Presentation is loading. Please wait.

Presentation is loading. Please wait.

F3 Collecting Network Based Evidence (NBE)

Published byAstrid Lovin Modified over 9 years ago

Similar presentations

Presentation on theme: "F3 Collecting Network Based Evidence (NBE)"— Presentation transcript:

1 F3 Collecting Network Based Evidence (NBE)
Dr. John P. Abraham Professor UTPA

2 NBE Proactive Reactive Collect To prevent attacks
Attack already happened. Collect Full content data Session data Alert data Statistical data

3 Full Content Data Similar to recording all conversations of suspects.
Collecting all computer activities. Intercept all packets and record. Takes a lot of disk space. Takes a lot of time for analysis Beyond the means of most organizations to collect full content data. Usually this is not done.

4 Session Data Similar to recording one conversation between suspects. Also retrieve phone company records for a summary of all conversations. You can get a summary of sessions with date and time, from source and destination addresses and how it was terminated.

5 Alert Data Analyzing NBE for a predefined items of interest.
For example, when a particular pair of source/destination addresses are encountered. Programmed to recognize bit patterns. It might trigger a precursor to an attack. Similar to a red light going off when a particular word is heard, such as OSAMA.

6 Statistical data Similar to time of the day of the regular calls between subjects, duration, etc. Most active IP addresses, ports, data length, etc.

7 A standard Intrusion scenario
Example Reconnaissance. Preliminary examination before an attack. Validate address and connectivity, enumerate services, and check for vulnerable versions of software. Reinforcement. Download attack tools. Attempt to elevate privileges at the target, perhaps using a backdoor. Consolidation. Use someone else’s IP address to connect to the victim. Or have the victim connect to a chat, and enter through that. Pillage. Steal info. Damage computer, etc.

8 Using full content data
Data collected using network security monitoring. By collecting every packet you could have a complete record of intruder’s actions, unless the intruder used encryption. The following questions could be answered: Is the web server compromised? What info was lost. Where did the intruder go to get the info. Find the backdoor

9 Using session data Sessions data is a summary of conversations.
Easiest form of data to understand and manipulate because packets are not collected nor examined. Scanmap3d is a visualization software for session data, available: Scanmap3d is a JAVA program, written as a concept demonstration for visualisation of network intrusion detection information. The program reads information from a MySQL database and produces a 3D map of network traffic. The visualisation is very useful for intrusion detection or network troubleshooting. The code is now in a stable enough state to be useful in analysing tcpdump/snort data within a mysql database.

10 Session data provides answers
Is the web server compromised? You can view suspicious connections. Usual web requests are inbound connections. Suspicious are outbound connections. Also using ports other than 80. Did the intruder visit other machines using the webserver? You can get this information from the sessions data. Is the intruder present now? How frequent are the visits?

11 Using Alert Data Intrusion detection system is a device or application used to inspect all network traffic and alert the user or administrator when there has been unauthorized attempts or access. The two primary methods of monitoring are signature-based and anomaly-based. Depending on the device or application used, the IDS can either simply alert the user or administrator or it could be set up to block specific traffic or automatically respond in some way. Signature-based detection relies on comparison of traffic to a database containing signatures of known attack methods. Good to determine if the system was scanned.

12 Using Statistical Data
Information on unusual ports or protocols, amount of traffic, etc.

13 Data Collection Hubs. Forwards to all ports, a monitoring station can detect all packets. Operates under half duplex, so the speed suffers, perhaps can get about 60Mbps. Place it between the router and the next device (switch, firewall, etc). Taps. More expensive. Works the same way, with improved speed. Bridges. You can use a computer with two network ports, bridged to do the same as a tap. Switched port analyzer. Set a port as a mirror port

14 Collecting and Storing Traffic
Full content data tools: is the standard packet capture program. Use the program libpcap to make copies of traffic. For PCs may use wincap.org/windump or winPcap.org For analyzing, use and to view graphically, use There are freeware available to search in a dump.

15 Session Data tools Download argus from several versions available. Operates in live or batch mode. is designed to interpret traffic in batch mode. Tcpflow from circlemud can work with full content data and it can rebuild the contents of individual sessions.

Download ppt "F3 Collecting Network Based Evidence (NBE)"

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Intrusion Detection System(IDS) Overview Manglers Gopal Paliwal Gopal Paliwal Roshni Zawar Roshni Zawar SenthilRaja Velu SenthilRaja Velu Sreevathsa Sathyanarayana.

Intrusion Detection System(IDS) Overview Manglers Gopal Paliwal Gopal Paliwal Roshni Zawar Roshni Zawar SenthilRaja Velu SenthilRaja Velu Sreevathsa Sathyanarayana.
F4-analyzing Network-based evidence for a windows intrusion Dr. John P. Abraham Professor UTPA.

F4-analyzing Network-based evidence for a windows intrusion Dr. John P. Abraham Professor UTPA.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Passive traffic measurement Capturing actual Internet packets in order to measure: –Packet sizes –Traffic volumes –Application utilisation –Resource utilisation.

Passive traffic measurement Capturing actual Internet packets in order to measure: –Packet sizes –Traffic volumes –Application utilisation –Resource utilisation.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Department Of Computer Engineering

Department Of Computer Engineering
Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems

Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Network Forensics Networking Basics Collecting Network-Based Evidence (NBE) Collection of Packets using Tools Windows Intrusion UNIX Intrusion.

Network Forensics Networking Basics Collecting Network-Based Evidence (NBE) Collection of Packets using Tools Windows Intrusion UNIX Intrusion.
Network Security Monitoring By Bea Wilds CS 522 6 Dec 06.

Network Security Monitoring By Bea Wilds CS Dec 06.
PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.

PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.

Similar presentations

Ads by Google