
Second Line Intrusion Detection Using Personalization DISA Sponsored GWU-CS.


1 Second Line Intrusion Detection Using Personalization DISA Sponsored GWU-CS

2 Content
1. Introduction
2. Examples and Analysis
3. Prototype Design
4. More to come
5. Conclusion

3 Introduction
Penetration into computer systems continues at a high rate despite substantial progress in security research and technology
No reason to assume that this level of “insecurity” will change
Most penetrations are done by individuals or small teams
Only lately has personalization entered into security consideration

4 Our research into personalization in areas such as:
  – User command-line behavior (e.g., UNIX)
  – User browser patterns as reflected by URL sequences
  – User work habits
Provides a basis for:
  – User classification
  – Abnormality observation
  – Detection of deviation from regular behavior
  – Changes in patterns

5 Examples and Analysis
Example 1:
www.fada.com
www.fada.com/address.html
www.fada.com/cline.html
www.fada.com/cline-bisttram.html
www.fada.com/cline-stella2.html
www.fada.com/karges.html
www.fada.com/karges1.html
www.fada.com/karges3.html
www.fada.com/karges8.html
www.fada.com/mmfa.html
www.fada.com/mmfa1.html
www.fada.com/mmfa9.html

6 Comments on Example 1
Assumptions:
  – Access to the server is through the home page www.fada.com
  – Knowledge of the structure and content of the server pages
www.fada.com provides the following:
  – Detailed access starts from the server page address.html
  – Page cline.html leads to two links:
    – cline-bisttram.html and
    – cline-stella2.html
The example demonstrates “reasonable” behavior

7 Example 2
www.fada.com/mmfa9.html
www.fada.com/rehs10.html
www.fada.com/stern3.html
www.fada.com/address.html
www.fada.com/trotter41.html
www.fada.com/cantor8.html

8 Comments on Example 2
Access starts straight from a couple of internal pages (i.e., nodes of the tree)
It continues with a visit to a link off the home page
Summary:
  – The behavior does not follow regular access patterns
  – The behavior is difficult to explain
  – This access may indicate suspicious behavior

9 Other Types of Entry Modes
In addition to URLs, one should watch out for:
  – FTP access
  – E-mail
  – Potential logins
  – Access via other protocols: e.g., port scanning
On a “sound” server:
FTP ports are predefined
E-mail, except for bugs, can be protected against
Port scanning is already trapped by the IDS

10 Prototype Design
We face suspicious behavior with two tools:
  – Automatic recognition: machine learning, data mining
Automatic recognition may be trained on “regular” access patterns and attempt detection of “irregular” access patterns
  – So far, results are good, but not great: enough penetration is undetected

11 Behavior Analysis Application
A Java application that classifies behavior is partially done and operational
  – It shows a high level of detection of irregular behavior
The approach is promising and has a proven track record
Web browser communication performance improved by 20% by changing the cache to use Next URL Prediction
Prediction is based on the underlying assumption of “regularity” of behavior

12 Observation
URL, IP packet, and port scanning sequences look like an algorithm (or a program) without termination
  – Example 1 can be written as:
    Initialize; www.fada.com
    Initialize; www.fada.com/address.html
    Loop; rest of URLs
    The loop is a while that selects links in www.fada.com/address.html for viewing
    The selection criterion is personal
  – Example 2 looks like an unordered set of program statements
    Therefore Example 2 does not seem to be a “regular” access pattern

13 Prototype Design Details
STEPS
1. Analyze the server page hierarchy
2. Analyze each page for links and source (i.e., src) files
3. Build an identification engine based on:
   1. Behavior categorization
   2. Page hierarchy
   3. Isolation of individual users to identifying agents
4. Construct input benchmarks
5. Continue work on Other Types of Entry Modes
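The following is an added example, not the presentation's Java prototype, that carries steps 1 to 3 through on the two sessions from slides 5 and 7 and on the "Initialize; Initialize; Loop" reading of slide 12. The page HTML is constructed to match the hierarchy the slides describe for www.fada.com (home page, then address.html, then artist pages, then individual works) and is an assumption, not the real site's content. The regularity rule is also an assumption that generalizes slide 12 slightly: a session is regular if it starts at the home page and every later URL is a link on some page already viewed in the session, so going back to address.html and picking another artist counts as the slide's loop, while a first request for an internal page or a jump the hierarchy does not explain is flagged.

```python
"""Added example (not the presentation's prototype): check a session's URL
sequence against the server's page hierarchy, as slides 5-8, 12 and 13 describe."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

HOME = "www.fada.com"

# Constructed HTML for the site's pages (assumption: follows the slides'
# description of the hierarchy, home -> address.html -> artist pages -> works).
PAGES = {
    "www.fada.com": '<a href="address.html">Artists</a>',
    "www.fada.com/address.html": (
        '<a href="cline.html">Cline</a>'
        '<a href="karges.html">Karges</a>'
        '<a href="mmfa.html">MMFA</a>'
        '<img src="logo.gif">'
    ),
    "www.fada.com/cline.html": (
        '<a href="cline-bisttram.html">Bisttram</a>'
        '<a href="cline-stella2.html">Stella</a>'
    ),
    "www.fada.com/karges.html": (
        '<a href="karges1.html">1</a><a href="karges3.html">3</a>'
        '<a href="karges8.html">8</a>'
    ),
    "www.fada.com/mmfa.html": '<a href="mmfa1.html">1</a><a href="mmfa9.html">9</a>',
}

# The two URL sequences shown on slides 5 and 7.
EXAMPLE_1 = [
    "www.fada.com", "www.fada.com/address.html", "www.fada.com/cline.html",
    "www.fada.com/cline-bisttram.html", "www.fada.com/cline-stella2.html",
    "www.fada.com/karges.html", "www.fada.com/karges1.html",
    "www.fada.com/karges3.html", "www.fada.com/karges8.html",
    "www.fada.com/mmfa.html", "www.fada.com/mmfa1.html", "www.fada.com/mmfa9.html",
]
EXAMPLE_2 = [
    "www.fada.com/mmfa9.html", "www.fada.com/rehs10.html", "www.fada.com/stern3.html",
    "www.fada.com/address.html", "www.fada.com/trotter41.html", "www.fada.com/cantor8.html",
]


class LinkExtractor(HTMLParser):
    """Step 2 of slide 13: collect href links and src files from one page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.sources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        if attrs.get("src"):
            self.sources.append(attrs["src"])


def resolve(page, ref):
    """Resolve a relative reference against the page that contains it.
    Pages are keyed without a scheme, so one is added for urljoin and removed again."""
    parsed = urlparse(urljoin("http://" + page, ref))
    return parsed.netloc + parsed.path


def build_link_graph(pages):
    """Step 1: the page hierarchy as a dict page -> set of pages it links to,
    plus a dict page -> set of src files it pulls in."""
    graph, sources = {}, {}
    for page, html in pages.items():
        extractor = LinkExtractor()
        extractor.feed(html)
        graph[page] = {resolve(page, h) for h in extractor.links}
        sources[page] = {resolve(page, s) for s in extractor.sources}
    return graph, sources


def classify_session(urls, graph, home=HOME):
    """Slide 12's test (assumed rule): a regular session initializes at the home
    page and every later URL is a link on some page already viewed in the
    session, so returning to an earlier page and picking another link is fine.
    Returns ("regular", []) or ("irregular", [URLs the hierarchy cannot explain])."""
    unexplained = []
    visited = set()
    for i, url in enumerate(urls):
        if i == 0:
            if url != home:
                unexplained.append(url)
        elif not any(url in graph.get(seen, ()) for seen in visited):
            unexplained.append(url)
        visited.add(url)
    return ("regular" if not unexplained else "irregular"), unexplained


if __name__ == "__main__":
    link_graph, _ = build_link_graph(PAGES)
    for name, session in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, *classify_session(session, link_graph))
```

Run stand-alone, Example 1 is reported as regular with nothing unexplained, and Example 2 as irregular with all six URLs unexplained: the first request is an internal page, and address.html, although a link off the home page, is never reached from a page the session has viewed. Keeping the list of unexplained URLs rather than only a verdict is what an analyst needs to decide whether a flagged session is a bookmark, a search-engine entry, or something worth a closer look.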

14 More to come
Examples of more complex relationships to be explored:
  – Server pages link to other servers' pages
  – Same source (IP) for different communication types
  – Accessing different locations on the tree concurrently
    – Can be done by using two copies of the browser
    – The two sessions will have different IDs but may be cooperating
    – The agents monitoring the two browsers must collaborate
  – URLs and FTPs from the same source at the same time
  – Multiple FTPs
    – Similar case to multiple browsers...

15 Conclusion
A substantial prototype will be completed by the end of Summer
Complex relationships will be explored:
  – Threats will be enumerated
  – Potential detection will be proposed
  – The prototype will include some of these results
Open areas will be reported on in detail


