KB-IDS. Academic Advisor: Dr. Yuval Elovici Technical Advisor: Asaf Shabtai Team Members: Eliya Rahamim Elad Ankry Uri Kanonov.


Background
- An intrusion detection system (IDS) detects malicious behaviour that indicates a breach of a computer system's security.
- Knowledge-based Temporal Abstraction (KBTA) is a method in which a computational mechanism derives meaningful conclusions from raw time-stamped data together with domain knowledge.
- Android is an operating system for mobile devices, based on the Linux kernel and developed by Google. Applications are written in Java and control the phone through Google-supplied Java libraries.

Problem Domain
- Smartphones, and the threats they are exposed to, are both growing rapidly.
- This strengthens the need for sophisticated defence mechanisms to protect them.

Current Situation
- Mobile devices lack the computational power needed to run PC-class security solutions.
- Android, being an open-source and open platform, introduces new potential risks and new types of attack.
- Android has built-in security mechanisms, such as per-application sandboxing, but they cannot cope with every possible threat.
- Because every application, a security product included, runs in its own sandbox, a conventional anti-virus cannot inspect other applications' files or processes the way a desktop scanner can; conventional methods such as anti-virus are therefore ineffective here.
- A different kind of solution is needed.

Proposed Solution - HIDS

Knowledge-based Temporal Abstraction
- Developed by Prof. Yuval Shahar, 1997.
- Input: time-stamped raw data
  - Primitive parameters
  - Events
- Knowledge: a KBTA security ontology
- Four inference mechanisms:
  - Temporal context forming
  - Contemporaneous abstraction
  - Temporal interpolation
  - Temporal pattern matching
- Output: higher-level, meaningful temporal information
  - Contexts
  - Abstractions
  - Temporal patterns

KBTA – cont. [Figure: a timeline (T0 to T3, intervals I1 and I2) showing the layers of KBTA output. Raw data: the primitive "TCP Packets Sent" and the event "Wi-Fi Connection". The event opens the context "Internet Connection Mode". The primitive is abstracted to the state "TCP Packets Sent State" with values Low / Medium / High, and a "Worm Pattern" spans the interval where the state is HIGH inside that context.]
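The pipeline sketched in the figure above, carried through in code as an added example (this is not the KB-IDS project's code, which is Java on Android): raw samples of one primitive are abstracted into LOW/MEDIUM/HIGH states (contemporaneous abstraction), adjacent equal states are merged (temporal interpolation), connect/disconnect events open and close a context (temporal context forming), and a pattern is matched where a long HIGH state lies inside the context (temporal pattern matching). The sample values, the thresholds, the "Wi-Fi" context and the "Worm" pattern rule are constructed stand-ins for the project's security ontology.

```python
"""Minimal knowledge-based temporal abstraction (KBTA) over host samples.

Added example, not the KB-IDS project's code. The raw samples, the
abstraction thresholds and the "Worm" pattern rule are constructed
illustrations of the slide's figure, not the project's ontology.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Interval:
    name: str    # parameter / context / pattern name
    value: str   # qualitative value (LOW, HIGH, Wi-Fi, DETECTED, ...)
    start: int   # inclusive start time (seconds)
    end: int     # exclusive end time (seconds)


# Constructed raw data: primitive "TCP Packets Sent" sampled every 10 s,
# and events that switch the Wi-Fi connection on and off.
SAMPLE_PERIOD = 10
PRIMITIVES = [(0, 3), (10, 5), (20, 120), (30, 140), (40, 135), (50, 4), (60, 2)]
EVENTS = [(0, "WiFi-Connected"), (50, "WiFi-Disconnected")]


def contemporaneous_abstraction(samples, low=20, high=100) -> List[Interval]:
    """Map each raw value to a qualitative state covering its sample period."""
    out = []
    for ts, value in samples:
        state = "HIGH" if value >= high else "MEDIUM" if value >= low else "LOW"
        out.append(Interval("TCP Packets Sent State", state, ts, ts + SAMPLE_PERIOD))
    return out


def temporal_interpolation(intervals, max_gap=0) -> List[Interval]:
    """Merge touching (or gap <= max_gap) intervals that carry the same state."""
    merged: List[Interval] = []
    for iv in sorted(intervals, key=lambda i: i.start):
        if merged and merged[-1].value == iv.value and iv.start - merged[-1].end <= max_gap:
            merged[-1].end = max(merged[-1].end, iv.end)
        else:
            merged.append(Interval(iv.name, iv.value, iv.start, iv.end))
    return merged


def temporal_context_forming(events, horizon=10**9) -> List[Interval]:
    """Open an 'Internet Connection Mode' context on connect, close it on disconnect.
    A context still open at the end of the data extends to `horizon`."""
    contexts = []
    open_start: Optional[int] = None
    for ts, ev in sorted(events):
        if ev == "WiFi-Connected" and open_start is None:
            open_start = ts
        elif ev == "WiFi-Disconnected" and open_start is not None:
            contexts.append(Interval("Internet Connection Mode", "Wi-Fi", open_start, ts))
            open_start = None
    if open_start is not None:
        contexts.append(Interval("Internet Connection Mode", "Wi-Fi", open_start, horizon))
    return contexts


def temporal_pattern_matching(states, contexts, min_duration=20) -> List[Interval]:
    """Constructed 'Worm' pattern: TCP Packets Sent State == HIGH for at least
    min_duration seconds, lying entirely inside an Internet Connection context."""
    hits = []
    for st in states:
        if st.value != "HIGH" or st.end - st.start < min_duration:
            continue
        if any(ctx.start <= st.start and st.end <= ctx.end for ctx in contexts):
            hits.append(Interval("Worm Pattern", "DETECTED", st.start, st.end))
    return hits


def run_kbta(primitives=PRIMITIVES, events=EVENTS):
    """Full pass: primitives -> states, events -> contexts, both -> patterns."""
    states = temporal_interpolation(contemporaneous_abstraction(primitives))
    contexts = temporal_context_forming(events)
    return states, contexts, temporal_pattern_matching(states, contexts)


if __name__ == "__main__":
    states, contexts, patterns = run_kbta()
    for iv in states + contexts + patterns:
        print(f"{iv.name:28s} {iv.value:9s} [{iv.start:3d}, {iv.end:3d})")
```

With the constructed data the three 10-second HIGH samples merge into one HIGH interval [20, 50) that sits inside the Wi-Fi context [0, 50), so one Worm Pattern is reported; if the connection drops before the HIGH interval ends, or no context exists at all, the same data produces no pattern, which is exactly why the context layer exists.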

Func. Requirements – Agent
- Registration/Login: register with the Control Center; log in to the Control Center and receive the configuration for the various installed components.
- Monitor: every predefined time window, sample the state parameters and count the system/user events that occurred within the window.
- Send monitored data: at the end of each predefined time window, send the monitored data to the analysis servers and to the Control Center.
- Receive alerts: receive alerts, along with any associated data, from the Threat Weighting Unit.

Func. Requirements – Analysis Servers
- Receive and analyze monitored data: receive the data sent by the agent, analyze it, and output a conclusion on whether a threat is present.
- Send analysis result: send the analysis result to the Threat Weighting Unit.

Func. Requirements – KBTA Server
- KBTA processing: incrementally process the received data according to the KBTA method, supporting the following element types:
  - Primitive
  - Event
  - Context
  - State
  - Trend
  - Pattern
- Configure monitored patterns: set which patterns are computed and monitored for threat presence.

Func. Requirements – Threat Weighting Unit
- Weight threat assessments: receive threat assessments (along with any associated data) from multiple local analysis servers and weight them, outputting a single assessment.
- Alert: on threat detection, dispatch an alert (along with any associated data) to both the agent and the Control Center.

Non-Func. Requirements
- Gathering one feature batch (at most 40 features) by the agent must take less than 10 seconds.
- CPU usage by the HIDS must stay under 10%.
- The HIDS must occupy at most 10 MB on the device's data partition.
- The HIDS will be developed in Java using the Android SDK.
- For demo and testing purposes, a real device will be supplied by DT Labs.

Collect Features, Analyze Data and Weight Assessments
- Primary actor: Android
- Description: on a time trigger, the agent collects the monitored feature values and sends them to all of the local analysis servers. Each server analyzes the data and outputs a threat assessment. The TWU weights the assessments and, if a threat is found, an alert along with any associated data is dispatched to the agent and to the Control Center.
- Trigger: a time trigger from Android
- Pre-conditions: the agent is installed on the device and is running
- Post-conditions: if a threat was found, an alert along with any associated data has been dispatched
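The end-to-end cycle of this use case, together with the Threat Weighting Unit requirement above, as an added Python example (not KB-IDS code, which is Java on Android): a feature batch from one time window is fanned out to two toy local analysis servers, each returns a threat score, and the TWU combines the scores into one assessment and decides whether to dispatch an alert. The feature names, baseline statistics, per-server weights and the 0.5 alert threshold are constructed assumptions; the one design point worth copying is that the TWU renormalises over the servers that actually answered, so a server that is down or crashes neither blocks the cycle nor silently dilutes the score.

```python
"""Agent batch -> local analysis servers -> Threat Weighting Unit -> alert.

Added example, not KB-IDS code (the project is Java on Android). The feature
names, baseline statistics, per-server weights and alert threshold below are
constructed assumptions.
"""
from typing import Callable, Dict, List, Optional, Tuple

Batch = Dict[str, float]             # feature name -> value sampled in one window
Assessment = Tuple[str, float, str]  # (server name, threat score in [0, 1], evidence)

# Constructed per-feature baseline (mean, std-dev) as learned from benign windows.
BASELINE = {"tcp_packets_sent": (8.0, 4.0), "sms_sent": (0.5, 0.5), "cpu_pct": (12.0, 6.0)}


def rule_server(batch: Batch) -> Assessment:
    """Rule-based server: a burst of outgoing SMS in one window is suspicious;
    20 or more saturates the score at 1.0."""
    sms = batch.get("sms_sent", 0.0)
    return ("rule", min(sms / 20.0, 1.0), f"sms_sent={sms:g}")


def anomaly_server(batch: Batch) -> Assessment:
    """Anomaly server: z-score of each feature against BASELINE; the largest
    deviation drives the score, saturating at 6 standard deviations."""
    worst, feature = 0.0, "none"
    for name, (mean, sd) in BASELINE.items():
        if name in batch:
            z = abs(batch[name] - mean) / sd
            if z > worst:
                worst, feature = z, name
    return ("anomaly", min(worst / 6.0, 1.0), f"max_z={worst:.1f} on {feature}")


SERVERS: List[Callable[[Batch], Assessment]] = [rule_server, anomaly_server]
WEIGHTS = {"rule": 0.6, "anomaly": 0.4}  # constructed trust placed in each server


def weight_assessments(assessments: List[Assessment], weights=WEIGHTS) -> float:
    """TWU: weighted mean over the servers that actually answered, so a server
    that is down does not drag the combined score toward zero."""
    total = sum(weights[name] for name, _, _ in assessments)
    if total == 0:
        return 0.0
    return sum(weights[name] * score for name, score, _ in assessments) / total


def process_batch(batch: Batch, threshold: float = 0.5,
                  servers=SERVERS) -> Tuple[float, Optional[dict]]:
    """One time-window cycle. Returns (combined score, alert); the alert is None
    below threshold, otherwise the data to send to the agent and Control Center."""
    assessments: List[Assessment] = []
    for server in servers:
        try:
            assessments.append(server(batch))
        except Exception:  # a failing server is dropped, not counted as a 0 score
            continue
    score = weight_assessments(assessments)
    if score < threshold:
        return score, None
    return score, {"score": round(score, 3),
                   "evidence": [reason for _, _, reason in assessments],
                   "batch": batch}


# Constructed windows: a quiet phone, and one sending SMS and TCP traffic in bulk.
BENIGN_WINDOW: Batch = {"tcp_packets_sent": 6, "sms_sent": 0, "cpu_pct": 10}
WORM_WINDOW: Batch = {"tcp_packets_sent": 40, "sms_sent": 30, "cpu_pct": 50}

if __name__ == "__main__":
    for window in (BENIGN_WINDOW, WORM_WINDOW):
        score, alert = process_batch(window)
        print(f"score={score:.3f} alert={'yes' if alert else 'no'}")
```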

Risks
- Risk: the HIDS consumes too much CPU. Mitigation: reduce the number of features collected by the agent and/or lower the collection rate.
- Risk: the HIDS consumes too much memory. Mitigation: shorten the time frame for which raw data is kept in the KBTA server's memory.
- Risk: the HIDS consumes too much bandwidth. Mitigation: reduce the amount of data transmitted to and from the Control Center.

The End. And so Android lived happily ever after…