Presentation is loading. Please wait.

Presentation is loading. Please wait.

Scientific Systems SSCI #1301 DARPA OASIS PI MEETING – Norfolk, VA - Feb 13-16, 2001 Intelligent Active Profiling for Detection and Intent Inference of.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Scientific Systems SSCI #1301 DARPA OASIS PI MEETING – Norfolk, VA - Feb 13-16, 2001 Intelligent Active Profiling for Detection and Intent Inference of."— Presentation transcript:

1 Scientific Systems SSCI #1301 DARPA OASIS PI MEETING – Norfolk, VA - Feb 13-16, 2001 Intelligent Active Profiling for Detection and Intent Inference of Insider Threat in Information Systems Joao B. D. Cabrera and Raman K. Mehra Scientific Systems Company, Inc. Lundy Lewis Wenke Lee Aprisma Inc. North Carolina State Univ. SBIR Phase I Topic No. SB002-039 Contract No. DAAH01-00-C-R027

2 Scientific Systems Motivation Network Management Systems and Security * Large infrastructure already in place to perform Network, System, and Applications Management. * Building blocks: SNMP Management, RMON – Standardized tools, widely utilized. * COTS NMSs available that automate several functions: Aprisma’s SPECTRUM Platform, HP’s OpenView, … * Vendors offer NMS solutions integrated with Firewalls, IDSs, Security Scanners, PKI Infrastructure, Anti-Virus Software, etc.

3 Scientific Systems Motivation (cont.) * Management: Fault, Configuration, Accounting, Performance, Security (FCAPS). * NMSs provide a powerful capability for data collection at several levels and time scales. * Lot of emphasis on Fault, Configuration and Performance – Several tools already available. * Utilization of NMSs for Security not fully realized … * Faults, Performance and Security cannot be studied separately …

4 Scientific Systems Motivation (cont.) * A security breach may deteriorate performance and cause a fault … * A fault may render the system vulnerable to attacks … * Deterioration of performance may make users impatient, and more willing to violate security policies to get their jobs done.

5 Scientific Systems Motivation (cont.) * Many of the tools designed for Fault Management and Security Monitoring can be adapted for Security Management. * Alarm Infrastructure already available – Tools to monitor Information Systems and set Alarms * The SSCI/Aprisma/NCSU team has investigated the use of COTS NMS for the Detection of Precursors of Distributed Denial-of-Service Attacks; Precursors were found at the level of MIB traffic variables – Paper available upon request.

6 Scientific Systems Objective Detecting and Responding to Insider Threats * Objective: Investigate the application of NMSs for the monitoring, detection and response of Security Violations carried out by Insiders. * Misuse/Intrusion Tolerance is achieved by having an adequate and timely response. * Technology: Statistical Pattern Recognition and AI for the design of detectors and classifiers; Network Management Systems for data collection and response coordination. * Approach: Utilize the Benchmark Problem for proof-of- concept studies; examine the applicability of NMSs and peripherals for response.

7 Scientific Systems Towards Adequate and Timely Response Adequate: 1.High Accuracy – Few False Alarms, Lots of Detections. 2.Distinguish among attacks – Different attacks elicit different types of response. 3.Distinguish faults from attacks. Timely: Detect the Attack before it is too late to respond.

8 Scientific Systems Question 1: What threats/attacks are your project considering ? * Insider Attacks: Password stealing, unauthorized database access, email snooping, etc. * For proof-of-concept purposes, we will be investigating the Benchmark Problem of System Calls made by Privileged Processes. * However, the technologies and tools we are developing are applicable to any situation in which the observables are sequences of possibly correlated categorical variables.

9 Scientific Systems Question 2: What assumptions does your project make ? 1. Data sets corresponding to normal, malicious and faulty behavior are available for the construction and testing of detection schemes – Training Stage and Testing Stage. 2. The observables for normal, malicious and faulty behavior are sequences of categorical variables. 3. Patterns of malicious activity exist, are detectable, and are learnable by special purpose algorithms – to investigate. 4. If 3. is possible, there is time to take preventive action when malicious activity is detected – to investigate: we may need to redesign the Alarming Infrastructure to enable timely response.

