Integrating Human and Synthetic Reasoning Via Model-Based Analysis.

Slides:

Advertisements

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Advertisements

How to be an Effective Listener.

Greg Williams CS691 Summer Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.

Network Certification Preparation. Module - 1 Communication methods OSI reference model and layered communication TCP/IP model TCP and UDP IP addressing.

Eleven by Sandra Cisneros

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.

Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg Rule-Based Anomaly Detection on IP Flows.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Computer Networks Fall, 2007 Prof Peterson. CIS 235: Networks Fall, 2007 Western State College  What are the main layers? What happens at each?

Chapter 14 TCP/IP and Routing Part #1 Unix System Administration.

An 8051 Based Web Server Project by Mason Kidd Advised by Dr. Schertz.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

Design and Implementation of SIP-aware DDoS Attack Detection System.

Department Of Computer Engineering

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,

Internet Review Academic Talent Search. All About Networking DevicesDevices Packet TransferPacket Transfer HardwareHardware SoftwareSoftware Wiring/CablingWiring/Cabling.

SECURING NETWORKS USING SDN AND MACHINE LEARNING DRAGOS COMANECI –

A fast identification method for P2P flow based on nodes connection degree LING XING, WEI-WEI ZHENG, JIAN-GUO MA, WEI- DONG MA Apperceiving Computing and.

Data Communications and Networks

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

Introduction to IT and Communications Technology Justin Champion C208 – 3292 Ethernet Switching CE

1 Token Passing: IEEE802.5 standard  4 Mbps  maximum token holding time: 10 ms, limiting packet length  packet (token, data) format:  SD, ED mark start,

Chapter 6 System Engineering - Computer-based system - System engineering process - “Business process” engineering - Product engineering (Source: Pressman,

Event Stream Processing for Intrusion Detection in ZigBee Home Area Networks Sandra Pogarcic, Samujjwal Bhandari, Kedar Hippalgaonkar, and Susan Urban.

1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen

Introduction to Networking. Key Terms packet  envelope of data sent between computers server  provides services to the network client  requests actions.

CMPT 471 Networking II Address Resolution IPv4 ARP RARP 1© Janice Regan, 2012.

TCP/IP fundamentals Unit objectives Discuss the evolution of TCP/IP Discuss TCP/IP fundamentals.

Token Passing: IEEE802.5 standard  4 Mbps  maximum token holding time: 10 ms, limiting packet length  packet (token, data) format:  SD, ED mark start,

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Reading ACT Test. Format 40 questions/4 passages/35 minutes/ ½ minutes per passage 2-3 minutes to read each passage and 5-6 to answer questions.

1 Multilevel TRILL draft-perlman-trill-rbridge-multilevel-00.txt Radia Perlman Intel Labs March 2011.

© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.

Your device Title Here Your Name Your class Period.

Mental Models Sonia Chiasson and Robert Biddle Human Oriented Technology Lab Carleton University, Ottawa.

Requirements Engineering Southern Methodist University CSE 7316 – Chapter 3.

Use Case Diagram The purpose is to communicate the system’s functionality and behaviour to the customer or end user. Mainly used for capturing user requirements.

1 Microsoft Windows 2000 Network Infrastructure Administration Chapter 4 Monitoring Network Activity.

TAXII SC Call Agenda Administrivia Month Behind Discussion Month Ahead.

1. Layered Architecture of Communication Networks: TCP/IP Model

Intrusion Detection System

1 Virtual Dark IP for Internet Threat Detection Akihiro Shimoda & Shigeki Goto Waseda University

Models and Diagrams. Models A model is an abstract representation of something real or imaginary. Like a map, a model represents something A useful model.

I NTRUSION P REVENTION S YSTEM (IPS). O UTLINE Introduction Objectives IPS’s Detection methods Classifications IPS vs. IDS IPS vs. Firewall.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Thanks for joining! We will begin in just a few minutes as more people.

Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.

Internet Flow By: Terry Hernandez. Getting from the customers computer onto the internet Internet Browser

Study & Conclusions. Perspectives on Face-to-face Interaction Success at anticipating the actions of the other – Implies need for Model of user that supports.

© 2002, Cisco Systems, Inc. All rights reserved..

Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering.

Address Resolution Protocol Yasir Jan 20 th March 2008 Future Internet.

Token Passing: IEEE802.5 standard  4 Mbps  maximum token holding time: 10 ms, limiting packet length  packet (token, data) format:

CSE333 CSE333 DDS.1 A System for Creating Specialized DDS Architectures Research and Work By: Tom Puzak Nathan Viniconis Solomon Berhe Jeffrey Peck Project.

Ch. 23, 25 Q and A (NAT and UDP) Victor Norman IS333 Spring 2015.

BRAIN SCAN  Brain scan is an interactive quiz for use as a revision/ learning reinforcement tool that accompanies the theory package.  To answer a question.

