Introducing: NOBAD

Network Oriented Basic Anomaly Detection
Network Oriented Anomaly Detection
[Architecture diagram; labels only: Network, Workstation, Router, <XML/>, Consolidate, Data Aggregator, $normality, !($normality), Engine, PATTERN, PEP, etc., Outcome, Database, Feedback]
Sample collector output (excerpt)

<collector 192.168.1.9 type="emb">
  <data 192.168.1.11>
    <desc name="webserver" crit="high">
    <sensor type="load" data="0.11"/>
    <sensor type="df" data="66"/>
    <sensor type="avail" data="true::2"/>
    <sensor type="avail_local" data="true"/>
  </data>
  <data 192.168.1.1>
    <desc name="router_to_T1" crit="high">
    <sensor type="where" data="NULL">
Data Collection
[Data collection diagram; labels only: Appliance, Expect, Application, SNMP, Proprietary, Syslog, XMLIZER, NORMALIZER, Sender, Sender, XML, LISTEN 3333]
Basic Functionality
• Collect data from a number of independent devices.
• Aggregate the data into a representation of the current "state".
• Compare that state to $normality.
• If the two are sufficiently similar -> continue.
• If the two are sufficiently different -> analyze.
"Analyze"
• Do values exceed given thresholds?
• Is the change significant even if it does not exceed thresholds?
• Are there past occurrences? How have they been rated by the resolving entity?
• Who needs to be made aware?
• What means of alarm do we have?
• What could the possible root cause be?
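The sample collector output, the Basic Functionality slide and the "Analyze" slide describe one pipeline: parse collector XML into a state, compare that state with $normality, and analyze the difference (threshold exceeded, significant change without a threshold breach, how the resolving entity rated earlier occurrences). The following is an added Python example of that pipeline; it is not NOBAD's own code (the deck mentions a Python XML module but does not show it). The sample document, the shape of $normality, the deviation ratio and the feedback store are all constructed assumptions. Two liberties with the slide's format are taken and noted in comments: the bare address token in `<collector 192.168.1.9 ...>` / `<data 192.168.1.11>` is rewritten into an `ip` attribute so the standard-library parser accepts it, and `desc`/`sensor` are written as empty elements.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the slide's collector output (assumption:
# desc/sensor as empty elements, document closed, load raised to 3.90).
SAMPLE = """<collector 192.168.1.9 type="emb">
  <data 192.168.1.11>
    <desc name="webserver" crit="high"/>
    <sensor type="load" data="3.90"/>
    <sensor type="df" data="71"/>
    <sensor type="avail" data="true::2"/>
    <sensor type="avail_local" data="true"/>
  </data>
  <data 192.168.1.1>
    <desc name="router_to_T1" crit="high"/>
    <sensor type="where" data="NULL"/>
  </data>
</collector>"""

# Assumed $normality: per host and sensor, the expected value, an absolute
# threshold ("max") and the relative deviation that counts as significant ("delta").
NORMALITY = {
    "192.168.1.11": {
        "load": {"expect": 0.11, "max": 4.0, "delta": 1.0},
        "df": {"expect": 66, "max": 90, "delta": 0.15},
        "avail": {"expect": "true::2"},
        "avail_local": {"expect": "true"},
    },
    "192.168.1.1": {"where": {"expect": "NULL"}},
}

# Assumed feedback store: how the resolving entity rated earlier occurrences.
FEEDBACK = {("192.168.1.11", "df"): "noise"}

# The slide's format puts a bare address after the tag name; that is not
# well-formed XML, so rewrite it to ip="..." before parsing (assumption).
_BARE_IP = re.compile(r"<(collector|data) (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_collector(text):
    """Aggregate one collector document into {ip: {name, crit, sensors}}."""
    root = ET.fromstring(_BARE_IP.sub(r'<\1 ip="\2"', text))
    state = {}
    for data in root.findall("data"):
        desc = data.find("desc")
        state[data.get("ip")] = {
            "name": desc.get("name") if desc is not None else None,
            "crit": desc.get("crit", "low") if desc is not None else "low",
            "sensors": {s.get("type"): s.get("data") for s in data.findall("sensor")},
        }
    return state


def _to_number(value):
    try:
        return float(value)
    except (TypeError, ValueError):
        return None  # non-numeric sensors (avail, where) are compared as strings


def analyze(state, normality=NORMALITY):
    """Compare state to $normality. Returns (ip, sensor, message, crit) tuples."""
    findings = []
    for ip, host in state.items():
        rules = normality.get(ip)
        if rules is None:
            findings.append((ip, None, "unknown host: no $normality", host["crit"]))
            continue
        for stype, rule in rules.items():
            raw = host["sensors"].get(stype)
            if raw is None:
                findings.append((ip, stype, "sensor missing", host["crit"]))
                continue
            num, exp = _to_number(raw), _to_number(rule["expect"])
            if num is None or exp is None:
                if raw != rule["expect"]:
                    findings.append((ip, stype, f"{raw!r} != {rule['expect']!r}", host["crit"]))
                continue
            if "max" in rule and num > rule["max"]:          # threshold exceeded
                findings.append((ip, stype, f"{num} exceeds {rule['max']}", host["crit"]))
            elif exp and abs(num - exp) / exp > rule.get("delta", float("inf")):
                # significant change even though no threshold was crossed
                findings.append((ip, stype, f"{num} deviates from {exp}", host["crit"]))
    return findings


def prioritize(findings, feedback=FEEDBACK):
    """Rank findings by crit, downgrading those the resolver rated as noise before."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    ranked = []
    for ip, stype, msg, crit in findings:
        past = feedback.get((ip, stype))
        ranked.append({"host": ip, "sensor": stype, "msg": msg,
                       "severity": "info" if past == "noise" else crit, "past_rating": past})
    return sorted(ranked, key=lambda f: order.get(f["severity"], 4))


if __name__ == "__main__":
    for finding in prioritize(analyze(parse_collector(SAMPLE))):
        print(finding)
```

With the constructed sample, `df` at 71 is within both the threshold and the deviation band, so it produces nothing; `load` at 3.90 stays under the hard maximum of 4.0 but is flagged because it is far from the expected 0.11, which is the second test the "Analyze" slide asks for.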
Root Cause
• Fact: System A{5} inaccessible (HTTP)
• Probe: Is the httpd up?
• Probe: How many hits per second are there, currently?
• Probe: On traceroutes from all aggregators and sensors: what seems to be the last point we can reach?
• Probe: Does the IDS pick up signs of DoS/DDoS?
• Probe: Does the firewall notice strange traffic?
• Probe: What does incoming and outgoing traffic look like?
• Probe: What is the load on all participating routers?
• Probe: How about my BGP/OSPF processes?
• etc.
Key Design Goals
• Platform and vendor independence
  – Currently no plans to run Aggregators or Engines on Windows; Sensors are available, though.
• Data Integration and Aggregation
  – e.g. CAIDA's cflowd, RRDtool, skitter, skping, ntrace, DNScollect, net::lint, etc.
• Data Analysis and Visualization
  – Python module for XML data analysis (finished)
  – C++ class (unfinished)
  – *ix library (almost finished)
Next Steps
• Train NOBAD to understand more vendorware (Foundry, Nortel, Cisco Netranger)
• Move Unix-OS sensors from Perl to C
• Provide a set of DLLs for Windows Sensor development and document the API
• Release first beta on Sourceforge
FAQ
• What's the difference between NOBAD and my current IDS?
• Is this a routing tool?
• Is NOBAD invasive or passive?
• What is NOBAD being used for?
• How long does it take for NOBAD to learn $normality?
• How can I help, who can I contact?
Contact
The NOBAD development Team:
[email protected]
http://www.d-fensive.com/nobad/
Thank You