Analysis of the US-CERT DAC...(Figure of Merit) –Evaluate hours –Record # alerts, # source IP...

CERTCERTSituationalSituationalAwarenessAwareness

© 2004 by Carnegie Mellon University

CERT® Network Situational Awareness GroupSoftware Engineering InstituteCarnegie Mellon UniversityPittsburgh, PA 15213-3890

The CERT Network Situational Awareness Group is part of the Software Engineering Institute.The Software Engineering Institute is sponsored bythe U.S. Department of Defense.

Analysis of the US-CERT DACJosh McNutt <[email protected]>

FloCon: Netflow Analysis Workshop

July 21, 2004


© 2004 by Carnegie Mellon University 2

Outline

• Data• Graphical Displays

• Detecting Trends• Anomaly Detection• Roadmap



Data

• Snort– Signature-based alerts– Pre-processor alerts

• Origin– Multiple networks of varying size

• Volume– ~30-50 million alerts per month

• Ancillary Information– Country code– Netblock



IDS Data: challenges

• No new attacks– Only matches known signatures

• Lack of context– Don’t know what we are not seeing

• Non-standardized signature rule sets– No administrative control

• Missing Data– Uncertainty: Sensor failure vs. no intrusion attempts



TCP Destination Port Changes

-30.0%

-20.0%

-10.0%

0.0%

10.0%

20.0%

30.0%

40.0%

sid2sid9sid11sid13

sid2 39.7% 9.7% 4.2% 7.3% 5.2%

sid9 10.2% 4.1% 1.3% -18.0% -0.9%

sid11 4.0% 0.0% -15.9%-25.0% -7.6%

sid13 17.2% 0.0% -1.2% -0.4% -12.5%

Port 80

Port 119

Port 1080

Port 3128

Port 8080

Comparison of port activity across organizations shows monthlytrends.



Share of New Source IP Addresses

0%

20%

40%

60%

80%

100%

1/1/

2004

1/8/

2004

1/15

/200

4

1/22

/200

4

1/29

/200

4

2/5/

2004

2/12

/200

4

2/19

/200

4

2/26

/200

4

Old source IP's

New source IP's

Share of new daily source IP addresses stays fairly consistent.



Signature Class Transition

Transition probabilities highlight sequential patterns in data.• Current State

– Source IP records alert onDestination IP

• Transition probability– Percent chance for next

class of alert recorded

• Most source/dest combosinvolve only one signatureclass

• Small transition probabilityfor– Privilege Escalation

0.0% 5.0% 10.0% 15.0%

Transition Probability

Policy Violation

PrivilegeEscalation

Reconnaissance

SuspiciousActivity

Denial-of-Service

Cu

rren

t S

tate

Policy ViolationPrivilege EscalationReconnaissanceSuspicious ActivityDenial-of-Service

May 1, 2004



Daily Transition Probabilities

Transition probabilities can be monitored over time toidentify consistent sequences.

Reconnaissance to Suspicious Activity

0%5%

10%15%20%25%30%35%40%45%50%

5/1/

2004

5/8/

2004

5/15

/200

4

5/22

/200

4

5/29

/200

4

Reconnaissance toSuspicious Activity



Trend Detection

• Current month vs.previous month– Across organizations– % changes

• Time Series– Fit trend line

– Arbitrary time period

– Seasonal Components– Regression with ARMA

errors

-30.0%

-20.0%

-10.0%

0.0%

10.0%

20.0%

30.0%

40.0%

sid2sid9sid11sid13

sid2 39.7% 9.7% 4.2% 7.3% 5.2%

sid9 10.2% 4.1% 1.3% -18.0% -0.9%

sid11 4.0% 0.0% -15.9%-25.0% -7.6%

sid13 17.2% 0.0% -1.2% -0.4% -12.5%

Port 80

Port 119

Port 1080

Port 3128

Port 8080

0

10000

20000

30000

40000

50000

60000

1 3 5 7 9 11 13 15 17 19 21 23 25 27

data

fit

Linear (data)



Anomaly Detection

• Goal: Identify data points whichdeviate from overall pattern ofdata

• Our current implementation(Figure of Merit)– Evaluate hours

– Record # alerts, # source IPaddresses, # destination IPaddresses, # signatures

• For each hour, we wantmeasure of how deviant it was.

figure_of_merit

050

100150200250300350400

2004

-04-

01 0

0

2004

-04-

03 1

1

2004

-04-

05 2

2

2004

-04-

08 0

9

2004

-04-

10 2

0

2004

-04-

13 0

7

2004

-04-

15 1

8

2004

-04-

18 0

5

2004

-04-

20 1

6

2004

-04-

23 0

3

2004

-04-

25 1

4

2004

-04-

28 0

1

2004

-04-

30 1

2

figure_of_merit



-5 0 5

-50

5

destination IP addresses

sour

ce IP

add

ress

es

Mahalanobis distance: 2D case

Euclidean Distance (based on circle)

Mahalanobis Distance (based on ellipse)• Compute distance metricbetween each hour and theaverage hour

• When measuring Euclidean(Mahalanobis) Distance, allpoints along circle (ellipse) aresame distance from the center– Points on larger circle/ellipse

are greater distance fromcenter

• Shape of the ellipse– Function of correlation

between variables

• Generalizes to n dimensions(Ellipsoid)

Data is for Illustration Only



Analysis Roadmap

• Incorporate flow data• Automating trend detection

– Time series analysis

• Clustering– Group sources by similar activity patterns

– Temporal correlation– Targeting similarities

– Signature usage

– Look for evidence of possible coordination

Analysis of the US-CERT DAC...(Figure of Merit) –Evaluate hours –Record # alerts, # source IP...

Documents

Transcript of Analysis of the US-CERT DAC...(Figure of Merit) –Evaluate hours –Record # alerts, # source IP...