NetSEC: metrology-based application

for network security

Jean-François SCARIOT

Bernard MARTINET

Centre Interuniversitaire

de Calcul de Grenoble

TNC 2002June 2002

2

Plan Metrology

Why, what & how? Analyze

NetSEC Goals Architecture Available tools

Conclusion

3

why to measure? To know network usage

To know network availability

To detect dysfunction

To do cost sharing

Also… to improve security

4

What and how to measure? Qualitative: knowing its network

I/O traffic load, CPU load, collision…

Watch the counters of the equipments

Quantitative: controlling its network Traffic type, I/O traffic load per host or

group...

extract information from frame analysis

5

Measurement to supervise Daily supervision (15’ is enough )

Curves or bar graphs

Always the same "look"

““To control and manage a To control and manage a network, you must visualize its network, you must visualize its

behaviour”behaviour”

6

Highlighting a problem

Monday April the 2nd 2001

Monday April the 9th 2001

A « normal » day

May be some problems

7

Highlighting a problem

Unfortunately!

Problem discovery is a

posteriori

We have to go back We have to go back AndAnd

analyze the traffic of the involved period. analyze the traffic of the involved period.

8

Traffic analyzing

Locate the host(s) Date, addresses, intrusion method, extend

of the damage…

HOW?

Doing crosschecking

Sorting metrology data on several

parameters Powerful sorting tools are Powerful sorting tools are

needed!needed!

9

NetSEC goals

To have an evolving software

To analyze “well-known” data NetMET IPtrafic

To support open standards

To improve the security of

networking computers

10

NetSEC foundations

Using a relational database

A simple network description

A modular architecture

Using an open source software

11

Open software

Linux system (Redhat)

MySQL database

Apache Web server

JAVA

12

About database

JDBC database access

Basic SQL queries

One loader per collector

13

DB structure

One table for one day (of data) src@ & dst@ Date Port & protocol Volume

One table for the network description

14

Network description A network

192.168.10.11/24

An organism University Joseph Fourier

An entity CICG

A location Campus of Grenoble

15

Available tools

A data query module

A graphic generator module

A data mining module

16

Architecture

Query Engine

QueryProcess

SQLRequest

s

HTMLRequest

s

NetworkDescriptio

n

Loader

GraphicGeneratio

nProcess

Graphic Generator Engine

SQLRequest

sDB

KDDProcess

Knowledge Discovery Database Engine

Collector

Collected

Data

Loader

SQLRequest

s

ALARMSREPPORTS

17

The query tool

To use the SQL power Sort Query Extract

Querying data with a friendly interface

18

Web interface (Question)

19

How does it work?

Parameters processing

JDBC driver loading & connection

Building and executing the SQL query

Displaying the results

20

Web interface (Answer)

21

Graphic generation

A zoom of a network on demand.

A supervision of a determined services

22

Graphic generation: HTTP

23

Functioning

Database system provides data

Querying database (with SQL queries)

Returning results to MRTG for displaying

MRTG Graphics building

24

Graphic generation: SSH

25

Data mining

Produce unknown information non trivial Useful

Produce association rules A and B => C

26

Association rules process

Database

Set ofTransactio

ns

DataSelection

Explanation Knowledge

Large Itemsets

LargeItemsetsResearch

Associationrules

Association Rules

Generation Corn flakes and sugar milk

27

Association rule example

"] 14h-19h]" AND

"SCAN/REGULAR_SERV" AND

"[0-1KB]" AND

53 "TUESDAY" (14.8%, 90.4%)

28

Conclusion A contribution to improve

security

A metrology based-application Built on a database Open & Modular

Who would like to participate?

E-mail : netsec@grenet.fr E-mail : netsec@grenet.fr

29

TIGRE