Presentation is loading. Please wait.

Presentation is loading. Please wait.

Behavior Intrusion Detection: Enhanced Hakan Evecek Rodolfo Ortiz Hakan Evecek Rodolfo Ortiz.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Behavior Intrusion Detection: Enhanced Hakan Evecek Rodolfo Ortiz Hakan Evecek Rodolfo Ortiz."— Presentation transcript:

1 Behavior Intrusion Detection: Enhanced Hakan Evecek Rodolfo Ortiz Hakan Evecek Rodolfo Ortiz

2 GOALS 1.Discuss the characteristics of a Behavior Intrusion Detection Systems 2.Monitor the timing for a sequence of DNS, ICMP, HTTP/HTTPS packets. 3.Provide the results. 4.Analyze the behavior of protocols when firewall enabled/disabled. 5.Present an approach to prioritize suspicious packets. 6.How to enhance Behavior IDS

3 WHAT IS IDS? IDS is concerned with the detection of hostile actions towards a computer system or network. There are two types:  Anomaly detection (Behavior IDS)  Signature detection

4 OVERVIEW OF BIDS They can be described as an alarm for strange system behavior. Based on statistics. Advantages  They don’t need to know the details of an attack  Dynamic, they are automatically updated Disadvantages  Many false positives are generated during the sensor training  The training must be extensive so that the baseline is accurate

5 OVERVIEW OF BIDS Anomalies to be detected:  Traffic to unused ports  Non standard service assigned to one standard port (port 80 set for peer sharing)  Too much UDP/TCP traffic  More bytes coming to a HTTP server than outgoing bytes

6 Measure timing for DNS, ICMP and HTTP/HTTPS Establish a baseline for different packet sequences Label packets outside the baseline for further analysis IDS Outer (FC4) Intra1 (XP) Internet DLink SW2 DNS Server Web Server Intranet (10.0.0.0/24) DLink SW1 Intra2(win2003) DMZ (192.168.0.0/24) HP5000 SW Firewall IDS Inner (FC4) Firewall (FC4) THE PROJECT IDS Sensor DB IDS Sensor

7 ICMP Intra1 (XP) ICMP Request ICMP Reply Firewall D C B A SERVER IDS Inner

8 DNS DNS SERVER DNS Request DNS Reply Firewall IDS Inner D C B A Intra1 (XP)

9 HTTP

10 SERVER HELLO CERTIFICATE SERVER KEY EXCHANGE CERTIFICATE REQUEST SERVER HELLO DONE HTTPS

11 Units are in seconds. In a normal distribution, approximately 99.7% of the population will be in the interval defined by works well for the upper bound, but the lower bound is defined by Using the formula above, we get a confidence interval  3  DATA OBTAINED  1   3 

12 Firewall Blue-enabled Pink-disabled Packets outside the range in a circle 3 times standard deviation ICMP Time (sec) Packet Sequence Number

13 Firewall Blue-enabled Pink-disabled Packets outside the range in a circle 3 times standard deviation DNS Time (sec) Packet Sequence Number

14 Firewall enabled Blue-HTTP Pink-HTTPS Packets outside the range in a circle 3 times standard deviation HTTP vs. HTTPS Time (sec) Packet Sequence Number

15 HTTP vs. HTTPS Firewall disabled Blue-HTTP Pink-HTTPS Packets outside the range in a circle 3 times standard deviation Time (sec) Packet Sequence Number

16 HTTP vs. HTTPS

17 Using the standard deviation, the intervals will be defined. Starting from 3 times for upper bound and 1 time for lower bound. Label the suspicious packets and give them priorities based on their distance from the confidence interval. Upper boundLower bound PROPOSED APPROACH  3   1 

18 Firewall enabled ICMP 6 times standard deviation (higher priority) 3 times (lower priority) Confidence interval 1 time (lower priority) 2 times (higher priority) Time (sec) Packet Sequence Number

19 Firewall enabled DNS 6 times standard deviation (higher priority) 3 times (lower priority) Confidence interval 1 time (lower priority) 2 times (higher priority) Time (sec) Packet Sequence Number

20 Firewall enabled HTTP 6 times standard deviation (higher priority) 3 times (lower priority) Confidence interval 1 time (lower priority) 2 times (higher priority) Time (sec) Packet Sequence Number

21 Firewall enabled HTTPS 6 times standard deviation (higher priority) 3 times (lower priority) Confidence interval 1 time (lower priority) 2 times (higher priority) Time (sec) Packet Sequence Number

22 The suspicious packets are defined. Then prioritize/label the packets based on the distance from the mean. How do we know it’s an attack? Define a behavior for each kind of attack, e.g. worms SUSPICIOUS PACKETS

23 Based on “ A behavioral approach to worm detection” [20] Need to look for this pattern of information –behavioral signature- in the database. WORMS BEHAVIOR CA A:? -> C:D C:? -> E:D Host A and C and E are infected D is port number

24  What to do with the packet? How to know if it is from an intruder?  What data do we need to store?  How to collect the data towards an automated process?  How can SNORT create the intervals automatically?  Implement the approach in SNORT’s source code  Analyzing other protocols FUTURE WORK

25  Analyzing other scenarios like an internet server instead of a local server  Analyze wireless communication  DNSSecure  Behavioral signatures for other attacks FUTURE WORK

26 Timing is important and we also need to look at other variables, like performance before making a decision. This decreases false positives. The intervals work in the studied protocols, results may change for other protocols. Intervals need to be tested using attacks like DDoS, worms, etc. HTTP and HTTPS graphs are different because more information is exchanged and timing varies. CONCLUSION

27 Network Intrusion Detection. Stephen Northcutt, Judy Novak. New Riders 2003 Defending yourself: The role of Intrusion Detection Systems. Jon McHugh, Alan Christie and Julia Allen Design of an Autonomous Anti-DdoS Network (A2D2). Angela Cearns Thesis, 2002 Intrusion detection with SNORT. Rafeeq Ur Rehman. Prentice Hall 2003 REFERENCES

28 QUESTIONS?

Download ppt "Behavior Intrusion Detection: Enhanced Hakan Evecek Rodolfo Ortiz Hakan Evecek Rodolfo Ortiz."

Similar presentations

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.

VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
Anomaly Detection Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
History DHCP was first defined as a standards track protocol in RFC 1531 in October 1993, as an extension to the Bootstrap Protocol (BOOTP). The motivation.

History DHCP was first defined as a standards track protocol in RFC 1531 in October 1993, as an extension to the Bootstrap Protocol (BOOTP). The motivation.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies www.coresecurity.com.

Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.

Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.
Report on statistical Intrusion Detection systems By Ganesh Godavari.

Report on statistical Intrusion Detection systems By Ganesh Godavari.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Big Data Analytics and Challenge Presented by Saurabh Rastogi Asst. Prof. in Maharaja Agrasen Institute of Technology B.Tech(IT), M.Tech(IT)

Big Data Analytics and Challenge Presented by Saurabh Rastogi Asst. Prof. in Maharaja Agrasen Institute of Technology B.Tech(IT), M.Tech(IT)
seminar on Intrusion detection system

seminar on Intrusion detection system

Similar presentations

Ads by Google