NetFlow Analysis: Detecting covert channels on the network (slide deck)



  1. NetFlow Analysis: Detecting covert channels on the network
     Detecting malicious traffic by using NetFlow data
     By: Joey Dreijer, Student OS3/UvA
     5-07-14

  2. Gathering NetFlow data
      Router/switch sends flow stats to an external collector
      Collector receives and stores flow details
      Parser/interface reads flows from the collector dump
     [Diagram: traffic generated by hosts → switch/router exports NetFlow packet(s) → collector; a console reads the NetFlow dumps]

  3. NetFlow in short
      NetFlow data is not just a 'term': NetFlow (v9) is specified in RFC 3954
      NetFlow is commonly used from v5 and up
      NetFlow is standardized to send 'flow' characteristics: stats such as bytes, packet count, ports, session timer
      Implemented in different (multi-vendor) routers/switches
      Does not include packet content
      Request and response are two different flows
      Often used for network performance measurement

  4. Data required for research
      The NetFlow collector stored the following details (using v5):
       Source Address          Bytes sent
       Destination Address     Packets sent
       Source Port             Time
       Destination Port        (TCP Flags)
     Note: NetFlow v5 is dinosaur old. Use v9 or IPFIX instead for more stats.

  5. Data required for research
      Combining request/response to get the following data:
       Source Address          Bytes incoming
       Destination Address     Bytes outgoing
       Source Port             Packets incoming
       Destination Port        Packets outgoing
       (TCP Flags)             Average session time

  6. Collecting NetFlow data
      SoftFlowd sends NetFlow data to the collector (nfcapd). Optional: pcap file or interface as input
      NetFlow data is stored in binary format
      Format parsed by a Python wrapper around nfdump (custom patched pynfdump_altered)
     [Diagram: PCAP → SoftFlowd (converter) → nfcapd (collector) → NetFlow dump → Analyser (collection and analysis)]

  7. Initial protocol analysis
      Gathering 'known-good' traffic
      Generating 'known-bad' traffic
      Comparing differences / similarities
      Storing useful comparison data
     [Diagram: known-good and known-bad flows (In Bytes, Out Bytes, In Packets, Out Packets, Avg Time) feed a database that stores, for each destination port, the max/min values, averages and standard deviation of each metric]

  8. Comparing NetFlow data
      Traffic analysis: comparing 'real-time' binary (nfdump) data against stored (MySQL) statistics
      'Anomaly detection' based on selected metrics/profile
      Maximum range via standard deviation
      Note: only where possible. Not all traffic can be normalized
     [Diagram: NetFlow dump → Analyser ↔ Metrics/Statistics database]

  9. Detecting Tunnels / Covert Channels
      Example 1: DNS tunnels
      DNS may have 'normal behaviour'
      Does tunneling via DNS show abnormal statistics for metric x?
      Verify differentiation per metric
     [Chart: tunnel flows compared to +- 2 million DNS flows; the 'starting' DNS tunnel is not sending data yet]

  10. Detecting Tunnels / Covert Channels
      Previous DNS example done via anomaly detection
      Known-good (etc.) database used as reference
      Pre-defined profile (i.e. alert only if both packets and time mismatch by x):
        anomaly threshold = (max difference * standard deviation) + average
        If the current flow exceeds the threshold for packets (packetAnomaly) and for time (timeAnomaly):
            Generate alert
     [Chart: Packets Out vs Session Time]

  11. Detecting Tunnels / Covert Channels
      Why are multiple metrics important? (and/and policy)
      The NetFlow parser shows incorrect flows when there is much traffic
      True automated anomaly detection shows many FPs
      Example:
        10.10.0.2:50001 → 8.8.8.8:53   Packets: 4, time: 4001 seconds (....?)
        Actually 2 DNS requests at different times
        However, identical source port and destination let 'nfdump' think it is the same flow → results in a false positive
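The profile comparison of slide 8, the threshold rule of slide 10 and the and/and policy of slide 11, worked through in code. This is an added example, not code from the slides or from the author's pynfdump_altered tooling: it learns average and standard deviation of packets out and session time per destination port from constructed 'known-good' DNS flows, sets the threshold at average + max_difference * standard deviation, and alerts only when both metrics exceed it. The field names, the multiplier value (3) and every sample flow are assumptions; the 'merged lookups' candidate reproduces the 4-packet, 4001-second aggregation bug from slide 11.

```python
"""Baseline-and-threshold anomaly check over NetFlow-style records.

Added example, not code from the original slides. Builds the per-destination-port
profile the slides describe (average and standard deviation of packets out and
session time, learned from 'known-good' flows) and applies the and/and policy:
alert only when BOTH metrics exceed
    threshold = average + max_difference * standard_deviation
Field names, the multiplier value (3) and all sample flows are assumptions.
"""
import statistics
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    packets_out: int
    duration_s: float  # session time as the collector reports it


# Metrics the profile is built on; the slides use packets out and session time.
METRICS = ("packets_out", "duration_s")

# Constructed 'known-good' DNS flows: ordinary single lookups, occasionally one retry.
KNOWN_GOOD = [
    Flow("10.10.0.2", "8.8.8.8", 51001, 53, 1, 0.02),
    Flow("10.10.0.3", "8.8.8.8", 51002, 53, 1, 0.04),
    Flow("10.10.0.2", "8.8.4.4", 51003, 53, 1, 0.03),
    Flow("10.10.0.5", "8.8.8.8", 51004, 53, 2, 0.05),
    Flow("10.10.0.7", "8.8.8.8", 51005, 53, 1, 0.02),
    Flow("10.10.0.2", "8.8.8.8", 51006, 53, 1, 0.04),
    Flow("10.10.0.9", "8.8.4.4", 51007, 53, 2, 0.06),
    Flow("10.10.0.3", "8.8.8.8", 51008, 53, 1, 0.02),
]


def build_profile(flows, max_difference: float = 3.0) -> Dict[int, Dict[str, Dict[str, float]]]:
    """Per destination port and metric: average, standard deviation and alert threshold."""
    by_port: Dict[int, list] = {}
    for f in flows:
        by_port.setdefault(f.dport, []).append(f)
    profile = {}
    for port, group in by_port.items():
        entry = {}
        for metric in METRICS:
            values = [getattr(f, metric) for f in group]
            avg = statistics.mean(values)
            # A single sample has no spread; treat its deviation as zero (assumption).
            sd = statistics.stdev(values) if len(values) > 1 else 0.0
            entry[metric] = {"avg": avg, "stdev": sd, "threshold": avg + max_difference * sd}
        profile[port] = entry
    return profile


def evaluate(flow: Flow, profile, policy: str = "and") -> Optional[bool]:
    """True = alert, False = within profile, None = no baseline for this destination
    port (the slides' 'not all traffic can be normalized' case)."""
    if flow.dport not in profile:
        return None
    exceeded = [getattr(flow, m) > profile[flow.dport][m]["threshold"] for m in METRICS]
    # and/and: every metric must be anomalous; 'or' is included only for comparison.
    return all(exceeded) if policy == "and" else any(exceeded)


# Constructed flows to classify. 'merged lookups' reproduces the slide's false positive:
# two separate lookups with the same 5-tuple that nfdump aggregated into one 4001 s flow.
CANDIDATES = {
    "normal lookup": Flow("10.10.0.4", "8.8.8.8", 52000, 53, 2, 0.05),
    "slow retried lookup": Flow("10.10.0.4", "8.8.8.8", 52001, 53, 2, 5.0),
    "dns tunnel": Flow("10.10.0.6", "203.0.113.10", 52002, 53, 400, 120.0),
    "merged lookups": Flow("10.10.0.2", "8.8.8.8", 50001, 53, 4, 4001.0),
    "unprofiled port": Flow("10.10.0.2", "192.0.2.1", 52003, 443, 12, 3.0),
}


def run(policy: str = "and") -> Dict[str, Optional[bool]]:
    profile = build_profile(KNOWN_GOOD)
    return {name: evaluate(f, profile, policy) for name, f in CANDIDATES.items()}


if __name__ == "__main__":
    for policy in ("and", "or"):
        print(policy, run(policy))
```

With these numbers the and/and policy suppresses the slow retried lookup that an 'or' policy flags (only its session time is anomalous), while the tunnel fires on both metrics. The merged 4001-second flow still alerts under and/and, exactly the false positive slide 11 describes: both its metrics are genuinely out of profile, so the fix belongs in how flows are keyed and aggregated, not in the threshold.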

  12. Detecting Tunnels / Covert Channels
      Comparing with a realistic dataset: 17 million flows from GuestNet
      Literal flow dump, can contain 'malicious' flows (both bad and good traffic?)
      2 million DNS responses
      Results in 0.0005% hits based on combined metrics
      Includes the previous 'bug' with multiple sessions combined due to identical ports and destinations
      Uncertain whether actual tunnels are inside the dump

  13. Other uses
      Example 2: Nmap scan
      Aggregated NetFlow shows requests and responses
      NetFlow shows flows with no responses for filtered ports
      Probability that 'x' ports do not reply within 'y' amount of time, based on 'z' retries/packets

  14. Other uses
      Small problem with portscans....
      nfcapd holds a default 5 minute NetFlow cache
      Not all flows are stored after the cache timer: it waits for finished sessions before storing the flow
      Half-open TCP sessions will be cached until timeout
      Timeout can last 20 minutes depending on config
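The request/response pairing of slide 5 and the unanswered-port scan heuristic of slides 13 and 14, as an added example that is not part of the original deck or the author's tooling. It pairs unidirectional flows on the reversed 5-tuple into one bidirectional record (bytes and packets in/out), then, per source/destination pair, counts destination ports that never got a reply within a time window, using 'x' unanswered ports, 'y' seconds and 'z' packets per probe as the slide's parameters. The window is measured on exported flow start times rather than arrival order, because, as slide 14 notes, half-open sessions only reach the dump after the cache timeout. The threshold values, field names and all sample flows are assumptions.

```python
"""Pair request/response NetFlow records and flag port scans by unanswered ports.

Added example, not code from the original slides. Request and response arrive as
two unidirectional flows; they are paired on the reversed 5-tuple into one
bidirectional session, then probes with no reply are counted per src->dst pair
inside a window on flow start times. Thresholds and sample flows are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    start: float  # seconds since capture start
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    octets: int


@dataclass
class Session:
    start: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets_out: int = 0
    octets_out: int = 0
    packets_in: int = 0
    octets_in: int = 0

    @property
    def answered(self) -> bool:
        return self.packets_in > 0


def pair_flows(flows: List[Flow]) -> List[Session]:
    """Merge each flow with its reverse-direction flow. The initiator is the side whose
    flow starts first (assumption: v5 records carry no initiator flag). Flows sharing an
    identical 5-tuple are merged into one session, as nfdump does."""
    sessions: Dict[Tuple, Session] = {}
    for f in sorted(flows, key=lambda x: x.start):
        fwd = (f.src, f.dst, f.sport, f.dport, f.proto)
        rev = (f.dst, f.src, f.dport, f.sport, f.proto)
        if rev in sessions:  # response to a request seen earlier
            sessions[rev].packets_in += f.packets
            sessions[rev].octets_in += f.octets
        else:
            s = sessions.setdefault(fwd, Session(f.start, f.src, f.dst, f.sport, f.dport, f.proto))
            s.packets_out += f.packets
            s.octets_out += f.octets
    return list(sessions.values())


def detect_scans(sessions: List[Session], min_ports: int = 8, window_s: float = 60.0,
                 max_packets: int = 3) -> Dict[Tuple[str, str], List[int]]:
    """Return {(src, dst): unanswered ports} for pairs where at least `min_ports` distinct
    destination ports got no reply within `window_s` of the first probe, each probe being
    at most `max_packets` packets (SYN plus retransmits, no payload)."""
    probes: Dict[Tuple[str, str], List[Session]] = {}
    for s in sessions:
        if not s.answered and s.packets_out <= max_packets:
            probes.setdefault((s.src, s.dst), []).append(s)
    hits: Dict[Tuple[str, str], List[int]] = {}
    for pair, group in probes.items():
        group.sort(key=lambda s: s.start)
        for i, first in enumerate(group):  # slide a window starting at each probe
            ports = {s.dport for s in group[i:] if s.start - first.start <= window_s}
            if len(ports) >= min_ports:
                hits[pair] = sorted(ports)
                break
    return hits


# Constructed sample: 10.10.0.66 SYN-scans 12 ports on 10.10.0.100, only 22 and 80 answer;
# 10.10.0.2 holds a normal HTTPS session; 10.10.0.3 hits a single filtered port.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080]
SAMPLE_FLOWS = [
    Flow(1.0 + i * 0.1, "10.10.0.66", "10.10.0.100", 40000 + i, p, "tcp", 2, 120)
    for i, p in enumerate(SCAN_PORTS)
] + [
    Flow(1.15, "10.10.0.100", "10.10.0.66", 22, 40001, "tcp", 1, 60),     # SYN/ACK from 22
    Flow(1.45, "10.10.0.100", "10.10.0.66", 80, 40004, "tcp", 1, 60),     # SYN/ACK from 80
    Flow(5.0, "10.10.0.2", "10.10.0.100", 51000, 443, "tcp", 12, 2400),   # HTTPS request side
    Flow(5.02, "10.10.0.100", "10.10.0.2", 443, 51000, "tcp", 10, 9800),  # HTTPS response side
    Flow(9.0, "10.10.0.3", "10.10.0.100", 52000, 8443, "tcp", 3, 180),    # one filtered port
]


def run() -> Tuple[List[Session], Dict[Tuple[str, str], List[int]]]:
    sessions = pair_flows(SAMPLE_FLOWS)
    return sessions, detect_scans(sessions)


if __name__ == "__main__":
    sessions, hits = run()
    for s in sessions:
        state = "answered" if s.answered else "NO REPLY"
        print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} out={s.packets_out}p in={s.packets_in}p {state}")
    print("scan candidates:", hits)
```

The scanner is reported with its ten unanswered ports while the single filtered connection from 10.10.0.3 stays below the 'x' threshold. Because the unanswered probes are half-open TCP sessions, they appear in the nfcapd dump only after the cache timer or the configured timeout expires, so this check runs as a batch over exported flows and cannot be expected to fire in real time.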

  15. DEMO

  16. Conclusion
      NetFlow only sends a limited amount of information; it does not say anything about packet contents
      Fairly easy to detect 'well-known' and publicly available tunnels and scans
      Covert channels / tunnels are always possible; the attacker has all the time in the world
      Craft pingtunnel to send fixed-size packets every second to conform to the 'default' behaviour
