TransAD: A Content Based Anomaly Detector Sharath Hiremagalore Advisor: Dr. Angelos Stavrou October 23, 2013.


transAD: A Content Based Anomaly Detector Sharath Hiremagalore Advisor: Dr. Angelos Stavrou October 23, 2013

Intrusion Detection Systems
 Secure code – vulnerabilities are just waiting to be discovered
 Attackers come up with new attacks all the time
 A single line of defense to prevent malicious activity is insufficient

Intrusion Detection Systems
 Adds one more line of defense to prevent attackers from getting away easily
 What is an Intrusion Detection System (IDS) supposed to detect?
  - Activity that deviates from the normal behavior – Anomaly detection
  - Execution of code that results in break-ins – Misuse detection
  - Activity involving privileged software that is inconsistent with respect to a policy/specification – Specification based detection
  - (classification due to D. Denning)

Types of IDS
 Host Based IDS
  - Installed locally on machines
  - Monitoring local user activity
  - Monitoring execution of system programs
  - Monitoring local system logs
 Network IDS
  - Sensors are installed at strategic locations on the network
  - Monitor changes in traffic pattern/connection requests
  - Monitor users’ network activity – deep packet inspection

Types of IDS
 Signature Based IDS
  - Compares incoming packets with known signatures
  - E.g. Snort, Bro, Suricata, etc.
 Anomaly Detection Systems
  - Learns the normal behavior of the system
  - Generates alerts on packets that differ from the normal behavior

Network Intrusion Detection Systems Source:

Network Intrusion Detection Systems
Current standard is signature based systems
Problems:
 “Zero-day” attacks
 Polymorphic attacks
 Botnets – inexpensive re-usable IP addresses for attackers

Anomaly Detection
Anomaly Detection (AD) systems are capable of identifying “zero day” attacks
Problems:
 High false positive rates
 Labeled training data
Our focus:
 Web applications are popular targets

transAD & STAND
 transAD: TPR 90.17%, FPR 0.17%
 STAND: TPR 88.75%, FPR 0.51%
 Relative improvement in FPR: 66.67% (Actual: )
 Relative improvement in TPR: 1.6% (Actual: )

Attacks Detected by transAD

Type of Attack         HTTP GET Request
Buffer Overflow        /?slide=kashdan?slide=pawloski?slide=ascoli?slide=shukla?slide=kabbani?slide=ascoli?slide=proteomics?slide=shukla?slide=shukla
Remote File Inclusion  //forum/adminLogin.php?config[forum installed]=
Directory Traversal    /resources/index.php?con=/../../../../../../../../etc/passwd
Code Injection         //resources-template.php?id= union+select+0
Script Attacks         /.well-known/autoconfig/mail/config-v1.1.xml?address=********%40*********.***.***

transAD - Outline
 Transduction Confidence Machines based Anomaly Detector
 Completely unsupervised
 Builds a baseline representing normal traffic
 Ensemble of AD sensors

Transduction based Anomaly Detection
 Compares how well a test packet fits with respect to the baseline
 A “strangeness” function is used for comparing the test packet
 The sum of the K-nearest-neighbor distances is used as the measure of strangeness

Hash Distance

 In the above example:
  - One n-gram ‘bcd’ matches
  - The larger string has 5 n-grams
 Distance is 0.8 (1 - 1/5: one matching n-gram out of the five in the larger string)

Request Normalization
 Different GET requests may have the same underlying semantics
 Normalization improves discrimination between normal and attack packets

Transduction based Anomaly Detection
 Hypothesis testing is used to decide if a packet is an anomaly
  - Several confidence levels were tested and 95% was chosen
  - Null hypothesis: the test point fits well in the baseline
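The three slides above (hash distance, k-NN strangeness, hypothesis test at 95%) fit together as follows. This is an added Python sketch, not the transAD code: it assumes hash distance = 1 - shared n-grams / n-gram count of the larger string (the 1 - 1/5 = 0.8 reading of the example), uses n = 3 instead of transAD's 6 so that example reproduces, and leaves out request normalization, relative n-gram position matching and the ensemble. The baseline requests are constructed, not real traffic.

```python
from typing import List, Set


def ngrams(s: str, n: int) -> Set[str]:
    """Distinct character n-grams of s (a set, so repeats count once)."""
    return {s[i:i + n] for i in range(len(s) - n + 1)}


def hash_distance(a: str, b: str, n: int) -> float:
    """Assumed form: 1 - shared n-grams / n-gram count of the larger string (0 = identical)."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    larger = max(len(ga), len(gb))
    if larger == 0:                      # both strings shorter than n: compare literally
        return 0.0 if a == b else 1.0
    return 1.0 - len(ga & gb) / larger


def strangeness(point: str, others: List[str], k: int, n: int) -> float:
    """Sum of the k smallest hash distances from point to the other packets."""
    dists = sorted(hash_distance(point, o, n) for o in others)
    return sum(dists[:k])


def p_value(test: str, baseline: List[str], k: int, n: int) -> float:
    """Transductive p-value: induct the test point into the baseline and count the
    points that are at least as strange as it (the +1 counts the test point itself)."""
    alpha_test = strangeness(test, baseline, k, n)
    extended = baseline + [test]
    at_least_as_strange = sum(
        1 for i, pt in enumerate(baseline)
        if strangeness(pt, extended[:i] + extended[i + 1:], k, n) >= alpha_test
    )
    return (at_least_as_strange + 1) / (len(baseline) + 1)


def is_anomaly(test: str, baseline: List[str], confidence: float = 0.95,
               k: int = 3, n: int = 3) -> bool:
    """Reject the null hypothesis 'the test point fits the baseline' at the given confidence."""
    return p_value(test, baseline, k, n) < 1.0 - confidence


# Constructed micro-model: 20 normal-looking GET requests of one shape (not real data).
BASELINE = [f"/?slide={i}" for i in range(10, 30)]
BENIGN_TEST = "/?slide=2"                       # constructed: same shape, unseen value
ATTACK_TEST = "/?slide=../../../../etc/passwd"  # constructed, modelled on the traversal row

if __name__ == "__main__":
    print(hash_distance("abcd", "xbcdefg", 3))  # 0.8: one shared 3-gram, larger string has 5
    print(is_anomaly(BENIGN_TEST, BASELINE))    # False: p-value 1.0
    print(is_anomaly(ATTACK_TEST, BASELINE))    # True: p-value 1/21 < 0.05
```

With only 20 baseline points the smallest reachable p-value is 1/21, which is why a micro-model needs enough packets before a 95% test can reject anything at all.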

Micro-model Ensemble
 Packets are captured into epochs of time called “micro-models”
 A micro-model contains a sample of normal traffic
 Micro-models could potentially contain attacks

Sanitization
 Removes potential attacks from the micro-models
 Generally attacks are short lived and poison only a few micro-models
 Packets that have been voted an anomaly by the ensemble are excluded from the micro-models
  - Several voting thresholds were tested and 2/3 majority voting was chosen

Model Drift
 Over time the services in the network change
 Old micro-models become stale, resulting in more false positives
 Old models are discarded and new models inducted into the ensemble

Experimental Setup
 Two data sets with traffic to
  - Two weeks of data
  - No synthetic traffic
 IRB approved
 Run offline, faster than real time
 Alerts generated were manually labeled
  - Over 10,000 alerts labeled

             Number of GET Requests   Number of GET Requests with Arguments
Data Set 1   25 million               445,000
Data Set 2   19 million               717,000

Parameter Evaluation – Micro-model duration
Magnified portion of the ROC curve for different micro-model durations

transAD Parameters

Parameter                           Value
Number of Nearest Neighbors (k)     3
Micro-model Duration                4 hours
N-gram Size                         6
Relative n-gram Position Matching   10
Confidence Level                    95%
Voting Threshold                    2/3 Majority
Ensemble Size                       25
Drift Parameter                     1

Alerts per day for transAD and STAND (plot; series: transAD, STAND)

Questions? Thank You