Hiroshi TSUNODA
Tohoku Institute of Technology 35-1, Yagiyama Kasumi-cho, Taihaku-ku, Sendai, Miyagi, Japan +81-22-305-3411
tsuno@m.ieice.org
glenn@cysols.com
ABSTRACT
In this work we show how data vital to information and network security management can be obtained relatively easily by basic traffic monitoring and analysis. We introduce a new traffic analysis technique, the category transform, which extracts more useful information from the available data, and we show the means and significance of looking at traffic characteristics in greater detail.
companies prohibit the use of devices not registered with the company. Yet, in a survey of companies that prohibit the use of private devices on the intranet, staff in 55% of the companies reported that they had breached the policy without being detected. This points to a lack of monitoring of the devices used on the intranet. In the following sections we show how network device monitoring can be done relatively easily by network traffic analysis.
General Terms
Management, Measurement, Security
Keywords
Traffic monitoring, Network security, Category transform
1. INTRODUCTION
For information and network security management, it is necessary to monitor and vet everything that happens on a network and on the connected devices. A surprising amount of information vital to information and network security management can be obtained relatively easily by basic traffic monitoring and analysis. A large part of this analysis can be passive, which means zero additional load on the network. More often than not, this information appears to be overlooked or left unused. In this work we discuss these information components and show how they can be obtained in a network that uses the TCP/IPv4/IPv6 suite of protocols. We introduce a new traffic analysis technique, the category transform, to extract more useful information from the available data, and we show the means of looking at traffic characteristics in greater detail. We show the significance of these information components in the security context.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SIN12, October 25-27, 2012, Jaipur, India Copyright 2012 ACM 978-1-4503-1668-2/12/10 ...$15.00.
volume is difficult. But if we look at the traffic characteristics in greater detail, i.e. over smaller intervals, the sharp short-lived bursts may manifest themselves. Figure 2 shows an example of high-resolution monitoring. When we look at the number of packets per second, the series looks relatively stable. However, the number of packets per 10 milliseconds shows several peaks. Such peaks indicate that short bursts of traffic existed; these bursts may cause instantaneous congestion in the network.
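The effect described above can be reproduced on a synthetic trace. The following is an added example, not code from the paper: it bins integer microsecond arrival times at two resolutions and flags bins that hold many times the mean count. The trace, the burst sizes and the factor-of-10 burst threshold are all constructed for illustration.

```python
def count_per_interval(timestamps_us, width_us):
    """Bin packet arrival times (integer microseconds) into intervals of
    width_us microseconds; returns one count per interval, empty bins as 0.
    Integer arithmetic avoids the rounding surprises of float bin edges."""
    if not timestamps_us:
        return []
    counts = [0] * (max(timestamps_us) // width_us + 1)
    for t in timestamps_us:
        counts[t // width_us] += 1
    return counts


def peak_to_mean(counts):
    """Largest bin relative to the mean bin: close to 1 for smooth traffic."""
    return max(counts) / (sum(counts) / len(counts))


def burst_intervals(counts, factor=10):
    """Indices of bins holding at least `factor` times the mean count
    (the factor is an assumed detection threshold, not from the paper)."""
    mean = sum(counts) / len(counts)
    return [i for i, c in enumerate(counts) if c >= factor * mean]


def make_trace(seconds=10, background_pps=200):
    """Constructed trace: a steady 200 packet/s background plus two bursts
    of 60 and 80 packets spaced 50 us apart, i.e. each lasting 3-4 ms."""
    ts = [i * 1_000_000 // background_pps for i in range(seconds * background_pps)]
    for start_us, n in ((2_500_000, 60), (6_730_000, 80)):
        ts.extend(start_us + k * 50 for k in range(n))
    return sorted(ts)


if __name__ == "__main__":
    trace = make_trace()
    per_second = count_per_interval(trace, 1_000_000)
    per_10ms = count_per_interval(trace, 10_000)
    # At 1 s resolution the bursts are absorbed; at 10 ms they stand out.
    print("1 s bins : peak/mean = %.2f, bursts at %s" % (peak_to_mean(per_second), burst_intervals(per_second)))
    print("10 ms bins: peak/mean = %.2f, bursts at %s" % (peak_to_mean(per_10ms), burst_intervals(per_10ms)))
```

At one-second resolution the two bursts add only 60 and 80 packets to bins that already hold 200, so nothing is flagged; at 10 ms resolution the same packets land in two bins that hold roughly 40 times the mean.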
It is important that the administrator be aware of the encrypted traffic flowing in and out of the network. In particular, ssh and https are often used to build tunnels that bypass firewalls. If the administrator is not aware of unauthorized tunnels, he/she is running the risk of information leakage. Therefore, the administrator must audit the source and destination of encrypted traffic in order to make sure that there are no undetected, unauthorized tunnels. On the other hand, the network administrator must also make sure that the unencrypted traffic flowing out of the network carries minimal risk: if confidential information is carried in unencrypted traffic, malicious users may be able to obtain it easily.
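One way to perform the audit of encrypted egress described above, written here as an added example rather than the paper's own tooling: flows leaving an assumed intranet prefix towards ssh or https ports are aggregated per source, destination and service, and a finding is raised when the destination is not on an approved list or the session is long-lived or high-volume. The flow records, the prefix, the approved list and the "tunnel-like" thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed intranet prefix and the two services the text singles out.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
ENCRYPTED_PORTS = {22: "ssh", 443: "https"}

# Constructed flow records for illustration: (src, dst, dport, bytes, duration_s)
FLOWS = [
    ("192.0.2.10", "198.51.100.5", 443, 120_000, 30),          # browsing to an approved site
    ("192.0.2.10", "198.51.100.5", 443, 80_000, 25),
    ("192.0.2.20", "203.0.113.7", 22, 2_400_000_000, 86_000),  # day-long ssh to an unknown host
    ("192.0.2.21", "203.0.113.9", 443, 950_000_000, 43_000),   # long https session to an unknown host
    ("192.0.2.30", "198.51.100.8", 22, 50_000, 120),           # short ssh to the approved jump host
    ("192.0.2.30", "198.51.100.40", 80, 5_000, 2),             # plain http, not in scope here
    ("198.51.100.5", "192.0.2.10", 443, 900_000, 30),          # inbound, not egress
]
APPROVED_DESTS = {"198.51.100.5", "198.51.100.8"}


def outbound_encrypted(flows, internal=INTERNAL, ports=ENCRYPTED_PORTS):
    """Keep flows that leave the intranet towards an ssh or https port."""
    out = []
    for src, dst, dport, nbytes, dur in flows:
        if (ipaddress.ip_address(src) in internal
                and ipaddress.ip_address(dst) not in internal
                and dport in ports):
            out.append((src, dst, dport, nbytes, dur))
    return out


def summarise(flows):
    """Aggregate per (src, dst, service): (total bytes, longest session, flow count)."""
    agg = defaultdict(lambda: [0, 0, 0])
    for src, dst, dport, nbytes, dur in flows:
        rec = agg[(src, dst, ENCRYPTED_PORTS[dport])]
        rec[0] += nbytes
        rec[1] = max(rec[1], dur)
        rec[2] += 1
    return {key: tuple(val) for key, val in agg.items()}


def audit_encrypted(flows, approved, min_bytes=100_000_000, min_duration=3600):
    """Return [(src, dst, service, reasons)] for encrypted egress worth a look.
    The thresholds are assumptions: a session that stays up for an hour or
    moves 100 MB over ssh/https looks more like a tunnel than an interactive login."""
    findings = []
    for (src, dst, svc), (nbytes, longest, _n) in sorted(summarise(outbound_encrypted(flows)).items()):
        reasons = []
        if dst not in approved:
            reasons.append("destination not in approved list")
        if nbytes >= min_bytes or longest >= min_duration:
            reasons.append("long-lived or high-volume session (tunnel-like)")
        if reasons:
            findings.append((src, dst, svc, reasons))
    return findings


if __name__ == "__main__":
    for src, dst, svc, reasons in audit_encrypted(FLOWS, APPROVED_DESTS):
        print(f"{src} -> {dst} ({svc}): " + "; ".join(reasons))
```

Volume and duration are only indicators: a legitimate backup over ssh will also trip them, which is why the finding carries its reasons and is meant for review against the approved list rather than for automatic blocking.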
Figure 3 IPv4, TCP, and UDP header fields
By transforming from traffic volume to traffic category, the identification of some characteristics is amplified. Unlike the traffic volume, the variation in the number of categories in normal situations is limited by the users' usage pattern. Thus, a sudden increase or decrease in the number of categories is likely to be caused by some new usage pattern. Say that the traffic volume is represented by the time series ( packets have been detected in the i-th time interval, from to ; the width of the i-th interval is ). The corresponding category-transformed time series will be ( categories were seen in the packets). For example, if we are focusing on the source address category, then distinct source addresses were present in the packets seen in the i-th time interval. If a category , the j-th category in the i-th interval, includes packets, the relationship between and is represented as
Note that 1 in the usual case. The traffic volume and traffic category monitored on a given link are both upper bounded by ( ), where Bw and MTU are the bandwidth and the maximum transmission unit of the link, respectively. But obviously , because 1 in a normal network. Therefore, the number of categories more strongly reflects a change in the usage pattern of the link. By transforming from traffic volume to traffic category, the amplified traffic characteristics provide us with deeper insights into the network dynamics. Below we discuss how incidents can be detected based on the category transform technique.
Port scan
Figure 4 Variation pattern of packet count and the number of categories in port scan activity
DDoS
looking at the number of source IP address categories, DoS attacks can be identified more easily.
Figure 5 Variation pattern of packet count and the number of categories in DDoS attacks
File sharing
5. ACKNOWLEDGEMENTS
This work was partially supported by the Promotion program for Reducing global Environmental loaD through ICT innovation (PREDICT-115102001), Ministry of Internal Affairs and Communications, Japan. The authors would like to thank the WIDE-netman group for their valuable comments.
REFERENCES
An increase in the focused category-transformed statistic may indicate an attack from outside on the focused group, an illegal application running inside the focused group, or a fault or misconfiguration of the network. A decrease in the focused category-transformed statistic may indicate a fault or link failure in the network, or an application failure. Figure 6 illustrates the variation in the number of packets, destination IP address categories, and focused categories during illegal file sharing activity. Note that it is difficult to find a characteristic change in either the number of packets or the number of destination IP address categories. But if we focus on a specific source host, we can see a sudden increase in the number of destination IP address categories.
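The category transform defined earlier, and its use for the port scan, DDoS and file sharing cases, can be exercised on a constructed trace. This is an added example, not the authors' implementation: since the page's formula for the transform survives only in prose, the code takes the number of categories in an interval to be the number of distinct values of the chosen header field among that interval's packets, and the focused transform to be the same count restricted to packets matching a predicate (here, one source host). The trace, the four-times-median threshold and all addresses are constructed assumptions.

```python
from collections import namedtuple
from statistics import median

Packet = namedtuple("Packet", "t src dst dport")   # t = index of the 1 s interval


def build_trace(intervals=10):
    """Constructed trace: a steady background of five intranet hosts talking to
    six servers on 80/443, plus three injected events (scan, DDoS, file sharing)."""
    pkts = []
    internal = [f"192.0.2.{10 + i}" for i in range(5)]
    servers = [f"198.51.100.{1 + i}" for i in range(6)]
    for t in range(intervals):
        for i, host in enumerate(internal):                 # 20 background packets per interval
            for srv in (servers[i % 6], servers[(i + 1) % 6]):
                for port in (80, 443):
                    pkts.append(Packet(t, host, srv, port))
        if t == 3:      # port scan: one external source probes 30 ports on one host
            pkts += [Packet(t, "203.0.113.5", internal[0], p) for p in range(1, 31)]
        if t == 6:      # DDoS: 40 distinct sources hit one host on port 80
            pkts += [Packet(t, f"203.0.113.{100 + k}", internal[1], 80) for k in range(40)]
        if t >= 8:      # file sharing: one intranet host talks to 8 peers on 6881
            pkts += [Packet(t, internal[2], f"203.0.113.{200 + k}", 6881) for k in range(8)]
    return pkts


def packet_counts(pkts, intervals):
    """Traffic volume: number of packets per interval."""
    counts = [0] * intervals
    for p in pkts:
        counts[p.t] += 1
    return counts


def category_transform(pkts, intervals, key, focus=lambda p: True):
    """Number of distinct key(p) values per interval over packets satisfying
    focus(p). With the default focus this is the plain category transform;
    with a predicate it is the focused transform of the text."""
    seen = [set() for _ in range(intervals)]
    for p in pkts:
        if focus(p):
            seen[p.t].add(key(p))
    return [len(s) for s in seen]


def anomalous_intervals(series, factor=4.0):
    """Intervals whose value is at least `factor` times the series median
    (assumed detection rule; the median is the 'normal usage' baseline)."""
    base = median(series)
    return [i for i, v in enumerate(series) if base and v >= factor * base]


def detect(pkts, intervals=10):
    """Run volume and category series through the same rule and report flags."""
    from_host = lambda p: p.src == "192.0.2.12"
    return {
        "packets":   anomalous_intervals(packet_counts(pkts, intervals)),
        "dst_ports": anomalous_intervals(category_transform(pkts, intervals, lambda p: p.dport)),
        "src_addrs": anomalous_intervals(category_transform(pkts, intervals, lambda p: p.src)),
        "dst_addrs": anomalous_intervals(category_transform(pkts, intervals, lambda p: p.dst)),
        "dst_addrs_from_192.0.2.12": anomalous_intervals(
            category_transform(pkts, intervals, lambda p: p.dst, focus=from_host)),
    }


if __name__ == "__main__":
    for name, flagged in detect(build_trace()).items():
        print(f"{name:28s} flagged intervals: {flagged}")
```

With the same threshold applied to every series, the packet count flags nothing (its largest jump is three times the median), the destination-port categories flag the scan interval, the source-address categories flag the DDoS interval, and the global destination-address categories miss the file sharing while the transform focused on the one host flags both of its intervals.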
[1] Trend Micro. Actual condition survey about BYOD of smart phones and tablet devices (in Japanese). Retrieved July 29, 2012, from Trend Micro: http://jp.trendmicro.com/jp/about/news/pr/article/20120628060439.html.
[2] G. Mansfield, S. Karakala, T. Saitoh, and N. Shiratori. High Resolution Traffic Measurement. Workshop on Passive and Active Measurements on the Internet (PAM2001), April 2001.
[3] E. Knightly and A. Kuzmanovic. Low-Rate TCP-Targeted Denial of Service Attacks and Counter Strategies. IEEE/ACM Transactions on Networking, 14(4):638-696, August 2006.
[4] R. Chang. Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial. IEEE Communications Magazine, 40(10):42-51, October 2002.
[5] The Guardian. Anonymous claims responsibility for taking down government sites. Retrieved July 30, 2012, from The Guardian: http://www.guardian.co.uk/technology/2012/apr/08/anonymous-taking-down-government-websites.
4. CONCLUSION
In this paper we have shown that simple, basic traffic monitoring and analysis provide information that is vital for network security management. Network security management requires monitoring the devices connected to an intranet and their activities. Network device monitoring can be done by analyzing address