Troubleshooting & Traffic Mining(TM)
Slide deck, recovered from an OCR scan: Troubleshooting & Traffic Mining (TM), Stefan Burschka, RUAG ("Together ahead. RUAG"), presented at CCC 2011 as "Datamining for Hackers". The slides are a mix of text, flow tables and figures; only the readable text is kept below, slide by slide.

Agenda: Intro (who, what); problems with big traffic data; how to address the problems with brain & tools; lots of examples and exercises.

What we do. RT products for network troubleshooting, forensics and security: Tranalyzer (T2), a high-speed, high-volume traffic analyzer; Traviz, a graphical toolset for Tranalyzer; complete tool sets for TM & forensics; artificial-intelligence plugins. Research: brain support for multi-dimensional datasets, encrypted TM, big-data visualization (Traviz), malware and covert-channel detection, nifty stuff.

Data traffic mining vs. forensics: input huge, output tiny; tiny answer, large puzzle. Find what everybody missed; find patterns, anomalies and the undetectable. "Tell me everything", e.g. owner, OS, type of computer.

Traffic Mining (TM), hidden knowledge: listen, see, understand, invariants, model. Applications: troubleshooting; security (classification, encrypted TM); network usage (VoIP, P2P, traffic shaping, application/user profiling); profiling & marketing (usage, performance & market index); law enforcement and lawful interception (indication, evidence, info leak); process delays (who, why, what; infected, misconfigured).

Right, but why all this? What is the problem? "Controlled flight into terrain": seldom problem oriented; KISS engineering; high complexity, small fault tolerance; customer test lab; time and economic pressure; info overload; banana principle; conditioning of customers. SW became a weapon: "the network is slow", "the network is insecure", "it's not Microsoft, shut up", "it wasn't me". The cast: manager (MBA, always right, license to PowerPoint), production (knows, always warned), techie (poor, knows basic calculus, always his fault, FUBAR), finance (MBA, license to Excel, license to get fired). "We didn't find the problem in 4 months, can you do the job in 2 weeks? We supply only 11 TB data."

Large unstructured traffic datasets. The problem: "WTF am I looking for?" Data selection: like to have <> eat what you get. Preprocessing: dimension reduction, feature selection. Data formats: XML, Excel, binary, txt. Tools and interfaces: Microsoft <> bash, awk, DB. Operating storage: cache <> memory <> SSD <> disk. Visualization, AI. Exercise: what is wrong here? See the disaster now.

Preprocessing: context, dimension reduction, versatile flow compression. Definition, 6-tuple: VLAN, srcIP, srcPort, dstIP, dstPort, L4Protocol. Or why not a bit more context and meaning: srcWho, dstWho, srcNetwork, dstNetwork. Tranalyzer flow example: the two directions (A and B) of one TCP flow, 192.168.1.10:2119 to 182.236.128.34:80 (http), printed as T2 flow columns (timestamps, duration, MAC addresses, packet and byte counters, TCP flags and window statistics); the column values are not reproduced here.

Statistical T2 flow parameters, now conceivable by the human brain: the example dataset has 250 rows, 410 columns and 13 dimensions. Sledgehammer dimension reduction. Clustering of multidimensional data with ESOM (emergent self-organizing map) nonlinear mapping, shown on the Chainlink 3D benchmark; map quality is given as preservation & trustworthiness, with a color legend for the density of height values. ESOM anomaly picture on 13-dimensional statistics.

Content guessing: packet number; any other useful features? Exercise: what is the unknown?

Some real application now. The one-way TCP flow problem: symptom, on-and-off access problems; TCP flows are established unidirectionally; T2 proved that the reverse connection exists but does not pass through the firewall (diagram: router, forward flow, reverse flow, workstation). Connection matrix, source IP vs. destination IP, built with awk, sort and uniq. Application/user roles, malware detection. Layer 3/4 visualization with Graphviz: a simple forensic picture for small datasets (node labels of the form IP_VLAN with L4 protocol, dstPort and numPktsSnt per edge; the label list is not reproduced). Connection flow matrix and connection count; anomaly and flow centrality; time graph; network host classification over 200 IPs.

Encrypted TM: "Yeah, sure, lots of numbers. But encryption prevents TM?" Which features do you want to look at? Encrypted IM: packet length, magic; distinguish by listening, gap in tracks, with a sound/momentum analogy (F = dp/dt) mapped onto packet length and packet fire rate dpkt/dt. Features: packet length, packet fire rate, interdistance. 3D statistical application/user profiling: packet length and interdistance statistics, fingerprinting IM, P2P, Skype, VoIP and file transfer via proxy; "vulnerable against ..." (rest unreadable). Encrypted VoIP mining: packet length signal. Exercise: multiple-flow packet length signal; see the features; codec training (example with Linux udp_len and ping). Encryption TM: SSH command & parameter estimation, IPsec tunnel application/user profiling, Skype.

Exercise: AI yourself. Knowledge extraction: bad-weather data vs. good-weather data (sun & rain); words or word chains which separate most of the data sets correctly have the highest information gain.

Questions? Comments? Try me. Who wants a bootcamp? http://sourceforge.net/projects/tranalyzer, http://sourceforge.net/projects/traviz, stefan.burschka@ruag.com, http://tranalyzer.com