Demonstration: NfQuery: A Privacy Friendly Framework for Multi-Domain Threat Analysis (Thursday I)

06/06/2013 10:30-11:00
Demo area
NfQuery is an NfSen-based framework for the integration of various threat detection methods and the automated transmission of incident information across a multi-domain environment. It uses NetFlow data for the analysis of threats in combination with already available incident data from various sources, such as on-line repositories and the local security tools of each domain (honeypots, IDS, etc.).
A central server in this framework coordinates information sharing and integration of various detection methods across domains, where an NfSen plug-in per domain exposes the NfQuery outputs and identified incidents relevant to each domain to local administrators for their analysis and further information exchange.
The main design criterion for NfQuery has been to develop a tool for multi-domain threat analysis that eases the privacy concerns of each domain subscribed to the framework. This is achieved by keeping NetFlow data of each domain locally, while receiving via the multi-domain NfQuery framework only the queries to be applied over the flow data and the statistics on the results of these queries.
NfQuery has been developed within the GN3 project. It consists of a Query Server (QS) application and the associated NfQuery Plug-in. The QS operates at the centre of the NfQuery framework in order to generate nfdump queries based on threat data published to the QS by various sources. The queries are then distributed to registered domains. This distribution is achieved by the NfQuery Plug-in deployed on the NfSen instance of each registered domain. The Plug-in enables registered domains to receive NfQuery-generated queries and apply them locally to their flow data. The Plug-in then sends the statistics of the query results back to the QS, so that they can be used to rate the queries in the QS pool, i.e. to assess their significance and relevance to incidents. Rating improves the overall efficiency of the system. At the same time, the Plug-ins preserve data privacy on each registered domain's side by keeping the actual flow data and the query results within their local NfSen server. This is only overridden when a multi-domain threat is detected locally, i.e. when the applied queries match an IP address belonging to another domain registered with the same QS. In such a case, the Plug-in sends an alert to the QS which includes information on the query and the remote domain involved.
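The QS/Plug-in exchange described above, reduced to a small simulation. This is an added illustration, not code from the NfQuery project or NfSen: the `QueryServer`, `Plugin`, `Flow` and message formats are assumptions, as is the choice to ship the registry of domain prefixes together with the queries so that a Plug-in can recognise when a matched peer address belongs to another registered domain. The flow records and the indicator addresses are constructed on RFC 5737 documentation prefixes. What it shows is the privacy property: flow records never leave the `Plugin`, the QS only ever receives per-query statistics and cross-domain alerts, and queries are rated by how many domains report a hit.

```python
import ipaddress
from collections import namedtuple

# One NetFlow record held locally by a domain (constructed sample data).
Flow = namedtuple("Flow", "src dst octets ts")


class QueryServer:
    """Hypothetical QS: publishes queries, receives statistics and alerts, never flows."""

    def __init__(self):
        self.domains = {}   # domain name -> list of ip_network
        self.queries = {}   # query id -> indicator IP
        self.ratings = {}   # query id -> number of domains reporting a hit
        self.stats = {}     # domain name -> {query id -> statistics}
        self.alerts = []    # (reporting domain, alert)

    def register(self, name, prefixes):
        self.domains[name] = [ipaddress.ip_network(p) for p in prefixes]

    def publish_indicator(self, ip):
        qid = f"q{len(self.queries) + 1}"
        self.queries[qid], self.ratings[qid] = ip, 0
        return qid

    def nfdump_filter(self, qid):
        """The query as an nfdump-style filter string (illustrative syntax)."""
        return f"src ip {self.queries[qid]} or dst ip {self.queries[qid]}"

    def distribute(self):
        # Assumption: the prefix registry travels with the queries so a plug-in
        # can tell which registered domain a matched peer address belongs to.
        return {"queries": dict(self.queries),
                "domains": {n: [str(p) for p in nets] for n, nets in self.domains.items()}}

    def receive_stats(self, domain, stats):
        self.stats[domain] = stats
        for qid, s in stats.items():
            if s["matches"] > 0:
                self.ratings[qid] += 1   # crude rating: number of domains with hits


class Plugin:
    """Hypothetical per-domain plug-in: flows stay local; only aggregates leave."""

    def __init__(self, name, flows):
        self.name, self.flows = name, flows

    @staticmethod
    def owner(ip, domains):
        addr = ipaddress.ip_address(ip)
        for name, prefixes in domains.items():
            if any(addr in ipaddress.ip_network(p) for p in prefixes):
                return name
        return None

    def apply(self, bundle):
        stats, alerts = {}, []
        for qid, indicator in bundle["queries"].items():
            hits = [f for f in self.flows if indicator in (f.src, f.dst)]
            stats[qid] = {"matches": len(hits), "octets": sum(f.octets for f in hits),
                          "first_seen": min((f.ts for f in hits), default=None),
                          "last_seen": max((f.ts for f in hits), default=None)}
            for f in hits:   # cross-domain check on the non-indicator endpoint
                peer = f.dst if f.src == indicator else f.src
                remote = self.owner(peer, bundle["domains"])
                if remote and remote != self.name:
                    alert = {"query": qid, "remote_domain": remote}
                    if alert not in alerts:
                        alerts.append(alert)
        return stats, alerts


def run_round(qs, plugins):
    bundle = qs.distribute()
    for p in plugins:
        stats, alerts = p.apply(bundle)
        qs.receive_stats(p.name, stats)
        for a in alerts:
            qs.alerts.append((p.name, a))
    return qs


def demo():
    """Constructed scenario: two domains, one indicator seen in both, one seen
    nowhere, and one flow in domain A whose peer address belongs to domain B."""
    qs = QueryServer()
    qs.register("A", ["192.0.2.0/24"])
    qs.register("B", ["198.51.100.0/24"])
    qs.publish_indicator("203.0.113.5")
    qs.publish_indicator("203.0.113.9")
    plugins = [Plugin("A", [Flow("192.0.2.10", "203.0.113.5", 500, 100),
                            Flow("192.0.2.11", "192.0.2.12", 80, 101),
                            Flow("203.0.113.5", "198.51.100.7", 1200, 102)]),
               Plugin("B", [Flow("198.51.100.7", "203.0.113.5", 300, 105),
                            Flow("198.51.100.8", "198.51.100.9", 50, 106)])]
    return run_round(qs, plugins)
```

Running `demo()` gives query `q1` a rating of 2 (both domains report hits) and `q2` a rating of 0, and produces exactly one alert, raised by domain A for `q1` against remote domain B; domain B's own hit involves only its own address space and therefore stays a local statistic. Note that the rating here is deliberately simple (count of domains with hits); the abstract does not specify how the real QS scores queries.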
The results of a multi-domain NfQuery proof of concept with the participation of CESNET, GARR and ULAKBİM are presented. Also, experiences through the development and deployment of the framework are provided. Statistics and detections achieved by the proof of concept are also demonstrated. Last but not least, a live demo of the NfQuery framework is planned to be made during TNC'13.