Sanmit Narvekar
Department of Computer Science, California State University, Los Angeles
Advisor: Prof. Valentino Crespi
Outline
- Overview of CABALS
- Behaviors and Models
- Probabilistic Automata
- An Application to Computer Security
- CABALS Functionalities

Overview
[Figure: finite state models (HMMs, k-grams) of behaviors: Web Server Model, Network Traffic Model, User Model. CABALS detects, classifies and predicts: Covert Communications, Denial-of-Service, User Masquerading, Resource Usage Anomalies, etc.]

Behaviors and Models
Behavior: a collection of sequences of observable events exhibited by an agent or system:
- Client/Server interaction (e.g. time to respond to a request, type of received requests, protocols, etc.)
- User signatures (e.g. typing habits, etc.)
- Network traffic signatures
Modeling: finite state machines
- HMMs
- k-grams
- DFAs/NFAs

k-gram Automata
Models k-order statistics of observed data.
[Figure: k-gram automata for a binary sequence. 1st-order statistics: symbol 0 with frequency 4/7, symbol 1 with frequency 3/7. 2nd-order automaton with edges labelled p_00 / 0, p_01 / 1, p_10 / 0, p_11 / 1; 3rd-order automaton with edges p_000 / 0, p_001 / 1, p_100 / 0, p_011 / 1, p_111 / 1, p_110 / 0, ...]

A sample scenario: timing covert channel
[Figure: a compromised Web Server sends packets to a Receiver; CABALS observes the inter-packet delays Δt1, Δt2, Δt3, Δt4, Δt5, Δt6, ... and a k-gram model captures the behavior of the inter-packet times (1-order and 2-order statistics).]
Observed behavior: sequence of inter-packet delays.
Defense/Attack Dualism [V. Crespi et al., “Attacking and Defending Covert Channels and Behavioral Models”, 2011]: the Trojan learns higher order models of traffic to hide covert communication behind higher order statistics; CABALS complexifies traffic at specific orders to detect anomalies and discover covert communications.

Analyzing Network Behavior
[Figure: first order statistics (K = 1) and second order statistics (K = 2) of network traffic, normal behavior vs. behavior under covert communication.]

CABALS Infrastructure and Functionalities
Current implementation: a collection of command-line tools written in Java, using the JPCAP library (GUI being developed).
Existing functionalities:
- Monitors and logs live network traffic (type of connections can be customized)
- Trains Hidden Markov Models (HMMs) using the Baum-Welch algorithm (other algorithms being added)
- Trains k-grams, for arbitrary k
- Computes properties of the learned models (e.g. KL-distance, likelihood of observed behavior to be classified, etc.)
- Complexifying module (in progress)
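The k-gram automata slide, the timing covert channel scenario and the KL-distance functionality above can be worked through on a small trace. The following is an added example written for this page, not CABALS code: it quantizes inter-packet delays into symbols, learns k-gram models (k-order statistics, so k = 1 is symbol frequencies and k = 2 is bigram transition probabilities) from a baseline trace and from an observed trace, and reports the KL distance between the two models at each order. The two delay traces are constructed, not captured: they have identical first-order statistics but the observed one strictly alternates short and long delays, so the divergence only appears at k = 2. The bucket threshold, the add-alpha smoothing and the 0.1 decision threshold are assumptions of this example.

```python
"""k-gram behaviour models over inter-packet delays (added example, not CABALS code)."""
from collections import Counter, defaultdict
from math import log

# Constructed sample traces (seconds between packets), NOT captured data.
# Both contain 50 short and 50 long delays, but the second strictly
# alternates short/long: same 1st-order statistics, different 2nd-order.
NORMAL_DELAYS = [0.10, 0.12, 0.48, 0.52] * 25
ALTERNATING_DELAYS = [0.11, 0.50] * 50
THRESHOLDS = [0.30]  # assumed cut: delays below 0.30 s -> symbol 0, otherwise 1


def quantize(delays, thresholds=THRESHOLDS):
    """Map each delay to a bucket index; the buckets are the k-gram alphabet."""
    return [sum(1 for t in thresholds if d >= t) for d in delays]


class KGramModel:
    """Order-k statistics: P(next symbol | previous k-1 symbols)."""

    def __init__(self, k, alphabet_size, alpha=0.5):
        self.k = k
        self.n = alphabet_size
        self.alpha = alpha                  # add-alpha smoothing (assumed)
        self.counts = defaultdict(Counter)  # context -> Counter(next symbol)

    def train(self, symbols):
        ctx_len = self.k - 1
        for i in range(ctx_len, len(symbols)):
            self.counts[tuple(symbols[i - ctx_len:i])][symbols[i]] += 1
        return self

    def prob(self, ctx, sym):
        c = self.counts.get(ctx, Counter())
        total = sum(c.values())
        return (c[sym] + self.alpha) / (total + self.alpha * self.n)

    def log_likelihood(self, symbols):
        """Average log-probability per symbol of a trace under this model."""
        ctx_len = self.k - 1
        ll = 0.0
        for i in range(ctx_len, len(symbols)):
            ll += log(self.prob(tuple(symbols[i - ctx_len:i]), symbols[i]))
        return ll / (len(symbols) - ctx_len)

    def kl_to(self, other):
        """KL distance from this model to another of the same order,
        weighting each context by how often this model observed it."""
        total = sum(sum(c.values()) for c in self.counts.values())
        kl = 0.0
        for ctx, c in self.counts.items():
            w = sum(c.values()) / total
            for s in range(self.n):
                p, q = self.prob(ctx, s), other.prob(ctx, s)
                kl += w * p * log(p / q)   # p, q > 0 thanks to smoothing
        return kl


def kl_by_order(normal_syms, observed_syms, max_k, alphabet_size):
    """KL distance between the normal and observed models for k = 1..max_k."""
    return {
        k: (KGramModel(k, alphabet_size).train(normal_syms)
            .kl_to(KGramModel(k, alphabet_size).train(observed_syms)))
        for k in range(1, max_k + 1)
    }


def lowest_divergent_order(normal_syms, observed_syms, max_k=3,
                           alphabet_size=len(THRESHOLDS) + 1, threshold=0.1):
    """Smallest order k at which the observed behaviour diverges, or None."""
    for k, d in kl_by_order(normal_syms, observed_syms, max_k, alphabet_size).items():
        if d > threshold:
            return k
    return None


if __name__ == "__main__":
    normal = quantize(NORMAL_DELAYS)
    observed = quantize(ALTERNATING_DELAYS)
    for k, d in kl_by_order(normal, observed, 3, 2).items():
        print(f"k={k}: KL(normal || observed) = {d:.4f}")
    print("first divergent order:", lowest_divergent_order(normal, observed))
```

Run as-is, the first-order distance is zero (both traces are half short, half long) while the second-order distance is well above one, so the alternation is invisible to a model of order 1 and obvious to a model of order 2. This is the order-dependence the Defense/Attack Dualism slide is about: a monitor has to track statistics at the orders where the traffic actually differs, which is why learning k-grams for arbitrary k matters.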

References
1. V. Crespi, G. Cybenko, and A. Giani. Attacking and Defending Covert Channels and Behavioral Models. ArXiv e-prints, April.
2. Alberto Dainotti, Antonio Pescapè, Pierluigi Salvo Rossi, Francesco Palmieri, and Giorgio Ventre. Internet traffic modeling by means of Hidden Markov Models. Computer Networks, 52(14):2645–2662.
3. James Giles and Bruce Hajek. An Information-Theoretic and Game-Theoretic Study of Timing Channels. IEEE Transactions on Information Theory, 48(9):2455–2477, September.
4. Lawrence E. Rabiner. A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition. In Proceedings of the IEEE.
5. Dawn Xiaodong Song et al. Timing Analysis of Keystrokes and Timing Attacks on SSH. In USENIX Security Symposium, 2001.