UCDavis SecLab MURI October 2002

Automated Intrusion Response Project
Ivan Balepin, Karl Levitt
UC Davis Computer Security Lab
2
UCDavis SecLab MURI October 2002 2 Why Study Automated Response? Immediate: contain the attack quickly –Kill the offending process –Slow down the attacker –Roll back to a safe state, etc. Cleanup - needs to be done carefully –Weighing cost of response against potential attack damage –High cost of false positives – can be used for DOS attacks Prevent the same attack from happening on this system –Report the attack to other security systems (firewalls, IDS’s, JIGSAW, HACQIT, etc). Long term: generalize the attack and warn others –Synthesize an attack signature and report it. –Deceive and study the attacker.
3
UCDavis SecLab MURI October 2002 3 Autonomic Responses: –not open –lock the file –delete the file –kill the process(es) –alert Complex Responses: –start a combination of response actions –start checkpointing –change permissions –reboot the system –block the user –slow down the process(es) –roll back –return a random result –perform a random action –operate on a fake file Example: Responses to open()
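The autonomic responses above can be wired into the open() call itself. The following is an added example, not code from the UC Davis project: a Python wrapper around open() that consults a hypothetical per-path policy table and applies the deny ("not open"), lock, delete, fake-file, random-result, slow-down and alert responses. The policy table, the decoy mapping and the delay are assumptions, and the files it operates on are constructed in a temporary directory. A real deployment would put this logic in a system-call interposition layer (an LD_PRELOAD shim, ptrace, or a kernel hook) rather than in a Python function that callers must remember to use.

```python
"""Responses to open(), applied by an interposing wrapper.

Constructed example: POLICY, DECOYS, ALERTS and SLOWDOWN_SECONDS are
assumed names/values for illustration, not part of the UC Davis project.
"""
import io
import os
import stat
import tempfile
import time

_real_open = open          # the unmodified open() we fall through to
POLICY = {}                # absolute path -> response name (assumed table)
DECOYS = {}                # absolute path -> decoy path used by "fake"
ALERTS = []                # (action, path) records produced by "alert"/"slow"
SLOWDOWN_SECONDS = 0.05    # delay applied by "slow"; assumed value


def decide(path):
    """Look up the configured response for a path; default is to allow."""
    return POLICY.get(os.path.abspath(path), "allow")


def guarded_open(path, mode="r", *args, **kwargs):
    """open() with the response actions from the slide wired in."""
    action = decide(path)
    if action == "deny":            # "not open"
        raise PermissionError(f"response policy denies open of {path}")
    if action == "lock":            # "lock the file": strip every permission bit, then refuse
        os.chmod(path, 0)
        raise PermissionError(f"{path} locked by response policy")
    if action == "delete":          # "delete the file"
        os.remove(path)
        raise FileNotFoundError(f"{path} removed by response policy")
    if action == "fake":            # "operate on a fake file": silently redirect to a decoy
        return _real_open(DECOYS[os.path.abspath(path)], mode, *args, **kwargs)
    if action == "random":          # "return a random result": junk, the real data is never read
        data = os.urandom(64)
        return io.BytesIO(data) if "b" in mode else io.StringIO(data.hex())
    if action == "slow":            # "slow down the process": delay, then allow
        time.sleep(SLOWDOWN_SECONDS)
    if action in ("alert", "slow"):  # "alert": record the event and let the call through
        ALERTS.append((action, os.path.abspath(path)))
    return _real_open(path, mode, *args, **kwargs)


def run_demo():
    """Exercise each response against constructed files; return what the caller saw."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "secret.txt")
        decoy = os.path.join(d, "decoy.txt")
        victim = os.path.join(d, "lockme.txt")
        doomed = os.path.join(d, "deleteme.txt")
        for p, text in ((real, "real secret\n"), (decoy, "decoy data\n"),
                        (victim, "x\n"), (doomed, "x\n")):
            with _real_open(p, "w") as f:
                f.write(text)
        POLICY.clear()
        ALERTS.clear()
        DECOYS[os.path.abspath(real)] = decoy
        for action in ("allow", "deny", "fake", "random", "slow", "alert"):
            POLICY[os.path.abspath(real)] = action
            try:
                with guarded_open(real) as f:
                    results[action] = f.read()
            except PermissionError:
                results[action] = "PermissionError"
        POLICY[os.path.abspath(victim)] = "lock"
        try:
            guarded_open(victim)
        except PermissionError:
            results["lock"] = oct(stat.S_IMODE(os.stat(victim).st_mode))
        POLICY[os.path.abspath(doomed)] = "delete"
        try:
            guarded_open(doomed)
        except FileNotFoundError:
            results["delete"] = os.path.exists(doomed)
        results["alerts"] = list(ALERTS)
        os.chmod(victim, 0o600)     # restore so the temporary directory can be removed
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:8s} -> {v!r}")
```

The "fake" and "random" branches are the deception responses: the caller cannot tell from the return value that anything happened, which is what makes them useful for studying an attacker, and also what makes a false positive against a legitimate process so costly.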
4
UCDavis SecLab MURI October 2002 4 Sample Responses
5
UCDavis SecLab MURI October 2002 5 Areas a Response Action Affects: –Data Integrity: deleting files, killing the process, etc. –Confidentiality: changing permissions, etc. –Availability: slowing down a process, disabling certain calls, etc. Level of a Response Action: –Single process –Group of Processes –User –Group –System –Network Categorizing Response
6
UCDavis SecLab MURI October 2002 6 Example: Selecting the Response System Spec-Based IDS System Spec-Based IDS System Spec-Based IDS Response Broker
7
UCDavis SecLab MURI October 2002 7 Example: Selecting the Response Incident Data: –Resources involved –Specs violated –Suggested responses System Spec-Based IDS Incident System Spec-Based IDS Incident Response Broker
8
UCDavis SecLab MURI October 2002 8 Example: Selecting the Response Incident Data: –Resources involved –Specs violated –Suggested responses System Data: –Resource ownership –Level of threat, etc. System Spec-Based IDS Incident Response Broker System Data
9
UCDavis SecLab MURI October 2002 9 Example: Selecting the Response Incident Data: –Resources involved –Specs violated –Suggested responses System Data: –Resource ownership –Level of threat, etc. Which Responses Satisfy our Rules? –Integrity –Confidentiality System Spec-Based IDS Incident Response Broker Security Principles: Integrity Confidentiality System Data
10
UCDavis SecLab MURI October 2002 10 Example: Selecting the Response Incident Data: –Resources involved –Specs violated –Suggested responses System Data: –Resource ownership –Level of threat, etc. Which Responses Satisfy our Rules? –Integrity –Confidentiality Pick the Least Costly One –Look at the whole chain –Estimate resources used: level hierarchy System Spec-Based IDS Incident Response Broker Security Principles: Integrity Confidentiality Respond
11
UCDavis SecLab MURI October 2002 11 Example: Selecting the Response Incident Data: –Resources involved –Specs violated –Suggested responses System Data: –Resource ownership –Level of threat, etc. Which Responses Satisfy our Rules? –Integrity –Confidentiality Pick the Least Costly One –Look at the whole chain –Estimate resources used: level hierarchy …or Pick the Least Costly Way to Preserve System Spec-Based IDS Incident Response Broker Security Principles: Integrity Confidentiality RespondPreserve
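The selection steps on the slides above, as an added worked example that is not the project's code. The level weights, the form of the integrity and confidentiality rules (a response may degrade a principle only for data the attacker owns, never a third party's), the cost model (level weight times the number of processes in the offending chain) and the threat-level policy in broker() are assumptions for illustration; the incident and system data are constructed.

```python
"""Response broker: filter the IDS's suggested responses by the security
rules, then pick the least costly one, or the least costly one that
preserves the violated property.

Constructed example. LEVEL_COST, the rules, the cost model and the
broker() policy are assumptions, not the UC Davis project's definitions.
"""
from dataclasses import dataclass

# Assumed cost weight per level of the response hierarchy (slide 5).
LEVEL_COST = {"process": 1, "process_group": 2, "user": 8,
              "group": 16, "system": 32, "network": 64}


@dataclass(frozen=True)
class Response:
    name: str
    level: str            # key of LEVEL_COST
    target: str           # "chain" (offending processes), "subject" (the user) or "resources" (files)
    affects: frozenset    # principles the action itself degrades
    preserves: frozenset  # principles the action restores for the violated resources


@dataclass
class Incident:           # what the spec-based IDS reports
    resources: list       # resources involved
    specs_violated: list  # names of the violated specs
    violated: frozenset   # principles those specs protect
    suggested: list       # candidate Response objects
    attacker_uid: int
    chain: list           # pids in the offending process chain


@dataclass
class SystemData:
    owner: dict           # resource -> uid
    threat_level: int     # 1 low .. 3 high (assumed scale)


def owners(resp, inc, sysd):
    """Whose data the response action touches."""
    if resp.target == "resources":
        return {sysd.owner[r] for r in inc.resources}
    return {inc.attacker_uid}   # the chain and the subject belong to the attacker


def satisfies_rules(resp, inc, sysd):
    """Integrity/confidentiality rules (assumed): the action may degrade a
    principle only for data owned by the attacker."""
    for principle in ("integrity", "confidentiality"):
        if principle in resp.affects and owners(resp, inc, sysd) != {inc.attacker_uid}:
            return False
    return True


def cost(resp, inc):
    """Resources used, from the level hierarchy; chain actions pay per process in the chain."""
    units = len(inc.chain) if resp.target == "chain" else 1
    return LEVEL_COST[resp.level] * units


def admissible(inc, sysd):
    return [r for r in inc.suggested if satisfies_rules(r, inc, sysd)]


def least_costly(inc, sysd):
    """Slide 10: the cheapest admissible response."""
    return min(admissible(inc, sysd), key=lambda r: cost(r, inc), default=None)


def least_costly_preserving(inc, sysd):
    """Slide 11: the cheapest admissible response that preserves every violated principle."""
    cands = [r for r in admissible(inc, sysd) if inc.violated <= r.preserves]
    return min(cands, key=lambda r: cost(r, inc), default=None)


def broker(inc, sysd):
    """Assumed policy: at high threat insist on preservation, otherwise minimise cost."""
    if sysd.threat_level >= 3:
        return least_costly_preserving(inc, sysd) or least_costly(inc, sysd)
    return least_costly(inc, sysd)


def example_incident():
    """Constructed incident: a three-process chain owned by uid 1000 wrote to /etc/passwd."""
    I, C, A = "integrity", "confidentiality", "availability"
    suggested = [
        Response("delete_file", "system", "resources", frozenset({I}), frozenset({C})),
        Response("change_permissions", "system", "resources", frozenset({C}), frozenset({I})),
        Response("lock_file", "system", "resources", frozenset({A}), frozenset({I})),
        Response("kill_chain", "process_group", "chain", frozenset({A}), frozenset({I, C})),
        Response("slow_chain", "process", "chain", frozenset({A}), frozenset()),
        Response("block_user", "user", "subject", frozenset({A}), frozenset({I, C})),
    ]
    inc = Incident(["/etc/passwd"], ["no-write:/etc/passwd"], frozenset({I}),
                   suggested, attacker_uid=1000, chain=[4211, 4215, 4218])
    sysd = SystemData(owner={"/etc/passwd": 0}, threat_level=1)
    return inc, sysd


if __name__ == "__main__":
    inc, sysd = example_incident()
    print("admissible:", [r.name for r in admissible(inc, sysd)])
    print("least costly:", least_costly(inc, sysd).name)
    print("least costly preserving:", least_costly_preserving(inc, sysd).name)
```

With the constructed incident, deleting or re-permissioning /etc/passwd is rejected outright because the file belongs to root, not to the attacker; slowing the chain is the cheapest admissible action, but it preserves nothing, so under the preservation path the broker escalates to killing the chain rather than the still-cheaper-per-unit but higher-level block of the whole user.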
12
UCDavis SecLab MURI October 2002 12 Response: Project Plan Current progress –Defined the problem and the scope of study –Initial experiments with spec-based IDS’s: hard-coding response –Developing response hierarchy –Web page: http://wwwcsif.cs.ucdavis.edu/~balepin Work to be done –Formalizing response model –Implementing response on a spec-based IDS –Testing and evaluating performance –Applying response model to other systems