
Information Fusion By Ganesh Godavari

Outline of Talk: Problem Definition (Attack Types); Correlation; Solutions (OSSIM); Work Status

Problem Definition: Fusion of intrusion detection data from various sensors distributed over a geographic area. Attack events are interval-based (recall Degrading Denial of Service). Note: Fusion is possible only if data can be correlated at both the sensor and the intermediary nodes.

Possible Attack Scenarios: SYN Attack. Cause: vulnerability in some TCP/IP stack implementations. How does it work: the program sends a large number of TCP SYN packets and never completes the TCP handshake. This leaves a large backlog of half-open connections and deteriorates the performance of the machine. Result: system performance may slow down.

Contd.. Ping Flood. Cause: vulnerability in some operating systems. How does it work: an attacker can use a scanner that pings a system to find out more information about the network, or the attacker can use a tool to send a large number of pings in an attempt to "flood" the network and create a denial-of-service condition. Result: system performance may slow down.

Contd.. UDP Flood Attack. Cause: connectionless nature of the UDP protocol. How does it work: the attacker sends a UDP packet to a random port on the victim system. On receiving a UDP packet, the OS determines which application is waiting on the destination port. If no application is waiting on the port, an ICMP (destination unreachable) packet is generated and sent to the source address. Result: system performance may slow down.

Correlation Techniques. Correlation of attacks: (1) Similarities between the event attributes, e.g. srcIP, dstIP. This cannot detect non-obvious attacks (need to check for temporal relationships!). (2) Known attack scenarios, e.g. the "gesundheit!" signature of the Stacheldraht DoS tool. (3) Preconditions and consequences of individual attacks, e.g. "a port scan is performed on a machine to check for vulnerable ports, before an attack is launched on the ports".

Qualitative Temporal Relationships. Non-obvious patterns among events can be represented using temporal relationships between interval-based events. Listed on the next slide are the twenty-four relationships between intervals and 11 relationships between semi-intervals [1] [2] [3].

24 relations between Events
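The two correlation ideas above, attribute similarity and temporal precondition, as an added Python example that is not part of the original presentation. It classifies a pair of interval-based events using Allen's thirteen base interval relations (the slide's fuller enumeration of 24 relations is in the cited references and is not reproduced here), groups events by shared attributes, and then links a "portscan" event to a later attack on the same destination only when the scan temporally precedes it. The event names, addresses and timestamps are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """An interval-based alert: active from start to end (seconds, inclusive)."""
    name: str
    src: str
    dst: str
    start: int
    end: int


def allen_relation(a: Event, b: Event) -> str:
    """Return Allen's base relation of interval a with respect to interval b."""
    if a.end < b.start:
        return "before"
    if b.end < a.start:
        return "after"
    if a.end == b.start:
        return "meets"
    if b.end == a.start:
        return "met-by"
    if a.start == b.start and a.end == b.end:
        return "equals"
    if a.start == b.start:
        return "starts" if a.end < b.end else "started-by"
    if a.end == b.end:
        return "finishes" if a.start > b.start else "finished-by"
    if b.start < a.start and a.end < b.end:
        return "during"
    if a.start < b.start and b.end < a.end:
        return "contains"
    # Remaining cases: proper overlap in one direction or the other.
    if a.start < b.start < a.end < b.end:
        return "overlaps"
    return "overlapped-by"


def group_by_attributes(events, keys=("src", "dst")):
    """Attribute-similarity correlation: bucket events that share the chosen attributes."""
    groups = defaultdict(list)
    for ev in events:
        groups[tuple(getattr(ev, k) for k in keys)].append(ev)
    return dict(groups)


def correlate_precondition(events, precondition, attack,
                           allowed=("before", "meets", "overlaps")):
    """Temporal correlation: pair a precondition event with an attack on the same
    destination when the precondition interval precedes the attack interval."""
    pairs = []
    for p in events:
        if p.name != precondition:
            continue
        for q in events:
            if q.name != attack or q.dst != p.dst:
                continue
            if allen_relation(p, q) in allowed:
                pairs.append((p, q))
    return pairs


# Constructed sample events (not real sensor data).
EVENTS = [
    Event("portscan", "10.0.0.5", "10.0.0.20", 100, 160),
    Event("syn-flood", "10.0.0.5", "10.0.0.20", 200, 500),   # scan precedes flood
    Event("syn-flood", "10.0.0.9", "10.0.0.21", 50, 80),     # no scan before this one
    Event("portscan", "10.0.0.7", "10.0.0.21", 300, 340),    # scan after the attack
]

if __name__ == "__main__":
    for p, q in correlate_precondition(EVENTS, "portscan", "syn-flood"):
        print(f"{p.name} on {p.dst} [{p.start}-{p.end}] {allen_relation(p, q)} "
              f"{q.name} [{q.start}-{q.end}]")
```

Only the first scan/flood pair is linked: the scan on 10.0.0.21 comes after its flood, so the precondition relation does not hold even though the attributes match.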

Open Source Security Information Management (OSSIM) project. Combines tools like snort, Spade, Ntop, mrtg, ... to provide a global picture of the IDS. Correlation: (1) Sequence of events. Create rules: if (recv event A then event B then event C) do { Action }. (2) Heuristic algorithm. State variables: "C" is the level of compromise, the probability that the machine is compromised; "A" is the level of attack the system is subjected to.

Correlation contd.. A value is assigned to the C or A variable for a machine on the network according to three rules: (1) machine 1 attacking machine 2 increases the A of machine 2 and the C of machine 1; (2) if the attack is successful, the value of C increases for machines 1 and 2; (3) if events are internal, C increases for the originating machine.
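The three C/A update rules, as an added Python example that is not OSSIM's own code. Each alert carries a priority that is used as the increment; "internal" is taken to mean that both endpoints lie in the internal prefix, and the alert list, addresses and priorities are constructed sample data. These are assumptions, not anything the slides specify.

```python
from collections import defaultdict

# Assumption: hosts in this prefix are internal; everything else is external.
INTERNAL_PREFIX = "10.0.0."


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class CompromiseTracker:
    """Per-host C (level of compromise) and A (level of attack) accumulators."""

    def __init__(self):
        self.c = defaultdict(int)
        self.a = defaultdict(int)

    def observe(self, src: str, dst: str, priority: int, successful: bool = False):
        # Rule 1: src attacks dst -> A of dst and C of src go up.
        self.a[dst] += priority
        self.c[src] += priority
        # Rule 2: a successful attack raises C for both machines.
        if successful:
            self.c[src] += priority
            self.c[dst] += priority
        # Rule 3: an internal event raises C for the originating machine
        # (assumption: internal means both endpoints are internal hosts).
        if is_internal(src) and is_internal(dst):
            self.c[src] += priority

    def suspects(self, threshold: int):
        """Hosts whose compromise level has reached the threshold."""
        return sorted(h for h, v in self.c.items() if v >= threshold)


# Constructed sample alerts: (src, dst, priority, successful).
ALERTS = [
    ("203.0.113.9", "10.0.0.20", 2, False),  # external probe
    ("203.0.113.9", "10.0.0.20", 3, True),   # external attack reported successful
    ("10.0.0.20", "10.0.0.21", 2, False),    # internal host now attacking a neighbour
]


def run_demo(alerts=ALERTS) -> CompromiseTracker:
    tracker = CompromiseTracker()
    for src, dst, prio, ok in alerts:
        tracker.observe(src, dst, prio, ok)
    return tracker


if __name__ == "__main__":
    t = run_demo()
    for host in sorted(set(t.c) | set(t.a)):
        print(f"{host:14} C={t.c[host]:2} A={t.a[host]:2}")
    print("suspects:", t.suspects(5))
```

After the three alerts, 10.0.0.20 has been attacked (A=5) and, having been compromised and then seen originating internal traffic, its C has climbed to 7; the external source ends with C=8.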

Current Project Status. Created a test-bed of 3 machines. Able to parse Snort alerts. Need to correlate/fuse the alerts generated during an hour before sending them to the intermediary nodes.
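The parse-then-fuse step described above, as an added Python example that is not the project's own code. It parses lines in Snort's "fast" alert format (timestamp, [**] [gid:sid:rev] message [**], optional classification, priority, protocol, src -> dst with optional ports), drops lines it cannot parse, and fuses alerts per hour by (signature, source, destination) into a count with first/last seen and the set of destination ports. The alert lines, addresses and signature IDs are constructed sample data.

```python
import re
from collections import defaultdict

# Snort "fast" alert line, e.g.
# 03/14-10:02:11.123456  [**] [1:1000001:1] msg [**] [Classification: x] [Priority: 2] {TCP} a.b.c.d:p -> e.f.g.h:q
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line: str):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["prio"] = int(d["prio"])
    d["dport"] = int(d["dport"]) if d["dport"] else None
    d["hour"] = d["ts"][:8]  # "MM/DD-HH" bucket
    return d


def fuse_hourly(lines):
    """Fuse alerts per hour by (sid, src, dst) into a summary the sensor can forward."""
    summary = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # unparsable line: skip, do not abort the whole batch
        key = (a["hour"], a["sid"], a["src"], a["dst"])
        s = summary.setdefault(key, {
            "msg": a["msg"], "proto": a["proto"], "prio": a["prio"],
            "count": 0, "first": a["ts"], "last": a["ts"], "dports": set(),
        })
        s["count"] += 1
        s["first"] = min(s["first"], a["ts"])
        s["last"] = max(s["last"], a["ts"])
        if a["dport"] is not None:
            s["dports"].add(a["dport"])
    return summary


# Constructed sample alert lines (not real sensor output).
SAMPLE_ALERTS = [
    "03/14-10:02:11.123456  [**] [1:1000001:1] SYN flood detected [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.9:4455 -> 10.0.0.20:80",
    "03/14-10:02:12.223456  [**] [1:1000001:1] SYN flood detected [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.9:4456 -> 10.0.0.20:80",
    "03/14-10:02:13.323456  [**] [1:1000001:1] SYN flood detected [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.9:4457 -> 10.0.0.20:443",
    "03/14-10:05:40.000001  [**] [1:1000002:1] ICMP PING flood [**] [Priority: 3] {ICMP} 203.0.113.9 -> 10.0.0.20",
    "this line is not an alert and must be skipped",
    "03/14-11:01:00.000001  [**] [1:1000001:1] SYN flood detected [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.9:4460 -> 10.0.0.20:80",
]

if __name__ == "__main__":
    for key, s in sorted(fuse_hourly(SAMPLE_ALERTS).items()):
        hour, sid, src, dst = key
        print(f"{hour} sid={sid} {src} -> {dst} x{s['count']} "
              f"[{s['first']}..{s['last']}] ports={sorted(s['dports'])}")
```

Three SYN-flood alerts in the 10:00 hour collapse into one record with a count of 3 and two destination ports; the ICMP alert and the 11:00 SYN-flood alert stay separate records, and the non-alert line is ignored.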

References
[1] ALLEN, J. F. Maintaining Knowledge about Temporal Intervals. Commun. ACM, 26, 11: 832–843, November.
[2] FREKSA, C. Temporal reasoning based on semi-intervals. Artif. Intell. 54, 199–227.
[3] PENG NING, SUSHIL JAJODIA and XIAOYANG SEAN WANG. Abstraction-based intrusion detection in distributed environments. ACM Trans. on Info. and System Security (TISSEC) 4, 407–452.