MACHINE LEARNING & INTRUSION DETECTION: HYPE OR REALITY?
- Martha Simon
- 8 years ago
SUMMARY

The potential use of machine learning techniques for intrusion detection is widely discussed amongst security experts. At Kudelski Security, we looked into this topic, and this briefing paper provides an overview of the possibilities and limitations of machine learning. We conclude that although pure machine learning is not well suited for general network intrusion detection today, it is relevant for more specific tasks such as user behavior analysis or specific endpoint security problems. Kudelski Security is developing machine learning-based methods for specific problems where it is more cost-effective than classical methods, and will continue to monitor the evolution of machine learning.
TABLE OF CONTENTS

INTRODUCTION
A SUMMARY OF MACHINE LEARNING
SUPERVISED LEARNING
UNSUPERVISED LEARNING
SUCCESSFUL APPLICATION OF MACHINE LEARNING
POTENTIAL BENEFITS FOR INTRUSION DETECTION
INTRUSION DETECTION
HOW IS INTRUSION DETECTION CURRENTLY CARRIED OUT?
CAVEAT EMPTOR
WHAT ABOUT ACADEMIC RESEARCH?
CONCLUSION
INTRODUCTION

Machine learning (ML) occupies a central place within current debates on cybersecurity. While its value as a marketing asset is clear, there remains a lack of visibility on the real value and cost-effectiveness of ML in its application to cybersecurity. This paper is a response to that knowledge gap. We investigated the application of ML that generates the most interest and raises the most questions: intrusion detection (ID), in loose terms the process of looking for attack attempts on a network. Intrusion detection can be seen as a classification problem, with the aim of distinguishing legitimate traffic from malicious traffic. ML often works well on this kind of problem, but its adoption as a standard tool for ID will depend on whether it works well on the particular kind of classification problem encountered in ID itself.

A SUMMARY OF MACHINE LEARNING

According to renowned artificial intelligence expert and Stanford computer science professor Andrew Ng, ML is the science of getting computers to act without being explicitly programmed. In other words, ML is a set of techniques to categorize or find patterns within data. At its most fundamental level, ML uses algorithms that learn from example data and enables us to make predictions on new or unseen data. ML learns on the job, hence the name. There are two main types of ML: supervised and unsupervised.

SUPERVISED LEARNING

Supervised learning approximates a complex function or process from a list of example data, called training data. This is best understood with an example. Let's suppose we need to predict whether a house that has been put on the market will be sold within the next six months, and that we'll be basing our prediction on sales data pertaining to the size and price of other houses, as well as whether or not they were sold within six months of their listing. The way supervised learning works for this problem is simple.
We first plot the points (x, y) = (price, size) for each house on a graph and show the houses sold within six months as pink dots and the others as green stars, as in Figure 1. A training phase then consists in telling the algorithm which houses were sold quickly and which ones were not. The algorithm then learns the relationship between a house's price and size and whether it was sold within the specified timeframe. In our example, this relationship is depicted by the dark blue curve in Figure 1.

Figure 1: Supervised learning
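The following Python program is an added worked example, not part of the Kudelski Security paper: it trains a two-feature logistic regression on a constructed set of houses (price, size, sold within six months), which is the plain-text counterpart of learning the curve in Figure 1, and then uses the same kind of scores to pick a decision threshold under the asymmetric error costs the paper raises next with its spam example. The house data, the spam scores, the cost weights and the 5% grid of candidate thresholds are all assumptions made for the illustration.

```python
import math
from typing import List, Sequence, Tuple

# Constructed training data: (price in thousands, size in m2, sold within six months?)
HOUSES: List[Tuple[float, float, int]] = [
    (300, 120, 1), (250, 100, 1), (400, 180, 1), (350, 150, 1), (200, 90, 1), (450, 200, 1),
    (500, 100, 0), (600, 130, 0), (450, 110, 0), (700, 160, 0), (550, 120, 0), (800, 200, 0),
]

# Constructed scores a trained spam filter might assign to a validation set: (score, is_spam)
SPAM_SCORES: List[Tuple[float, int]] = [
    (0.05, 0), (0.15, 0), (0.30, 0), (0.45, 0), (0.55, 0), (0.62, 0),
    (0.40, 1), (0.50, 1), (0.70, 1), (0.80, 1), (0.90, 1), (0.95, 1),
]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


class LogisticClassifier:
    """Two-feature logistic regression trained by gradient descent. The learned
    line w.x + b = 0 plays the role of the dark blue curve in Figure 1."""

    def __init__(self) -> None:
        self.w = [0.0, 0.0]
        self.b = 0.0
        self.mean = [0.0, 0.0]   # feature scaling, so price (hundreds) and size (tens) weigh alike
        self.std = [1.0, 1.0]

    def _scale(self, x: Sequence[float]) -> List[float]:
        return [(x[i] - self.mean[i]) / self.std[i] for i in range(2)]

    def fit(self, rows: Sequence[Tuple[float, float, int]], lr: float = 0.1,
            epochs: int = 3000) -> "LogisticClassifier":
        xs = [(r[0], r[1]) for r in rows]
        ys = [r[2] for r in rows]
        n = len(rows)
        for i in range(2):
            self.mean[i] = sum(x[i] for x in xs) / n
            self.std[i] = math.sqrt(sum((x[i] - self.mean[i]) ** 2 for x in xs) / n) or 1.0
        scaled = [self._scale(x) for x in xs]
        for _ in range(epochs):
            gw, gb = [0.0, 0.0], 0.0
            for x, y in zip(scaled, ys):
                # Training phase: the label y tells the algorithm whether this house sold quickly.
                err = sigmoid(self.w[0] * x[0] + self.w[1] * x[1] + self.b) - y
                gw[0] += err * x[0]
                gw[1] += err * x[1]
                gb += err
            self.w = [self.w[i] - lr * gw[i] / n for i in range(2)]
            self.b -= lr * gb / n
        return self

    def predict_proba(self, price: float, size: float) -> float:
        x = self._scale((price, size))
        return sigmoid(self.w[0] * x[0] + self.w[1] * x[1] + self.b)

    def predict(self, price: float, size: float, threshold: float = 0.5) -> int:
        """1 = predicted to sell within six months (left of the curve), 0 = not."""
        return int(self.predict_proba(price, size) >= threshold)


def train_house_model() -> LogisticClassifier:
    return LogisticClassifier().fit(HOUSES)


def best_threshold(scored: Sequence[Tuple[float, int]], fp_cost: float, fn_cost: float) -> float:
    """Pick the decision threshold that minimises total cost when the two kinds of
    error are not equally bad (a deleted legitimate email costs more than a missed spam)."""
    candidates = [round(i * 0.05, 2) for i in range(1, 20)]

    def cost(t: float) -> float:
        fp = sum(1 for s, y in scored if s >= t and y == 0)   # legitimate mail flagged as spam
        fn = sum(1 for s, y in scored if s < t and y == 1)    # spam let through
        return fp * fp_cost + fn * fn_cost

    return min(candidates, key=cost)   # first candidate with the lowest cost


if __name__ == "__main__":
    model = train_house_model()
    print("house (300k, 130 m2) sells within 6 months:", bool(model.predict(300, 130)))
    print("house (650k, 120 m2) sells within 6 months:", bool(model.predict(650, 120)))
    print("threshold, deleting legit mail 10x worse:", best_threshold(SPAM_SCORES, 10, 1))
    print("threshold, missed spam 10x worse:        ", best_threshold(SPAM_SCORES, 1, 10))
```

Run stand-alone, the model places the new cheap-per-square-metre house on the "sold" side and the expensive one on the "not sold" side, and the threshold chooser moves up (0.65) when deleting legitimate mail is the expensive error and down (0.35) when missing spam is, which is the trade-off the 5% discussion below is about.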
Using this information, we should be able to predict with some certainty whether or not the particular house under consideration will be sold within the next six months. In Figure 1, a new house corresponds to a new data point. If this data point is to the left of the curve, we predict that the house will be sold within six months (as was the case for the pink dots). If the data point is to the right of the curve, we predict that it will not be sold in the next six months (as was the case for the green stars).

Another common example of supervised learning is spam detection. Following a training period in which we tell the system which emails are spam and which are not, a spam detection system learns what spam looks like and is able to predict whether incoming emails are spam or not.

The fundamental idea in supervised learning is that each data point has a label: the houses from our first example were either sold within six months or not; the emails from our second example were either spam or not spam. Supervised ML is not perfect and will make classification errors: spam emails predicted as non-spam, or non-spam emails predicted as spam. Classification errors are not a problem, however, if the probability of a correct guess is sufficiently high. We can probably tolerate 5% of the spam we receive being filtered as non-spam, but will not tolerate 5% of legitimate emails being classified as spam and deleted automatically.

UNSUPERVISED LEARNING

Unsupervised learning works on the same principle as supervised learning, but without labels. In this case, an algorithm is simply fed the raw data and automatically groups data points according to how similar they are.

Figure 2: Unsupervised learning

Based on some mathematical notion of distance, data points that are close to each other are classified as similar.
Similarity can be deduced from Figure 2: the points in the blue cluster are close to each other, as are the points in the pink and green clusters. Unsupervised learning goes beyond grouping similar points, to discovering patterns and relationships within data. One significant advantage of unsupervised learning is its freedom from human bias in the exploration of relationships. Without restricting our classification with labels, a machine might find a relationship that a human would not have thought of.
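As an added example (not the paper's own code), the Python below implements k-means clustering, the classic algorithm behind the kind of grouping sketched in Figure 2: each point is assigned to the nearest centroid by Euclidean distance, each centroid moves to the mean of its members, and the two steps repeat until the assignment stops changing. The twelve points, the choice of three clusters and the farthest-point seeding are assumptions for the illustration; the last function shows how the same distances give a first notion of a point that "stands out", which is the anomaly idea the paper turns to later.

```python
import math
from typing import List, Sequence, Tuple

Point = Tuple[float, float]

# Constructed 2-D data: three groups of points, like the colored clusters in Figure 2.
POINTS: List[Point] = [
    (1.0, 1.0), (1.2, 0.8), (0.8, 1.1), (1.1, 1.3),
    (5.0, 5.0), (5.2, 4.8), (4.8, 5.1), (5.1, 5.3),
    (1.0, 5.0), (1.2, 4.8), (0.8, 5.1), (1.1, 5.3),
]


def distance(a: Point, b: Point) -> float:
    """The 'mathematical notion of distance' used here: plain Euclidean distance."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def initial_centroids(points: Sequence[Point], k: int) -> List[Point]:
    """Farthest-point seeding: deterministic, and spreads the starting centroids apart."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(distance(p, c) for c in centroids)))
    return centroids


def kmeans(points: Sequence[Point], k: int, max_iter: int = 100) -> Tuple[List[int], List[Point]]:
    """Group points by proximity with no labels at all: assign each to the nearest
    centroid, move each centroid to the mean of its members, repeat until stable."""
    centroids = initial_centroids(points, k)
    labels: List[int] = []
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: distance(p, centroids[j])) for p in points]
        if new_labels == labels:
            break                      # no point changed cluster: converged
        labels = new_labels
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:
                centroids[j] = (sum(p[0] for p in members) / len(members),
                                sum(p[1] for p in members) / len(members))
    return labels, centroids


def outlier_score(point: Point, centroids: Sequence[Point]) -> float:
    """Distance to the nearest cluster: a point far from every group 'stands out'."""
    return min(distance(point, c) for c in centroids)


if __name__ == "__main__":
    labels, centroids = kmeans(POINTS, 3)
    for p, lab in zip(POINTS, labels):
        print(p, "-> cluster", lab)
    print("centroids:", [(round(x, 2), round(y, 2)) for x, y in centroids])
    print("outlier score of (9, 9):", round(outlier_score((9.0, 9.0), centroids), 2))
```

The algorithm is told only that there are three groups, never which point belongs where, and still recovers the three constructed clusters; the far-away point (9, 9) gets a large outlier score because it is close to none of them.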
SUCCESSFUL APPLICATION OF MACHINE LEARNING

ML has proven value in its market application in some specific cases. The most renowned successes relate most commonly to recommendation systems, such as those used by Netflix and Amazon.

Figures 3 and 4: Machine learning-based recommendation systems (Netflix and Amazon)

Netflix uses ML to present clients with suggestions of movies or TV shows they may like, using data on previous movie/TV choices, or on favorites selected from a given list (note that this occurs in the training phase). This case, illustrated in Figure 3, is an instance of supervised learning, whereby the movies that have been watched are labeled as movies liked. Once the client has provided sufficient information about their preferences, the algorithm will learn from this information and be able to predict what else they may like to watch [1]. In another case of supervised learning, Amazon uses ML to identify products a customer may want to purchase (see Figure 4). The system looks at the products they purchased (in the training phase) and at other products they bought as well. The principle behind this idea is to push additional products to the customer that they may end up buying. ML has proven to be of great help in other situations as well, such as optical character recognition (OCR), spam detection (as mentioned previously) and fraud detection (as demonstrated by PayPal).

POTENTIAL BENEFITS FOR INTRUSION DETECTION

There are two main potential benefits of using ML to detect intrusions. First, ML should enable the detection of unknown or previously unseen attacks by learning what intrusions look like. This is not possible with the standard methods used today, which need a precise description of what to look for. Second, ML may adapt in response to new attacks. This benefit derives from ML's ability to learn from new data as it is generated. In principle, this is a great strength.
It would allow a system to keep on working even in a context of evolving threats, with only minimal human intervention to modify the algorithm.

[1] Netflix actually created an open competition for the best algorithm to predict user ratings based on previous ratings. The winners received a million dollars.
INTRUSION DETECTION

There is a wide range of threat and intrusion detection methods, which are grouped into two categories: misuse detection and anomaly detection.

Misuse detection is the simplest. It uses explicit descriptions of what is bad. Typically, this is done with signatures, blacklists or other indicators of compromise. Any new incoming data point is checked against all indicators. If nothing is flagged, it is considered benign.

Anomaly detection is more subtle. It assumes that attack traffic is inherently different from benign traffic. The goal is therefore to detect any anomalies. The subtlety lies in the fact that there is no explicit description to serve as a benchmark for comparison. ML has to look instead for something that in some way stands out. The fact that ML does not need an explicit description of what to look for would make it a useful tool to detect anomalies, again in principle.

HOW IS INTRUSION DETECTION CURRENTLY CARRIED OUT?

Most ID systems in use today are based on misuse detection. Signature lists are founded on the experience and knowledge of experts and on established heuristics. Sandboxing is also used to detect an attack. For example, a file can be opened or a program can be run in an isolated environment so as to detect any strange (unwanted) behavior that might ensue. If opening the file or running the program does not trigger any unusual behavior, it is considered to be safe. If it does, an alarm is raised, and no damage is caused to the target system. In any case, the system is looking for attacks that we know exist and that we are able to recognize. An obvious challenge arises when an attacker slightly modifies some known malware so that it is not detected using these standard methods. If the attack is modified enough to produce a different signature, no flag will appear. It is precisely in this instance that ML could be useful.
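An added illustration of misuse detection as described above (example code, not from the paper or from any Kudelski Security product): one event is checked against three kinds of indicator, an exact file hash, a blocklisted domain and a content signature, and the result names every indicator that fired, so the analyst knows why the event was flagged. The byte strings and indicators are constructed stand-ins, not real malware or real indicators. The three variants of the sample show the brittleness the paper describes from the defender's side: a small change defeats the hash, a larger rewrite defeats the content signature as well, and only the network indicator still matches the rewritten sample when its connections are observed, which is why indicator lists are layered rather than relying on hashes alone.

```python
import hashlib
import re
from typing import Dict, List

# Constructed stand-ins for file contents (plain bytes, nothing executable).
KNOWN_SAMPLE = b"MZ\x00\x00demo-loader stage=2 beacon=cdn.bad.example\x00"
TWEAKED_SAMPLE = KNOWN_SAMPLE.replace(b"stage=2", b"stage=3")     # one small change
REWRITTEN_SAMPLE = KNOWN_SAMPLE.replace(b"demo-loader", b"dl")    # marker rewritten too
BENIGN_SAMPLE = b"MZ\x00\x00hello world\x00"

# Constructed indicators: an exact file hash, a blocklisted domain and a content signature.
HASH_IOCS: Dict[str, str] = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "hash:demo-loader"}
DOMAIN_IOCS: Dict[str, str] = {"cdn.bad.example": "domain:demo-c2"}
SIGNATURES: Dict[str, "re.Pattern"] = {
    "sig:demo-loader-marker": re.compile(rb"demo-loader stage=\d"),
}


def misuse_detect(event: Dict) -> List[str]:
    """Check one event against every indicator. The returned names say exactly what
    fired, which is the explanation misuse detection gives for free; an empty list
    means the event is considered benign.

    event = {"content": <file bytes>, "domains": [<domains the sample contacted>]}
    """
    hits: List[str] = []
    content: bytes = event.get("content", b"")

    # 1. Exact-match indicator: any change to the file defeats it.
    digest = hashlib.sha256(content).hexdigest()
    if digest in HASH_IOCS:
        hits.append(HASH_IOCS[digest])

    # 2. Network indicator: survives changes to the file as long as the infrastructure is reused.
    for domain in event.get("domains", ()):
        if domain in DOMAIN_IOCS:
            hits.append(DOMAIN_IOCS[domain])

    # 3. Content signature: tolerates small edits, but not a rewrite of the matched marker.
    for name, pattern in SIGNATURES.items():
        if pattern.search(content):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, content in [("known", KNOWN_SAMPLE), ("tweaked", TWEAKED_SAMPLE),
                           ("rewritten", REWRITTEN_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(f"{label:10s} file only      :", misuse_detect({"content": content}))
        print(f"{label:10s} + observed c2  :",
              misuse_detect({"content": content, "domains": ["cdn.bad.example"]}))
```

The rewritten sample with no observed connections comes back empty, which is the "modified enough to produce a different signature, no flag will appear" case from the text; the same sample with its connection observed is still caught by the domain indicator.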
Some technology vendors already claim to use ML to detect intrusions. They rarely (if ever) specify their techniques and methods, as these are proprietary. Without direct access to their systems, it is almost impossible to understand what they are doing and how they do it. Furthermore, and maybe even more importantly, they do not release statistics that measure their solution's effectiveness. We have no way of assessing how well these methods perform compared to standard techniques. This highlights what is probably the most relevant issue for businesses: we do not need new solutions to detect intrusions that can already be detected by standard techniques. Rather, we need to see if and how ML can detect attack attempts that bypass these standard techniques.

Figure 5: Intrusion detection Pareto curve
Consider the Pareto curve in Figure 5. It depicts the rule that states that 80% of the results come from 20% of the effort. With regard to ML, this means two things. First, activities to detect intrusions are currently performing well. In Figure 5, we are positioned at the green dot. This illustrates that we are able to detect a high number of intrusions with existing efforts [2]. Second, however, this also means that if we want to climb the curve and get better results, we will need to leverage more advanced tools and techniques.

CAVEAT EMPTOR

Given the potential of ML to detect intrusions and its ability to detect new attacks and evolve in response to developments in the cyberthreat landscape, it would seem safe to assume that it is a standard cybersecurity tool of every organization. If Amazon and Netflix can get their ML systems to work, so too should security technology vendors. This is unfortunately not the case, for several reasons.

First, ML is better at finding similarities than it is at finding differences, which is why it works well for Amazon's recommendation system, for example. Amazon seeks to find products that are typically purchased together, not products that are not purchased together. By definition, ID systems operate in a malicious environment. Attackers will try to leverage ML's ability to evolve over time in order to train the system to learn that malicious elements are benign, so that something that is in reality different (bad) is read as something similar (good). This particular caveat would not apply to recommendation systems. The risk that users will go out of their way to make Netflix mistakenly suggest unsuitable movies is negligible.

Second, a challenge arises from the results that are generated. Anomaly detection is different from misuse detection, in which you can simply identify which rule or signature was triggered and therefore establish why a particular event has been flagged.
With ML-based anomaly detection, the system will just tell you that one data point (a network packet, URL or file, for example) looks like other data points. But it won't necessarily tell you which value or pattern caused the similarity. Therefore, knowing what to do with the results of ML-based anomaly detection is not obvious. There needs to be a way to help analysts deal efficiently with the flagged data points.

As stated previously, ML's ability to carry out anomaly detection is based on the assumption that attacks or intrusions are somehow different from benign, or normal, traffic. We are faced with a difficult question, however: what is normal, and can it be described? This is challenging due to the variety in so-called normal traffic: different ports, protocols, sources, destinations, encrypted or unencrypted payloads, lengths of files and sessions, and so on. The picture becomes even more complicated when you add the issues of virtualization and bring-your-own-cloud. Without clarity on what normal traffic looks like, it is hard to detect abnormal traffic.

A third challenge arises from the high cost of errors in ID systems. Put simply, false positives (also known as false alarms) waste time: analysts need to go through all the outputs in order to establish that the data point is benign. False negatives (also known as missed attacks), however, can be extremely dangerous.

WHAT ABOUT ACADEMIC RESEARCH?

Many academic papers discuss the use of ML as a tool for ID. It is hard to find relevance in these papers because the datasets that inform the discussions are inaccurate. In many cases, academic researchers use the DARPA and KDD datasets for training and testing ML models. DARPA is an artificial dataset created in 1998 by MIT's Lincoln Lab.
KDD is a subset of DARPA and was created in [year missing from the transcription]. Both of these datasets have been criticized for many different reasons, but the simple fact that they are artificial and were created more than 15 years ago means that they cannot be considered even remotely relevant today.

[2] Note that what we mean by effort here is everything from research to implementation.
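The following Python code is an added example (not part of the paper, and not the privacy-preserving modeling Kudelski Security mentions in its conclusion) that ties together three points from this section and the conclusion that follows: a per-user activity profile of the kind the conclusion proposes, an explanation of which feature made an observation stand out (the second caveat above), and a bound on how far the learned baseline may drift from a trusted reference, which addresses the first caveat about a system being taught that slowly growing activity is normal. Users are keyed by an HMAC pseudonym rather than their account name. The feature set, the activity records, the ratio threshold, the drift bound, the EMA weight and the drifting series are all assumptions made for the illustration.

```python
import hashlib
import hmac
from typing import Dict, List, Sequence, Tuple

FEATURES = ("logins", "bytes_out_mb", "distinct_hosts")
FLAG_RATIO = 3.0   # assumed: a feature more than 3x its learned baseline is anomalous
MAX_DRIFT = 2.0    # assumed: the learned baseline may grow to at most 2x the trusted reference
ALPHA = 0.5        # assumed: weight given to the newest benign observation when updating

# Constructed daily activity records from a trusted window: (user, logins, bytes_out_mb, distinct_hosts)
HISTORY = [
    ("alice", 3, 20, 2), ("alice", 4, 25, 2), ("alice", 3, 18, 3), ("alice", 5, 22, 2),
    ("bob", 2, 15, 1), ("bob", 3, 17, 2), ("bob", 2, 14, 1), ("bob", 3, 16, 2),
]


def pseudonym(user: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): profiles never carry the real account name,
    and without the key the stored identifier cannot be mapped back to a person."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]


class UserProfile:
    """Per-user baseline of activity features with an explainable anomaly verdict."""

    def __init__(self, rows: Sequence[Sequence[float]], bounded: bool = True) -> None:
        n = len(rows)
        # Reference: the user's mean activity over the trusted window, never updated afterwards.
        self.reference = [max(1.0, sum(r[i] for r in rows) / n) for i in range(len(FEATURES))]
        self.baseline = list(self.reference)   # the adaptive copy that learns from new days
        self.bounded = bounded

    def explain(self, obs: Sequence[float]) -> List[Tuple[str, float]]:
        """Ratio of each feature to its baseline, largest first, so the analyst sees
        which feature stands out instead of an opaque 'looks different' verdict."""
        ratios = {f: obs[i] / self.baseline[i] for i, f in enumerate(FEATURES)}
        return sorted(ratios.items(), key=lambda kv: kv[1], reverse=True)

    def observe(self, obs: Sequence[float]) -> Tuple[bool, List[Tuple[str, float]]]:
        """Score one day of activity; learn from it only if it looked benign."""
        explanation = self.explain(obs)
        flagged = explanation[0][1] > FLAG_RATIO
        if not flagged:
            for i in range(len(FEATURES)):
                new = (1 - ALPHA) * self.baseline[i] + ALPHA * obs[i]
                if self.bounded:
                    # Cap how far "normal" may drift away from the trusted reference.
                    new = min(new, self.reference[i] * MAX_DRIFT)
                self.baseline[i] = max(1.0, new)
        return flagged, explanation


def build_profiles(history, key: bytes, bounded: bool = True) -> Dict[str, UserProfile]:
    grouped: Dict[str, List[Tuple[float, ...]]] = {}
    for user, *feats in history:
        grouped.setdefault(pseudonym(user, key), []).append(tuple(feats))
    return {p: UserProfile(rows, bounded) for p, rows in grouped.items()}


def drifting_days(days: int = 30) -> List[Tuple[float, float, float]]:
    """Constructed series: outbound volume grows 10% a day, then a 300 MB day."""
    series = [(4.0, 20 * 1.1 ** d, 2.0) for d in range(days)]
    series.append((4.0, 300.0, 2.0))
    return series


def flagged_days(profile: UserProfile, series) -> List[int]:
    return [d for d, obs in enumerate(series) if profile.observe(obs)[0]]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    alice_rows = [r[1:] for r in HISTORY if r[0] == "alice"]
    print("unbounded baseline flags days:", flagged_days(UserProfile(alice_rows, bounded=False), drifting_days()))
    print("bounded baseline flags days:  ", flagged_days(UserProfile(alice_rows, bounded=True), drifting_days()))
    print("top feature on the 300 MB day:", UserProfile(alice_rows).explain((4, 300, 2))[0])
```

Run stand-alone, the unbounded profile flags nothing on the drifting series: its baseline keeps pace with the growth, so even the final 300 MB day looks ordinary. The bounded profile starts flagging on day 20 and flags the final day too, and in every flagged case explain() names bytes_out_mb as the feature responsible, which is what an analyst needs in order to act on the alert. Group profiles, the conclusion's second idea, are the same class fed with all of a group's rows instead of one user's.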
CONCLUSION

We believe that machine learning techniques are not well suited today for pure network intrusion detection systems that only analyze network traffic. As stated already, this is mainly due to the high volume and variety of data passing through a network, making it hard to define what is normal. That said, machine learning would most likely be helpful in user-centric or endpoint behavioral analysis. This could be done in several different ways. First, a profile could be built for each user of a network. This would make it possible to detect attacks by finding discrepancies in each person's activity. Second, profiles could be created per group or hierarchy. For example, within a company, there could be an IT group as well as HR and legal groups. If it became apparent that a staff member from HR was using the network for IT work, it might signify that there is something to investigate.

At Kudelski Security, we're developing machine learning methods for specific problems related to intrusion detection. Nevertheless, our products will only rely on machine learning where it is more cost-effective than simpler methods. At the moment, one of our promising applications relates to privacy-preserving user behavior modeling on a network, that is, how to build profiles of legitimate users in order to detect unauthorized ones, but without using any privacy-sensitive information.

ABOUT KUDELSKI SECURITY

Kudelski Security, a division of the Kudelski Group (SIX: KUD.S), is an innovative, independent Swiss provider of tailored cybersecurity solutions to financial institutions, the defense sector, government administrations, and the media industry. The team of over 130 security experts delivers end-to-end cybersecurity consultancy, products and services, leveraging over 20 years' experience in advanced threat detection, attack prevention, asset and reputation protection and security assessments. Kudelski Security is headquartered in Switzerland.
Its global reach and multi-disciplinary incident response are reinforced by key international partnerships.

Limitations on Use

This document is provided for marketing and general informational purposes only and should not be relied upon or construed as advice to implement or undertake any specific activities relating to its subject matter. Further consultation with Kudelski Security is recommended to ensure that particular factual situations and other relevant factors are appropriately assessed. Kudelski Group / All rights reserved. Kudelski and Kudelski Security are trademarks of Kudelski Group.
NAGRAVISION SA, Route de Genève, CH-1033 Cheseaux, Switzerland

MASTER YOUR RISKS, SHAPE YOUR FUTURE!
Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall
More informationWebroot Security Intelligence. The World s Most Powerful Real-Time Network Security Services
Webroot Security Intelligence The World s Most Powerful Real-Time Network Security Services Table of Contents The World s Most Powerful Real-Time Network Security Services Table of Contents 2 Introduction
More informationMata : Garuda An advanced Network Monitoring System The S.L.A.D Network Security Framework. FIRST Conference Berlin, 19 June 2015
Mata : Garuda An advanced Network Monitoring System The S.L.A.D Network Security Framework FIRST Conference Berlin, 19 June 2015 1 Security in Real Life 2 3 Car Alarms Network Security Alarms 4 Our responsibility
More informationNiara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning
Niara Security Analytics Automatically detect attacks on the inside using machine learning Automatically detect attacks on the inside Supercharge analysts capabilities Enhance existing security investments
More informationKaspersky Fraud Prevention platform: a comprehensive solution for secure payment processing
Kaspersky Fraud Prevention platform: a comprehensive solution for secure Today s bank customers can perform most of their financial operations online. According to a global survey of Internet users conducted
More informationTechnology Brief Demystifying Cloud Security
Demystifying Cloud Security xo.com Demystifying Cloud Security Contents Introduction 3 Definition of the cloud 3 Cloud security taxonomy 4 Cloud Infrastructure Security 5 Tenant- based Security 5 Security
More informationPreparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS
Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE
More informationThe Symantec Approach to Defeating Advanced Threats
WHITE PAPER: THE SYMANTEC APPROACH TO DEFEATING ADVANCED........... THREATS............................. The Symantec Approach to Defeating Advanced Threats Who should read this paper For security practioners
More informationCautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work
Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture
More informationHigh End Information Security Services
High End Information Security Services Welcome Trion Logics Security Solutions was established after understanding the market's need for a high end - End to end security integration and consulting company.
More informationCombating a new generation of cybercriminal with in-depth security monitoring
Cybersecurity Services Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored.
More informationSECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION
SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION How ThreatBLADES add real-time threat scanning and alerting to the Analytics Platform INTRODUCTION: analytics solutions have become an essential weapon
More informationNetwork Intrusion Detection Systems
Network Intrusion Detection Systems False Positive Reduction Through Anomaly Detection Joint research by Emmanuele Zambon & Damiano Bolzoni 7/1/06 NIDS - False Positive reduction through Anomaly Detection
More informationHow To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)
SIEM FOR BEGINNERS EVERYTHING YOU WANTED TO KNOW ABOUT LOG MANAGEMENT BUT WERE AFRAID TO ASK www.alienvault.com A Rose By Any Other Name SLM/LMS, SIM, SEM, SEC, SIEM Although the industry has settled on
More informationCONSULTING IMAGE PLACEHOLDER
CONSULTING IMAGE PLACEHOLDER KUDELSKI SECURITY CONSULTING SERVICES CYBERCRIME MACHINE LEARNING ECOSYSTEM & INTRUSION DETECTION: CYBERCRIME OR REALITY? ECOSYSTEM COSTS BENEFITS BIG BOSS Criminal Organization
More informationObservation and Findings
Chapter 6 Observation and Findings 6.1. Introduction This chapter discuss in detail about observation and findings based on survey performed. This research work is carried out in order to find out network
More informationConfiguring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA
Configuring Personal Firewalls and Understanding IDS Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA 1 Configuring Personal Firewalls and IDS Learning Objectives Task Statements 1.4 Analyze baseline
More informationWebsense Web Security Solutions. Websense Web Security Gateway Websense Web Security Websense Web Filter Websense Express Websense Hosted Web Security
Web Security Gateway Web Security Web Filter Express Hosted Web Security Web Security Solutions The Approach In the past, most Web content was static and predictable. But today s reality is that Web content
More informationKEITH LEHNERT AND ERIC FRIEDRICH
MACHINE LEARNING CLASSIFICATION OF MALICIOUS NETWORK TRAFFIC KEITH LEHNERT AND ERIC FRIEDRICH 1. Introduction 1.1. Intrusion Detection Systems. In our society, information systems are everywhere. They
More informationWebsense Web Security Solutions. Websense Web Security Gateway Websense Web Security Websense Web Filter Websense Hosted Web Security
Web Security Gateway Web Security Web Filter Hosted Web Security Web Security Solutions The Approach In the past, most Web content was static and predictable. But today s reality is that Web content even
More informationBest Practices in Account Takeover
WHITEPAPER Best Practices in Account Takeover July 2013 2 Table of Contents Introduction 3 Account Takeover is Painful 4 Differences between Account Takeover and Account Compromise 4 Why Account Compromise
More informationWhen less is more (Spear-Phishing and Other Methods to Steal Data) Alexander Raczyński
When less is more (Spear-Phishing and Other Methods to Steal Data) Alexander Raczyński 1 Agenda Spear-Fishing the new CEO Fear How to Fight Spear-Fishing It s All About the Data Evolution of the bad guys
More informationProxy Blocking: Preventing Tunnels Around Your Web Filter. Information Paper August 2009
Proxy Blocking: Preventing Tunnels Around Your Web Filter Information Paper August 2009 Table of Contents Introduction... 3 What Are Proxies?... 3 Web Proxies... 3 CGI Proxies... 4 The Lightspeed Proxy
More informationSecuring the Intelligent Network
WHITE PAPER Securing the Intelligent Network Securing the Intelligent Network New Threats Demand New Strategies The network is the door to your organization for both legitimate users and would-be attackers.
More informationTOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY
TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY An Inside Job Cyberthreats to your business are usually blamed on outsiders nefarious programmers writing malicious code designed to pilfer your
More informationThe Truth about False Positives
An ISS Technical White Paper The Truth about False Positives 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.2626 Overview In the security industry, many security analysts remark that
More informationREVOLUTIONIZING ADVANCED THREAT PROTECTION
REVOLUTIONIZING ADVANCED THREAT PROTECTION A NEW, MODERN APPROACH Blue Coat Advanced Threat Protection Group GRANT ASPLUND Senior Technology Evangelist 1 WHY DO I STAND ON MY DESK? "...I stand upon my
More informationThe SIEM Evaluator s Guide
Using SIEM for Compliance, Threat Management, & Incident Response Security information and event management (SIEM) tools are designed to collect, store, analyze, and report on log data for threat detection,
More informationSecuring the endpoint and your data
#SymVisionEmea #SymVisionEmea Securing the endpoint and your data Piero DePaoli Sr. Director, Product Marketing Marcus Brownell Sr. Regional Product Manager Securing the Endpoint and Your Data 2 Safe harbor
More informationWhen attackers have reached this stage, it is not a big issue for them to transfer data out. Spencer Hsieh Trend Micro threat researcher
TrendLabs When attackers have reached this stage, it is not a big issue for them to transfer data out. Spencer Hsieh Trend Micro threat researcher Advanced persistent threats (APTs) refer to a category
More informationThe Value of QRadar QFlow and QRadar VFlow for Security Intelligence
BROCHURE The Value of QRadar QFlow and QRadar VFlow for Security Intelligence As the security threats facing organizations have grown exponentially, the need for greater visibility into network activity
More informationEnterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: Large organizations have spent millions of dollars on security
More informationData Loss Prevention in the Enterprise
Data Loss Prevention in the Enterprise ISYM 525 Information Security Final Paper Written by Keneth R. Rhodes 12-01-09 In today s world data loss happens multiple times a day. Statistics show that there
More informationHow To Protect Yourself From A Threat From Social Media
Actionable Intelligence Hides Within Social Media Data Leverage Real-Time Social Media Data to Improve Security, Stop Information Leaks, Identify Problems, Neutralize Threats Twitter. Facebook. Email.
More informationWEBSENSE EMAIL SECURITY SOLUTIONS OVERVIEW
WEBSENSE EMAIL SECURITY SOLUTIONS OVERVIEW Challenge The nature of email threats has changed over the past few years. Gone are the days when email security, better known as anti-spam, was primarily tasked
More informationChapter 9 Firewalls and Intrusion Prevention Systems
Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish
More informationReview on Analysis and Comparison of Classification Methods for Network Intrusion Detection
Review on Analysis and Comparison of Classification Methods for Network Intrusion Detection Dipika Sharma Computer science Engineering, ASRA College of Engineering & Technology, Punjab Technical University,
More informationADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper
ADVANCED THREATS IN THE ENTERPRISE Finding an Evil in the Haystack with RSA ECAT White Paper With thousands of workstations and servers under management, most enterprises have no way to effectively make
More informationProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst
ESG Lab Spotlight ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst Abstract: This ESG Lab Spotlight examines the
More informationAddressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave
More information