Chapter 8.  Upon completion of this chapter, you should be able to:  Understand the purpose of a firewall  Name two types of firewalls  Identify common.

Decision Support and Business Intelligence Systems (9 th Ed., Prentice Hall) Chapter 12: Artificial Intelligence and Expert Systems.

Introduction to Machine Learning, its potential usage in network area,

Instructor & Todd Lammle

OAIS Producer (archive) Consumer Management

Securing the Network Perimeter with ISA 2004

Direction Changes Over Time

Exam 1 Terminology Review

Net 323 D: Networks Protocols

Latest Free Exam Questions - Free Full Training

Model-View-Controller Patterns and Frameworks

Elements of a Short Story

Presentation transcript:

Integrating Human and Synthetic Reasoning Via Model-Based Analysis

Introduction and Explanation This is an experimental idea and very rough – Glue together very tame AI and user interface through some fault trees To capture knowledge Improve efficiency Overview of work (My) Questions!

If you haven’t seen this slide, you haven’t attended any of my talks

How much do we know about network traffic?

Basic problem We don’t know what we know and we don’t know what we don’t know Most valuable resource available is analyst head time Lots of repetitive mindless attacks Lots of low-risk, high-threat attacks Have to automate Also have to ensure automation isn’t self defeating

A Metric For Knowledge Every day we receive k-billion flows – We can understand and accurately tag x% of them – As x approaches 100%, the better We improve x: – Hiring more analysts – Reducing traffic into the network – Automating the process – Describing multiple flows at 1 time

Prototype System Diagram Flow DPI AI Models Admission Of Ignorance Maps Reports Alerts Historical Maps Conflict

What is an AI? An AI is a system that reads in network data and outputs: – A domain – Some models – Alerts – Inventory data AI DPI Maps Scans Important Scans Systems Scanned

Complementary AIs Accurate Predictable Unambiguous human/machine communication Humans serve as the final judge Don’t overwhelm with trivia

Accuracy Control ambiguity – ROC curves provide us with a measure of accuracy – But we’ve generally been unsure about what TP to use AIs will not guess in order to avoid a bad guess

Predictable There isn’t much we can do… – Reports: periodic and predictable information on the state of the system (e.g., scanning) – Alerts: When an actionable event occurs, a notice of the event and a recommended strategy (alter fw rules, take down machine, send people with guns) – Internal Intelligence: maps of the inside of the network – External Intelligence: maps of the outside world Inventory is central

Conflict Resolution We know that something is something – By fiat (“It’s my webserver”) – By published reference (port 80 is http) – Deep packet inspection (HTTP/1.0…) – Behaviorally (short requests, big transfers) Hierarchy of certainty – DPI >> Fiat >> Behavioral >> Published reference

Managing Conflict DPIFiatBehavioralPublishedResult A---Map as A, alert on lack of published info A!AXXMap as A, alert on conflict AAXXMap as A A--!AMap as A, alert on masquerade -A-AMap as A -A!AAReport anomaly, Map as A -A--Map as A

Human/Machine Communication AIs don’t raise alerts on normal behavior – Reports are for that AIs raise alerts on actionable anomalies – Provide diagnostics, inventory and history AIs raise alerts on conflicts – Rely on the user to resolve the conflict and move on

User Controls Everyone controls domains: sip, dip, sport, dport, time and protocol value – Domains have wildcards Agents mark or subscribe domain: – Mark: this happened in the past and I can infer what happened For AI’s, Mark indicates “I recognize this” – Subscribe: I will control and worry about this from now onto the future For users, subscription says “This is my territory”

Models AIs don’t output flow data – They mark off some segment of flows and group them together as a separate structure For example: – A “scan” – A “Bittorrent Network” – A “Surfing session” These models, in turn, have questions and structures that are more relevant to analysis – Who did the scan hit? – How much traffic was transferred in BT?

A Really Ugly UI

What that is Certainly not a testament to my visualization skills Prototype using two systems – Simple scan detection – BitTorrent detection The black is what’s left

Problems As I said, this is all very rough right now Problems remaining: – Application/Knowledge Layering – Model Taxonomy – User experience – Backtracking – Metadata

Application Layering Make judgments at different levels of the stack Different inferential resolution: – Does this IP exist? – Does this IP communicate? – What does this IP communciate? – Is this IP significant in its network?

Model Taxonomy Models replace flows with more compact descriptions of phenomena – E.g., “A Scan” is a list of the scanned IP’s, and anything that responded Trying to begin with broad behavioral descriptions and move down from there Flood ServiceRouting ScanningBackscatter Worm DDoS Xfer Chatty

Unsolved Problems Weirdometer metrics – Flows/IPS/bytes/IP pairs? Backtracking – How much do we want to see flow vs. model vs. map? Response Mechanism – What can a CSIRT do? Meta metrics – How much of the traffic do we understand?