School of Computer Science and Information Systems


Identifying Malicious Web Requests through Changes in Locality and Temporal Sequence
DIMACS Workshop on Security of Web Services and E-Commerce
Li-Chiou Chen, lchen@pace.edu
School of Computer Science and Information Systems, Pace University
May 4th, 2005

Needs for anomaly detection in distributed network traces
Fast-spreading Internet worms or malicious programs interrupt web services
Early detection and response is a vital approach
These attacks are usually launched from distributed locations
Network traces left at distributed locations are invaluable for searching for clues of potential future attacks
E.g. DShield, the Honeynet Project
© Li-Chiou Chen, 5/6/2005

Types of IDS
Based on data:
  Network-based IDS: monitors and inspects network traffic
  Host-based IDS: runs on a single host
Based on detection techniques:
  Signature-based IDS: uses pattern matching to identify known attacks
  Anomaly-based IDS: uses statistical, data mining or other techniques to distinguish normal from abnormal activities

Outline
Toolkits for inferring anomaly patterns from distributed network traces (TIAP)
Previous works
Changes of locality over time
Markov chain analysis
Preliminary results
Summary
Future works
Focus: anomaly detection in distributed network traces, in particular malicious web requests

TIAP: Toolkits for inferring anomalous patterns in distributed network traces
Inputs: network traces (web log, tcpdump, etc); alerts from other IDS or TIAP peers (using IDMEF)
Data conversion
Locality pattern analysis
Sequence pattern analysis
Response module
Outputs: alerts to other IDS or TIAP peers (using IDMEF); alerts to administrators

Web level IDS
Anomaly detection:
  Structure of a HTTP request (Kruegel and Vigna 03)
  Normality on streams of data access patterns (Sion et al 03)
Misuse detection:
  State transition analysis of HTTP requests (Vigna et al 03)
  Look for attack signatures (Almgren et al 01)

Changes in locality patterns and temporal sequence patterns
Locality: where the web request is sent from, such as the source IP address, and which web server is requested, such as the destination IP address
Temporal sequence: the order of requested objects during a given period of time

Locality pattern analysis in distributed network traces
(figure: per-location request sequences ABAA, ABCD, KIKL, ABPO; time steps t1: AB, t2: ...., t3: ...., t4: ....)

An example: web traces in common log format from 6 web servers
tstamp, ip, server, doc_type, user_agent
62978, 38.0.69.1, 1, 2, 3
62979, 38.0.69.1, 1, 2, 3
62979, 38.0.69.1, 2, 2, 3
63001, 38.0.69.1, 1, 2, 3
……..
………
(the rows above form one session)

Data profiles
6 web servers (2 of them have links to each other, 4 of them are independent)
One day web trace
One session: a distinct IP, 10 minutes interval
193,070 HTTP requests, 11,177 sessions
HTTP requests from outside of the organization
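The two slides above define the record layout (tstamp, ip, server, doc_type, user_agent) and the session rule (a distinct IP, 10-minute interval). The following is an added example, not code from the slides or from TIAP, that sessionizes a small constructed trace under those rules and summarises each session's locality. Its assumptions are labelled in the code: the 10-minute interval is read as an inactivity gap between consecutive requests of one IP, and the slide's six servers (two linked, four independent) are modelled as servers 1 and 2 linking to each other with 3 to 6 standing alone.

```python
"""Sessionize a web trace in the slide's record layout and summarise the
locality of each session (which servers one source IP touched).

Added example, not code from the slides. Assumptions, labelled as such: records
are (tstamp, ip, server, doc_type, user_agent) with integer-coded fields as on
the slide; "one session: a distinct IP, 10 minutes interval" is read as one
source IP with no gap longer than 10 minutes between consecutive requests; the
slide's six servers (two linking to each other, four independent) are modelled
as servers 1 and 2 linking to each other and 3 to 6 standing alone.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SESSION_GAP_SECONDS = 10 * 60   # the slide's 10-minute session interval

# Constructed trace. The first four rows repeat the slide's example values;
# the remaining rows are made up to show a second IP and a session break.
TRACE = """\
62978, 38.0.69.1, 1, 2, 3
62979, 38.0.69.1, 1, 2, 3
62979, 38.0.69.1, 2, 2, 3
63001, 38.0.69.1, 1, 2, 3
63010, 10.0.0.5, 3, 1, 7
63011, 10.0.0.5, 4, 1, 7
63012, 10.0.0.5, 5, 1, 7
63013, 10.0.0.5, 6, 1, 7
64500, 38.0.69.1, 1, 2, 3
"""

# Assumed link topology: server -> set of servers it links to.
LINKS = {1: {2}, 2: {1}, 3: set(), 4: set(), 5: set(), 6: set()}


@dataclass
class Session:
    ip: str
    start: int
    end: int
    servers: list = field(default_factory=list)   # one entry per request


def parse_trace(text):
    """Parse comma-separated rows into (tstamp, ip, server, doc_type, ua) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, server, doc_type, ua = (f.strip() for f in line.split(","))
        rows.append((int(ts), ip, int(server), int(doc_type), int(ua)))
    return rows


def sessionize(rows, gap=SESSION_GAP_SECONDS):
    """Group requests by source IP; start a new session after an idle gap."""
    by_ip = defaultdict(list)
    for row in sorted(rows):            # chronological order within each IP
        by_ip[row[1]].append(row)
    sessions = []
    for ip, requests in by_ip.items():
        current = None
        for ts, _, server, _, _ in requests:
            if current is None or ts - current.end > gap:
                current = Session(ip, ts, ts)
                sessions.append(current)
            current.end = ts
            current.servers.append(server)
    return sessions


def unlinked_server_pairs(session, links=LINKS):
    """Pairs of distinct servers in one session with no link between them.
    A session spanning unlinked servers is the locality anomaly this example
    flags (assumed criterion; the slides do not state one)."""
    distinct = sorted(set(session.servers))
    return sum(1 for i, a in enumerate(distinct) for b in distinct[i + 1:]
               if b not in links[a] and a not in links[b])


def locality_report(text=TRACE):
    """(ip, session start, requests, distinct servers, unlinked pairs) per session."""
    return [(s.ip, s.start, len(s.servers), len(set(s.servers)),
             unlinked_server_pairs(s))
            for s in sessionize(parse_trace(text))]


if __name__ == "__main__":
    for row in locality_report():
        print(row)
```

On the constructed trace the first IP produces two sessions (its last request arrives well past the 10-minute gap) that stay inside the linked pair of servers, while the second IP walks all four independent servers inside one session, giving six unlinked server pairs.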

Locality pattern analysis
86 sessions by only two web bots

Markov chain analysis
(figure: states observed at time steps t1 to t16 ...: N S N S S O S N S O S N S S N S S ...; two sampling windows, sampling window 1 and sampling window 2; state legend N, S, O)

Data profiles
1 web server
One week of web traces
Window size 30
Reference list 30

Change of distinct IP over time: browsers

Change of distinct IP over time: web bots

Markov chain results
(state transition diagram over Old (O), New (N) and Same (S); values shown, each with a second value in parentheses: 0.43 (0.14), 0.42 (0.21), 0.43 (0.17), 0.13 (0.10), 0.13 (0.08), 0.40 (0.22), 0.06 (0.04), 0.83 (0.10), 0.18 (0.16))
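The Markov chain slides give the state labels New (N), Same (S) and Old (O), a sampling window of 30, a reference list of 30, and a transition diagram, but not the rule that assigns a request to a state. The following is an added example, not code from the slides or from TIAP, that labels a request stream with those states under an assumed rule (S: same source IP as the previous request; O: a different IP still present in the reference list of recently seen distinct IPs; N: an IP absent from that list), estimates the transition matrix per sampling window, and contrasts a constructed repeat-visitor stream with a constructed stream in which every request comes from a never-seen address, the pattern the summary slide associates with attacks using random IP addresses. The IP addresses are constructed documentation ranges.

```python
"""Label a web request stream with the slide's N/S/O states and estimate the
Markov chain transition probabilities per sampling window.

Added example, not code from the slides. The slides give only the state labels
New (N), Same (S), Old (O), a window size of 30 and a reference list of 30; the
interpretation below is an assumption: S = same source IP as the previous
request, O = a different IP that is still in the reference list of the most
recently seen distinct IPs, N = an IP absent from that list.
"""
from collections import deque
from itertools import product
from statistics import mean, pstdev

STATES = ("N", "S", "O")


def label_states(ips, ref_size=30):
    """Map each request's source IP to N, S or O (assumed semantics above)."""
    reference = deque()   # most recently seen distinct IPs, newest on the right
    states = []
    prev = None
    for ip in ips:
        if ip == prev:
            states.append("S")
        elif ip in reference:
            states.append("O")
        else:
            states.append("N")
        # Move ip to the newest slot and drop the oldest entry beyond ref_size.
        if ip in reference:
            reference.remove(ip)
        reference.append(ip)
        if len(reference) > ref_size:
            reference.popleft()
        prev = ip
    return states


def transition_matrix(states):
    """Row-stochastic estimate P[a][b] = count(a->b) / count(a->*)."""
    counts = {a: {b: 0 for b in STATES} for a in STATES}
    for a, b in zip(states, states[1:]):
        counts[a][b] += 1
    matrix = {}
    for a in STATES:
        total = sum(counts[a].values())
        matrix[a] = {b: (counts[a][b] / total if total else 0.0) for b in STATES}
    return matrix


def windowed_transitions(states, window=30):
    """One transition matrix per non-overlapping sampling window, summarised as
    (mean, population std dev) per transition across the windows."""
    windows = [states[i:i + window]
               for i in range(0, len(states) - window + 1, window)]
    per_window = [transition_matrix(w) for w in windows]
    summary = {}
    for a, b in product(STATES, STATES):
        vals = [m[a][b] for m in per_window]
        summary[(a, b)] = ((round(mean(vals), 2), round(pstdev(vals), 2))
                           if vals else (0.0, 0.0))
    return summary


# The 17-state sequence shown on the "Markov chain analysis" slide.
SLIDE_SEQUENCE = list("NSNSSOSNSOSNSSNSS")


def repeat_visitor_stream(n=60):
    """Constructed browser-like stream: five IPs revisiting in a fixed pattern."""
    pool = ["198.51.100.%d" % i for i in range(1, 6)]
    return [pool[(i // 3) % 5] for i in range(n)]


def random_ip_stream(n=60):
    """Constructed stream in which every request comes from a never-seen IP."""
    return ["203.0.113.%d" % i for i in range(n)]


if __name__ == "__main__":
    for name, stream in (("repeat visitors", repeat_visitor_stream()),
                         ("random IPs", random_ip_stream())):
        m = transition_matrix(label_states(stream))
        print(name, {a: {b: round(p, 2) for b, p in row.items()}
                     for a, row in m.items()})
```

With the repeat-visitor stream the chain spends its time in S and O, while the never-seen-IP stream collapses to a single N to N transition with probability 1; the per-window summary is what lets a drift between the two regimes be noticed over time rather than only in one window.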

Illustration of the state transition probability

Summary
The preliminary locality pattern analysis works well with identifying distinct web bot access patterns
The Markov chain analysis provides a way to infer attacks that utilize random IP addresses
A combination of the two approaches is needed

Ongoing works
Incorporate the analytical results for malware or intrusion detection
A distributed framework of data collection and information sharing for inferring malware or intrusion attempts across servers/platforms/geographical locations
Collection of attack logs for analytical purposes
Use of the Intrusion Detection Message Exchange Format (IDMEF) for message exchange among servers