Curtis A. Carver Jr., John M.D. Hill, John R. Surdu, and Udo W. Pooch


1 A Methodology for Using Intelligent Agents to Provide Automated Intrusion Response
Curtis A. Carver Jr., John M.D. Hill, John R. Surdu, and Udo W. Pooch

2 Agenda
Motivation
Previous Work
AAIRS Architecture
Future Work
Summary
11/23/2018 West Point Information Assurance Workshop

3 An Alternate Approach to Intrusion Response

4 Motivation (1 of 4)
The number of information system attacks is increasing and becoming increasingly sophisticated.
(Chart: CERT Security Incidents per Year)

5 Motivation (2 of 4)
Intuitively, the faster a system responds to an intrusion, the less the likelihood of damage. Intrusion simulation research by Cohen confirms this intuition: the faster the response to a detected intrusion, the lower the probability that the system will eventually be compromised.

6 Motivation (3 of 4)
(Chart: Correlation of Type of Attacker and Compromise Time)

7 Motivation (4 of 4)
There is a growing need for automated intrusion response systems. Unfortunately, current intrusion response systems provide little beyond decision tables for automating the response to intrusions.

8 Previous Work: Intrusion Response Systems
Many intrusion detection systems incorporate an intrusion response system. These systems can be classified as notification systems, manual response systems, or automatic response systems. A survey of 56 systems revealed:
33 Notification Systems
8 Manual Response Systems
15 Automatic Response Systems
Of the fifteen automatic response systems, all but two employ a simple decision table. The two exceptions are Cooperating Security Monitors (CSM) and Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD).

9 AAIRS Architecture
(Diagram; component labels recovered from the slide: Monitored System, Intrusion Detection System, Interface, Master Analysis, Analysis, Response Taxonomy, Tactics, Response Toolkit, Policy Specification, Logger, System Admin Tool)

10 AAIRS Architecture: Plan Generation (1 of 2)
A response plan consists of a response goal, one or more plan steps, and associated tactics for accomplishing the plan steps. The response goal is specified by the system administrator and provides a general response approach. Plan steps are techniques for accomplishing a response goal. Tactics are methods for carrying out a plan step. The tactics can be further decomposed into a number of implementations that are environment dependent.

11 AAIRS Architecture: Plan Generation (2 of 2)
Goal: Analyze an attack
Plan steps: Gather evidence; Preserve evidence; Slow the attack
Tactics: Enable additional logging (Remote logging, Logging to unchangeable media, Process accounting); Enable additional IDS; Employ a honey-pot; Trace the connection
Implementations: Remote log to Limbo; Remote log to St Peter

12 AAIRS Architecture (Adaptation)
Interface Agent: adapts degree of trust in the IDS.
Analysis Agent: adapts course of action based on the history of the incident; adapts response guidance based on the perceived type of attacker.
Tactics Agent: adapts tactics based on the success of previously employed techniques.
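As an added example (not code from the paper or the AAIRS project), the goal / plan step / tactic / implementation hierarchy of slide 11 combined with the Tactics Agent's adaptation from slide 12, in Python: each tactic carries a success history, and plan generation prefers the tactic with the best record for each step. The catalogue and all implementation labels other than the two "Remote log to ..." entries are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Tactic:
    """A method for carrying out a plan step, with its environment-dependent
    implementations and the success history the Tactics Agent adapts on."""
    name: str
    implementations: list
    successes: int = 0
    failures: int = 0

    def score(self) -> float:
        # Laplace-smoothed success rate: an untried tactic scores 0.5, so it is
        # neither preferred to nor starved by tactics that already have a record.
        return (self.successes + 1) / (self.successes + self.failures + 2)


# Constructed catalogue after slide 11: goal -> plan steps -> tactics -> implementations.
# Implementations other than the two "Remote log to ..." entries are hypothetical labels.
CATALOGUE = {
    "Analyze an attack": {
        "Gather evidence": [
            Tactic("Enable additional logging", ["Remote log to Limbo", "Remote log to St Peter"]),
            Tactic("Process accounting", ["Enable process accounting"]),
        ],
        "Slow the attack": [
            Tactic("Employ a honey-pot", ["Redirect session to honey-pot"]),
            Tactic("Trace the connection", ["Start connection trace"]),
        ],
    },
}

def find_tactic(goal: str, step: str, tactic_name: str) -> Tactic:
    return next(t for t in CATALOGUE[goal][step] if t.name == tactic_name)

def record_outcome(goal: str, step: str, tactic_name: str, succeeded: bool) -> None:
    """Tactics Agent adaptation: feed back whether an employed tactic worked."""
    tactic = find_tactic(goal, step, tactic_name)
    tactic.successes += int(succeeded)
    tactic.failures += int(not succeeded)

def generate_plan(goal: str) -> list:
    """For each plan step of the goal, choose the tactic with the best success
    history (the first listed wins ties) and its first implementation."""
    plan = []
    for step, tactics in CATALOGUE[goal].items():
        best = max(tactics, key=Tactic.score)
        plan.append((step, best.name, best.implementations[0]))
    return plan
```

Repeated failures of "Enable additional logging" drive its score below the untried 0.5 baseline, so the next plan for the same goal switches that step to "Process accounting".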

13 Agent Components and Types
(Diagram; agent types recovered from the slide labels: Interface/Filter: reactive; Interface Agent: reactive with memory; Master Analysis Agent: utility classifier; Analysis Agents: utility planner; Response Taxonomy Agent: reactive classifier; Tactics Agents: goal-based plan execution. Other components shown: Monitored System, Intrusion Detection System, Response Toolkit, Policy Specification, Logger, System Admin Tool)

14 Summary
The number of information system attacks is increasing and becoming increasingly sophisticated. Automated intrusion response is becoming increasingly important, and stateless decision tables are not sufficient given the threat. The methodology discussed provides a framework for the development of adaptive, agent-based intrusion response systems.
