Jeremy Kackley, James Jacobs, Paulus Wahjudi and Jean Gourd.

- What are they? Code that migrates from machine to machine.
- How are they utilized? Examples:
  - Searching: visiting several resources that contain data, sorting the data, and combining it into a payload. The computation is done remotely.
  - Communication: agents can also be used to deliver data.

- Advantages: reactive/adaptive, reliable, autonomous, efficient.
- Disadvantages: nontraditional, lack of standards, complexity, security.

- Trustworthiness
  - Agent trustworthiness: a sandbox is a fairly good solution.
  - Agency (the host platform that executes visiting agents) trustworthiness: encryption keeps the agent's 'payload' secure, but this is difficult. It is the focus of this work.

- A system for monitoring network data for the purpose of detecting compromised resources.
- Four threat levels, organized by severity:
  - Level 1, Observation: situation normal. The CAN (Central Authority Node) monitors the network passively by dispatching Probe agents.
  - Level 2, Investigation: anomalous data has been observed by the passive monitoring system. Actively monitor the anomalous nodes by dispatching a team of Commander and Detective agents.
  - Level 3, Confirmation: active monitoring has also detected anomalies. Attempt to confirm the state of the nodes in question; this takes the form of a Secret agent.
  - Level 4, Resolution: the system has detected a compromise. Attempt to resolve it: alert a human; "log" the activity but permit it; block the activity; or shut down the node (DDoS, out-of-band signal, ...).

- MAIDS relies upon anomaly detection; what if a node is entirely passive?
- Pollination is a scheme to detect passive, 'mole-like' attackers.
- Inspired by bees:
  - Bees visit flowers to get nectar.
  - Incidentally, they gain pollen, and they also deposit pollen.
  - The pollen on a bee provides a roadmap of where it has been.

- Agent pollination
  - Agents visit nodes in the course of their activities.
  - Agents gain pollen, and agents leave pollen behind.
  - The amount of pollen represents the time spent at nodes.
  - The sequence of pollen represents a road-map of where the agent has been.
- Implications
  - Incorrect or missing sequences are new anomalies and represent 'issues' that require investigation.
  - The amount of pollen, cross-referenced with the types of data stored at the various nodes, can represent the types of data an agent is interested in.
  - A node with practically no pollen might be a node that has no resources and is sniffing passing agents.
  - Standard inference models can be used to generate even more anomaly triggers for MAIDS.

- Manipulate the Open Systems Interconnection (OSI) transport layer by either:
  - appending additional packets containing pollen information to the packet sequence representing the agent, or
  - manipulating the packets themselves via packet tagging.
- Pollination does not need to be active everywhere; one can pollinate only 'sensitive' nodes and thus track only 'important' data.
- The degree of pollination can vary with the threat level, as can the consequences for agents with suspicious pollen patterns.
- Pollination patterns can be periodically changed to make them more difficult to spoof.
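The pollination scheme of the two preceding slides, as an added example that is not part of the original presentation or of the authors' system. It is a simulation written for this page: the node names, per-node keys, dwell times, agent itineraries and the HMAC-chained pollen marks are all assumptions. The slides only say the pattern should change periodically; the keyed, chained mark is the editor's choice for making pollen hard to spoof, and the per-epoch key plays the role of the periodic pattern change. The transport-layer packet tagging is not modelled; the trail is simply a list the agent carries.

```python
# Added example: agent pollination as an in-memory simulation (not the authors' code).
# Each node marks a visiting agent with 'pollen': a keyed tag over the node name, the
# dwell time and the previous mark, so the trail is an ordered chain the Central
# Authority Node (CAN) can verify. Nodes also keep a record of what agents left behind.
import hashlib
import hmac
import statistics
from dataclasses import dataclass, field

# Constructed network: per-node base secret shared only with the CAN.
# 'relay-9' holds no data resources, so no agent itinerary ever includes it.
NODE_KEYS = {
    "db-1": b"k-db-1",
    "files-2": b"k-files-2",
    "mail-3": b"k-mail-3",
    "relay-9": b"k-relay-9",
}


@dataclass
class Pollen:
    node: str
    dwell_ms: int   # amount of pollen: time spent at the node
    tag: str        # keyed mark binding node, dwell and the previous mark


@dataclass
class Agent:
    agent_id: str
    itinerary: list                            # nodes the CAN dispatched it to, in order
    trail: list = field(default_factory=list)  # pollen gained, in visiting order


@dataclass
class Node:
    name: str
    deposited: list = field(default_factory=list)  # agent ids that left pollen here


def epoch_key(base_key: bytes, epoch: int) -> bytes:
    """Pollination pattern rotated per epoch, so a captured old trail cannot be replayed."""
    return hmac.new(base_key, str(epoch).encode(), hashlib.sha256).digest()


def mark(node: str, agent_id: str, dwell_ms: int, prev_tag: str, epoch: int) -> str:
    msg = f"{agent_id}|{node}|{dwell_ms}|{prev_tag}".encode()
    return hmac.new(epoch_key(NODE_KEYS[node], epoch), msg, hashlib.sha256).hexdigest()


def pollinate(node: Node, agent: Agent, dwell_ms: int, epoch: int) -> None:
    """Node side: the visiting agent gains pollen and leaves pollen behind."""
    prev = agent.trail[-1].tag if agent.trail else "genesis"
    tag = mark(node.name, agent.agent_id, dwell_ms, prev, epoch)
    agent.trail.append(Pollen(node.name, dwell_ms, tag))
    node.deposited.append(agent.agent_id)


def audit_trail(agent: Agent, epoch: int) -> list:
    """CAN side: recompute the chain, then compare the visited sequence with the itinerary."""
    findings = []
    prev = "genesis"
    for pos, p in enumerate(agent.trail):
        if p.node not in NODE_KEYS or not hmac.compare_digest(
                mark(p.node, agent.agent_id, p.dwell_ms, prev, epoch), p.tag):
            findings.append(f"forged or tampered pollen at position {pos} ({p.node})")
        prev = p.tag
    visited = [p.node for p in agent.trail]
    if visited != agent.itinerary:
        missing = [n for n in agent.itinerary if n not in visited]
        extra = [n for n in visited if n not in agent.itinerary]
        if missing:
            findings.append(f"missing pollen from {missing}")
        if extra:
            findings.append(f"unexpected pollen from {extra}")
        if not missing and not extra:
            findings.append(f"out-of-order trail {visited}, expected {agent.itinerary}")
    return findings


def audit_nodes(nodes: dict, min_fraction: float = 0.25) -> list:
    """Nodes holding practically no pollen while their peers hold plenty: sniffer candidates."""
    counts = {name: len(n.deposited) for name, n in nodes.items()}
    typical = statistics.median(counts.values())
    return sorted(n for n, c in counts.items() if typical > 0 and c < min_fraction * typical)


def run_simulation(epoch: int = 7) -> dict:
    nodes = {name: Node(name) for name in NODE_KEYS}
    route = ["db-1", "files-2", "mail-3"]
    results = {}
    for aid in ("agent-A", "agent-B"):            # well-behaved agents
        ag = Agent(aid, list(route))
        for n, dwell in zip(route, (120, 45, 80)):
            pollinate(nodes[n], ag, dwell, epoch)
        results[aid] = audit_trail(ag, epoch)
    forger = Agent("agent-forger", list(route))   # skipped mail-3 and fabricated its mark
    pollinate(nodes["db-1"], forger, 130, epoch)
    pollinate(nodes["files-2"], forger, 40, epoch)
    forger.trail.append(Pollen("mail-3", 75, "00" * 32))
    results[forger.agent_id] = audit_trail(forger, epoch)
    detour = Agent("agent-detour", list(route))   # skipped files-2, honest marks otherwise
    pollinate(nodes["db-1"], detour, 110, epoch)
    pollinate(nodes["mail-3"], detour, 90, epoch)
    results[detour.agent_id] = audit_trail(detour, epoch)
    results["sniffer_candidates"] = audit_nodes(nodes)
    return results


if __name__ == "__main__":
    for key, value in run_simulation().items():
        print(key, value or "clean")
```

The chain catches a fabricated mark without the node's key, the itinerary comparison catches a skipped node even when every remaining mark is genuine, and the node audit surfaces a host that agents never pollinate. Verifying a trail against a different epoch fails every mark, which is the replay protection the periodic pattern change buys.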

Level 1 (Observation)
- Situation normal.
- Probes are distributed; they record communication and do not move.
- Agents visit the network with normal agent behavior; during this process they pick up data from the probes.
- Central Authority Node: compares the data from the probes as it arrives naturally and mines it for anomalies.

Level 2 (Investigation)
- Anomalies detected. Could be nothing ('lag').
- Deploy a set of agents:
  - Detective agents actively monitor.
  - A Commander agent takes the information from the detective agents and analyzes it for anomalies.

Level 3 (Confirmation)
- Anomalies still detected.
- Deploy a "Secret Agent":
  - Designed to appear externally as a regular agent.
  - Executes a predetermined series of actions and, if possible, reports the observed results.
  - Detective agents observe the 'actual' results.
  - The Commander agent analyzes the results: either the agency is exonerated or the threat level is elevated.

Level 4 (Resolution)
- Level 4 assumes a compromise has occurred; this situation must be resolved.
- Possible avenues of resolution:
  - Human intervention.
  - Redirect output to a 'vault' for later analysis, attempting to fool the agency into thinking it is still actually part of the network.
  - Blockade the output of the node: protect the network, and the agents, by preventing access to or from the suspected node.
  - Automated attack on the node.
- The appropriate response depends upon the network.
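The four-level escalation from Observation through Resolution, as an added example that is not the authors' code. Everything concrete in it is an assumption made for this page: the node names and probe readings, the median/MAD rule the CAN uses to mine probe data, the commander's "two persistent hits" rule for discarding lag, the secret agent's predetermined action and the answer the CAN knows for it, and the resolution policy (vault for ordinary nodes, blockade for sensitive ones, offensive removal only when explicitly allowed).

```python
# Added example: MAIDS threat-level escalation as a simulation (not the authors' code).
from dataclasses import dataclass
from enum import IntEnum
import statistics


class Level(IntEnum):
    OBSERVATION = 1     # passive probes only
    INVESTIGATION = 2   # detectives sample actively, commander analyzes
    CONFIRMATION = 3    # secret agent runs a predetermined action
    RESOLUTION = 4      # compromise assumed


# Predetermined action the secret agent performs and the answer the CAN knows is right.
# Both values are constructed for this example.
SECRET_ACTION = ("checksum", "/srv/agent/policy.txt")
KNOWN_ANSWER = "sha256:6f1a...c9"


@dataclass
class NodeModel:
    """Constructed view of one node as the CAN's agents observe it."""
    name: str
    sensitive: bool
    baseline_kb: list      # outbound KB per interval, from the passive probes
    probe_kb: list         # latest passive probe readings
    detective_kb: list     # fresh samples taken by the detective agents
    reported: str          # what the node reports to the secret agent for SECRET_ACTION
    on_wire: str           # what the detectives see the node actually send back


def deviations(node: NodeModel, samples: list) -> list:
    """Robust z-scores of samples against the node's own baseline (median / MAD)."""
    med = statistics.median(node.baseline_kb)
    mad = statistics.median(abs(x - med) for x in node.baseline_kb) or 1.0
    return [abs(x - med) / mad for x in samples]


def probes_see_anomaly(node: NodeModel, k: float = 4.0) -> bool:
    """Level 1: the CAN mines probe data as it arrives."""
    return any(d > k for d in deviations(node, node.probe_kb))


def investigation_persists(node: NodeModel, k: float = 4.0, min_hits: int = 2) -> bool:
    """Level 2 commander rule: one spike may be 'lag'; require repeated hits."""
    return sum(d > k for d in deviations(node, node.detective_kb)) >= min_hits


def secret_agent_confirms(node: NodeModel) -> bool:
    """Level 3: compromised if the node answers wrongly, or what it told the agent
    differs from what the detectives saw it send (it tampers with the agent's report)."""
    return node.reported != KNOWN_ANSWER or node.on_wire != node.reported


def resolution(node: NodeModel, allow_offense: bool) -> list:
    """Level 4 policy; alerting a human is implied by every other resolution."""
    actions = ["alert human"]
    if not node.sensitive:
        actions.append("vault output")            # keep watching, let a human decide
    else:
        actions.append("blockade node")           # protect agents and network first
        if allow_offense:
            actions.append("automated attack")    # remove the device from the network
    return actions


def escalate(node: NodeModel, allow_offense: bool = False) -> dict:
    if not probes_see_anomaly(node):
        return {"level": Level.OBSERVATION, "outcome": "normal", "actions": []}
    if not investigation_persists(node):
        return {"level": Level.INVESTIGATION, "outcome": "lag, stand down", "actions": []}
    if not secret_agent_confirms(node):
        return {"level": Level.CONFIRMATION, "outcome": "agency exonerated", "actions": []}
    return {"level": Level.RESOLUTION, "outcome": "compromised",
            "actions": resolution(node, allow_offense)}


BASELINE = [40, 42, 41, 39, 40, 43, 41]   # constructed probe history, median 41, MAD 1

SAMPLE_NODES = [
    NodeModel("web-1",   False, BASELINE, [41],  [],              KNOWN_ANSWER, KNOWN_ANSWER),
    NodeModel("files-2", False, BASELINE, [95],  [44, 41, 42],    KNOWN_ANSWER, KNOWN_ANSWER),
    NodeModel("db-3",    True,  BASELINE, [300], [290, 310, 305], KNOWN_ANSWER, KNOWN_ANSWER),
    NodeModel("mail-4",  True,  BASELINE, [220], [215, 230, 225], KNOWN_ANSWER, "sha256:deadbeef"),
    NodeModel("kiosk-5", False, BASELINE, [180], [175, 190, 60],  "sha256:0000", "sha256:0000"),
]


def triage(nodes=SAMPLE_NODES, allow_offense: bool = False) -> dict:
    return {n.name: escalate(n, allow_offense) for n in nodes}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name}: L{int(verdict['level'])} {verdict['outcome']} {verdict['actions']}")
```

Each constructed node stops at a different level: web-1 never leaves Observation, files-2's single spike is dismissed as lag at Investigation, db-3's persistent traffic is exonerated by the secret agent at Confirmation, and mail-4 and kiosk-5 reach Resolution by the two different failure modes (tampering with the agent's report versus answering wrongly). Whether the offensive option is ever reachable is a deployment decision, which is why it is a parameter rather than a default.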

Human intervention
- Simply ask for human aid; this can be thought of as raising an alert.
- No automated action is taken by the system.
- This step is implied in all other possible resolutions.

Vault
- "Saves" the output of the node for later analysis.
- Limited action against the node is taken.
- Attempts to obscure the fact that the compromise has been detected until a human decides what action to take.

Blockade
- Takes active steps to protect the network by preventing communication with the affected node.
- This could itself be detrimental to the network, leading to bottlenecks or failure.

Automated attack
- If the data is of an especially sensitive nature, it might be desirable to attempt to remove the affected device from the network by offensive means.
- Again, this could damage the network.