Network traffic based computer system user identification Dr Zsolt Illési associate professor College of Dunaújváros Open Source Intelligence.

Presentation transcript:

1 Network traffic based computer system user identification
Dr Zsolt Illési, associate professor, College of Dunaújváros, zsolt@illesi.hu
Open Source Intelligence Areas of Development

2 Key Questions of Detection
Provide information about:
- Who? (individual(s) involved)
- When? (timeline)
- What? (nature of events)
- Where? (scene)
- Why? (motivation)
- How? (used tools/exploits)

3 Incident Lifecycle

4 Network Situational Awareness
- Cyber Attack Scenarios
- Situation-Aware and Context-Aware Network Applications
- CERTs and CSIRTs
- Security Event and Information Management
- Application Security, Audits and Penetration Testing

5 Web Traffic Characterisation
- Intrusion Detection Systems
- Traffic Characterisation Techniques
- Web Analytics
- Security Incident Response

6 Cyber Situational Awareness Tools & Techniques
- Fuzzy Logic
- Rough Set
- Artificial Neural Networks
- Artificial Intelligence
- Genetic Algorithm
- Evidence Theory (DST)
- Bayesian Networks & Set Theory
- Big Data Analytics
- Game Theory
- Graph Theory

7 Identifying someone
- Prove that a signature is from a known person
- Prove that some network traffic is generated by a specific user

8 Bayesian interpretation of network data
- Posterior knowledge is obtained by updating prior knowledge with new data
- posterior odds = likelihood ratio × prior odds

9 Identification of WHO using a computer? (Assumptions)
- User(s) in action
  – one or more persons
  – one or more computer systems
  – carefully defined (limited) task performance
- Used network data
  – generic protocol data are available
  – payload (e.g. data) possibly encrypted
- Previous information (reference data model is available)

10 Identification of WHO using a computer? (Tools)
- Network taps (specialised hardware or active network tool)
- Sniffers and network traffic/data analysers (Wireshark, tcpdump, tcpstat, tcptrace, CoralReef, etc.)
- Scripting language for data pre-processing (Python, Perl, etc.)
- Number cruncher (Octave, Scilab, Matlab, Mathematica, etc.)

11 Identification of WHO using a computer? (Stages)
- Reference network usage data collection (prior probability distribution)
- Define the probability that a certain person (or computer system) uses the network (hypothesis testing; posterior distribution analysis)

12 Identification of WHO using a computer? (Process)
- Raw network data collection
- Understand network data
  – packet sorting and analysis
  – data-flow and protocol statistics
  – network connection (source-destination pairing)
- Bayesian analysis (current data vs reference data)
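The following is an added worked example, not code from the presentation, that carries slides 8, 11 and 12 through end to end: it derives per-user protocol statistics and source-destination pairings from reference flow records (the prior-building stage), then scores an unattributed session against each user hypothesis with Bayes' rule and reports the posterior odds as likelihood ratio × prior odds. All flow records, addresses and user names are constructed; the choice of (protocol, destination port) as the feature and the Laplace smoothing are assumptions made for the example, not something the slides prescribe.

```python
"""Bayesian identification of a user from flow-level network statistics.

Added example, not code from the presentation. All traffic records below are
constructed; addresses, user names and the (proto, dport) feature are assumptions.
"""
import math
from collections import Counter

# Flow record layout (constructed): (src_ip, dst_ip, proto, dst_port, bytes).
# Reference captures: each user worked alone on a dedicated host, matching the
# "single user, no significant interference" constraint stated on slide 13.
REFERENCE_FLOWS = {
    "alice": [
        ("10.0.0.11", "203.0.113.5", "tcp", 22, 18000),
        ("10.0.0.11", "203.0.113.5", "tcp", 22, 21000),
        ("10.0.0.11", "198.51.100.20", "tcp", 443, 9000),
        ("10.0.0.11", "10.0.0.2", "udp", 53, 120),
        ("10.0.0.11", "203.0.113.5", "tcp", 22, 16000),
        ("10.0.0.11", "10.0.0.2", "udp", 53, 110),
    ],
    "bob": [
        ("10.0.0.12", "198.51.100.20", "tcp", 443, 250000),
        ("10.0.0.12", "198.51.100.21", "tcp", 443, 180000),
        ("10.0.0.12", "198.51.100.22", "tcp", 80, 60000),
        ("10.0.0.12", "10.0.0.2", "udp", 53, 130),
        ("10.0.0.12", "198.51.100.20", "tcp", 443, 300000),
        ("10.0.0.12", "10.0.0.2", "udp", 53, 125),
    ],
}

# Session from an unattributed host (constructed). Payloads may be encrypted,
# so only protocol-level fields are used, as slide 9 assumes.
OBSERVED_FLOWS = [
    ("10.0.0.50", "203.0.113.5", "tcp", 22, 17500),
    ("10.0.0.50", "203.0.113.5", "tcp", 22, 19000),
    ("10.0.0.50", "10.0.0.2", "udp", 53, 115),
    ("10.0.0.50", "203.0.113.5", "tcp", 22, 20500),
]

OTHER = ("other", 0)  # bucket for (proto, dport) pairs absent from all reference data


def flow_key(flow):
    """Protocol-statistics feature: transport protocol and destination port."""
    return (flow[2], flow[3])


def protocol_stats(flows):
    """Data-flow and protocol statistics: how often each (proto, dport) appears."""
    return Counter(flow_key(f) for f in flows)


def connection_pairs(flows):
    """Network connections as source-destination pairings with flow counts."""
    return Counter((f[0], f[1]) for f in flows)


def build_model(reference, alpha=1.0):
    """Per-user categorical distribution over (proto, dport), Laplace-smoothed.

    Smoothing keeps every probability non-zero, so one never-seen flow cannot
    drive a hypothesis to exactly zero likelihood.
    """
    vocab = {flow_key(f) for flows in reference.values() for f in flows} | {OTHER}
    model = {}
    for user, flows in reference.items():
        counts = protocol_stats(flows)
        total = sum(counts.values()) + alpha * len(vocab)
        model[user] = {k: (counts.get(k, 0) + alpha) / total for k in vocab}
    return model


def log_likelihood(user_dist, observed):
    """log P(observed flows | user), flows treated as independent draws."""
    return sum(math.log(user_dist.get(flow_key(f), user_dist[OTHER])) for f in observed)


def posterior(model, prior, observed):
    """P(user | data) proportional to P(data | user) * P(user), normalised over hypotheses."""
    logp = {u: math.log(prior[u]) + log_likelihood(model[u], observed) for u in model}
    top = max(logp.values())  # subtract the max before exponentiating for stability
    z = sum(math.exp(v - top) for v in logp.values())
    return {u: math.exp(v - top) / z for u, v in logp.items()}


def posterior_odds(model, prior, observed, h1, h2):
    """Slide 8 relation: posterior odds = likelihood ratio * prior odds."""
    lr = math.exp(log_likelihood(model[h1], observed) - log_likelihood(model[h2], observed))
    prior_odds = prior[h1] / prior[h2]
    return lr * prior_odds, lr, prior_odds


def identify(reference, observed, prior=None):
    """Return (most probable user, posterior dict) for an observed session."""
    model = build_model(reference)
    if prior is None:  # uniform prior: every known user equally likely a priori
        prior = {u: 1.0 / len(model) for u in model}
    post = posterior(model, prior, observed)
    return max(post, key=post.get), post


if __name__ == "__main__":
    print("observed protocol stats:", protocol_stats(OBSERVED_FLOWS))
    print("observed connections:", connection_pairs(OBSERVED_FLOWS))
    best, post = identify(REFERENCE_FLOWS, OBSERVED_FLOWS)
    print("posterior:", {u: round(p, 4) for u, p in post.items()}, "->", best)
    model = build_model(REFERENCE_FLOWS)
    uniform = {u: 0.5 for u in model}
    print("posterior odds alice:bob =", posterior_odds(model, uniform, OBSERVED_FLOWS, "alice", "bob"))
```

With the constructed data the observed session's three SSH flows give alice a likelihood ratio of 64 over bob under a uniform prior, so the posterior odds are 64:1 and the posterior probability for alice is 64/65. The result is only as good as the reference data and the single-user assumption: a session that mixes two people's traffic, or a host with background software activity the reference captures never saw, will be pushed into the smoothed "other" bucket and yield a confident but meaningless answer, which is exactly the limitation slide 13 warns about.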

13 Pros and Cons
Constraints
- Single user
- No other (significant) interference to computer traffic (e.g. background software activity)
- Lack of an adequate amount of reference data (directed network usage)
Benefits
- 80%+ accuracy (please consider the limitations!!!)

14 Future development — Experiment Scope
- Greater reference data
  – number of persons
  – duration of network usage
  – mixed data with some other subjects
- Combine with logs (apply the results to the log analysis field and enhance accuracy)

15 Future Developments — Combined approach
- Hidden Markov model
- Gaussian mixture models
- Fuzzy Logic
- Artificial Neural Networks
- Data Mining
- Decision Trees
- Graph Theory
- etc.
