SlideShare a Scribd company logo

Barsamian alexander-identifying-network-users

P
ProQSys

This document presents a method for passively fingerprinting network users based on their unique patterns of network behavior, as observed in NetFlow data. The method identifies destinations only contacted by a single internal IP, compiling these into fingerprints that can identify users. Initial results found fingerprints for 38-83% of users, depending on how strictly uniqueness was defined. Fingerprints showed some variability over time, leaving opportunities to improve stability and automate the process. The approach aims to make simple behavioral fingerprinting accessible to network administrators.

Technology
Related topics:
Overview of Operating Systems
1 of 23
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Identifying Network Users Using Flow-Based Behavioral Fingerprinting Barsamian, Berk, Murphy Presented to FloCon 2013
What Is A User Fingerprint? • Users settle into unique patterns of behavior according to their tasks and interests • If a particular behavior seems to be unique to one user… … and that behavior is observed… … can we assume that the original user was observed? • Affected by population size, organization mission, and the people themselves Why Fingerprint? • Basic Research • Policy Violations and Advanced Security Warning • Automated Census and Classification 2
Why Fingerprint? • Basic Research – Change Detection – Population Analysis • Policy Violations and Advance Warning – Preliminary heads-up of botnet activity – Identify misuse of credentials • Automated Census and Classification – Passive network inventory – User count estimation (despite multiple devices) – Determination of roles 3
Background • Passive and active static fingerprints – Operating system identification • p0f/NetworkMiner, Nmap – Signature-based detection of worms and intrusions • Dynamic fingerprints – Hardware identification – Unauthorized device detection1 – Browser fingerprinting2 • Increasingly important part of security systems3 – Reinforcing authentication – Identifying policy violations 4 1 Bratus, et al “Active Behavioral Fingerprinting of Wireless Devices”, 2008 2 http://panopticlick.eff.org 3 François, et al “Enforcing Security with Behavioral Fingerprinting”, 2011
But… • Difficult to implement, requiring significant expertise not available to many IT departments • Require unusual or unavailable data – Data collection incurs overhead; easier to justify if data is useful for multiple purposes • No unitaskers in my shop! – Protocol analysis needed • Computationally expensive • Impinges user privacy • Increasingly defeated by encrypted channels and tunnels 5
Challenge Make active, adaptive fingerprinting available to the widest possible set of network administrators • Data requirements – Common data source, common data fields • Processing requirements – Can’t require major computing resources to create and handle • Ease of implementation – Not just technology, but policy – Could search emails and web forms for personally- identifying statistically improbable phrases, but would never fly at most institutions 6
Why NetFlow Fingerprints? • NetFlow has very attractive properties to an analyst… – Privacy • Unintrusive to end users • Not affected by encrypted channels – Speed • Easily-parsed datagrams with fixed fields • Bulk of processing taken care of by specialty equipment – Scalability • Less affected by volume than protocol analyzers • … but is it up to the task? – (Spoiler alert: yes) 7
Methodology After multiple revisions, arrived at the following: 1. Define your parameters 2. Get a list of all the outgoing sessions from that subnet 1. List of sessions for which client IP is in CIDR block of interest 2. From that list, extract the destination addresses 3. For each of those destination addresses, do a 'ip-pair' query: (CLNIP==classC && SRVIP=dest). 1. Count the unique local addresses for each destination 4. Eliminate all of the external addresses that get contacted by more than 1 local address 5. Result is a set of external addresses that are only contacted by ONE client 8 (CLNIP==classC) (CLNIP==classC && SRVIP=dest)
Example Fingerprints User B 661 total sessions eee.87.169.51 93 eee.87.160.30 34 eee.87.169.50 37 9 User A 8475 total sessions aaa.93.185.143 38 bbb.175.78.11 44 ccc.22.176.46 42 ddd.28.187.143 37 • Individual fingerprints for a user (when that user has one) contain a list of IP addresses that user (and only that user) contacted within the time period • One-time connections not included here • Using the Class C block for the server would compress fingerprints like User B’s • In this case, would still be unique
Parameters • Definition of local network – Select the smallest network of interest – May be worth fingerprinting wired and wireless networks separately, to account for users with both desktops and wireless devices • Time frame – Shorter-term profiles faster to create – Longer-term profiles less transitory • Destination subnet – When filtering on each destination, using a slightly wider subnet can reduce the computing impact of content distribution networks • Top N vs. All – Cutting off the list of servers with very few sessions improves scalability – Potential reduced fingerprint list