10 Scientific Systems Question 3: What policies can your project enforce ? * If the detection system accuses the presence of malicious activity, a response will be triggered. * For the specific case of the Benchmark Problem typical responses would be to kill the process, or delay its execution till time out. * If the Intent Inference capability is achieved, the response will be suited to the type and gravity of the attack.

11 Scientific Systems Benchmark Problem Detect malicious activity by monitoring System Calls made by Privileged Processes in Unix * Originally suggested by C. Ko, G. Fink, and K. Levitt – 1994. * Extensively studied by the UNM Group (S. Forrest and others), starting with “A Sense of Self for Unix Processes” – 1996. * Programs: sendmail, lpr, ls, ftp, finger … * Data sets are available for downloading. * These data sets can be used for proof-of-concept studies in the Phase I effort – there is data corresponding to faults and data corresponding to multiple types of malicious activities.

12 Scientific Systems Benchmark Problem (cont.) *Process: The sequence of calls – Example: open, read, mmap, mmap, getrlimit, … *Problem: Given data sets corresponding to normal processes and abnormal processes, produce a scheme to distinguish normal from abnormal. * Sequences of correlated categorical variables – representative of other problems in computer security – user profiling, alarm correlations, etc. * There are 182 possible system calls in the SunOS 4.1.x … *“Typical” sendmail processes make about 1,000 to 50,000 calls …

13 Scientific Systems Benchmark Problem (cont.) *UNM Finding: A relatively small dictionary of short sequences (1318 sequences of length 10 for sendmail) provides a very good characterization of normality for several Unix processes. * The dictionary is constructed using a Training Set of Normal behavior. * Sequences not belonging to this dictionary are called abnormal sequences. * Intrusions are detected if a process contains “too many” abnormal sequences on a given interval – the Locality Frame.

14 Scientific Systems Benchmark Problem (cont.) * A process is flagged as containing an intrusion if the number of abnormal sequences inside at least one Locality Frame is above a threshold.

15 Scientific Systems Benchmark Problem (cont.) * UNM approach is very simple; However, other methods: - Data Mining (RIPPER) -Hidden Markov Models lead to roughly the same results. * Recent work by Lee and others – 2001 IEEE Symposium on Security and Privacy – have associated this finding with the regularity of normal processes. * The first n-1 calls on a sequence determines the last call with high accuracy – Normal processes are highly predictable.

16 Scientific Systems Benchmark Problem (cont.) * Additionally, experiments by Lee and others – 2001 IEEE Symposium on Security and Privacy - with the 1999 DARPA Intrusion Detection Dataset have shown that classification accuracy is not improved by adding other features … * Main Message: These short sequences are the “right” patterns to look when constructing classifiers for these types of programs. * It is still a matter of investigation if this same approach works for other types of programs.

17 Scientific Systems Benchmark Problem (cont.) * There is still a lot of room for improvement and investigations – Important issues for having an Adequate and Timely Response: 1.Fusion of classifiers – Can accuracy be improved by fusing multiple classifiers ? 2.Intent Inference – Can we distinguish among attacks ? 3.Distinguishing attacks from faults.

18 Scientific Systems Fusion of Classifiers * Combine several classifiers or anomaly detectors, designed using different methods and/or different features. * Features: Anomaly Counts corresponding to different sequence lengths and different Locality Frame sizes. * Each individual anomaly detector announces a GOF – Goodness of Fit – to the normal data. * These GOFs need to be combined in some way – Simplest solution: Voting Scheme. We utilize a Probabilistic Approach which was shown to be successful for Automatic Target Recognition.

19 Scientific Systems Fusion of Classifiers (cont.)

20 Scientific Systems Intent Inference * We pose the problem of Intent Inference as distinguishing between types of attacks using the sequences of system calls. * From the statistical point of view, this is a classification problem. The main issue is to determine if there are features that cluster the different types of attacks.

