An Introduction to Monitoring Encrypted Network Traffic with "Joy"

Similar documents
NXOS in the Real World Using NX-API REST

CloudCenter for Developers

Hands-On with IoT Standards & Protocols

Your API Toolbelt Tools and techniques for testing, monitoring, and troubleshooting REST API requests

Classifying Encrypted Traffic with TLSaware

Cisco UCS Agentless Configuration Management Ansible or Microsoft DSC

TRex Realistic Traffic Generator

DEVNET Introduction to Git. Ashley Roach Principal Engineer Evangelist

Automation with Meraki Provisioning API

DevNet Workshop-Hands-on with CloudCenter and Jenkins

Machine Learning with Python

Get Hands On With DNA Center APIs for Managing Intent

BGP in the Enterprise for Fun and (fake) Profit: A Hands-On Lab

Hybrid Cloud Automation using Cisco CloudCenter API

Managing Cisco UCS with the Python SDK

Understanding network traffic through Intraflow data

DevOps CICD for VNF a NetOps Approach

Finesse APIs: Getting started with the REST APIs and XMPP events

Deploying Cloud-Agnostic Applications with Cisco CloudCenter

Demystifying Machine Learning

Git, Atom, virtualenv, oh my! Learn about dev tools to live by!

Consuming Model-Driven Telemetry

WORKSHOP: from Zero to a Network Application with #golang

NetDevOps Style Configuration Management for the Network

An Introduction to Developing for Cisco Kinetic

Understanding HTTPS to Decrypt it

Applied Advanced Network Telemetry: ETA and Beyond

Cisco Spark Messaging APIs - Integration Platforms as a Service Real World Use-Cases

Cisco SD-Access Hands-on Lab

Cisco WAN Automation Engine (WAE) Network Programmability with Segment Routing

ICE / TURN / STUN Tutorial

Who wants to be a millionaire? A class in creating your own cryptocurrency

The Transformation of Media & Broadcast Video Production to a Professional Media Network

Cloud Mobility: Meraki Wireless & EMM

Insights into your WLC with Wireless Streaming Telemetry

Automation and Programmability using Cisco Open NXOS and DevOps Tools

Coding Getting Started with Python

Introduction to OpenConfig

PSOACI Tetration Overview. Mike Herbert

Privacy Requirements Scoping

Stateless Multicast with Bit Indexed Explicit Replication

Cisco Firepower NGIPS Tuning and Best Practices

2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Getting Started With Containers

Hands On Exploration of NETCONF and YANG

Cisco Enterprise Agreement

Magical Chatbots with Cisco Spark and IBM Watson

Coding Intro to APIs and REST

Creating a custom gadget using the Finesse JavaScript Library API

Ipswitch: The New way of Network Monitoring and how to provide managed services to its customers

NSO in Brownfield: Fully Automated One-Click Reconciliation

BRKCOC-2399 Inside Cisco IT: Integrating Spark with existing large deployments

Serviceability of SD-WAN

Cisco Container Platform

Catalyst 9K High Availability Lab

PnP Deep Dive Hands-on with APIC-EM and Prime Infrastructure

Cisco Spark Widgets Technical drill down

Tetration Hands-on Lab from Deployment to Operations Support

Empower your testing with Cisco Test Automation Solution Featuring pyats & Genie

Customer s journey into the private cloud with Cisco Enterprise Cloud Suite

Cloud-Ready WAN For IAAS & SaaS With Cisco s Next- Gen SD-WAN

Cisco Spark. Questions? Use Cisco Spark to communicate with the speaker after the session. How

Cisco UCS Director and ACI Advanced Deployment Lab

VXLAN EVPN Fabric and automation using Ansible

Routing Underlay and NFV Automation with DNA Center

Enterprise Recording and Live Streaming Architecture with VBrick

Contiv installation and integration with ACI. LTRCLD-2003

Contiv installation and integration with ACI

Introducing Cisco Network Assurance Engine

Hidden Figures: Securing what you cannot see

Cisco SD-Access Building the Routed Underlay

European DevNet Pros Panel

Cisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab

Internet of Things Field Network Director

PSOACI Why ACI: An overview and a customer (BBVA) perspective. Technology Officer DC EMEAR Cisco

Using Workload Automation to Optimize Hybrid Cloud Estates

Orange: Cisco & Orange: a human touch for a digital experience

Spark SDK Video - Overview and Coding Demo

Encrypted Traffic Security (ETS) White Paper

Building Applications with IOx

Cisco DNA Center and Italtel Netwrapper Evolution: Network and Applications come together

Inside Cisco IT: Automated end user services via Cisco Prime Service Catalog, Process Orchestrator and AppDynamics

AlgoSec: How to Secure and Automate Your Heterogeneous Cisco Environment

Encrypted Traffic Analytics

Managing The Digital Network Workforce Transformation

Simplifying Collaboration Deployments with Prime Collaboration

Getting Started with OpenStack

Detecting malware even when it is encrypted

Delivering HCI with VMware vsan and Cisco UCS

Radware: Anatomy of an IoT Botnet and Economics of Defense

Introduction to Python Network Programming for Network Architects and Engineers

Cisco ASA with FirePOWER services Eric Kostlan, Technical Marketing Engineer Security Technologies Group, Cisco Systems LABSEC-2339

Threat Centric Network Security

Intelligent WAN (IWAN) Design and Deployment

VRF, MPLS and MP-BGP Fundamentals

Push straight to prod

NetBrain Technologies: Achieving Agile Network Operations: How Automation Can Improve Visibility Across Hybrid Infrastructures

Real time Location Services Overview and Use cases

Cryptully Documentation

Is your IT Infrastructure Ready for Machine Learning & Artificial Intelligence?

