:classify (event) end 24

  25. DragonFly Plug-ins mlpack eBPF iptree Redis cuckoo filter 25

  26. Argus ra (client) Argus Radium ratop (client) (multiplexer) (flow meter) Real-time Per Flow Updates Ramle (client) 26

  27. Argus Real-Time Flow Meter Field Overview • IP Addresses • Total Bytes • Start time Flow • Ports • Total Packets • Duration • Protocol Flow Features • MAC, VLAN, MPLS, ICMP, Extended Flow • Flow details by direction • Payload TCP flags and options • Interpacket Arrival time • Connection statistics (FIN, • Connection Setup Times and Jitter RST, SYN, Window Packet • Load and Rates (bytes and • Dropped/retransmitted advertisements, Zero Dynamics packets per second) packet statistics windows) 100+ Features Computed • Producer/Consumer Ratio • Flow Active Runtime Packet Dynamic • Key Stroke Identification Statistics • App/Byte Ratio Statistics Features Derived Fields • Country Code • MAC Manufacturer (OUI) Record • Record Cause (Start, Status, • Unique Identifier (seq) • Record Type (“flow” or Management Stop, Close, Error) • Sensor ID “management”) 27

  28. Intelligent PCAP with raml • Based on Argus client (library) • Integrated with DragonFly (library) • Able to run an instance per core 28

  29. Intelligent PCAP with raml Argus raml mlpack 29

  30. raml: DGA Analyzer function M:loop (event) local v = features(event.domain, event.ttl) score = rf:classify (v) return score end 30

  31. raml: Threat Feed Analyzer function M:setup() file = config[‘ioc.filename’] iplist = iptree(file) end function M:loop (event) local daddr = event[‘daddr’] match = iplist.lookup (daddr) return match end 31

  32. Intelligent PCAP Solutions Argus raml mlpack br0 eth0 pcap0 tcpdump 32

  33. LESSONS LEARNED >14Mpps Performance >750Keps <50 msec 33

  34. Next Steps… • Complete POCs • Publish to GitHub https://github.com/counterflow-ai/dragonfly2 • Merge raml with Argus https://openargus.org/ • Explore additional use cases… 34 34

  35. • Threat Intelligence Triage Streaming Analytics Use Cases • Encrypted Traffic Analysis • Predictive Fault Detection 35 35

  36. Questions? RANDY CALDEJON rc@counterflowai.com https://github.com/counterflow-ai/dragonfly2

Recommend

Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS

Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS

Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS Embedded Packet Capture (EPC) delivers a powerful troubleshooting and tracing tool. The feature allows for network administrators to capture data

518 views • 24 slides
Outline Introduction: what is Motion Capture? History and Motion Capture technologies. Passive

Outline Introduction: what is Motion Capture? History and Motion Capture technologies. Passive

Motion Capture Introduzione e Sistemi attivi N. Alberto Borghese Laboratory of Applied Intelligent Systems (AIS-Lab) Department of Computer Science University of Milano Laboratory of Applied Intelligent Systems

494 views • 10 slides
How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet monitor? How to acquire the data Handling performance bottlenecks Case Study: Packet Capture Performance Analyzing the transport and

487 views • 37 slides
Network Network sniffing sniffing packet capture and analysis packet

Network Network sniffing sniffing packet capture and analysis packet

Network Network sniffing sniffing packet capture and analysis packet capture and analysis October 2, 2020 Administrative submittal instructions submittal instructions Administrative answer the lab

366 views • 17 slides
Hacking Hands on with wireless LAN routers, packet capture and wireless security Organised by

Hacking Hands on with wireless LAN routers, packet capture and wireless security Organised by

Free Technology Workshop Hacking Hands on with wireless LAN routers, packet capture and wireless security Organised by Steven Gordon Bangkadi 3 rd floor IT Lab 10:30-13:30 Friday 18 July 2014 http://ict.siit.tu.ac.th/moodle/ _______

795 views • 48 slides
dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. URL http://dnstap.info Documentation Presentations Tutorials Mailing list Downloads Code repositories

695 views • 42 slides
dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc. Unifying the Global Response to Cybercrime Credits &amp; More Info Design &amp; Implementation: Robert Edmonds &lt;edmonds@fsi.io&gt; Website:

786 views • 40 slides
Packet Capture in 10-Gigabit Ethernet Environments Using Contemporary Commodity Hardware Fabian

Packet Capture in 10-Gigabit Ethernet Environments Using Contemporary Commodity Hardware Fabian

Packet Capture in 10-Gigabit Ethernet Environments Using Contemporary Commodity Hardware Fabian Schneider J org Wallerich Anja Feldmann { fabian,joerg,anja } @net.t-labs.tu-berlin.de Technische Universtit at Berlin Deutsche Telekom

415 views • 25 slides
Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by:

Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by:

Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by: Chris Crawford (DoD) - @zachtenenbaum and @srini are TAs What is Packet Analysis? - Packet Analysis is the capture and interpretation of the

814 views • 22 slides
A Method to Compress and Anonymize Packet Traces Markus Peuhkuri 2001-11-02 Abstract Data

