Getting started with network security monitoring

Network Security Monitoing (NSM) can be broadly classified into three areas being collection, detection and analysis [11]. There are plenty of tools that are designed exclusively for each field. Tools like tcpdump [14], wireshark [13], tshark[16], DNSstats [15], Bro [17], Chaosreader [18] come under collection tools. Their main job is to collect data from an interface and save as a dump. They are also called sensor tools. The next category is detection, which consists of two categories: signature based as well as behaviour based detections. These are tools that are used for detecting malicious behaviours/signatures in pcaps. Snort [19] and suricata [20] are the main signature based detection tools available. They work mainly based on the signature hashes developed by analysing a malware. The main inefficiency with this approach is that only ‘known’ malwares are detected. Zero days and new versions of previous malwares can easily evade such detections. Behaviour based detection are discussed in detail in the following sections. The third category analysis comes to play after an incident (security breach) is reported. These tools allows more deep packet analysis and wide inspection of packet data allowing marking, easy traversal and so on. Sguil [21], squert [22], wireshark and ELSA [23] are examples in this category. In total an NSM tool should contain a collector, a detector and then an analysis interface that allows to analyse the data. The research problems associated with each category is different. My analysis was mainly on collection and detection.

Collection

The two main questions to ask here is 1) What data needs to be collected (indexing, filters used), 2) What line rate is supported.  Some of the important libraries to consider in this area are libpcap [24] (winpcap for windows) used in Tcpdump & tcpdump-netmap, n2disk10g [25] from ntop, and FloSIS [2].  FloSIS [2] and n2disk10g [25] follow a different approach compared to libpcap. The first two are designed to keep up with multi-Gigabit speeds on commodity hardware (10Gbps). The design make efficient use of  parallelism capabilities in CPUs, memory and NIC. They also maintain two stage indexes in real time to increase query response (bloom filters). Libpcap, being the most used library is not efficient with high speed networks. (works well with 400-500 Mbps rate). But libpcap is the best library available for free and ready to use. N2disk10g [25] requires a license. FlosSIS is not open source and is not available.

Detection

There are plenty of research based on statistical data and session data. Below I am discussing only those areas that are relevant to HTTP protocol analysis and corresponding detection mechanisms.  This is related to HTTP headers and payload analysis without deep packet inspection.

There are correlation techniques where length of URL, request type (GET/POST), average amount of data in payload, hosts that rely on the same Web-based application (which could be the C2 server) etc are used for clustering malware based on HTTP. TAMD [5] (traffic aggregation for malware detection) talks about a technique on hashing blocks of payload and performing matches to identify correlations. Also capturing syntactic similarities in the payload. But this is applied in spam emails and not application data bytes.  PAYL [6] describes about a payload inspection technique based on profiling normal payloads. It calculates deviation distance of a test payload from the normal profile using a simplified Mahalanobis distance. A payload is considered as anomalous if this distance exceeds a predetermined threshold. A very similar approach is by SLADE: Statistical PayLoad Anomaly Detection Engine as used in BotHunter [7]. Here they use n-byte sequence information from the payload, which helps in constructing a more precise model of the normal traffic compared to the single-byte as used in PAYL [6]. Another approach is where the payload of each HTTP request is segmented into a certain number of contiguous blocks, which are subsequently quantized according to a previously trained scalar codebook [3].

I hope you enjoyed the reading. More on network security monitoring later.

References

[1] Behavioral Clustering of HTTP-Based Malware and Signature Generation Using Malicious Network Traces

http://static.usenix.org/event/nsdi10/tech/full_papers/perdisci.pdf

[2] FloSIS: A Highly Scalable Network Flow Capture System for Fast Retrieval and Storage Efficiency

http://0b4af6cdc2f0c5998459-c0245c5c937c5dedcca3f1764ecc9b2f.r43.cf2.rackcdn.com/20535-atc15-paper-lee-jihyung.pdf

[3] Measuring normality in HTTP traffic for anomaly-based intrusion detection

http://www.sciencedirect.com/science/article/pii/S1389128604000064

[4]  http://perso.uclouvain.be/marco.canini/papers/http.p-sigcomm08.pdf

[5] Classifying HTTP Traffic in the New Age

http://link.springer.com/chapter/10.1007/978-3-540-70542-0_11

[6] K. Wang and S. Stolfo. Anomalous payload-based network intrusion detection. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID), 2004.

[7] BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation

http://static.usenix.org/legacy/events/sec07/tech/full_papers/gu/gu_html/

[8] Know your digital enemy

http://www.mcafee.com/in/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf

[9] Comparison on dump tools:

https://docs.google.com/document/d/1mTzm2ybMXkxWk4hf9pYxswqDEqcWFlnWZhKv-CMuxk0/edit?usp=sharing

[10] http://libtins.github.io/

[11] Sanders. Chris, Smith. Jason,  Applied network security monitoring- collection, detection, and analysis.

[12] Bejtlich. Richard, The practise of network security monitoring.

[13] Wireshark: https://www.wireshark.org/

[14] Tcpdump: http://www.tcpdump.org/tcpdump_man.html

[15] Dnstats: https://dnstats.net/

[16] Tshark: http://linux.die.net/man/1/tshark

[17] Bro: https://www.bro.org/

[18] Chaosreader: http://chaosreader.sourceforge.net/

[19] Snort: https://www.snort.org/

[20] Suricata: ttps://suricata-ids.org/

[21] Sguil: http://bammv.github.io/sguil/index.html

[22] Squert: http://www.squertproject.org/

[23] ELSA: https://github.com/Security-Onion-Solutions/security-onion/wiki/ELSA

[24] Libpcap: http://www.linuxfromscratch.org/blfs/view/svn/basicnet/libpcap.html

[25] n2disk: http://www.ntop.org/products/traffic-recording-replay/n2disk/

[26] TRE: http://laurikari.net/tre/

[27] A. K. Jain, M. N. Murty, and P. J. Flynn. Data clustering: a review. ACM Comput. Surv., 31(3):264–323, 1999

Advertisements