Transcription:

An Introduction to Monitoring Encrypted Network Traffic with "Joy" Philip Perricone (SE) Bill Hudson (TL) Blake Anderson (TL) David McGrew (Fellow)

Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#

Agenda Obtaining Joy Running Joy Inspecting Traffic with Sleuth Learning Classifiers Conclusions

Obtaining Joy

Dependencies sudo apt-get install build-essential libssl-dev libpcap-dev libcurl4-openssl-dev sudo apt-get install python-dev python-numpy pythonsetuptools python-scipy sudo easy_install -U scikit-learn 6

Download, Build, Run, Install Download git clone https://github.com/cisco/joy Build cd joy./config make Run./bin/joy [options] (Optional) Install make install 7

Running Joy

Components joy Offline pcap joy json sleuth Online joy json model.py exporter collector 9

Processing Pcaps Run the executable: Joy:~/joy$ bin/joy bidir=1 http=1 dns=1 tls=1 dist=1 \../benign/capture.pcap > capture.gz View the compressed JSON output: Joy:~/joy$ zless capture.gz 10

Inspecting Traffic with Sleuth

Sleuth Overview Sleuth is a tool designed for users to make SQL-like queries on JSON data. It reads a stream of flow (json) objects, processes each one in sequence, and writes out the resulting objects. The python script named sleuth located within the Joy repository provides many useful commands. On the remaining slides of this section, short descriptions of the commands and simple examples are presented. More technical, in-depth guides can be found in the wiki: https://github.com/cisco/joy/wiki 12

Sleuth Basic Options No options: Joy:~/joy$./sleuth capture.gz less --stitch Joy:~/joy$./sleuth capture.gz --stitch less --select <fields> Joy:~/joy$./sleuth capture.gz --stitch --select "sa, da, dp" --where <condition> Joy:~/joy$./sleuth capture.gz --stitch --select "sa, da, dp" --where "pr=17" 13

Sleuth --dist <fields> Calculate the distribution of each unique value for the selected field elements. Show the distribution of HTTP User-Agent and Accept-Encoding headers: Joy:~/joy$./slueth capture.gz --stitch --select "ohttp{user-agent,accept-encoding}" --dist 14

Sleuth --groupby <fields> Split the output into multiple streams, grouping by the field elements specified. Create a separate stream for each destination address: Joy:~/joy$./sleuth capture.gz --stitch --select "sa, da, dp" --groupby da Create a stream for each distinct (destination address, destination port) tuple: Joy:~/joy$./sleuth capture.gz --stitch --select "sa, da, dp" --groupby "da, dp" 15

Sleuth --sum <fields> For each field element specified, compute the sum of their values. Find which destinations had the most data sent to them (outbound bytes): Joy:~/joy$./sleuth capture.gz --stitch --select "da, ob" --groupby "da" --sum "ob" 16

Learning Classifiers

Identify malware flows based upon SPLT and BD Run Joy with the classify option on: Joy:~/joy$ bin/joy bidir=1 dist=1 classify=1../benign/capture.pcap > capture.gz Use Sleuth to show flows with probability of malware greater than 1%: Joy:~/joy$./sleuth capture.gz --select "da, dp, p_malware" --where "p_malware > 0.01" Example output: { "name": [ { "da": "151.101.1.69", "dp": 80, "p_malware": 0.084 }, { "da": "172.217.1.195", "dp": 443, "p_malware": 0.021 } ] } 18

Identify malware flows based upon SPLT and BD Run Joy with the classify option on: Joy:~/joy$ bin/joy bidir=1 dist=1 classify=1 \../malware/133d773a8ca64c24bd81b594cf5240dd.pcap > malware.gz Use Sleuth to show flows with probability of malware greater than 99%: Joy:~/joy$./sleuth malware.gz --select "da, dp, p_malware" --where "p_malware > 0.99" Example output: { "name": [ { "da": 86.59.21.38, "dp": 443, "p_malware": 0.997 }, { "da": 108.61.179.216, "dp": 443, "p_malware": 0.995 }, { "da": 5.9.123.81, "dp": 9001, "p_malware": 0.999 }, { "da": 109.238.6.25, "dp": 443, "p_malware": 0.992 }, { "da": 176.31.159.231, "dp": 443, "p_malware": 0.998 },... 19

Build a malware classifier Create the positive (malware) dataset: Joy:~/joy$ bin/joy bidir=1 dist=1../malware/*.pcap >../malware_train/malware.gz Create the negative (benign) dataset: Joy:~/joy$ bin/joy bidir=1 dist=1../benign/*.pcap >../benign_train/benign.gz Finally, generate the classifier model using the datasets: Joy:~/joy$ python saltui/model.py -m -l -t -p../malware_train/ \ -n../benign_train/ -o params.txt 20

Using the new classifier Run Joy with the model option to specify the new classifier: Joy:~/joy$ bin/joy bidir=1 dist=1 classify=1 model="params.txt:params_bd.txt" \../everything > new_class.gz Use Sleuth to show flows with probability of malware greater than 99%: Joy:~/joy$./sleuth new_class.gz --select "da, dp, p_malware" --where "p_malware > 0.99" Example output: { "name": [ { "da": "239.255.255.250", "dp": 1900, "p_malware": 1.000 }, { "da": "172.16.255.255", "dp": 137, "p_malware": 0.995 }, { "da": "104.237.132.39", "dp": 443, "p_malware": 0.996 },... 21

Conclusions Machine learning and rules applied to passively obtained network traffic can: Detect malware communication Detect misused cryptography SPLT, Byte Distribution and TLS handshake data are valuable. Training classifiers is key. Better than MITM (Man in the middle) with respect to security and privacy. 22

Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#

Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Complete Your Online Session Evaluation Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Tech Circle Meet the Engineer 1:1 meetings Related sessions 25

Thank you

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback