KB-IDS
Academic Advisor: Dr. Yuval Elovici
Technical Advisor: Asaf Shabtai
Team Members: Eliya Rahamim, Elad Ankry, Uri Kanonov
Background
An IDS (intrusion detection system) is used to detect malicious behaviors that indicate a breach in the security of a computer system.
The Knowledge-based Temporal Abstraction (KBTA) method is a computational mechanism that extracts meaningful conclusions from raw time-stamped data and domain knowledge.
Android is an operating system for mobile devices, based on the Linux kernel and developed by Google. It allows applications to be developed in Java, controlling the phone via Google-developed Java libraries.
Problem Domain
In the modern age, smartphones, as well as the threats they are susceptible to, are a growing trend. This strengthens the need for sophisticated defense mechanisms to protect them.
Current Situation
- Mobile devices lack the computational strength needed to support PC-like security solutions.
- Android, being open source and an open platform, introduces new potential risks and types of attacks.
- Android has some inherent security mechanisms, but they cannot cope with all possible threats.
- Due to application sandboxing, conventional methods such as antivirus are futile.
There is a need for a different solution…
Proposed Solution - HIDS
Knowledge-based Temporal Abstraction
Developed by Prof. Yuval Shahar, 1997.
Knowledge: the KBTA security ontology.
Four inference mechanisms:
- Temporal Context Forming
- Contemporaneous Abstraction
- Temporal Interpolation
- Temporal Pattern Matching
Higher-level meaningful temporal information:
- Contexts
- Abstractions
- Temporal Patterns
Time-stamped raw data:
- Primitive Parameters
- Events
KBTA – cont.
[Diagram: a timeline (T0, T1, T2, T3; intervals I1, I2) showing the KBTA layers. Events: a Wi-Fi Connection event at T0. Contexts: the "Internet Connection Mode" context it induces. Primitives: raw TCP Packets Sent samples. Abstractions: the TCP Packets Sent State (Low / Medium / High), here = HIGH. Patterns: a Worm Pattern over the HIGH state within the context.]
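The four inference mechanisms from the diagram, as an added illustration that is not code from the KB-IDS project: constructed per-window samples of the TCP Packets Sent primitive are abstracted to Low/Medium/High, joined into intervals, placed inside the Wi-Fi-induced context, and matched against a worm pattern. The thresholds, sample values, event names and function names are all assumptions.

```python
# Added example (not KB-IDS project code): the four KBTA inference steps over
# constructed per-window samples; thresholds, names and sample values are assumptions.
SAMPLES = [  # constructed input, one record per window; "tcp_sent" is the primitive parameter
    {"t": 0, "tcp_sent": 12, "events": ["wifi_connected"]},
    {"t": 1, "tcp_sent": 40, "events": []},
    {"t": 2, "tcp_sent": 450, "events": []},
    {"t": 3, "tcp_sent": 520, "events": []},
    {"t": 4, "tcp_sent": 610, "events": []},
    {"t": 5, "tcp_sent": 15, "events": ["wifi_disconnected"]},
]

def abstract_state(tcp_sent, low=50, high=300):
    """Contemporaneous abstraction: raw count -> LOW / MEDIUM / HIGH (assumed thresholds)."""
    if tcp_sent >= high:
        return "HIGH"
    if tcp_sent >= low:
        return "MEDIUM"
    return "LOW"

def form_contexts(samples):
    """Temporal context forming: wifi_connected opens the Internet Connection context; wifi_disconnected closes it."""
    contexts, start = [], None
    for s in samples:
        if "wifi_connected" in s["events"] and start is None:
            start = s["t"]
        elif "wifi_disconnected" in s["events"] and start is not None:
            contexts.append((start, s["t"] - 1))  # context ends the window before the disconnect
            start = None
    if start is not None:  # still connected at end of data: context stays open
        contexts.append((start, samples[-1]["t"]))
    return contexts

def interpolate(samples):
    """Temporal interpolation: join adjacent windows with the same state into (start, end, state)."""
    intervals = []
    for s in samples:
        state = abstract_state(s["tcp_sent"])
        if intervals and intervals[-1][2] == state and intervals[-1][1] == s["t"] - 1:
            intervals[-1] = (intervals[-1][0], s["t"], state)
        else:
            intervals.append((s["t"], s["t"], state))
    return intervals

def match_worm_pattern(samples, min_windows=3):
    """Temporal pattern matching: HIGH tcp_sent for >= min_windows windows, entirely inside a context."""
    contexts = form_contexts(samples)
    return [(a, b) for a, b, st in interpolate(samples)
            if st == "HIGH" and b - a + 1 >= min_windows
            and any(c0 <= a and b <= c1 for c0, c1 in contexts)]
```

The same HIGH burst with no Wi-Fi event yields no match, because the pattern is only meaningful inside the Internet Connection context.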
Func. Requirements - Agent
Registration/Login: Ability to register with the Control Center. Ability to log in to the Control Center and receive configuration for the various installed components.
Monitor: Every predefined time window, the agent samples state parameters and counts the number of system/user events that occurred in the time window.
Send monitored data: The agent sends the monitored data to the analysis servers and the Control Center at the end of each predefined time window.
Receive alerts: Ability to receive alerts, along with any associated data, from the Threat Weighting Unit.
Func. Requirements – Analysis Servers
Receive and analyze monitored data: Ability to receive and analyze the data received from the agent and output a conclusion regarding the existence of a threat.
Send analysis result: Ability to send the analysis result to the Threat Weighting Unit.
Func. Requirements – KBTA Server
KBTA processing: Ability to incrementally process the received data according to the KBTA method, supporting the following elements:
- Primitive
- Event
- Context
- State
- Trend
- Pattern
Configure monitored patterns: Ability to set which patterns will be computed and monitored for threat presence.
Func. Requirements – Threat Weighting Unit
Weight threat assessments: Ability to receive threat assessments (along with any associated data) from multiple local analysis servers and weight them, outputting a single assessment.
Alert: Ability to dispatch an alert (along with any associated data) to both the agent and the Control Center in case of threat detection.
Non-Func. Requirements
- Gathering a feature batch (maximum 40) by the agent should take less than 10 seconds.
- CPU usage by the HIDS should be under 10%.
- The HIDS should take at most 10MB on the data partition of the device.
- The HIDS will be developed in Java using the Android SDK.
- For demo and testing purposes, a real device will be supplied by DT Labs.
Collect features, Analyze Data and Weight Assessments
Primary actors: Android
Description: After a time trigger, the agent collects the monitored feature values and sends them to all of the local analysis servers. Each of the servers analyzes the data and outputs a threat assessment. The assessments are weighted by the TWU and, if a threat is found, an alert, along with any associated data, is dispatched to the agent and the Control Center.
Trigger: A time trigger from Android
Pre-conditions: The agent is installed on the device and is running
Post-conditions: If a threat is found, an alert along with any associated data has been dispatched
Risks
Risk: The HIDS consumes too much CPU. Solution: Reduce the quantity of features collected by the agent and/or decrease the collection rate.
Risk: The HIDS consumes too much memory. Solution: Reduce the time frame for keeping raw data in the KBTA's memory.
Risk: The HIDS consumes too much bandwidth. Solution: Lessen the amount of data transmitted to and from the Control Center.
The End And so Android lived happily ever after…