Statistical based IDS background introduction

- Statistical IDS background
- Why do we do this project
- Attack introduction
- IDS architecture
- Data description
- Feature extraction
- Statistical method introduction
- Result analysis

Project goals
- The Internet sees various network attacks, including denial of service attacks and port scans.
- Related work: overall traffic detection; flow-level detection.
- Our goals: detect both attacks at the same time; differentiate DoS and port scans.

Attack introduction: TCP SYN flooding
- An important form of DoS attack
- Exploits TCP's three-way handshake mechanism and its limitation in maintaining half-open connections
- Feature: spoofed source IP
- Recent variant: reflected SYN/ACK flooding attacks

Attack introduction: port scan
- Horizontal scan
- Vertical scan
- Block scan
- Feature: real source IP address

Statistical IDS architecture
- Learning part
- Detection part

Data description: DARPA98 data
- The first standard corpus for the evaluation of network intrusion detection systems
- From the Information Systems Technology Group (IST) of MIT Lincoln Laboratory, under Defense Advanced Research Projects Agency (DARPA ITO) and Air Force Research Laboratory (AFRL/SNHS) sponsorship
- Seven weeks of training data
- Two weeks of detection data

Data description: DARPA98 data format
897048008.080700 172.16.114.169.1024 > 195.73.151.50.25: S ACK 1055330111:1055330111(0) win 512 <mss 1460>
- Time stamp: 897048008.080700
- Source IP address + port: 172.16.114.169.1024
- Destination IP address + port: 195.73.151.50.25
- TCP flag: S (may also be R, F, P)
- ACK flag: ACK
- Other parts of the packet header: 1055330111:1055330111(0) win 512 <mss 1460>

Feature extraction
Calculate the metrics over every 5 minutes of traffic. For example:
- SYN-SYN/ACK pairs
- SYN-FIN + SYN-RST(active) pairs
- Traffic volume
- SYN packet volume
- ......
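As an added example (not code from the slides or the project), the following parser reads lines in the DARPA98 tcpdump-style format shown above and computes the per-5-minute-window metrics listed on the feature extraction slide. It assumes the token layout of the slide's example line, counts a "pair" when a SYN from the initiating side is answered by a SYN/ACK, or followed by a FIN/RST from the initiating side, inside the same window, and runs on constructed sample lines.

```python
import re
from collections import defaultdict

WINDOW = 300.0  # the slide's 5-minute windows, in seconds
# Assumed layout (from the slide's example): timestamp, src.port > dst.port:, flag letters, optional ACK, seq/window
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):\s+(?P<rest>.*)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a packet line we understand
    flags = set()
    for tok in m.group("rest").split():
        if re.fullmatch(r"[SRFP.]+", tok):  # tcpdump flag letters; "." means none set
            flags.update(tok.replace(".", ""))
        elif tok.lower() == "ack":
            flags.add("A")
        else:
            break  # reached sequence numbers / window size / options
    return float(m.group("ts")), m.group("src"), m.group("dst"), flags

def window_features(lines):
    win = defaultdict(lambda: {"syns": set(), "synack": 0, "finrst": 0, "packets": 0, "syn_packets": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, flags = parsed
        w = win[int(ts // WINDOW)]
        w["packets"] += 1
        if "S" in flags and "A" not in flags:  # SYN from the active (initiating) side
            w["syn_packets"] += 1
            w["syns"].add((src, dst))
        elif "S" in flags and (dst, src) in w["syns"]:  # SYN/ACK answering a SYN seen in this window
            w["synack"] += 1
        elif flags & {"F", "R"} and (src, dst) in w["syns"]:  # FIN/RST sent by the active side
            w["finrst"] += 1
    return {k: {"syn_synack_pairs": v["synack"], "syn_finrst_pairs": v["finrst"],
                "packets": v["packets"], "syn_packets": v["syn_packets"]} for k, v in win.items()}

# Constructed sample (not DARPA98 data): one completed connection, two SYNs of which one is answered, one SYN in the next window
SAMPLE = """\
897048008.080700 172.16.114.169.1024 > 195.73.151.50.25: S 1055330111:1055330111(0) win 512 <mss 1460>
897048008.081200 195.73.151.50.25 > 172.16.114.169.1024: S ACK 20:20(0) win 512
897048009.000000 172.16.114.169.1024 > 195.73.151.50.25: F 1055330112:1055330112(0) win 512
897048010.000000 10.0.0.7.4000 > 195.73.151.50.80: S 1:1(0) win 512
897048010.000100 10.0.0.8.4001 > 195.73.151.50.80: S 1:1(0) win 512
897048011.000100 195.73.151.50.80 > 10.0.0.7.4000: S ACK 9:9(0) win 512
897048300.500000 10.0.0.9.4002 > 195.73.151.50.22: S 1:1(0) win 512
"""
```

Calling `window_features(SAMPLE.splitlines())` yields one record per window index; a window with many SYNs but few SYN-FIN/SYN-RST pairs is the kind of metric pattern the later statistical models are trained to separate.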

Statistical method: statistical based IDS
- Goal: use statistical metrics and algorithms to differentiate anomalous traffic from benign traffic, and to differentiate different types of attacks.
- Advantage: can detect unknown attacks
- Disadvantage: false positives and false negatives

Hidden Markov Model (HMM)
HMM is a very useful statistical learning model. It has been successfully applied in speech recognition.
- Advantages:
  1. analyzing sequence data (represented with observation probabilities and transition probabilities)
  2. supports both unsupervised and supervised training
  3. high accuracy
- Disadvantage: comparatively long training time

Double Gaussian model
Introduction
- Two Gaussian distribution models are used to represent two classes of behavior
- Compute the two probabilities of the current behavior using the two classes' Gaussian parameters
- Compare them: the current behavior belongs to the class with the larger probability
Training period
- Estimate the two-class Gaussian parameters
Detection period
- Use the two-class Gaussian parameters to compute the probabilities and compare them

Double Gaussian model
- Advantages: simple, easy to understand; fast
- Disadvantage: no sequence characteristic (the order of observations is not modelled)
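An added worked example (not the project's code) of the double Gaussian training and detection periods described above: one diagonal Gaussian is fitted per class, and a window is assigned to the class under which its feature vector has the larger (log) probability. The two per-window features, SYN packet volume and the fraction of SYNs matched by a SYN-FIN/SYN-RST pair, the training windows, and the benign/SYN-flood labels are all constructed for illustration.

```python
import math

def fit_gaussian(samples):
    # Training period: per-feature mean and variance (diagonal Gaussian) of one class
    n, dim = len(samples), len(samples[0])
    mean = [sum(s[i] for s in samples) / n for i in range(dim)]
    var = [sum((s[i] - mean[i]) ** 2 for s in samples) / n for i in range(dim)]
    return mean, [max(v, 1e-9) for v in var]  # floor so a constant feature cannot divide by zero

def log_likelihood(x, params):
    # log N(x | mean, diag(var)); log space avoids underflow for windows far from a class mean
    mean, var = params
    return sum(-0.5 * math.log(2 * math.pi * v) - (xi - m) ** 2 / (2 * v)
               for xi, m, v in zip(x, mean, var))

def classify(x, benign_params, attack_params):
    # Detection period: the window belongs to the class giving the larger probability
    lb, la = log_likelihood(x, benign_params), log_likelihood(x, attack_params)
    return "benign" if lb > la else "attack"

# Constructed training windows (not DARPA98 data): each vector is
# (SYN packet volume, fraction of SYNs matched by a SYN-FIN/SYN-RST pair) for one 5-minute window
BENIGN_WINDOWS = [(40, 0.95), (55, 0.90), (48, 0.93), (60, 0.97)]
SYN_FLOOD_WINDOWS = [(5000, 0.02), (8000, 0.01), (6500, 0.03), (7200, 0.00)]

def train_and_classify(windows):
    benign, attack = fit_gaussian(BENIGN_WINDOWS), fit_gaussian(SYN_FLOOD_WINDOWS)
    return [classify(w, benign, attack) for w in windows]

if __name__ == "__main__":
    print(train_and_classify([(50, 0.92), (7000, 0.01)]))  # ['benign', 'attack']
```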

Result analysis
Evaluation
- Important quantitative analysis: false positives + false negatives
- Looking at the metric values and finding the reasons behind them
- Repeating experiments