NetSEC: metrology-based application
for network security
Jean-François SCARIOT
Bernard MARTINET
Centre Interuniversitaire
de Calcul de Grenoble
TNC 2002, June 2002
2
Plan
Metrology: why, what & how?
Analyze
NetSEC: goals, architecture, available tools
Conclusion
3
Why measure? To know network usage
To know network availability
To detect dysfunction
To do cost sharing
Also… to improve security
4
What and how to measure?
Qualitative: knowing your network
I/O traffic load, CPU load, collisions…
Watch the counters of the equipment
Quantitative: controlling your network
Traffic type, I/O traffic load per host or group...
Extract information from frame analysis
5
Measurement to supervise
Daily supervision (15 minutes is enough)
Curves or bar graphs
Always the same "look"
"To control and manage a network, you must visualize its behaviour"
6
Highlighting a problem
Monday April the 2nd 2001
Monday April the 9th 2001
A « normal » day
Maybe some problems
7
Highlighting a problem
Unfortunately!
Problem discovery is a posteriori
We have to go back and analyze the traffic of the involved period.
8
Traffic analyzing
Locate the host(s): date, addresses, intrusion method, extent of the damage…
HOW?
By crosschecking
Sorting metrology data on several parameters
Powerful sorting tools are needed!
9
NetSEC goals
To have an evolving software
To analyze "well-known" data: NetMET, IPtrafic
To support open standards
To improve the security of networking computers
10
NetSEC foundations
Using a relational database
A simple network description
A modular architecture
Using an open source software
11
Open software
Linux system (Redhat)
MySQL database
Apache Web server
JAVA
12
About database
JDBC database access
Basic SQL queries
One loader per collector
13
DB structure
One table for one day (of data): src@ & dst@, date, port & protocol, volume
One table for the network description
14
Network description
A network: 192.168.10.11/24
An organism: University Joseph Fourier
An entity: CICG
A location: Campus of Grenoble
15
Available tools
A data query module
A graphic generator module
A data mining module
16
Architecture
Query Engine: QueryProcess, SQLRequests, HTMLRequests, NetworkDescription, Loader
Graphic Generator Engine: GraphicGenerationProcess, SQLRequests, DB
Knowledge Discovery Database Engine: KDDProcess
Collector: Collected Data, Loader, SQLRequests
Outputs: ALARMS, REPORTS
17
The query tool
To use the SQL power: sort, query, extract
Querying data with a friendly interface
18
Web interface (Question)
19
How does it work?
Parameters processing
JDBC driver loading & connection
Building and executing the SQL query
Displaying the results
20
Web interface (Answer)
21
Graphic generation
A zoom on a network on demand.
Supervision of selected services
22
Graphic generation: HTTP
23
Functioning
The database system provides the data
Querying the database (with SQL queries)
Returning the results to MRTG for display
MRTG builds the graphics
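The DB structure (slide 13), the network description (slide 14), the query tool steps (slide 19) and the MRTG feed (slide 23) in one added example. This is not NetSEC's code: the project used MySQL through JDBC from Java, while this stands Python's in-memory sqlite3 in for both. The second description row (entity Lab-X), every traffic row, the column names, the sort-key allowlist and the `in_net` SQL function are assumptions made for the example.

```python
"""Added example, not NetSEC's own Java/JDBC code: a miniature of the
NetSEC data model (slides 13-14), the query tool (slide 19) and the MRTG
feed (slide 23), with Python's sqlite3 standing in for MySQL + JDBC.
The second description row (Lab-X) and all traffic rows are constructed."""
import ipaddress
import sqlite3
from datetime import date

# Slide 14 gives the first description row; the second is hypothetical.
NETWORK_DESC = [
    ("192.168.10.11/24", "University Joseph Fourier", "CICG", "Campus of Grenoble"),
    ("192.168.20.0/24", "University Joseph Fourier", "Lab-X", "Campus of Grenoble"),
]

# Constructed flows for one day: src, dst, timestamp, port, protocol, volume (bytes).
FLOWS = {
    "2001-04-09": [
        ("192.168.10.11", "10.0.0.5", "2001-04-09 14:20", 53, "udp", 512),
        ("192.168.10.11", "10.0.0.6", "2001-04-09 14:21", 53, "udp", 480),
        ("192.168.10.11", "10.0.0.7", "2001-04-09 14:21", 53, "udp", 600),
        ("10.0.0.5", "192.168.10.11", "2001-04-09 14:22", 53, "udp", 300),
        ("192.168.20.4", "10.0.0.5", "2001-04-09 09:00", 80, "tcp", 150000),
        ("192.168.10.25", "10.0.0.9", "2001-04-09 16:45", 22, "tcp", 9000),
        ("192.168.20.4", "10.0.0.9", "2001-04-09 17:05", 80, "tcp", 42000),
    ],
}

# Sort keys the web form may ask for; anything else raises KeyError, because
# an ORDER BY target cannot be bound as a SQL parameter.
ORDER_BY = {"volume": "volume DESC", "ts": "ts", "src": "src"}


def day_table(day):
    """One table per day of data (slide 13). Parsing the date first means a
    caller can never smuggle SQL into the table name."""
    return "traffic_" + date.fromisoformat(day).strftime("%Y%m%d")


def _in_net(ip, net):
    # strict=False accepts the slide's host-style notation 192.168.10.11/24.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def build_db():
    """Loader step: create the description table and one table per day."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("in_net", 2, _in_net)
    conn.execute("CREATE TABLE network_desc (network TEXT, organism TEXT, entity TEXT, location TEXT)")
    conn.executemany("INSERT INTO network_desc VALUES (?, ?, ?, ?)", NETWORK_DESC)
    for day, rows in FLOWS.items():
        t = day_table(day)
        conn.execute(f"CREATE TABLE {t} (src TEXT, dst TEXT, ts TEXT, "
                     "port INTEGER, protocol TEXT, volume INTEGER)")
        conn.executemany(f"INSERT INTO {t} VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def query_traffic(conn, day, port=None, protocol=None, order_by="volume"):
    """Query tool (slide 19): build the SQL from the form parameters, bind
    the filter values, execute, and return the sorted rows."""
    clauses, params = [], []
    if port is not None:
        clauses.append("port = ?")
        params.append(port)
    if protocol is not None:
        clauses.append("protocol = ?")
        params.append(protocol)
    sql = f"SELECT src, dst, ts, port, protocol, volume FROM {day_table(day)}"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY " + ORDER_BY[order_by]
    return conn.execute(sql, params).fetchall()


def volume_per_entity(conn, day):
    """Crosscheck (slide 8): attribute each flow's volume to the entity that
    owns its source network and rank the entities by total volume."""
    sql = (f"SELECT n.entity, SUM(f.volume) AS total FROM {day_table(day)} AS f "
           "JOIN network_desc AS n ON in_net(f.src, n.network) "
           "GROUP BY n.entity ORDER BY total DESC")
    return conn.execute(sql).fetchall()


def mrtg_lines(conn, day, port):
    """Slide 23: answer an MRTG external-script call with the four lines MRTG
    reads (value in, value out, uptime, target name). 'In' is volume whose
    destination lies in a described network, 'out' volume whose source does."""
    t = day_table(day)
    local = "EXISTS (SELECT 1 FROM network_desc AS n WHERE in_net(f.{col}, n.network))"
    sql = "SELECT COALESCE(SUM(volume), 0) FROM " + t + " AS f WHERE port = ? AND " + local
    vin = conn.execute(sql.format(col="dst"), (port,)).fetchone()[0]
    vout = conn.execute(sql.format(col="src"), (port,)).fetchone()[0]
    return [str(vin), str(vout), "n/a", f"port {port} on {day}"]


if __name__ == "__main__":
    db = build_db()
    for row in query_traffic(db, "2001-04-09", port=53):
        print(row)
    print(volume_per_entity(db, "2001-04-09"))
    print("\n".join(mrtg_lines(db, "2001-04-09", 53)))
```

The two places where user input reaches the SQL text rather than a bound parameter, the per-day table name and the ORDER BY column, are exactly the ones a web form in front of a database must constrain: here the table name is derived from a parsed date and the sort key is looked up in a fixed allowlist, so a request carrying anything else fails before any query is built.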
24
Graphic generation: SSH
25
Data mining
Produce unknown, non-trivial, useful information
Produce association rules: A and B => C
26
Association rules process
Database → Data Selection → Set of Transactions → Large Itemsets Research → Large Itemsets → Association Rules Generation → Association Rules → Explanation → Knowledge
Example: corn flakes and sugar => milk
27
Association rule example
"]14h-19h]" AND "SCAN/REGULAR_SERV" AND "[0-1KB]" AND "53" => "TUESDAY" (14.8%, 90.4%)
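The rule process of slide 26 and the rule of slide 27, as an added example that is not NetSEC's KDD module: support and confidence of a rule over a set of transactions, plus a small Apriori pass that finds the large (frequent) itemsets and derives single-consequent rules from them. Each transaction is the attribute set of one constructed flow record, using the item names of slide 27 (time slot, traffic class, size bin, port, weekday); the transactions, the extra item values, the thresholds and the reading of the slide's percentage pair as (support, confidence) are assumptions, and the slide's own 14.8% / 90.4% are not reproduced.

```python
"""Added example, not NetSEC's KDD module: support and confidence of an
association rule, plus a small Apriori pass that finds the large itemsets
and derives single-consequent rules (slides 25-27). Each transaction is
the attribute set of one constructed flow record: time slot, traffic
class, size bin, port and weekday, using the item names of slide 27."""
from itertools import combinations

# Constructed transactions (sample data, not measured traffic).
TRANSACTIONS = [
    {"]14h-19h]", "SCAN/REGULAR_SERV", "[0-1KB]", "53", "TUESDAY"},
    {"]14h-19h]", "SCAN/REGULAR_SERV", "[0-1KB]", "53", "TUESDAY"},
    {"]14h-19h]", "SCAN/REGULAR_SERV", "[0-1KB]", "53", "TUESDAY"},
    {"]14h-19h]", "SCAN/REGULAR_SERV", "[0-1KB]", "53", "MONDAY"},
    {"]14h-19h]", "REGULAR", "[1-10KB]", "80", "TUESDAY"},
    {"[8h-14h]", "SCAN/REGULAR_SERV", "[0-1KB]", "53", "TUESDAY"},
    {"[8h-14h]", "REGULAR", "[10-100KB]", "80", "WEDNESDAY"},
    {"]19h-8h]", "SCAN/REGULAR_SERV", "[0-1KB]", "22", "FRIDAY"},
    {"]14h-19h]", "REGULAR", "[0-1KB]", "53", "TUESDAY"},
    {"[8h-14h]", "REGULAR", "[1-10KB]", "80", "MONDAY"},
]


def count(transactions, itemset):
    """Number of transactions containing every item of the itemset."""
    itemset = frozenset(itemset)
    return sum(1 for t in transactions if itemset <= t)


def support(transactions, itemset):
    """Fraction of transactions containing the whole itemset."""
    return count(transactions, itemset) / len(transactions)


def confidence(transactions, antecedent, consequent):
    """P(consequent | antecedent) = support(A u C) / support(A), computed
    from counts so the ratio is exact."""
    both = count(transactions, set(antecedent) | set(consequent))
    return both / count(transactions, antecedent)


def frequent_itemsets(transactions, min_support):
    """Apriori (the 'large itemsets research' step): grow itemsets level by
    level, keeping a candidate only if every (k-1)-subset was frequent."""
    n = len(transactions)
    tsets = [frozenset(t) for t in transactions]

    def frequent(s):
        return count(tsets, s) / n >= min_support

    level = {frozenset([i]) for t in tsets for i in t}
    level = {s for s in level if frequent(s)}
    found = {s: count(tsets, s) for s in level}
    k = 1
    while level:
        k += 1
        # Join step: unions of two frequent (k-1)-sets that differ in one item.
        candidates = {a | b for a in level for b in level if len(a | b) == k}
        # Prune step: every (k-1)-subset must itself be frequent.
        candidates = {c for c in candidates
                      if all(frozenset(sub) in level for sub in combinations(c, k - 1))}
        level = {c for c in candidates if frequent(c)}
        found.update({c: count(tsets, c) for c in level})
    return found


def association_rules(transactions, min_support, min_confidence):
    """Rule generation step: rules 'A => c' with one consequent item."""
    n = len(transactions)
    found = frequent_itemsets(transactions, min_support)
    rules = []
    for itemset, cnt in found.items():
        if len(itemset) < 2:
            continue
        for c in itemset:
            antecedent = itemset - {c}
            conf = cnt / found[antecedent]  # antecedent is frequent by Apriori closure
            if conf >= min_confidence:
                rules.append((antecedent, c, cnt / n, conf))
    return rules


def format_rule(rule):
    """Render a rule the way slide 27 does: items joined by AND, then
    (support%, confidence%)."""
    antecedent, c, sup, conf = rule
    lhs = " AND ".join(f'"{i}"' for i in sorted(antecedent))
    return f'{lhs} => "{c}" ({sup * 100:.1f}%, {conf * 100:.1f}%)'


if __name__ == "__main__":
    for r in sorted(association_rules(TRANSACTIONS, 0.3, 0.7), key=format_rule):
        print(format_rule(r))
```

Support says how much of the day's traffic a rule describes and confidence how reliably the antecedent predicts the consequent; a low-support, high-confidence rule found on a scan-heavy afternoon is the kind of "unknown, non-trivial" fact the explanation step hands to the analyst.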
28
Conclusion
A contribution to improve security
A metrology-based application, built on a database, open & modular
Who would like to participate?
E-mail: netsec@grenet.fr
29