Neural Technology and Fuzzy Systems in Network Security: Project Progress 2. Group 2: Omar Ehtisham Anwar 2005-02-0129, Aneela Laeeq 2005-02-0023. Presentation transcript:


2 Neural Techniques
- Conventional IPS tools are based on static rules (signatures) alone
- Neural techniques seek to classify all new events and highlight those that appear most threatening
- Neural techniques leave the security expert as the final arbiter of what is actually a threat

3 The Neural Security Layer
Fuzzy Clustering
- Creates a baseline profile of the network in its various states by "training" itself on observed activity
- Establishes patterns of behaviour rather than an exact profile of what a given user does
- Uses algorithms that identify these patterns and separate the data into clusters accordingly
Kernel Classifier
- Determines which existing cluster a new event most likely belongs to
- Classifies events according to how far they are from the norm, i.e. from the nearest existing cluster
- Events farthest from the norm bubble to the top of the list, where administrators take manual action
- Uses algorithms based on non-linear distribution laws, which use statistics to track what happens over extended periods of time

4 Clusters
- A set of XML files that become the model filters, or knowledge base, for the network resource being monitored
- The knowledge base is continually updated based on:
  - Results of day-to-day activities
  - Data from third-party sources, such as IDS signatures

5 Six Steps to Producing Security Intelligence
1) Designate Data: the data can be system log entries or any other raw or formatted measure of activity in the environment.
2) Model Analyst Expertise: the variables, weights, cluster centres and pertinent event knowledge that make up the analytic (data mining) model are configured according to the specific analysis requirements and the unique attributes of the particular environment.
3) Train Model: the designated security data is organised into multi-dimensional "event vectors" within the context of the analytic model. This establishes the baseline of normal activity.
4) Generate Knowledge: live or offline data is compared against the training baseline and classified accordingly.
5) Teach Model: user supervision and the infusion of expert knowledge are essential for accurate event classification and system baselining, and for filtering out anomalous activity that is not actually a threat.
6) Leverage Knowledge: the system's output feeds the real-time or offline analysis, detection and prevention of potential internal and external criminal activity or system misuse.

6 Neural Security (NS) Tool
- Monitors activity on Microsoft Internet Information Server (IIS) web servers
- Preconfigured to monitor activity on a single IIS server or an entire server farm
- In training mode, examines IIS logs to determine the normal activity of the server and creates its clusters
- Comes with a knowledge base of known IIS exploits
- Unlike rule-based security systems, NS quickly adapts to each unique installation and continues to adapt as more information is added to its knowledge base

7 Neural Security (NS) Tool
Training Mode
- Organises IIS-specific data into clusters that reflect the normal use patterns (both trusted and untrusted) within the server environment
- The process of organising clusters is guided by a built-in knowledge base of published attack signatures
Monitor Mode
- Compares every incoming request to IIS against the Training Database to determine whether it falls within an acceptable distance of trusted activity
- Within the limits of trusted activity: processing continues
- Outside the limits of trusted activity: whatever action has been configured is initiated, e.g. post an on-screen alert, block the untrusted connection, or shut down IIS
- Note that the blocking and shut-down responses turn a misclassified legitimate request into a self-inflicted denial of service, so they are only sensible once the Training Database has been reviewed and re-trained (slide 8)

8 Neural Security (NS) Tool
Maintenance
- Proper classification of events is essential
- Maintain the classification as Security Alerts are displayed, or review the Security Alert Log periodically
- After re-classifying events, "Re-Train" the database
- NS remembers the corrected classification and the characteristics of those events, and applies them to the analysis of subsequent events
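The following Python script is an added example, not code from the slides or from the NS product, that runs the whole loop the slides describe: train clusters from IIS logs (slides 3 and 5), score incoming requests by their distance from the nearest cluster and rank the farthest ones to the top (slide 7), and re-train after an analyst reclassifies an alert as trusted (slide 8). Everything not on the slides is an assumption: the IIS W3C log field layout, the six-element feature vector, plain k-means standing in for the fuzzy clustering engine, the `MARGIN` rule that sets the "acceptable distance" as 1.25 times the largest distance any training event has from its own cluster centre, and the log lines themselves, which are constructed (the traversal and injection requests are textbook shapes, not captured traffic).

```python
"""Toy train / monitor / re-train loop in the style of the NS slides.

Added example; assumptions are marked inline.  Pure standard library.
"""
import math
import re

# Constructed IIS W3C extended log lines (not real traffic).  Assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes time-taken
TRAINING_LOG = """\
2005-11-01 10:00:01 10.0.0.5 GET /default.htm - 200 4312 15
2005-11-01 10:00:03 10.0.0.5 GET /images/logo.gif - 200 2201 4
2005-11-01 10:00:07 10.0.0.9 GET /products.asp id=17 200 8120 31
2005-11-01 10:00:09 10.0.0.9 GET /products.asp id=18 200 8044 29
2005-11-01 10:00:12 10.0.0.7 POST /login.asp - 302 310 45
2005-11-01 10:00:15 10.0.0.7 GET /account.asp - 200 5100 40
2005-11-01 10:00:20 10.0.0.5 GET /missing.htm - 404 1635 2
"""

# Constructed lines seen in monitor mode: a routine request, a double-decoded
# directory traversal, a SQL-injection probe, and a large but legitimate
# download that the analyst will later mark as trusted.
MONITOR_LOG = """\
2005-11-02 09:12:01 10.0.0.9 GET /products.asp id=19 200 8002 30
2005-11-02 09:12:05 203.0.113.4 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200 1200 10
2005-11-02 09:12:09 203.0.113.4 GET /products.asp id=1'+OR+1=1-- 500 1900 85
2005-11-02 09:12:14 10.0.0.7 GET /downloads/manual.pdf - 200 912000 800
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) (\d+)$")
SUSPICIOUS = re.compile(r"\.\.|[%'<>;]")   # traversal and injection metacharacters
MARGIN = 1.25                              # assumed: acceptable distance = 1.25 x worst training distance


def features(line):
    """Turn one log line into the multi-dimensional 'event vector' of slide 5 (assumed features)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    _, _, _, _, stem, query, status, sbytes, taken = m.groups()
    query = "" if query == "-" else query
    return [
        float(len(stem)),
        float(len(query)),
        float(len(SUSPICIOUS.findall(stem + query))),
        float(int(status) // 100),        # 2xx / 3xx / 4xx / 5xx class
        math.log(int(sbytes) + 1),        # log-scaled response size
        math.log(int(taken) + 1),         # log-scaled service time (ms)
    ]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest(centers, v):
    """Index of, and distance to, the closest cluster centre (the 'norm' for this event)."""
    d, i = min((distance(c, v), i) for i, c in enumerate(centers))
    return i, d


def kmeans(vectors, k, rounds=50):
    """Plain k-means standing in for the fuzzy clustering engine.
    Initial centres are the first k training vectors, so the result is deterministic."""
    k = min(k, len(vectors))
    centers = [list(v) for v in vectors[:k]]
    for _ in range(rounds):
        buckets = [[] for _ in range(k)]
        for v in vectors:
            buckets[nearest(centers, v)[0]].append(v)
        new = [[sum(col) / len(b) for col in zip(*b)] if b else centers[i]
               for i, b in enumerate(buckets)]
        moved = max(distance(a, b) for a, b in zip(centers, new))
        centers = new
        if moved < 1e-9:
            break
    return centers


class NeuralSecurity:
    def __init__(self, k=3):
        self.k = k
        self.trusted = []            # raw lines accepted as normal activity
        self.mean = self.std = self.centers = None
        self.threshold = 0.0

    def _scale(self, v):
        return [(x - m) / s for x, m, s in zip(v, self.mean, self.std)]

    def train(self, lines):
        """Training mode (slide 7): z-score the event vectors, cluster them, fix the threshold."""
        self.trusted = [l for l in lines if l.strip()]
        raw = [features(l) for l in self.trusted]
        cols = list(zip(*raw))
        self.mean = [sum(c) / len(c) for c in cols]
        # a feature that never varies in training keeps its raw scale (std forced to 1)
        self.std = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
                    for c, m in zip(cols, self.mean)]
        scaled = [self._scale(v) for v in raw]
        self.centers = kmeans(scaled, self.k)
        worst = max(nearest(self.centers, v)[1] for v in scaled)
        self.threshold = MARGIN * worst

    def score(self, line):
        """Kernel-classifier step (slide 3): distance from the nearest existing cluster."""
        return nearest(self.centers, self._scale(features(line)))[1]

    def classify(self, line):
        return "trusted" if self.score(line) <= self.threshold else "alert"

    def monitor(self, lines):
        """Monitor mode: score every request; the farthest from the norm bubble to the top."""
        scored = [(self.score(l), self.classify(l), l) for l in lines if l.strip()]
        return sorted(scored, key=lambda t: t[0], reverse=True)

    def retrain(self, reclassified_lines):
        """Maintenance (slide 8): alerts the analyst marks as trusted join the baseline, then re-train."""
        self.train(self.trusted + list(reclassified_lines))


if __name__ == "__main__":
    ns = NeuralSecurity()
    ns.train(TRAINING_LOG.splitlines())
    for dist, verdict, line in ns.monitor(MONITOR_LOG.splitlines()):
        print("%-7s %6.2f  %s" % (verdict, dist, line.split(" ", 3)[3]))
    big_download = MONITOR_LOG.splitlines()[3]
    ns.retrain([big_download])          # analyst decides the download was legitimate
    print("after re-train:", ns.classify(big_download))
```

Two details are worth noticing. The suspicious-character count never varies in the training data, so its standard deviation is zero and it is left unscaled; every metacharacter in a new request then adds a full unit of distance, which is what lifts the traversal request above everything else in the ranking. And because the threshold is derived from the training set itself, a re-classified event is always within the acceptable distance after re-training, which is exactly the slide-8 promise that NS "remembers" the corrected classification; the flip side is that re-training on a real attack would quietly widen the baseline, so the analyst's decision in the maintenance step matters more than the clustering.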

