ALERT CLASSIFICATION TO REDUCE FALSE POSITIVES IN INTRUSION DETECTION

Size: px
Start display at page:

Download "ALERT CLASSIFICATION TO REDUCE FALSE POSITIVES IN INTRUSION DETECTION"

Transcription

1 ALERT CLASSIFICATION TO REDUCE FALSE POSITIVES IN INTRUSION DETECTION July 2006 Dissertation zur Erlangung des Doktorgrades der Fakultät für Angewandte Wissenschaften der Albert-Ludwigs-Universität Freiburg im Breisgau Tadeusz Pietraszek Institut für Informatik, Albert-Ludwigs-Universität Freiburg Georges-Köhler-Allee 52, Freiburg i. Br., Germany

2 Dekan: Erstreferent: Zweitreferent: Prof. Dr. Jan G. Korvink Prof. Dr. Luc De Raedt Prof. Dr. Johannes Fürnkranz Tag der Disputation:

3 A new star has been discovered, which doesn t mean that things have gotten brighter or that something we ve been missing has appeared.... Wis lawa Szymborska, Surplus [Szy00]

4

5 Erklärung Ich erkläre hiermit, dass ich die vorliegende Arbeit ohne unzulässige Hilfe Dritter und ohne Benutzung anderer als der angegebenen Hilfsmittel angefertigt habe. Die aus anderen Quellen direkt oder indirekt übernommenen Daten und Konzepte sind unter Angabe der Quelle gekennzeichnet. Insbesondere habe ich hierfür nicht die entgeltliche Hilfe von Vermittlungsoder Beratungsdiensten (Promotionsberaterinnen oder Promotionsberater oder anderer Personen) in Anspruch genommen. Niemand hat von mir unmittelbar oder mittelbar geldwerte Leistungen für Arbeiten erhalten, die im Zusammenhang mit dem Inhalt der vorgelegten Dissertation stehen. Die Arbeit wurde bisher weder im In- noch im Ausland in gleicher oder ähnlicher Form einer anderen Prüfungsbehörde vorgelegt. Desweitern habe ich mich nicht bereits und bewerbe ich mich auch nicht gleichzeitig an einer in- oder ausländischen wissenschaftlichen Hochschule um die Promotion. I hereby certify that the work embodied in this thesis is the result of original research and has not been submitted for a higher degree to any other university or institution. Zürich, Switzerland July 4, 2006 Tadeusz Pietraszek 5

6 6

7 Contents Acknowledgments Abstract Zusammenfassung List of Figures List of Tables v vii ix xi xiii 1 Introduction Motivation False Positives Existing Solutions Introducing the Analyst: The Global Picture of Alert Management Why Learning Alert Classifiers Works and Why It is a Difficult Learning Problem Classifying Alerts: False Positives, True Positives or Other Classes? Thesis Statement and Contributions Overview Intrusion Detection and Machine-Learning Background Intrusion Detection Intrusion Detection Systems Two examples of IDSs Conclusions Machine Learning Classification Basic Techniques Evaluating Classifiers ROC Analysis Unsupervised Techniques Summary State of the Art Multiple Facets of Related Work Building IDSs Using Machine Learning Spam Filtering i

8 ii CONTENTS 3.4 Interface Agents Alert Correlation Frequent Episodes & Association Rules Sensor Profiling CLARAty Data Mining and Root Cause Analysis Summary Datasets Used Datasets Available Datasets Used & Alert Labeling Alert Representation DARPA 1999 Data Set Data Set B MSSP Datasets Summary Adaptive Alert Classification ALAC Adaptive Learner for Alert Classification Recommender Mode Agent Mode Background Knowledge Choosing Machine-Learning Techniques Learning an Interpretable Classifier from Examples Background Knowledge and Efficiency Confidence of Classification Applying RIPPER to ALAC Cost-Sensitive and Binary vs. Multi-Class Classification Batch-Incremental Learning ALAC Evaluation Evaluation Methodology Background Knowledge Results Obtained with DARPA 1999 Data Set Results Obtained with Data Set B Understanding the Rules Conclusions Summary Abstaining Classifiers using ROC Analysis Introduction Background ROC-Optimal Abstaining Classifier Cost-Based Model Bounded Models Bounded-Abstention Model Bounded-Improvement Model Experiments Constructing an Abstaining Classifier

