Parallel Autonomous Cyber Systems Monitoring and Protection

Parallel Autonomous Cyber Systems Monitoring and Protection
December 8, 2009, Revision 1
Chris Archer

Cyber Challenges
Zero-day exploits always provide new tactics for adversaries. Current heuristic methods only respond to known tactics, and the time lag before heuristic methods catch up with a new exploit is a huge window of opportunity for bad things to happen. This challenge overlaps into "traditional IT": it is difficult to see a problem arising until it is too late. New tools are needed that can react at the speed of the network to previously unknown threats and problems.

Application and Extension of Unsupervised Clustering to Cyber Applications
Unsupervised clustering has been developed to allow autonomous organization of large amounts of data into hierarchical groups of similar data.
The addition of new information-based distance metrics (based on IG and similar measures) to existing unsupervised clustering will allow us to find the needles in the haystack.
Because of the scalability improvements (developed under NG IRAD) and the parallel nature of the method, we can process extremely large volumes of data quickly.
The approach adapts to information content; it is not based on heuristic approaches that become outdated.
Potential for orders-of-magnitude improvement in the time required to react to new and changing threats and failures.

Application 1: Parallel Unsupervised Clustering Tree for Autonomous Firewall Packet Inspection
[Diagram: shallow and deep packet distance metrics feed a multilayer data-driven clustering tree: coarse packet clustering at the top level, then fine and finer packet clustering with increasing parallelism at each lower level; cluster recognition and uniqueness-metric thresholding produce alerts and drive packet management]

Packets and Data
[Diagram: a continuous data flow; at time t, normal, known information; at time t+D, something new develops: a problem, an attack, or a new pattern of usage]

Finding Needles in Large Haystacks
Information metrics separate out data with different characteristics.
Auto-summarization is based on clusters: large clusters get summarized often; small clusters do not get summarized.
No more hiding in the data:
Use a protocol with a lot of traffic to hide in, or use a distributed approach: won't work, because the information content of the packets will be different and will separate out.
Overwhelm the processing so it falters: a highly parallel, efficient implementation can process large amounts of data, and failure modes can even be designed to fail gracefully.

Deep and Shallow Packet Distance Metrics
Shallow metric: based on header information (ports, IP addresses, length, flags).
Deep distance metric: based on packet content. This more expensive metric can be used in the lower levels of the tree, which are run in parallel, and it can include content information metrics.
Separating the two leads to a highly parallel implementation.
Possible fast/cheap implementation using CUDA on Nvidia graphics cards.
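As an added example (not code from the presentation or from the Northrop Grumman project it describes), the following Python sketch implements the two-level scheme the slides describe: a cheap header-based shallow metric forms coarse clusters, each coarse cluster is then refined in parallel with a more expensive content-based deep metric, and the resulting clusters are scored with a uniqueness metric whose threshold raises alerts. The concrete choices are my assumptions, since the slides name none of them: a normalized header-mismatch score for the shallow metric, Jensen-Shannon divergence between byte-value histograms as the information-based deep metric, single-pass leader clustering for each level, and surprisal (-log2 of the cluster's share of the traffic) as the uniqueness metric. The traffic is constructed inline.

```python
"""Two-level (coarse shallow / fine deep) packet clustering with a
surprisal-based uniqueness alert.  Constructed example; the metrics and
thresholds are assumptions, not the presentation's own."""
import math
from collections import Counter
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dport: int
    flags: str      # TCP flags as text, "" for UDP
    payload: bytes


def shallow_distance(a: Packet, b: Packet) -> float:
    """Mean of four normalised header mismatches, so the result lies in [0, 1]."""
    longest = max(len(a.payload), len(b.payload), 1)
    terms = (
        float(a.proto != b.proto),
        float(a.dport != b.dport),
        float(a.flags != b.flags),
        abs(len(a.payload) - len(b.payload)) / longest,
    )
    return sum(terms) / len(terms)


def byte_distribution(payload: bytes) -> list:
    """Relative frequency of each of the 256 byte values in the payload."""
    n = max(len(payload), 1)
    counts = Counter(payload)
    return [counts.get(v, 0) / n for v in range(256)]


def deep_distance(a: Packet, b: Packet) -> float:
    """Jensen-Shannon divergence (in bits) between byte-value distributions:
    0 means identical content statistics, 1 means disjoint byte alphabets."""
    p, q = byte_distribution(a.payload), byte_distribution(b.payload)
    m = [(x + y) / 2 for x, y in zip(p, q)]

    def kl(u, w):
        return sum(ui * math.log2(ui / wi) for ui, wi in zip(u, w) if ui > 0)

    return 0.5 * kl(p, m) + 0.5 * kl(q, m)


def leader_cluster(items, distance, threshold):
    """Single-pass clustering: join the first cluster whose leader is within
    the threshold, otherwise start a new cluster led by this item."""
    clusters = []
    for item in items:
        for cluster in clusters:
            if distance(cluster[0], item) <= threshold:
                cluster.append(item)
                break
        else:
            clusters.append([item])
    return clusters


def hierarchical_cluster(packets, shallow_t=0.25, deep_t=0.5):
    """Coarse level on the cheap shallow metric; each coarse cluster is then
    refined with the expensive deep metric, one worker per coarse cluster."""
    coarse = leader_cluster(packets, shallow_distance, shallow_t)
    with ThreadPoolExecutor() as pool:
        refined = list(pool.map(lambda c: leader_cluster(c, deep_distance, deep_t), coarse))
    return [fine for group in refined for fine in group]


def uniqueness_bits(cluster_size: int, total: int) -> float:
    """Surprisal of landing in this cluster: small clusters score high."""
    return -math.log2(cluster_size / total)


def find_alerts(packets, alert_bits=3.0):
    """Return (uniqueness, cluster) for every cluster above the alert threshold."""
    clusters = hierarchical_cluster(packets)
    total = len(packets)
    scored = [(uniqueness_bits(len(c), total), c) for c in clusters]
    return [(u, c) for u, c in scored if u >= alert_bits]


def sample_packets():
    """Constructed traffic: eight similar HTTP requests, three similar DNS
    queries, and one TCP/80 packet whose payload bytes are all non-ASCII."""
    http = [Packet("tcp", 80, "PA", b"GET /" + path + b".html HTTP/1.1\r\nHost: example.com\r\n\r\n")
            for path in (b"index", b"about", b"login", b"image", b"index", b"terms", b"index", b"blogs")]
    dns = [Packet("udp", 53, "", b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                  b"\x07example\x03" + tld + b"\x00\x00\x01\x00\x01")
           for tld in (b"com", b"org", b"net")]
    odd = [Packet("tcp", 80, "PA", bytes(range(0x80, 0x80 + 48)))]
    return http + dns + odd


if __name__ == "__main__":
    for bits, cluster in find_alerts(sample_packets()):
        print(f"alert: cluster of {len(cluster)} packet(s), uniqueness {bits:.2f} bits")
```

The odd packet passes the shallow level unnoticed (same protocol, port, flags and nearly the same length as the HTTP requests), which is exactly why the deep level exists: its byte histogram shares nothing with the HTTP cluster leader, so it is split off into a cluster of one and scores the maximum surprisal. The DNS queries form a small but repeated cluster and stay below the alert threshold.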

Application 2: Autonomous Log Monitoring
[Diagram: computers send line-by-line logs to a log server; multilayer data-driven clustering; cluster recognition and uniqueness-metric thresholding; automated system management alerts]

Experiment Plan: Application 1 – Firewall Segment
Need a source of data, time tagged for artificial streaming. Packet captures would be ideal; real data is better, but simulated data may be possible to generate.
Develop and test detailed shallow and deep packet distance metrics.
Set up unsupervised clustering code for autonomous hierarchical clustering.
Run data to generate clusters and uniqueness metrics.
Conclusion: we should be able to find the interesting features automatically. The proof of concept should allow easy transition into a system prototype.

Experiment Plan: Application 2 – Log Segment
Need a source of data, or use the MiSTICKE Lab to generate a real data stream, time tagged for artificial streaming.
Tune existing text-based distance metrics to log content, as needed.
Set up unsupervised clustering code for autonomous hierarchical clustering.
Run data to generate clusters and uniqueness metrics.
Conclusion: we should be able to quickly and easily find unique system events. Easily transitioned into a system prototype.
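As an added example for the log segment (my code, not the presentation's or the project's), the following Python sketch streams syslog-style lines through a single-pass clustering step, then applies the two ideas from the earlier slides: auto-summarization, where large clusters collapse to one line with a count and small clusters are listed individually, and the time t versus t+D view, where a line that cannot join any cluster learned during the baseline window is reported as a new system event. The text-based distance metric (Jaccard distance over tokens, with IP addresses, hex ids and decimal numbers masked so the metric keys on message structure), the threshold value, and the baseline rule are my assumptions; the slides only say that text-based metrics are tuned to log content as needed. The log lines are constructed.

```python
"""Streaming clustering of log lines with auto-summarisation and new-event
alerts.  Constructed example; the metric, masking and thresholds are
assumptions, not the presentation's own."""
import re

_IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
_HEX = re.compile(r"\b0x[0-9a-fA-F]+\b")
_NUM = re.compile(r"\b\d+\b")


def tokenize(line: str) -> frozenset:
    """Token set of a line with per-event values (IPs, hex ids, numbers) masked,
    so two instances of the same message template look identical."""
    masked = _IP.sub("<ip>", line)
    masked = _HEX.sub("<hex>", masked)
    masked = _NUM.sub("<n>", masked)
    return frozenset(masked.split())


def jaccard_distance(a: frozenset, b: frozenset) -> float:
    """1 - |a & b| / |a | b|; 0 for identical token sets, 1 for disjoint ones."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


class LogMonitor:
    """Single-pass clustering of a log stream.  Lines seen during the baseline
    window (time t) define the known clusters; after that (time t+D) a line
    that cannot join any known cluster is returned as an alert."""

    def __init__(self, threshold: float = 0.3, baseline_lines: int = 50):
        self.threshold = threshold
        self.baseline_lines = baseline_lines
        self.clusters = []      # each: {"tokens": frozenset, "count": int, "example": str}
        self.seen = 0

    def observe(self, line: str):
        """Assign one line; return the line if it is a new event past the baseline."""
        self.seen += 1
        tokens = tokenize(line)
        for cluster in self.clusters:
            if jaccard_distance(cluster["tokens"], tokens) <= self.threshold:
                cluster["count"] += 1
                return None
        self.clusters.append({"tokens": tokens, "count": 1, "example": line})
        return line if self.seen > self.baseline_lines else None

    def summary(self, min_size: int = 5):
        """Auto-summarisation: large clusters become (count, example) pairs,
        small clusters are listed line by line."""
        big = [(c["count"], c["example"]) for c in self.clusters if c["count"] >= min_size]
        small = [c["example"] for c in self.clusters if c["count"] < min_size]
        return big, small


def sample_stream():
    """Constructed syslog-style lines: a baseline of routine events, then a few
    more routine events and two lines the baseline never produced."""
    baseline = []
    for i in range(20):
        baseline.append(f"Jan 10 10:{i:02d}:01 host sshd[{1200 + i}]: Accepted publickey "
                        f"for alice from 10.0.0.{i + 1} port {50000 + i} ssh2")
    for i in range(10):
        baseline.append(f"Jan 10 10:{i:02d}:00 host CRON[{300 + i}]: (root) CMD (run-parts /etc/cron.hourly)")
    for i in range(6):
        baseline.append(f"Jan 10 10:{i:02d}:30 host kernel: eth0: NIC Link is Up 1000 Mbps Full Duplex")
    later = [
        "Jan 10 11:00:01 host sshd[1300]: Accepted publickey for alice from 10.0.0.30 port 50100 ssh2",
        "Jan 10 11:00:05 host sshd[1301]: Failed password for root from 198.51.100.7 port 41022 ssh2",
        "Jan 10 11:00:10 host CRON[400]: (root) CMD (run-parts /etc/cron.hourly)",
        "Jan 10 11:00:12 host kernel: nf_conntrack: table full, dropping packet",
    ]
    return baseline, later


def run_demo(threshold: float = 0.3):
    """Feed the constructed stream through the monitor; return (alerts, summary)."""
    baseline, later = sample_stream()
    monitor = LogMonitor(threshold=threshold, baseline_lines=len(baseline))
    for line in baseline:
        monitor.observe(line)
    alerts = [a for a in (monitor.observe(line) for line in later) if a]
    return alerts, monitor.summary(min_size=5)


if __name__ == "__main__":
    alerts, (big, small) = run_demo()
    for count, example in big:
        print(f"{count:4d} x {example}")
    for line in small:
        print(f"   1 x {line}")
    print("new events:", alerts)
```

The threshold is the tuning knob the experiment plan refers to. The "Failed password" line shares ten of sixteen masked tokens with the "Accepted publickey" template (distance 0.375), so at a looser threshold of 0.5 it would be absorbed into the routine login cluster and never surface; at 0.3 it starts its own cluster and is reported. The conntrack line is far from every known cluster and is reported at either setting.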
