Comments (2)
The necessary changes to Theia are changes to the spark operator, and adding CLI commands. Both changes to flow-exporter and flow-aggregator will need to be implemented in Antrea, and a separate issue and design document will need to be outlined within the Antrea repository.
Design Document
Introduction
The bulk of the logic needed to be implemented in Theia is for determining candidates for a port scan attack based on logs of incomplete or attempted connections.
Necessary Fields
The following are fields that will be stored in the logs to describe the incomplete or attempted connections:
- time
- sourceIP
- destinationIP
- destinationPort
- destinationPodName
- destinationPodLabel
- protocol
- HTTP flags
Possible Approaches to Attack Detection
There are several possible approaches to detecting the attacks themselves, with varying complexities and effectiveness.
1. SYN sent to SYN-ACK received ratio
An extremely simple method of testing for a likely attacker is by checking the logs for the ratio of SYNs sent to SYN-ACKs received. A normal IP attempting to communicate would know the port that it's trying to communicate with, and wouldn't continue to send SYN requests without corresponding acknowledgement. A number could be defined, 3 for example, that is the acceptable ratio of SYN to SYN-ACK. This approach is simple and requires little computation with the data but could be accurate for simpler port scan attacks.
2. Time interval and Port
Another simple method of testing for a likely attacker is by checking the logs for batches of connections with similar intervals between attempts with consecutive or commonly used ports being checked in succession. For example, if an attacker attempted to connect to an IP with port range 3000-3500 with 20 ms between each request, the algorithm would know through timestamps and an increasing port number that a port scan attack is likely being carried out. Even for longer intervals for slow port scan attacks, the algorithm could catch the similar intervals between port checks.
3. Dempster Shaffer Portscan Detection
This approach is by far the most complex of the 3. Dempster Shaffer evidence theory attempts to extrapolate information through taking any evidence that could affect an outcome into account. In order to do this, it defines a mass function that outlines probabilities of individual outcomes occurring and the weights of the evidence which caused those outcomes. In our case, traffic features would be used as the evidences, and would be used to evaluate the comprehensive threat. Additionally, Dempster Shaffer also gives a measure of plausibility, which can be used to determine an upper bound for a confidence interval of the result. Populating the mass function itself may require some logic from approaches 1 and 2, but I'll update this document after some more research. Additionally, Dempster Shaffer requires more resources to run, as it potentially has a O(2^n) complexity.
CLI features
- top N potential attackers, rated by confidence of classification
- potential for adding ingress rules blocking attacking IPs
from theia.
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days
from theia.
Related Issues (20)
- Add the support for the aggregated throughput anomaly detection HOT 1
- Throughput value reported by Grafana is different than the value reported by iperf HOT 1
- Codecov Flag Support for e2e-tests and kind-e2e-tests HOT 1
- Integration Tests for Theia HOT 2
- Enable Dependabot to create PRs to update dependencies
- Document multi-cluster support
- Bump Antrea to 1.11.1 HOT 1
- Coverage for Python files
- Update Go version to 1.20
- L7 Visibility HOT 1
- Update `hack/generate-manifest.sh --mode antrea-e2e` HOT 5
- Ability to create a read only user
- [E2E]Better way to check connection setup between CH client and CH server HOT 1
- Fix ClickHouse crashing after ZooKeeper lost data HOT 2
- Dependabot in Snowflake Folder
- Replace deprecated `set-output` command with environment file
- Enabling L7FlowExporter in Antrea FlowAggregator fails with missing columns in table HOT 2
- Helm Chart - Add on Values option to add Grafana Init Image Repository
- Helm Chart - Support Grafana Proxy Config of Offline Plugins
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from theia.