Impact of IT Monoculture on Behavioral End Host Intrusion Detection. Dhiman Barman (UC Riverside/Juniper), Jaideep Chandrashekar (Intel Research), Nina Taft (Intel Research), Michalis Faloutsos (UC Riverside/stopthehacker.com), Ling Huang (Intel Research), Frederic Giroire (INRIA)


1 Impact of IT Monoculture on Behavioral End Host Intrusion Detection Dhiman Barman, UC Riverside/Juniper Jaideep Chandrashekar, Intel Research Nina Taft, Intel Research Michalis Faloutsos, UC Riverside/stopthehacker.com Ling Huang, Intel Research Frederic Giroire, INRIA

2 Problem: How should we configure behavioral HIDS across an enterprise?
- Enterprise laptops run HIDS
- Each device can have its own threshold
- Key question: does "one size fit all"?
[Figure: enterprise network diagram with labels Users, Firewall, Enterprise, Internet, SysAdmin, Server]
HIDS = Host Intrusion Detection Systems

3 Motivation: so far, monoculture!
- Why?
- We polled sys admins:
  - "easier to manage"
  - no method on how to set them otherwise
  - harder to interpret results, if not mono
Term: monoculture = homogeneous

4 Contributions
- We challenge the practice of monoculture
- Measure enterprise behavior: 350 laptops
- We observe that
  - User behavior is diverse
  - Diversity is better than monoculture in HIDS
- We propose a new approach: partial diversity
  - A little diversity goes a long way!

5 Roadmap
- What you would expect…

6 Our data collection
- User traffic:
  - 350 laptops of enterprise employees
  - 5 weeks in Q1 of 2007
  - Collected all packet headers
  - Collection tool runs on laptop
- Malicious traffic:
  - Collected traces from machines with known botnets on them

7 Measured key detection features
- We study features used in real systems
- Selection of features is an orthogonal question

8 Threat Models
- #1: Attacker knows nothing about user behavior
- #2: Attacker monitors user behavior and builds histograms of behavior for typical HIDS features
  - Attacker cannot know the instantaneous value of a feature, only its histogram
  - Attacker selects volume of malicious traffic to "hide" inside normal traffic

9 Defining the optimization goal
- Far from obvious: FN (False Negatives) vs FP (False Positives)
  - failing to detect vs false alarms
- Our Utility provides a flexible definition
  - Sysadmins need to decide this
  - User i, with threshold Ti; w is the relative importance of FN vs FP

10 Results, at last…

11 User behavior varies a lot!
- Focus on the tail behavior of users: 99%, 99.9%
- Spans 4 orders of magnitude

12 What about other features?
- All features vary a lot!

13 Different users could detect different types of attacks
- Is the feature activity correlated? Not necessarily
- Conclusion: All users are important
  - Synthesizing alarms is non-trivial
  - Some users are "light" in terms of the maximum number of UDP connections, but "heavy" in TCP connections

14 An uber-policy for enterprise diversity
- We propose a tunable policy
  - Monoculture: one threshold for all
  - Full diversity: one threshold per user
  - Partial diversity: one threshold per group
- We use 8 groups
- Partial diversity subsumes the other two
  - a key question: grouping users

15 Partial Diversity: grouping
- Our goal here: show that there exists a grouping with good results for diversity
- k-means clustering did not work well: skewed distribution with wide and continuous spread
- Heuristic: follow the nature of the distribution:
  - the top 15%, split into 4 subgroups
  - the bottom 85%, split into 4 subgroups
- Experimented with 2, 3, 5, 8 groups
- We show only the 8 group case (best results)

16 Evaluation approach
- Train using real data
- Test with malicious traces superimposed
- Evaluation method:
  - Train on previous week -> thresholds
  - Apply thresholds on current week
- Interesting: Weekly thresholds vary!
  - a 99th percentile threshold from the previous week does not guarantee a 1% false positive rate this week
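The three threshold policies of slides 14 and 15, the FN/FP weighting of slide 9 and the train-on-last-week, test-on-this-week evaluation of slide 16, as an added Python example that is not the authors' code. It goes slightly beyond the slides by also computing the per-user stealth headroom that slide 19 measures. Everything it assumes is labelled: a single feature per user (e.g. max UDP connections per window), constructed weekly data, nearest-rank percentile thresholds, users ranked by their own 99th percentile to form the 8 groups, and a cost of w*FN + (1-w)*FP standing in for the paper's utility, which the slides do not spell out; all function names are mine.

```python
"""Added example (not the paper's code): HIDS threshold policies on one per-user feature.
Assumptions: nearest-rank percentile thresholds, constructed weekly data, users ranked by
their own 99th percentile to form groups, and cost = w*FN + (1-w)*FP in place of the
paper's utility, which the slides do not spell out."""
import random


def percentile(values, q):
    """Nearest-rank q-th percentile (q in (0, 1]) of a list of numbers."""
    s = sorted(values)
    return s[max(0, min(len(s) - 1, int(round(q * len(s))) - 1))]


def synthesize_weeks(n_users=40, windows=200, seed=1):
    """Constructed data: a training week and a test week of per-window feature values
    (e.g. max UDP connections per window) for the same n_users laptops; each user has a
    fixed activity scale spanning about three orders of magnitude across the population."""
    rng = random.Random(seed)
    scales = [10 ** rng.uniform(0, 3) for _ in range(n_users)]

    def week():
        return {u: [max(1, int(rng.expovariate(1 / scales[u]))) for _ in range(windows)]
                for u in range(n_users)}

    return week(), week()


def monoculture(train, q=0.99):
    """One threshold for all: q-th percentile of the pooled training values."""
    t = percentile([v for vals in train.values() for v in vals], q)
    return {u: t for u in train}


def full_diversity(train, q=0.99):
    """One threshold per user: q-th percentile of that user's own training values."""
    return {u: percentile(vals, q) for u, vals in train.items()}


def split_even(items, k):
    """Split a list into k contiguous chunks of nearly equal size."""
    n = len(items)
    return [items[i * n // k:(i + 1) * n // k] for i in range(k)]


def partial_diversity_groups(train, q=0.99, top_fraction=0.15, k=4):
    """Slide 15 heuristic: the top 15% of users (by tail behaviour) split into k subgroups,
    the remaining 85% into k more. Ranking by each user's own percentile is an assumption."""
    ranked = sorted(train, key=lambda u: percentile(train[u], q), reverse=True)
    n_top = int(round(top_fraction * len(ranked)))
    return split_even(ranked[:n_top], k) + split_even(ranked[n_top:], k)


def partial_diversity(train, q=0.99):
    """One threshold per group: q-th percentile of the group's pooled training values."""
    thresholds = {}
    for group in partial_diversity_groups(train, q):
        pool = [v for u in group for v in train[u]]
        if pool:  # a tiny population can leave a subgroup empty
            t = percentile(pool, q)
            thresholds.update({u: t for u in group})
    return thresholds


def evaluate(thresholds, test, attack_volume, w=0.4):
    """Apply last week's thresholds to this week's windows (slide 16): a clean window that
    exceeds its threshold is a false positive; the same window with attack_volume
    superimposed that still does not exceed it is a false negative."""
    fp = fn = n = 0
    for u, vals in test.items():
        t = thresholds[u]
        fp += sum(1 for v in vals if v > t)
        fn += sum(1 for v in vals if v + attack_volume <= t)
        n += len(vals)
    fp_rate, fn_rate = fp / n, fn / n
    return {"fp": fp_rate, "fn": fn_rate, "cost": w * fn_rate + (1 - w) * fp_rate}


def stealth_headroom(thresholds, clean, q=0.99):
    """Per-user volume that fits above a busy (q-th percentile) window without crossing
    the threshold: the attacker's opportunity that slide 19 measures. Smaller is better."""
    return {u: max(0, thresholds[u] - percentile(vals, q)) for u, vals in clean.items()}


if __name__ == "__main__":
    train, test = synthesize_weeks()
    for name, thr in [("monoculture", monoculture(train)),
                      ("partial diversity (8 groups)", partial_diversity(train)),
                      ("full diversity", full_diversity(train))]:
        r = evaluate(thr, test, attack_volume=50, w=0.4)
        head = sorted(stealth_headroom(thr, test).values())
        print(f"{name:29s} FP={r['fp']:.3f} FN={r['fn']:.3f} "
              f"cost={r['cost']:.3f} median headroom={head[len(head) // 2]:.0f}")
```

Running it prints one line per policy. Because thresholds are learned on one week and applied to another, the false positive rate on the test week is not pinned to 1% even for full diversity, which is the effect slide 16 calls out; the headroom column makes the slide 19 point visible, since a single pooled threshold leaves light users far more room for traffic to be hidden under it than a per-user or per-group threshold does.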

17 Diversity is good
- Partial diversity is almost as good as full diversity!
- For w = 0.4, recall:

18 What if w varies?
- Still good.

19 Limiting the attacker's opportunity: measuring the stealth traffic
- Naïve attacker will be detected
- Clever attacker will be "limited"

20 Conclusions
- Time to revisit the question of diversity
- Diversity can offer benefits
- We propose Partial Diversity: striking the balance in a tunable way
- Our work is a first step in providing a framework to compare initial techniques for establishing thresholds

21 Future Work
- Fine-tune the different parts
  - user grouping in the partial diversity approach
  - Utility function for users and network
- Select and use multiple features together
- Deploy the approach in a real network