TDAC Anomaly Detection Technical Overview · 2020. 7. 1.
www.telesoft-technologies.com | © copyright 2018 by Telesoft Technologies. All rights reserved.


TDAC Anomaly Detection

The volume of network events within national ISPs/telcos and large enterprises means that they have to classify and prioritise certain data over other data in order to protect specific elements of their networks.

Elements of a carrier-scale network

• Connected devices (user equipment, IoT devices, LAN & VNO)
• Own physical infrastructure (routing, firewalls, gateways & switches)
• Own services and applications
• Internet (web servers, streaming, OTT services, P2P & VoIP)
• CNI (utilities, transport & financial)

This presentation gives a technical overview of TDAC Anomaly Detection, using ‘Entity Sets’ to map the logical and physical elements of hyperscale networks.

1. Features covered

• Entity sets
  • Provisioned and auto-discovered sets
  • Tagging physical & logical network assets (inc. CNI)
  • Logical (e.g. services) and physical network topologies
• Anomaly detection
  • DDoS examples – HTTP flood, Water torture (Slowloris)
  • Other threats classified: wider DDoS, botnet C2, crimeware, data exfiltration, spam, anonymizers, network zone transgressions, zero day, more …
• Flow reputation
  • IPv4/6 and domain* reputation (*with Telesoft FlowProbe)
• Dashboard configuration
  • See TDAC user guide (35298-07) section 9

2. Entity sets

• Entity sets describe:
  • Physical and non-physical network assets
  • Infrastructure
  • Services/applications
  • Logical and physical network topologies
• Entity set members
  • Can be one or more of IPv4, IPv6, CIDR, domain
  • Members can belong to more than one entity set
  • All flows tagged with their set(s) for rapid forensics
  • All entity sets are monitored
• Types
  • Provisioned – by the user
  • Discovered – by the platform

3. Entity set types

Two types are shown side by side: provisioned (by the user) and discovered (by the platform). Examples on the slide: router and interface network infrastructure, botnet topologies.

4. Entity set provisioning

• IPv4/6 and CIDR notation supported
• Domain classification supported with Telesoft FlowProbe
• Tag or drop (do not store) per-flow actions
• Customer-definable list of tags supports monitoring and defence of:
  • Logical network (e.g. application, service, VNO)
  • Physical network (e.g. datacentre)
  • Other customer-specific use cases

5. Entity sets – examples

IP ranges | Tags applied to flows (source/destination IP or domain matched) | Notes
10.0.0.0 | group: Application; service: Instant messaging; environment: Production | The production environment of the operator's Instant messaging service, one item in the suite of services/applications offered by the operator. Part of the logical network.
10.0.0.2 | group: Application; service: Instant messaging; environment: Quality Assurance | The QA environment of the above. Part of the logical network.
10.0.0.15 | group: Application; service: VoIP; environment: Production | VoIP production environment, another item in the suite of applications. Part of the logical network.
10.0.0.0, 10.0.0.2 | group: Network; zone: Northumberland; name: Ashington Data Centre | One of the entity sets describing the physical network; in this case the operator has multiple national data centres and is grouping them by county. Note that 10.0.0.0 and 10.0.0.2 also belong to the application sets above, so their flows carry both sets' tags. Part of the physical network.
10.0.0.1, 11.0.0.0/8 | group: Network; zone: Northumberland; name: Longtown Data Centre | Another data centre in Northumberland (showing single IPv4 and CIDR config). Part of the physical network.
12.0.0.0/8, FC00::/96, kensington.cdn.company.com | group: Network; zone: London; name: Kensington Data Centre | Another data centre in a different county (showing IPv4 & IPv6 CIDR and domain config). Part of the physical network.
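The matching and tagging behaviour described on the entity-set slides (members of type IPv4, IPv6, CIDR or domain; membership in more than one set; tag-or-drop per-flow actions), as an added example that is not Telesoft's code. It re-creates the table above as provisioned sets and adds one hypothetical "drop" set for probe traffic; the rule that a domain member also covers its subdomains, and the flow-record field names, are assumptions.

```python
"""Entity-set tagging of flow records (added example, not Telesoft code).

Models the slides' entity sets as provisioned member lists (IPv4, IPv6,
CIDR, domain) that carry tags and a per-flow action (tag, or drop = do not
store).  A flow matches a set when its source or destination IP, or its
domain, is a member.  A member may sit in several sets, so one flow can
collect tags from all of them, as 10.0.0.0 does in the slide's table.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class EntitySet:
    name: str
    members: list          # '10.0.0.1', '11.0.0.0/8', 'fc00::/96', 'cdn.example.com'
    tags: dict             # e.g. {'group': 'Network', 'zone': 'Northumberland'}
    action: str = "tag"    # 'tag' = store flow with tags, 'drop' = do not store
    _nets: list = field(init=False, default_factory=list)
    _domains: list = field(init=False, default_factory=list)

    def __post_init__(self):
        for m in self.members:
            try:
                # A bare address becomes a /32 or /128 network, so single IPs
                # and CIDR blocks share one code path.
                self._nets.append(ipaddress.ip_network(m, strict=False))
            except ValueError:
                self._domains.append(m.lower().rstrip("."))

    def matches(self, flow):
        for key in ("src_ip", "dst_ip"):
            if flow.get(key):
                addr = ipaddress.ip_address(flow[key])
                # 'in' is False across address families, so a v4 address
                # never matches a v6 block by accident.
                if any(addr in net for net in self._nets):
                    return True
        dom = (flow.get("domain") or "").lower().rstrip(".")
        # Assumption: a domain member also covers its subdomains.
        return any(dom == d or dom.endswith("." + d) for d in self._domains)


def tag_flow(flow, entity_sets):
    """Return (stored, tags). Any matching 'drop' set wins and the flow is
    not stored; otherwise tags from every matching set are merged."""
    matched, merged = [], {}
    for es in entity_sets:
        if not es.matches(flow):
            continue
        if es.action == "drop":
            return False, {}
        matched.append(es.name)
        for k, v in es.tags.items():
            merged.setdefault(k, set()).add(v)
    return True, {"sets": matched, **{k: sorted(v) for k, v in merged.items()}}


def app(service, env):
    return {"group": "Application", "service": service, "environment": env}


def dc(zone, name):
    return {"group": "Network", "zone": zone, "name": name}


# The slide's example table, plus one hypothetical 'drop' set for probe
# traffic the operator does not want to retain.
SETS = [
    EntitySet("IM production", ["10.0.0.0"], app("Instant messaging", "Production")),
    EntitySet("IM QA", ["10.0.0.2"], app("Instant messaging", "Quality Assurance")),
    EntitySet("VoIP production", ["10.0.0.15"], app("VoIP", "Production")),
    EntitySet("Ashington DC", ["10.0.0.0", "10.0.0.2"], dc("Northumberland", "Ashington Data Centre")),
    EntitySet("Longtown DC", ["10.0.0.1", "11.0.0.0/8"], dc("Northumberland", "Longtown Data Centre")),
    EntitySet("Kensington DC", ["12.0.0.0/8", "FC00::/96", "kensington.cdn.company.com"],
              dc("London", "Kensington Data Centre")),
    EntitySet("Monitoring probes", ["192.0.2.0/24"], {}, action="drop"),  # hypothetical
]

if __name__ == "__main__":
    for flow in ({"src_ip": "10.0.0.0", "dst_ip": "203.0.113.5"},
                 {"src_ip": "198.51.100.1", "dst_ip": "fc00::1"},
                 {"src_ip": "192.0.2.9", "dst_ip": "10.0.0.15"}):
        print(flow, "->", tag_flow(flow, SETS))
```

The first flow picks up both the application tags and the data-centre tags because 10.0.0.0 is a member of two sets; the third flow matches the VoIP set but is still discarded, because a drop action on any matching set takes precedence over tagging.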

6. Anomaly Detection

Dashboard panels shown:
• Current and historical incidents and severity
• Top network threats and incidents
• Top threats and incidents by entity (see the entity sets slides)

All discovered data supports single-click to apply as a filter or to change the dashboard view, for a rapid incident-forensic pivot.

7. Example pivot – DDoS HTTP flood

Screenshot callouts: attack profile, target, attack sources (botnet zombies).

An overwhelming proportion of HTTP flows attempting to consume the target's resources. The flows contain the full expected set of TCP flags, because each connection completes the handshake and carries a request; SYN, half-open and flag-flood attacks look similar in volume, but their flows do not contain all the TCP flags. As shown, the attack has the shape of a wave.

8. Example pivot – DDoS Water Torture (Slowloris)

Screenshot callouts: attack profile, target, attack source.

Long-duration flows that drip bytes at a very low rate, holding connections open and consuming the resources the target needs to serve legitimate requests. The attack looks blocky on the timeline (like the continual dripping of water), as shown. Note the shared name: "water torture" is also used for the DNS random-subdomain attack; here it refers to the slow-HTTP pattern.
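The two pivots above separate attacks by the shape of their flows rather than by volume alone: complete-handshake flows arriving in a wave (HTTP flood), flows that never get past SYN (SYN/half-open flood), and a few very long, very slow flows forming a block (Slowloris). The following added example, not Telesoft's code, runs that triage over constructed flow records of the kind a flow probe exports; the thresholds and the record fields are assumptions, not product defaults.

```python
"""Shape-based triage of DDoS flow records (added example, not Telesoft code).

Each record is one flow as a probe would export it: start/end time in
seconds, byte count and the TCP flags seen.  Three shapes are separated:
  * http flood            - a wave of short, complete TCP conversations
  * syn/half-open flood   - a burst whose flows never carry ACK or FIN
  * slowloris             - few very long, dripping flows (the 'block')
"""
import statistics
from collections import Counter

# Illustrative thresholds (assumptions, not product defaults)
BASELINE_FPS = 5.0        # new flows/sec above which a target is 'busy'
SLOW_MIN_DURATION = 30.0  # seconds a flow must last to count as 'slow'
SLOW_MAX_RATE = 50.0      # bytes/sec below which a long flow is 'dripping'


def is_complete(flags):
    """Full TCP conversation: handshake completed and connection torn down."""
    return {"SYN", "ACK"} <= flags and bool(flags & {"FIN", "RST"})


def concurrency_series(flows):
    """Flows open in each whole second: the dashboard's time axis."""
    series = Counter()
    for f in flows:
        for s in range(int(f["start"]), int(f["end"]) + 1):
            series[s] += 1
    return [series[s] for s in sorted(series)]


def classify_target(flows, target):
    tf = [f for f in flows if f["dst"] == target]
    if not tf:
        return {"verdict": "no traffic"}
    span = max(f["end"] for f in tf) - min(f["start"] for f in tf)
    fps = len(tf) / max(span, 1.0)
    complete_frac = sum(is_complete(f["flags"]) for f in tf) / len(tf)
    # Resource consumption is connection-seconds, not bytes: that is what
    # makes a handful of dripping flows as damaging as a flood.
    conn_seconds = max(sum(f["end"] - f["start"] for f in tf), 1e-9)
    slow = [f for f in tf
            if f["end"] - f["start"] >= SLOW_MIN_DURATION
            and f["bytes"] / (f["end"] - f["start"]) < SLOW_MAX_RATE]
    slow_share = sum(f["end"] - f["start"] for f in slow) / conn_seconds
    series = concurrency_series(tf)
    cv = statistics.pstdev(series) / statistics.mean(series)
    shape = "wave" if cv > 0.5 else "block"     # rise-and-fall vs. steady plateau
    if len(slow) >= 10 and slow_share > 0.5:
        verdict = "slowloris"
    elif fps > BASELINE_FPS and complete_frac < 0.2:
        verdict = "syn/half-open flood"
    elif fps > BASELINE_FPS and complete_frac >= 0.8:
        verdict = "http flood"
    else:
        verdict = "normal"
    return {"verdict": verdict, "flows_per_sec": round(fps, 2),
            "complete_fraction": round(complete_frac, 2), "slow_flows": len(slow),
            "slow_share": round(slow_share, 2), "peak_concurrent": max(series),
            "shape": shape}


def make_flows():
    """Constructed flow records (not captured data) reproducing the three shapes."""
    flows = []
    full = {"SYN", "ACK", "PSH", "FIN"}
    # Legitimate background over a 60 s window: 2 short complete flows/sec to
    # the VoIP server (10.0.0.15) and 1/sec to the IM server (10.0.0.0).
    for t in range(60):
        for k in range(2):
            flows.append(dict(src=f"198.51.100.{k}", dst="10.0.0.15",
                              start=t, end=t + 0.3, bytes=4000, flags=full))
        flows.append(dict(src="198.51.100.9", dst="10.0.0.0",
                          start=t, end=t + 0.3, bytes=4000, flags=full))
    # HTTP flood: a wave of short complete flows from many sources,
    # ramping up to 40/sec at t=30 and back down again.
    for t in range(20, 40):
        for k in range(4 * (10 - abs(t - 30))):
            flows.append(dict(src=f"203.0.113.{k % 250}", dst="10.0.0.15",
                              start=t, end=t + 0.2, bytes=600, flags=full))
    # SYN / half-open flood against the IM QA host: 30 flows/sec, SYN only.
    for t in range(60):
        for k in range(30):
            flows.append(dict(src=f"192.0.2.{k}", dst="10.0.0.2",
                              start=t, end=t + 3, bytes=60, flags={"SYN"}))
    # Slowloris against the IM server: 25 flows held open all window, 5 B/s.
    for k in range(25):
        flows.append(dict(src="203.0.113.250", dst="10.0.0.0", start=0, end=60,
                          bytes=300, flags={"SYN", "ACK", "PSH"}))
    return flows


if __name__ == "__main__":
    data = make_flows()
    for target in ("10.0.0.15", "10.0.0.2", "10.0.0.0"):
        print(target, classify_target(data, target))
```

The Slowloris target never exceeds the flow-rate baseline, which is why the slow-flow test runs first: on a rate-only view the attack is invisible, while on a connection-seconds view it accounts for almost all of the target's load.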

9. Flow reputation

Screenshot callouts: threat classifications, threat descriptions.

10. Flow reputation lists

• Intel sources
  • Open threat intelligence
  • Support for STIX format and IDS rule sets (e.g. Snort, Suricata)
  • Bespoke/customer intel lists supported
• Updating
  • Update frequency – hourly to daily
  • Central site propagates rules throughout remote systems

11. Threat alerting

• Alert on
  • IP/domain reputation classification
  • Anomaly (user tuning supported for severity, classification, etc.)
• Alert mechanisms
  • TDAC GUI
    • Alert tied to other retained data
    • Provides the immediate first step in incident forensics
  • Outbound webhook (JSON via secure REST API)
  • Syslog
  • Apache Kafka
  • BGP Flowspec instruction – attack mitigation (threat type & infrastructure dependent)
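The flow-reputation and threat-alerting slides describe a pipeline: intel arrives in STIX form, is flattened into an IP/domain reputation list that is refreshed hourly to daily, flows are classified against it, and each hit becomes an alert carrying its classification and description for the GUI, webhook (JSON) and syslog channels. The following added example, not Telesoft's code, implements that pipeline end to end. The STIX 2.1 bundle is constructed with placeholder UUIDs; only ipv4-addr, ipv6-addr and domain-name equality terms are extracted; the alert schema, the syslog line format and exact-match domain lookup are assumptions.

```python
"""Flow reputation from STIX 2.1 indicators, and the alert records that feed
the outbound channels (added example, not Telesoft code).

Revoked and expired indicators are skipped, so a feed refreshed hourly or
daily cannot keep alerting on entries the source has withdrawn.
"""
import ipaddress
import json
import re
from datetime import datetime, timezone

STAMP = "2020-07-01T00:00:00Z"
NOW = datetime(2020, 7, 1, 12, 0, tzinfo=timezone.utc)   # evaluation time for validity checks


def indicator(n, name, pattern, **extra):
    """Minimal STIX 2.1 Indicator object (constructed test data)."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
            "created": STAMP, "modified": STAMP, "valid_from": STAMP,
            "name": name, "pattern": pattern, "pattern_type": "stix", **extra}


BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000ff",
          "objects": [
    indicator(1, "Botnet C2", "[ipv4-addr:value = '203.0.113.77']",
              description="C2 node (constructed)", indicator_types=["malicious-activity"]),
    indicator(2, "Anonymizer", "[domain-name:value = 'Anon.Example.NET']",
              indicator_types=["anonymization"]),
    indicator(3, "Spam source",
              "[ipv4-addr:value = '198.51.100.20' OR ipv4-addr:value = '198.51.100.21']"),
    indicator(4, "Data exfiltration", "[ipv6-addr:value = '2001:DB8::BAD:1']"),
    indicator(5, "Stale entry", "[ipv4-addr:value = '192.0.2.5']",
              valid_until="2020-06-01T00:00:00Z"),            # expired before NOW
    indicator(6, "Withdrawn entry", "[ipv4-addr:value = '192.0.2.6']", revoked=True),
    {"type": "malware", "spec_version": "2.1",                 # not an indicator: ignored
     "id": "malware--00000000-0000-4000-8000-000000000007",
     "created": STAMP, "modified": STAMP, "name": "Generic crimeware", "is_family": True},
]}

TERM = re.compile(r"(ipv4-addr|ipv6-addr|domain-name):value\s*=\s*'([^']+)'")


def normalise(kind, value):
    """Canonical lookup key: lower-case domains, compressed IP text."""
    if kind == "domain-name":
        return value.lower().rstrip(".")
    return str(ipaddress.ip_address(value))


def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_reputation(bundle, now=NOW):
    """Flatten the bundle into {observable value: reputation entry}."""
    table = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue                     # Snort/YARA patterns need their own engine
        until = obj.get("valid_until")
        if until and parse_time(until) <= now:
            continue                     # expired
        for kind, value in TERM.findall(obj["pattern"]):
            table[normalise(kind, value)] = {
                "classification": obj.get("name", "unknown"),
                "description": obj.get("description", ""),
                "types": obj.get("indicator_types", []),
                "indicator": obj["id"]}
    return table


def lookup(flow, table):
    """Return [(field, value, entry)] for every reputation hit on the flow."""
    hits = []
    for f in ("src_ip", "dst_ip"):
        if flow.get(f):
            entry = table.get(normalise("ip", flow[f]))
            if entry:
                hits.append((f, flow[f], entry))
    if flow.get("domain"):
        entry = table.get(normalise("domain-name", flow["domain"]))
        if entry:
            hits.append(("domain", flow["domain"], entry))
    return hits


def make_alert(flow, hit, now=NOW):
    """Alert record; the flow is embedded so the alert stays tied to the
    retained data it came from (schema is an assumption)."""
    field, value, entry = hit
    return {"time": now.isoformat(), "alert_type": "reputation",
            "classification": entry["classification"],
            "description": entry["description"],
            "indicator": entry["indicator"],
            "matched": {"field": field, "value": value},
            "flow": flow}


def to_webhook(alert):
    return json.dumps(alert, sort_keys=True)          # body for the outbound webhook


def to_syslog(alert):
    """One-line key=value rendering for the syslog channel (format assumed)."""
    m, fl = alert["matched"], alert["flow"]
    return (f'tdac-alert type={alert["alert_type"]} class="{alert["classification"]}" '
            f'field={m["field"]} value={m["value"]} src={fl.get("src_ip")} '
            f'dst={fl.get("dst_ip")} indicator={alert["indicator"]}')
```

Two details carry over to any real feed loader: values are normalised before they become keys (mixed-case domains and uncompressed IPv6 text otherwise miss), and validity is evaluated at load time against a clock you control, so the list produced by each hourly or daily refresh is reproducible.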
