Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.

Slides:



Advertisements
Similar presentations
REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.
Advertisements

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
IUT– Network Security Course 1 Network Security Firewalls.
TRUE Blind ip spoofed portscanning Thomas Olofsson C.T.O Defcom.
Computer Security and Penetration Testing
CISCO NETWORKING ACADEMY PROGRAM (CNAP)
CIS 193A – Lesson13 Attack and Defense. CIS 193A – Lesson13 Focus Question Describe how Nmap, psad, and iptables work together for playing out attack.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
1 Reading Log Files. 2 Segment Format
1 A TCAM-based solution for integrated traffic anomaly detection and policy filtering Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang Publisher:
Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
FLAME: A Flow-level Anomaly Modeling Engine
Anomaly Based Intrusion Detection System
Packet Anomaly Intrusion Detection PAID Constantine Manikopoulos and Zheng Zhang New Jersey Center for Wireless Networking and Security (NJWINS) at NJIT.
Firewalls and Intrusion Detection Systems
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.
1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
A DoS Resilient Flow-level Intrusion Detection Approach for High-speed Networks Yan Gao, Zhichun Li, Yan Chen Lab for Internet and Security Technology.
10/21/20031 Framework For Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann, Christos Papadopoulos Kavita Chada & Viji Avali CSCE 790.
Detecting SYN Flooding Attacks Haining Wang, Dandle Zhang, Kang G. Shin Presented By Hareesh Pattipati.
1 Towards Anomaly/Intrusion Detection and Mitigation on High-Speed Networks Yan Gao, Zhichun Li, Yan Chen Northwestern Lab for Internet and Security Technology.
Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS Professor Yan Chen.
Towards a High speed Router based Anomaly/Intrusion detection System Yan Gao & Zhichun Li.
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
Testing Intrusion Detection Systems: A Critic for the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory By.
Lecture 15 Denial of Service Attacks
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.
Intrusion and Anomaly Detection in Network Traffic Streams: Checking and Machine Learning Approaches ONR MURI area: High Confidence Real-Time Misuse and.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
FIREWALL Mạng máy tính nâng cao-V1.
A Statistical Anomaly Detection Technique based on Three Different Network Features Yuji Waizumi Tohoku Univ.
Traffic Classification through Simple Statistical Fingerprinting M. Crotti, M. Dusi, F. Gringoli, L. Salgarelli ACM SIGCOMM Computer Communication Review,
Online Chinese Character Handwriting Recognition for Linux
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece TNC.
Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.
Fast Portscan Detection Using Sequential Hypothesis Testing Authors: Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan Publication: IEEE.
Source-End Defense System against DDoS attacks Fu-Yuan Lee, Shiuhpyng Shieh, Jui-Ting Shieh and Sheng Hsuan Wang Distributed System and Network Security.
Detection Unknown Worms Using Randomness Check Computer and Communication Security Lab. Dept. of Computer Science and Engineering KOREA University Hyundo.
A Finite State Machine Model of TCP Connections in the Transport Layer J. Treurniet and J.H. Lefebvre Defence R&D Canada - Ottawa Mike Hsiao,
An Overview of Intrusion Detection Using Soft Computing Archana Sapkota Palden Lama CS591 Fall 2009.
DiFMon Distributed Flow Monitor Dario Salvi Consorzio Interuniversitario Nazionale per l’Informatica (CINI) Naples, Italy.
Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties. Session 1341: Case Studies of Security Studies of Intrusion.
Distributed Denial of Service Attacks
A Dos Resilient Flow-level Intrusion Detection Approach for High-speed Networks Yan Gao, Zhichun Li, Yan Chen Department of EECS, Northwestern University.
Group 8 Distributed Denial of Service. DoS SYN Flood DDoS Proposed Algorithm Group 8 What is Denial of Service? “Attack in which the primary goal is to.
A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann, Christos Papadopoulos Reviewed by Dave Lim.
Open-Eye Georgios Androulidakis National Technical University of Athens.
Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.
Snort - Lightweight Intrusion Detection for Networks YOUNG Wo Sang Program Committee, PISA
Hybrid Intelligent Systems for Detecting Network Anomalies Lane Thames ECE 8833 Intelligent Systems.
Consensus Extraction from Heterogeneous Detectors to Improve Performance over Network Traffic Anomaly Detection Jing Gao 1, Wei Fan 2, Deepak Turaga 2,
DoS/DDoS attack and defense
1 Virtual Dark IP for Internet Threat Detection Akihiro Shimoda & Shigeki Goto Waseda University
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering.
FIREWALLS An Important Component in Computer Systems Security By: Bao Ming Soh.
Intrusion Detection with Neural Networks my awesome graphic ↑
Statistical based IDS background introduction
Session 20 INST 346 Technologies, Infrastructure and Architecture
Presentation transcript:

Statistical based IDS background introduction

Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description Feature extraction Statistical method introduction Result analysis

Project goals Related work –Internet has various network attacks, including denial of service attacks and port scans, etc. –Overall traffic detection –Flow-level detection Our goals – Detect both attacks at the same time – Differentiate DoS and port scans

Attack introduction TCP SYN flooding - An important form of DoS attacks - Exploit the TCP’s three-way handshake mechanism and its limitation in maintaining half-open connection - Feature: spoofed source IP - Recent reflected SYN/ACK flooding attacks

Attack introduction Port scan - horizontal scan - Vertical scan - Block scan Feature: real source IP address

Statistical IDS architecture Learning part Detection part

Data description DARPA98 data –The first standard corpora for evaluation of network intrusion detection systems. –From the Information Systems Technology Group ( IST ) of MIT Lincoln Laboratory,ISTLincoln Laboratory –Under Defense Advanced Research Projects Agency ( DARPA ITO ) and Air Force Research Laboratory ( AFRL/SNHS ) sponsorshipDARPA ITOAFRL/SNHS –Seven weeks of training data –Two weeks of detection data

Data description DARPA98 data format > : S ACK : (0) win Time stamp: Source IP address + port: Destination IP address + port: TCP flag: S (maybe other : R, F, P) - ACK flag: ACK - Other part of packet header: : (0) win 512

Feature extraction Calculate the metrics in every 5 minute traffic Metrics -For example: SYN-SYN_ACK pair SYN-FIN + SYN-RST active pair traffic volume SYN packet volume …… Good Luck

Statistical method Statistical based IDS Goals: Using statistical metrics and algorithm to differentiate the anomaly traffic from benign traffic, and to differentiate different types of attacks. - Advantage: detect unknown attacks - Disadvantage: false positive and false negative

Hidden Markov Model (HMM) HMM is a very useful statistical learning model. It has been successfully implemented in the speech recognition. - Advantage 1. analyzing sequence data (using observation probability and transition probability to represent) 2. unsurprised data training and surprised data training 3. high accuracy - Disadvantage comparatively long training time

Double Gaussian model Introduction - Two Gaussion distribution models are used to represent two classes of behaviors - Get the two probabilities of current behavior using different two-class Gaussian parameters - Compare them. The current behavior belongs to the larger probability class. Training period - Get the two-class Gaussian parameters Detection period - Use two-class Gaussian parameters to get probabilities and compare them

Double Gaussian model Advantage –Simple, easy to understand –Fast Disadvantage –No sequence characteristic

Result analysis Evaluation - Important quantitative analysis: false positive + false negative - Looking at metric value, and finding the reasons - Repeating experiments

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.