Flow Analysis for Network Situational Awareness. Tim Shimeall January Carnegie Mellon University

Slide 1. Flow Analysis for Network Situational Awareness
Tim Shimeall, January 2010

Slide 2. NO WARRANTY
THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder.
This Presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013.

Slide 3. What We Will Cover
- Introduction
- Your Network: fundamentals of networks, flow, and protocols; malicious traffic
- External Events & Trends: malware; networks in the broad
- Working Together: network dependencies; analysis
- Summary

Slide 4. What this class is
- Approaches, methods, and trends of interest in building network situational awareness
- A big-picture view of analysis
- Assumes you already have a good handle on the analysis tool suites

Slide 5. What this class is not
- Cool tricks with SiLK
- Installing and using SiLK
- Everything you need to do analysis
- Bits and bytes on the wire

Slide 6. A couple of rules
- ASK!
- No smoking/chewing
- Cell phones on stun
- No smelly food

Slide 7. Recognition Stances

Slide 8. Network Situational Awareness: Definition
The systematic gathering, analysis and interpretation of data from local and remote networks regarding structure, applications, traffic and resources to produce actionable information for decision making in network operations and defense. (Shimeall, 2008)

Slide 9. Alternate Definitions
- Situation Awareness (SA): "The perception of elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future." (Endsley, 1988)
- Network SA: "the operational picture that consolidates all available information that is actually needed for identifying attacks and for selecting and applying appropriate countermeasures." (Kemmerer et al., 2008)

Slide 10. Network Situational Awareness Practice
- Know your network
- Know current external events and trends
- Know how they fit together

Slide 11. How these Definitions Apply
Figure labels: Know Network; Know Events/Trends; Know How They Fit

Slide 12. Vulnerability Note VU#800113: Multiple DNS implementations vulnerable to cache poisoning (July 2008)
http://www.youtube.com/watch?v=xdkw8ny6IcM#

Slide 13. Cable Cuts, January 2008

Slide 14. Estonia, April 2007

Slide 15. The 2008 Olympics

Slide 16. Questions of Interest
- Is my bandwidth increasing from business-related activity, or from non-work-related activity?
- How will my business be impacted by implementation of a more stringent security policy?
- If my backbone Internet Service Provider chooses to de-peer with another backbone provider, how will I be affected?
- How will socio-political uprisings impact my network?
- What are the most important dependencies my network has on external resources?
- Do computers on my network follow policy?
- Can my network survive a distributed denial-of-service attack?
- How can I prioritize resources during a bandwidth-limiting attack?
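Several of the questions on this slide are ones that flow records can answer directly, which is the point of building situational awareness on flow data. The script below is an added example, not code from the presentation or from the SiLK suite: it parses a constructed, rwcut-style pipe-delimited flow listing (the field order sIP|dIP|sPort|dPort|pro|packets|bytes|sTime, the 10.0.0.0/8 internal range, the port-to-category policy and every byte count are assumptions made up for illustration) and answers three of the questions: business versus non-business bandwidth, the external hosts the network depends on most, and internal hosts that violate an outbound port policy.

```python
"""Answering three of the slide-16 questions from flow records.

Added example, not from the original presentation or from SiLK. Input is a
constructed, rwcut-like pipe-delimited listing (assumed field order
sIP|dIP|sPort|dPort|pro|packets|bytes|sTime); the internal address range,
the port-to-category policy and the sample volumes are all made up.
"""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Assumed local policy: service port -> traffic category, and which
# categories the organisation counts as business-related.
PORT_CATEGORY = {80: "web", 443: "web", 25: "mail", 22: "remote-admin"}
PORT_CATEGORY.update({p: "p2p" for p in range(6881, 6890)})
BUSINESS = {"web", "mail", "remote-admin"}
NON_BUSINESS = {"p2p"}
ALLOWED_OUTBOUND_PORTS = {80, 443, 25, 22}

# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_FLOWS = """\
sIP|dIP|sPort|dPort|pro|packets|bytes|sTime
10.1.2.3|198.51.100.10|51234|443|6|40|52000|2010-01-15T09:00:00
10.1.2.3|203.0.113.5|51235|80|6|30|31000|2010-01-15T09:01:00
10.1.2.9|203.0.113.77|51300|6881|6|900|1400000|2010-01-15T09:02:00
10.1.2.4|198.51.100.10|51236|443|6|20|24000|2010-01-15T09:03:00
10.1.2.4|192.0.2.25|51237|25|6|10|8000|2010-01-15T09:04:00
10.1.2.9|203.0.113.78|51301|6882|17|700|1200000|2010-01-15T09:05:00
192.0.2.40|10.1.2.50|40000|22|6|15|3000|2010-01-15T09:06:00
10.1.2.5|198.51.100.10|51238|443|6|25|30000|2010-01-15T09:07:00
"""


def parse_flows(text):
    """Parse rwcut-style pipe-delimited records into dicts; skips the header.
    Fields are stripped so column-padded rwcut output parses as well."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("sIP"):
            continue
        sip, dip, sport, dport, proto, packets, nbytes, stime = (
            f.strip() for f in line.split("|"))
        flows.append({
            "sip": ipaddress.ip_address(sip), "dip": ipaddress.ip_address(dip),
            "sport": int(sport), "dport": int(dport), "proto": int(proto),
            "packets": int(packets), "bytes": int(nbytes), "stime": stime,
        })
    return flows


def service_port(flow):
    """Heuristic: the lower of the two ports is the service port, because
    client-side ephemeral ports are high. Adequate for this sketch only."""
    return min(flow["sport"], flow["dport"])


def bandwidth_split(flows):
    """Bytes attributed to business / non-business / other by port policy."""
    totals = defaultdict(int)
    for f in flows:
        cat = PORT_CATEGORY.get(service_port(f), "other")
        if cat in BUSINESS:
            totals["business"] += f["bytes"]
        elif cat in NON_BUSINESS:
            totals["non-business"] += f["bytes"]
        else:
            totals["other"] += f["bytes"]
    return dict(totals)


def external_dependencies(flows, top=3):
    """External hosts ranked by total bytes exchanged, in either direction."""
    by_host = defaultdict(int)
    for f in flows:
        for ip in (f["sip"], f["dip"]):
            if ip not in INTERNAL:
                by_host[str(ip)] += f["bytes"]
    return sorted(by_host.items(), key=lambda kv: kv[1], reverse=True)[:top]


def policy_violations(flows, allowed=ALLOWED_OUTBOUND_PORTS):
    """Internal hosts that initiated outbound flows to ports policy forbids."""
    offenders = defaultdict(set)
    for f in flows:
        outbound = f["sip"] in INTERNAL and f["dip"] not in INTERNAL
        if outbound and f["dport"] not in allowed:
            offenders[str(f["sip"])].add(f["dport"])
    return {host: sorted(ports) for host, ports in offenders.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("bandwidth split:", bandwidth_split(flows))
    print("top external dependencies:", external_dependencies(flows))
    print("policy violations:", policy_violations(flows))
```

On a real SiLK installation the equivalent input comes from an rwfilter selection piped through rwcut with the same field list (rwcut --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes,sTime --no-columns), and the port policy would be replaced by whatever the organisation actually sanctions. The lower-port heuristic in service_port is the weak point: it misattributes traffic whenever both ends use high ports, which is exactly what peer-to-peer and many malware channels do, so in practice the "other" bucket deserves a second look rather than being dismissed.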

Slide 17. Building Understanding
Figure labels: Operators/Groups; Victims/Bystanders; Internet Behavior; Opportunities/Vulnerabilities; Status; Attributes; Dynamics; Stimuli/Motives

Slide 18. Challenges to Analysis
- Gathering sufficient datasets to make statistically valid judgments
- Developing automated technical analysis tools
- Developing a reliable methodology for cyber analysis
- Overcoming organizational bias against sharing information