Decision Trees for Server Flow Authentication James P. Early and Carla E. Brodley Purdue University West Lafayette, IN 47907

Slides:



Advertisements
Similar presentations
Centre de Comunicacions Avançades de Banda Ampla (CCABA) Universitat Politècnica de Catalunya (UPC) Identification of Network Applications based on Machine.
Advertisements

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Security Firewall Firewall design principle. Firewall Characteristics.
Firewalls and Intrusion Detection Systems
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
Chapter 7 Firewalls. Firewall Definition  A network device that enforces network access control based upon a defined security policy.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
Circuit & Application Level Gateways CS-431 Dick Steflik.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Intrusion Detection System Marmagna Desai [ 520 Presentation]
Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
A Brief Taxonomy of Firewalls
A fast identification method for P2P flow based on nodes connection degree LING XING, WEI-WEI ZHENG, JIAN-GUO MA, WEI- DONG MA Apperceiving Computing and.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Intranet, Extranet, Firewall. Intranet and Extranet.
FIREWALL Mạng máy tính nâng cao-V1.
A Statistical Anomaly Detection Technique based on Three Different Network Features Yuji Waizumi Tohoku Univ.
Traffic Classification through Simple Statistical Fingerprinting M. Crotti, M. Dusi, F. Gringoli, L. Salgarelli ACM SIGCOMM Computer Communication Review,
January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.
Chapter 6: Packet Filtering
By : Himanshu Mishra Nimish Agarwal CPSC 624.  A system designed to prevent unauthorized access to or from a private network.  It must have at least.
Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.
Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.
COEN 252 Computer Forensics Collecting Network-based Evidence.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Windows 7 Firewall.
Module 4: Configuring ISA Server as a Firewall. Overview Using ISA Server as a Firewall Examining Perimeter Networks and Templates Configuring System.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
CHAPTER 10 Session Hijacking. INTRODUCTION The act of taking over a connection of some sort, for examples, network connection, a modem connection or other.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
An Overview of Intrusion Detection Using Soft Computing Archana Sapkota Palden Lama CS591 Fall 2009.
TCP/IP Protocols Contains Five Layers
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Heuristics to Classify Internet Backbone Traffic based on Connection Patterns Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering.
Packet Filtering COMP 423. Packets packets datagram To understand how firewalls work, you must first understand packets. Packets are discrete blocks of.
Secure Wired Local Area Network( LAN ) By Sentuya Francis Derrick ID Module code:CT3P50N BSc Computer Networking London Metropolitan University.
Module 7: Advanced Application and Web Filtering.
Network Security Part III: Security Appliances Firewalls.
Centre de Comunicacions Avançades de Banda Ampla (CCABA) Universitat Politècnica de Catalunya (UPC) Identification of Network Applications based on Machine.
Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:
BotCop: An Online Botnet Traffic Classifier 鍾錫山 Jan. 4, 2010.
TCP and UDP Ports. 1.The TCP part of TCP/IP stands for Transmission Control Protocol, and it is a reliable transport-oriented way for information to be.
Machine Learning for Network Anomaly Detection Matt Mahoney.
1 Review – The Internet’s Protocol Architecture. Protocols, Internetworking & the Internet 2 Introduction Internet standards Internet standards Layered.
The Aerospace Clinic 2002 Team Members Nick Hertl (Project Manager) Will Berriel Richard Fujiyama Chip Bradford Faculty Advisor Professor Michael Erlinger.
Chapter 11 – Cloud Application Development. Contents Motivation. Connecting clients to instances through firewalls. Cloud Computing: Theory and Practice.
@Yuan Xue CS 285 Network Security Fall 2012 Yuan Xue.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
25/09/ Firewall, IDS & IPS basics. Summary Firewalls Intrusion detection system Intrusion prevention system.
CompTIA Security+ Study Guide (SY0-401)
Transport Protocols Relates to Lab 5. An overview of the transport protocols of the TCP/IP protocol suite. Also, a short discussion of UDP.
Computer Data Security & Privacy
Securing the Network Perimeter with ISA 2004
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
CompTIA Security+ Study Guide (SY0-401)
Lecture # 7 Firewalls الجدر النارية. Lecture # 7 Firewalls الجدر النارية.
File Transfer Protocol
Transport Protocols Relates to Lab 5. An overview of the transport protocols of the TCP/IP protocol suite. Also, a short discussion of UDP.
Firewalls Purpose of a Firewall Characteristic of a firewall
دیواره ی آتش.
Firewalls.
By Seferash B Asfa Wossen Strayer University 3rd December 2003
Protection Mechanisms in Security Management
Session 20 INST 346 Technologies, Infrastructure and Architecture
Presentation transcript:

Decision Trees for Server Flow Authentication James P. Early and Carla E. Brodley Purdue University West Lafayette, IN September 24, 2003

Motivation Port numbers can be unreliable for determining traffic type –Proxies –Port Remappers (e.g., AntiFirewall) –“Backdoored” services –User-installed services

Motivation Strong reliance on port number –Firewall filtering rules –IDS signatures Given a flow of packets from a server, can we identify the application?

Modeling Flow Behavior Capture operational characteristics Connection initialization data not required Payload data not required Intuition: Application protocols use the underlying TCP state mechanism in different ways, thus they can be differentiated

Feature Construction Individual packet features –TCP state flags –Packet length –Inter-arrival time Use an overlapping packet window

Supervised Learning Train learner to classify unseen flows as one of k classes Assumption: Policy specifies services for a host Does flow match expected service?

Aggregate Flow Experiments FTP, SSH, Telnet, SMTP, HTTP Data sets (1999 Lincoln Labs) Training : Week 1 Test: Week 3 Fifty flows / protocol Packet window sizes: 10 to 1000 Use C5.0 to build decision tree

Aggregate Flow Results Window Size FTPSSHTelnetSMTPHTTP %88%94%82%100% %96%94%86%100% 20098%96% 84%98% %96% 86%100% 5098%96% 82%100% 20100%98% 82%98% 10100% 82%98%

Per-Host Flow Experiments Operational characteristics of a host –Server implementation –OS platform Five hosts with three or more services Build decision trees (window size 100) Classify unseen flows for same host

Per-Host Flow Results HostFTPSSHTelnetSMTPWWW %-100%90%100% %100%84%100% % %95%100%95% %- -

Water Cooler Effect Cause: long lapses in user activity Result: large increase in mean IAT Future work Analysis of sub-flows

Experiments Using Live Traffic Data collected from our test network Augmented with file-sharing data (Kazaa) Accuracy % Comparable to synthetic data

Utilizing Flow Classifiers

Subverting Classification Water Cooler Effect Extraneous TCP Flags (e.g., URG) Duplication of particular behavior unlikely

Related Work “ Flow Classification for Intrusion Detection” Tom Dunigan and George Ostrouchov, ORNL/TM-2001/115 (2000) “Detection and Classification of TCP/IP Network Services” Tan, K.M.C. and Collie, B.S., Proceedings of the 13 th Annual Computer Security Applications Conference (1997) Signature Based –Connection –Payload

Conclusions Designed features that model application behavior Achieved high classification accuracy in real time Future work –IDS integration –Mitigation of Water Cooler Effect –Attempts to subvert classification

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.