
Scalable Parallel Intrusion Detection Fahad Zafar Advising Faculty: Dr. John Dorband and Dr. Yaacov Yeesha 1 University of Maryland Baltimore County.

Presentation transcript:

1 Scalable Parallel Intrusion Detection. Fahad Zafar. Advising Faculty: Dr. John Dorband and Dr. Yaacov Yeesha. University of Maryland Baltimore County.

2 Intrusion Detection Systems (IDS)
- Network IDS (NIDS): placed at one or more strategic points in the network to monitor traffic to and from all devices on that segment.
- Host IDS (HIDS): monitors only the inbound and outbound packets of the device it runs on, together with local state such as files and logs.
- Signature-based IDS: compares packets seen on the network against a database of signatures or attributes of known malicious threats.
- Anomaly-based IDS: compares network traffic against an established baseline of normal behaviour and flags deviations.

3 Existing Limitations
- Network IDS: analysing all inbound and outbound traffic affects network speed; an inline sensor adds latency, and a passive one starts dropping packets once the link outruns it.
- Host IDS: consumes CPU and memory on the protected host, slowing the user's work.
- Signature-based IDS: the signature database keeps growing, and matching cost grows with it.
- Anomaly-based IDS: training a baseline model is hard, and a poor baseline produces false positives.

4 Ping Broadcast Attack
Send an ICMP echo request to the network broadcast address with the source IP spoofed to that of the server (the victim). Every host that answers sends its echo reply to the spoofed source, not to the attacker.

5 Ping broadcast attacks
If there are 81 PCs on the network and the router forwards the request to the broadcast address, a single echo request produces 81 echo replies, all aimed at the victim: an 81x amplification of traffic. This is the classic smurf attack; it only works when the edge router forwards directed broadcasts, which current routers disable by default, so a network IDS should treat any echo request to a broadcast address as suspicious in its own right.

6 Points worth a mention
- One type of IDS cannot handle all types of attacks: an application-level IDS cannot see a ping broadcast attack, but a network IDS can.
- Network rules are needed for dynamic network management: when an attack is identified, write a rule for it.
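The two network-level rules implied by slides 4 to 6, written out as detection logic over a packet stream. This is an added example, not code from the presentation: the 4-tuple packet records, the monitored subnet 10.0.1.0/24, the reply threshold and the one-second window are all constructed assumptions.

```python
"""Ping-broadcast (smurf) detection over a packet stream.

Added example, not code from the presentation.  Packet records are
constructed 4-tuples (timestamp, src_ip, dst_ip, icmp_type); the local
subnet and the thresholds are assumptions.
"""
from collections import defaultdict, deque
import ipaddress

ECHO_REPLY = 0
ECHO_REQUEST = 8
LOCAL_NET = ipaddress.ip_network("10.0.1.0/24")  # assumed monitored subnet


def is_broadcast(dst_ip):
    """Directed broadcast of the local subnet, or the limited broadcast."""
    dst = ipaddress.ip_address(dst_ip)
    return dst == LOCAL_NET.broadcast_address or dst == ipaddress.ip_address("255.255.255.255")


def detect_smurf(packets, reply_threshold=20, window=1.0):
    """Return a list of (rule, detail) alerts for two network-level rules.

    1. broadcast_echo_request: an ICMP echo request to a broadcast address.
       Its source is the host that will receive the replies, i.e. the
       (spoofed) victim, so that address is reported as the detail.
    2. reply_amplification: more than reply_threshold echo replies to one
       destination inside `window` seconds, the amplified traffic itself.
    """
    alerts = []
    replies = defaultdict(deque)  # dst_ip -> timestamps of recent replies
    for ts, src, dst, itype in packets:
        if itype == ECHO_REQUEST and is_broadcast(dst):
            alerts.append(("broadcast_echo_request", src))
        elif itype == ECHO_REPLY:
            recent = replies[dst]
            recent.append(ts)
            while recent and ts - recent[0] > window:  # slide the window
                recent.popleft()
            if len(recent) > reply_threshold:
                alerts.append(("reply_amplification", dst))
                recent.clear()  # report each burst once
    return alerts


def amplification_factor(packets):
    """Echo replies per echo request: 81 replies for 1 request is 81x."""
    requests = sum(1 for p in packets if p[3] == ECHO_REQUEST)
    replies = sum(1 for p in packets if p[3] == ECHO_REPLY)
    return replies / requests if requests else 0.0


def sample_capture():
    """Constructed capture: one spoofed request, then 81 replies to the victim."""
    victim = "10.0.1.50"
    pkts = [(0.0, victim, "10.0.1.255", ECHO_REQUEST)]
    for host in range(1, 82):
        pkts.append((0.001 * host, f"10.0.1.{host}", victim, ECHO_REPLY))
    return pkts


if __name__ == "__main__":
    cap = sample_capture()
    print(f"amplification: {amplification_factor(cap):.0f}x")
    for rule, detail in detect_smurf(cap):
        print(rule, detail)
```

The first rule fires on the single request, before any reply arrives, which is why the slide says a network IDS can catch this attack while an application-level IDS on the victim only ever sees the flood. The second rule is the fallback for a sensor that sits on the victim's side and never sees the broadcast request.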

7 Our Design Understandings
- Heterogeneous IDS is the future.
- Better load balancing and minimum packet loss are requirements.
Main characteristics:
- Isolating the different IDS from one another.
- Traffic-specific intrusion detection.

8 Decentralized, traffic-based heterogeneous intrusion detection (architecture diagram; the sensors shown are a network IDS, e.g. Snort, and a host IDS, e.g. OSSEC HIDS).

9 Novelty
1. Smart switch: block, fork or divert traffic; a small cache for faster throughput.
2. Decentralized intrusion detection: works with current open-source IDS packages.
3. Smart hashing: destination-specific, source-specific and session-specific hashing.
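The three hashing modes from point 3 of slide 9, as an added example that is not the presentation's own code. It shows the one property that matters when the traffic is split across several IDS instances: session hashing must send both directions of a connection to the same worker, which destination or source hashing does not guarantee. The packet dictionaries, the worker count and the sample flows are constructed assumptions.

```python
"""Smart hashing: slice traffic across IDS workers by destination, source or session.

Added example, not the presentation's own code.  The packet dicts, the
worker count and the flow records are constructed assumptions.
"""
import hashlib


def _stable_hash(key):
    # sha256 rather than hash(): str hashing is randomised per Python process,
    # and a flow must land on the same worker after a sensor restart.
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


def dest_key(pkt):
    """Destination-specific: every packet to one host goes to one IDS."""
    return pkt["dst"]


def src_key(pkt):
    """Source-specific: every packet from one host goes to one IDS."""
    return pkt["src"]


def session_key(pkt):
    """Session-specific: order the two endpoints so client->server and
    server->client packets hash identically; a stateful NIDS such as Snort
    needs both directions of a session on the same worker."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    lo, hi = sorted((a, b))
    return f"{pkt['proto']}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def assign_worker(pkt, n_workers, key_fn=session_key):
    return _stable_hash(key_fn(pkt)) % n_workers


def distribute(packets, n_workers, key_fn=session_key):
    """Return {worker_id: [packets]}: the traffic slice each IDS instance sees."""
    slices = {i: [] for i in range(n_workers)}
    for p in packets:
        slices[assign_worker(p, n_workers, key_fn)].append(p)
    return slices


def max_share(slices):
    """Fraction of all packets on the busiest worker (1.0 means one hot spot)."""
    counts = [len(v) for v in slices.values()]
    return max(counts) / sum(counts)


def sample_flows():
    """Constructed: 40 clients talking to one web server, both directions."""
    pkts = []
    for c in range(40):
        client, port = f"10.0.1.{c + 1}", 40000 + c
        pkts.append({"proto": "tcp", "src": client, "sport": port, "dst": "10.0.1.200", "dport": 80})
        pkts.append({"proto": "tcp", "src": "10.0.1.200", "sport": 80, "dst": client, "dport": port})
    return pkts


if __name__ == "__main__":
    flows = sample_flows()
    for name, fn in (("dest", dest_key), ("src", src_key), ("session", session_key)):
        print(f"{name:8s} busiest worker share: {max_share(distribute(flows, 4, fn)):.2f}")
```

Destination hashing puts every client-to-server packet on the worker that owns 10.0.1.200, so at least half of this traffic lands on one IDS; that is the load-balancing problem slide 7 names. Session hashing spreads the 40 connections while keeping each connection whole, which is the mode a stateful NIDS needs.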

10 (figure only; no transcript text)

11 Intrusion Detection Algorithms
- Signature extraction.
- Detecting changes in the registry and the use of DLLs.
- N-grams to train learning models and detect unknown viruses.
- Instance-based learners, support vector machines, decision trees, etc.

12 A scalable multi-level feature extraction technique to detect malicious executables [5]
[5] Mohammad M. Masud, Latifur Khan and Bhavani Thuraisingham, "A scalable multi-level feature extraction technique to detect malicious executables".

13 Extracting n-grams (figure slide)
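The n-gram pipeline slides 11 to 13 refer to, worked end to end as an added example that is not the presentation's code nor the code of [5] or [6]: byte n-grams are extracted from each file as presence features, the n-grams are ranked by information gain over a labelled corpus, and the top k become the boolean feature vector a learner such as a decision tree or SVM would train on. The corpus is a constructed set of short byte strings that stand in for executables; the stubs, the header bytes and the choice of n=4 are assumptions.

```python
"""Byte n-gram feature extraction with information-gain selection.

Added example following the n-gram approach the slides cite; not the
presentation's own code.  The 'executables' are constructed byte strings.
"""
import math
from collections import Counter


def byte_ngrams(data, n=4):
    """Set of distinct n-byte sequences in data (presence, not count)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def _entropy(pos, neg):
    """Binary entropy of a (malicious, benign) count pair."""
    total = pos + neg
    if total == 0:
        return 0.0
    h = 0.0
    for c in (pos, neg):
        if c:
            p = c / total
            h -= p * math.log2(p)
    return h


def information_gain(samples, n=4):
    """samples: list of (bytes, label), label 1 = malicious, 0 = benign.
    Returns {ngram: IG} for every n-gram seen in any sample; IG is the
    drop in label entropy from knowing whether the n-gram is present."""
    n_pos = sum(lbl for _, lbl in samples)
    n_neg = len(samples) - n_pos
    base = _entropy(n_pos, n_neg)
    with_pos, with_neg = Counter(), Counter()
    for data, lbl in samples:
        for g in byte_ngrams(data, n):
            (with_pos if lbl else with_neg)[g] += 1
    total = len(samples)
    ig = {}
    for g in set(with_pos) | set(with_neg):
        p1, n1 = with_pos[g], with_neg[g]   # samples containing g
        p0, n0 = n_pos - p1, n_neg - n1     # samples lacking g
        cond = ((p1 + n1) / total) * _entropy(p1, n1) + ((p0 + n0) / total) * _entropy(p0, n0)
        ig[g] = base - cond
    return ig


def select_features(samples, k, n=4):
    """The k n-grams with the highest information gain (ties broken by bytes)."""
    ig = information_gain(samples, n)
    return [g for g, _ in sorted(ig.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]


def feature_vector(data, features, n=4):
    """Boolean vector: 1 where the selected n-gram occurs in data."""
    grams = byte_ngrams(data, n)
    return [1 if f in grams else 0 for f in features]


def sample_corpus():
    """Constructed toy corpus, not real binaries: every file shares a fake
    'MZ' header; malicious files share a shellcode-like stub, benign ones a
    normal function prologue; a per-file trailer adds noise."""
    header = b"MZ\x90\x00"
    mal_stub = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68"
    ben_stub = b"\x55\x89\xe5\x83\xec\x10\x8b\x45"
    corpus = []
    for i in range(3):
        corpus.append((header + mal_stub + bytes([0xa0 + i]) * 4, 1))
        corpus.append((header + ben_stub + bytes([0xb0 + i]) * 4, 0))
    return corpus


if __name__ == "__main__":
    corpus = sample_corpus()
    feats = select_features(corpus, 8)
    for g in feats:
        print(g.hex(), round(information_gain(corpus)[g], 3))
    print(feature_vector(corpus[0][0], feats))
```

The header n-gram, present in every file, scores an information gain of 0 and is never selected, while an n-gram present in every malicious file and no benign one scores the maximum of 1.0; that ranking is what keeps the feature set small as the sample repository grows, which is the scaling problem slide 12's reference addresses. Real executables yield millions of distinct 4-grams, so production code streams the counts rather than holding a set per file.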

14 We explore multiple paths
- Semantic-based searching for malicious code.
- Restricted regular expressions for the parallel sequence and n-grams for the serial sequence.
- Better feature-extraction techniques for malicious and benign code.

15 Future Work: Evolution of Malware
- Use Metasploit to generate samples for n-gram analysis.
- Test our detection techniques on them.
- Apply the identification technique to encrypted and altered versions of the same malware code.

16 Future Work: Detecting a process in execution
- Send the tagged code and a 16K memory dump of the process.
- Offload the work to bluegrit.
- Fast search according to signature plus code-sequence regex.
- Reply to the server within reasonable time limits.

17 Future Work: Current Progress
- Survey infected files and build a repository of them.
- Look for ways to reduce false negatives and false positives compared with previous approaches [6].
- Parallel scalable detection.
[6] J. Zico Kolter and Marcus A. Maloof, "Learning to Detect and Classify Malicious Executables in the Wild".