9 CONTENTS iii Testing Methodology Results Cost-Based Model Results Bounded Models Alternative Representations to ROC Curves Precision-Recall and ROC Curves DET Curves Cost Curves Related Work Conclusions and Future Work ALAC+ An Alert Classifier with Abstaining Classifiers ALAC Meets with Abstaining Classifiers The Problem with Rule Learners ALAC+ Evaluation Choosing Evaluation Models for ALAC Setting System Parameters Cost Results Conclusions Summary Combining Unsupervised and Supervised Learning Why Unsupervised Learning Makes Sense Retrospective Alert Analysis Subsequent Alert Classification CLARAty Algorithm Description Generalization Hierarchies CLARAty Algorithm Cluster Descriptions and Filtering Automated Cluster-Processing System CLARAty Evaluation Evaluation Methodology Setting System Parameters Cluster Persistency Number of Clusters and Total Coverage Automated Cluster Processing Cluster Precision and Recall Clustering Precision and Recall Charts Conclusions Combining Clustering with ALAC in a Two-Stage Alert-Classification System CLARAty and ALAC Evaluation ROC analysis DARPA 1999 Data Set Data Set B MSSP Datasets Conclusions Summary

10 iv CONTENTS 9 Summary, Conclusions and Future Work Summary Conclusions Future Work A Alert Correlation 151 A.1 Correlation Terminology A.2 Alert Correlation Systems A.2.1 Tivoli Aggregation and Correlation Component A.2.2 Probabilistic Alert Correlation A.2.3 Alert-Stream Fusion A.2.4 Hyper-alert Correlation A.2.5 Cooperative Intrusion Detection Framework A.2.6 Correlated Hacking Behavior A.2.7 M2D2 Formal Data Model A.2.8 Statistical Correlation Models A.2.9 Comprehensive IDS Alert Correlation B Abstaining Classifier Evaluation Results 161 C Clustering MSSP Datasets Results 173 Bibliography 184 Table of Symbols 199 Index 201

11 Acknowledgments efending a PhD is a one-man show, however, the process of pursuing one is definitely D not a one-person effort and I have a lot of people to thank for helping me in this stage of my life. First of all, I would like to thank my professor, Luc De Raedt, who saw value in my research and agreed to supervise it, providing support and giving directions for research. Being a remote PhD student working at IBM Zurich Research Lab is a special situation and I am really grateful that such an arrangement was possible. For all this and more, thank you, Luc. I would also like to thank Andreas Wespi, my former manager and mentor at IBM, for hiring me and supporting me during my PhD quest, always finding time for meetings and very thoroughly scrutinizing my work. I had greatly benefited from his experience in the field of intrusion detection and computer security. I would also like to thank Lucas Heusler, my current manager for giving me a lot of flexibility in doing my research, making the finishing of my PhD possible. During my PhD work I was greatly supported by my mentor, Klaus Julisch, who spent a considerable amount of time explaining the arcane of scientific work, forcing me to write and tirelessly correcting my scribbles. He also never hesitated to ask those difficult questions, which helped me to become a more mature researcher. I would like to thank the IBM Global Services Managed Security Services team, in particular Mike Fiori and Chris Calvert for allowing me to use their data and Jim Treinen and Ken Farmer for providing support on the technical side. I would also like to thank my friends at IBM, James Riordan & Daniela Bourges-Waldegg for being great friends, expanding my horizons (both scientific and non-scientific) through always interesting discussions and giving me (and other PhD students) a motto The goal of PhD is to finish it. I have had a great time with Diego Zamboni who, in spite of (or maybe rather because of) thinking of me as a very apt procrastinator and giving me motivation to work on my numerous pet projects, always found time to say Tadek, work on your thesis. During my stay in the lab, I have also met many interesting friends and colleagues: Chris Giblin, Marcel Graf, Christian Hörtnagl, Ulf Nielsen, Mike Nidd, René Pawlitzek, Ulrich Schimpel, Morton Schwimmer, Abhi Shelat, Dieter Sommer, Axel Tanner, and others, who provided an excellent and stimulating working environment and always had time for interesting discussions. Among my colleagues, special thanks go to my office-mate, Chris Vanden Berghe for putting up with me in one office during these three years, always-interesting discussions and arguments, and many interesting ideas that got born this way. I am also grateful to the friendly people who volunteered to read through, and give me invaluable comments on this dissertation and its earlier versions: my professor Luc De Raedt, Birgit Baum-Waidner, Axel Tanner (also for the help with the German abstract) and Andreas v

