1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.

Presentation transcript:

2 The Problem The number and sophistication of attacks is increasing It is hard to “know” that a system is intact If a system is compromised, what happened? How do we instrument systems for a very high level of security or surveillance? How can we analyze the data?

3 Sebek and Honeynet Honeynet project –An architecture for hacker surveillance –Correlates kernel logging and network activity Integrates kernel logging, packet capture, and IDS alerts –Tunable and extensible kernel logging Replaces system call table entries (Linux) Load-time filtering Windows XP – less complete implementation –Honeywall to control the risk of observing intrusions.

4 Our Setup

5 Hacking Windows and Linux Metasploit framework Not a lot of success in hacking Linux Several successful exploits for Windows Problems with Windows Sebek

6 Data Capture Tools Windows XP Windows Perfmon trace facility SysInternals –Process Explorer –Filemon Sebek Honeynet Snort IDS

7 The Data Process creation / deletion –Process ID and parent process ID XP Process Tree Network connections File system activity –(open, close, read, write) Keystrokes IDS Events

8 XP Process Tree

9 Analysis

10 Analysis (cont)

11 Performance Observations No formal performance analysis No noticeable performance impact If extensive logging is turned on then there is an impact – You can’t log everything

12 Conclusions A modest amount of logging can greatly aid in forensics or detection OS behavior/design can be leveraged –XP Process Tree Combining multiple data sources is needed Honeynet is a good architecture with incomplete tools –Augmenting Sebek with identified data is needed
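Slide 7 lists the captured data (process creation/deletion with PID and parent PID, network connections) and slide 12 concludes that the XP process tree must be combined with other data sources. The following example, added here and not part of the original presentation or the Sebek/Honeynet tools, shows that correlation in working code: it rebuilds the process tree from constructed process-creation/deletion records, attributes each network connection to the full ancestry chain of the process that made it, and handles the edge case the raw data hides: PIDs are reused after a process exits, so every lookup is bounded by the process lifetime rather than keyed on PID alone. All record formats and sample values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Proc:
    """One process lifetime: the same PID may appear again after `end`."""
    pid: int
    ppid: int
    image: str
    start: float
    end: Optional[float] = None

# Constructed process records: (timestamp, kind, pid, ppid, image).
# "delete" records carry no parent/image; PID 1340 is reused at t=111.
PROCESS_EVENTS = [
    (100.0, "create", 4, 0, "System"),
    (100.5, "create", 600, 4, "services.exe"),
    (101.0, "create", 1200, 600, "svchost.exe"),
    (105.0, "create", 1300, 1200, "cmd.exe"),
    (106.0, "create", 1340, 1300, "ftp.exe"),
    (110.0, "delete", 1340, 0, ""),
    (111.0, "create", 1340, 1200, "explorer.exe"),
]

# Constructed network records: (timestamp, pid, remote address, remote port).
NET_EVENTS = [
    (107.0, 1340, "203.0.113.7", 21),
    (112.0, 1340, "198.51.100.9", 443),
]


def build_process_table(events):
    """Turn create/delete records into Proc lifetimes, closing each on delete."""
    procs, live = [], {}
    for ts, kind, pid, ppid, image in sorted(events):
        if kind == "create":
            p = Proc(pid, ppid, image, ts)
            procs.append(p)
            live[pid] = p
        elif kind == "delete":
            p = live.pop(pid, None)
            if p is not None:
                p.end = ts
    return procs


def find_proc(procs, pid, ts):
    """Resolve a PID at a point in time, so a reused PID maps to the right lifetime."""
    for p in procs:
        if p.pid == pid and p.start <= ts and (p.end is None or ts < p.end):
            return p
    return None


def ancestry(procs, pid, ts):
    """Image names from the process active at `ts` up to the tree root."""
    chain, seen = [], set()
    cur = find_proc(procs, pid, ts)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)          # guard against malformed cyclic parent links
        chain.append(cur.image)
        if cur.ppid == 0:
            break
        # The parent is resolved at the child's start time: that is when it was alive.
        cur = find_proc(procs, cur.ppid, cur.start)
    return chain


def attribute_connections(process_events, net_events):
    """Join network events to the process tree: (ts, remote, port, ancestry chain)."""
    procs = build_process_table(process_events)
    return [(ts, addr, port, ancestry(procs, pid, ts))
            for ts, pid, addr, port in sorted(net_events)]


def connections_via_shell(process_events, net_events, shell="cmd.exe"):
    """Detection check: connections whose ancestry passes through a command shell."""
    return [c for c in attribute_connections(process_events, net_events)
            if shell in c[3]]


if __name__ == "__main__":
    for ts, addr, port, chain in attribute_connections(PROCESS_EVENTS, NET_EVENTS):
        print(f"t={ts:6.1f} {addr}:{port:<4} <- {' <- '.join(chain)}")
```

The time-bounded lookup is what makes the join trustworthy: keyed on PID alone, the second connection would be wrongly charged to the already-terminated ftp.exe instead of explorer.exe. The same chain is what lets an IDS alert or a file-system record be tied back to the process that caused it.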

13 Questions?