1. 1 A Network Security Monitor Paper By: Heberlein et. al. Presentation By: Eric Hawkins

2. 2 Paper Background  Authors (Heberlein, Dias, Levitt, Mukherjee, Wood, and Wolber) all from CSC at UC Davis –One of the leading research institutions for security  Published in 1990  One of the seminal papers in intrusion detection / network security

3. 3 The Problem  How to keep computer networks secure against network attacks and intrustions?  Computer systems and networks were designed around trusted users  Cannot simply close off the network – need interconnection with “outside world”  Encryption, private keys, etc. cannot protect against all threats –e.g. legitimate users misusing privileges

4. 4 The Idea  A network security monitor that compares current network activity to historical behavior in order to detect usage anomalies –Capture network traffic –Analyze traffic based on historical activity patterns and/or pre-defined rules

5. 5 Discussion of Attacks  Preparation Phase –More prepared attackers are more difficult to defend against  Attack Phase –Target offers service that Attacker exploits –Target seeks to use service offered by Attacker  Post-Attack Phase

6. 6 Concept of the N.S.M.  4-D matrix, axes are: –Source –Destination –Service –Connection ID  Each cell in matrix represents a unique connection  Each cell contains: –Number of packets passed on the connection –Cumulative sum of the data carried by those packets

7. 7 Concept of the N.S.M. (2)  The traffic matrix can be compared against particular patterns to match types of attacks –Patterns must be generated for such attacks –Use probability distributions to determine which measurements are likely to indicate attacks  Rules can also be employed to develop patterns –e.g. rule looking for a login connection that only exchanges a few packets and terminates –Difficult to apply hierarchically

8. 8 N.S.M. Architecture  Packet catcher – captures all packets  Parser – extracts protocol info (addressing, service, etc.)  Matrix Generator – creates cells or increments counts in 4-D matrix constructed of linked-lists  Matrix Analyzer – examines matrix representing current traffic against “normal traffic” (masking) or by applying rules  Matrix Archiver – saves traffic matrix

9. 9 Results  Identified problems which were actually just abuse of network privileges –Full backups using FTP –Programs continually executing finger  Thrown off when a network file server went down  Detected several consecutive failed log-ins

10. 10 Difficulties  How do you train the monitor for a “normal” usage pattern? Who’s to say a security breach isn’t occurring while training?  Defining rules for non-trivial attacks will be difficult  Network traffic is not accessible when networks use non-broadcast media (think: switches vs. hubs)