Detecting network events using a signature-based flow tracking model
Abstract
Analyzing current network traffic means coping with a variety of protocols that generate flows at different densities, which makes it harder to detect specific events within that diversity. This work presents an event detection model based on signatures that use information provided exclusively by network flows. These signatures are either exact descriptions (misuse) or threshold-based rules (anomalies), and they allow events to be tracked across the network flow environment. The ACHoW system is an implementation of this model; it allows the detection and identification of events such as malware spreading, denial of service and general anomalies.
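As an added illustration of the two signature kinds the abstract distinguishes (this is example code, not code from the paper or from the ACHoW system), the Python sketch below evaluates signatures over flow records only: a misuse signature that matches exact field values, and threshold signatures that count distinct peers per source or per destination to flag a host sweep and a SYN flood. The flow field set, the rule names, the thresholds and the sample flows are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # NetFlow v5-style cumulative tcp_flags bits


@dataclass(frozen=True)
class Flow:
    """One exported flow record: the 5-tuple plus counters.
    This field set is an assumption of the example, not ACHoW's schema."""
    src: str
    dst: str
    proto: int       # 6 = TCP, 17 = UDP, 1 = ICMP
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: int   # OR of all TCP flags seen during the flow


def misuse_signature(name, **fields):
    """Exact description: alert on every flow whose fields equal the given values."""
    def rule(flows):
        return [(name, f.src, f.dst)
                for f in flows
                if all(getattr(f, k) == v for k, v in fields.items())]
    return rule


def threshold_signature(name, group_by, distinct, threshold, where=lambda f: True):
    """Threshold rule: group the flows that satisfy `where` by group_by(f), count the
    distinct values of distinct(f) in each group, alert when a group reaches threshold."""
    def rule(flows):
        seen = defaultdict(set)
        for f in flows:
            if where(f):
                seen[group_by(f)].add(distinct(f))
        return [(name, key, len(vals)) for key, vals in seen.items() if len(vals) >= threshold]
    return rule


def syn_only(f):
    """TCP flow that carried a SYN but never an ACK: a connection attempt that got no handshake."""
    return f.proto == 6 and (f.tcp_flags & (SYN | ACK)) == SYN


SIGNATURES = [
    # misuse: any TCP flow to the telnet port, which this hypothetical network forbids
    misuse_signature("telnet_use", proto=6, dport=23),
    # anomaly: one source opening SYN-only flows to many hosts on one port (spreading behaviour)
    threshold_signature("host_sweep", group_by=lambda f: (f.src, f.dport),
                        distinct=lambda f: f.dst, threshold=10, where=syn_only),
    # anomaly: many sources sending SYN-only flows to one service (SYN flood)
    threshold_signature("syn_flood", group_by=lambda f: (f.dst, f.dport),
                        distinct=lambda f: f.src, threshold=15, where=syn_only),
]


def evaluate(flows, signatures=SIGNATURES):
    """Run every signature over one batch of flows; returns {signature_name: [alerts]}."""
    alerts = defaultdict(list)
    for rule in signatures:
        for alert in rule(flows):
            alerts[alert[0]].append(alert)
    return dict(alerts)


def sample_flows():
    """Constructed batch: one benign web session, one telnet session,
    a 12-host SYN sweep on port 445 and a 20-source SYN flood against a web server."""
    flows = [Flow("10.0.0.5", "10.0.1.80", 6, 51000, 80, 42, 31000, SYN | ACK),
             Flow("10.0.0.5", "10.0.1.7", 6, 51001, 23, 30, 2400, SYN | ACK)]
    flows += [Flow("10.0.0.9", f"10.0.2.{i}", 6, 40000 + i, 445, 1, 60, SYN) for i in range(1, 13)]
    flows += [Flow(f"198.51.100.{i}", "10.0.1.80", 6, 1024 + i, 80, 1, 60, SYN) for i in range(1, 21)]
    return flows


if __name__ == "__main__":
    for name, hits in evaluate(sample_flows()).items():
        print(name, hits)
```

The point of the two rule constructors is that neither looks at payload: the misuse rule needs only header fields carried in every flow export, and the threshold rules need only the set of peers per key, which is why a single batch of flows is enough to separate the benign session from the sweep and the flood. Thresholds are the tuning knob: set them from a baseline of the monitored network, since a too-low value turns legitimate servers and scanners into anomalies.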