Data Source Characterization • Knowing your source helps determine optimal parameters • Educational environment with a mix of wireless and wired infrastructure • Inherent “life spans” to fingerprints – Large turnover each year – “Mission” changes every term – Gaps in data (scheduled breaks) confound ability to detect gradual change 11
Select Outbound Requests • Get a list of top servers by destination • How do you define “outbound” and why? – Anything outside examined subnet? Outside organization? – Presumption that use of internal resources not identifying? • Mostly true, but what about private servers? 12
Select Pairs • For each server in Top N list, get the list of clients that contacted it • Filter to reduce computation? – Select only ports of interest (HTTP) • Avoiding BitTorrent makes for stronger profiles – Filter out known-common networks (Akamai, Google) – Include only servers with more than some minimum number of sessions 13
Compile Fingerprints • At this stage we have a list of those servers that have only been contacted by one client – Potentially pre-filtered for significance (e.g. minimum number of sessions, removed trivial connects such as BitTorrent, etc) • Create for each client a list of servers – Optionally: ranked by percent of client’s total traffic (requires second query for each client, increasing total fingerprint time, but providing context and significance measure) • Each list is a basic but functional fingerprint of that client – Sessions to one of those servers in future traffic indicates likely link to that fingerprinted user • Primary: that user generated that traffic (on the original device or not) • Secondary: that user is connected directly to the user who generated that traffic14
Initial Results • Of ~250 users, profiles could be created representing – 38% of users – 53% of total traffic • Breakdown by profile length (# servers in profile): 1. 51 users (55.4% of profiles) 2. 20 users (21.7%) 3. 7 users (7.6%) 4. 9 users (9.8%) 5. 2 users (2.2%) 6. 1 users (1.1%) 7. 1 users (1.1%) 8. 1 users (1.1%) Unique Profiles NP 1 2 3 4 5 6 7 (i.e. 51 users each contacted 1 host unique to them, and one user contacted 8 hosts that nobody else did) 15
Uniqueness Levels • By relaxing uniqueness requirement, more users can be fingerprinted – Tradeoff: Certainty vs. breadth • Nomenclature – The more clients that share a host, the higher the U number 16 U1 U2 U3 U4 • What is lost in ability to pinpoint users, is gained in insight into shared task/interest • Some profiles non-unique • Same user at different IP addresses?
U1-U4 Profile Lists U1 Profiles NP 1 2 3 4 5 U2 Profiles NP 1 2 3 4 5 U3 Profiles NP 1 2 3 4 5 U4 Profiles NP 1 2 3 4 5 38% of users, 53% of traffic 60% of users, 78% of traffic 12 non-unique usersNone U1U2 U3 U4 Membership None U1 U2 U3 U4 75% of users, 89% of traffic 10 non-unique users 83% of users, 93% of traffic 10 non-unique users17
Variance Over Time • Variability from month to month is observed • Month 1 • Month 2 18 Uniqueness % of users % of traffic U1 38% 53% U2 60% 78% U3 75% 89% U4 83% 93% Uniqueness % of users % of traffic U1 46% 80% U2 60% 92% U3 69% 96% U4 75% 98%
Results and Lessons Learned • This represents a first step toward making simple flexible fingerprinting widely available – NetFlow is an ideal data source • Able to fingerprint users comprising majority of network traffic in relatively unrestricted environment • Uniqueness Levels – U1 profiles are more significant – U4 profiles cover far more of the population – Keeping track of them in parallel allows us the best of both worlds 19
Take-Home • NetFlow, with its benefits to privacy, ease, and scalability, can be used to produce simple user fingerprints – Several types are possible; we went with the simplest plausible type • Unique site accesses represent one such fingerprint type – Intuitive and easy to grasp – Adjustable to the level of desired uniqueness • More sophisticated fingerprints are expected to be more useful still 20
Next Steps, Short-Term • Room to grow within NetFlow collection regime: – Refine by port/protocol – Aggregate content distribution networks • Make better use of ground truth – Newer version of software allows searching on MAC address, to quickly check when fingerprint appears to change or duplicate – Determine whether there are substantive differences between wireless and wired networks • Number of individuals with identifiable fingerprints • Fingerprint stability 21
Next Steps, Long-Term • Learning Period Estimation – What constitutes a baseline? • Long-Term Stability – How much do these fingerprints change over time? – What can be learned from those changes? – How are fingerprint lives distributed? vs • Autonomous Operation – Can fingerprint creation and tuning be automated? … to the point of using them for auto-remediation? 22
For Additional Information… • For a copy of these slides and the whitepaper, or to evaluate the fingerprinting tool, visit us at: – http://www.flowtraq.com/research/FloCon2012.html • We would be happy to address any questions or comments – abarsam@flowtraq.com – vberk@flowtraq.com – jmurphy@flowtraq.com 23

