Peng Ning CSC 600 Fall 2001 (Friday, 10/26/2001) Research Topics in Network Security, Secure E-Commerce and Temporal Databases.

2 Web Resource
- Details can be found at http://www.csc.ncsu.edu/faculty/ning/research.html

3 Outline
- Intrusion Detection
  - Abstraction-based Intrusion Detection
  - Decentralized Detection of Distributed Attacks
  - Correlating Alerts Using Prerequisites of Intrusions
- Secure E-Commerce Applications
  - Reliable Fair Exchange Protocols
- Temporal Databases and Data Mining
  - Calendar Algebra
  - Multiple Granularity Support in Temporal Databases and Data Mining

4 Abstraction-based Intrusion Detection

5 What Is Intrusion Detection
- Intrusion
  - A set of actions aimed at compromising the security goals, namely the integrity, confidentiality or availability, of a computing and networking resource
- Intrusion detection
  - The process of identifying and responding to intrusion activities

6 Why Do We Need Intrusion Detection?
- Approaches to protecting information systems
  - Prevention
    - E.g., encryption, authentication, access control
    - On its own, fails to protect our systems, because of flaws in the design and development processes
  - Detection and response
    - A second line of defense
    - Gives a better understanding of the security of information systems

7 What Is Abstraction
- By Webster's New World Dictionary of American English
  - Formation of an idea, as of the qualities or properties of a thing, by mental separation from particular instances or material objects.
- In intrusion detection, abstraction is important to
  - Hide the differences between heterogeneous systems
  - Hide unnecessary details

8 Current Situation
- Problems
  - Abstraction is treated as a one-time preparation step, done before detection starts
  - Abstraction is an error-prone process
  - There is not enough system support for it
- What we need
  - Abstraction as a dynamic, on-going process
  - System support for abstraction

9 A Hierarchical Framework for Abstraction and Intrusion Detection
- Essential concepts
  - System view: what the essential information is
  - Signature: the pattern we care about, expressed over the essential information (i.e., over system views)
  - View definition: how, and from what, the essential information is provided

10 Make It A Dynamic Process
- Abstraction is an on-going process.
[Figure: known specific attacks (Land, Teardrop, SYN flooding, Ping of Death) abstracted into TCPDOSAttacks.]

11 Make It A Dynamic Process (Cont'd)
- A hierarchical framework for event abstraction and attack specification
[Figure: views IPPacket, TCPPacket and TCPDOSAttacks; signatures for Land, Teardrop, Ping of Death, SYN flooding and TCP packets; View Def. 1 to View Def. 5 connect each signature to the view it is defined on and to the view it abstracts into.]
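The framework on the two slides above, as an added example (not code from the talk or from the CARDS prototype): a view definition derives a TCPPacket view from IPPacket events, four signatures are written against the views, and together they define the abstracted TCPDOSAttacks view, so a new specific attack is added as one more signature without touching anything built on the abstract view. The view names follow the slide; the field names, signature thresholds and every packet are constructed for illustration.

```python
"""Abstraction-based intrusion detection: system views, view definitions and signatures.

Added example, not code from the talk or from the CARDS prototype. Events are plain dicts;
the view names follow the slide (IPPacket, TCPPacket, TCPDOSAttacks), while the field
names, the signature parameters and every packet value are constructed for illustration.
"""
from collections import defaultdict, deque


# --- View definition: IPPacket -> TCPPacket (keep only what TCP-level signatures need) ---
def tcp_packet_view(ip_packets):
    return [{"t": p["t"], "src": p["src"], "dst": p["dst"], "sport": p["sport"],
             "dport": p["dport"], "flags": p["flags"]}
            for p in ip_packets if p["proto"] == "tcp"]


def dos_event(t, attack, victim, port=-1):
    """An event of the abstracted TCPDOSAttacks view (port -1: no specific victim port)."""
    return {"t": t, "attack": attack, "VictimIP": victim, "VictimPort": port}


# --- Signatures written against the TCPPacket view ---
def sig_land(tcp):
    """Land: source and destination address:port of a TCP packet are identical."""
    return [dos_event(p["t"], "Land", p["dst"], p["dport"]) for p in tcp
            if p["src"] == p["dst"] and p["sport"] == p["dport"]]


def sig_syn_flood(tcp, threshold=3, window=1.0):
    """SYN flooding: more than `threshold` bare SYNs to one dst:port within `window`
    seconds. Fires once, when the burst first crosses the threshold."""
    recent, hits = defaultdict(deque), []
    for p in tcp:
        if p["flags"] != {"SYN"}:
            continue
        q = recent[(p["dst"], p["dport"])]
        q.append(p["t"])
        while q[0] < p["t"] - window:
            q.popleft()
        if len(q) == threshold + 1:
            hits.append(dos_event(p["t"], "SYN flooding", p["dst"], p["dport"]))
    return hits


# --- Signatures written against the IPPacket view ---
def sig_teardrop(ip_packets):
    """Teardrop: an IP fragment that starts inside the previous fragment of the same datagram."""
    end, hits = {}, []
    for p in ip_packets:
        if p["id"] in end and p["frag_off"] < end[p["id"]]:
            hits.append(dos_event(p["t"], "Teardrop", p["dst"]))
        end[p["id"]] = max(end.get(p["id"], 0), p["frag_off"] + p["length"])
    return hits


def sig_ping_of_death(ip_packets):
    """Ping of Death: ICMP fragments that would reassemble to more than 65535 bytes."""
    size, hits = defaultdict(int), []
    for p in ip_packets:
        if p["proto"] == "icmp":
            size[p["id"]] = max(size[p["id"]], p["frag_off"] + p["length"])
            if size[p["id"]] > 65535:
                hits.append(dos_event(p["t"], "Ping of Death", p["dst"]))
    return hits


# --- View definition: the four signatures together define the TCPDOSAttacks view ---
def tcp_dos_attacks_view(ip_packets):
    tcp = tcp_packet_view(ip_packets)
    events = (sig_land(tcp) + sig_syn_flood(tcp)
              + sig_teardrop(ip_packets) + sig_ping_of_death(ip_packets))
    return sorted(events, key=lambda e: e["t"])


def pkt(t, src, dst, proto="tcp", sport=0, dport=0, flags=(), id=0, frag_off=0, length=40):
    """Constructed IPPacket event."""
    return dict(t=t, src=src, dst=dst, proto=proto, sport=sport, dport=dport,
                flags=set(flags), id=id, frag_off=frag_off, length=length)


SAMPLE_PACKETS = [  # constructed capture
    pkt(1.0, "10.0.0.5", "10.0.0.5", sport=139, dport=139, flags={"SYN"}, id=1),    # Land
    pkt(2.0, "10.0.0.9", "10.0.0.5", proto="icmp", id=2, frag_off=0, length=60000),
    pkt(2.1, "10.0.0.9", "10.0.0.5", proto="icmp", id=2, frag_off=60000, length=6000),  # Ping of Death
    pkt(3.0, "10.0.0.7", "10.0.0.5", sport=40001, dport=80, flags={"SYN"}, id=3),
    pkt(3.1, "10.0.0.7", "10.0.0.5", sport=40002, dport=80, flags={"SYN"}, id=4),
    pkt(3.2, "10.0.0.7", "10.0.0.5", sport=40003, dport=80, flags={"SYN"}, id=5),
    pkt(3.3, "10.0.0.7", "10.0.0.5", sport=40004, dport=80, flags={"SYN"}, id=6),   # 4th SYN within 1 s
    pkt(4.0, "10.0.0.8", "10.0.0.5", sport=50000, dport=22, flags={"SYN", "ACK"}, id=7),  # benign
    pkt(5.0, "10.0.0.9", "10.0.0.5", proto="udp", id=8, frag_off=0, length=100),
    pkt(5.1, "10.0.0.9", "10.0.0.5", proto="udp", id=8, frag_off=50, length=100),   # Teardrop overlap
]
```

Ping of Death and Teardrop are IP-level attacks, so their signatures read the IPPacket view directly; the slide's hierarchy still abstracts all four into TCPDOSAttacks, and that is what `tcp_dos_attacks_view` produces for the consumers above it.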

12 Decentralized Detection of Distributed Attacks

13 Centralized Approach
[Figure: a single central analyzer; limited scalability.]

14 Hierarchical Approach
[Figure: an attack involving hosts A and B, analyzed through a hierarchy of components.]

15 Decentralized Approach
[Figure: an attack involving hosts A and B, analyzed by cooperating peer components.]

16 Dependency between the Events in a Signature
[Figure: three events n1, n2, n3 connected by edges labelled "younger" and "equal".]
n1: System view: SysView1
    Assignment: var_IP := VictimIP; var_Port := VictimPort
    Timed condition: True
n2: System view: SysView2
    Assignment: var_SrcIP := SrcIP; var_SrcPort := SrcPort; var_DstIP := DstIP; var_DstPort := DstPort
    Timed condition: SrcIP = var_IP and (SrcPort = var_Port or var_Port = -1) and LocalIP[e.begin_time](DstIP) and Trust[e.begin_time](var_IP)
n3: System view: SysView3
    Timed condition: SrcIP = var_SrcIP and SrcPort = var_SrcPort and DstIP = var_DstIP and DstPort = var_DstPort

17 Workflow Tree
- The nodes are all the events in the signature
- The edges satisfy the following conditions:
  - given two events n1 and n2 in the signature, n2 is a descendant of n1 if n1 requires n2, and
  - there exists a subtree that contains all and only the positive events in the signature.
[Figure: a workflow tree with nodes n1 to n5.]

18 Detecting the Mitnick Attack
[Figure: the workflow tree n1, n2, n3 decomposed into three detection tasks spread over the network monitor (TCPDOSAttack events), host B and host A (local TCP connections); the tasks exchange only variable values and timestamps.]
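The three-event signature of slide 16 evaluated as the workflow tree of slides 17 and 18, as an added example (not code from the talk or from CARDS). The variable names and timed conditions of n1, n2 and n3 are those on the signature slide; everything else is an assumption of this example: task n1 sits on the network monitor, n2 on host B and n3 on host A, all three events are positive, "younger" means n2 occurs after n1 and "equal" that n3 carries the same timestamp as n2, the LocalIP and Trust tables are time-invariant, and the event streams are constructed.

```python
"""Decentralized evaluation of the three-event signature on the slides as a workflow tree.

Added example, not code from the talk or from CARDS. Variable names and timed conditions
come from the signature slide; the placement of the detection tasks, the reading of the
"younger" and "equal" edges, the LocalIP/Trust tables and the event streams are assumed.
"""

LOCAL_IPS = {"10.0.0.5"}      # stands in for LocalIP[t](ip), constructed
TRUSTED_IPS = {"10.0.0.9"}    # stands in for Trust[t](ip), constructed


def local_ip(t, ip):
    return ip in LOCAL_IPS


def trust(t, ip):
    return ip in TRUSTED_IPS


# Each detection task runs beside its own monitor and reports only variable bindings and
# timestamps to the task above it in the workflow tree, never the raw events.
def task_n1(dos_events):
    """n1 (network monitor, SysView1): every TCP DoS event; binds var_IP and var_Port."""
    return [{"var_IP": e["VictimIP"], "var_Port": e["VictimPort"], "t1": e["t"]}
            for e in dos_events]


def task_n2(conns, b):
    """n2 (host B, SysView2): a connection younger than n1, from var_IP (any port if var_Port
    is -1) to a local host, while var_IP is trusted; binds the connection 4-tuple."""
    out = []
    for e in conns:
        if (e["t"] > b["t1"]
                and e["SrcIP"] == b["var_IP"]
                and (e["SrcPort"] == b["var_Port"] or b["var_Port"] == -1)
                and local_ip(e["t"], e["DstIP"])
                and trust(e["t"], b["var_IP"])):
            out.append(dict(b, var_SrcIP=e["SrcIP"], var_SrcPort=e["SrcPort"],
                            var_DstIP=e["DstIP"], var_DstPort=e["DstPort"], t2=e["t"]))
    return out


def task_n3(conns, b):
    """n3 (host A, SysView3): the same 4-tuple observed with a timestamp equal to n2's."""
    return [dict(b, t3=e["t"]) for e in conns
            if e["t"] == b["t2"]
            and e["SrcIP"] == b["var_SrcIP"] and e["SrcPort"] == b["var_SrcPort"]
            and e["DstIP"] == b["var_DstIP"] and e["DstPort"] == b["var_DstPort"]]


def detect(dos_events, conns_host_b, conns_host_a):
    """Root of the workflow tree n1 -> n2 -> n3; returns the bindings of complete matches."""
    matches = []
    for b1 in task_n1(dos_events):
        for b2 in task_n2(conns_host_b, b1):
            matches.extend(task_n3(conns_host_a, b2))
    return matches


# Constructed streams: a DoS against the trusted host 10.0.0.9, then a connection claiming to
# come from it to the local host 10.0.0.5 (port 513), seen on host B and on host A.
DOS_EVENTS = [{"t": 10.0, "VictimIP": "10.0.0.9", "VictimPort": -1}]
CONNS_HOST_B = [
    {"t": 12.0, "SrcIP": "10.0.0.9", "SrcPort": 1023, "DstIP": "10.0.0.5", "DstPort": 513},
    {"t": 12.5, "SrcIP": "10.0.0.7", "SrcPort": 1022, "DstIP": "10.0.0.5", "DstPort": 513},  # untrusted source
]
CONNS_HOST_A = [
    {"t": 12.0, "SrcIP": "10.0.0.9", "SrcPort": 1023, "DstIP": "10.0.0.5", "DstPort": 513},
]
```

What crosses between monitors is only the binding dict produced by each task, which is what makes the decomposition scale: host B never receives the network monitor's packet stream, and host A only has to check one 4-tuple at one timestamp.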

19 CARDS – An Experimental System
- Coordinated Attacks Response & Detection System (CARDS)
  - A prototype system for abstraction-based intrusion detection.
- Three kinds of components
  - Signature managers: generate and decompose specific signatures
  - Monitors: cooperatively detect attacks
  - Directory Service: system-wide information

20 CARDS Architecture
[Figure: signature managers register with and retrieve from the Directory Service and distribute detection tasks to monitors; monitors detect attacks through probes on the target systems.]

21 Correlating Alerts Using Prerequisites of Intrusions

22 Motivation
- Current IDSs focus on detecting low-level security-related events
  - Large number of alerts
  - Large number of false alerts
  - Low-level alerts are presented independently, though there may be logical steps or intrusion strategies behind them.
  - Unable to detect novel or unknown attacks.

23 Observation
- Attacks are not isolated. Earlier stages of a series of attacks usually prepare for the later stages.
- Examples:
  - IP sweep: discover which hosts are reachable from the network.
  - Port scanning: discover which services each host provides.
  - Network-borne buffer overflow attack: gain additional privileges (remote to user, user to root, etc.)
  - Installation of a Trojan horse program: prepare for later attacks.
  - Modification of system configuration: create backdoors for later attacks.

24 Correlating Alerts Using Prerequisites of Attacks
- The approach
  - Identify the prerequisites and the impacts of attacks
  - Example: Sadmind buffer overflow attack
    - Prerequisite: a vulnerable sadmind service exists on the target
    - Impact: the attacker may gain root access
  - Correlate attacks by matching the prerequisites of later attacks with the impacts of earlier ones.

25 Challenges
- Attackers do not have to obtain all the information they need by attacking, so some prerequisites never show up as alerts.
- The intrusion detection systems may miss some attacks.
- There are false alarms.
- Identifying the prerequisites and impacts of attacks is a knowledge-engineering process and requires substantial work.
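The matching described on slide 24, run over a small alert stream, as an added example (not code from the talk). The sadmind entry follows the slide (prerequisite: a vulnerable sadmind service; impact: root access); the other hyper-alert types, the predicate names, the alert attributes and the alerts themselves are constructed. It also shows two of the challenges from slide 25: a prerequisite no observed attack supplies, and the correlation graph splitting when the IDS misses a step.

```python
"""Correlating alerts by matching consequences of earlier attacks to prerequisites of later ones.

Added example, not code from the talk. A predicate template (name, attribute) is instantiated
with the alert's attribute value; alert a prepares for alert b when a ends before b begins and
some instantiated consequence of a equals some instantiated prerequisite of b. Type names other
than the sadmind one, predicate names and the alert stream are constructed.
"""

HYPER_ALERT_TYPES = {  # type -> (prerequisite templates, consequence templates)
    "IPSweep":       (set(), {("HostAlive", "DstIP")}),
    "PortScan":      ({("HostAlive", "DstIP")}, {("ServiceRunning", "DstIP")}),
    "SadmindBOF":    ({("ServiceRunning", "DstIP"), ("VulnerableSadmind", "DstIP")},
                      {("RootAccess", "DstIP")}),
    "TrojanInstall": ({("RootAccess", "DstIP")}, {("Backdoor", "DstIP")}),
}


def instantiate(templates, alert):
    return {(name, alert[attr]) for name, attr in templates}


def prerequisites(alert):
    return instantiate(HYPER_ALERT_TYPES[alert["type"]][0], alert)


def consequences(alert):
    return instantiate(HYPER_ALERT_TYPES[alert["type"]][1], alert)


def correlate(alerts):
    """Prepare-for edges (earlier alert id, later alert id)."""
    return [(a["id"], b["id"]) for a in alerts for b in alerts
            if a["end"] < b["begin"] and consequences(a) & prerequisites(b)]


def unmatched_prerequisites(alerts):
    """Prerequisites that no earlier alert's consequence accounts for: knowledge the attacker
    obtained without an observed attack, or attacks the IDS missed."""
    out = set()
    for b in alerts:
        earlier = set().union(*(consequences(a) for a in alerts if a["end"] < b["begin"]))
        out |= {(b["id"], p) for p in prerequisites(b) - earlier}
    return out


def correlation_graphs(alerts):
    """Connected components of the prepare-for graph: the groups an analyst is shown instead
    of isolated alerts."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    for u, v in correlate(alerts):
        parent[find(u)] = find(v)
    groups = {}
    for a in alerts:
        groups.setdefault(find(a["id"]), []).append(a["id"])
    return sorted(sorted(g) for g in groups.values())


# Constructed alert stream: a multi-step intrusion against 10.0.0.5 plus an unrelated scan.
ALERTS = [
    {"id": "a1", "type": "IPSweep",       "begin": 100, "end": 160, "DstIP": "10.0.0.5"},
    {"id": "a2", "type": "PortScan",      "begin": 200, "end": 230, "DstIP": "10.0.0.5"},
    {"id": "a3", "type": "SadmindBOF",    "begin": 300, "end": 301, "DstIP": "10.0.0.5"},
    {"id": "a4", "type": "TrojanInstall", "begin": 400, "end": 405, "DstIP": "10.0.0.5"},
    {"id": "a5", "type": "PortScan",      "begin": 210, "end": 240, "DstIP": "10.0.0.6"},
]
# The same stream with the port scan missed by the IDS.
ALERTS_PORTSCAN_MISSED = [a for a in ALERTS if a["id"] != "a2"]
```

With the full stream the four alerts against 10.0.0.5 form one chain and the scan of 10.0.0.6 stays alone; the VulnerableSadmind prerequisite is never matched because no alert supplies it. Dropping the port scan breaks the chain into two graphs, which is the failure mode an analyst has to expect from missed detections.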

26 Reliable Fair Exchange Protocols

27 What Is Fair Exchange
- Data exchange is usually the crux of an e-transaction
- Applications
  - electronic payment systems
  - certified mail
  - contract signing
  - non-repudiation of message transmission

28 What Is Fair Exchange (Cont'd)
- Fair Exchange:
  - Problem: exchange items between mutually distrusting parties.
  - An exchange is fair if, at the end of the exchange, either each player receives the item it expects or neither player receives any additional information about the other's item.

29 Popular Fair Exchange Protocols
- Exchange protocols that use a Trusted Third Party (TTP)
  - Exchange with on-line TTPs
  - Exchange with off-line TTPs
- Gradual exchange protocols
[Figure: parties A and B linked by the normal channel; each linked to the TTP by the trusted channel.]

30 What Is the Current Problem?
- System failure
  - Fairness cannot be assured if there is a system failure during an exchange.
- Our goal is to systematically survive system failures

31 Our Solutions
- Distributed transaction processing
  - A transaction is a sequence of operations that either commits or aborts
  - Atomicity can mask all the failures that may happen during the execution of a transaction
- Message logging
  - Pessimistic message logging: ensures fairness, but costs too much
  - Optimistic message logging: cheaper, but cannot ensure fairness
  - Semantics-based message logging: exploits exchange semantics to reduce logging costs without losing fairness
    - Point of no return
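The failure on slide 30 and the three logging policies on slide 31, simulated for an on-line-TTP exchange, as an added example (not code from the talk). The TTP and both parties run in one process, the trusted channel is a method call, a crash discards the TTP's volatile state but keeps its stable log, and the crash is injected either before the TTP has both items or between its two deliveries. Logging a single record at the point of no return as the semantics-based policy is this example's reading of the slide; item names and crash points are constructed.

```python
"""Surviving a TTP crash in an on-line-TTP fair exchange under three message-logging policies.

Added example, not code from the talk. "none" logs nothing, "pessimistic" logs every received
message before acting on it, "semantic" logs one record at the point of no return; the crash
points and item names are constructed.
"""
from typing import Dict, List, Optional, Tuple


class OnlineTTP:
    """Holds the items of A and B and forwards each to the other party once it has both."""

    def __init__(self, logging: str):
        assert logging in ("none", "pessimistic", "semantic")
        self.logging = logging
        self.stable_log: List[tuple] = []   # stable storage, survives a crash
        self.held: Dict[str, str] = {}      # volatile: items received but not yet exchanged

    def receive(self, sender: str, item: str) -> None:
        if self.logging == "pessimistic":   # log every message before acting on it
            self.stable_log.append(("msg", sender, item))
        self.held[sender] = item
        if len(self.held) == 2 and self.logging == "semantic":
            # Point of no return: the TTP is now obliged to deliver both items. A crash
            # before this point merely aborts the exchange, which is still fair, so nothing
            # earlier needs to reach stable storage.
            self.stable_log.append(("ponr", dict(self.held)))

    def deliver(self, mail: Dict[str, List[str]], crash_between: bool = False) -> bool:
        """Forward A's item to B and B's item to A; return False if a crash interrupted it."""
        if len(self.held) < 2:
            return True
        mail["B"].append(self.held["A"])
        if crash_between:
            self.crash()
            return False
        mail["A"].append(self.held["B"])
        return True

    def crash(self) -> None:
        self.held = {}                      # volatile state is lost, the stable log is not

    def recover(self) -> None:
        """Rebuild volatile state from the stable log."""
        for record in self.stable_log:
            if record[0] == "msg":
                self.held[record[1]] = record[2]
            elif record[0] == "ponr":
                self.held = dict(record[1])


def run_exchange(logging: str, crash_point: Optional[str] = None) -> Tuple[bool, bool, bool, int]:
    """One exchange with a crash injected at `crash_point` ("after_first_item",
    "between_deliveries" or None). Returns (fair, A got B's item, B got A's item, log writes)."""
    ttp = OnlineTTP(logging)
    mail: Dict[str, List[str]] = {"A": [], "B": []}   # the parties' mailboxes, not TTP state
    ttp.receive("A", "itemA")
    if crash_point == "after_first_item":
        ttp.crash()
        ttp.recover()
    ttp.receive("B", "itemB")
    if not ttp.deliver(mail, crash_between=(crash_point == "between_deliveries")):
        ttp.recover()
        ttp.deliver(mail)
    a_got, b_got = "itemB" in mail["A"], "itemA" in mail["B"]
    return a_got == b_got, a_got, b_got, len(ttp.stable_log)
```

Without logging, a crash between the two deliveries leaves B with A's item and A with nothing. Pessimistic logging repairs that at two stable writes per exchange; logging only the point of no return repairs it at one, and a crash before that point costs nothing because an aborted exchange in which nobody received anything is still fair by the definition on slide 28.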

32 Calendar Algebra

33 Why Do We Need Calendar Algebra
- Applications need a flexible way to represent and reason about time granularities
- Examples
  - A manager wants to know the sales data for this business month (or this Christmas season).
  - A secretary needs to arrange a meeting on the first business day of next month.
  - Thanksgiving Day is the fourth Thursday in November.

34 Calendar Algebra
- Goals
  - Generate granularities from a single "bottom granularity"
  - Reflect the ways people construct new granularities from existing ones
  - Let people add or change granularities in the system

35 Calendar Algebra By Examples
- Grouping operation
[Figure: days grouped into weeks; the parameters are the anchor and the group size.]

36 Calendar Algebra By Examples (cont'd)
- Altering tick operation
[Figure: week (days 0-6, 7-13, 14-20, 21-...) altered into WeirdWeek (days 0-6, 7-12, 13-19, 20-...): the second week is shortened by one day and the later weeks slide; the parameters are the period, the anchor and the alteration.]

37 Examples
- To define month on the basis of day (9 operations)
  - Group granularity day into 31-day groups
  - For every 12 groups, shrink the 2nd by 3 days
  - For every 12 groups, shrink the 4th by 1 day
  - …

38 Calendar Algebra By Examples (cont'd)
- Shifting operation
[Figure: GMT-Hour shifted to USEast-Hour: GMT-Hour 5 becomes USEast-Hour 0, GMT-Hour 10 becomes USEast-Hour 5, and so on.]

39 Calendar Algebra By Examples (cont'd)
- Combining operation
  - Business month can be formed by combining all business days within each month.
[Figure: b-day and month combined into b-month.]

40 Calendar Algebra By Examples (cont'd)
- Anchored grouping operation
  - Each academic year starts from the last Monday of August and ends the day before the next academic year.
[Figure: lastMondayOfAugust and day combined into AcademicYear.]

41 Calendar Algebra By Examples (cont'd)
- Subset operation
  - The years in the 20th century are the years from 1900 to 1999.
[Figure: year (…, 1899, 1900, …, 1999, 2000, …) restricted to 20CenturyYear (1900, …, 1999).]

42 Calendar Algebra By Examples (cont'd)
- Selecting operations
  - Select-down
  - Select-up
  - Select-by-intersect

43 Calendar Algebra By Examples (cont'd)
- Set operations
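The operations of slides 35 to 41 implemented over a finite horizon of days, as an added example (not code from the talk or from Peng Ning's group). A granularity is a list of ticks and each tick is the sorted list of bottom-granularity indices it covers, so a non-convex tick such as a business month is representable. The operation names follow the slides; their signatures, an 800-day horizon, day 0 falling on a Monday with no holidays, and the stand-in anchors for the last Monday of August are this example's assumptions. `month_from_day` applies the two alterations listed on slide 37 and carries the one-day shrink on to the other 30-day months; it stops short of leap years, so every year it produces has 365 days.

```python
"""Calendar algebra over a finite horizon of a bottom granularity.

Added example, not code from the talk. A granularity is a list of ticks; each tick is the
sorted list of bottom-granularity indices it covers (day 0, 1, 2, ...). Operation names
follow the slides; signatures, the 800-day horizon, day 0 being a Monday and the academic
year anchors are assumptions of this example.
"""
from typing import List

Tick = List[int]
Granularity = List[Tick]


def bottom(n: int) -> Granularity:
    """The bottom granularity: n ticks of one unit each."""
    return [[i] for i in range(n)]


def group(g: Granularity, size: int, anchor: int = 0) -> Granularity:
    """Grouping: from tick `anchor` on, every `size` consecutive ticks of g form one tick
    (day -> week with size 7). A trailing incomplete group is dropped."""
    return [sum(g[i:i + size], []) for i in range(anchor, len(g) - size + 1, size)]


def alter_tick(g: Granularity, period: int, anchor: int, delta: int) -> Granularity:
    """Altering tick: in every run of `period` ticks the tick at offset `anchor` gains `delta`
    bottom units (negative delta shrinks it) and later ticks slide to keep g contiguous.
    g must be contiguous (week -> WeirdWeek, 31-day groups -> month)."""
    out, offset = [], 0
    for i, tick in enumerate(g):
        first, last = tick[0] + offset, tick[-1] + offset
        if i % period == anchor:
            last += delta
            offset += delta
        if last < first:
            raise ValueError("tick %d would be empty" % i)
        out.append(list(range(first, last + 1)))
    return out


def shift(g: Granularity, k: int) -> Granularity:
    """Shifting: tick i of the result is tick i + k of g (GMT-Hour shifted by 5 -> USEast-Hour)."""
    if k < 0:
        raise ValueError("cannot shift before the start of the horizon")
    return g[k:]


def combine(g1: Granularity, g2: Granularity) -> Granularity:
    """Combining: tick j of the result is the union of the g1 ticks inside tick j of g2
    (business days within each month -> business month); empty results are dropped."""
    out = []
    for t2 in g2:
        inside = set(t2)
        members = sorted(x for t1 in g1 if set(t1) <= inside for x in t1)
        if members:
            out.append(members)
    return out


def anchored_group(anchors: Granularity, g: Granularity) -> Granularity:
    """Anchored grouping: tick i covers everything from anchor i up to, not including,
    anchor i + 1 (last Monday of August -> academic year)."""
    starts = [a[0] for a in anchors]
    return [sorted(x for t in g for x in t if s <= x < e) for s, e in zip(starts, starts[1:])]


def subset(g: Granularity, lo: int, hi: int) -> Granularity:
    """Subset: ticks lo..hi of g (years 1900..1999 -> 20CenturyYear)."""
    return g[lo:hi + 1]


def month_from_day(day: Granularity) -> Granularity:
    """Slide 37's construction: 31-day groups, then per 12 groups shrink the 2nd by 3 days
    and the 4th by 1 day; the same 1-day shrink is applied here to the 6th, 9th and 11th.
    No leap-year step, so every year is 365 days."""
    month = group(day, 31)
    month = alter_tick(month, 12, 1, -3)
    for nth in (3, 5, 8, 10):   # 0-based offsets of the 4th, 6th, 9th and 11th groups
        month = alter_tick(month, 12, nth, -1)
    return month


def business_day(day: Granularity) -> Granularity:
    """Constructed: day 0 is a Monday and there are no holidays, so indices 0..4 mod 7."""
    return [t for t in day if t[0] % 7 < 5]


def demo():
    day = bottom(800)
    month = month_from_day(day)
    return {
        "week": group(day, 7),
        "month": month,
        "b_month": combine(business_day(day), month),
        "academic_year": anchored_group([[240], [605]], day),   # constructed anchors
        "shifted": shift(day, 5),
    }
```

Every derived granularity is expressed only through the bottom granularity, which is the first goal on slide 34: nothing in `combine` or `anchored_group` knows what a month or a Monday is beyond the index sets handed to it.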

44 Temporal Data Mining

45 Calendar-based Patterns
- Calendar-based patterns are patterns described in terms of calendar units (e.g., year, month, day, etc.)
- Examples:
  - Every Monday and Tuesday
  - Every first Monday of every month
  - Every Thanksgiving Day

46 Applications of Calendar Patterns to Data Mining
- Discovery of event patterns
  - Can be described directly by calendar-based patterns.
- Temporal association rules
  - Example: turkey and pumpkin pie are frequently sold together in the week before Thanksgiving.
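The three patterns of slide 45 encoded as constraints on calendar units and matched against dates, as an added example (not code from the talk). A pattern is a dict of constraints; a unit that is absent is a wildcard ("every"). The unit names, the encoding of "first Monday" as week-of-month 1 plus weekday Monday, and the date ranges are this example's assumptions; Thanksgiving is encoded as the fourth Thursday of November, as slide 33 states.

```python
"""Calendar-based patterns as constraints over calendar units.

Added example, not code from the talk. Unit names and the week-of-month encoding are this
example's assumptions; the date ranges are constructed.
"""
from datetime import date, timedelta


def units(d: date) -> dict:
    """Calendar units of a date. week_of_month is 1 for the 1st..7th, 2 for the 8th..14th,
    and so on, so (weekday, week_of_month) names 'the n-th <weekday> of the month'."""
    return {"year": d.year, "month": d.month,
            "weekday": d.weekday(),                 # Monday == 0 ... Sunday == 6
            "week_of_month": (d.day - 1) // 7 + 1}


def matches(pattern: dict, d: date) -> bool:
    """True if every unit constrained by the pattern takes an allowed value on d."""
    u = units(d)
    for unit, allowed in pattern.items():
        if isinstance(allowed, int):
            allowed = {allowed}
        if u[unit] not in allowed:
            return False
    return True


def dates_matching(pattern: dict, start: date, end: date) -> list:
    """All dates in [start, end] that match the pattern."""
    out, d = [], start
    while d <= end:
        if matches(pattern, d):
            out.append(d)
        d += timedelta(days=1)
    return out


# The patterns of slide 45.
EVERY_MONDAY_AND_TUESDAY = {"weekday": {0, 1}}
EVERY_FIRST_MONDAY = {"weekday": 0, "week_of_month": 1}
EVERY_THANKSGIVING = {"month": 11, "weekday": 3, "week_of_month": 4}
```

A temporal association rule in the sense of slide 46 then needs only a pattern plus an offset: the transactions "in the week before Thanksgiving" are those whose dates fall within seven days before a date matching `EVERY_THANKSGIVING`.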

47 Web Resources
- http://www.csc.ncsu.edu/faculty/ning/

