PROFILING HACKERS' SKILL LEVEL BY STATISTICALLY CORRELATING THE RELATIONSHIP BETWEEN TCP CONNECTIONS AND SNORT ALERTS Khiem Lam.


Challenges to Troubleshooting a Compromised Network
- Time consuming to find vulnerabilities
- Difficult to determine planted exploits
- Uncertain of the degree of damage

Motivation for Profiling Hackers
- Can profiling the attacker's skill level assist with risk management?
- Understand the level of threat
- Know the possibilities of vulnerabilities
- Reduce time and resources needed to investigate the "what if" scenarios

Approach - Hypothesis of a Skilled Attacker's Behavior
- Avoids IDS detection if they know the rule set in advance
- Avoids common techniques to reduce the chance of detection
- Establishes many short connections
- If these hypotheses are true, then there must be patterns that group attackers by their behavior!

Exploratory Approach
1. Data Acquisition/Separation
2. Data Standardization/Formatting
3. Cluster Analysis

Phase 1 – Data Acquisition/Separation

(Diagram.) The competition data is separated into two streams:
- TCP Connection Data: Competition PCAP Captures -> Team A's Pcap, Team B's Pcap -> Team A Connection Info, Team B Connection Info
- IDS Alerts Data: Competition Snort Alerts Logs; Snort Application -> Updated Snort Alerts Logs

Phase 2 – Data Standardization

(Diagram.) Team A Connection Info + Updated Snort Alerts Logs + Competition Snort Alerts Logs -> Data Aggregation using R Statistical Tool -> CSV Format -> Team A's Aggregated Data by Time Period

Phase 2 – Example of Actual Aggregated Data

(Table not reproduced in the transcript.) This is the aggregated data for two teams connecting to one service.

Results – Graph of the Aggregated Data

(Graph not reproduced in the transcript.)

Phase 3 – Cluster Analysis Using R

(Diagram.) Team A's, Team B's and Team C's Aggregated Data by Time Period -> Find correlation between attributes -> Add weights -> Cluster Data -> Euclidean Distance -> Cluster Analysis Results + Graphs

Phase 3 - Example of Actual Cluster Data

(Table not reproduced in the transcript.) This is the cluster data of all teams connecting to one service.
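The Phase 2 aggregation and the Phase 3 Euclidean-distance step, as an added example written in Python rather than the R pipeline the slides describe (this is not the presenter's code). Team subnets, connection records, Snort "fast"-format alert lines, the 5-minute window and the feature weights are all constructed assumptions; timestamps are treated as seconds within a single day.

```python
import ipaddress
import math
import re
from collections import defaultdict

# Hypothetical team subnets; the competition data would supply the real ones.
TEAMS = {"A": ipaddress.ip_network("10.0.1.0/24"),
         "B": ipaddress.ip_network("10.0.2.0/24")}
WINDOW = 300  # seconds per aggregation period (5 minutes)

# Constructed connection records: (seconds since midnight, src_ip, duration_s)
CONNECTIONS = [
    (0, "10.0.1.5", 1.2), (30, "10.0.1.5", 0.4), (60, "10.0.1.7", 0.3),
    (90, "10.0.1.5", 0.2), (400, "10.0.1.9", 0.5),
    (10, "10.0.2.8", 45.0), (350, "10.0.2.8", 60.0),
]
# Constructed lines in Snort's "fast" alert format (one day of data assumed)
ALERTS = """\
01/01-00:00:05.000000  [**] [1:1000001:1] EX probe [**] [Priority: 3] {TCP} 10.0.2.8:40000 -> 10.0.0.10:80
01/01-00:05:50.000000  [**] [1:1000001:1] EX probe [**] [Priority: 3] {TCP} 10.0.2.8:40001 -> 10.0.0.10:80
01/01-00:01:00.000000  [**] [1:1000002:1] EX exploit [**] [Priority: 1] {TCP} 10.0.1.7:4000 -> 10.0.0.10:80
"""
ALERT_RE = re.compile(r"^\d\d/\d\d-(\d\d):(\d\d):(\d\d)\.\d+ .*\{TCP\} ([\d.]+):\d+ ->")

def team_of(ip):
    """Map a source address to its team via the subnet table (None if unknown)."""
    addr = ipaddress.ip_address(ip)
    return next((t for t, net in TEAMS.items() if addr in net), None)

def aggregate(conns, alert_text):
    """Return {(team, window): [connections, alerts, mean_duration]}."""
    feats = defaultdict(lambda: [0, 0, 0.0])
    for ts, src, dur in conns:
        f = feats[(team_of(src), ts // WINDOW)]
        f[2] = (f[2] * f[0] + dur) / (f[0] + 1)  # running mean of duration
        f[0] += 1
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if m:  # alerts are keyed by the attacking (source) team, like connections
            h, mi, s, src = m.groups()
            ts = int(h) * 3600 + int(mi) * 60 + int(s)
            feats[(team_of(src), ts // WINDOW)][1] += 1
    return dict(feats)

def distance(row_a, row_b, weights=(1.0, 1.0, 0.01)):
    """Weighted Euclidean distance; duration is down-weighted so seconds do not swamp the counts."""
    return math.sqrt(sum(w * (x - y) ** 2 for w, x, y in zip(weights, row_a, row_b)))
```

With this input team A's first window shows many short connections and one alert while team B shows one long connection per window with an alert each time, which is the behavioural contrast the hypothesis slide predicts.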

Results – Euclidean Cluster Graph

(Graph not reproduced in the transcript; axes/legend: Team, # flags submitted.)

Results – K-Means Cluster

(K-means cluster plot not reproduced in the transcript; axes/legend: Team, # flags submitted.)

Limitations of the Current Approach
- Relies on competition data (time period, team subnet info)
- Assumes attackers know of the competition's alert rules in advance
- Assumes submitted flags are a reliable criterion for measuring attacker skill
- Inconsistency between different services

Future Work for Improvement
- Experiment with varying time periods (5 minutes, 15 minutes, 30 minutes)
- Expand the updated alert rules to capture more events
- Add additional features (Andrew and Nikunj's TCP stream distance)
- Weigh the correlation between attributes
- Explore other analyses available in R

Questions?