More Related Content

PPTX
Network traffic analysis with cyber security
KAMALI PRIYA P
 
PDF
Dist sniffing & scanning project
Rishu Seth
 
PDF
Detection and Prevention of security vulnerabilities associated with mobile b...
Clinton DSouza
 
PPT
Network forensics1
Santosh Khadsare
 
PDF
Feature selection for detection of peer to-peer botnet traffic
Pratik Narang
 
PDF
Network Forensics: Packet Analysis Using Wireshark
n|u - The Open Security Community
 
PPTX
Defense against botnets
Vaibhav Ahlawat
 
PPTX
Network forensics and investigating logs
anilinvns
 
Network traffic analysis with cyber security
KAMALI PRIYA P
 
Dist sniffing & scanning project
Rishu Seth
 
Detection and Prevention of security vulnerabilities associated with mobile b...
Clinton DSouza
 
Network forensics1
Santosh Khadsare
 
Feature selection for detection of peer to-peer botnet traffic
Pratik Narang
 
Network Forensics: Packet Analysis Using Wireshark
n|u - The Open Security Community
 
Defense against botnets
Vaibhav Ahlawat
 
Network forensics and investigating logs
anilinvns
 

What's hot (20)

PPT
Lec 1 apln security(4pd)
Santosh Khadsare
 
PPTX
Minimizing Information Transparency
Usman Arshad
 
PDF
Detection of the botnets’ low-rate DDoS attacks based on self-similarity
IJECEIAES
 
PPT
On hyper-local web pages
Coldbeans Software
 
PDF
Fuzzy System-based Suspicious Pattern Detection in Mobile Forensic Evidence -...
Konstantia Barmpatsalou
 
PPTX
Commonly Used Peer to Peer Methods & Applications
905426
 
PPTX
Introduction to cyber forensics
Anpumathews
 
PPTX
Network forensic
Manjushree Mashal
 
PDF
Network Forensic
Sujeet Kumar
 
PPTX
Open source network forensics and advanced pcap analysis
GTKlondike
 
PPTX
Network packet analysis -capture and Analysis
Manjushree Mashal
 
PPTX
Mobile fraud detection using neural networks
Vidhya Moorthy
 
PPTX
A system for denial of-service attack detection based on multivariate correla...
IGEEKS TECHNOLOGIES
 
PDF
A Location Based Cryptosystem For Mobile Devices Using Improved Rabin Algorithm
Editor IJMTER
 
PDF
A proposed architecture for network
IJCNCJournal
 
PPTX
Secure your LAN
Cadariu Cristian
 
PPTX
Distance-bounding facing both mafia and distance frauds
KaashivInfoTech Company
 
PPTX
What’s New: Splunk App for Stream and Splunk MINT
Splunk
 
PPT
Twitter as a Transport Layer Platform
Coldbeans Software
 
PDF
A Taxonomy of Botnet Detection Approaches
Fabrizio Farinacci
 
Lec 1 apln security(4pd)
Santosh Khadsare
 
Minimizing Information Transparency
Usman Arshad
 
Detection of the botnets’ low-rate DDoS attacks based on self-similarity
IJECEIAES
 