21 Scientific Systems Distinguishing Attacks from Faults * It is conceptually the same problem as Intent Inference. * Faults represent one class, while Attacks represent another class.

22 Scientific Systems Summary and Conclusions * We plan to investigate the application of NMSs for the Monitoring, Detection and Response of Security Violations carried out by Insiders. * Intrusion/Misuse Tolerance is achieved by having an adequate and timely response. * Statistical Pattern Recognition and AI will be used for the design of anomaly detectors and classifiers. * We will investigate schemes capable of discriminating among types of attacks and distinguishing faults from attacks. * Classifier Fusion will be investigated, as a tool for increasing accuracy.

23 Scientific Systems SPECTRUM Security Manager Lundy Lewis Director of Research January 17, 2001

24 Scientific Systems Solution Functionality Provides distributed multi-vendor management of Firewalls, Intrusion Detection Systems (IDSs), Security Scanners, PKI, Directories, Packet Sniffers, and Anti-Virus to create a cohesive security solution Monitors information from security devices. –correlates all information –executes commands such as setting filters in Firewalls, revoking account or PKI certificate, etc. to protect the infrastructure

25 Scientific Systems Response to Intrusion: SSM correlates security events SSM automatically starts audit trail SSM provides alarm notification through SPECTRUM SSM provides probable cause/solution and can provide automated responses SSM provides decision support

26 Scientific Systems SSM Architecture Acts as a knowledge hub Accepts information from any source because XML is the standard for communication Adopts a “plug-in” approach that is the basis for extensibility Selection of components based on specific needs

27 Scientific Systems Contact Joao Cabrera Lundy Lewis Scientific Systems Company Aprisma Inc. 500 W. Cummings Park, Suite 3000 486 Amherst Street Woburn, MA 01801 Nashua, NH 03063 cabrera@ssci.com lewis@aprisma.com

Download ppt "Scientific Systems SSCI #1301 DARPA OASIS PI MEETING – Norfolk, VA - Feb 13-16, 2001 Intelligent Active Profiling for Detection and Intent Inference of."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Enhancing Security Using Mobile Based Anomaly Detection in Cellular Mobile Networks Bo Sun, Fei Yu, KuiWu, Yang Xiao, and Victor C. M. Leung. Presented.

Enhancing Security Using Mobile Based Anomaly Detection in Cellular Mobile Networks Bo Sun, Fei Yu, KuiWu, Yang Xiao, and Victor C. M. Leung. Presented.
Chapter 19: Network Management Business Data Communications, 5e.

Chapter 19: Network Management Business Data Communications, 5e.
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
Service Discrimination and Audit File Reduction for Effective Intrusion Detection by Fernando Godínez (ITESM) In collaboration with Dieter Hutter (DFKI)

Service Discrimination and Audit File Reduction for Effective Intrusion Detection by Fernando Godínez (ITESM) In collaboration with Dieter Hutter (DFKI)
A Game-theoretic Approach to the Design of Self-Protection and Self-Healing Mechanisms in Autonomic Computing Systems Birendra Mishra Anderson School of.

A Game-theoretic Approach to the Design of Self-Protection and Self-Healing Mechanisms in Autonomic Computing Systems Birendra Mishra Anderson School of.
Data Mining and Intrusion Detection

Data Mining and Intrusion Detection
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
IDS/IPS Definition and Classification

IDS/IPS Definition and Classification
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.

1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
A survey of commercial tools for intrusion detection 1. Introduction 2. Systems analyzed 3. Methodology 4. Results 5. Conclusions Cao er Kai. INSA lab.

A survey of commercial tools for intrusion detection 1. Introduction 2. Systems analyzed 3. Methodology 4. Results 5. Conclusions Cao er Kai. INSA lab.
Machine Learning as Applied to Intrusion Detection By Christine Fossaceca.

Machine Learning as Applied to Intrusion Detection By Christine Fossaceca.
seminar on Intrusion detection system

seminar on Intrusion detection system
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Similar presentations

Ads by Google