Presentation is loading. Please wait.

Presentation is loading. Please wait.

Toward Self-directed Intrusion Detection Paul Barford Assistant Professor Computer Science University of Wisconsin June, 2005.

Published byHollie Waters Modified over 8 years ago

Similar presentations

Presentation on theme: "Toward Self-directed Intrusion Detection Paul Barford Assistant Professor Computer Science University of Wisconsin June, 2005."— Presentation transcript:

1 Toward Self-directed Intrusion Detection Paul Barford Assistant Professor Computer Science University of Wisconsin June, 2005

2 wail.cs.wisc.edu2 Motivation - the good Network security analysts have many tasks –Abuse monitoring –Audit and forensic analysis –Firewall/ACL configuration –Vulnerability testing –Policy –Liaison Network management End host management

3 wail.cs.wisc.edu3 Motivation - the bad Adversaries are smart Vulnerabilities and threats are significant –Worms Slammer, Blaster, Sasser, Witty, MyDoom, etc. Persistent and growing background radiation (Pang et al. ‘04) –Scans Billions per day Internet-wide and growing (Yegneswaran et al. ‘03) –Viruses No longer clearly defined (eg. Agobot) –DDos Bot-nets consisting of hundreds of thousands of drones

4 wail.cs.wisc.edu4 Motivation - the ugly (sort of) Network intrusion detection systems (NIDS) –Static signatures - hard to tune and maintain –Lots of alarms –Scalability problems Firewalls and intrusion prevention systems –Limited capability Bulletin boards and commercial services –May not be timely enough Traffic monitors (eg. FlowScan, AutoFocus) –A step in the right direction

5 wail.cs.wisc.edu5 Objective Network situational awareness based on self- directed network intrusion detection –“The degree of consistency between one’s perception of their situation and reality” –“An accurate set of information about one’s environment scaled to a specific level of interest” –Expand notions of traditional abuse monitoring and forensic analysis Adapts to malicious traffic –Front-end for firewalls/IPS

6 wail.cs.wisc.edu6 Mechanisms Data sharing between networks –Eg. DOMINO (Yegneswaran et al., NDSS ‘04) Monitoring unused address space –Eg. iSink (Yegneswaran et al., RAID ‘04) –Eg. BroSA (Yegneswaran et al. ‘05) Automatic generation of resilient signatures –Eg. Nemean (Yegneswaran et al., USENIX Security ‘05)

7 wail.cs.wisc.edu7 DOMINO architecture Hierarchical overlay network –Descending order of security and trust Data sharing –XML-based schema –Summary exchange protocol extends IDMEF –Push or pulling periodically Data/alert fusion and filtering –Subject of on-going research (eg, Barford et al. Allerton, ‘04)

8 wail.cs.wisc.edu8 Unused address monitoring Packets are (nearly) all malicious –There have been some very weird misconfigurations Enables active responses –Key for understanding details Widely available –We monitor four class B’s and one class A –Useful in large and small Easier to share this data

9 wail.cs.wisc.edu9 iSink architecture Passive component: Argus –libpcap-based monitoring tool Active component: based on Click modular router –Library of stateless responders to collect details of intrusions NAT filter: to manage (redundant) traffic –Source/destination filtering

10 wail.cs.wisc.edu10 Activities on ports (port 135) Distribution of exploits varies with network –170 byte requests on Class A –Blaster, RPC-X1 all 3 networks –Welchia LBL –Empty connections UW Networks

11 wail.cs.wisc.edu11 Real-time honeynet reports Bro plug-in for situational summary generation –Periodic reports New events High variance events Low variance events Top profiles –Adaptive NetSA in depth –Identify large events quickly –On-going

12 wail.cs.wisc.edu12 Semantics-aware signatures Objective: automated generation of resilient NIDS signatures –Signatures must be both specific and general Challenge: generate signatures for attack vectors that have never been seen –Multi-step and polymorphic attacks Approach: create a transformation algorithm to synthesize semantics-aware signatures from iSink data –Session and application protocol semantic awareness (Sommer & Paxson, ‘03)

13 wail.cs.wisc.edu13 Nemean architecture Data abstraction –Transport normalizer –Aggregation –Service normalizer Clustering –Group sessions/connections using similarity metric Signature generation –Machine learning to build finite state automata

14 wail.cs.wisc.edu14 Signature example (Welchia) Multistage attack (3 steps) –GET /  200 OK –SEARCH /  411 Length Required –SEARCH /AAAA… Start Get / 200 Search / 411 Search / 411 Get / 200 Search /AAAAA[more] 400 Search /AAAAA[more] 400 Search /AAAAA[more] 400

15 wail.cs.wisc.edu15 Summary Malicious activity in the Internet is a huge problem and is likely to persist for a long time Current network security analysis tools are largely inadequate We advocate network situational awareness through self-directed intrusion detection –Distributed data sharing –Unused address space monitoring –Automated semantics-aware signature generation

Download ppt "Toward Self-directed Intrusion Detection Paul Barford Assistant Professor Computer Science University of Wisconsin June, 2005."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Tracking the Role of Adversaries in Measuring Unwanted Traffic Mark Allman(ICSI) Paul Barford(Univ. Wisconsin) Balachander Krishnamurthy(AT&T Labs - Research)

Tracking the Role of Adversaries in Measuring Unwanted Traffic Mark Allman(ICSI) Paul Barford(Univ. Wisconsin) Balachander Krishnamurthy(AT&T Labs - Research)
Internet Measurement Initiatives in the Wisconsin Advanced Internet Lab Paul Barford Computer Science Department University of Wisconsin – Madison Spring,

Internet Measurement Initiatives in the Wisconsin Advanced Internet Lab Paul Barford Computer Science Department University of Wisconsin – Madison Spring,
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Intrusion Detection/Prevention Systems. Objectives and Deliverable Understand the concept of IDS/IPS and the two major categorizations: by features/models,

Intrusion Detection/Prevention Systems. Objectives and Deliverable Understand the concept of IDS/IPS and the two major categorizations: by features/models,
Panel: Current Research on Stopping Unwanted Traffic Vern Paxson, Stefan Savage, Helen J. Wang IAB Workshop on Unwanted Traffic March 10, 2006.

Panel: Current Research on Stopping Unwanted Traffic Vern Paxson, Stefan Savage, Helen J. Wang IAB Workshop on Unwanted Traffic March 10, 2006.
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
Firewall Raghunathan Srinivasan October 30, 2007 CSE 466/598 Computer Systems Security.

Firewall Raghunathan Srinivasan October 30, 2007 CSE 466/598 Computer Systems Security.
Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,

Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,
What Learned Last Week Homework qn –What machine does the URL go to?

What Learned Last Week Homework qn –What machine does the URL go to?
Intrusion Detection/Prevention Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality,

Intrusion Detection/Prevention Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality,
1 Collaborative Online Passive Monitoring for Internet Quarantine Weidong Cui SAHARA Winter Retreat, 2004.

1 Collaborative Online Passive Monitoring for Internet Quarantine Weidong Cui SAHARA Winter Retreat, 2004.
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering

Similar presentations

Ads by Google