Scalable Parallel Intrusion Detection
Fahad Zafar
Advising Faculty: Dr. John Dorband and Dr. Yaacov Yeesha
University of Maryland Baltimore County

Intrusion Detection Systems (IDS)
- Network IDS are placed at one or more strategic points within the network to monitor traffic to and from all devices on the network.
- Host IDS monitors only the inbound and outbound packets of the device it runs on.
- Signature-based IDS monitors packets on the network and compares them against a database of signatures or attributes of known malicious threats.
- Anomaly-based IDS monitors network traffic and compares it against an established baseline.

Existing Limitations
- Network IDS: network speed is affected if you analyze all inbound and outbound traffic.
- Host IDS: slows productivity.
- Signature-based IDS: the signature database keeps increasing in size.
- Anomaly-based IDS: training models is hard.

Ping Broadcast Attack
- Send an ICMP echo request to the network broadcast address with the spoofed IP of the server (victim).

Ping broadcast attacks
- If you have 81 PCs on the network and your router forwards the request, a single echo request results in 81 echo replies: an 81x amplification of Internet traffic.

Points worth a mention
- One type of IDS cannot handle all types of attacks: an application IDS cannot handle ping broadcast attacks, but a network IDS can.
- Network rules are needed for dynamic network management: when an attack is identified, write a rule for it.
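The two slides above describe the ping broadcast pattern and then ask for a network rule once an attack is identified. The following is an added example (not code from the presentation or the project) of what such a rule looks like at the network IDS level: it runs two checks over packet records, one for an echo request addressed to a broadcast address (the amplifier side) and one for a flood of echo replies toward a single host from many responders (the victim side), and computes the amplification factor the slide quotes. The subnet, the packet dictionary layout and the sample traffic are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed example subnet; its directed-broadcast address is derived from it.
LOCAL_NETWORKS = [ip_network("192.168.1.0/24")]
LIMITED_BROADCAST = ip_address("255.255.255.255")

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def is_broadcast_target(dst, networks=LOCAL_NETWORKS):
    """True when dst is the limited broadcast or a directed broadcast of a local subnet."""
    addr = ip_address(dst)
    return addr == LIMITED_BROADCAST or any(addr == net.broadcast_address for net in networks)


def detect_ping_broadcast(packets, reply_threshold=20):
    """Two network-level rules for the ping broadcast (amplification) pattern.

    Rule 1 (amplifier side): an ICMP echo request addressed to a broadcast address.
    Rule 2 (victim side): echo replies to one destination from at least
    reply_threshold distinct responders.  Returns a list of findings.
    """
    findings = []
    responders_by_victim = defaultdict(set)
    for pkt in packets:
        if pkt["proto"] != "icmp":
            continue
        if pkt["type"] == ICMP_ECHO_REQUEST and is_broadcast_target(pkt["dst"]):
            findings.append(("echo_request_to_broadcast", pkt["src"], pkt["dst"]))
        elif pkt["type"] == ICMP_ECHO_REPLY:
            responders_by_victim[pkt["dst"]].add(pkt["src"])
    for victim, responders in responders_by_victim.items():
        if len(responders) >= reply_threshold:
            findings.append(("reply_amplification", victim, len(responders)))
    return findings


def amplification_factor(packets, victim):
    """Echo replies received by victim per echo request carrying victim as source."""
    requests = sum(1 for p in packets if p["proto"] == "icmp"
                   and p["type"] == ICMP_ECHO_REQUEST and p["src"] == victim)
    replies = sum(1 for p in packets if p["proto"] == "icmp"
                  and p["type"] == ICMP_ECHO_REPLY and p["dst"] == victim)
    return replies / requests if requests else 0.0


def build_sample_traffic():
    """Constructed packet records: one spoofed echo request to the broadcast
    address, 81 replies from the subnet hosts to the spoofed source (the
    victim), plus an ordinary unicast ping and a TCP packet as noise."""
    victim = "10.0.0.5"
    packets = [{"proto": "icmp", "type": ICMP_ECHO_REQUEST,
                "src": victim, "dst": "192.168.1.255"}]
    for host in range(1, 82):
        packets.append({"proto": "icmp", "type": ICMP_ECHO_REPLY,
                        "src": f"192.168.1.{host}", "dst": victim})
    # Normal unicast ping between two hosts: must not trigger either rule.
    packets.append({"proto": "icmp", "type": ICMP_ECHO_REQUEST,
                    "src": "192.168.1.7", "dst": "192.168.1.9"})
    packets.append({"proto": "icmp", "type": ICMP_ECHO_REPLY,
                    "src": "192.168.1.9", "dst": "192.168.1.7"})
    packets.append({"proto": "tcp", "src": "192.168.1.7", "dst": victim})
    return packets


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for finding in detect_ping_broadcast(traffic):
        print(finding)
    print("amplification factor:", amplification_factor(traffic, "10.0.0.5"))
```

Rule 1 fires at the amplifying network, which is also where the fix belongs (routers not forwarding directed broadcasts); rule 2 fires at the victim, which is the only vantage point a host-based or application-level IDS has, and from there the spoofed request itself is never seen.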

Our Design Understandings
- Heterogeneous IDS is the future.
- Better load balancing and minimum packet loss are requirements.
Main Characteristics
- Isolating different IDS
- Traffic-specific intrusion detection

Decentralized traffic-based Heterogeneous Intrusion Detection
(Architecture diagram; the labelled examples are SNORT for the network IDS and OSSEC for the host IDS.)

Novelty
1. Smart Switch: block, fork and divert traffic; a small cache for faster throughput.
2. Decentralized Intrusion Detection: working with current open-source IDS packages.
3. Smart Hashing: destination-specific hashing, source-specific hashing, session-specific hashing.
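The three hashing policies under "Smart Hashing" are what lets the smart switch fork traffic across several IDS instances without losing the context each instance needs. The code below is an added example, not the presentation's or the project's code, of the three policies as pure functions over a packet record: destination hashing keeps everything bound for one host on one instance, source hashing does the same per sender, and session hashing sorts the two endpoints before hashing so that both directions of a connection reach the same instance (a requirement for TCP stream reassembly in a NIDS). The worker count, the packet dictionary layout and the sample flows are constructed; the hash is BLAKE2b from the standard library so that the assignment is stable across processes, unlike Python's built-in hash().

```python
import hashlib

WORKERS = 4  # constructed: four IDS instances behind the switch


def _hash(*parts):
    """Stable 64-bit hash of the given fields."""
    h = hashlib.blake2b(digest_size=8)
    for part in parts:
        h.update(str(part).encode())
        h.update(b"\x00")  # field separator, so ("ab","c") != ("a","bc")
    return int.from_bytes(h.digest(), "big")


def destination_hash(pkt, workers=WORKERS):
    """All traffic toward one host lands on one IDS instance."""
    return _hash(pkt["dst"]) % workers


def source_hash(pkt, workers=WORKERS):
    """All traffic from one host lands on one IDS instance."""
    return _hash(pkt["src"]) % workers


def session_hash(pkt, workers=WORKERS):
    """Both directions of one connection land on the same IDS instance.
    The endpoints are sorted before hashing so (A->B) and (B->A) collide."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return _hash(pkt["proto"], *ends[0], *ends[1]) % workers


POLICIES = {"destination": destination_hash,
            "source": source_hash,
            "session": session_hash}


def dispatch(packets, policy, workers=WORKERS):
    """Split a packet stream into per-worker queues under the chosen policy."""
    queues = [[] for _ in range(workers)]
    for pkt in packets:
        queues[POLICIES[policy](pkt, workers)].append(pkt)
    return queues


def build_sample_traffic():
    """Constructed flows: eight clients each open one connection to a web
    server; both directions of every connection are present, interleaved."""
    packets = []
    for i in range(1, 9):
        client, sport = f"10.0.0.{i}", 40000 + i
        packets.append({"proto": "tcp", "src": client, "sport": sport,
                        "dst": "192.168.1.10", "dport": 80})
        packets.append({"proto": "tcp", "src": "192.168.1.10", "sport": 80,
                        "dst": client, "dport": sport})
    return packets


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for policy in POLICIES:
        sizes = [len(q) for q in dispatch(traffic, policy)]
        print(f"{policy:>12}: packets per worker = {sizes}")
```

Running it shows the trade-off the slide is pointing at: destination hashing sends all sixteen packets of the server-bound sample to one worker (plus the replies scattered by client address), while session hashing spreads connections across workers yet never splits a connection.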


Intrusion Detection Algorithms
- Signature extraction: detect changes in the registry, use of DLLs.
- N-grams to train learning models and detect unknown viruses.
- Instance-based learners, support vector machines, decision trees, etc.

A scalable multi-level feature extraction technique to detect malicious executables [5]
[5] Mohammad M. Masud, Latifur Khan and Bhavani Thuraisingham, "A scalable multi-level feature extraction technique to detect malicious executables".

Extracting n-grams 13
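The n-gram pipeline behind the two slides above (byte n-grams as features for a learner, then a selection step so the feature set stays tractable) is shown here as an added example; it is not code from the presentation or from [5] or [6]. The byte n-gram with information-gain selection is the approach the slides cite as [6]; the toy corpus of four byte strings with an MZ-like header, the 4-byte window and the marker bytes that only the "malicious" samples carry are all constructed for the example.

```python
import math
from collections import Counter


def extract_ngrams(data, n=4):
    """Set of byte n-grams (as hex strings) found in data by a sliding window."""
    return {data[i:i + n].hex() for i in range(len(data) - n + 1)}


def entropy(label_counts):
    """Shannon entropy (bits) of a class distribution given as a Counter."""
    total = sum(label_counts.values())
    return -sum((c / total) * math.log2(c / total) for c in label_counts.values() if c)


def information_gain(feature, samples):
    """IG of a presence/absence feature over samples = [(ngram_set, label), ...]:
    H(class) minus the class entropy conditioned on the feature being present/absent."""
    base = entropy(Counter(label for _, label in samples))
    present = [label for grams, label in samples if feature in grams]
    absent = [label for grams, label in samples if feature not in grams]
    conditional = 0.0
    for group in (present, absent):
        if group:
            conditional += len(group) / len(samples) * entropy(Counter(group))
    return base - conditional


def select_features(samples, k):
    """Top-k n-grams by information gain (ties broken by name for determinism)."""
    vocab = set().union(*(grams for grams, _ in samples))
    ranked = sorted(vocab, key=lambda f: (-information_gain(f, samples), f))
    return ranked[:k]


def vectorize(grams, features):
    """Binary feature vector for one sample: 1 if the selected n-gram occurs in it."""
    return [1 if f in grams else 0 for f in features]


def build_sample_corpus(n=4):
    """Constructed toy 'executables': all share an MZ-like header, and the
    malicious ones also contain the marker bytes DE AD BE EF."""
    raw = [
        (b"MZ\x90\x00\xde\xad\xbe\xef\x01", "malicious"),
        (b"MZ\x90\x00\x55\xde\xad\xbe\xef", "malicious"),
        (b"MZ\x90\x00\x55\x8b\xec\x01", "benign"),
        (b"MZ\x90\x00\x33\xc0\xc3", "benign"),
    ]
    return [(extract_ngrams(data, n), label) for data, label in raw]


if __name__ == "__main__":
    corpus = build_sample_corpus()
    features = select_features(corpus, 3)
    for f in features:
        print(f, round(information_gain(f, corpus), 3))
    for grams, label in corpus:
        print(label, vectorize(grams, features))
```

The header n-gram shared by every sample scores an information gain of 0 and is dropped, while the marker present in exactly the malicious samples scores the maximum 1 bit; on a real corpus the vocabulary of 4-grams runs into the millions, which is why the selection step (and the parallel extraction the presentation is about) matters.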

We explore multiple paths
- Use semantic-based searching for malicious code.
- Use restricted regular expressions for the parallel sequence and n-grams for the serial sequence.
- Better feature-extraction techniques for malicious and benign code.

Future Work: Evolution of Malware
- Use Metasploit for n-gram analysis.
- Test our detection techniques.
- Apply the identification technique to encrypted and altered versions of malware code.

Future Work: Detecting a process in execution
- Send tagged code and a 16K memory dump.
- Offload work to bluegrit.
- Fast search according to signature + code-sequence regex.
- Reply to the server within reasonable time limits.

Future Work: Current Progress
- Survey infected files; repository.
- Look for ways to reduce false negatives and false positives compared to previous approaches [6].
- Parallel scalable detection.
[6] J. Zico Kolter and Marcus A. Maloof, "Learning to Detect and Classify Malicious Executables in the Wild".