12 vi Preface Wespi. Without your help this thesis would not have gotten to this stage. Clearly, I am solely responsible for any mistakes that had remained in the report. Last but not least, I am deeply indebted to my family for their everlasting support while abroad and having by far more faith in me than anybody else, including myself! My special thanks go to Annie for being the best girlfriend and a wonderful life companion and for putting up with me during the hectic time while working on my PhD. Zürich, Switzerland July 4, 2006 Tadeusz Pietraszek

13 Abstract Intrusion Detection Systems (IDSs) aim at detecting intrusions, that is actions that attempt to compromise the confidentiality, integrity and availability of computer resources. With the proliferation of the Internet and the increase in the number of networked computers, coupled with the surge of unauthorized activities, IDSs have become an integral part of today s security infrastructures. However, in real environments IDSs have been observed to trigger an abundance of alerts. Most of them are false positives, i.e., alerts not related to security incidents. This dissertation deals with the problem of false positives in intrusion detection. We propose the novel concept of training an alert classifier using a human analyst s feedback and show how to build an efficient alert classifier using machine-learning techniques. We analyze the desired properties of such a system from the domain perspective and introduce ALAC, an Adaptive Learner for Alert Classification, and its two modes of operation: a recommender mode, in which all alerts with their classification are forwarded to the analyst, and an agent mode, in which the system uses autonomous alert processing. We evaluate ALAC in both modes on real and synthetic intrusion detection datasets and obtain promising results: In our experiments ALAC reduced the number of false positives by up to 60% with acceptable misclassification rates. Abstaining classifiers are classifiers that in certain cases can refrain from classification, which is similar to a domain expert saying I don t know. Abstaining classifiers are advantageous over normal classifiers if they perform better than normal classifiers when they make a decision. In this dissertation we provide a clarification of the concept of optimal abstaining classifiers and introduce three different models, in which normal and abstaining classifiers can be compared: the cost-based model, the bounded-abstention model, and the bounded-improvement model. In the first cost-based model, the classifier uses an extended 2 3 cost matrix, whereas in the bounded models, the classifier uses a standard 2 2 cost matrix and boundary conditions: the abstention window or the desired cost improvement. Looking at a common type of abstaining classifiers, namely classifiers constructed from a single ROC curve, we provide efficient algorithms for selecting these classifiers optimally in each of these models. We perform an experimental validation of these methods on a variety of common benchmark datasets. Applying abstaining classifiers to ALAC, we introduce ALAC+, an extension of our alertclassification system. We select the most suitable abstaining classifier models and show that by using abstaining classifiers one can significantly reduce the misclassification cost. For example, in our experiments with a 10% abstention the system reduced the overall misclassification cost by up to 87%. This makes abstaining classifiers particularly suitable for alert classification. vii

14 viii Preface In the final part of this dissertation, we extend CLARAty, the state-of-the-art alert clustering system by introducing automated cluster processing, and show how the system can be used to investigate missed intrusions and correct initial analyst s classifications. Based on this, we build a two-stage alert-classification system in which alerts are processed by the automated cluster-processing system and then forwarded to ALAC. Our experiments with real and synthetic datasets showed that the automated cluster-processing system is robust and on average reduces the total number of alerts by 63% which further reduces the analyst s workload.

