Deutsche Telekom: THE UTC-IMON PROJECT. Users and Terminals Characterization, Identification and Monitoring On a Net. Net Anomaly Detection System.

Presentation transcript:

THE UTC-IMON PROJECT. Users and Terminals Characterization, Identification and Monitoring On a Net. Net Anomaly Detection System. Company: Deutsche Telekom. Academic advisor: Yuval Elovici. Technical advisors: Asaf Shabtai & Yuval Fledel. Project team: Raz Kitzoni, Aryhe Segal, Eliad Barzi, Mati Kochen.

Page 1: Background – The Problem. In a world based on communication and computing, one of the main aspects is security. Today's standard user authentication protection does not protect against masquerading attacks.

Page 2: Background – The Problem – cont. We'll try to present the problem and the need for our system by presenting a scenario we like to refer to as the "Bathroom Attack" (a.k.a. Crap Attack).

Page 3: Background – The Problem – cont. Imagine a normal sunny day. Our "normal" employee, let's call him RAZ, is working in his cubicle...

Page 4: Background – The Problem – cont. When he finds himself having to answer a basic call of nature...

Page 5: Background – The Problem – cont. In his absence his open terminal is commandeered by his nemesis, let's call him ZAR, who misuses RAZ's privileges...

Page 6: Problem

Page 7: The Solution – UTC-IMON. The UTC-IMON system is a security tool that extends the existing layer of standard user authentication protection. By observing network traffic, UTC-IMON identifies and monitors users and terminals.

Page 8: The Problem Domain. UTC-IMON will be connected to the main communication channel of the organization's network. The system sniffs and listens to the data running through the channel; the analyzed data is then used to identify an "order in the chaos" of user behavior.

Page 9: The Problem Domain – cont.

Page 10: UTC-IMON (in a nutshell). UTC-IMON sniffs the network using Wireshark, identifies and monitors users and their terminals, and characterizes them by analyzing their network conversations. Based on the collected information, the system is able to notice and notify about a possible threat when a user's behavior changes.

Page 11: UTC-IMON (in a nutshell) – cont. The 2 major stages of the system are:
1. Training stage: when a new user is identified, UTC-IMON starts learning his behavior, creating a representative profile.
2. Detection stage: the system constantly checks user behavior, looking for a deviation from the profile. In such cases the system alerts the appropriate authority.
UTC-IMON keeps learning and updating user profiles while activated.

Page 12: Functional Requirements. Research requirement: the process of developing the system involves a comprehensive stage of research in the fields of data mining and anomaly detection. Main requirements:
* Traffic recorder.
* Traffic analyzer (converts traffic into different behavior profiles).
* Behavior examiner (checks how good the analysis was).

Page 13: Functional Requirements – cont. Implementation requirement: after the research part is over and conclusions have been made, the implementation part starts. Main requirements:
User management requirements:
* User manipulation: creation, modification and removal.
* User statistics and details display.
Profile feature requirements:
* Profile manipulation.
* Profile statistics and details display.

Page 14: Functional Requirements – cont.
Identification and monitoring requirements:
* Alert manipulation: notification, approval and removal.
* Alert statistics and details display.
Configuration & settings requirements:
* System configuration: algorithms, defaults and settings.
* Configuration statistics and details display.
Reports requirements:
* Different reports and system statistics for the adjustment and fitting of the system.

Page 15: Non-Functional Requirements.
* Speed: the data analysis algorithm would take from half a second up to 15 minutes, according to the system initialization. It takes up to 1 minute to show the analyzed data on the screen after processing.
* Capacity: the system should support up to 200 user profiles.
* Throughput: in all, the system should be able to monitor up to 20,000 packets per second.
* Reliability: the system creates a restore point once every predefined time interval, enabling reconstruction of the system in case it collapses.

Page 16: Non-Functional Requirements.
* Safety & security: the gathered information will be encrypted and handled by authorized personnel.
* Usability: the configuration and the notifications to the Admin and Domain Expert would be simple and understandable. The common user isn't aware of the system's presence.
* Availability: in all, the system should be available 99.9% of the time.

Page 17: Use Cases

Page 18: Use Case 1
Name: System Training
Description: The system checks network throughput every fixed ∆t and updates user profiles according to the new data.
Goal: To train the system so that it can detect behavior anomalies in the future.
Pre-condition: The system is running and configured.
Post-condition: Relevant user profiles were updated.
Course of action:
1. Actor: the timer signals the system to get the throughput from Wireshark.
2. System: extracts the relevant throughput data from Wireshark.
3. System: extracts the relevant features from the current data.
4. System: updates the relevant user profiles.

Page 19: Use Case 1 - Sequence Diagram

Page 20: Use Case 2
Name: Anomaly Detection
Description: The system checks network throughput every fixed ∆t and alerts the administrator about an anomaly if needed.
Goal: To detect anomalous user behavior when necessary.
Pre-conditions: The system is running and configured. The system has finished the training phase for at least one user.
Post-condition: Anomaly detected / behaviour is normal.
Course of action:
1. Actor: the timer signals the system to get the throughput from Wireshark.
2. System: extracts the relevant throughput data from Wireshark.
3. System: runs the anomaly detection algorithm in order to compare the current user behavior with the user's normal behavior.
4. System: decides normal behavior / behavior anomaly and alerts the administrator in case of an anomaly.

Page 21: Use Case 2 - Sequence Diagram

Page 22: Use Case 3
Name: New User Creation
Description: Addition of a new user to the system.
Goal: To handle an unfamiliar user login by creating and adding new users to the system and starting to monitor them.
Pre-conditions: A user has logged in to the network. The user does not exist in the system. The network's administrator is logged in to ADS.
Post-condition: The new user exists in the system and.
Course of action:
1. System: identifies a new user's login to the network and sends an alert to the network's administrator.
2. Actor: the administrator receives the alert and chooses to add the new user to the system.
3. System: presents a new user form with the relevant fields.
4. Actor: the administrator fills in the user's details and approves.
5. System: stores the user's information, creates an empty user profile and asks the administrator whether he wants to start monitoring the user.
6. Actor: the administrator chooses to start the training process for the user.
7. System: starts the training process for the user.
Alternative course (1): Actor: the administrator chooses not to add the new user to the system. System: asks for approval. Actor: the administrator approves.
Alternative course (2): Actor: the administrator isn't logged in. System: adds the user to "pending users".
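The two stages on pages 10 and 11 and the courses of action of Use Cases 1 to 3, as an added example that is not part of the UTC-IMON project's own code: a per-user profile of per-∆t throughput is trained from the first samples, later samples are compared against it and a large deviation raises an administrator alert, while an unfamiliar login is parked in "pending users". The feature (packets per second), the Welford running statistics, the z-score threshold, the training length and the sample values are all assumptions; the slides do not specify an algorithm.

```python
import math
from dataclasses import dataclass

@dataclass
class Profile:
    """Running mean and variance (Welford) of a user's per-∆t throughput."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stddev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

class UtcImon:
    def __init__(self, min_samples: int = 5, z_threshold: float = 3.0):
        self.profiles = {}      # user -> Profile
        self.pending = set()    # logins not yet added by the administrator (Use Case 3)
        self.alerts = []        # (user, interval, value, z) sent to the administrator
        self.min_samples = min_samples  # assumed length of the training stage
        self.z_threshold = z_threshold  # assumed deviation that counts as an anomaly
    def add_user(self, user: str) -> None:
        """Administrator adds a new user: empty profile, training starts."""
        self.pending.discard(user)
        self.profiles[user] = Profile()
    def observe(self, user: str, interval: int, x: float) -> str:
        """One fixed-∆t throughput sample; returns the stage or decision for it."""
        p = self.profiles.get(user)
        if p is None:                       # unfamiliar login, nobody has added it yet
            self.pending.add(user)
            return "pending"
        if p.n < self.min_samples:          # Use Case 1: training stage
            p.update(x)
            return "training"
        sd = p.stddev() or 1.0              # assumption: guard against constant traffic
        z = abs(x - p.mean) / sd            # Use Case 2: compare sample with the profile
        if z > self.z_threshold:
            self.alerts.append((user, interval, x, round(z, 1)))
            return "anomaly"                # an anomalous interval is not learned
        p.update(x)                         # profile keeps updating while the system runs
        return "normal"

# Constructed samples: RAZ's own traffic, then a burst from his unattended terminal.
SAMPLES = [("RAZ", 1, 48.0), ("RAZ", 2, 52.0), ("RAZ", 3, 50.0), ("RAZ", 4, 49.0),
           ("RAZ", 5, 51.0), ("RAZ", 6, 51.0), ("RAZ", 7, 400.0)]

def run_demo():
    system = UtcImon()
    system.add_user("RAZ")
    statuses = [system.observe(u, t, x) for u, t, x in SAMPLES]
    statuses.append(system.observe("NEWUSER", 8, 40.0))  # unfamiliar login -> pending
    return statuses, system.alerts, sorted(system.pending)
```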

Page 23: Use Case 3 - Sequence Diagram

Page 24: Use Case 4
Name: Administrator's system configuration change.
Description: System configuration change made by an administrator.
Goal: To let the administrator adjust the system configuration according to his personal preferences.
Pre-condition: The administrator is logged in.
Post-condition: The system configuration has been changed according to the administrator's preferences.
Course of action:
1. Actor: the administrator chooses "set/change system configurations".
2. System: presents the "Administrator's system configuration" form.
3. Actor: the administrator changes the relevant fields and presses "save changes".
4. System: asks for approval.
5. Actor: the administrator approves.
6. System: saves the new configuration.
Alternative course (1): Actor: the administrator presses "restore defaults". System: loads its default administrator configuration.
Alternative course (2): Actor: the administrator does not approve saving the changes. System: returns to form filling.
Alternative course (3): Actor: the administrator chooses "quit without saving". System: closes the "administrator's system configuration" form without saving.

Page 25: Use Case 4 - Sequence Diagram

Page 26: Use Case 5
Name: Domain expert's system configuration change.
Description: System configuration change made by the domain expert.
Goal: To let the domain expert adjust the system configuration in order to optimize it to a satisfactory condition.
Pre-condition: The domain expert is logged in to the system.
Post-condition: The system configuration has been changed according to the domain expert's preferences.
Course of action:
1. Actor: the domain expert chooses "set/change system configurations".
2. System: presents the "Domain expert's system configuration" form.
3. Actor: the domain expert changes the relevant fields and presses "save changes".
4. System: asks for approval.
5. Actor: the domain expert approves.
6. System: saves the new configuration.
Alternative course (1): Actor: the domain expert presses "restore defaults". System: loads its default domain expert configuration.
Alternative course (2): Actor: the domain expert does not approve saving the changes. System: returns to form filling.
Alternative course (3): Actor: the domain expert chooses "quit without saving". System: closes the "domain expert's system configuration" form without saving.

Page 27: Use Case 5 - Sequence Diagram

Page 28: Possible Risks. UTC-IMON's anomaly detection success rate is critical. It depends mainly on the various features of the user behavior profile that are identified and monitored. Statistics that are not good enough would make the system pointless.

Page 29: The End. Thanks & Good Luck (...BEWARE OF ZAR...)