StreamWorks: A System for Real-Time Graph Pattern Matching on Network Traffic
George Chin, Sutanay Choudhury and Khushbu Agarwal
Pacific Northwest National Laboratory
January 21, 2015
Unclassified
Emerging Graph Patterns
Goal: detect and identify precursor events and patterns as they emerge in complex networks, so that events or threats may be mitigated or acted upon before they are fully realized.
- Capture the evolution of critical graph patterns
- Devise an optimal search strategy to identify an emerging pattern
- Consider cases where the target subgraph patterns may or may not be known
Subgraph pattern matching is a well-studied NP-hard problem. There is some work on scalable algorithms, but limited work on subgraph matching in dynamic networks.
Application areas:
- Computer network intrusions and threats
- Social media and network analysis
- Financial and stock market analysis
- Distributed sensor networks
Emerging Graph Pattern Algorithm in Action
[Figure, animated over ten slides: a Subgraph Join Tree for a query pattern over Host, DNS Server and Web Server vertices is matched against a data graph that grows as traffic arrives. Vertices Maple, Alder, Pine, Oak, Cedar and Birch are Hosts, Goliath is a DNS Server and Trout is a Web Server; the levels of the join tree report partial matches at 33%, 67% and 100% completion.]
Detecting Emerging Cyber Attacks
- Developing the emerging subgraph pattern algorithm in a package we call StreamWorks to detect cyber intrusions and attacks in computer network traffic
- Constructing a set of cyber attack graph patterns related to network scans, reflector attacks, flood attacks, viruses, worms, etc., in collaboration with PNNL cybersecurity analysts
- Utilizing anonymized internet trace data curated by CAIDA (The Cooperative Association for Internet Data Analysis) at SDSC/UCSD and simulated intrusion detection datasets from the University of New Brunswick's Information Security Centre of Excellence
Witty Worm
[Figure: star-shaped attack pattern. One Host sends packets with 796 <= Packet Len <= 1307 to Port 4000 on many other Hosts.]
- Internet worm that began to spread on March 19, 2004
- Targeted a buffer overflow vulnerability in Internet Security Systems (ISS) products
- Payload contained the phrase "(^.^) insert witty message here (^.^)"
- Attacked port 4000 with packets of sizes between 796 and 1307
Distributed Denial-of-Service: Smurf Attack
[Figure: Hacker sends an ICMP Echo Request to a Router (broadcast address); the Router delivers ICMP Echo Requests to intermediate Hosts; each Host sends an ICMP Echo Reply to the Victim.]
- Attacker sends packets to a broadcast IP address with the spoofed source address of the victim
- Packets are delivered to intermediate hosts
- Intermediate hosts reply to the return address, which is the victim's
Distributed Denial-of-Service: DNS Amplification Attack
[Figure: Zombies send DNS Queries to DNS Servers; each DNS Server sends DNS Query Response | ICMP Dest Unreachable | Frag IP Address packets to the Victim.]
- Agents or zombies generate a large number of DNS requests with a spoofed source address
- DNS servers send 3 different types of responses to the victim: DNS Query Response, ICMP Dest Unreachable, Frag IP Address
- DNS response packets may be significantly larger than DNS request packets
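The Witty Worm and DNS Amplification slides both describe star-shaped subgraph patterns: Witty is a fan-out (one host, many destinations, with an edge predicate on port and packet length), DNS amplification is a fan-in (many DNS servers, one victim, with an edge predicate on the response type). The following is an added example, not StreamWorks code, showing one star matcher that serves both patterns and a byte-count check for the amplification claim. The Packet fields, the `kind` labels, the host names and the minimum-leaf threshold of 3 are constructed assumptions for the demo, as is the sample traffic.

```python
"""Star-shaped attack patterns over packet records (added example, not
StreamWorks code).  One matcher covers both the Witty worm fan-out and the
DNS amplification fan-in described on the slides."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    time: int
    src: str
    dst: str
    dport: int      # 0 where no port applies (ICMP, fragments); constructed convention
    length: int
    kind: str       # constructed label: dns_query, dns_response, icmp_unreach, frag, data


@dataclass(frozen=True)
class StarPattern:
    name: str
    edge_ok: Callable[[Packet], bool]   # attribute predicate on a single edge
    centre_is_src: bool                 # True: fan-out from source; False: fan-in to destination
    min_leaves: int                     # distinct leaves required before reporting (assumed 3)


# Witty slide: port 4000, 796 <= Packet Len <= 1307, one host to many hosts.
WITTY = StarPattern("witty-worm",
                    lambda p: p.dport == 4000 and 796 <= p.length <= 1307, True, 3)
# DNS amplification slide: three response types from many servers to one victim.
DNS_AMP = StarPattern("dns-amplification",
                      lambda p: p.kind in {"dns_response", "icmp_unreach", "frag"}, False, 3)


def match_star(packets: List[Packet], pattern: StarPattern) -> Dict[str, List[str]]:
    """Return centre vertex -> sorted leaves for every star that reaches min_leaves."""
    leaves = defaultdict(set)
    for p in packets:
        if pattern.edge_ok(p):
            centre, leaf = (p.src, p.dst) if pattern.centre_is_src else (p.dst, p.src)
            leaves[centre].add(leaf)
    return {c: sorted(ls) for c, ls in leaves.items() if len(ls) >= pattern.min_leaves}


def amplification_bytes(packets: List[Packet], victim: str) -> Tuple[int, int]:
    """Bytes of response-type traffic received by victim versus bytes of DNS
    queries carrying victim as source (the spoofed requests the zombies sent)."""
    received = sum(p.length for p in packets if p.dst == victim and DNS_AMP.edge_ok(p))
    sent = sum(p.length for p in packets if p.src == victim and p.kind == "dns_query")
    return received, sent


# Constructed sample traffic: one benign lookup, a Witty-style fan-out with
# two decoys, and a DNS amplification fan-in against 10.0.0.99.
SAMPLE_PACKETS: List[Packet] = [
    Packet(1, "10.0.0.5", "10.0.0.8", 53, 70, "dns_query"),
    Packet(2, "10.0.0.8", "10.0.0.5", 33000, 120, "dns_response"),
    *[Packet(3 + i, "10.0.0.7", f"10.0.1.{i + 1}", 4000, 1024, "data") for i in range(5)],
    Packet(8, "10.0.0.7", "10.0.1.6", 4000, 500, "data"),    # length out of range: not counted
    Packet(9, "10.0.0.3", "10.0.1.1", 4000, 900, "data"),    # single target: below threshold
    Packet(10, "10.0.0.99", "ns1", 53, 64, "dns_query"),      # zombie queries, spoofed src = victim
    Packet(11, "10.0.0.99", "ns2", 53, 64, "dns_query"),
    Packet(12, "10.0.0.99", "ns3", 53, 64, "dns_query"),
    Packet(13, "ns1", "10.0.0.99", 0, 3000, "dns_response"),  # the three response types
    Packet(14, "ns1", "10.0.0.99", 0, 1480, "frag"),
    Packet(15, "ns2", "10.0.0.99", 0, 56, "icmp_unreach"),
    Packet(16, "ns3", "10.0.0.99", 0, 1480, "frag"),
]


def witty_hits() -> Dict[str, List[str]]:
    return match_star(SAMPLE_PACKETS, WITTY)


def dns_amp_hits() -> Dict[str, List[str]]:
    return match_star(SAMPLE_PACKETS, DNS_AMP)


if __name__ == "__main__":
    print("witty fan-out:", witty_hits())
    print("dns amplification fan-in:", dns_amp_hits())
    received, sent = amplification_bytes(SAMPLE_PACKETS, "10.0.0.99")
    print(f"victim received {received} bytes for {sent} bytes of queries "
          f"(x{received / sent:.1f})")
```

The 500-byte packet and the single-target sender are there to show that the edge predicate and the leaf threshold each reject something; in a streaming deployment the leaf sets would additionally be bounded by a time window, which this example omits.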
Subgraph Join Tree for DDoS Smurf Attack
[Figure, left: the Smurf cyberattack pattern (Hacker -> Router -> Hosts -> Victim with ICMP Echo Request and ICMP Echo Reply edges; the Router is labelled Broadcast Address). Figure, right: the breadth-first Subgraph Join Tree for the pattern, with temporal constraints Time < E1 through Time < E4 on the joins and match-completion levels of 14%, 43%, 86% and 100%.]
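The "Algorithm in Action" slides and the Smurf join tree above both show the same idea: partial matches of a query graph are extended as edges arrive, and each partial match carries a completion percentage. The following is an added example, not StreamWorks code, that implements a streaming matcher for the Smurf query with the slide's temporal constraints. It joins one data edge at a time, which is a degenerate (left-deep) join tree rather than the breadth-first SJT drawn on the slide, so intermediate levels such as 29% and 57% appear in addition to the slide's 14/43/86/100. The seven-edge query with three intermediate hosts, the ordering constraints and the vertex names in the sample stream are constructed assumptions.

```python
"""Streaming subgraph matching with partial-match tracking (added example,
not StreamWorks code).  Data edges arrive in time order; partial matches of
the query are extended edge by edge and reported with their completion."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Edge:
    time: int
    src: str
    dst: str
    label: str


@dataclass(frozen=True)
class PartialMatch:
    binding: Tuple[Tuple[str, str], ...]    # (query variable, data vertex) pairs
    matched: Tuple[Tuple[int, Edge], ...]   # (query edge index, data edge) pairs


# Smurf query as drawn on the slide: hacker -> router (broadcast address),
# router -> three intermediate hosts, each host -> victim.  Seven edges, so
# one matched edge is 14% and six are 86%, the levels printed on the slide.
SMURF_QUERY: List[Tuple[str, str, str]] = [
    ("Hacker", "Router", "ICMP Echo Request"),   # q0
    ("Router", "Host1", "ICMP Echo Request"),    # q1
    ("Router", "Host2", "ICMP Echo Request"),    # q2
    ("Router", "Host3", "ICMP Echo Request"),    # q3
    ("Host1", "Victim", "ICMP Echo Reply"),      # q4
    ("Host2", "Victim", "ICMP Echo Reply"),      # q5
    ("Host3", "Victim", "ICMP Echo Reply"),      # q6
]
# Temporal constraints ("Time < E" on the slide): query edge i precedes edge j.
SMURF_ORDER: List[Tuple[int, int]] = [(0, 1), (0, 2), (0, 3), (1, 4), (2, 5), (3, 6)]


class StreamingMatcher:
    def __init__(self, query: List[Tuple[str, str, str]], order: List[Tuple[int, int]]):
        self.query = query
        self.order = order
        self.partials: Set[PartialMatch] = {PartialMatch((), ())}   # starts with the empty match
        self.complete: Set[FrozenSet[Edge]] = set()                 # distinct fully matched subgraphs

    def _extend(self, pm: PartialMatch, q: int, e: Edge) -> Optional[PartialMatch]:
        """Try to use data edge e as query edge q in partial match pm."""
        qsrc, qdst, qlabel = self.query[q]
        matched = dict(pm.matched)
        if qlabel != e.label or q in matched or e in matched.values():
            return None
        # Every query edge that must precede q is already matched and strictly
        # earlier; in a time-ordered stream a missing predecessor cannot arrive later.
        for i, j in self.order:
            if j == q and (i not in matched or matched[i].time >= e.time):
                return None
        binding = dict(pm.binding)
        inverse = {v: k for k, v in binding.items()}
        for var, vertex in ((qsrc, e.src), (qdst, e.dst)):
            if binding.get(var, vertex) != vertex:
                return None          # variable already bound to a different vertex
            if var not in binding and vertex in inverse:
                return None          # vertex already taken by another variable (injective match)
            binding[var] = vertex
            inverse[vertex] = var
        matched[q] = e
        return PartialMatch(tuple(sorted(binding.items())),
                            tuple(sorted(matched.items(), key=lambda kv: kv[0])))

    def process(self, e: Edge) -> List[PartialMatch]:
        """Feed one data edge; return the partial matches it created or extended."""
        created = []
        for pm in list(self.partials):
            for q in range(len(self.query)):
                ext = self._extend(pm, q, e)
                if ext is None or ext in self.partials:
                    continue
                self.partials.add(ext)
                created.append(ext)
                if len(ext.matched) == len(self.query):
                    self.complete.add(frozenset(edge for _, edge in ext.matched))
        return created

    def completion(self, pm: PartialMatch) -> int:
        """Percentage of query edges matched, as printed on the slide's join tree."""
        return round(100 * len(pm.matched) / len(self.query))


# Constructed stream: a Smurf attack interleaved with a benign ping exchange
# (host-e/host-f) and an unrelated reply from host-d that never completes.
SMURF_STREAM: List[Edge] = [
    Edge(1, "hacker", "router", "ICMP Echo Request"),
    Edge(2, "router", "host-a", "ICMP Echo Request"),
    Edge(3, "router", "host-b", "ICMP Echo Request"),
    Edge(4, "host-e", "host-f", "ICMP Echo Request"),
    Edge(5, "host-f", "host-e", "ICMP Echo Reply"),
    Edge(6, "router", "host-c", "ICMP Echo Request"),
    Edge(7, "host-a", "victim", "ICMP Echo Reply"),
    Edge(8, "host-b", "victim", "ICMP Echo Reply"),
    Edge(9, "host-d", "victim", "ICMP Echo Reply"),
    Edge(10, "host-c", "victim", "ICMP Echo Reply"),
]


def run_stream(stream: List[Edge], query=SMURF_QUERY, order=SMURF_ORDER):
    """Return [(time, best completion % reached by this edge)] and the matcher."""
    matcher = StreamingMatcher(query, order)
    progress = []
    for e in stream:
        created = matcher.process(e)
        progress.append((e.time, max((matcher.completion(pm) for pm in created), default=0)))
    return progress, matcher


if __name__ == "__main__":
    progress, matcher = run_stream(SMURF_STREAM)
    for t, pct in progress:
        print(f"t={t:2d}: best new partial match at {pct}%")
    print(f"{len(matcher.complete)} distinct complete Smurf subgraph(s)")
```

The three Host variables are interchangeable, so the matcher builds the same subgraph under several variable permutations; `complete` is keyed by the set of data edges so the analyst sees one alert per attack, not one per permutation. Partial matches are never expired here; a deployment would drop those older than a window.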
DDoS Smurf Attack Query
[Figure: the breadth-first SJT for the Smurf query (the same tree as the previous slide), shown at demo timestamps 48:06, 51:39 and 53:11.]