A Method to Compress and Anonymize Packet Traces Markus Peuhkuri 2001-11-02 Abstract Data

A Method to Compress and Anonymize Packet Traces Markus Peuhkuri 2001-11-02 Abstract Data volume and privacy issues are one of problems related to large-scale packet capture. Utilizing flow nature of

375 views • 3 slides
Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator developed by Dennis Frezzo and his team at Cisco Systems. Packet Tracer (PT) is a powerful and dynamic tool that displays the various protocols used in

419 views • 17 slides
Motion Capture Passive markers and video-based techniques N. Alberto Borghese Laboratory of

Motion Capture Passive markers and video-based techniques N. Alberto Borghese Laboratory of

Motion Capture Passive markers and video-based techniques N. Alberto Borghese Laboratory of Applied Intelligent Systems (AIS-Lab) Department of Computer Science University of Milano Laboratory of Applied Intelligent Systems

531 views • 30 slides
Scapy Bo Li What is Scapy Scapy is a packet manipulation tool for computer networks.

Scapy Bo Li What is Scapy Scapy is a packet manipulation tool for computer networks.

Scapy Bo Li What is Scapy Scapy is a packet manipulation tool for computer networks. forge or decode packets, send them on the wire, capture them, and match requests and replies Handle tasks scanning, tracerouting, probing, unit

144 views • 13 slides
Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox,

Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox,

Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox, Troy Hanson, Richard Lethin, Erik Mogus, Jordi Ros-Giralt, Alison Ryan, {cullen, ezick, fox, hanson, lethin, mogus, giralt, ryan}@reservoir.com

710 views • 31 slides
Lecture Capture Project Powered by Much more than Lecture Capture (Replacing Echo360)

Lecture Capture Project Powered by Much more than Lecture Capture (Replacing Echo360)

Lecture Capture Project Powered by Much more than Lecture Capture (Replacing Echo360) Capture content All timetabled Lectures will still be automatically scheduled for capture* and transferred to Bb site (Policy

293 views • 16 slides
Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer

Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer

03/11/2017 Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer to a radio for the transmission of digital data via amateur radio. It is another mode of operation that has a multitude of uses, such as

571 views • 17 slides
Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet Sniffer Packet sniffer is a basic tool for observing network packet exchanges in a computer Capturing (sniffs) packets being

485 views • 13 slides
Packet Information IMPORTANT LABEL ON RIGHT HAND SIDE OF PACKET Shoe, Gym 11111 (Student ID #)

Packet Information IMPORTANT LABEL ON RIGHT HAND SIDE OF PACKET Shoe, Gym 11111 (Student ID #)

Curriculum &amp; Activities Night Class of 2020 Packet Information IMPORTANT LABEL ON RIGHT HAND SIDE OF PACKET Shoe, Gym 11111 (Student ID #) Feeder School Name NEON GREEN sticker on front of packet = MISSING EXPLORE Appointment date

99 views • 6 slides
Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How

Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How

Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How to authenticate a data packet containing the electricity usage of a room at certain time? Data is signed, but how to verify the signature?

224 views • 19 slides
Modelling of Packet Loss in an Asynchronous Packet Switch using PEPA Wim Vanderbauwhede

Modelling of Packet Loss in an Asynchronous Packet Switch using PEPA Wim Vanderbauwhede

Modelling of Packet Loss in an Asynchronous Packet Switch using PEPA Wim Vanderbauwhede Department of Computing Science University of Glasgow September 6, 2005- WV 1 Overview Asynchronous Packet Switch Building the PEPA Model

658 views • 26 slides
Lecture Capture Introduction to Lecture Capture Learning Outcomes What will lecture capture

Lecture Capture Introduction to Lecture Capture Learning Outcomes What will lecture capture

ISDS &amp; Digital Business Skills Lecture Capture Introduction to Lecture Capture Learning Outcomes What will lecture capture actually do? What happens before a lecture? What happens during a lecture? What does the button do?

527 views • 18 slides
CO 2 and SO 2 co-capture in a circulating fluidized bed carbonator reactor of CaO&quot; B.

CO 2 and SO 2 co-capture in a circulating fluidized bed carbonator reactor of CaO&quot; B.

CO 2 and SO 2 co-capture in a circulating fluidized bed carbonator reactor of CaO&quot; B. Arias, J.M. Cordero, M. Alonso, J.C. Abanades CO 2 Capture Group National Institute of Coal (INCAR-CSIC) Trondheim CO 2 Capture, Transport and Storage

456 views • 13 slides
Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University Course: Cyber

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University Course: Cyber

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University Course: Cyber Security Practice 1 Packet Sniffer Packet sniffer is a basic tool for observing network packet exchanges in a computer Capturing (sniffs)

593 views • 14 slides
Wireshark Tutorial Chris Neasbitt UGA Dept. of Computer Science Contents Introduction

Wireshark Tutorial Chris Neasbitt UGA Dept. of Computer Science Contents Introduction

Wireshark Tutorial Chris Neasbitt UGA Dept. of Computer Science Contents Introduction What is a network trace? What is Wireshark? Basic UI Some of the most useful parts of the UI. Packet Capture How do we capture

1.05k views • 27 slides

More recommend