On hyper-local web pages
Coldbeans Software
 
Fuzzy System-based Suspicious Pattern Detection in Mobile Forensic Evidence -...
Konstantia Barmpatsalou
 
Commonly Used Peer to Peer Methods & Applications
905426
 
Introduction to cyber forensics
Anpumathews
 
Network forensic
Manjushree Mashal
 
Network Forensic
Sujeet Kumar
 
Open source network forensics and advanced pcap analysis
GTKlondike
 
Network packet analysis -capture and Analysis
Manjushree Mashal
 
Mobile fraud detection using neural networks
Vidhya Moorthy
 
A system for denial of-service attack detection based on multivariate correla...
IGEEKS TECHNOLOGIES
 
A Location Based Cryptosystem For Mobile Devices Using Improved Rabin Algorithm
Editor IJMTER
 
A proposed architecture for network
IJCNCJournal
 
Secure your LAN
Cadariu Cristian
 
Distance-bounding facing both mafia and distance frauds
KaashivInfoTech Company
 
What’s New: Splunk App for Stream and Splunk MINT
Splunk
 
Twitter as a Transport Layer Platform
Coldbeans Software
 
A Taxonomy of Botnet Detection Approaches
Fabrizio Farinacci
 
Ad

Viewers also liked (15)

PDF
Flow questions and answers
ProQSys
 
DOCX
Mental illness to order1
Grandmaster Paul W Spirit Runing Bear DyerPhD
 
PDF
Corona optus
Invest Gurgaon Properties
 
PPTX
Camouflage
Amit Chauhan
 
PPT
Introduction to TCP/IP
Frank Fang Kuo Yu
 
PDF
Investment from the GCC and development in the Mediterranean.The outlook for ...
Samir Abdelkrim
 
PDF
Foreign direct investment in the Med countries in 2008: Facing the crisis
Samir Abdelkrim
 
PDF
Revit Architecture Training Topics and Notes in Detail Days-51-60
Subair Shamsudheen
 
PDF
Boosting Business in the Mediterranean: Entrepreneurs' Success Stories
Samir Abdelkrim
 
PPTX
Investment opportunities tekirdag_burcu
Burcu Yiğiter
 
ODP
How to bet against a stock
moneygeek
 
PDF
Revit Architecture Training Topics and Notes in Detail Days-41-50
Subair Shamsudheen
 
PPTX
Final case protocol 'abortion'
Abie Atienza
 
PPT
Right to Information Act
Sony Parackal
 
PPT
Right to Information Act
Sony Parackal
 
Flow questions and answers
ProQSys
 
Mental illness to order1
Grandmaster Paul W Spirit Runing Bear DyerPhD
 
Corona optus
Invest Gurgaon Properties
 
Camouflage
Amit Chauhan
 
Introduction to TCP/IP
Frank Fang Kuo Yu
 
Investment from the GCC and development in the Mediterranean.The outlook for ...
Samir Abdelkrim
 
Foreign direct investment in the Med countries in 2008: Facing the crisis
Samir Abdelkrim
 
Revit Architecture Training Topics and Notes in Detail Days-51-60
Subair Shamsudheen
 
Boosting Business in the Mediterranean: Entrepreneurs' Success Stories
Samir Abdelkrim
 
Investment opportunities tekirdag_burcu
Burcu Yiğiter
 
How to bet against a stock
moneygeek
 
Revit Architecture Training Topics and Notes in Detail Days-41-50
Subair Shamsudheen
 
Final case protocol 'abortion'
Abie Atienza
 
Right to Information Act
Sony Parackal
 
Right to Information Act
Sony Parackal
 
Ad

Similar to Barsamian alexander-identifying-network-users (20)

PDF
Network Analysis Mini Project 2.pdf
talkaton
 
PPTX
Network Analysis Mini Project 2.pptx
talkaton
 
PPTX
Splunk for Security: Background & Customer Case Study
Andrew Gerber
 
PPTX
New Splunk Management Solutions Update: Splunk MINT and Splunk App for Stream
Splunk
 
