Toward Self-directed Intrusion Detection Paul Barford Assistant Professor Computer Science University of Wisconsin June, 2005.

Slide 2: Motivation - the good
Network security analysts have many tasks
– Abuse monitoring
– Audit and forensic analysis
– Firewall/ACL configuration
– Vulnerability testing
– Policy
– Liaison
Network management
End host management

Slide 3: Motivation - the bad
Adversaries are smart
Vulnerabilities and threats are significant
– Worms: Slammer, Blaster, Sasser, Witty, MyDoom, etc.; persistent and growing background radiation (Pang et al. '04)
– Scans: billions per day Internet-wide and growing (Yegneswaran et al. '03)
– Viruses: no longer clearly defined (e.g. Agobot)
– DDoS: bot-nets consisting of hundreds of thousands of drones

Slide 4: Motivation - the ugly (sort of)
Network intrusion detection systems (NIDS)
– Static signatures - hard to tune and maintain
– Lots of alarms
– Scalability problems
Firewalls and intrusion prevention systems
– Limited capability
Bulletin boards and commercial services
– May not be timely enough
Traffic monitors (e.g. FlowScan, AutoFocus)
– A step in the right direction

Slide 5: Objective
Network situational awareness based on self-directed network intrusion detection
– "The degree of consistency between one's perception of their situation and reality"
– "An accurate set of information about one's environment scaled to a specific level of interest"
– Expand notions of traditional abuse monitoring and forensic analysis
Adapts to malicious traffic
– Front-end for firewalls/IPS

Slide 6: Mechanisms
Data sharing between networks
– E.g. DOMINO (Yegneswaran et al., NDSS '04)
Monitoring unused address space
– E.g. iSink (Yegneswaran et al., RAID '04)
– E.g. BroSA (Yegneswaran et al. '05)
Automatic generation of resilient signatures
– E.g. Nemean (Yegneswaran et al., USENIX Security '05)

Slide 7: DOMINO architecture
Hierarchical overlay network
– Descending order of security and trust
Data sharing
– XML-based schema
– Summary exchange protocol extends IDMEF
– Push or pull periodically
Data/alert fusion and filtering
– Subject of on-going research (e.g. Barford et al., Allerton '04)

Slide 8: Unused address monitoring
Packets are (nearly) all malicious
– There have been some very weird misconfigurations
Enables active responses
– Key for understanding details
Widely available
– We monitor four class B's and one class A
– Useful in large and small
Easier to share this data

Slide 9: iSink architecture
Passive component: Argus
– libpcap-based monitoring tool
Active component: based on Click modular router
– Library of stateless responders to collect details of intrusions
NAT filter: to manage (redundant) traffic
– Source/destination filtering

Slide 10: Activities on ports (port 135)
Distribution of exploits varies with network
– 170 byte requests: Class A
– Blaster, RPC-X1: all 3 networks
– Welchia: LBL
– Empty connections: UW networks

Slide 11: Real-time honeynet reports
Bro plug-in for situational summary generation
– Periodic reports
  New events
  High variance events
  Low variance events
  Top profiles
– Adaptive
NetSA in depth
– Identify large events quickly
– On-going

Slide 12: Semantics-aware signatures
Objective: automated generation of resilient NIDS signatures
– Signatures must be both specific and general
Challenge: generate signatures for attack vectors that have never been seen
– Multi-step and polymorphic attacks
Approach: create a transformation algorithm to synthesize semantics-aware signatures from iSink data
– Session and application protocol semantic awareness (Sommer & Paxson '03)

Slide 13: Nemean architecture
Data abstraction
– Transport normalizer
– Aggregation
– Service normalizer
Clustering
– Group sessions/connections using similarity metric
Signature generation
– Machine learning to build finite state automata

Slide 14: Signature example (Welchia)
Multistage attack (3 steps)
– GET / -> 200 OK
– SEARCH / -> 411 Length Required
– SEARCH /AAAA…
[Figure: state machine from Start, with edges labelled "Get / 200", "Search / 411" and "Search /AAAAA[more] 400"]
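The three-step Welchia session signature above, encoded as a small finite state automaton and run over constructed HTTP sessions; this is an added example, not Nemean's implementation. The state names, the "64 or more A's" threshold on the long-URI edge and the sample sessions are assumptions, and the slide's repeated edges are collapsed into one chain.

```python
import re
from typing import Dict, List, Tuple

# Each edge: (request method, URI regex, response status, next state).
# Assumed encoding of the slide's automaton; state names and the A{64,}
# threshold are constructed here, not taken from Nemean.
Edge = Tuple[str, str, int, str]
WELCHIA_FSA: Dict[str, List[Edge]] = {
    "Start": [("GET", r"^/$", 200, "S1")],
    "S1":    [("SEARCH", r"^/$", 411, "S2")],
    "S2":    [("SEARCH", r"^/A{64,}", 400, "Accept")],
}

Exchange = Tuple[str, str, int]  # (method, URI, response status)


def match_session(session: List[Exchange],
                  fsa: Dict[str, List[Edge]] = WELCHIA_FSA) -> bool:
    """Drive the automaton over one ordered request/response session.

    Exchanges matching no edge of the current state are skipped (a choice
    made in this example, not a property the slides state), so the match
    is order-sensitive but tolerates unrelated requests in between.
    """
    state = "Start"
    for method, uri, status in session:
        if state == "Accept":
            break
        for edge_method, pattern, edge_status, next_state in fsa.get(state, []):
            if method == edge_method and status == edge_status and re.match(pattern, uri):
                state = next_state
                break
    return state == "Accept"


# Constructed sample sessions (not captured traffic).
BENIGN_WEBDAV = [("GET", "/", 200), ("SEARCH", "/", 411)]
WELCHIA_LIKE = [("GET", "/", 200), ("SEARCH", "/", 411),
                ("SEARCH", "/" + "A" * 3000, 400)]
# Same three steps with an unrelated request interleaved; still matches.
WITH_NOISE = [("GET", "/", 200), ("GET", "/index.html", 404),
              ("SEARCH", "/", 411), ("SEARCH", "/" + "A" * 3000, 400)]
# The long-URI request on its own, without the preceding steps, does not match.
OVERFLOW_ONLY = [("SEARCH", "/" + "A" * 3000, 400)]

if __name__ == "__main__":
    for name, s in [("benign", BENIGN_WEBDAV), ("welchia", WELCHIA_LIKE),
                    ("noise", WITH_NOISE), ("overflow-only", OVERFLOW_ONLY)]:
        print(name, match_session(s))
```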

Slide 15: Summary
Malicious activity in the Internet is a huge problem and is likely to persist for a long time
Current network security analysis tools are largely inadequate
We advocate network situational awareness through self-directed intrusion detection
– Distributed data sharing
– Unused address space monitoring
– Automated semantics-aware signature generation