Bryan Owen

The “Portaledge” Enumeration Event Class - Beta

Blog Post created by Bryan Owen on Jul 7, 2009

Last week the Portaledge research team at Digital Bond reached another milestone with the beta release of the Enumeration Event class!


The Enumeration Event class is implemented using the PI Advanced Calculation Engine to flag unexpected network communication patterns (collected by the IP Flow interface).


Raw IP Flow tag data (source, destination, ports, protocols, and octets) is first added to a shared collection object representing the session activity captured over the calculation interval. A separate analytic module is provided for each type of enumeration event.


Browsing the analytic logic shows effective use of the popular .NET System.Data namespace for further handling of session data, alert rules (e.g., a maximum-ports-touched threshold) and exception rules (e.g., an allowed communication protocol).


DataTable objects provide an in-memory cache for structured data, but the schema must be created explicitly. The DataView object then provides built-in methods for searching, sorting and filtering that table.


' In-memory table holding one row per IP Flow session in the interval
Dim myTable As New DataTable
Dim column As DataColumn
Dim row As DataRow
Dim myView As DataView

' ...

' The schema is declared explicitly: one DataColumn per session attribute
column = New DataColumn()
column.DataType = System.Type.GetType("System.String")
column.ColumnName = "SrcIP"
myTable.Columns.Add(column)

'... (the DstIP, SrcPort, DstPort and Protocol columns are added the same way)

' Copy each session from the shared collection into its own DataRow
row = myTable.NewRow()
row("SrcIP") = LocalSessions(i).SrcIP
row("DstIP") = LocalSessions(i).DstIP
row("SrcPort") = LocalSessions(i).SrcPort
row("DstPort") = LocalSessions(i).DstPort
row("Protocol") = LocalSessions(i).Protocol
myTable.Rows.Add(row)

'...

' A DataView over the table gives sorted (and filterable) access without copying the rows;
' sorting by destination first groups every port touched on a given host together
myView = New DataView(myTable)
myView.Sort = "DstIP ASC, DstPort ASC, SrcIP ASC"
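To make the alert and exception rules concrete, here is an added Python sketch (not Portaledge code, and not the PI ACE module itself) of the same analysis: sessions from one calculation interval are grouped by source/destination pair, a "maximum ports touched" alert rule is applied, and an "allowed protocol" exception rule removes sessions before counting. The sample sessions and the threshold value are constructed for illustration; the Session fields follow the IP Flow attributes named above.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One IP Flow record captured during the calculation interval."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    octets: int


def count_ports_touched(sessions, allowed_protocols=frozenset()):
    """Distinct destination ports touched per (src, dst) pair.
    Exception rule: sessions whose protocol is on the allowed list are
    dropped before counting, so expected traffic never raises an alert."""
    touched = defaultdict(set)
    for s in sessions:
        if s.protocol in allowed_protocols:
            continue
        touched[(s.src_ip, s.dst_ip)].add(s.dst_port)
    return {pair: len(ports) for pair, ports in touched.items()}


def enumeration_events(sessions, max_ports=10, allowed_protocols=frozenset()):
    """Alert rule: flag every pair whose port count exceeds max_ports.
    Results are ordered by DstIP then SrcIP, mirroring the DataView sort."""
    counts = count_ports_touched(sessions, allowed_protocols)
    events = [(src, dst, n) for (src, dst), n in counts.items() if n > max_ports]
    return sorted(events, key=lambda e: (e[1], e[0]))


# Constructed sample interval (not real traffic): one host sweeping 12 TCP
# ports, one host doing ordinary traffic, one host sweeping 15 UDP ports.
SAMPLE = (
    [Session("10.0.0.5", "10.0.1.20", 40000 + p, p, "TCP", 60) for p in range(1, 13)]
    + [Session("10.0.0.7", "10.0.1.20", 51000, p, "TCP", 1500) for p in (80, 443, 502)]
    + [Session("10.0.0.9", "10.0.1.21", 52000 + p, p, "UDP", 80) for p in range(160, 175)]
)

if __name__ == "__main__":
    # With UDP on the exception list only the TCP sweep is reported
    for src, dst, n in enumeration_events(SAMPLE, max_ports=10, allowed_protocols={"UDP"}):
        print(f"enumeration event: {src} -> {dst} touched {n} ports")
```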

Portaledge enumeration analysis adds another dimension to the tried-and-true IP Flow interface. This method is especially useful for monitoring communication patterns involving a protected network. The code is open source thanks to the US DoE and Digital Bond's nominal subscription, so have a look at Portaledge and get this app up and running!