UCDavis SecLab MURI, October 2002
Automated Intrusion Response Project
Ivan Balepin, Karl Levitt, UC Davis Computer Security Lab


Why Study Automated Response?
Immediate: contain the attack quickly
– Kill the offending process
– Slow down the attacker
– Roll back to a safe state, etc.
Cleanup: needs to be done carefully
– Weighing cost of response against potential attack damage
– High cost of false positives: can be used for DOS attacks
Prevent the same attack from happening on this system
– Report the attack to other security systems (firewalls, IDS's, JIGSAW, HACQIT, etc.)
Long term: generalize the attack and warn others
– Synthesize an attack signature and report it.
– Deceive and study the attacker.

Example: Responses to open()
Autonomic Responses:
– not open
– lock the file
– delete the file
– kill the process(es)
– alert
Complex Responses:
– start a combination of response actions
– start checkpointing
– change permissions
– reboot the system
– block the user
– slow down the process(es)
– roll back
– return a random result
– perform a random action
– operate on a fake file

Sample Responses

Categorizing Response
Areas a Response Action Affects:
– Data Integrity: deleting files, killing the process, etc.
– Confidentiality: changing permissions, etc.
– Availability: slowing down a process, disabling certain calls, etc.
Level of a Response Action:
– Single process
– Group of processes
– User
– Group
– System
– Network

Example: Selecting the Response
[Diagram, built up over several slides; labels: System, Spec-Based IDS, Incident, Response Broker, System Data, Security Principles (Integrity, Confidentiality), Respond, Preserve]
Incident Data:
– Resources involved
– Specs violated
– Suggested responses
System Data:
– Resource ownership
– Level of threat, etc.
Which Responses Satisfy our Rules?
– Integrity
– Confidentiality
Pick the Least Costly One
– Look at the whole chain
– Estimate resources used: level hierarchy
…or Pick the Least Costly Way to Preserve
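The selection procedure on this slide, combined with the response catalogue from the open() slide and the level hierarchy from the Categorizing Response slide, as an added Python example. It is not part of the original presentation or the project's code: the cost numbers, the threat scale, the "threat budget" rule and the sample incident (a web server process opening a file outside its allowed directory) are all constructed assumptions, and of the slide's system data only the threat level is modelled. The broker first filters the suggested responses by the principles it must preserve, then ranks the survivors by the cost of the whole action chain, weighted by how broad each action's level is.

```python
"""
Toy response broker modelled on the "Selecting the Response" slides.
Added example, not the project's code: the response catalogue, the cost
numbers, the threat scale and the sample incident are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Levels from the "Categorizing Response" slide, narrowest scope first.
LEVELS = ["process", "process group", "user", "group", "system", "network"]

# Areas a response action can affect (same slide).
INTEGRITY, CONFIDENTIALITY, AVAILABILITY = "integrity", "confidentiality", "availability"


@dataclass(frozen=True)
class Action:
    """One atomic (autonomic) response action."""
    name: str
    level: str               # scope of the action, one of LEVELS
    affects: FrozenSet[str]  # security area the action itself degrades
    base_cost: int           # constructed relative cost at process level


@dataclass(frozen=True)
class Response:
    """A response is a chain of actions; a complex response has several."""
    name: str
    actions: Tuple[Action, ...]


@dataclass
class Incident:
    """Incident data handed over by the spec-based IDS."""
    resources: List[str]
    specs_violated: List[str]
    suggested: List[Response]


@dataclass
class SystemData:
    """System data the broker consults; only the threat level is modelled here."""
    threat_level: int        # constructed scale, 0 (low) to 3 (high)


# Constructed catalogue of responses to an open() violation, after the slides.
ACTIONS: Dict[str, Action] = {
    "not open": Action("not open", "process", frozenset({AVAILABILITY}), 1),
    "delete":   Action("delete the file", "system", frozenset({INTEGRITY}), 5),
    "kill":     Action("kill the process", "process", frozenset({INTEGRITY}), 3),
    "chmod":    Action("change permissions", "user", frozenset({CONFIDENTIALITY}), 3),
    "alert":    Action("alert", "process", frozenset(), 1),
    "fake":     Action("operate on a fake file", "process", frozenset(), 2),
    "reboot":   Action("reboot the system", "system", frozenset({AVAILABILITY, INTEGRITY}), 8),
}

SUGGESTED = [
    Response("not open", (ACTIONS["not open"],)),
    Response("delete the file", (ACTIONS["delete"],)),
    Response("kill the process", (ACTIONS["kill"],)),
    Response("change permissions", (ACTIONS["chmod"],)),
    Response("alert and operate on a fake file", (ACTIONS["alert"], ACTIONS["fake"])),
    Response("reboot the system", (ACTIONS["reboot"],)),
]

# Constructed sample incident: a web server process tried to open a file
# outside the directory its specification allows.
SAMPLE_INCIDENT = Incident(
    resources=["/etc/passwd"],
    specs_violated=["httpd opens files only under /var/www"],
    suggested=SUGGESTED,
)
SAMPLE_SYSTEM = SystemData(threat_level=1)


def action_cost(action: Action) -> int:
    """'Estimate resources used': cost grows with position in the level hierarchy."""
    return action.base_cost * (LEVELS.index(action.level) + 1)


def response_cost(response: Response) -> int:
    """'Look at the whole chain': a complex response costs the sum of its actions."""
    return sum(action_cost(a) for a in response.actions)


def satisfies_rules(response: Response, preserve: FrozenSet[str]) -> bool:
    """Reject any response whose chain degrades a principle the broker must preserve."""
    return all(not (a.affects & preserve) for a in response.actions)


def within_threat_budget(response: Response, system: SystemData) -> bool:
    """Constructed rule: broader levels are allowed only as the threat level rises,
    so a low-threat incident cannot trigger a system- or network-wide response."""
    max_index = system.threat_level + 2
    return all(LEVELS.index(a.level) <= max_index for a in response.actions)


def ranked_candidates(incident: Incident, system: SystemData,
                      preserve: FrozenSet[str]) -> List[Tuple[str, int]]:
    """Admissible responses with their cost, cheapest first."""
    admissible = [r for r in incident.suggested
                  if satisfies_rules(r, preserve) and within_threat_budget(r, system)]
    return sorted(((r.name, response_cost(r)) for r in admissible), key=lambda t: t[1])


def select_response(incident: Incident, system: SystemData,
                    preserve: FrozenSet[str]) -> Optional[str]:
    """Pick the least costly admissible response, or None if nothing qualifies."""
    ranked = ranked_candidates(incident, system, preserve)
    return ranked[0][0] if ranked else None


if __name__ == "__main__":
    rules = frozenset({INTEGRITY, CONFIDENTIALITY})
    print(ranked_candidates(SAMPLE_INCIDENT, SAMPLE_SYSTEM, rules))
    print("chosen:", select_response(SAMPLE_INCIDENT, SAMPLE_SYSTEM, rules))
```

With integrity and confidentiality as the rules, "delete the file" and "kill the process" are rejected for touching integrity, "change permissions" for touching confidentiality, and "reboot the system" for exceeding the threat budget, leaving "not open" as the cheapest admissible action. The slide's alternative, the least costly way to preserve, is the same call with availability added to the preserve set: "not open" then drops out too and the alert-plus-fake-file chain is chosen, which is why the false-positive cost the earlier slide warns about matters here.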

Response: Project Plan
Current progress
– Defined the problem and the scope of study
– Initial experiments with spec-based IDS's: hard-coding response
– Developing response hierarchy
– Web page:
Work to be done
– Formalizing response model
– Implementing response on a spec-based IDS
– Testing and evaluating performance
– Applying response model to other systems