Presentation is loading. Please wait.

Presentation is loading. Please wait.

FLAME: A Flow-level Anomaly Modeling Engine

Published byGodfrey Lucas Modified over 9 years ago

Similar presentations

Presentation on theme: "FLAME: A Flow-level Anomaly Modeling Engine"— Presentation transcript:

1 FLAME: A Flow-level Anomaly Modeling Engine
Daniela Brauckhoff, Arno Wagner, Martin May (Presentation: Martin Burkhart) ETH Zurich, Switzerland © ETH Zürich

2 Motivation Many approaches for NetFlow-based anomaly detection developed in recent years PCA, Kalman filter, clustering, wavelets, SOMs, sketches,... Evaluation of approaches is difficult since appropriate evaluation traces are not available Appropriate means labeled, versatile, representative, and of sufficient size and length

3 Available Evaluation Methods
Trace Merging Merge captured trace with attack traffic e.g., output from nmap scanner  generate flows Drawbacks: too simplistic, network characteristics might not match Shape injection Inject anomaly of certain shape, e.g., rectangle, directly into metric used by detector Drawbacks: too specific, required for each metric, unrealistic Simulation/Emulation Emulate network nodes and generate traffic synthetically Drawbacks: limited size of experiments, generation of background traffic is difficult

4 Anomaly Injection for ADS Testing
Solid lines: Flow data streams Router weg...

5 Anomaly Injection by Trace Modification
Advantages High reproducability Applicable to different data sets Fine-grained anomaly parameterization possible Generic with respect to detector since it modifies traffic directly (not derived metrics) Disadvantages Interaction with background traffic must be accounted for by the anomaly model Attack mitigation approaches cannot be evaluated Manual labeling of background traffic still necessary Characteristics of our approach

6 FLAME: An experimentation framework
C++ framework (helpers and modifiers) Standardized interface Python Plugin (anomaly models), so far 3 simple examples (wil be presented) FLAME is flexible, easily extensible, and available (so far upon request)

7 Setup Example One possible configuration
Reader/writer convert between flow format of file and internal flow format (packet of flows) Merger sorts flows based on timestamps (only one policy at the moment: export timestamp) and aggregates 30 flows into one flow packet

8 Flow vs Packet Generation
Packet-level traffic generation has advantage that flow export settings (timeouts, sampling rates) can be adapted to the underlying trace  less injection artifacts Packet-level models might not be available for all attacks (especially if models are extracted from flow traces), potentially more expensive FLAME supports packet-level and flow-level traffic generation

9 Generator/Add Component
Each packet/flow generator is its own process

10 Implementation Summary
Communication between components via named pipes Producer-consumer synchronization with bounded buffer size (consumer waits for input from producer) Generic flow forwarder interface between core components (based on NetFlow v5) Configuration for deleter and packet generator via embedded Python (plug-ins) Performance: 140‘000 flow records per second (Linux, 2xdual-core CPUs, 2.2 GHz, 8 GB RAM)

11 Types of Anomalies Subtractive Anomalies Additive Anomalies
Delete flows with defined characteristics from existing traffic Examples are outage events, ingress shifts Additive Anomalies Add flows with defined characteristics to existing traffic Examples are alpha flows, scans, bots Interactive Anomalies Delete exisiting flows, and add new flows Examples are denial of service attacks What general modifications are necessary to inject these anomalies...

12 Example 1: Ingress Shift
Deleter Model (python pseudo code): if (start < time < end) { if (source or destination IP address within range){ delete flow; } Deleter Parameters: start, end, shifted IP address range

13 Example 2: Constant Rate TCP SYN Scan
Generator Model on packet level (python pseudo code): while (start < time < end) { generate TCP SYN packet header generate reply with constant delay plus random offset, reply is either nothing, TCP RST, TCP SYN/ACK, or ICMP dest unreachable (source is router) advance time by 1 / scan rate } Generator Parameters: start, end, scan rate, scanned IP address range, scanner‘s source IP address, probability for each reply type, source/destination port

14 Example 3: Constant Rate SYN flooding
Generator Model and Parameters: Generate TCP SYN packet at flooding rate, generate reply with certain probability and constant delay plus random offset start, end, flooding rate, reply probability, victim IP address Deleter Model (accounts for loss of replies) and Parameters: Delete each flow with certain probability if source is victim start, end, IP address of victim, probability for a loss

15 Plots: Injection of TCP SYN Scan
Injection in flow trace captured from border router of Swiss educational backbone network (SWITCH AS 559) Scanning source internal, scanned destinations external Impact on common detection metrics (outgoing traffic): Left: number of flows, right: destination IP address entropy 2 Stunden...

16 Conclusion Contributions Future work
Flexible tool for anomaly injection (scripted model plugins) Extensibility: components can be easily added Three example anomalies (ingress shift, ddos, network scan) Future work Concentrate on model development Evaluate the model accuracy with flow traces

17 Questions FLAME is available from

Download ppt "FLAME: A Flow-level Anomaly Modeling Engine"

Similar presentations

Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.

Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Analysis of a Denial of Service Attack on TCP Christoph L.Schuba, Ivan V.Krsul, Markus G. Kuhn, Eugene H.Spafford, Aurobindo Sundaram, Diego Zamboni July.

Analysis of a Denial of Service Attack on TCP Christoph L.Schuba, Ivan V.Krsul, Markus G. Kuhn, Eugene H.Spafford, Aurobindo Sundaram, Diego Zamboni July.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Extensible Networking Platform 1 1 - IWAN 2005 Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood

Extensible Networking Platform IWAN 2005 Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood
Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.

Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.
Differentiated Services. Service Differentiation in the Internet Different applications have varying bandwidth, delay, and reliability requirements How.

Differentiated Services. Service Differentiation in the Internet Different applications have varying bandwidth, delay, and reliability requirements How.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
10 - Network Layer. Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving.

10 - Network Layer. Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving.
Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.

Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.
CS155: Computer and Network Security Programming Project 3 – Spring 2008 Craig Gentry, Naef Imam, Arnab Roy {cgentry, nimam, Thanks.

CS155: Computer and Network Security Programming Project 3 – Spring 2008 Craig Gentry, Naef Imam, Arnab Roy {cgentry, nimam, Thanks.
Students:Gilad Goldman Lior Kamran Supervisor:Mony Orbach Mid-Semester Presentation Spring 2005 Network Sniffer.

Students:Gilad Goldman Lior Kamran Supervisor:Mony Orbach Mid-Semester Presentation Spring 2005 Network Sniffer.
User-level Internet Path Diagnosis R. Mahajan, N. Spring, D. Wetherall and T. Anderson.

User-level Internet Path Diagnosis R. Mahajan, N. Spring, D. Wetherall and T. Anderson.
Network Monitoring for Internet Traffic Engineering Jennifer Rexford AT&T Labs – Research Florham Park, NJ 07932

Network Monitoring for Internet Traffic Engineering Jennifer Rexford AT&T Labs – Research Florham Park, NJ 07932
1 Sonia Fahmy Ness Shroff Students: Roman Chertov Rupak Sanjel Center for Education and Research in Information Assurance and Security (CERIAS) Purdue.

1 Sonia Fahmy Ness Shroff Students: Roman Chertov Rupak Sanjel Center for Education and Research in Information Assurance and Security (CERIAS) Purdue.
Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.

Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.
INTRUSION DETECTION SYSTEM

INTRUSION DETECTION SYSTEM
Port Scanning.

Port Scanning.

Similar presentations

Ads by Google