********************************************************************************
* Alert: ident=2635
* Classification type: unknown
* Classification: TELNET access
* Classification URL: http://www.whitehats.com/info/IDS08
*
* Creation time: 0xc39e21e6.0x5b14b00 (2004-01-01 12:34:46.355+0800)
* Detection time: 0xbc6f91f9.0x2202900 (2000-03-07 22:34:33.132+0800)
* Analyzer ID: 1124004886740625120
* Analyzer model: Prelude NIDS
* Analyzer version: 0.8.6
* Analyzer class: NIDS
* Analyzer manufacturer: The Prelude Team http://www.prelude-ids.org
* Analyzer OS type: Linux
* Analyzer OS version: 2.4.18-27.8.0
* Node[unknown]:
* Process: pid=1291 name=prelude-nids
*
* Impact severity: low
* Impact completion: NULL
* Impact type: other
* Impact description: Not Suspicious Traffic
*
*** Source information ********************************************************
* Source spoofed: unknown
* Node[unknown]:
* Addr[ipv4-addr]: 172.16.112.50
* Service: port=23 (telnet) protocol=tcp
*
*** Target information ********************************************************
* Target decoy: unknown
* Node[unknown]:
* Addr[ipv4-addr]: 194.7.248.153
* Service: port=4221 protocol=tcp
*
*** Additional data within the alert ******************************************
* Ethernet header: 0:50:da:b7:6:88 -> 0:10:7b:38:46:3b [ether_type=ip (2048)]
* Ip header: 172.16.112.50 -> 194.7.248.153 [hl=20,version=4,tos=0,len=55,id=32892,ttl=64,prot=6,frag=[DF ]]
* Tcp header: 23 -> 4221 [flags=PUSH ACK,seq=1733573269,ack=464246126,win=33580]
* Payload header: size=15 bytes
* Payload Hexadecimal Dump: ff fd 18 ff fd 1f ff fd 23 ff fd 27 ff fd 24   ........#..'..$
* Detection Plugin Name: SnortRules
* Detection Plugin Author: The Prelude Team
* Detection Plugin Contact: prelude-devel@prelude-ids.org
* Detection Plugin Description: Snort signature parser.
* Snort rule ID: 716
* Snort rule revision: 5
*
********************************************************************************
Figure: An alert of Prelude

2003-2004 Final Year Project Presentation DY1
Machine Learning for Computer Security Applications
by Lam Ho-yu
advised by Dr. Yeung Dit-yan

What is computer security?
- Computer Security = Firewall?
- Is it secure?
- 7-eleven examples…

Intrusion Detection System (IDS)
- Real world: Surveillance Camera
- Computer Networks: IDS to monitor network
- This project: computer security application = Intrusion Detection System (IDS)

Presentation Flow
- Problems of current IDS technology
- Objectives of this project
- Scenario – the key idea of this project
- System framework
- Another approach: Active Support Vector Machine (ASVM)

Problems of Current IDS
- Low-level
- Large Quantity
- False alerts – Password typo vs. Password guessing?
- Heavy workload for network security officers

172.16.113.50/portmap pm_getport: sadmind -> 0/udp
952442110.022445 SensitivePortmapperAccess rpc: 202.77.162.213/659 > 172.16.112.10/portmap pm_getport: sadmind -> 56255/udp
952442110.098242 SensitivePortmapperAccess rpc: 202.77.162.213/660 > 172.16.112.50/portmap pm_getport: sadmind -> 56261/udp
952443968.102596 ContentGap 194.27.251.21/13525 > 172.16.112.194/telnet content gap (< 92797/14296)
A part of “alert.log” of Bro

Objectives
- To allow easier separation between false alerts and real alerts
- To transform alerts into a more user-friendly representation
- To relieve the operator’s workload by automation

Notion of Scenario
A typical attack usually takes several steps:
1. Scan for candidate machines
2. Exploration – Gather information about the machine
3. Exploitation – Break into the machine
4. Escalation – Gain more control (super-user)
5. Do anything the intruders want!!
Operators want to see the logical steps that the intruder is taking.

The System Framework

Learning Components
- Clustering – Group similar alerts together
- Correlation – Group alerts that are in the same scenario
(Figure labels: Multi-Layer Perceptrons, Decision Tree)

Key Results
Total Clusters: 236
Alert count in clusters: 835

Correlation Results
Total Scenarios: 182
Alert count in Scenarios: 236

Confusion Matrix (rows: desired label, columns: processed result)
Desired   True   False   Total
True       126       1     127
False      130     578     708
Total      256     579     835

Same matrix as percentages (each row over its row total; the Total column and the Total row over all 835 alerts)
Desired   True      False     Total
True      99.21%    0.7874%   15.21%
False     18.36%    81.64%    84.79%
Total     30.66%    69.34%

Screen Shot

Q & A

Thank you!

Active Support Vector Machine
- Identify the “most useful” test data and ask the user to classify it for training
- Most useful?
(Figure: test data split into False Alerts and True Alerts with the SVM margin drawn; random sampling compared with SVM-based sampling)
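The following is an added example, not code from the project or the presentation: it runs the "SVM-based sampling" idea of the Active SVM slide (query the unlabeled alert nearest the margin, let the operator label it, retrain) against random sampling, and reports the outcome in the Desired-versus-Processed confusion-matrix layout of the Key Results slide, including that slide's row-percentage table. The two alert features, the Pegasos trainer and the sample distributions are assumptions made here so that it runs offline.

```python
"""Margin-based active learning for IDS alert triage.

Added example, not code from the presentation: a small linear SVM trained
with Pegasos sub-gradient steps sits inside an active-learning loop that
asks the operator to label the unlabeled alert nearest the current decision
boundary (the slide's "SVM-based sampling"), with random sampling kept as
the baseline. Alert features are constructed; the operator is a label list."""
import random


def aug(x):
    return list(x) + [1.0]  # constant feature so the bias is just a weight


def decision(w, x):
    """Score f(x) = w . [x, 1]; sign(f) is the predicted class."""
    return sum(wj * xj for wj, xj in zip(w, aug(x)))


def train_svm(X, y, epochs=300, lam=0.01):
    """Linear SVM by Pegasos. y is +1 for a true alert, -1 for a false
    alert. Returns the weight vector with the bias as its last entry."""
    w = [0.0] * (len(X[0]) + 1)
    t = 0
    for _ in range(epochs):
        for x, yi in zip(X, y):
            t += 1
            eta = 1.0 / (lam * t)
            xa = aug(x)
            violated = yi * sum(wj * xj for wj, xj in zip(w, xa)) < 1
            w = [(1 - eta * lam) * wj for wj in w]  # regulariser shrink
            if violated:  # hinge-loss sub-gradient step
                w = [wj + eta * yi * xj for wj, xj in zip(w, xa)]
    return w


def pick_min_margin(w, X, unlabeled):
    """SVM-based sampling: the unlabeled alert with the smallest |f(x)|,
    i.e. the one the current model is least certain about."""
    return min(unlabeled, key=lambda i: abs(decision(w, X[i])))


def active_learn(X, y, seed_idx, queries, strategy, rng_seed=0):
    """Grow the labeled set by `queries` operator answers. y plays the
    operator: it is read only for alerts that have been asked about."""
    rng = random.Random(rng_seed)
    labeled = list(seed_idx)
    unlabeled = [i for i in range(len(X)) if i not in labeled]
    w = train_svm([X[i] for i in labeled], [y[i] for i in labeled])
    for _ in range(queries):
        if strategy == "svm":
            i = pick_min_margin(w, X, unlabeled)
        else:
            i = rng.choice(unlabeled)  # baseline: random sampling
        unlabeled.remove(i)
        labeled.append(i)  # the operator classifies alert i
        w = train_svm([X[j] for j in labeled], [y[j] for j in labeled])
    return w, labeled


def confusion_matrix(w, X, y):
    """Counts in the results slide's layout: rows are the desired (operator)
    label, columns the processed (classifier) label."""
    m = {"True": {"True": 0, "False": 0}, "False": {"True": 0, "False": 0}}
    for x, yi in zip(X, y):
        desired = "True" if yi == 1 else "False"
        processed = "True" if decision(w, x) >= 0 else "False"
        m[desired][processed] += 1
    return m


def row_rates(m):
    """Percentages as in the slide's second table: each row over its own
    total, the Total column and the Total row over the grand total."""
    grand = sum(sum(r.values()) for r in m.values())
    out = {}
    for row in ("True", "False"):
        tot = sum(m[row].values())
        out[row] = {c: round(100 * m[row][c] / tot, 2) for c in m[row]}
        out[row]["Total"] = round(100 * tot / grand, 2)
    out["Total"] = {c: round(100 * sum(m[r][c] for r in m) / grand, 2)
                    for c in ("True", "False")}
    return out


def make_alerts(seed=1, n_true=30, n_false=170):
    """Constructed per-alert features (failed-login rate, distinct-target rate)
    in [0, 1]: password guessing scores high on both, a password typo low."""
    rng = random.Random(seed)
    X = [[rng.uniform(0.7, 1.0), rng.uniform(0.6, 1.0)] for _ in range(n_true)]
    X += [[rng.uniform(0.0, 0.3), rng.uniform(0.0, 0.4)] for _ in range(n_false)]
    return X, [1] * n_true + [-1] * n_false


if __name__ == "__main__":
    X, y = make_alerts()
    for strategy in ("svm", "random"):  # seed set: two alerts of each class
        w, _ = active_learn(X, y, [0, 1, 30, 31], 15, strategy)
        print(strategy, row_rates(confusion_matrix(w, X, y)))
```

Feeding the slide's own counts (126, 1, 130, 578) to row_rates reproduces its percentage table, which is how the two tables on the Key Results slide relate.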