
The edge router of an enterprise network was configured to report IP flow statistics, using version 9 of the Netflow protocol, to a server running the Netflow collector software. The values assigned to each configuration parameter on the router are outlined in Table 5.16.

The flow samples reported by the router included all attributes listed in Table 5.17. The Netflow collector recorded flow samples for a period of seven days during a normal work week, from Monday morning 00h00 to the same time the following week. The flow records provided by the router were unidirectional: separate entries were recorded for requests (source host to destination host) and responses (destination host to source host).

| Feature | Description |
| --- | --- |
| Timestamp | An integer time value (epoch) reported by the router |
| Protocol | An integer value representing the transport layer protocol of the flow |
| ToS | The Type of Service (ToS) bits set in the flow |
| SYN | An indication if a SYN flag was observed for the flow |
| ACK | An indication if an ACK flag was set for the flow |
| Exporter | The router's IP address, encoded as a 32-bit integer |
| SRC | The source IP address of the flow, encoded as a 32-bit integer |
| DST | The destination IP address of the flow, encoded as a 32-bit integer |
| sPort | The source port of the flow |
| dPort | The destination port of the flow |
| Packets | Total packets switched during the current reporting period |
| Octets | Total bytes switched during the current reporting period |
| IfIn | Inbound interface of the flow |
| IfOut | Outbound interface of the flow |

Table 5.17: Features included in each flow record reported by the router. Netflow version 9 is template based, meaning the features used to describe each flow may be customised on the router. The features listed in this table describe the default flow template defined on the test router.

Related flow samples were combined and aggregated into a single entry per host for each time-slot. Both internal and external hosts were aggregated, as the objective of this case study was to evaluate the APIC method as both a victim-end and source-end NBAD system. The aggregate features, calculated for each active host per time-slot, are outlined in Table 5.18.

| Feature | Description |
| --- | --- |
| timeslot | The five-minute time-slot associated with this record. Example: 2016-01-01 00:05:00 |
| host | The IP address of the summarised host. Example: 192.168.10.245 |
| outTotalFlows | The total number of flows from this host toward others |
| inTotalFlows | The total number of flows toward this host from others |
| outICMPFlows | The total number of ICMP flows from this host toward others |
| inICMPFlows | The total number of ICMP flows toward this host from others |
| outTCPFlows | The total number of TCP flows from this host toward others |
| inTCPFlows | The total number of TCP flows toward this host from others |
| outUDPFlows | The total number of UDP flows from this host toward others |
| inUDPFlows | The total number of UDP flows toward this host from others |
| outSYN | The total number of flows with TCP SYN flag set from this host toward others |
| inSYN | The total number of flows with TCP SYN flag set from others toward this host |
| outACK | The total number of flows with TCP ACK flag set from this host toward others |
| inACK | The total number of flows with TCP ACK flag set from others toward this host |
| outTotalPackets | The total number of packets sent by this host to others |
| inTotalPackets | The total number of packets sent by others toward this host |
| outICMPPackets | The total number of ICMP packets sent by this host to others |
| inICMPPackets | The total number of ICMP packets sent by others toward this host |
| outTCPPackets | The total number of TCP packets sent by this host to others |
| inTCPPackets | The total number of TCP packets sent by others toward this host |
| outUDPPackets | The total number of UDP packets sent by this host to others |
| inUDPPackets | The total number of UDP packets sent by others toward this host |
| outBytes | The total number of bytes (octets) sent by this host to others |
| inBytes | The total number of bytes (octets) received by this host from others |
| dstHosts | The number of unique hosts this host sent packets toward |
| srcHosts | The number of unique hosts sending packets toward this host |

Table 5.18: Features used to describe the communications of each host on the network.

A unique record was created for each host at every time-slot it was observed.

Figure 5.7: Total number of flows recorded per five-minute time-slot during the seven-day observation period.

| Feature | Description |
| --- | --- |
| rOutTotalPkts | The ratio of total outbound packets to total inbound packets |
| rInTotalPkts | The ratio of total inbound packets to total outbound packets |
| rOutICMPPkts | The ratio of ICMP outbound packets to ICMP inbound packets |
| rInICMPPkts | The ratio of ICMP inbound packets to ICMP outbound packets |
| icmpOutPerc | Outbound ICMP packets as a percentage of total outbound packets |
| icmpInPerc | Inbound ICMP packets as a percentage of total inbound packets |
| rOutTCPPkts | The ratio of TCP outbound packets to TCP inbound packets |
| rInTCPPkts | The ratio of TCP inbound packets to TCP outbound packets |
| tcpOutPerc | Outbound TCP packets as a percentage of total outbound packets |
| tcpInPerc | Inbound TCP packets as a percentage of total inbound packets |
| rOutUDPPkts | The ratio of UDP outbound packets to UDP inbound packets |
| rInUDPPkts | The ratio of UDP inbound packets to UDP outbound packets |
| udpOutPerc | Outbound UDP packets as a percentage of total outbound packets |
| udpInPerc | Inbound UDP packets as a percentage of total inbound packets |
| rOutBytes | The ratio of total outbound bytes to inbound bytes |
| rInBytes | The ratio of total inbound bytes to outbound bytes |
| rOutSYN | The ratio of outbound flows with SYN TCP flag set to inbound flows with ACK TCP flag set |
| rInSYN | The ratio of inbound flows toward this host with SYN TCP flag set to outbound flows with ACK TCP flag set |
| rDstHosts | The ratio of unique hosts outbound flows were directed to against the number of flows inbound from unique hosts |
| rSrcHosts | The ratio of unique hosts inbound flows directed to the host against the number of flows outbound from the host |

Table 5.19: Statistical features derived from the aggregated flow records, used to describe and profile host communications on the network. The features listed were included in the

| Day | Training Data | Testing Data |
| --- | --- | --- |
| Monday | 116,938 | 29,234 |
| Tuesday | 80,068 | 20,017 |
| Wednesday | 80,989 | 20,247 |
| Thursday | 71,085 | 17,771 |
| Friday | 75,930 | 18,983 |
| Saturday | 81,282 | 20,321 |
| Sunday | 110,227 | 27,557 |
| Total | 616,519 | 154,130 |

Table 5.20: Netflow experiment training and test data sets. Each count represents normal, individual host communication profiles summarised per timeslot.

A plot of the total number of aggregate flows recorded per time-slot, for the seven-day observation period, is shown in Figure 5.7. These aggregated records were used to produce statistical features, describing the communication profile of each host to the APIC method. These features are catalogued in Table 5.19.
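The aggregation and feature derivation described above, as an added Python example that is not the author's code: constructed flow records using the Table 5.17 field names are folded into per-host, per-time-slot counters (Table 5.18), and a subset of the Table 5.19 ratios is derived from them. The zero-denominator convention, the function names and every sample address other than 192.168.10.245 are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address
SLOT = 300                                 # five-minute time-slot, in seconds
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}   # IANA protocol numbers

def aggregate(flows):
    """One Table 5.18-style record per (timeslot, host) from unidirectional flows."""
    recs, peers = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for f in flows:
        slot = f["Timestamp"] - f["Timestamp"] % SLOT
        proto = PROTO.get(f["Protocol"])
        # Each flow counts as outbound for its SRC and inbound for its DST.
        for d, host, peer in (("out", f["SRC"], f["DST"]), ("in", f["DST"], f["SRC"])):
            r = recs[(slot, host)]
            r[d + "TotalFlows"] += 1
            r[d + "TotalPackets"] += f["Packets"]
            r[d + "Bytes"] += f["Octets"]
            r[d + "SYN"] += f["SYN"]
            r[d + "ACK"] += f["ACK"]
            if proto:
                r[d + proto + "Flows"] += 1
                r[d + proto + "Packets"] += f["Packets"]
            peers[(slot, host, d)].add(peer)   # unique peers per direction
            r["dstHosts" if d == "out" else "srcHosts"] = len(peers[(slot, host, d)])
    return recs

def ratio(num, den):
    # Assumption: a zero denominator yields 0.0; the page does not state its convention.
    return num / den if den else 0.0

def derive(r):
    """Subset of the Table 5.19 features for one aggregated record."""
    return {
        "tcpOutPerc": ratio(100 * r["outTCPPackets"], r["outTotalPackets"]),
        "rOutBytes": ratio(r["outBytes"], r["inBytes"]),
        "rOutSYN": ratio(r["outSYN"], r["inACK"]),
        "rInSYN": ratio(r["inSYN"], r["outACK"]),
    }

# Constructed sample flows; addresses are 32-bit integers as in Table 5.17.
KEYS = ("Timestamp", "Protocol", "SYN", "ACK", "SRC", "DST", "Packets", "Octets")
H, A, B, C = (int(ip_address(a)) for a in
              ("192.168.10.245", "203.0.113.10", "203.0.113.11", "198.51.100.53"))
FLOWS = [dict(zip(KEYS, row)) for row in [
    (1451606710, 6, 1, 0, H, A, 3, 180),    # TCP request
    (1451606712, 6, 1, 1, A, H, 2, 120),    # TCP response
    (1451606720, 6, 1, 0, H, B, 1, 60),     # SYN with no response flow
    (1451606730, 17, 0, 0, H, C, 1, 70),    # UDP request
    (1451606731, 17, 0, 0, C, H, 1, 130),   # UDP response
    (1451607010, 6, 1, 1, H, A, 4, 400),    # falls in the next time-slot
]]
```

Calling `derive(aggregate(FLOWS)[(1451606700, H)])` profiles 192.168.10.245 for the 2016-01-01 00:05:00 UTC slot; the unanswered SYN raises `rOutSYN` above 1.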

In total, 96 internal and 62,889 external hosts were observed communicating through the router over the seven-day period. These communications generated 4,578,500 flow entries, all of which were aggregated, transformed and summarised per time-slot using the features described in Table 5.19. A plot showing the average value for each of these statistical features per time-slot is provided in Figure 5.8. A total of 770,649 host communication profiles were generated using the recorded flow data set. These temporal host profiles were divided into both training and testing data sets. For each time-slot, 80 percent of the recorded flows were randomly selected and moved to the training set, with the remaining 20 percent assigned to the testing set. The distribution of training and testing data, per day, is listed in Table 5.20.

Figure 5.8: A plot describing the distribution of the average value for each statistical feature (Table 5.19) for each timeslot recorded over the seven-day period.