PPT
cyber forensics-enum,sniffing,malware threat.ppt
mcjaya2024
 
PDF
Network security monitoring elastic webinar - 16 june 2021
Mouaz Alnouri
 
PDF
Security Delivery Platform: Best practices
Mihajlo Prerad
 
PPTX
Prensentation on packet sniffer and injection tool
Issar Kapadia
 
PPTX
Big Data Analytics and Advanced Computer Networking Scenarios
Stenio Fernandes
 
PPTX
The stories of IXP development and the way forward, MYNOG 7
APNIC
 
PDF
Stephen Wallo
AFCEA International
 
PDF
Internet Security, A Solid Foundation for Sustainable Internet Development
APNIC
 
PPTX
The differing ways to monitor and instrument
Jonah Kowall
 
PPTX
Onion routing and tor: Fundamentals and Anonymity
anurag singh
 
PPTX
Splunk App for Stream for Enhanced Operational Intelligence from Wire Data
Splunk
 
PPTX
ManageEngine OpUtils Technical Overview
ManageEngine, Zoho Corporation
 
PPTX
Network Bandwidth management - Mumbai Seminar
ManageEngine, Zoho Corporation
 
PPTX
Free Netflow analyzer training - diagnosing_and_troubleshooting
ManageEngine, Zoho Corporation
 
PDF
Network Situational Awareness with d00gle
Dug Song
 
PPTX
Threat_actors_and_vectors_with_whiiteandblack_boxtesting.pptx
gagandeepsinfosec
 
Network Analysis Mini Project 2.pdf
talkaton
 
Network Analysis Mini Project 2.pptx
talkaton
 
Splunk for Security: Background & Customer Case Study
Andrew Gerber
 
New Splunk Management Solutions Update: Splunk MINT and Splunk App for Stream
Splunk
 
cyber forensics-enum,sniffing,malware threat.ppt
mcjaya2024
 
Network security monitoring elastic webinar - 16 june 2021
Mouaz Alnouri
 
Security Delivery Platform: Best practices
Mihajlo Prerad
 
Prensentation on packet sniffer and injection tool
Issar Kapadia
 
Big Data Analytics and Advanced Computer Networking Scenarios
Stenio Fernandes
 
The stories of IXP development and the way forward, MYNOG 7
APNIC
 
Stephen Wallo
AFCEA International
 
Internet Security, A Solid Foundation for Sustainable Internet Development
APNIC
 
The differing ways to monitor and instrument
Jonah Kowall
 
Onion routing and tor: Fundamentals and Anonymity
anurag singh
 
Splunk App for Stream for Enhanced Operational Intelligence from Wire Data
Splunk
 
ManageEngine OpUtils Technical Overview
ManageEngine, Zoho Corporation
 
Network Bandwidth management - Mumbai Seminar
ManageEngine, Zoho Corporation
 
Free Netflow analyzer training - diagnosing_and_troubleshooting
ManageEngine, Zoho Corporation
 
Network Situational Awareness with d00gle
Dug Song
 
Threat_actors_and_vectors_with_whiiteandblack_boxtesting.pptx
gagandeepsinfosec
 

Recently uploaded (20)

PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Teaching material agriculture food technology
LiaRayya
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
KodekX | Application Modernization Development
KodekX
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 

