Presentation transcript:

Slide 1: Final Year Project Presentation DY1
Machine Learning for Computer Security Applications
by Lam Ho-yu, advised by Dr. Yeung Dit-yan

********************************************************************************
* Alert: ident=2635
* Classification type: unknown
* Classification: TELNET access
* Classification URL:
*
* Creation time: 0xc39e21e6.0x5b14b00 ( :34: )
* Detection time: 0xbc6f91f9.0x ( :34: )
* Analyzer ID:
* Analyzer model: Prelude NIDS
* Analyzer version:
* Analyzer class: NIDS
* Analyzer manufacturer: The Prelude Team ids.org
* Analyzer OS type: Linux
* Analyzer OS version:
* Node[unknown]:
* Process: pid=1291 name=prelude-nids
*
* Impact severity: low
* Impact completion: NULL
* Impact type: other
* Impact description: Not Suspicious Traffic
*
*** Source information ********************************************************
* Source spoofed: unknown
* Node[unknown]:
* Addr[ipv4-addr]:
* Service: port=23 (telnet) protocol=tcp
*
*** Target information ********************************************************
* Target decoy: unknown
* Node[unknown]:
* Addr[ipv4-addr]:
* Service: port=4221 protocol=tcp
*
*** Additional data within the alert ******************************************
* Ethernet header: 0:50:da:b7:6:88 -> 0:10:7b:38:46:3b [ether_type=ip (2048)]
* Ip header: > [hl=20,version=4,tos=0,len=55,id=32892,ttl=64,prot=6,frag=[DF ]]
* Tcp header: 23 -> 4221 [flags=PUSH ACK,seq= ,ack= ,win=33580]
* Payload header: size=15 bytes
* Payload Hexadecimal Dump: ff fd 18 ff fd 1f ff fd 23 ff fd 27 ff fd #..'..$
* Detection Plugin Name: SnortRules
* Detection Plugin Author: The Prelude Team
* Detection Plugin Contact:
* Detection Plugin Description: Snort signature parser.
* Snort rule ID: 716
* Snort rule revision: 5
*
********************************************************************************
Figure: An alert of Prelude

Slide 2: What is computer security?
- Computer Security = Firewall?
- Is it secure?
- 7-eleven examples…

Slide 3: Intrusion Detection System (IDS)
- Real world: surveillance camera
- Computer networks: IDS to monitor the network
- This project: computer security application = Intrusion Detection System (IDS)

Slide 4: Presentation Flow
- Problems of current IDS technology
- Objectives of this project
- Scenario – the key idea of this project
- System framework
- Another approach: Active Support Vector Machine (ASVM)

Slide 5: Problems of Current IDS
- Low-level
- Large quantity
- False alerts – password typo vs. password guessing?
- Heavy workload for network security officers

A part of "alert.log" of Bro:
/portmap pm_getport: sadmind -> 0/udp
SensitivePortmapperAccess rpc: /659 > /portmap pm_getport: sadmind -> 56255/udp
SensitivePortmapperAccess rpc: /660 > /portmap pm_getport: sadmind -> 56261/udp
ContentGap /13525 > /telnet content gap (< 92797/14296)

Slide 6: Objectives
- To allow easier separation between false alerts and real alerts
- To transform alerts into a more user-friendly representation
- To relieve the operator's workload by automation

Slide 7: Notion of Scenario
A typical attack usually takes several steps:
1. Scan for candidate machines
2. Exploration – gather information about the machine
3. Exploitation – break into the machine
4. Escalation – gain more control (super-user)
5. Do anything the intruders want!!
Operators want to see the logical steps that the intruder is taking.

Slide 8: The System Framework

Slide 9: Learning Components
- Clustering – group similar alerts together
- Correlation – group alerts that are in the same scenario
- Multi-Layer Perceptrons
- Decision Tree
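The two learning components above, clustering and correlation, applied to the scenario steps of slide 7, as an added example that is not the project's code: the alerts are constructed dicts standing in for parsed Prelude or Bro records, and the STAGE_OF mapping from alert classification to scenario step is an assumption made for this example.

```python
"""Cluster and correlate IDS alerts into attack scenarios (added example)."""
from collections import defaultdict

# Assumed mapping from alert classification to scenario stage:
# 1 = scan, 2 = exploration, 3 = exploitation, 4 = escalation.
STAGE_OF = {
    "portscan": 1,
    "SensitivePortmapperAccess": 2,   # probing RPC services, as in the Bro excerpt
    "TELNET access": 2,               # the Prelude alert above: alone, "Not Suspicious Traffic"
    "sadmind exploit attempt": 3,
    "root shell": 4,
}

# Constructed sample alerts; timestamps are seconds, addresses are made up.
SAMPLE_ALERTS = [
    {"ts": 100, "src": "10.0.0.5", "dst": "10.0.0.20", "class": "portscan"},
    {"ts": 160, "src": "10.0.0.5", "dst": "10.0.0.20", "class": "SensitivePortmapperAccess"},
    {"ts": 170, "src": "10.0.0.5", "dst": "10.0.0.20", "class": "SensitivePortmapperAccess"},
    {"ts": 300, "src": "10.0.0.5", "dst": "10.0.0.20", "class": "sadmind exploit attempt"},
    {"ts": 400, "src": "10.0.0.5", "dst": "10.0.0.20", "class": "root shell"},
    {"ts": 100000, "src": "10.0.0.5", "dst": "10.0.0.20", "class": "portscan"},  # much later: new chain
    {"ts": 120, "src": "10.0.0.7", "dst": "10.0.0.21", "class": "TELNET access"},  # benign-looking
    {"ts": 130, "src": "10.0.0.7", "dst": "10.0.0.21", "class": "TELNET access"},
    {"ts": 140, "src": "10.0.0.7", "dst": "10.0.0.21", "class": "ContentGap"},      # no stage: ignored
]


def cluster_alerts(alerts):
    """Clustering step: group alerts sharing classification, source and target,
    so a rule that fires many times is shown to the operator once."""
    clusters = defaultdict(list)
    for a in alerts:
        clusters[(a["class"], a["src"], a["dst"])].append(a)
    return dict(clusters)


def _as_scenario(src, dst, chain):
    """A chain is a scenario only if it touches at least two distinct stages;
    a single repeated alert (two TELNET logins, say) is not an attack story."""
    stages = {STAGE_OF[a["class"]] for a in chain}
    if len(stages) < 2:
        return None
    return {"src": src, "dst": dst, "max_stage": max(stages),
            "steps": [(STAGE_OF[a["class"]], a["class"], a["ts"]) for a in chain]}


def correlate_scenarios(alerts, window=3600):
    """Correlation step: for each (source, target) pair walk the alerts in time
    order and chain those whose stage never goes backwards; a new chain starts
    when the stage drops or the gap to the previous alert exceeds `window` seconds."""
    by_pair = defaultdict(list)
    for a in alerts:
        if a["class"] in STAGE_OF:
            by_pair[(a["src"], a["dst"])].append(a)
    scenarios = []
    for (src, dst), group in by_pair.items():
        group.sort(key=lambda a: a["ts"])
        chain = []
        for a in group:
            if chain and (STAGE_OF[a["class"]] < STAGE_OF[chain[-1]["class"]]
                          or a["ts"] - chain[-1]["ts"] > window):
                scenario = _as_scenario(src, dst, chain)
                if scenario:
                    scenarios.append(scenario)
                chain = []
            chain.append(a)
        scenario = _as_scenario(src, dst, chain)
        if scenario:
            scenarios.append(scenario)
    # Scenarios that reached escalation come first: they deserve the operator's attention.
    return sorted(scenarios, key=lambda s: -s["max_stage"])


if __name__ == "__main__":
    print(f"{len(cluster_alerts(SAMPLE_ALERTS))} clusters from {len(SAMPLE_ALERTS)} alerts")
    for s in correlate_scenarios(SAMPLE_ALERTS):
        print(f"{s['src']} -> {s['dst']} reached stage {s['max_stage']}:")
        for stage, cls, ts in s["steps"]:
            print(f"  t={ts:<6} stage {stage}: {cls}")
```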

Slide 10: Key Results
Clustering results:
- Total clusters: 236
- Alert count in clusters: 835
Correlation results:
- Total scenarios: 182
- Alert count in scenarios:

Confusion matrix (rows: desired label, columns: processed result):

                  Processed True   Processed False   Total
Desired True      99.21%           0.7874%           15.21%
Desired False     18.36%           81.64%            84.79%
Total             30.66%           69.34%

Slide 11: Screen Shot

Slide 12

Slide 13: Q & A

Slide 14: Thank you!

Slide 15: Active Support Vector Machine
- Identify the "most useful" test data and ask the user to classify it for training
- Most useful? Random sampling vs. SVM-based sampling
(Figure labels: False Alerts, True Alerts, margin, Test data)
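The SVM-based sampling rule of this slide, as an added example that is not the project's code: a linear SVM fit from scratch by hinge-loss subgradient descent, and an active-learning loop that asks the "operator" (a hidden label list standing in for the user) about the unlabeled alert closest to the margin, beside plain random sampling. The alert feature vectors and the rule that labels them are constructed.

```python
"""Margin-based active learning for true/false alert classification (added example)."""
import random


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def score(w, x):
    """Signed score of alert x; the last weight is the bias (x is augmented with 1)."""
    return dot(w, list(x) + [1.0])


def train_linear_svm(X, y, eta=0.5, lam=1e-5, max_epochs=500, seed=0):
    """Linear SVM fitted by stochastic subgradient descent on the hinge loss with a
    small L2 penalty; stops early once no training alert violates the margin."""
    rng = random.Random(seed)
    w = [0.0] * (len(X[0]) + 1)
    order = list(range(len(X)))
    for _ in range(max_epochs):
        rng.shuffle(order)
        violations = 0
        for i in order:
            xi = list(X[i]) + [1.0]
            w = [(1.0 - eta * lam) * wj for wj in w]           # weight decay
            if y[i] * dot(w, xi) < 1.0:                          # inside the margin
                w = [wj + eta * y[i] * xj for wj, xj in zip(w, xi)]
                violations += 1
        if violations == 0:
            break
    return w


def most_uncertain_index(w, pool, candidates):
    """SVM-based sampling: the unlabeled alert closest to the separating hyperplane."""
    return min(candidates, key=lambda i: abs(score(w, pool[i])))


def accuracy(w, X, y):
    return sum(1 for xi, yi in zip(X, y) if (1 if score(w, xi) >= 0 else -1) == yi) / len(y)


def make_pool(n=200, seed=1):
    """Constructed alert features in [0, 1]^2 (e.g. normalised alert rate and port
    spread); a hidden linear rule with a gap around it assigns +1 (true alert) or -1."""
    rng = random.Random(seed)
    X, y = [], []
    while len(X) < n:
        x1, x2 = rng.random(), rng.random()
        s = 2.0 * x1 + x2 - 1.4
        if abs(s) < 0.2:
            continue                      # leave a gap so the two classes are separable
        X.append((x1, x2))
        y.append(1 if s > 0 else -1)
    return X, y


def active_learning(pool, hidden_labels, seed_idx, n_queries, strategy="margin", seed=0):
    """Train, ask the operator about one alert, add its label, repeat.
    strategy is "margin" (SVM-based sampling) or "random" (random sampling)."""
    rng = random.Random(seed)
    labeled = list(seed_idx)
    unlabeled = [i for i in range(len(pool)) if i not in labeled]
    for _ in range(n_queries):
        w = train_linear_svm([pool[i] for i in labeled], [hidden_labels[i] for i in labeled])
        if strategy == "margin":
            pick = most_uncertain_index(w, pool, unlabeled)
        else:
            pick = rng.choice(unlabeled)
        unlabeled.remove(pick)
        labeled.append(pick)              # the operator's answer is hidden_labels[pick]
    w = train_linear_svm([pool[i] for i in labeled], [hidden_labels[i] for i in labeled])
    return w, labeled


if __name__ == "__main__":
    X, y = make_pool()
    seeds = [y.index(1), y.index(-1)]     # one labelled alert of each class to start
    for strategy in ("random", "margin"):
        w, labeled = active_learning(X, y, seeds, n_queries=15, strategy=strategy)
        print(f"{strategy:6s} sampling: {len(labeled)} labels, accuracy on pool {accuracy(w, X, y):.3f}")
```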