15 Zusammenfassung Eindringerkennungssysteme (Intrusion Detection Systems, abgekürzt IDSs) zielen auf die Erkennung von Angriffen, d.h. Aktionen, die versuchen die Konfidenzialität, Integrität und Verfügbarkeit von Computer-Resourcen zu kompromittieren. Durch das enorme Wachstum des Internets und der Zahl der vernetzten Computer bei gleichzeitiger starker Zunahme von nicht-autorisierten Aktivitäten sind IDSs zu einem integralen Bestandteil der typischen aktuellen Sicherheits-Infrastruktur geworden. In realen Umgebungen beobachtet man jedoch, daß IDSs sehr viele Alarme produzieren, dabei zu einem großen Teil auch Fehlalarme (false positives), d.h. Alarme, die keinen Sicherheits-Zwischenfällen entsprechen. Diese Dissertation beschäftigt sich mit dem Problem von Fehlalarmen in der Intrusion Detektion. Wir schlagen hierzu ein neuartiges Konzept vor, bei dem ein Alarm-Klassifizierer aus der Rückmeldung eines menschlichen Analysten lernen kann, und zeigen, wie ein solcher effizienter Alarm-Klassifizierer mit Hilfe der Techniken maschinellen Lernens erstellt werden kann. Wir analysieren die wünschenswerten Eigenschaften eines solchen Systems aus dem Blickwinkel der Domäne der Intrusion Detektion und stellen ALAC vor, den Adaptiven Lerner für Alarm- Klassifikation (Adaptive Learner for Alert Classification). ALAC hat zwei Betriebsarten: eine empfehlende Betriebsart (recommender mode), bei der alle Alarme mit ihrer Klassifikation an den Analysten weitergeleitet werden, und eine Betriebsart als Agent (agent mode), in welcher das System Alarme teilweise eigenständig verarbeitet. Wir evaluieren ALAC in beiden Modi mit realen und synthetischen Daten aus dem Gebiet der Intrusion Detektion und erhalten dabei viel versprechende Ergebnisse: ALAC reduziert in diesen Experimenten die Zahl der Fehlalarme um bis zu 60% bei annehmbaren Raten der Fehlklassifikation. Sich-enthaltende Klassifizierer (abstaining classifiers) nehmen in bestimmten Fällen keine Klassifizierung vor, ähnlich einem Ich weiß nicht eines Domain-Experten. Es besteht die Annahme, daß ein solcher Klassifizierer, der sich enthalten kann, insgesamt eine bessere Leistung bringen kann als normale Klassifizierer, die in jedem Fall eine Entscheidung treffen müssen. In dieser Dissertation klären wir das Konzept des optimalen sich-enthaltenden Klassifizierers und stellen drei verschiedene Modelle vor, in denen sie mit normalen Klassifizierern verglichen werden können: ein kosten-basiertes Modell, ein Modell mit begrenzter Enthaltung und ein Modell mit begrenzter Verbesserung. Im kosten-basierten Modell benutzt der Klassifizierer eine erweiterte 2 3 Kosten-Matrix, während in den anderen Modellen der Klassifizierer eine normale 2 2 Kosten-Matrix verwendet mit zusätzlichen Randbedingungen: der Menge der Alarme, bei denen sich der Klassifizierer enthält, beziehungsweise die gewünschte Verbesserung der Kosten. Für eine übliche Gruppe von sich-enthaltenden Klassifizierern, die ix