Barsamian alexander-identifying-network-users

  • 1. Identifying Network Users Using Flow-Based Behavioral Fingerprinting Barsamian, Berk, Murphy Presented to FloCon 2013
  • 2. What Is A User Fingerprint? • Users settle into unique patterns of behavior according to their tasks and interests • If a particular behavior seems to be unique to one user… … and that behavior is observed… … can we assume that the original user was observed? • Affected by population size, organization mission, and the people themselves Why Fingerprint? • Basic Research • Policy Violations and Advanced Security Warning • Automated Census and Classification 2
  • 3. Why Fingerprint? • Basic Research – Change Detection – Population Analysis • Policy Violations and Advance Warning – Preliminary heads-up of botnet activity – Identify misuse of credentials • Automated Census and Classification – Passive network inventory – User count estimation (despite multiple devices) – Determination of roles 3
  • 4. Background • Passive and active static fingerprints – Operating system identification • p0f/NetworkMiner, Nmap – Signature-based detection of worms and intrusions • Dynamic fingerprints – Hardware identification – Unauthorized device detection1 – Browser fingerprinting2 • Increasingly important part of security systems3 – Reinforcing authentication – Identifying policy violations 4 1 Bratus, et al “Active Behavioral Fingerprinting of Wireless Devices”, 2008 2 http://panopticlick.eff.org 3 François, et al “Enforcing Security with Behavioral Fingerprinting”, 2011
  • 5. But… • Difficult to implement, requiring significant expertise not available to many IT departments • Require unusual or unavailable data – Data collection incurs overhead; easier to justify if data is useful for multiple purposes • No unitaskers in my shop! – Protocol analysis needed • Computationally expensive • Impinges user privacy • Increasingly defeated by encrypted channels and tunnels 5
  • 6. Challenge Make active, adaptive fingerprinting available to the widest possible set of network administrators • Data requirements – Common data source, common data fields • Processing requirements – Can’t require major computing resources to create and handle • Ease of implementation – Not just technology, but policy – Could search emails and web forms for personally- identifying statistically improbable phrases, but would never fly at most institutions 6
  • 7. Why NetFlow Fingerprints? • NetFlow has very attractive properties to an analyst… – Privacy • Unintrusive to end users • Not affected by encrypted channels – Speed • Easily-parsed datagrams with fixed fields • Bulk of processing taken care of by specialty equipment – Scalability • Less affected by volume than protocol analyzers • … but is it up to the task? – (Spoiler alert: yes) 7
  • 8. Methodology After multiple revisions, arrived at the following: 1. Define your parameters 2. Get a list of all the outgoing sessions from that subnet 1. List of sessions for which client IP is in CIDR block of interest 2. From that list, extract the destination addresses 3. For each of those destination addresses, do a 'ip-pair' query: (CLNIP==classC && SRVIP=dest). 1. Count the unique local addresses for each destination 4. Eliminate all of the external addresses that get contacted by more than 1 local address 5. Result is a set of external addresses that are only contacted by ONE client 8 (CLNIP==classC) (CLNIP==classC && SRVIP=dest)
  • 9. Example Fingerprints User B 661 total sessions eee.87.169.51 93 eee.87.160.30 34 eee.87.169.50 37 9 User A 8475 total sessions aaa.93.185.143 38 bbb.175.78.11 44 ccc.22.176.46 42 ddd.28.187.143 37 • Individual fingerprints for a user (when that user has one) contain a list of IP addresses that user (and only that user) contacted within the time period • One-time connections not included here • Using the Class C block for the server would compress fingerprints like User B’s • In this case, would still be unique
  • 10. Parameters • Definition of local network – Select the smallest network of interest – May be worth fingerprinting wired and wireless networks separately, to account for users with both desktops and wireless devices • Time frame – Shorter-term profiles faster to create – Longer-term profiles less transitory • Destination subnet – When filtering on each destination, using a slightly wider subnet can reduce the computing impact of content distribution networks • Top N vs. All – Cutting off the list of servers with very few sessions improves scalability – Potential reduced fingerprint list
  • 11. Data Source Characterization • Knowing your source helps determine optimal parameters • Educational environment with a mix of wireless and wired infrastructure • Inherent “life spans” to fingerprints – Large turnover each year – “Mission” changes every term – Gaps in data (scheduled breaks) confound ability to detect gradual change 11
