Page 1: Summarizing Network Security Data (presentation includes notes)

© 2002 The MITRE Corporation. All rights reserved.

Summarizing Network Security Data

(presentation includes notes)

Dave DeBarr

[email protected]

December 9, 2002

Page 2: Overview

Network Layout

Event Descriptions

OLAP Support

Meta-Session Aggregations

Scan Detection (a sample application)

Frequent Meta-Sessions

Infrequent Meta-Session Groupings

Cluster Analysis

Page 3: ACME Corporate Network Layout

Page 4: Event Descriptions

ATTRIBUTE NAME                 POSSIBLE VALUES
Sensor_Location                Internet, DMZ, Intranet
Sensor_Type                    NIDS, Firewall, Logger
Priority                       { 1, 2, 3, 4 } [1 is highest]
Start_Time                     Year-Month-Day Hour:Minute:Second
End_Time                       Year-Month-Day Hour:Minute:Second
Protocol                       Internet Control Message Protocol (ICMP),
                               Transmission Control Protocol (TCP),
                               User Datagram Protocol (UDP), Other
Source_Address                 Internet Protocol (IP) Address { 0, 1, ..., 4294967295 }
Destination_Address            IP Address { 0, 1, ..., 4294967295 }
Source_Port_or_ICMP_Type       { 0, 1, ..., 65535 } or { 0, 1, ..., 255 }
Destination_Port_or_ICMP_Type  { 0, 1, ..., 65535 } or { 0, 1, ..., 255 }
Event_Name                     <NIDS_Signature>, Drop, Reject, TCP connect, UDP exchange
Additional_Information         <Signature Class>, <Firewall Rule>, <TCP Flags>, <Packet Count>

Page 5: Derived Attributes

DERIVED ATTRIBUTE  POSSIBLE VALUES
Source_Zone        Internet, DMZ, Intranet
Destination_Zone   Internet, DMZ, Intranet
Source_Port        “Common” or “Not Common”
Destination_Port   “Common” or “Not Common”

COMMON PORTS

TCP/7     Echo                 UDP/7       Echo
TCP/19    Char Gen             UDP/19      Char Gen
TCP/20    FTP Data             UDP/37      Time
TCP/21    FTP Control          UDP/53      DNS
TCP/22    SSH                  UDP/67      BootP Server
TCP/23    Telnet               UDP/68      BootP Client
TCP/25    SMTP                 UDP/69      TFTP
TCP/53    DNS                  UDP/137     NetBIOS Name
TCP/79    Finger               UDP/138     NetBIOS Datagram
TCP/80    HTTP                 UDP/161     SNMP
TCP/110   POP3                 UDP/162     SNMP Trap
TCP/111   RPC                  UDP/500     ISAKMP
TCP/119   NNTP                 UDP/514     Syslog
TCP/139   NetBIOS Session      UDP/520     RIP
TCP/143   IMAP                 UDP/33434   TraceRoute
TCP/179   BGP
TCP/389   LDAP
TCP/443   HTTPS
TCP/445   Microsoft Domain
TCP/1080  Socks Proxy

Page 6: OLAP Visualization Example

Page 7: Meta-Session Aggregations

Raw events (one row per record):

Time              Priority  Sensor  Src IP              Dst IP         Protocol  Dst Port  Event
MM/DD/2002 07:49  3         Logger  Internet X.X.X.130  DMZ Y.Y.Y.4    TCP       53        TCP connect
...               ...       ...     ...                 ...            ...       ...       ...
MM/DD/2002 07:54  2         NIDS    Internet X.X.X.130  DMZ Y.Y.Y.242  UDP       53        DNS named version attempt
MM/DD/2002 07:54  2         NIDS    Internet X.X.X.130  DMZ Y.Y.Y.242  UDP       53        DNS named iquery attempt
MM/DD/2002 07:54  2         NIDS    Internet X.X.X.130  DMZ Y.Y.Y.242  UDP       53        RPC EXPLOIT statdx
...               ...       ...     ...                 ...            ...       ...       ...

Meta-session summary (the 446 records above rolled up into one row):

Src IP:         Internet X.X.X.130
Time:           MM/DD/2002 07:49 – 07:54
Count Records:  446
Dst IP:         DMZ Y.Y.Y.0 – Y.Y.Y.254
Count Dst IP:   255
Events [ Count Pri : Event : Proto/Port(s) ]:
    4  1:RPC EXPLOIT statdx:UDP/53
    6  2:DNS named iquery attempt:UDP/53
    8  2:DNS named version attempt:UDP/53
  428  3:TCP connect:TCP/53
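The derived attributes on page 5 (zone and common-port classification) and the roll-up on this page can be implemented as one small aggregation step over the raw event records. The Python below is an added example, not code from the presentation or from MITRE: the zone address prefixes, the 5-minute idle gap used to split one source's events into separate meta-sessions, the record field names and the sample events are all constructed assumptions.

```python
"""Derive zone / common-port attributes and roll raw events up into meta-sessions.

Added example (not from the presentation). Zone prefixes, the 5-minute
idle gap that separates meta-sessions, and the sample events are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed zone layout: anything not in a listed prefix is treated as Internet.
ZONES = {"DMZ": ip_network("192.0.2.0/24"), "Intranet": ip_network("10.0.0.0/8")}

# "Common" ports, taken from the Common Ports table on page 5.
COMMON_PORTS = {
    ("TCP", p) for p in (7, 19, 20, 21, 22, 23, 25, 53, 79, 80, 110, 111, 119,
                         139, 143, 179, 389, 443, 445, 1080)
} | {
    ("UDP", p) for p in (7, 19, 37, 53, 67, 68, 69, 137, 138, 161, 162, 500,
                         514, 520, 33434)
}


def zone_of(addr):
    """Source_Zone / Destination_Zone derived attribute."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "Internet"


def port_class(proto, port):
    """Source_Port / Destination_Port derived attribute."""
    return "Common" if (proto, port) in COMMON_PORTS else "Not Common"


def summarize(src, evs):
    """Collapse one source's run of events into a meta-session summary row."""
    dsts = sorted({e["dst"] for e in evs}, key=ip_address)
    # Events column: count of each "Pri:Event:Proto/Port" combination
    counts = Counter(f'{e["priority"]}:{e["event"]}:{e["proto"]}/{e["dport"]}'
                     for e in evs)
    return {
        "src_zone": zone_of(src), "src": src,
        "start": evs[0]["start"], "end": evs[-1]["start"],
        "records": len(evs),
        "dst_zone": zone_of(dsts[0]), "dst_range": (dsts[0], dsts[-1]),
        "dst_count": len(dsts),
        "events": dict(counts),
    }


def meta_sessions(events, gap=timedelta(minutes=5)):
    """Group events by source; a new meta-session starts when the source has
    been silent for longer than `gap` (assumed windowing rule)."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["start"]):
        by_src[e["src"]].append(e)
    rows = []
    for src, evs in by_src.items():
        current = [evs[0]]
        for e in evs[1:]:
            if e["start"] - current[-1]["start"] > gap:
                rows.append(summarize(src, current))
                current = []
            current.append(e)
        rows.append(summarize(src, current))
    return rows


def _ev(t, src, dst, proto, dport, pri, name):
    return {"start": datetime(2002, 12, 9, 7, *t), "src": src, "dst": dst,
            "proto": proto, "dport": dport, "priority": pri, "event": name}


# Constructed sample events modelled on the page-7 table (addresses are
# documentation ranges, not real hosts).
SAMPLE_EVENTS = [
    _ev((49, 0), "203.0.113.130", "192.0.2.4", "TCP", 53, 3, "TCP connect"),
    _ev((49, 1), "203.0.113.130", "192.0.2.5", "TCP", 53, 3, "TCP connect"),
    _ev((49, 2), "203.0.113.130", "192.0.2.6", "TCP", 53, 3, "TCP connect"),
    _ev((49, 3), "203.0.113.130", "192.0.2.7", "TCP", 53, 3, "TCP connect"),
    _ev((54, 0), "203.0.113.130", "192.0.2.242", "UDP", 53, 2, "DNS named version attempt"),
    _ev((54, 0), "203.0.113.130", "192.0.2.242", "UDP", 53, 2, "DNS named iquery attempt"),
    _ev((54, 1), "203.0.113.130", "192.0.2.242", "UDP", 53, 2, "RPC EXPLOIT statdx"),
    # a second source whose two events are 20 minutes apart -> two meta-sessions
    _ev((0, 0), "198.51.100.7", "192.0.2.80", "TCP", 80, 2, "Drop"),
    _ev((20, 0), "198.51.100.7", "192.0.2.80", "TCP", 80, 2, "Drop"),
]

if __name__ == "__main__":
    for row in meta_sessions(SAMPLE_EVENTS):
        print(row["src_zone"], row["src"], row["start"].strftime("%H:%M"),
              "-", row["end"].strftime("%H:%M"), row["records"], "records,",
              row["dst_count"], "dst hosts", row["events"])
```

Grouping by source and idle gap is only one way to bound a meta-session; the slides do not state their windowing rule, so an analyst reproducing this should expect to tune the gap (or key on destination zone as well) against their own sensor data.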

Page 8: Sample Application: Identifying Scans

Page 9: Scans: Clustering Approach

Agglomerative hierarchical clustering using Ward’s method to generate initial centroids

K-means for iterative relocation
– Assigning each observation to the cluster for its nearest centroid
– Recomputing the mean for each cluster
– No concept of variance, but it’s quick

Calinski-Harabasz index for evaluating models built using different values for K (the number of clusters):

$$\mathrm{CH}(K) = \frac{SSB / (K - 1)}{SSW / (N - K)}$$

where SSB is the between-cluster sum of squares, SSW the within-cluster sum of squares and N the number of observations; the K with the largest index is preferred.
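To make the three steps on this slide concrete, here is an added Python implementation (not code from the presentation or from MITRE) of Ward-seeded k-means scored with the Calinski-Harabasz index over a range of K. The function names are my own and the 2-D feature vectors are constructed; real meta-session features such as duration and target-host count would first need scaling.

```python
"""Ward-seeded k-means scored with the Calinski-Harabasz index.

Added example (not from the presentation); the feature vectors are constructed.
"""
from itertools import combinations


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def centroid(points):
    return tuple(sum(p[i] for p in points) / len(points) for i in range(len(points[0])))


def ward_seeds(points, k):
    """Agglomerative clustering with Ward's method, stopping at k clusters.
    Each step merges the pair whose union raises the within-cluster sum of
    squares the least; the resulting centroids seed k-means."""
    clusters = [[p] for p in points]
    while len(clusters) > k:
        best = None
        for i, j in combinations(range(len(clusters)), 2):
            a, b = clusters[i], clusters[j]
            cost = len(a) * len(b) / (len(a) + len(b)) * sq_dist(centroid(a), centroid(b))
            if best is None or cost < best[0]:
                best = (cost, i, j)
        _, i, j = best
        clusters[i] = clusters[i] + clusters[j]
        del clusters[j]
    return [centroid(c) for c in clusters]


def kmeans(points, centroids, max_iter=100):
    """Iterative relocation: assign each point to its nearest centroid, then
    recompute each cluster mean, until the centroids stop moving."""
    centroids = list(centroids)
    for _ in range(max_iter):
        groups = [[] for _ in centroids]
        for p in points:
            nearest = min(range(len(centroids)), key=lambda c: sq_dist(p, centroids[c]))
            groups[nearest].append(p)
        # keep an emptied cluster's old centroid rather than dividing by zero
        new = [centroid(g) if g else centroids[i] for i, g in enumerate(groups)]
        if new == centroids:
            break
        centroids = new
    return centroids, groups


def calinski_harabasz(points, centroids, groups):
    """CH(K) = (SSB / (K - 1)) / (SSW / (N - K)); higher is better."""
    n, k = len(points), len(centroids)
    grand = centroid(points)
    ssb = sum(len(g) * sq_dist(c, grand) for c, g in zip(centroids, groups))
    ssw = sum(sq_dist(p, c) for c, g in zip(centroids, groups) for p in g)
    return (ssb / (k - 1)) / (ssw / (n - k))


def choose_k(points, k_values):
    """Fit one model per K and return (best K, {K: CH score})."""
    scores = {}
    for k in k_values:
        cents, groups = kmeans(points, ward_seeds(points, k))
        scores[k] = calinski_harabasz(points, cents, groups)
    return max(scores, key=scores.get), scores


def _square(x0, y0):
    return [(x0, y0), (x0 + 1, y0), (x0, y0 + 1), (x0 + 1, y0 + 1), (x0 + 0.5, y0 + 0.5)]


# Constructed 2-D feature vectors forming three well separated groups of
# five meta-sessions each; the CH index should peak at K = 3.
SAMPLE_POINTS = _square(0, 0) + _square(10, 0) + _square(0, 10)

if __name__ == "__main__":
    best, scores = choose_k(SAMPLE_POINTS, range(2, 6))
    for k, s in scores.items():
        print(f"K={k}: CH={s:.1f}")
    print("chosen K:", best)
```

The Ward pass is O(n^2) per merge and is only practical for seeding on a sample; on the full meta-session table one would seed from a subsample and let k-means do the relocation, which is the division of labour the slide describes.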

Page 10: Scans: Heuristic-Based Density Estimation

Page 11: Summaries for 10 Common Scans

Num_Src_Hosts  Num_Scans  Avg_Num_Events Per Scan  Avg_Duration Per Scan (secs)  Avg_Num_Tgt_Hosts Per Scan  Set of Target Ports
2,720          6,939      683                      9,519                         662                         TCP/80
1,192          1,995      253                      72                            149                         TCP/27374
242            338        14,116                   746                           8,260                       TCP/21
234            311        17,221                   1,367                         13,473                      TCP/1433
157            295        2,238                    3,161                         1,891                       TCP/139
201            221        789                      216                           233                         TCP/12345, TCP/27374
49             171        516                      324                           308                         UDP/38293
8              136        469                      3,033                         122                         TCP/53, UDP/53
52             122        919                      24,819                        880                         TCP/80, TCP/139, TCP/445, UDP/137
80             119        12,149                   670                           8,383                       TCP/22

Page 12: Frequent Meta-Sessions

Num_Src_Hosts  Num_Meta_Sessions  Avg_Num_Events Per Meta-Session  List_of_Events [ Pri : Event : Proto/Port ]
246,437        1,738,466          5                                2:Drop:TCP/80
73,160         680,283            3                                3:TCP connect:TCP/53
40,203         314,774            2                                3:TCP connect:TCP/25
...            ...                ...                              ...
1,138          1,747              314                              2:Drop:TCP/27374, 3:TCP connect:TCP/27374

Page 13: Infrequent Meta-Session Groupings

Num_Meta_Sessions  Avg_Num_Events  List_Of_Events
1                  446             RPC EXPLOIT statdx, DNS named iquery, DNS named version, Drop, TCP connect
3                  6,684           DNS named iquery, DNS named version, Drop, TCP connect
1                  4               DNS named iquery, DNS named version, TCP connect
119                3               DNS named version, TCP connect
31                 1               DNS named version

Num_Meta_Sessions  Avg_Num_Events  List_Of_Events
4                  257             WEB-IIS cmd.exe, WEB-IIS CodeRed v2 root.exe, Drop, TCP Connect
69                 1,014           WEB-IIS cmd.exe, WEB-IIS CodeRed v2 root.exe, Drop
37                 6               WEB-IIS cmd.exe, WEB-IIS CodeRed v2 root.exe
216                27              WEB-IIS cmd.exe, Drop
146                2               WEB-IIS cmd.exe
66                 573             WEB-IIS CodeRed v2 root.exe, Drop
35                 2               WEB-IIS CodeRed v2 root.exe

Page 14: Cluster Prototypes for 2:Drop:TCP/27374, 3:TCP Connect:TCP/27374

Prototype columns: Duration in Seconds, Num of Intranet Firewall Drop Events, Num of DMZ Firewall Drop Events, Num of DMZ Logger Events, Num of Destination Addresses

Cluster  Num of Meta-Sessions  Duration (secs)  Intranet FW Drops  DMZ FW Drops  DMZ Logger Events  Destination Addresses
1        1,100                 80               79                 0             0                  79
2        17                    1,308            288                0             0                  256
3        568                   91               256                0             0                  256
4        4                     527              0                  1,992         40                 2,032
5        42                    58               0                  255           0                  255
6        5                     376              0                  254           254                508
7        11                    309              0                  221           34                 255

Page 15: Cluster Visualization Example

Page 16: Tiers to Support Drill-Down Operations

Summary for all events

Summaries for inbound and outbound events

Summaries for frequent and infrequent meta-sessions

Summaries/prototypes for meta-session clusters

Summaries for meta-sessions

Lists of events for a particular meta-session