
1-Gram-Based Payload Anomaly Detector: Use of Models



Presentation transcript:

Slide 13: 1-Gram-Based Payload Anomaly Detector
- Use of models:
  1. Mean byte frequency
  2. Byte frequency standard deviation
- The same values are computed for incoming packets and compared to the model values.
POSEIDON
- Built on the PAYL architecture
- Employs a neural network to classify packets: Self-Organizing Maps
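The 1-gram model on slide 13 in working form, as an added Python example (not code from the presentation or from the PAYL or POSEIDON projects): per-byte-value mean and standard deviation are learned from benign payloads, the same frequencies are computed for an incoming packet, and the two are compared. The slide only says "compared to model values"; the comparison used here is a simplified Mahalanobis distance, and the threshold rule, the smoothing value and all HTTP-style payloads are constructed for the example.

```python
import math
from typing import List, Sequence


def byte_frequencies(payload: bytes) -> List[float]:
    """Relative frequency of each of the 256 byte values (the 1-gram distribution)."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    total = len(payload) or 1
    return [c / total for c in counts]


class OneGramModel:
    """PAYL-style 1-gram model: per-byte-value mean and standard deviation of the
    relative frequency, learned from benign training payloads."""

    def __init__(self, payloads: Sequence[bytes], smoothing: float = 0.01) -> None:
        freqs = [byte_frequencies(p) for p in payloads]
        n = len(freqs)
        self.mean = [sum(f[i] for f in freqs) / n for i in range(256)]
        self.std = [
            math.sqrt(sum((f[i] - self.mean[i]) ** 2 for f in freqs) / n)
            for i in range(256)
        ]
        # Smoothing keeps byte values with zero variance from producing infinite distances.
        self.smoothing = smoothing

    def distance(self, payload: bytes) -> float:
        """Simplified Mahalanobis distance between a packet's byte frequencies and
        the model (assumption: the slide does not name the metric; this is the one
        used in this example)."""
        f = byte_frequencies(payload)
        return sum(
            abs(f[i] - self.mean[i]) / (self.std[i] + self.smoothing)
            for i in range(256)
        )

    def threshold(self, payloads: Sequence[bytes], margin: float = 1.5) -> float:
        """Alert threshold: a margin above the largest distance seen on the training
        data (constructed calibration rule for this example)."""
        return margin * max(self.distance(p) for p in payloads)

    def is_anomalous(self, payload: bytes, threshold: float) -> bool:
        return self.distance(payload) > threshold


# Constructed benign HTTP-style training payloads (sample data, not from the slides).
TRAIN = [
    b"GET / HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: demo\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: demo\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: demo\r\n\r\n",
    b"GET /css/site.css HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: demo\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: demo\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: demo\r\n\r\n",
]
# Constructed test inputs: a held-out benign request and a payload made only of
# high byte values, which never occur in the ASCII training set.
BENIGN_TEST = b"GET /contact.html HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: demo\r\n\r\n"
ANOMALOUS_TEST = bytes(range(128, 256)) * 2


def demo() -> dict:
    """Train on TRAIN, calibrate a threshold, and score both test payloads."""
    model = OneGramModel(TRAIN)
    threshold = model.threshold(TRAIN)
    return {
        "threshold": threshold,
        "benign_distance": model.distance(BENIGN_TEST),
        "anomalous_distance": model.distance(ANOMALOUS_TEST),
        "benign_flagged": model.is_anomalous(BENIGN_TEST, threshold),
        "anomalous_flagged": model.is_anomalous(ANOMALOUS_TEST, threshold),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Byte values absent from training have zero mean and zero standard deviation, so every occurrence of them in a packet is charged at full weight (divided only by the smoothing term); that is what drives the distance of the high-byte payload far above the threshold while the held-out request stays close to the model.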

Slide 14: PAYL - Fail
- Vulnerable to mimicry attacks (only models the 1-gram byte distribution)
- Additional bytes added to match the models
POSEIDON - Fail
- More resilient to mimicry attacks (SOM and PAYL together)
- If the attack portion of the payload is small enough, it is assigned to a cluster with models of regular traffic (similar byte frequency)

Slide 15: Anagram
- Higher-order n-grams used (n > 1)
- Binary-based n-gram analysis
- Use of Bloom filters
- Less memory used, which allows higher-order n-grams
- More precise than frequency-based analysis (PAYL)
McPAD: "Multiple-Classifier Payload-based Anomaly Detector"
- 2-gram analysis
- Support Vector Machine (SVM) classifiers

Slide 16: Anagram - Fail
- Bloom filter saturates during training
- Attack leverages a sequence of n-grams that have been observed during testing
McPAD - Fail
- Tries to give a wide representation of the payload:
  1. Approximate representation
  2. Use of different classifiers
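An Anagram-style detector for slides 15 and 16, as an added Python example (not Anagram's own code): benign n-grams go into a Bloom filter during training, and a packet's score is the fraction of its n-grams the filter has never seen. The same block shows the saturation failure from slide 16: training the same data into a filter that is far too small sets nearly every bit, so unseen n-grams start to look "seen" and the score of a clearly foreign payload collapses. The Bloom filter (double hashing from one SHA-256 digest), the filter sizes, the 50% saturation limit and the SMTP-style sample payloads are all constructed for this example.

```python
import hashlib
from typing import Iterable, Iterator


def ngrams(payload: bytes, n: int) -> Iterator[bytes]:
    """Yield every overlapping n-byte substring of the payload."""
    for i in range(len(payload) - n + 1):
        yield payload[i:i + n]


class BloomFilter:
    """Plain Bloom filter with m bits and k positions per item; the positions are
    derived from one SHA-256 digest by double hashing (constructed implementation)."""

    def __init__(self, m_bits: int, k_hashes: int) -> None:
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: bytes) -> Iterator[int]:
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step: distinct positions when m is a power of two
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def fill_ratio(self) -> float:
        """Fraction of bits set: the saturation indicator."""
        return sum(bin(b).count("1") for b in self.bits) / self.m

    def estimated_false_positive_rate(self) -> float:
        """Probability that all k positions of a never-inserted item are already set."""
        return self.fill_ratio() ** self.k


class AnagramModel:
    """Anagram-style model: n-grams of benign traffic stored in a Bloom filter;
    a packet scores as the fraction of its n-grams the filter has not seen."""

    def __init__(self, n: int, m_bits: int = 1 << 16, k_hashes: int = 4) -> None:
        self.n = n
        self.filter = BloomFilter(m_bits, k_hashes)

    def train(self, payloads: Iterable[bytes]) -> None:
        for payload in payloads:
            for gram in ngrams(payload, self.n):
                self.filter.add(gram)

    def score(self, payload: bytes) -> float:
        grams = list(ngrams(payload, self.n))
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.filter)
        return unseen / len(grams)

    def is_saturated(self, max_fill: float = 0.5) -> bool:
        """Slide 16's failure mode: once most bits are set, nearly every n-gram looks
        'seen' and scores collapse toward zero. The 50% limit is a constructed choice."""
        return self.filter.fill_ratio() > max_fill


# Constructed benign SMTP-style training payloads (sample data, not from the slides).
TRAIN = [
    b"HELO client.example.test\r\n",
    b"MAIL FROM:<alice@example.test>\r\n",
    b"RCPT TO:<bob@example.test>\r\n",
    b"DATA\r\n",
    b"Subject: status report\r\n",
    b"QUIT\r\n",
]
BENIGN_TEST = b"MAIL FROM:<carol@example.test>\r\n"   # constructed: new name, familiar structure
ANOMALOUS_TEST = bytes(range(128, 256))              # constructed: bytes absent from the ASCII training set


def demo(m_bits: int = 1 << 16) -> dict:
    """Train a 3-gram model with a filter of m_bits bits and score both test payloads."""
    model = AnagramModel(n=3, m_bits=m_bits)
    model.train(TRAIN)
    return {
        "fill_ratio": model.filter.fill_ratio(),
        "estimated_fp_rate": model.filter.estimated_false_positive_rate(),
        "saturated": model.is_saturated(),
        "benign_score": model.score(BENIGN_TEST),
        "anomalous_score": model.score(ANOMALOUS_TEST),
    }


if __name__ == "__main__":
    print("healthy filter:", demo())
    print("saturated filter:", demo(m_bits=64))
```

Run as-is, the 64 KiB filter keeps the fill ratio well under 1%, the held-out benign line scores low (only the n-grams spanning the new name are unseen) and the high-byte payload scores near 1.0; with a 64-bit filter the fill ratio approaches 1.0 and the same high-byte payload scores near 0.0. Monitoring the fill ratio during training is the practical check for this failure.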

Slide 19: Data sets
- Real-life data from different network environments (currently operating)
- Focus on the analysis of binary protocols:
  1. Typical LAN (Windows-based network services)
  2. Protocols found in ICS

Slide 21: Metrics
- Detection rate
- False positive rate

Slide 22: Detection Rate
- Number of correctly detected packets within the attack set
- Number of detected attack instances
- Alarm = true positive if the algorithm triggers at least one alert packet per attack instance
False Positive Rate
- Relate to the detection rate
- Instead of a percentage, use the number of false positives per time unit
- Two thresholds:
  1. 10 false positives per day
  2. 1 false positive per minute
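The two metrics from slide 22 computed over a labelled trace, as an added Python example (not code from the presentation): the per-packet rate within the attack set, the per-instance rate with the "at least one alert packet per instance" rule, and false positives expressed per day and per minute against the two thresholds the slide names. The trace, its two-day observation window and the `Packet` record layout are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

SECONDS_PER_DAY = 86_400
SECONDS_PER_MINUTE = 60
OBSERVATION_SECONDS = 2 * SECONDS_PER_DAY   # constructed: two days of traffic


@dataclass(frozen=True)
class Packet:
    """One packet as seen by the evaluator: arrival time, whether the detector
    alerted on it, and the attack instance it belongs to (None for benign)."""
    timestamp: float
    alerted: bool
    attack_id: Optional[str]


def packet_detection_rate(packets: Sequence[Packet]) -> float:
    """Share of packets in the attack set on which the detector alerted."""
    attack = [p for p in packets if p.attack_id is not None]
    if not attack:
        return 0.0
    return sum(1 for p in attack if p.alerted) / len(attack)


def instance_detection_rate(packets: Sequence[Packet]) -> float:
    """Share of attack instances with at least one alerted packet (slide 22's rule)."""
    instances = {p.attack_id for p in packets if p.attack_id is not None}
    detected = {p.attack_id for p in packets if p.attack_id is not None and p.alerted}
    return len(detected) / len(instances) if instances else 0.0


def false_positives_per_unit(packets: Sequence[Packet], observation_seconds: float,
                             unit_seconds: float) -> float:
    """Alerts on benign packets, scaled from the observation window to one time unit."""
    fps = sum(1 for p in packets if p.alerted and p.attack_id is None)
    return fps * unit_seconds / observation_seconds


def evaluate(packets: Sequence[Packet], observation_seconds: float) -> Dict[str, float]:
    """All metrics plus the two threshold checks from the slide."""
    per_day = false_positives_per_unit(packets, observation_seconds, SECONDS_PER_DAY)
    per_minute = false_positives_per_unit(packets, observation_seconds, SECONDS_PER_MINUTE)
    return {
        "packet_detection_rate": packet_detection_rate(packets),
        "instance_detection_rate": instance_detection_rate(packets),
        "fp_per_day": per_day,
        "fp_per_minute": per_minute,
        "under_10_per_day": per_day <= 10,
        "under_1_per_minute": per_minute <= 1,
    }


def constructed_trace() -> List[Packet]:
    """Sample trace (constructed): 15 false positives over two days, 30 quiet benign
    packets, and three attack instances of which two get at least one alert."""
    packets = [Packet(i * 10_000.0, True, None) for i in range(15)]
    packets += [Packet(i * 5_000.0 + 1, False, None) for i in range(30)]
    packets += [Packet(100.0, True, "A"), Packet(101.0, False, "A"),
                Packet(102.0, True, "A"), Packet(103.0, False, "A")]   # 2 of 4 alerted
    packets += [Packet(200.0, False, "B"), Packet(201.0, True, "B"),
                Packet(202.0, False, "B")]                              # 1 of 3 alerted
    packets += [Packet(300.0, False, "C"), Packet(301.0, False, "C")]  # missed entirely
    return packets


if __name__ == "__main__":
    for key, value in evaluate(constructed_trace(), OBSERVATION_SECONDS).items():
        print(f"{key}: {value}")
```

On the constructed trace the packet-level rate is 3/9 while the instance-level rate is 2/3, which is why the slide separates the two: a detector only needs one alerted packet to count an instance as found. The 15 benign alerts become 7.5 per day, inside the 10-per-day threshold.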

Slide 23: Signature-based IDS
- Used to verify that alerts are false positives

Slide 25: HTTP
- Used to verify implementations: PAYL, Anagram
HTTP (AS)
- Used for benchmarks with McPAD
- 66 diverse attacks
- 11 shellcodes

Slide 26: SMB
- Network traces from a university network
- Avg. data rate: ~40 Mbps
- Focus on SMB/CIFS protocol messages, which encapsulate RPC messages
- Avg. packet rate: ~22/sec
SMB (AS)
- Seven attack instances
- Exploit 4 different vulnerabilities:
  1. MS04-011
  2. MS06-040
  3. MS08-067
  4. MS10-061

Slide 27: Modbus
- Data set: traces from the ICS of a real-world plant, 30 days of observation
- Avg. throughput on the network: ~800 kbps
- Max size of a Modbus/TCP message: 256 bytes
- Avg. size of a Modbus/TCP message: 12.02 bytes
- Avg. packet rate: ~96/sec
Modbus (AS)
- 163 attack instances
- Exploit a multitude of vulnerabilities of the Modbus/TCP implementation
- Two families of exploited vulnerabilities:
  1. Unauthorized use
  2. Protocol errors

Slide 31: HTTP results
- Anagram: 0.00% false positive rate, the lowest false positive rate of all tested algorithms
- McPAD: highest false positive rate, and it is impossible to lower
- All false positives verified through Snort (none are true positives)

Slide 33: SMB results
- PAYL and POSEIDON fail to detect the attack that exploits MS06-040 when the false positive rate is below 2%

Slide 36: Why does Anagram work so well?
1. Valid read request
2. Attack instance
3. Smallest possible Modbus message allowed by the protocol specification
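Slide 36 contrasts a valid read request, an attack instance and the smallest message the Modbus specification allows. The added Python example below (not code from the presentation or from the evaluated detectors) builds Modbus/TCP frames of the first and third kind, learns the 3-grams of a set of benign read requests, and reports what fraction of each test frame's 3-grams is new. Because a Modbus/TCP message is only a handful of bytes (the 12-byte read request matches the 12.02-byte average on slide 27), a frame with a different shape shares few n-grams with the training set and stands out immediately. The block goes one step beyond the slide with a constructed length-mismatch frame in the spirit of slide 27's "protocol errors" family (not an attack from the data set): its bytes are all familiar sequences, so n-gram novelty alone does not flag it, while a protocol-level check of the MBAP length field does. The MBAP layout follows the Modbus/TCP specification; the training addresses, quantities and transaction ids are constructed.

```python
import struct
from typing import Iterable, List, Set


def mbap_frame(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Modbus/TCP ADU: MBAP header (transaction id, protocol id 0, length of
    unit id + PDU, unit id) followed by the PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(transaction_id: int, unit_id: int, start: int, quantity: int) -> bytes:
    """Valid read request: function 0x03 with start address and quantity (12 bytes in total)."""
    return mbap_frame(transaction_id, unit_id, struct.pack(">BHH", 0x03, start, quantity))


def minimal_frame(transaction_id: int, unit_id: int, function_code: int) -> bytes:
    """Smallest ADU the specification allows: MBAP header plus a bare function code (8 bytes)."""
    return mbap_frame(transaction_id, unit_id, bytes([function_code]))


def length_mismatch_frame(transaction_id: int, unit_id: int) -> bytes:
    """Constructed protocol-error frame: the length field announces a full read
    request (6 bytes after it) but only the function code follows."""
    return struct.pack(">HHHB", transaction_id, 0, 6, unit_id) + b"\x03"


def validate_mbap(frame: bytes) -> bool:
    """Protocol-level check: protocol id must be 0 and the length field must equal
    the number of bytes that follow it (unit id + PDU)."""
    if len(frame) < 8:
        return False
    _tid, protocol_id, length, _unit = struct.unpack(">HHHB", frame[:7])
    return protocol_id == 0 and length == len(frame) - 6


def ngram_set(payloads: Iterable[bytes], n: int) -> Set[bytes]:
    """All distinct n-grams of the training frames (a plain set stands in for Anagram's Bloom filter)."""
    seen: Set[bytes] = set()
    for p in payloads:
        for i in range(len(p) - n + 1):
            seen.add(p[i:i + n])
    return seen


def novelty(frame: bytes, seen: Set[bytes], n: int) -> float:
    """Fraction of the frame's n-grams that never occurred in training."""
    grams = [frame[i:i + n] for i in range(len(frame) - n + 1)]
    if not grams:
        return 1.0
    return sum(1 for g in grams if g not in seen) / len(grams)


N = 3
# Constructed benign traffic: read requests from 60 transactions over five
# (start, quantity) combinations; (200, 10) is deliberately left out of training.
TRAINING_FRAMES: List[bytes] = [
    read_holding_registers(tid, 1, start, qty)
    for tid in range(1, 61)
    for start, qty in ((0, 1), (0, 10), (100, 1), (100, 10), (200, 1))
]
SEEN = ngram_set(TRAINING_FRAMES, N)


def demo() -> dict:
    """Score three frames: a valid but unseen request, the minimal message
    (function 0x11, Report Server ID, carries no data) and the mismatch frame."""
    frames = {
        "valid_read_request": read_holding_registers(17, 1, 200, 10),
        "minimal_message": minimal_frame(17, 1, 0x11),
        "length_mismatch": length_mismatch_frame(17, 1),
    }
    return {name: (novelty(f, SEEN, N), validate_mbap(f)) for name, f in frames.items()}


if __name__ == "__main__":
    for name, (score, valid) in demo().items():
        print(f"{name}: novelty={score:.2f} mbap_valid={valid}")
```

The valid request with an unseen address/quantity pair has one new 3-gram out of ten (the one spanning the address low byte and the quantity), the 8-byte minimal message has three of six new because its length field and function code break every familiar sequence, and the mismatch frame scores zero novelty yet fails the MBAP length check. The last case is the caveat worth keeping in mind when reading slide 38's "almost every attack instance": an n-gram detector sees byte sequences, not field semantics, so a protocol-aware check complements it.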

Slide 38: Conclusions
SMB
- Attacks correctly detected
- High rate of false positives
- High cost to deploy independently in a real environment
Modbus
- Anagram independently detects almost every attack instance
- False positive rate lower than the 10 alerts per day threshold
- Can be deployed in a real environment
