F3 Collecting Network Based Evidence (NBE)

F3 Collecting Network Based Evidence (NBE) Dr. John P. Abraham Professor UTPA

NBE. Proactive: collect to prevent attacks. Reactive: collect because an attack has already happened. What to collect: full content data, session data, alert data, statistical data.

Full Content Data. Similar to recording all conversations of suspects: collecting all computer activities by intercepting and recording every packet. Takes a lot of disk space and a lot of time to analyze. Collecting full content data is beyond the means of most organizations, so usually it is not done.

Session Data. Similar to recording one conversation between suspects, or retrieving phone company records for a summary of all conversations. You get a summary of sessions with date and time, source and destination addresses, and how each session was terminated.

Alert Data. Analyzing NBE for predefined items of interest, for example when a particular pair of source/destination addresses is encountered. The sensor is programmed to recognize bit patterns; a match might be a precursor to an attack. Similar to a red light going off when a particular word is heard, such as OSAMA.

Statistical Data. Similar to noting the time of day of the regular calls between subjects, their duration, etc. For network traffic: most active IP addresses, ports, data length, etc.
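The session and statistical data described in the two slides above, derived from packet records, as an added example that is not part of the original presentation; the packet records are constructed inline (not a real capture) and the field layout, the idle timeout and the "lower port is the service port" heuristic are assumptions of this example.

```python
from collections import Counter

# Constructed packet records (not a real capture): (time, src, sport, dst, dport, tcp_flags, length)
PACKETS = [
    (0.0, "10.0.0.5", 40000, "192.0.2.10", 80, "S", 60),
    (0.1, "192.0.2.10", 80, "10.0.0.5", 40000, "SA", 60),
    (0.2, "10.0.0.5", 40000, "192.0.2.10", 80, "A", 52),
    (0.3, "10.0.0.5", 40000, "192.0.2.10", 80, "PA", 400),
    (0.5, "192.0.2.10", 80, "10.0.0.5", 40000, "PA", 1500),
    (0.6, "10.0.0.5", 40000, "192.0.2.10", 80, "F", 52),
    (0.7, "192.0.2.10", 80, "10.0.0.5", 40000, "FA", 52),
    (5.0, "203.0.113.7", 51000, "192.0.2.10", 22, "S", 60),
    (5.1, "192.0.2.10", 22, "203.0.113.7", 51000, "R", 40),
    (9.0, "203.0.113.7", 51001, "192.0.2.10", 4444, "S", 60),
]


def build_sessions(packets, idle_timeout=60.0):
    """Session data: one record per conversation with start/end time, endpoints,
    volume and how it was terminated (fin, reset, timeout, or still open)."""
    sessions = {}
    for t, src, sport, dst, dport, flags, length in sorted(packets):
        key = tuple(sorted([(src, sport), (dst, dport)]))  # same key for both directions
        s = sessions.get(key)
        if s is None:  # first packet seen names the initiator
            s = sessions[key] = {"src": src, "sport": sport, "dst": dst, "dport": dport,
                                 "start": t, "end": t, "bytes": 0, "packets": 0,
                                 "end_reason": "open"}
        s["end"], s["bytes"], s["packets"] = t, s["bytes"] + length, s["packets"] + 1
        if "R" in flags:
            s["end_reason"] = "reset"
        elif "F" in flags and s["end_reason"] == "open":
            s["end_reason"] = "fin"
    last_seen = max(p[0] for p in packets)
    for s in sessions.values():  # assumed: silence longer than idle_timeout ends a session
        if s["end_reason"] == "open" and last_seen - s["end"] > idle_timeout:
            s["end_reason"] = "timeout"
    return list(sessions.values())


def statistics(packets, top=3):
    """Statistical data: most active addresses, most used service ports, total bytes."""
    addrs, ports, total = Counter(), Counter(), 0
    for _, src, sport, dst, dport, _, length in packets:
        addrs[src] += 1
        addrs[dst] += 1
        ports[min(sport, dport)] += 1  # heuristic: the lower-numbered port is the service
        total += length
    return {"top_addrs": addrs.most_common(top), "top_ports": ports.most_common(top),
            "bytes": total}
```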

A standard intrusion scenario, for example: Reconnaissance. Preliminary examination before an attack: validate address and connectivity, enumerate services, and check for vulnerable versions of software. Reinforcement. Download attack tools; attempt to elevate privileges at the target, perhaps using a backdoor. Consolidation. Use someone else's IP address to connect to the victim, or have the victim connect to a chat and enter through that. Pillage. Steal info, damage the computer, etc.

Using full content data. Data collected using network security monitoring. By collecting every packet you could have a complete record of the intruder's actions, unless the intruder used encryption. The following questions could be answered: Is the web server compromised? What info was lost? Where did the intruder go to get the info? Where is the backdoor?

Using session data. Session data is a summary of conversations. It is the easiest form of data to understand and manipulate because packets are not collected or examined. Scanmap3d is visualization software for session data, available at http://scanmap3d.sourceforge.net/. Scanmap3d is a Java program, written as a concept demonstration for visualisation of network intrusion detection information. The program reads information from a MySQL database and produces a 3D map of network traffic. The visualisation is very useful for intrusion detection or network troubleshooting. The code is now in a stable enough state to be useful in analysing tcpdump/snort data within a MySQL database.

Session data provides answers. Is the web server compromised? You can view suspicious connections: usual web requests are inbound connections, so outbound connections from the web server are suspicious, as are connections using ports other than 80. Did the intruder visit other machines using the web server? You can get this information from the session data. Is the intruder present now? How frequent are the visits?
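The four questions above, answered from session records, as an added example that is not part of the original presentation; the session records are constructed inline (the kind of summary argus or tcptrace would emit) and the web server address, the internal network range and the "recent" window are assumptions of this example.

```python
import ipaddress

WEBSERVER = "192.0.2.10"                          # assumed address of the web server
INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # assumed internal network

# Constructed session records (not from a real capture); start is minutes into the capture.
SESSIONS = [
    {"start": 100.0, "src": "198.51.100.4", "sport": 40000, "dst": WEBSERVER, "dport": 80},   # normal inbound request
    {"start": 101.0, "src": "203.0.113.7", "sport": 51000, "dst": WEBSERVER, "dport": 80},
    {"start": 102.0, "src": "203.0.113.7", "sport": 51001, "dst": WEBSERVER, "dport": 4444},  # not the web port
    {"start": 103.0, "src": WEBSERVER, "sport": 33000, "dst": "203.0.113.7", "dport": 6667},  # server reaching out to a chat port
    {"start": 104.0, "src": WEBSERVER, "sport": 33001, "dst": "192.0.2.20", "dport": 445},    # server talking to another internal host
    {"start": 160.0, "src": "203.0.113.7", "sport": 51002, "dst": WEBSERVER, "dport": 4444},
]


def suspicious_sessions(sessions, server=WEBSERVER, web_ports=(80,)):
    """Is the server compromised? Inbound sessions to the web port are expected;
    outbound sessions from the server and inbound sessions to other ports are not."""
    flagged = []
    for s in sessions:
        if s["src"] == server:
            flagged.append(("outbound", s))
        elif s["dst"] == server and s["dport"] not in web_ports:
            flagged.append(("non-web-port", s))
    return flagged


def lateral_targets(sessions, server=WEBSERVER, internal=INTERNAL):
    """Did the intruder visit other machines using the web server? Internal hosts
    that the server itself opened sessions to."""
    return sorted({s["dst"] for s in sessions
                   if s["src"] == server and ipaddress.ip_address(s["dst"]) in internal})


def visit_profile(sessions, addr, now, recent_window=30.0):
    """Is the intruder present now, and how frequent are the visits? Count sessions
    involving addr, report first/last time, and call it present if seen within recent_window."""
    times = sorted(s["start"] for s in sessions if addr in (s["src"], s["dst"]))
    return {"visits": len(times),
            "first": times[0] if times else None,
            "last": times[-1] if times else None,
            "present_now": bool(times) and now - times[-1] <= recent_window}
```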

Using Alert Data. An intrusion detection system is a device or application used to inspect all network traffic and alert the user or administrator when there have been unauthorized attempts or access. The two primary methods of monitoring are signature-based and anomaly-based. Depending on the device or application used, the IDS can either simply alert the user or administrator, or it could be set up to block specific traffic or automatically respond in some way. Signature-based detection relies on comparing traffic to a database containing signatures of known attack methods. It is good for determining whether the system was scanned.

Using Statistical Data. Information on unusual ports or protocols, the amount of traffic, etc.

Data Collection. Hubs: forward to all ports, so a monitoring station can detect all packets. They operate in half duplex, so speed suffers; perhaps you can get about 60 Mbps. Place the hub between the router and the next device (switch, firewall, etc.). Taps: more expensive; work the same way, with improved speed. Bridges: you can use a computer with two network ports, bridged, to do the same as a tap. Switched port analyzer: set a switch port as a mirror port.

Collecting and Storing Traffic. Full content data tools: www.tcpdump.org is the standard packet capture program; it uses the libpcap library to make copies of traffic. For PCs you may use wincap.org/windump or winPcap.org. For analyzing, use www.ethereal.com, and to view graphically use www.etherape.sourceforge.net. Freeware is available to search in a dump: www.packetfactory.net/projects/ngrep.

Session Data tools. Download argus from www.qosient.com/argus; several versions are available. It operates in live or batch mode. www.tcptrace.org is designed to interpret traffic in batch mode. Tcpflow from circlemud can work with full content data and can rebuild the contents of individual sessions.