Detecting suspicious behaviors. BBAC currently examines data streams of HTTP requests and TCP traffic within a distributed stream processing framework.

Presentation transcript:

Detecting suspicious behaviors. BBAC currently examines data streams of HTTP requests and TCP traffic within a distributed stream processing framework (Storm) using WEKA classifiers (SVM). Details of individual TCP connections are aggregated into features such as the number of connections over a period of time. Outside context, such as country of origin/destination, is queried and merged into the samples. A compromised machine may attempt to avoid detection by slowly altering its behavior over time. Such behavior would likely result in the machine drifting from one behavior group to another, so detection may be possible by comparing new group assignments to previous assignments.

[Figure: BBAC data flow. Data streams in (user traffic) -> new training / clustering data -> training data and cluster roles -> train classifiers (modifying classifier) -> classification results -> admin alerts. Side paths: assigning new machines to a cluster; suspicious clustering changes.]

Alerting admin of suspicious behavior. A key requirement is to prevent administrator alarm fatigue. BBAC's primary approach to this is grouping reports of suspicious behavior. Alerts will initially be grouped by:
1. Source machine ID
2. Time of day
3. External address
Administrators will be capable of creating white lists and black lists with details such as known good/bad URLs that should no longer trigger alerts.

An additional advantage of producing decision trees during the clustering process is that they enable reports for administrators containing visual cues as to what is happening during re-clustering. If a machine changes clusters, a comparison of the new decision tree branches vs. the previous branches provides context for the change. Alerts can also be triggered only if more than n new branches were traversed. Decision tree metrics may additionally correlate with the effectiveness of the clustering.

Correcting false positives. The method for correcting false positives will depend on whether classification is in-band (e.g., an HTTP proxy checks the request) or out-of-band (e.g., logs are analyzed). Flagged requests would ideally be reviewed by the associated user. However, if this person has taken on an adversarial role, such reviews will likely be untrustworthy. Balancing the utility and trust of these users remains an open question.
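The drift check and the alert grouping described in the Detecting and Alerting sections above, as an added example that is not part of the BBAC poster or its Storm/WEKA implementation: a machine whose group changed is reported only when it traversed more than n decision-tree branches it did not traverse last time, and flagged requests are collapsed into one alert per (source machine, hour of day, external host), with requests to listed hosts counted but not alerted. The machine names, branch labels, request records and both lists are constructed; the branch labels stand in for whatever the real tree would produce.

```python
# Added example, not BBAC code: group drift with a new-branch threshold, and
# alert grouping with white/black list suppression. All data is constructed.
from collections import defaultdict
from urllib.parse import urlparse

# Constructed: machine -> (behaviour group, decision-tree branches traversed)
# for the previous re-clustering run and for the current one.
PREVIOUS_RUN = {
    "hr1":  ("desktops", ("inbound_ratio:no", "weekly_connections:no")),
    "hr2":  ("desktops", ("inbound_ratio:no", "weekly_connections:no")),
    "web1": ("servers",  ("inbound_ratio:yes",)),
    "dev1": ("laptops",  ("inbound_ratio:no", "weekly_connections:yes")),
}
CURRENT_RUN = {
    "hr1":  ("laptops",  ("inbound_ratio:no", "weekly_connections:yes")),  # 1 new branch
    "hr2":  ("servers",  ("inbound_ratio:yes", "night_ratio:yes")),        # 2 new branches
    "web1": ("servers",  ("inbound_ratio:yes",)),                          # unchanged
    "dev1": ("laptops",  ("inbound_ratio:no", "weekly_connections:yes")),  # unchanged
}

def cluster_drift(previous, current, min_new_branches=0):
    """Machines whose group changed and that traversed more than
    min_new_branches branches absent from their previous assignment.
    Machines with no previous assignment are new, not drifting."""
    drifted = {}
    for machine, (group, path) in current.items():
        if machine not in previous:
            continue
        old_group, old_path = previous[machine]
        new_branches = [b for b in path if b not in old_path]
        if group != old_group and len(new_branches) > min_new_branches:
            drifted[machine] = {"from": old_group, "to": group,
                                "new_branches": new_branches}
    return drifted

# Constructed flagged HTTP requests: (machine, ISO timestamp, URL)
FLAGGED = [
    ("hr1",  "2014-03-03T09:12:44", "http://updates.example.com/patch.cab"),
    ("hr1",  "2014-03-03T09:13:01", "http://updates.example.com/patch2.cab"),
    ("hr1",  "2014-03-03T09:40:10", "http://203.0.113.7/x.php"),
    ("hr1",  "2014-03-03T09:41:55", "http://203.0.113.7/y.php"),
    ("hr1",  "2014-03-03T22:05:00", "http://203.0.113.7/z.php"),
    ("web1", "2014-03-03T03:00:00", "http://203.0.113.7/z.php"),
    ("dev1", "2014-03-03T15:02:30", "http://evil.example.org/c2"),
]
KNOWN_GOOD = {"updates.example.com"}   # constructed white list
KNOWN_BAD = {"evil.example.org"}       # constructed black list

def group_alerts(flagged, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD):
    """One alert per (machine, hour, external host); listed hosts are
    counted per list but produce no alert, as the poster describes."""
    groups = defaultdict(list)
    suppressed = {"known_good": 0, "known_bad": 0}
    for machine, ts, url in flagged:
        host = urlparse(url).hostname
        if host in known_good:
            suppressed["known_good"] += 1
        elif host in known_bad:
            suppressed["known_bad"] += 1
        else:
            groups[(machine, int(ts[11:13]), host)].append(url)
    alerts = [{"machine": m, "hour": h, "external": e, "count": len(u), "urls": u}
              for (m, h, e), u in sorted(groups.items())]
    return alerts, suppressed

if __name__ == "__main__":
    for n in (0, 1):
        print("n=%d drifted:" % n, cluster_drift(PREVIOUS_RUN, CURRENT_RUN, n))
    alerts, suppressed = group_alerts(FLAGGED)
    print("%d flagged requests -> %d alerts, suppressed %s" % (len(FLAGGED), len(alerts), suppressed))
    for a in alerts:
        print(a)
```

With n=0 both hr1 and hr2 are reported; with n=1 only hr2, whose path shares nothing with its previous one, survives. Seven flagged requests collapse to three alerts, two suppressed by the white list and one by the black list.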
Assigning new actors to an existing behavior group. Administrators require a means of adding new machines to the appropriate behavioral group. A decision tree trained on the output of the k-means clustering step provides this support. A set of human-intelligible questions regarding the expected use of the new computer is generated from this decision tree. By answering these questions an administrator is able to traverse the decision tree and assign new computers to the correct group. Each time re-clustering and re-training occurs, a new set of questions will be generated.

Setting policy and classifier selection. Ideally administrators could select a classifier that balances alert frequency with classification ability, i.e., true vs. false positives, within the current threat environment / acceptable risk model. What information to present, as well as how to present it, remain open questions. Current research is examining how to expose this type of control to an administrator without making the system much too hard to configure or use.
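One way to make the classifier tradeoff above concrete, as an added example that is not from the poster: each candidate classifier's measured true and false positive rates are turned into expected false alerts per week at the poster's figure of 17 million requests, and the administrator's acceptable-risk setting becomes a per-week alert budget under which the highest-detection classifier is chosen. The candidate names and rates, the threat levels and their budgets are constructed assumptions.

```python
# Added example, not BBAC code: choose a classifier under a false-alert budget.
# Candidate rates, threat levels and budgets are constructed; 17 million
# requests/week is the volume quoted in the poster.
WEEKLY_REQUESTS = 17_000_000

# Constructed validation results: name -> (true positive rate, false positive rate)
CANDIDATES = {
    "svm_linear":  (0.62, 0.00002),
    "svm_rbf":     (0.81, 0.0001),    # 0.01% FPR: about 1,700 false alerts/week
    "svm_rbf_low": (0.93, 0.0008),
}

# Constructed acceptable-risk settings: false alerts per week an admin tolerates
ALERT_BUDGET = {"normal": 500, "elevated": 2000, "incident": 20000}

def expected_false_alerts(fpr, weekly_requests=WEEKLY_REQUESTS):
    """Benign requests dominate, so volume * FPR approximates false alerts/week."""
    return weekly_requests * fpr

def select_classifier(candidates, max_false_alerts, min_tpr=0.0):
    """Highest-TPR candidate whose expected false alerts fit the budget, or None."""
    feasible = [(tpr, name) for name, (tpr, fpr) in candidates.items()
                if expected_false_alerts(fpr) <= max_false_alerts and tpr >= min_tpr]
    return max(feasible)[1] if feasible else None

def policy(level):
    """Map a threat level to the classifier the budget allows."""
    return select_classifier(CANDIDATES, ALERT_BUDGET[level])

if __name__ == "__main__":
    for name, (tpr, fpr) in CANDIDATES.items():
        print("%-12s TPR %.2f  ~%6.0f false alerts/week" % (name, tpr, expected_false_alerts(fpr)))
    for level in ALERT_BUDGET:
        print("%-9s -> %s" % (level, policy(level)))
```

Raising the threat level loosens the budget and moves the selection to a more sensitive classifier; a minimum detection rate can also be required, in which case the function returns None when no candidate satisfies both constraints and the administrator has to revisit the budget.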
User Selection of Clusters and Classifiers in Behavior Based Access Control

Michael J. Mayhew, US Air Force Research Laboratory; Jeffrey Cleveland, Aaron Adler and Michael Atighetchi, Raytheon BBN Technologies. This work was sponsored by the Air Force Research Laboratory (AFRL). DISTRIBUTION A: Approved for public release; distribution unlimited (Case Number 88ABW ).

Abstract: The Behavior-Based Access Control (BBAC) project seeks to address increasingly sophisticated attacks and attempts to exfiltrate or corrupt critical sensitive information. BBAC uses statistical machine learning techniques (clustering and classification) to make predictions about the intent of actors establishing TCP connections and HTTP requests.

Objective: Detect attacks while maintaining a low false positive rate. A medium-size company may have 17 million URL requests a week; even a 0.01% false positive rate would produce 1,700 false alerts a week.

Background: BBAC must provide security for thousands of machines of different types, for example servers that occasionally fetch updates late at night and desktop machines that are used to browse the web during work hours. The diversity of machine types and long training times make it impractical to have a single classifier. Instead, machines with similar behavior are clustered together. This also increases the effectiveness of the system: a server should not be using Twitter, while that might be perfectly normal for a desktop machine.

Dataset: Currently using a week's worth of Bro network monitor log data collected at BBN. This data samples TCP packets and URL requests. Sensitive information, such as IP addresses, is removed before the data leaves BBN.

Approach: The BBAC approach is to:
1. Identify cluster labels using k-means
2. Bin values for features
3. Use a decision tree algorithm to assign machines to clusters
4. Train classifiers and then select the classifier that makes the best tradeoff for the current situation between true positives and false positives
The advantages of this approach include providing intelligible cluster descriptions based on the decision tree. This allows administrators to manually assign new machines to the proper cluster by providing the data for the decision tree (by answering questions). Alerts will also be sent to administrators when a machine is assigned to a new cluster. Administrators must also be able to select the classifier and settings to use and to monitor the accuracy of the system.

[Figure: example administrator decision tree. Questions: "Is this machine a server?" (yes/no); "Is this machine using DHCP?" (yes/no); "Is this a shared machine?" (yes/no). Second view: "Server?" (no/yes); "Weekly connections < 55"; "Shared?" (no/yes).]

Grouping similar behavior. BBAC uses clustering to form groups of computers that have similar behavior. Classifiers are then trained for each cluster. This is intended to:
1. Shorten training time
2. Increase the parallelism of the system
3. Increase classifier accuracy
Example groups include: externally accessible servers, internal file servers, developer laptops, HR desktops, etc. Training data is first filtered down to features an administrator can reason about and aggregated to a single instance per machine. A k-means algorithm is then used to identify the groups and label the machines in each.
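Approach steps 1 to 3 and the Grouping and Assigning sections, carried through end to end as an added example in plain Python (not the project's WEKA/Storm code, and without the per-cluster SVM classifiers of step 4): per-connection rows are aggregated to one feature vector per machine, k-means labels the machines, each feature is binned at a single cut, and a decision tree fitted to the cluster labels yields the yes/no questions an administrator answers to place a new machine. The machine names, the four features, the binning rule (cut at the largest gap in the sorted values) and all traffic counts are constructed assumptions.

```python
# Added example, not BBAC project code: cluster machines by aggregated weekly
# behaviour, then derive administrator questions from a decision tree fitted
# to the cluster labels. All machines, features and counts are constructed.
import math
from collections import Counter

FEATURES = ["weekly_connections", "inbound_ratio", "night_ratio", "distinct_hosts"]

# Constructed profiles, used only to synthesise per-connection rows:
# machine -> (connections/week, inbound fraction, night fraction, distinct hosts)
PROFILES = {
    "web1": (300, 0.90, 0.40, 30), "web2": (280, 0.85, 0.45, 25),
    "files1": (200, 0.80, 0.50, 20), "hr1": (150, 0.05, 0.00, 40),
    "hr2": (140, 0.10, 0.05, 35), "fin1": (160, 0.05, 0.00, 45),
    "dev1": (600, 0.10, 0.20, 200), "dev2": (650, 0.05, 0.25, 220),
}

def synth_connections():
    """Rows of (machine, direction, hour, remote_host), one per TCP connection."""
    rows = []
    for m, (n, inb, night, hosts) in PROFILES.items():
        for i in range(n):
            rows.append((m, "in" if i < int(n * inb) else "out",
                         2 if i < int(n * night) else 14, "h%d" % (i % hosts)))
    return rows

def aggregate(rows):
    """Per-machine aggregation: one feature vector per machine for the week."""
    acc = {}
    for m, direction, hour, host in rows:
        a = acc.setdefault(m, {"n": 0, "in": 0, "night": 0, "hosts": set()})
        a["n"] += 1
        a["in"] += direction == "in"
        a["night"] += hour < 6
        a["hosts"].add(host)
    return {m: [a["n"], a["in"] / a["n"], a["night"] / a["n"], len(a["hosts"])]
            for m, a in acc.items()}

def zscore(vectors):
    """Standardise each column so raw connection counts do not dominate distance."""
    cols = list(zip(*vectors.values()))
    mu = [sum(c) / len(c) for c in cols]
    sd = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0 for c, m in zip(cols, mu)]
    return {k: [(x - m) / s for x, m, s in zip(v, mu, sd)] for k, v in vectors.items()}

def kmeans(vectors, k, iters=100):
    """Lloyd's k-means with deterministic farthest-first seeding."""
    names, pts = list(vectors), list(vectors.values())
    d2 = lambda a, b: sum((x - y) ** 2 for x, y in zip(a, b))
    centers = [pts[0]]
    while len(centers) < k:
        centers.append(max(pts, key=lambda p: min(d2(p, c) for c in centers)))
    for _ in range(iters):
        labels = [min(range(k), key=lambda j: d2(p, centers[j])) for p in pts]
        new = []
        for j in range(k):
            members = [p for p, l in zip(pts, labels) if l == j] or [centers[j]]
            new.append([sum(col) / len(members) for col in zip(*members)])
        if new == centers:
            break
        centers = new
    return dict(zip(names, labels))

def bin_thresholds(vectors):
    """Bin each raw feature into two ranges, cut at the midpoint of its largest gap."""
    cuts = {}
    for i, f in enumerate(FEATURES):
        vals = sorted(v[i] for v in vectors.values())
        lo, hi = max(zip(vals, vals[1:]), key=lambda p: p[1] - p[0])
        cuts[f] = (lo + hi) / 2
    return cuts

def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def build_tree(rows, cuts, feats):
    """ID3 over the binned features; rows are (feature dict, cluster label)."""
    labels = [c for _, c in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not feats:
        return majority
    def gain(f):
        parts = [[c for d, c in rows if (d[f] > cuts[f]) == side] for side in (True, False)]
        return entropy(labels) - sum(len(p) / len(rows) * entropy(p) for p in parts if p)
    best = max(feats, key=gain)  # first feature in FEATURES order wins ties
    if gain(best) <= 0:
        return majority
    rest = [f for f in feats if f != best]
    return {"feature": best, "threshold": cuts[best],
            "question": "Is the machine's %s above %g?" % (best, cuts[best]),
            "yes": build_tree([r for r in rows if r[0][best] > cuts[best]], cuts, rest),
            "no": build_tree([r for r in rows if r[0][best] <= cuts[best]], cuts, rest)}

def assign(tree, answer):
    """Place a new machine: answer(node) -> bool (an admin's yes/no) walks to a cluster."""
    while isinstance(tree, dict):
        tree = tree["yes" if answer(tree) else "no"]
    return tree

def run():
    raw = aggregate(synth_connections())
    clusters = kmeans(zscore(raw), k=3)
    cuts = bin_thresholds(raw)
    rows = [(dict(zip(FEATURES, v)), clusters[m]) for m, v in raw.items()]
    return clusters, cuts, build_tree(rows, cuts, FEATURES)

if __name__ == "__main__":
    clusters, cuts, tree = run()
    print("clusters:", clusters)
    print("root question:", tree["question"])
    new_server = dict(zip(FEATURES, [90, 0.95, 0.30, 12]))  # constructed new machine
    print("new machine ->", assign(tree, lambda n: new_server[n["feature"]] > n["threshold"]))
```

On this constructed week the three machine types fall into three clusters, the root question asks about the inbound ratio (servers vs. everything else) and the second question about weekly connections (developer laptops vs. desktops), so an administrator places a new machine with two answers. Re-running after a re-clustering regenerates both the cuts and the questions, which is the behaviour the poster describes.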