Next Generation Network Traffic Monitoring and
Anomaly Detection
Petr Špringl, INVEA-TECH (springl@invea-tech.com) – PLNOG 9
INVEA-TECH
• University spin-off company
 10 years of development, participation in EU-funded projects
 Liberouter project and programmable hardware: EUR 10 million invested, resulting in unique technologies
• Company profile
 Strong academic background: CESNET, MU, VUT
 Founded 2007
 Expansion onto foreign markets since 2010: UK, US, Canada, Germany, Japan and others
• Key products:
 FlowMon: network traffic monitoring
 ADS: detection of anomalies, operational and security issues
 FlowMon + ADS = a complete solution for monitoring and security
 FlowMon + ADS = a complete solution for monitoring and security
22.10.2012 FlowMon © INVEA-TECH 2012
References
• GÉANT2, Federica – monitoring of 7 European backbones
• CZ Ministry of Defense (via VDI META)
• Korea Telecom
• AVG, Aegon
• CESNET
• T-Mobile
• and more ...
Agenda
• Network & Security
 interesting/surprising statistics?
 standard security tools overview
• Network Traffic & Security Monitoring
• FlowMon Solution Introduction
• Use Case – Discovery of Botnet Chuck Norris
Network & Security
Malware
(chart; source: McAfee Threats Report: Fourth Quarter 2011)
Botnets – infected devices
(chart; source: McAfee Threats Report: Fourth Quarter 2011)
Botnets – infected devices (continued)
(chart; source: McAfee Threats Report: Fourth Quarter 2011)
Attackers Motivation
(chart; source: Radware – 2011 Global Application & Network Security Report)
Data Breaches
(chart; source: McAfee Threats Report: Fourth Quarter 2011)
Botnet as a Service
(chart; source: McAfee Threats Report: First Quarter 2011)
How to face attacks
• Attacks against organizations of every kind (SMBs, enterprises, government, education and others) are rising
• Attackers use many different approaches and attack types
 hacking, cracking, dictionary attacks, DoS/DDoS attacks, attacks against services, social engineering, identity theft, botnets…
• Organizations do not know which specific threats to fight
• Many attacks are undetectable by standard approaches
 Advanced Persistent Threats, zero-day attacks, polymorphic malware…
• What options are there
 for organizations?
 for ISPs?
Organizations
• Perimeter Security
 firewall, IDS/IPS, UTM, application firewall, web filter, email security, remote access
• Endpoint Security
 antivirus, personal firewall, antimalware, antirootkit, endpoint DLP
• Internal Network Security
 network traffic visibility – flow monitoring, NBA (Network Behavior Analysis), automatic anomaly detection
ISPs
• ISPs are in a different situation
• They face the same threats but have far fewer ways to counter them
• ISPs should not protect only themselves, but also
 help protect their customers
 protect the Internet from their customers
ISPs
• Network Element Security
 switches, routers…
 configuration, secure management, running services
• Network Security
 routing, rate limiting, filtering, redundancy
• Incident Detection
 alerts from customers, other ISPs or third parties
 IDS, syslog, SNMP monitoring
 network traffic visibility – flow monitoring, NBA (Network Behavior Analysis), automatic anomaly detection
Summary
• All the tools and approaches mentioned are very important from a security point of view
• Most of them, however, protect against known threats and attackers
• That is why continuous monitoring and detailed information about activity in the network is important
 provides complete visibility into the network
 can detect sophisticated attacks (APTs, zero-day attacks), including those the other approaches miss
Network Traffic & Security
Monitoring
Flow Monitoring Principles
• IP flow monitoring
 only packet headers are analysed; a flow is the set of packets sharing source and destination address, source and destination port and protocol, recorded with its packet count, byte count and timestamps
 packet content (payload) is not monitored
• Modern method for network monitoring
 NetFlow v5/v9 – a de facto standard originated by Cisco
Architecture
• Sources of network statistics
 switches, routers, specialized probes or other devices
 monitor the traffic, generate flow records and export them
• Flow data collectors
 store, collect and analyse the flow data
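The export between source and collector, as an added example (not FlowMon or Cisco code): the NetFlow v5 datagram format this deck builds on, encoded on the exporter side and decoded on the collector side. NetFlow v5 is a fixed layout, a 24-byte header followed by up to 30 records of 48 bytes, all big-endian, and it travels as unauthenticated UDP, so the decoder checks version, record count and datagram length before it trusts any field. The sample records are constructed.

```python
"""Encode and decode NetFlow v5 export datagrams.

Added example, not FlowMon or Cisco code. NetFlow v5 is a fixed layout:
a 24-byte header followed by up to 30 records of 48 bytes each, all
big-endian. A collector receives these over UDP from any host that can
reach its port, so the decoder validates version, record count and
datagram length before trusting a single field. Sample data constructed.
"""
import socket
import struct
from dataclasses import dataclass

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
V5_MAX_RECORDS = 30


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int
    first_ms: int      # exporter sysuptime (ms) of first packet
    last_ms: int       # exporter sysuptime (ms) of last packet
    tcp_flags: int = 0


def encode_v5(records, sys_uptime_ms, unix_secs, flow_sequence):
    """Exporter side: one datagram; flow_sequence counts flows sent so far."""
    if len(records) > V5_MAX_RECORDS:
        raise ValueError("NetFlow v5 carries at most 30 records per datagram")
    header = V5_HEADER.pack(5, len(records), sys_uptime_ms, unix_secs, 0,
                            flow_sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(r.src), socket.inet_aton(r.dst),
                       b"\0" * 4,                    # nexthop: unknown
                       0, 0,                         # input/output SNMP ifIndex
                       r.packets, r.octets, r.first_ms, r.last_ms,
                       r.sport, r.dport,
                       0, r.tcp_flags, r.proto, 0,   # pad1, flags, proto, tos
                       0, 0, 0, 0, 0)                # src/dst AS, masks, pad2
        for r in records)
    return header + body


def decode_v5(datagram):
    """Collector side: returns (flow_sequence, records); rejects malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampling = \
        V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > V5_MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(
            src=socket.inet_ntoa(f[0]), dst=socket.inet_ntoa(f[1]),
            proto=f[13], sport=f[9], dport=f[10],
            packets=f[5], octets=f[6], first_ms=f[7], last_ms=f[8],
            tcp_flags=f[12]))
    return seq, records


def lost_flows(prev_seq, prev_count, seq):
    """Gap detection: the next datagram should start at prev_seq + prev_count."""
    return seq - (prev_seq + prev_count)


def sample_records():
    """Constructed: one web flow and one telnet login attempt (flags SYN|ACK|PSH|FIN)."""
    return [
        FlowRecord("10.0.0.5", "93.184.216.34", 6, 40000, 80, 3, 620, 1000, 1200, 0x1b),
        FlowRecord("198.51.100.23", "10.0.0.17", 6, 42001, 23, 8, 520, 5000, 5300, 0x1b),
    ]


def roundtrip():
    wire = encode_v5(sample_records(), 90000, 1350892800, 4711)
    seq, records = decode_v5(wire)
    return len(wire), seq, records


if __name__ == "__main__":
    size, seq, records = roundtrip()
    print(f"{size} bytes, sequence {seq}")
    for r in records:
        print(f"  {r.src}:{r.sport} -> {r.dst}:{r.dport} proto={r.proto} "
              f"pkts={r.packets} octets={r.octets} flags=0x{r.tcp_flags:02x}")
```

Two practical points follow from the format. The sequence number lets the collector count flows lost in transit (UDP gives no other signal), which matters when a gap coincides with a suspected incident. And because nothing authenticates the exporter, the collector's UDP port should accept datagrams only from the probes and routers it expects; anything else can inject fabricated flows into the statistics. NetFlow v9 and IPFIX, also supported by the products in this deck, replace the fixed layout with templates and add IPv6, but the same validation discipline applies.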
Network Traffic Monitoring Benefits
• Complete network visibility – real-time and historical
 Top N statistics (users/customers, services, sites)
 user-defined profiles (based on user filters)
 drill-down to any individual communication
 alerting and reporting
• Security enhancement, incident tracking
• Benefits for network management as well
 fast, precise and effective troubleshooting
 network performance monitoring
 trending, capacity planning, traffic engineering
 IP-traffic-based accounting and billing
 reduction of network management costs
Network Behavior Analysis (NBA)
• Automatic advanced analysis of flow (NetFlow) data
• Modern approach to network security
• Detection of undesirable behavior patterns
 internal and external threats
 undesirable services and applications
• Behavior analysis
 behavior profiles
 detection of anomalies and suspicious behavior
“NBA is about higher visibility in the behavior of your network to cover gaps left by signature based mechanism.”
Paul E. Proctor, Vice President, GARTNER
(diagram: two axes – behavior detection vs. signature detection, network level vs. host level; NBA sits in the behavior-detection, network-level quadrant)
NBA Benefits
• Detection of internal and external attacks
• Fast overview of any event in the network, including indication of problems
• Makes it possible to fight modern sophisticated attacks
• Detection of threats that standard approaches cannot detect
• Effective even for encrypted traffic, because only packet headers are analysed
FlowMon solution
FlowMon – Network Under Control
• Innovative network traffic and security monitoring solution using IP flows
• Based on NetFlow v5/v9 and IPFIX technology
• Provides information about who communicates with whom, for how long, over which protocol, with what traffic volume, and more
• Best price/performance ratio in the industry
• Solution for networks of all sizes
• Exceptional customer benefits
• Your network under control!
FlowMon Architecture
• FlowMon Probes
 passive standalone sources of network statistics (NetFlow / IPFIX data)
• FlowMon Collectors
 visualization and evaluation of network statistics
• FlowMon plugins
 FlowMon ADS – automatic traffic analysis that reveals operational and security issues
FlowMon Probe
• High-performance standalone probe – source of IP flow records in NetFlow v5/v9 and IPFIX format
• Invisible at L2/L3 – transparent to the monitored network
• Standard and hardware-accelerated models
• Remote configuration via a user-friendly web GUI
• 10/100/1000 Ethernet, 10 GbE, IPv4, IPv6, MPLS, VLAN
• Maintenance-free appliance with simple configuration
• Built-in collector (redundant data storage)
FlowMon Probe Models
• Compact rack-mount (1U) NetFlow probes
• Standard models
 suitable for most networks, excellent price/performance ratio
 more than 500k packets per second per 1GbE port
 up to 5M packets per second per 10GbE port
 models from 1x 100MbE port up to 4x 10GbE ports
• Hardware-accelerated models (Pro)
 suitable for large networks and backbone links
 wire-speed performance
 10GbE models available, 40/100GbE models available soon
FlowMon Collector
• Standalone appliance for long-term storage of flow statistics from multiple sources (probes, routers, switches)
• Support for NetFlow/IPFIX/sFlow data storage and analysis
• Professional solution for mid-size and large networks
 RAID, redundant power, remote management
 storage capacity from 1TB up to hundreds of TB
 unique performance – more than 200k flows/s processed
FlowMon Collector - GUI
• Graphs, tables and forms for further data processing
• Top N statistics (users, sites, services)
• Predefined set of profiles/views for standard protocols
• User-defined profiles (based on IP addresses or ports)
• Intelligent reporting (online/offline email/PDF/CSV reports)
• Profile support and automatic alerts (e-mail, syslog, SNMP etc.)
FlowMon Plugins
FlowMon ADS
• Detection of undesirable behavior
 attacks
 undesirable services
 operational and configuration problems
• Computation of behavior profiles
 communication partners
 anomaly detection
 traffic volume and structure
• Intuitive user interface
 immediate indication of network problems
 interactive event visualization
 integration with information from DNS, WHOIS and geolocation services
• Comprehensive filtering, alerting and reporting
FlowMon ADS
• Detection of undesirable patterns in communication
 attacks (port scanning, dictionary attacks, DoS/DDoS, use of the telnet protocol)
 data traffic anomalies (DNS, multicast, non-standard communication)
 undesirable applications (P2P networks, anonymizers)
 internal security problems (viruses, spyware, botnets)
 mail traffic (outgoing spam)
 operational problems (delays, high traffic, reverse DNS records)
FlowMon Benefits
• Long-term storage of traffic statistics
• Network capacity planning
• Connectivity optimization
• Peering agreement optimization
• Detection of attacks, anomalies and suspicious behavior
• Compliance with data retention law
• Accounting and billing based on traffic volume
• Graphs and tables can be integrated into your own information system
Use Case – Discovery of the Chuck Norris Botnet
prepared in cooperation with CSIRT-MU
Botnet Chuck Norris
• A lot of attempts from all over the world to connect to the TELNET service
 discovered by network security monitoring (flow monitoring) at Masaryk University
 who uses TELNET nowadays?
 why do devices from all over the world try to connect to the TELNET port?
• The detailed analysis that followed led to the discovery of a botnet
Botnet Chuck Norris
• Back-tracking the sources
 the infected devices are ADSL modems, Wi-Fi routers…
• Analysis of an infected device
• Connection to the C&C server
• Analysis of the botnet's behavior
Botnet Chuck Norris
• Attacks Linux-based devices – ADSL modems, Wi-Fi routers
• Infected devices
 try to infect other devices
 port scanning for TELNET
 dictionary attack – only 15 passwords!
 connect to the central C&C server, which sends them commands over IRC
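The two behaviours that made the botnet visible in flow data, the flood of TELNET connection attempts from the earlier slide and the scan-then-dictionary pattern just listed, as an added detection example. This is not FlowMon ADS code; it runs over a constructed CSV export of unidirectional flow records (TCP flags given as the OR of all packets' flags, in hex), and the thresholds are assumed values that would need tuning per network.

```python
"""Flag telnet scanning and telnet dictionary attacks in flow records.

Added example, not FlowMon ADS code. Input is a constructed CSV export
of unidirectional flow records (one line per flow, TCP flags as the OR
of all packets' flags, in hex). Thresholds are assumed values and must
be tuned to the monitored network.
"""
import csv
import io
from collections import defaultdict

TCP, TELNET = 6, 23
SYN, ACK = 0x02, 0x10
SCAN_MIN_TARGETS = 20      # assumed: distinct hosts probed on tcp/23 by one source
SCAN_MAX_PACKETS = 2       # a probe that never got past the SYN
BRUTE_MIN_SESSIONS = 10    # assumed: completed sessions from one source to one host


def parse_flows(text):
    """Parse the CSV export into dicts with numeric fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for field in ("proto", "sport", "dport", "packets", "bytes"):
            row[field] = int(row[field])
        row["flags"] = int(row["flags"], 16)
        flows.append(row)
    return flows


def detect_telnet_abuse(flows):
    """Return alerts as tuples; only header data is needed, never payload."""
    scan_targets = defaultdict(set)   # src -> distinct dst probed on tcp/23
    sessions = defaultdict(int)       # (src, dst) -> completed telnet sessions
    for f in flows:
        if f["proto"] != TCP or f["dport"] != TELNET:
            continue
        syn_only = bool(f["flags"] & SYN) and not (f["flags"] & ACK)
        if syn_only and f["packets"] <= SCAN_MAX_PACKETS:
            scan_targets[f["src"]].add(f["dst"])        # horizontal scan candidate
        elif f["flags"] & ACK:
            sessions[(f["src"], f["dst"])] += 1         # handshake completed: a login try
    alerts = []
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_MIN_TARGETS:
            alerts.append(("telnet_scan", src, len(targets)))
    for (src, dst), n in sessions.items():
        if n >= BRUTE_MIN_SESSIONS:
            alerts.append(("telnet_dictionary", src, dst, n))
    return alerts


def sample_export():
    """Constructed flows: one scanner sweeps a /24, then hammers the host that answered."""
    lines = ["ts,src,dst,proto,sport,dport,packets,bytes,flags"]
    for i in range(1, 41):                       # 40 single-SYN probes
        lines.append(f"1260000000.{i:03d},198.51.100.23,10.0.0.{i},6,{40000 + i},23,1,60,02")
    for i in range(15):                          # 15 short login attempts, one per password
        lines.append(f"1260000100.{i:03d},198.51.100.23,10.0.0.17,6,{42000 + i},23,8,520,1b")
    lines.append("1260000200.000,10.0.0.99,10.0.0.1,6,50111,22,120,14000,1b")   # admin SSH
    lines.append("1260000210.000,10.0.0.99,10.0.0.1,6,50112,23,300,32000,1b")   # one legit telnet
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_telnet_abuse(parse_flows(sample_export())):
        print(*alert)
```

The dictionary attack is the more telling signal: fifteen short, completed sessions from one source to one host on tcp/23 are visible in flow records even though the passwords themselves never are. A single legitimate telnet session (long, few flows) stays below the threshold. On a real collector the same logic is a filter on destination port 23 and SYN-only flags, aggregated by source; the slide's point that administrators had no reason to expect telnet traffic at all is what makes a low threshold defensible here.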
Botnet Chuck Norris
• Compilation timestamp in the pnscan tool – July 2008
• First file uploaded to the distribution servers – May 2009
• Botnet discovered at Masaryk University – December 2009
• Attempts to shut the botnet down (CSIRT-MU)
• Chuck Norris v2 – May 2010
• Further modifications up to the present day
 Hydra
 Aidra
 ???
Attacks Continue
(chart)
Chuck Norris - summary
• Attacks poorly configured Linux MIPSEL devices – ADSL modems, Wi-Fi routers, …
 users are not aware of the malicious activity
 there is no anti-malware solution on such devices to detect it
 all traffic to/from the network behind the device can be manipulated
• The compromise is based on a trivial dictionary attack (15 passwords)
• A lot of network operators underestimated the possibility of such a trivial attack
Discovered at Masaryk University. The malware got the Chuck Norris moniker from a comment in its source code:
[R]anger Killato : in nome di Chuck Norris ! (Italian: "in the name of Chuck Norris!")
INVEA-TECH @ PLNOG 2012
Is network traffic and security monitoring interesting for you?
• Visit our next presentation @ PLNOG 2012
 FlowMon – Network Traffic & Security Monitoring in Examples
 Tomorrow at 11:50 – New Technology section
• Visit our booth and talk to us
INVEA-TECH a.s.
U Vodárny 2965/2
616 00 Brno
Czech Republic
www.invea-tech.com
High-Speed Networking Technology Partner
Petr Špringl
springl@invea-tech.com
00420 511 205 252
Thank you for your attention

Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptx
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 

PLNOG 9: Peter Springl - Next Generation Network Traffic Monitoring and Anomaly Detection

Next Generation Network Traffic Monitoring and Anomaly Detection
springl@invea-tech.com
Petr Springl
2/42
INVEA-TECH
• University spin-off company
 10 years of development, participation in EU funded projects
 project Liberouter and programmable hardware, 10 mil Euro invested, creation of world's unique technologies
• Company profile
 Strong academic background: CESNET, MU, VUT
 Founded 2007
 Expansion onto foreign markets since 2010: UK, US, Canada, Germany, Japan and others
• Key products:
 FlowMon: network traffic monitoring
 ADS: detection of anomalies, operational and security issues
 FlowMon + ADS = a complete solution for monitoring and security
3/42
Reference
• GEÁNT2, Federica – monitoring of 7 European backbones
• CZ Ministry of Defense (via VDI META)
• Korea Telecom
• AVG, Aegon
• CESNET
• T-Mobile
• and more ...
4/42
Agenda
• Network & Security
 interesting/surprising statistics?
 standard security tools overview
• Network Traffic & Security Monitoring
• FlowMon Solution Introduction
• Use Case – Discovery of Botnet Chuck Norris
6/42
Malware
Source: McAfee Threats Report: Fourth Quarter 2011
7/42
Botnets – infected devices
Source: McAfee Threats Report: Fourth Quarter 2011
8/42
Botnets – infected devices
Source: McAfee Threats Report: Fourth Quarter 2011
9/42
Attackers Motivation
Source: Radware – 2011 Global Application & Network Security Report
10/42
Data Breaches
Source: McAfee Threats Report: Fourth Quarter 2011
11/42
Botnet as a Service
Source: McAfee Threats Report: First Quarter 2011
12/42
How to face attacks
• Attacks against any organization (SMBs, enterprises, government, education or other organizations) are rising
• Attackers use different approaches and attack types
 hacking, cracking, dictionary attacks, DOS/DDOS attacks, attacks against services, social engineering, identity theft, botnets…
• Organizations don't know which specific threats to fight
• Many attacks are undetectable by standard approaches
 Advanced Persistent Threats, Zero-Day attacks, Polymorphic malware,…
• What possibilities are there
 for organizations?
 for ISPs?
13/42
Organizations
• Perimeter Security
 firewall, IDS/IPS, UTM, application firewall, web filter, email security, remote access
• Endpoint Security
 antivirus, personal firewall, antimalware, antirootkit, endpoint DLP
• Internal Network Security
 network traffic visibility – flow monitoring, NBA - Network Behavior Analysis, automatic anomalies detection
14/42
ISPs
• ISPs are in a different situation
• They have to face the same threats, but have fewer options for doing so
• ISPs shouldn't protect only themselves, but also
 help to protect their customers
 protect the Internet from their customers
15/42
ISPs
• Network Elements Security
 switches, routers…
 configuration, secure management, services
• Network Security
 routing, rate limiting, filtering, redundancy
• Incident Detection
 alert from customer, ISP or other
 IDS, syslogs, SNMP monitoring
 network traffic visibility – flow monitoring, NBA - Network Behavior Analysis, automatic anomalies detection
16/42
Summary
• All the tools and approaches mentioned are very important from a security point of view
• Most are aimed at protection from known threats and attackers
• That's why continuous monitoring and detailed information about activities in the network is important
 provides complete visibility into the network
 able to detect sophisticated attacks (APTs, zero-day attacks) - even those which are not detected by other approaches
Network Traffic & Security Monitoring
18/42
Flow Monitoring Principles
• IP flows monitoring
 analysis of packet headers only
 content (packet payload) is not monitored
• Modern method for network monitoring
 NetFlow v5/v9 – Cisco standard
19/42
Architecture
• Source of network statistics
 switches, routers, specialized probes or other devices
 network traffic monitoring - generate and export flow data
• Flow data collectors
 flow data storage, collection & analysis
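Slides 18 and 19 describe flow monitoring as header-only aggregation on an exporter (probe, router or switch) with a separate collector, exchanged as NetFlow v5. The Python below is an added example written for this page, not FlowMon's or INVEA-TECH's code: it folds constructed packet headers into 5-tuple flow records with an inactive timeout (the exporter side), serializes them in the NetFlow v5 wire format, and parses them back (the collector side). The packet list, addresses, the 15 s timeout and all helper names are assumptions made for the example.

```python
"""Flow monitoring end to end: packet headers -> flow records -> NetFlow v5
export datagram -> collector parse.  Added example, not FlowMon/INVEA-TECH code.
The packet headers and addresses below are constructed sample data."""
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 wire format (Cisco): 24-byte header, 48-byte records, big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass
class Flow:
    """One unidirectional flow, keyed by the 5-tuple; payload is never stored."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    first_ms: int
    last_ms: int
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0


def aggregate(packets, inactive_timeout_ms=15_000):
    """Exporter side (probe/router): fold packet headers into flow records.

    packets: iterable of (ts_ms, src, dst, proto, sport, dport, size, tcp_flags).
    A 5-tuple idle for longer than the inactive timeout starts a new flow,
    which is what makes repeated short connections visible as separate records.
    """
    active, expired = {}, []
    for ts, src, dst, proto, sport, dport, size, flags in packets:
        key = (src, dst, proto, sport, dport)
        flow = active.get(key)
        if flow is not None and ts - flow.last_ms > inactive_timeout_ms:
            expired.append(active.pop(key))
            flow = None
        if flow is None:
            flow = active[key] = Flow(src, dst, proto, sport, dport, ts, ts)
        flow.last_ms = ts
        flow.packets += 1
        flow.octets += size
        flow.tcp_flags |= flags          # OR of all flags seen, as NetFlow does
    expired.extend(active.values())      # flush at the end of the observation window
    return expired


def encode_v5(flows, uptime_ms=0, unix_secs=1_350_864_000, sequence=0):
    """Serialize flows as one NetFlow v5 export datagram (max 30 records/packet)."""
    if len(flows) > 30:
        raise ValueError("NetFlow v5 carries at most 30 records per datagram")
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(f.src), socket.inet_aton(f.dst), b"\0\0\0\0",  # nexthop
            0, 0,                                           # input / output ifindex
            f.packets, f.octets, f.first_ms, f.last_ms,
            f.sport, f.dport, 0, f.tcp_flags, f.proto, 0,   # pad, flags, proto, tos
            0, 0, 0, 0, 0)                                  # src/dst AS, masks, pad
        for f in flows)
    return header + body


def decode_v5(datagram):
    """Collector side: validate and parse a NetFlow v5 datagram into dicts."""
    version, count, _uptime, secs, _nsecs, seq, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")
    records = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                        "packets": r[5], "octets": r[6], "first": r[7], "last": r[8],
                        "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13]})
    return {"unix_secs": secs, "sequence": seq, "records": records}


# Constructed sample: a short HTTP exchange, one DNS query, then the same HTTP
# 5-tuple again after the inactive timeout (becomes a second flow record).
SAMPLE_PACKETS = [
    (0,      "192.0.2.10",   "198.51.100.5",  6,  51000, 80,    60,  0x02),  # SYN
    (20,     "198.51.100.5", "192.0.2.10",    6,  80,    51000, 60,  0x12),  # SYN/ACK
    (40,     "192.0.2.10",   "198.51.100.5",  6,  51000, 80,    52,  0x10),  # ACK
    (60,     "192.0.2.10",   "198.51.100.5",  6,  51000, 80,    500, 0x18),  # PSH/ACK
    (90,     "192.0.2.10",   "198.51.100.53", 17, 40000, 53,    70,  0x00),  # DNS
    (30_000, "192.0.2.10",   "198.51.100.5",  6,  51000, 80,    60,  0x02),  # new flow
]


def run_pipeline(packets=SAMPLE_PACKETS):
    """Export on the probe, parse on the collector, return the parsed records."""
    return decode_v5(encode_v5(aggregate(packets)))["records"]


if __name__ == "__main__":
    for rec in run_pipeline():
        print(rec)
```

The inactive-timeout split is the detail worth noticing: the same 5-tuple seen again after 15 s becomes a second record, which is what later lets a collector count repeated short connections from one source. A real collector listens on UDP (commonly port 2055) and also watches the sequence field for lost datagrams; that transport part is left out here.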
20/42
Network Traffic Monitoring Benefits
• Complete Network Visibility – real-time & historically
 TOP N statistics (users/customers, services, sites)
 user defined profiles (based on user filters)
 drill down to any individual communication
 alerting & reporting
• Security Enhancement, Incidents Tracking
• Benefits also for network management
 fast, precise and effective troubleshooting
 network performance monitoring
 trending, capacity planning, traffic engineering
 IP traffic based accounting and billing
 network management costs reduction
21/42
Network Behavior Analysis (NBA)
• Automatic advanced analysis of flow (NetFlow) data
• Modern approach to network security
• Undesirable behavior patterns detection
 internal and external threats
 undesirable services and applications
• Behavior analysis
 behavior profiles
 anomalies and suspicious behavior detection
"NBA is about higher visibility in the behavior of your network to cover gaps left by signature based mechanisms." Paul E. Proctor, Vice President, GARTNER
Figure: behavior detection vs. signature detection, network level vs. host level
22/42
NBA Benefits
• Internal & external attacks detection
• Fast overview of any events in the network, including problem indication
• Makes it possible to fight modern sophisticated attacks
• Detection of threats which are undetectable by standard approaches
• Effective for encrypted traffic
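Slides 20 to 22 describe what a collector does with the flow data: TOP N statistics, user-defined profiles, and behavior profiles from which anomalies are flagged. The Python below is an added example for this page (not FlowMon or FlowMon ADS code) showing all three over a constructed set of flow records: TOP N by octets, a profile as a persistent filter, and a per-host volume baseline that flags a host whose outbound traffic jumps far above its own history. The record layout, the thresholds (z > 3, at least 3 history intervals) and the sample traffic are assumptions made for the example.

```python
"""Collector-side analysis over flow records: TOP N statistics, a user-defined
profile (filter) and a per-host behaviour baseline of the kind NBA uses.
Added example, not FlowMon/FlowMon ADS code; the flow records are constructed."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Record layout (constructed): (interval, src, dst, proto, dport, octets)
# where interval is a 5-minute slot number.
SRC, DST, DPORT, OCTETS = 1, 2, 4, 5


def sample_flows():
    """Six intervals of routine traffic, plus one large transfer in interval 5."""
    flows = []
    for t in range(6):
        for host in ("10.0.0.5", "10.0.0.6"):
            for i in range(3):  # three HTTPS servers, volume growing slowly over time
                flows.append((t, host, f"198.51.100.{i + 1}", 6, 443,
                              40_000 + 1_000 * i + 5_000 * t))
        flows.append((t, "10.0.0.7", "198.51.100.25", 6, 25, 8_000))    # mail relay
    flows.append((5, "10.0.0.5", "203.0.113.77", 6, 443, 5_000_000))   # the anomaly
    return flows


def top_n(flows, dimension, n=3, interval=None):
    """TOP N by transferred octets; dimension is 'src', 'dst' or 'dport'."""
    idx = {"src": SRC, "dst": DST, "dport": DPORT}[dimension]
    totals = Counter()
    for f in flows:
        if interval is None or f[0] == interval:
            totals[f[idx]] += f[OCTETS]
    return totals.most_common(n)


def profile(flows, dport=None, src_prefix=None):
    """A user-defined profile is just a persistent filter over the flow data."""
    return [f for f in flows
            if (dport is None or f[DPORT] == dport)
            and (src_prefix is None or f[SRC].startswith(src_prefix))]


def octets_per_host_interval(flows):
    """host -> {interval -> outbound octets}; the raw material of a behaviour profile."""
    per = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per[f[SRC]][f[0]] += f[OCTETS]
    return per


def volume_anomalies(flows, current, history_min=3, z=3.0):
    """Flag hosts whose outbound volume in `current` is more than z standard
    deviations above their own history (a behaviour profile per host).
    sigma is floored at 1 octet so a perfectly flat history does not divide by 0."""
    alerts = []
    for host, per_t in octets_per_host_interval(flows).items():
        history = [v for t, v in per_t.items() if t < current]
        if len(history) < history_min:
            continue                      # not enough baseline yet
        now = per_t.get(current, 0)
        mu, sigma = mean(history), max(pstdev(history), 1.0)
        score = (now - mu) / sigma
        if score > z:
            alerts.append({"host": host, "octets": now,
                           "baseline": round(mu), "z": round(score, 1)})
    return alerts


if __name__ == "__main__":
    flows = sample_flows()
    print("top talkers, interval 5:", top_n(flows, "src", interval=5))
    print("mail profile flows:", len(profile(flows, dport=25)))
    print("anomalies:", volume_anomalies(flows, current=5))
```

Because the baseline is per host, a server that always moves large volumes is not flagged while a workstation that suddenly does is; that is the "behavior profile" idea of slide 21. Nothing here looks at content, only at who sent how much to whom, which is why the same check works unchanged on encrypted traffic (slide 22).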
24/42
FlowMon – Network Under Control
• Innovative network traffic & security monitoring solution using IP flows
• Based on NetFlow v5/v9 and IPFIX technology
• Provides information about who communicates with whom, how long, what protocol, traffic volume and more
• Best price/performance ratio in the industry
• Solution for networks of all dimensions
• Exceptional customer benefits
• Your network under control!
25/42
FlowMon Architecture
• FlowMon Probes
 passive standalone source of network statistics (NetFlow / IPFIX data)
• FlowMon Collectors
 visualization and evaluation of network statistics
• FlowMon plugins
 FlowMon ADS - automatic traffic analysis to reveal operational & security issues
26/42
FlowMon Probe
• High-performance standalone probe - source of IP flow records in NetFlow v5/v9 and IPFIX format
• L2/L3 invisible - transparent for the monitored network
• Standard and hardware accelerated models
• Remote configuration via a user-friendly web GUI
• 10/100/1000 Ethernet, 10 GbE, IPv4, IPv6, MPLS, VLAN
• Maintenance-free appliance with simple configuration
• Built-in collector (data storage redundancy)
27/42
FlowMon Probe Models
• Compact rack mount (1U) NetFlow probes
• Standard models
 suitable for most networks, excellent price/performance ratio
 performance more than 500 k packets per second per 1GbE port
 up to 5 M packets per second per 10GbE port
 models from 1x 100MbE port up to 4x 10GbE ports
• Hardware-accelerated models (Pro)
 suitable for large networks and backbone links
 wire speed performance
 10GbE models available, 40/100GbE models available soon
28/42
FlowMon Collector
• Standalone appliance for long term storage of flow statistics from multiple sources (probes, routers, switches)
• Support for NetFlow/IPFIX/sFlow data storage & analysis
• Professional solution for mid-size and large networks
 RAID, redundant power, remote management
 storage capacity from 1TB up to hundreds of TBs
 unique performance – more than 200k flows/s processing
29/42
FlowMon Collector - GUI
• Graphs, tables and forms for further data processing
• Top N statistics (users, sites, services)
• Predefined set of profiles/views for standard protocols
• User defined profiles (based on IP address or ports)
• Intelligent reporting (online/offline email/pdf/csv reports)
• Profile support and automatic alerts (e-mail, syslog, SNMP etc.)
31/42
FlowMon ADS
• Undesirable behavior detection
 Attacks
 Undesirable services
 Operational and configuration problems
• Behavior profiles computing
 Communication partners
 Anomaly detection
 Traffic volume and structure
• Intuitive user interface
 Immediate network problems indication
 Interactive event visualization
 Integration with information from DNS, WHOIS, geolocation services
• Complex filtering, alerting, reporting
32/42
FlowMon ADS
• Detection of undesirable patterns in communication
 Attacks (port scanning, dictionary attacks, DOS/DDOS, telnet protocol)
 Data traffic anomalies (DNS, multicast, non-standard communications)
 Undesirable applications (P2P networks, anonymizer)
 Internal security problems (viruses, spyware, botnets)
 Mail traffic (outgoing spam)
 Operational problems (delays, high traffic, reverse DNS records)
33/42
FlowMon Benefits
• Long-term storage of traffic statistics
• Network capacity planning
• Connectivity optimization
• Peering agreements optimization
• Attacks, anomalies and suspicious behavior detection
• Data retention law fulfillment
• Accounting and billing based on traffic amount
• Possibility to integrate graphs and tables into your IS
Use Case – Discovery of Botnet Chuck Norris
prepared in cooperation with CSIRT-MU
35/42
Botnet Chuck Norris
• Lots of attempts from all over the world to connect to the TELNET service
 discovered by network security monitoring (flow monitoring) at Masaryk University
 Who uses TELNET nowadays???
 Why do devices from all over the world try to connect to the TELNET port?
• Subsequent detailed analysis led to the discovery of a botnet
36/42
Botnet Chuck Norris
• Back tracking
 infected devices are ADSL modems, WIFI routers…
• Analysis of infected device
• Connection to C&C server
• Analysis of botnet behavior
37/42
Botnet Chuck Norris
• Attacks Linux servers – ADSL modems, WIFI routers
• Infected devices
 try to infect other devices
 port scanning – TELNET
 dictionary attack – only 15 passwords !!!!
 connect to the central C&C server, which sends them commands (IRC)
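Slides 32, 35 and 37 name the behaviours that gave the botnet away in flow data: many connection attempts to TELNET from all over the world, port scanning for TELNET by infected devices, and repeated short login sessions (the dictionary attack). The Python below is an added example for this page, not FlowMon ADS or CSIRT-MU code. It takes constructed flow records (the same fields a NetFlow v5 record carries) and flags three things from headers alone: a source probing many hosts on tcp/23 with SYN-only flows, a source opening many short completed tcp/23 sessions to one host, and local devices receiving tcp/23 attempts from many external sources. Thresholds, address ranges, record layout and helper names are assumptions made for the example.

```python
"""Flow-based detection of the behaviour described on the Chuck Norris slides:
an infected device scanning for TELNET and then opening repeated short login
sessions, plus a check for TELNET services exposed to the Internet.
Added example, not FlowMon ADS or CSIRT-MU code; the flow records are constructed."""
from collections import Counter, defaultdict
from typing import NamedTuple

TELNET = 23
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04   # TCP flag bits as in NetFlow tcp_flags


class Flow(NamedTuple):
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: int
    duration_ms: int


def telnet_alerts(flows, scan_min_targets=20, login_min_sessions=5):
    """Two behaviour patterns, both visible from headers alone:
    - scan: SYN-only flows (no ACK ever seen) to many distinct hosts on tcp/23;
    - login burst: many short, small, completed tcp/23 sessions to one host,
      the footprint of repeated automated login attempts."""
    probed = defaultdict(set)   # src -> distinct dst probed
    sessions = Counter()        # (src, dst) -> short completed sessions
    for f in flows:
        if f.proto != 6 or f.dport != TELNET:
            continue
        if (f.tcp_flags & (SYN | ACK)) == SYN and f.packets <= 2:
            probed[f.src].add(f.dst)
        elif f.tcp_flags & ACK and f.duration_ms < 5_000 and f.octets < 2_000:
            sessions[(f.src, f.dst)] += 1
    alerts = [("telnet_scan", src, len(t)) for src, t in probed.items()
              if len(t) >= scan_min_targets]
    alerts += [("telnet_login_burst", src, dst, n) for (src, dst), n in sessions.items()
               if n >= login_min_sessions]
    return alerts


def exposed_telnet(flows, local_prefix, min_sources=10):
    """Local hosts receiving tcp/23 connection attempts from many external
    sources: the 'who connects to TELNET from all over the world?' view."""
    sources = defaultdict(set)
    for f in flows:
        if (f.proto == 6 and f.dport == TELNET
                and f.dst.startswith(local_prefix) and not f.src.startswith(local_prefix)):
            sources[f.dst].add(f.src)
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}


def sample_flows():
    """Constructed records: one infected CPE router, one exposed router, benign noise."""
    flows = []
    # 10.1.1.1 probes 30 external hosts on tcp/23 with a single SYN each
    flows += [Flow("10.1.1.1", f"203.0.113.{i}", 6, 40_000 + i, TELNET, 1, 44, SYN, 0)
              for i in range(1, 31)]
    # ...then opens eight short sessions to the one host that answered
    flows += [Flow("10.1.1.1", "203.0.113.7", 6, 41_000 + i, TELNET, 12, 900,
                   SYN | ACK | FIN, 1_500) for i in range(8)]
    # 15 distinct external sources knock on 10.1.1.2's TELNET port
    flows += [Flow(f"198.51.100.{i}", "10.1.1.2", 6, 50_000, TELNET, 1, 44, SYN, 0)
              for i in range(1, 16)]
    # benign: HTTPS browsing and one long internal admin TELNET session
    flows.append(Flow("10.1.1.3", "203.0.113.50", 6, 52_000, 443, 40, 30_000,
                      SYN | ACK | FIN, 8_000))
    flows.append(Flow("10.1.1.4", "10.1.1.5", 6, 53_000, TELNET, 400, 60_000,
                      SYN | ACK | FIN, 600_000))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for alert in telnet_alerts(flows):
        print(alert)
    print("exposed:", exposed_telnet(flows, "10.1."))
```

The long internal admin session is deliberately in the sample: it is TELNET too, but one long flow with a large byte count, so neither rule fires on it; the thresholds separate repeated short sessions from legitimate use. For an operator, the `exposed_telnet` output is the first action item, since it lists exactly the devices on which the trivial dictionary attack the slides describe could succeed.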
38/42
Botnet Chuck Norris
• Compilation timestamp in pnscan tool – July 2008
• First file uploaded to distribution servers – May 2009
• Botnet discovery at Masaryk University – December 2009
• Attempts to shut down the botnet (CSIRT-MU)
• Chuck Norris v2 – May 2010
• Further modifications up to the present day
 Hydra
 Aidra
 ???
40/42
Chuck Norris - summary
• Attacks poorly-configured Linux MIPSEL devices - ADSL modems, WIFI routers, …
 users are not aware of the malicious activities
 no anti-malware solution is present to detect it
 possible to manipulate all traffic to/from the network
• Attack based on a trivial dictionary attack (15 passwords)
• Many network operators underestimated the possibility of a trivial attack
Discovered at Masaryk University. The malware got the Chuck Norris moniker from a comment in its source code: [R]anger Killato : in nome di Chuck Norris !
41/42
INVEA-TECH @ PLNOG 2012
Is network traffic & security monitoring interesting for you?
• Visit our next presentation @ PLNOG 2012
 FlowMon – Network Traffic & Security Monitoring in Examples
 Tomorrow at 11:50 – New Technology section
• Visit our booth and discuss with us
42/42
INVEA-TECH a.s.
U Vodárny 2965/2
616 00 Brno
Czech Republic
www.invea-tech.com
High-Speed Networking Technology Partner
Petr Špringl
springl@invea-tech.com
00420 511 205 252
Thank you for your attention