Software Engineering Institute

In this talk, John Gerth discusses "locality," a semi-formal dimension of a flow derived from attributes of the address pairs. This approach has proven useful enough in our network defense work that we construct it in real-time for every flow. The basic notion of address labeling has long been supported by popular flow collectors such as Argus and YAF. For example, the SiLK tools can label addresses in YAF flows as "internal," "external," and "non-routable," or apply user-defined labels from prefix maps that assign an attribute based on the CIDR prefix of an address. Additionally SilK tools can label a flow as INT2INT, INT2EXT, etc. based on its routing characteristics. Argus has different mechanisms but also allows labels for flows. While these facilities are useful, the growth of insider attacks and the often lateral movements inside networks during APT attacks made us want to extend the definitions with a principled measure we call "locality" based on properties of the addresses.

The first distinction is between unicast and non-unicast traffic with the latter assigned locality=0. For all unicast traffic, we periodically construct a table that maps each IP/24 address to its assigned ASN number. Traffic with an ASN other than our own is given locality=1, and traffic within our ASN is given a locality>=2 (based on whether its VLAN is totally within our observation domain or not). The locality values, which may also be coupled with the ASN number for external flows, allow relatively fine-grained discrimination of both internal and external traffic in a semi-formal hierarchy that is useful to analysts. Every flow has a locality value, which makes it a convenient dimension for filtering and summarization of traffic when flows are stored in a relational DB or streamed live past an application. In this talk, Gerth presents various examples showing their utility for both situational awareness and incident investigation.