
Security by Simple Network Traffic Monitoring

Hiroshi TSUNODA
Tohoku Institute of Technology, 35-1, Yagiyama Kasumi-cho, Taihaku-ku, Sendai, Miyagi, Japan, +81-22-305-3411
tsuno@m.ieice.org

Glenn Mansfield Keeni
Cyber Solutions Inc., ICR Bldg, 6-6-3, Minami Yoshinari, Aoba-ku, Sendai, Miyagi, Japan, +81-22-303-4012
glenn@cysols.com

ABSTRACT
In this work we show how data vital to information and network security management can be obtained, relatively easily by basic traffic monitoring and analysis. We introduce a new traffic analysis technique, category transform, to extract more useful information from available data and show the means and significance of looking at traffic characteristics at greater detail.

companies prohibit use of devices not registered in the company. Yet, in a survey of the companies that prohibit use of private devices in the intranet, staff in 55% of the companies reported that they breached the policy without detection. This points to lack of monitoring of devices used in the intranet. In the following sections we show how network device monitoring can be done relatively easily by network traffic analysis.

Categories and Subject Descriptors


C.2.0 [Computer-Communication Networks]: General - Security and protection; C.2.3 [Computer-Communication Networks]: Network Operations - Network management, Network monitoring

2.1 Device Detection by Monitoring ARP and NDP Packets


For communications in the intranet, it is necessary to discover the mapping between the Layer-2 (MAC) addresses and the Layer-3 (IP) addresses. This is done using the Address Resolution Protocol (ARP) for IPv4 and Neighbor Discovery Protocol (NDP) for IPv6. These discovery attempts are easy to monitor as the protocol request packets are always broadcast across the network. In the intranet it is very important to monitor and regulate the devices that will connect to the network. The regulation may depend on time of day and place/network of connection. By monitoring ARP/NDP packets the devices that are connected to the network can be monitored. Network administrators can detect newly connected terminals and obtain pairs of IP address and MAC address of connected terminals by analyzing the header field and payload of these discovery packets. This technique is useful and important in both IPv4/IPv6 networks. In IPv6, terminal discovery by pinging the multicast addresses cannot completely discover all terminals because some operating systems do not respond to ping requests destined for multicast addresses. Therefore, terminal detection by monitoring NDP packets is important. The results may also be used to generate usage logs of terminals. An ARP or NDP packet indicates that the source of the packet is present in the network and is attempting to communicate with another device. Hence, they can be used for estimating terminal activities in the intranet. Figure 1 shows an example of estimated activity by using ARP packet information. These logs will be very useful for forensic studies once an event has occurred.

General Terms
Management, Measurement, Security

Keywords
Traffic monitoring, Network security, Category transform

1. INTRODUCTION
For information and network security management, it is necessary to monitor and vet everything that happens on a network and on the connected devices. A surprising amount of information, vital to information and network security management, can be obtained, relatively easily by basic traffic monitoring and analysis. A large part of this analysis can be passive which means zero additional load on the network. More often than not, it does appear that this information is overlooked or not utilized. In this work we discuss these information components. We show how they can be obtained in a network which uses the TCP/IPv4/IPv6 suite of protocols. We introduce a new traffic analysis technique, category transform, to extract more useful information from available data and show the means of looking at traffic characteristics at greater detail. We show the significance of these information components in the security context.

2. NETWORK DEVICE MONITORING


According to a survey report [1], 40% of companies in Japan have a clear policy on BYOD (Bring Your Own Device). 29% of the

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
SIN12, October 25-27, 2012, Jaipur, India.
Copyright 2012 ACM 978-1-4503-1668-2/12/10 ...$15.00.

Figure 1 Terminal activity estimated using ARP packets


2.2 Verification of Detected Devices


From the point of view of security, the result can be vetted with respect to the security policy of the organization to decide whether:
  A) the device is
     A-1) allowed to connect to the network,
     A-2) not allowed to connect at that time,
     A-3) not allowed to connect to that network;
  B) the device is an illegal device;
  C) misleading information is being sent.
ARP and NDP packets can be misused to manipulate communication in the intranet. Both ARP and NDP are based on trust: every packet is trusted and its authenticity is not verified. By sending a crafted ARP or NDP packet, communication can be diverted. The presence of such forged packets could indicate that
  C-1) an attempt to disrupt the communication is in progress, or
  C-2) a man-in-the-middle attack is in progress: the communication is being diverted to an intended target and from there to the intended destination. This is often the modus operandi employed to steal information and/or tamper with the communication contents.
Defense against man-in-the-middle attacks requires continuous monitoring of ARP and NDP packets and their validation. It must be noted that MAC addresses may be spoofed too. However, this should not prevent the operator/administrator from doing the primary checks assuming non-spoofed addresses.
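As an added illustration of sections 2.1 and 2.2 (example code written for this page, not the authors' tool), the following Python parses raw IPv4 ARP frames, keeps the IP/MAC table and per-device activity log, and flags the cases listed above: a newly seen device (A), a device whose MAC is absent from a hypothetical registry of permitted MACs (B), and an IP address answered for by a second MAC (C). The frames and the MAC registry are constructed sample data; NDP would need the same treatment with ICMPv6 parsing.

```python
import struct
ETH_TYPE_ARP = b"\x08\x06"   # EtherType field value for ARP

def parse_arp(frame):
    """(op, sender_mac, sender_ip, target_ip) for IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42 or frame[12:14] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return op, mac(frame[22:28]), ip(frame[28:32]), ip(frame[38:42])

def build_arp(op, sha, spa, tha, tpa):
    """Build a sample frame (constructed test input, not a capture); op 1=request, 2=reply."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    dst = b"\xff" * 6 if op == 1 else mac(tha)       # requests are broadcast
    return (dst + mac(sha) + ETH_TYPE_ARP + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

class ArpMonitor:
    def __init__(self, allowed_macs):
        self.allowed = set(allowed_macs)   # hypothetical registry of permitted devices
        self.ip_to_mac = {}                # IP -> MAC as last announced on the wire
        self.activity = {}                 # MAC -> timestamps, the usage log of Figure 1
    def observe(self, ts, frame):
        """Feed one captured frame; return the policy events it raises (maybe none)."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        _, mac, ip, _ = parsed
        events = []
        if mac not in self.activity:
            events.append(("new-device", mac, ip))          # first sighting (case A)
        self.activity.setdefault(mac, []).append(ts)
        if mac not in self.allowed:
            events.append(("not-allowed", mac, ip))         # unregistered device (case B)
        prev = self.ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            events.append(("ip-conflict", ip, prev, mac))   # IP now claimed by another MAC (case C)
        self.ip_to_mac[ip] = mac
        return events

def demo():
    # Constructed sequence: a registered host asks for the gateway, the gateway replies,
    # then an unregistered device appears and later answers for the gateway's address.
    mon = ArpMonitor({"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:fe"})
    frames = [
        (1.0, build_arp(1, "aa:bb:cc:00:00:01", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1")),
        (1.1, build_arp(2, "aa:bb:cc:00:00:fe", "192.0.2.1", "aa:bb:cc:00:00:01", "192.0.2.10")),
        (3.0, build_arp(1, "de:ad:be:ef:00:99", "192.0.2.50", "00:00:00:00:00:00", "192.0.2.1")),
        (4.0, build_arp(2, "de:ad:be:ef:00:99", "192.0.2.1", "aa:bb:cc:00:00:01", "192.0.2.10")),
    ]
    return [e for ts, f in frames for e in mon.observe(ts, f)]
```

Running demo() yields a new-device event for each of the three MACs, a not-allowed event for the unregistered device, and finally an ip-conflict event for 192.0.2.1, the trace an administrator would inspect before treating the address table as trustworthy.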

volume is difficult. But if we can look at the traffic characteristics in greater detail i.e. smaller intervals, the sharp short-lived bursts may manifest themselves. Figure 2 shows an example of high resolution monitoring. When we look at the number of packets per second, the variation is relatively stable. However, the number of packets per 10 milliseconds shows that there are several peaks. Such peaks indicate that short bursts of traffic existed. These bursts may cause instantaneous congestion in the network.

Figure 2 High resolution monitoring

3. NETWORK ACTIVITY MONITORING

3.1 Traffic Volume Monitoring


Traffic characteristics provide a wealth of information on network activities. Observation of traffic statistics is important not only for evaluating the quality and performance of networks, but also for detecting incidents and securing networks. In general, traffic characteristics are limited to traffic volume, e.g. the number of packets and/or the number of octets. Large variations in the traffic characteristics are considered suspicious and merit investigation. Although variations of overall traffic are in general frequent and thus tend to be ignored, variations at small timescales and variations in specific types of traffic give important insights into hidden attacks or the risk of information leakage. We discuss how we can obtain useful information from the variations of traffic volume.

3.1.2 Monitoring of Encrypted Traffic


In some cases the monitored traffic may be encrypted. The encrypted nature of the traffic may be determined from the network services (i.e., source or destination port number in a transport protocol header). Table 1 shows some of the well-known services that send and receive encrypted traffic.

Table 1 Network services with encryption and assigned port numbers

  Service   Port number
  ssh       22
  https     443
  imaps     993
  pop3s     995

3.1.1 High Resolution Traffic Monitoring


High resolution traffic monitoring [2] enables us to monitor traffic at the timescale of milliseconds, and it is useful for detecting stealthy DoS attacks. Stealthy DoS attacks are also known as low-rate TCP-targeted DoS attacks [3] or pulsing DoS attacks. This type of attack sends sharp, short-lived traffic bursts periodically to routers, instead of the continuous packet flood of conventional DDoS attacks. Such bursts fill up router buffers and cause packet losses in legitimate TCP flows. Since a TCP sender interprets packet losses as a sign of congestion, the throughput of legitimate flows is reduced by congestion control. Since each traffic burst is sharp and short-lived, the total traffic volume may not be large and detection based on the traffic

It is important that the administrator be aware of the encrypted traffic flowing in and out of the network. In particular, ssh and https are often used to build tunnels to bypass firewalls. If the administrator is not aware of unauthorized tunnels, he/she is running the risk of information leakage. Therefore, the administrator must audit the source and destination of encrypted traffic in order to make sure that there are no undetected and unauthorized tunnels. On the other hand the network administrator must also make sure that the unencrypted traffic flowing out of the network carries minimal risk. If confidential information is carried in unencrypted traffic, malicious users may be able to obtain the information easily.


3.2 Category Transform


In some cases the variations in traffic volume may be too small to be noticeable. A massive increase in traffic volume would indicate that a Denial of Service (DoS) attack is in progress. However, if the bandwidth was already saturated, the traffic will not increase despite the attack, and the attack will evade detection. Also, network scanning, which does not generate a large traffic volume, cannot be detected based on traffic volume. In this subsection, we discuss a different view of the traffic that amplifies changes in usage patterns, particularly attacks. A category is a property defined by the value of one or more packet header fields. Figure 3 illustrates the header fields of IPv4, TCP, and UDP respectively. For example, packets with the same transport protocol belong to the same category. Packets can also be categorized based on their source address, destination address, source port number, destination port number, and so on.

into the network dynamics. Below we discuss how incidents can be detected based on the category transform technique.

3.2.1 Port Scan Detection


A port scan is an activity that identifies the open ports of a target host. A potential attacker conducts a port scan in order to find vulnerable services before attempting an actual intrusion. Since a port scan does not generate many packets, the traffic volume may not increase significantly even if the i-th interval falls in the scan period. However, since the attacker probes every port of the target host and ports can take values in the range of 1 to 65535, the number of destination port categories will show a significant increase. Figure 4 shows examples of the variation in the number of packets and the number of categories . As shown in Figure 4, varies even in normal situations and is not a good parameter for detecting a port scan. On the other hand, the number of destination port categories is stable in normal conditions, and it increases significantly when a port scan is in progress. In this manner, when the usage pattern changes, destination port category based characteristics show a change that is amplified compared to volume-based characteristics.


Figure 3 IPv4, TCP, and UDP header fields

By transforming from the traffic volume to the traffic category, the identification of some characteristics is amplified. Unlike traffic volume, the variation of the number of categories in normal situations is limited based on users' usage pattern. Thus, a sudden increase or decrease of the number of categories is likely to be caused by some new usage pattern. Say that the traffic volume is represented by the time series - ( packets have been detected at the i-th time interval from to . Width of i-th interval is .). The corresponding category transformed time series will be ( categories were seen in the packets). For example if we are focusing on the source address category, then source addresses were present in the packets seen in the i-th time interval. If a category , j-th category in i-th interval, includes packets, the relationship between and is represented as

Figure 4 Variation pattern of packet count and the number of categories in port scan activity

3.2.2 DDoS Attack Detection


Distributed DoS (DDoS) attacks pose a serious threat to the availability of Internet servers. In DDoS attacks, multiple attackers send a large number of packets to a victim [2]. Recently, several DDoS attacks have been reported [3]. Early detection of and defense against DDoS attacks are still important issues in network security. One of the difficulties of DDoS detection is that the payloads of attack packets are the same as those of legitimate packets. Thus it is almost impossible to detect and filter out attack packets at a firewall. Moreover, the source addresses of attack packets are usually spoofed randomly in order to evade detection. Thus, detection using a blacklist of source addresses does not work. However, by looking at source IP address categories, one will see a significant increase. The number of source IP address categories will increase significantly, upper-bounded by the number of packets . Figure 5 shows examples of the variation in the number of packets and the number of source IP address categories . Although the number of packets increased due to a DoS attack, there are similar unrelated increases in even under normal circumstances. Thus it is difficult to detect a DoS attack based only on . But, by

Note that 1 in the usual case. The traffic volume and traffic category monitored in a given link are both upper bounded by ( ) where Bw and MTU are the bandwidth and the maximum transmission unit of the link, respectively. But obviously because 1 in a normal network. Therefore, the number of categories more strongly reflects a change in usage pattern of the link. By transforming from traffic volume to traffic category, the amplified traffic characteristics provide us with deeper insights


looking at the number of source IP address categories, DoS attacks can be identified more easily.

Figure 5 Variation pattern of packet count and the number of categories in DDoS attacks (panel labels: File sharing, DDoS)

3.2.3 Focused Category Transform


In some cases the data characteristics may be weak or almost invisible even after category transform. For example, when a DDoS is carried out by varying the source address over a relatively small range, or when an illegal application like file-sharing software is running and accepts connections to several addresses, the relative change in the total number of addresses seen over the link is likely to be small. In cases like this, the traffic may be grouped according to some property in the packet, for example on the value of one or more IP-header fields (transport protocol, source address, destination address), other protocol header fields (source port, destination port), and/or any combination of these. The resultant grouped traffic may then be category transformed. This allows us to see changes in the categories of traffic
  (a) from/to a network/group of hosts/host/group of ports/port,
  (b) for a particular protocol (TCP/UDP/ICMP),
  (c) combination of (a) and (b).

Figure 6 Variation pattern of packet count, categories, and focused categories in illegal file sharing activities

resolution protocol request packets and neighbor discovery protocol request packets. Network activities can be monitored by looking at traffic statistics from various points of view. We have introduced a new traffic analysis technique called category transform. By transforming the traffic volume to the traffic category, some characteristics of traffic are amplified and some usage patterns, particularly illegal usage patterns, become clear.

5. ACKNOWLEDGEMENTS
This work was partially supported by Promotion program for Reducing global Environmental loaD through ICT innovation (PREDICT-115102001), Ministry of Internal Affairs and Communications, Japan. The authors would like to thank the WIDE-netman group for their valuable comments.

REFERENCES

An increase in the focused category transformed statistic may indicate an attack from outside on the focused group, an illegal application running inside the focused group, or a fault or misconfiguration of the network. A decrease in the focused category transformed statistic may indicate a fault or link down in the network or an application failure. Figure 6 illustrates the variation in the number of packets, destination IP address categories, and focused categories in illegal file sharing activities. Note that it is difficult to find characteristic changes in either the number of packets or the number of destination IP address categories. But if we focus on a specific source host, we can see a sudden increase in the number of destination IP address categories.
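The following Python, an added example rather than the paper's code, implements the category transform of sections 3.2.1 to 3.2.3 as one function: per-interval packet count and number of distinct categories for a chosen header field, optionally restricted first to a group of packets (the focused transform). The trace is constructed sample data: background traffic plus a bulk download, a file-sharing host, a port scan and a spoofed-source flood, so the four views can be compared interval by interval; all addresses, ports and counts are assumptions.

```python
from collections import defaultdict

def category_transform(packets, width, key, focus=None):
    """Map interval index i -> (packet count, number of categories).
    key selects the header field(s) that define a category; focus, if given,
    first keeps only a group of packets (the focused transform of 3.2.3)."""
    n_pkts, cats = defaultdict(int), defaultdict(set)
    for p in packets:
        if focus is None or focus(p):
            i = int(p["t"] // width)           # i-th interval of the given width
            n_pkts[i] += 1
            cats[i].add(key(p))
    return {i: (n_pkts[i], len(cats[i])) for i in sorted(n_pkts)}

def pkt(t, src, dst, dport):
    return {"t": t, "src": src, "dst": dst, "dport": dport}

def build_trace():
    """Constructed five-second trace (sample data, not a real capture).
    Background: 10 hosts -> 120 servers on ports 80/443/22, 360 packets/s.
    Interval 1 adds a bulk download (volume spike only), interval 2 a
    file-sharing host fanning out to 20 new peers, interval 3 a port scan and
    interval 4 a flood with spoofed source addresses."""
    tr = [pkt(i + n / 360, f"192.0.2.{10 + n % 10}", f"198.51.100.{1 + n % 120}",
              (80, 443, 22)[n % 3]) for i in range(5) for n in range(360)]
    tr += [pkt(1 + n / 600, "192.0.2.11", "198.51.100.7", 443) for n in range(600)]
    tr += [pkt(2 + n / 40, "192.0.2.15", f"203.0.113.{1 + n % 20}", 6881)
           for n in range(40)]
    tr += [pkt(3 + n / 200, "203.0.113.99", "192.0.2.10", 1 + n) for n in range(200)]
    tr += [pkt(4 + n / 500, f"10.{n % 7}.{n % 13}.{n % 251}", "192.0.2.10", 53)
           for n in range(500)]
    return tr

def analyze(trace, width=1.0):
    """The views used in the paper: destination-port categories (port scan),
    source-address categories (DDoS), destination-address categories over the
    whole link and focused on one source host (file sharing)."""
    return {
        "dport": category_transform(trace, width, lambda p: p["dport"]),
        "src": category_transform(trace, width, lambda p: p["src"]),
        "dst": category_transform(trace, width, lambda p: p["dst"]),
        "dst_focus": category_transform(trace, width, lambda p: p["dst"],
                                        focus=lambda p: p["src"] == "192.0.2.15"),
    }

if __name__ == "__main__":
    for name, series in analyze(build_trace()).items():
        print(name, series)
```

In the output the bulk download in interval 1 nearly triples the packet count while every category count stays flat, the scan in interval 3 lifts destination-port categories from 3 to 201, the flood in interval 4 lifts source-address categories from 10 to 510, and the file-sharing host moves link-wide destination categories only from 120 to 140 but its focused count from 12 to 32.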

[1] Trend Micro. Actual condition survey about BYOD of smart phones and tablet devices (in Japanese). Retrieved July 29, 2012, from Trend Micro: http://jp.trendmicro.com/jp/about/news/pr/article/20120628060439.html.
[2] G. Mansfield, S. Karakala, T. Saitoh, and N. Shiratori. High Resolution Traffic Measurement. Workshop on Passive and Active Measurements on the Internet (PAM2001), April 2001.
[3] E. Knightly and A. Kuzmanovic. Low-Rate TCP-Targeted Denial of Service Attacks and Counter Strategies. IEEE/ACM Transactions on Networking, 14(4):638-696, August 2006.
[4] R. Chang. Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial. IEEE Communications Magazine, 40(10):42-51, October 2002.
[5] The Guardian. Anonymous claims responsibility for taking down government sites. Retrieved July 30, 2012, from The Guardian: http://www.guardian.co.uk/technology/2012/apr/08/anonymous-taking-down-government-websites.


4. CONCLUSION
In this paper, we have shown that simple and basic traffic monitoring and analysis provide information that is vital for network security management. Network security management requires monitoring connected devices and activities in an intranet. Network device monitoring can be done by analyzing address