  • 12. Select Outbound Requests • Get a list of top servers by destination • How do you define “outbound” and why? – Anything outside examined subnet? Outside organization? – Presumption that use of internal resources not identifying? • Mostly true, but what about private servers? 12
  • 13. Select Pairs • For each server in Top N list, get the list of clients that contacted it • Filter to reduce computation? – Select only ports of interest (HTTP) • Avoiding BitTorrent makes for stronger profiles – Filter out known-common networks (Akamai, Google) – Include only servers with more than some minimum number of sessions 13
  • 14. Compile Fingerprints • At this stage we have a list of those servers that have only been contacted by one client – Potentially pre-filtered for significance (e.g. minimum number of sessions, removed trivial connects such as BitTorrent, etc) • Create for each client a list of servers – Optionally: ranked by percent of client’s total traffic (requires second query for each client, increasing total fingerprint time, but providing context and significance measure) • Each list is a basic but functional fingerprint of that client – Sessions to one of those servers in future traffic indicates likely link to that fingerprinted user • Primary: that user generated that traffic (on the original device or not) • Secondary: that user is connected directly to the user who generated that traffic14
  • 15. Initial Results • Of ~250 users, profiles could be created representing – 38% of users – 53% of total traffic • Breakdown by profile length (# servers in profile): 1. 51 users (55.4% of profiles) 2. 20 users (21.7%) 3. 7 users (7.6%) 4. 9 users (9.8%) 5. 2 users (2.2%) 6. 1 users (1.1%) 7. 1 users (1.1%) 8. 1 users (1.1%) Unique Profiles NP 1 2 3 4 5 6 7 (i.e. 51 users each contacted 1 host unique to them, and one user contacted 8 hosts that nobody else did) 15
  • 16. Uniqueness Levels • By relaxing uniqueness requirement, more users can be fingerprinted – Tradeoff: Certainty vs. breadth • Nomenclature – The more clients that share a host, the higher the U number 16 U1 U2 U3 U4 • What is lost in ability to pinpoint users, is gained in insight into shared task/interest • Some profiles non-unique • Same user at different IP addresses?
  • 17. U1-U4 Profile Lists U1 Profiles NP 1 2 3 4 5 U2 Profiles NP 1 2 3 4 5 U3 Profiles NP 1 2 3 4 5 U4 Profiles NP 1 2 3 4 5 38% of users, 53% of traffic 60% of users, 78% of traffic 12 non-unique usersNone U1U2 U3 U4 Membership None U1 U2 U3 U4 75% of users, 89% of traffic 10 non-unique users 83% of users, 93% of traffic 10 non-unique users17
  • 18. Variance Over Time • Variability from month to month is observed • Month 1 • Month 2 18 Uniqueness % of users % of traffic U1 38% 53% U2 60% 78% U3 75% 89% U4 83% 93% Uniqueness % of users % of traffic U1 46% 80% U2 60% 92% U3 69% 96% U4 75% 98%
  • 19. Results and Lessons Learned • This represents a first step toward making simple flexible fingerprinting widely available – NetFlow is an ideal data source • Able to fingerprint users comprising majority of network traffic in relatively unrestricted environment • Uniqueness Levels – U1 profiles are more significant – U4 profiles cover far more of the population – Keeping track of them in parallel allows us the best of both worlds 19
  • 20. Take-Home • NetFlow, with its benefits to privacy, ease, and scalability, can be used to produce simple user fingerprints – Several types are possible; we went with the simplest plausible type • Unique site accesses represent one such fingerprint type – Intuitive and easy to grasp – Adjustable to the level of desired uniqueness • More sophisticated fingerprints are expected to be more useful still 20
  • 21. Next Steps, Short-Term • Room to grow within NetFlow collection regime: – Refine by port/protocol – Aggregate content distribution networks • Make better use of ground truth – Newer version of software allows searching on MAC address, to quickly check when fingerprint appears to change or duplicate – Determine whether there are substantive differences between wireless and wired networks • Number of individuals with identifiable fingerprints • Fingerprint stability 21
  • 22. Next Steps, Long-Term • Learning Period Estimation – What constitutes a baseline? • Long-Term Stability – How much do these fingerprints change over time? – What can be learned from those changes? – How are fingerprint lives distributed? vs • Autonomous Operation – Can fingerprint creation and tuning be automated? … to the point of using them for auto-remediation? 22
  • 23. For Additional Information… • For a copy of these slides and the whitepaper, or to evaluate the fingerprinting tool, visit us at: – http://www.flowtraq.com/research/FloCon2012.html • We would be happy to address any questions or comments – abarsam@flowtraq.com – vberk@flowtraq.com – jmurphy@flowtraq.com 23