Network Security Monitoring and Behavior Analysis potx


Document information

Network Security Monitoring and Behavior Analysis
Pavel Čeleda, celeda@ics.muni.cz
Workshop on Campus Network Monitoring, 24-25 April 2012, Brno, Czech Republic

Part I: Introduction (2/35)

Security Monitoring and Behavior Analysis Toolset (3/35)
  • NetFlow data generation: FlowMon probes
  • NetFlow data collection: NetFlow collector (NetFlow v5/v9)
  • NetFlow data analyses: SPAM detection, worm/virus detection, intrusion detection
  • Incident reporting: via http, mail and syslog to a WWW front-end, a mailbox and a syslog server

Traffic Monitoring System (4/35)
  • Internet, firewall and several LANs; network without any flow monitoring system
  • FlowMon probe connected to an in-line TAP
  • FlowMon observes data from TAP and SPAN ports

FlowMon Probe Architecture (5/35)
  • Flow generation: FlowMon exporters turn packets into flows (frontend/backend plugins, FlowMon Probe 4000, fiber TAPs)
  • Flow collection: collector, NetFlow data storage, NFDUMP toolset
  • Flow presentation: NfSen web interface

NfSen/NFDUMP Collector Toolset Architecture (6/35)
  • Web front-end, user plugins, periodic update tasks and plugins, command-line interface, NFDUMP backend; input is NetFlow v5/v9
  • NfSen – NetFlow Sensor – http://nfsen.sf.net/
  • NFDUMP – NetFlow display – http://nfdump.sf.net/

NetFlow Processing with NFDUMP (7/35)
  • Available flow statistics: raw NetFlow data, Top [...]

[...] Interface (8/35)

Part II: Anomaly Detection and Behavior Analysis (9/35)

Network Behavior Analysis (10/35)
NBA principles:
  • identifies malware from network traffic statistics
  • watches what is happening inside the network
  • single-purpose detection patterns (scanning, botnets, ...)
  • complex models of the network behavior: statistical modeling, PCA – Principal Component Analysis
NBA advantages:
  • good for spotting new malware and zero-day exploits
  • suitable for high-speed networks
  • should be used as an enhancement to the protection provided by the standard tools (firewall, IDS, AVS, ...)

NBA Example - MINDS Method (11/35)
  • Features: flow counts from/to [...]

Part III: Anomaly Detection – Use Case I, Conficker Worm (12/35)

Conficker Worm Spreading (13/35)
  • Diagram: Phase I, Phase II, Phase III; victim; Internet

Traditional NetFlow Analysis Using NFDUMP Tool (14/35)
  • Flow listing with columns: Flow start, Duration, Proto, Src IP Addr:Port -> Dst IP Addr:Port, Flags, Packets, Bytes, Flows
  • Only fragments of the rows survive extraction:
    09:41:14.446 30.150 ICMP 172.16.92.1:0 [...]
    09:41:24.470 0.049 UDP 172.16.96.48:138 [...]
    09:41:26.069 [...]
    [...] 172.16.92.1:53 -> 172.16.96.48:63820 [...]
    Flags/Packets/Bytes/Flows values: 25 3028 1; 3 662 1; 14 2254 1; 1 50 1; 1 125 1; 1 62 1; 1 256 1; A.RS 4 172 1; AP.SF 3 510 1; 1 62 1; 1 256 1

[...] (15-16/35)

Worm Detection And Analysis With CAMNEP - I (17/35)
  • Threat: millions of flows per day on the campus network
  • Network behavioral analysis feeds the CSIRT for early action

Worm Detection And Analysis With CAMNEP - II (18/35)

Worm Detection And [...] (19/35)
  • [...] 155.59.237.22 [ ] 40.15.162.105 40.127.21.51 40.72.221.37 and more (5016 in total)
  • Ports: 53,80,137,139,445,1900,2048,3702,5355,52358
  • Protocol: UDP, ICMP, TCP

Part IV: Anomaly Detection – Use Case II, Chuck Norris Botnet (20/35)

Chuck Norris Botnet in a Nutshell (21/35)
  • Linux malware [...] ADSL modems and routers
  • Uses a TELNET brute-force attack as the infection vector
  • Users are not aware of the malicious activities
  • Missing anti-malware solution to detect it
  • Discovered at Masaryk University on 2 December 2009
  • The malware got the Chuck Norris moniker from a comment in its source code: [R]anger Killato : in nome di Chuck Norris !

TELNET Scans per Day (22/35)
  • Chart: x axis Date (months 09, 11, 01, 03, 05, 07), y axis TELNET scans per day (100000 to 400000); annotations: Chuck Norris Botnet Version 2; Campus Network Removed from Botnet Scanning List

Detection of CNB Scanning (23/35)
  • Incoming and outgoing TCP SYN scans on ports 22 and 23
  • Infected device
  • NFDUMP detection filter
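The slides name an NFDUMP detection filter for the Chuck Norris botnet's TCP SYN scans on ports 22 and 23 but do not show it. The following is an added example, not code from the presentation or from the NFDUMP project: it parses nfdump-style flow lines in the column layout the slides use (flags in nfdump's UAPRSF positions), counts single-packet SYN-only probes to ports 22/23 per source, and classifies each detected scanner as incoming or outgoing relative to an assumed campus range of 172.16.0.0/16. The sample flows are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample flows (not from the slides). Columns as on the NFDUMP slide:
# Flow start, Duration, Proto, Src:Port -> Dst:Port, Flags (UAPRSF), Packets, Bytes, Flows
SAMPLE_FLOWS = """\
09:41:14.446 0.000 TCP 172.16.96.48:40101 -> 198.51.100.11:23 ....S. 1 60 1
09:41:14.452 0.000 TCP 172.16.96.48:40102 -> 198.51.100.12:23 ....S. 1 60 1
09:41:14.460 0.000 TCP 172.16.96.48:40103 -> 198.51.100.13:22 ....S. 1 60 1
09:41:14.471 0.000 TCP 172.16.96.48:40104 -> 198.51.100.14:23 ....S. 1 60 1
09:41:15.003 0.000 TCP 203.0.113.7:51234 -> 172.16.92.20:23 ....S. 1 60 1
09:41:15.009 0.000 TCP 203.0.113.7:51235 -> 172.16.92.21:23 ....S. 1 60 1
09:41:15.015 0.000 TCP 203.0.113.7:51236 -> 172.16.92.22:23 ....S. 1 60 1
09:41:24.470 0.049 UDP 172.16.96.48:138 -> 172.16.96.255:138 ...... 3 662 1
09:41:26.069 1.204 TCP 172.16.92.1:44000 -> 172.16.96.48:22 .AP.SF 14 2254 1
"""

LOCAL_NET = ipaddress.ip_network("172.16.0.0/16")  # assumption: monitored campus range
SCAN_PORTS = {22, 23}  # SSH and TELNET, the ports the botnet scans
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\w+)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)"
                     r"\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")

def parse_flows(text):
    """Parse nfdump-style lines into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, _, proto, sip, _, dip, dport, flags, pkts, _, _ = m.groups()
            flows.append({"proto": proto, "src": sip, "dst": dip,
                          "dport": int(dport), "flags": flags, "packets": int(pkts)})
    return flows

def is_syn_probe(f):
    """Single-packet TCP flow to 22/23 with SYN set and ACK clear: a half-open probe."""
    return (f["proto"] == "TCP" and f["dport"] in SCAN_PORTS and len(f["flags"]) == 6
            and f["flags"][4] == "S" and f["flags"][1] != "A" and f["packets"] == 1)

def detect_scanners(text, min_targets=3):
    """Return {src: (direction, distinct targets)} for sources probing >= min_targets hosts."""
    targets = defaultdict(set)
    for f in parse_flows(text):
        if is_syn_probe(f):
            targets[f["src"]].add(f["dst"])
    result = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            direction = "outgoing" if ipaddress.ip_address(src) in LOCAL_NET else "incoming"
            result[src] = (direction, len(dsts))
    return result
```

An outgoing hit points at an infected device inside the campus; an incoming hit is the botnet probing the campus from outside, which is what the scan-count chart on the slides tracks.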

Date posted: 14/03/2014, 20:20


Table of contents

  • First Page

  • Introduction

  • Anomaly Detection and Behavior Analysis

  • Anomaly Detection -- Use Case I. Conficker Worm

  • Anomaly Detection -- Use Case II. Chuck Norris Botnet

  • Anomaly Detection -- Use Case III. Attack from Building Automation System

  • Conclusion

  • Last Page