16 x Preface aus einer einzelnen ROC-Kurve hervorgehen, zeigen wir effiziente Algorithmen um diese Klassifizierer in optimaler Art auszuwählen in allen genannten Modellen. Diese Methoden werden experimentell bestätigt mit einer großen Zahl von Benchmark-Daten. Unter Anwendung von sich-enthaltenden Klassifizierern auf ALAC führen wir ALAC+ ein, eine Erweiterung unseres Alarm-Klassifikations-Systems. Wir wählen die am besten geeigneten sich-enthaltenden Klassifizierer und zeigen, daß dadurch die Fehlklassifikations-Kosten signifikant reduziert werden können. So reduzieren sich beispielsweise in unseren Experimenten bei 10% Enthaltung die allgemeinen Fehlklassifikations-Kosten um bis zu 87%. Dies macht sich-enthaltende Klassifizierer besonders geeignet für die Alarm-Klassifizierung. Im letzten Teil der Arbeit erweitern wir CLARAty, ein aktuelles Alarm-Clustering-System, durch die Einführung einer automatisierten Cluster-Verarbeitung und zeigen, wie das System dazu benutzt werden kann eventuell übersehene Angriffe zu untersuchen und initiale Klassifikationen eines Analysten zu korrigieren. Hierauf aufbauend entwickeln wir ein zweistufiges Alarm-Klassifikations-System, in welchen Alarme zuerst durch die automatisierte Cluster- Verarbeitung prozessiert und dann an ALAC weitergeleitet werden. Unsere Experimente mit realen und synthetischen Daten zeigen, daß das automatisierte Cluster-Verarbeitungs-System robust ist und die Gesamtzahl von Alarmen, und damit auch die Arbeitslast des Analysten, durchschnittlich um 63% reduziert.

17 List of Figures 1.1 Evolution of the scope for addressing false positives in intrusion detection. Shaded areas represent the scope discussed in the text The global picture of alert management Thesis outline The general architecture of an IDS (based on [Axe05]) Using CSSE to preserve the metadata of string representations and to allow late string evaluation. Shaded areas represent string fragments originating from the user A sample decision tree Examples of ROC and ROCCH curves and the cost-optimal classifier Multiple facets of related work Entity-relationship diagram of concepts used by CLARAty [Jul03b] Architecture of ALAC in agent and recommender modes Three types of background knowledge for classifying IDS alerts ROC curves for the base classifier used with different types of background knowledge. The fragments represent areas of practical interest (low falsepositive rates and high true-positive rates) False negatives and false positives for ALAC in agent and recommender modes (DARPA1999 dataset, w = 50) Number of alerts processed autonomously by ALAC in agent mode False negatives and false positives for ALAC in agent and recommender modes (Data Set B, w = 50) ROC performance for algorithms inducing rules for different classes: + and Abstaining classifier A α,β constructed using two classifiers C α and C β Optimal classifier paths in a bounded-abstention model Finding the optimal classifier in a bounded model: visualization of X Optimal classifier paths in a bounded-improvement model Building an abstaining classifier A α,β Cost-based model: Relative cost improvement and fraction of nonclassified instances for a representative dataset ( : CR = 0.5, : CR = 1, : CR = 2) Bounded-abstention model: Relative cost improvement and the absolute cost for one representative dataset ( : CR = 0.5, : CR = 1, : CR = 2) xi

18 xii LIST OF FIGURES 6.8 Bounded-improvement model: Fraction of nonclassified instances for a representative dataset ( : CR = 0.5, : CR = 1, : CR = 2) Conversion between sample ROC and P-R curves (N/P = 5) Conversion between sample P-R and ROC curves (N/P = 5). The ROCCH has been transferred back to the P-R curve Conversion between sample ROC and DET curves. Grid shows iso-cost lines at CR = 2 and Simplified architecture of ALAC with abstaining classifiers Classifiers for three different misclassification costs ICR = 1, ICR = 50 (used in the remaining experiments) and ICR = 200 (DARPA 1999, BA 0.1) Three main types of clusters: false-alert candidates, true-alert candidates, and mixed clusters for further analysis Semi-automated cluster processing Sample generalization hierarchies for address, port and time attributes Automated cluster processing creating features Automated cluster processing filtering The evaluation of alert clustering and filtering Cluster persistency for DARPA 1999 Data Set and Data Set B relative and absolute values. Arrows show cumulative cluster coverage in the clustering (begin of an arrow) and the filtering (end of an arrow) stages for individual clustering runs Estimating the fraction of alerts clustered and the fraction of alerts filtered as a function of the number of clusters learned. Curves correspond to individual clustering runs. Verticals line show the smallest argument for which the target function reaches 95% of its maximum value Clusters as filters for DARPA 1999 Data Set and Data Set B relative and absolute values. Missed positives in Figures 8.9b and 8.9d are calculated relative to the number of true alerts (P ) Total alert reduction for clusters as filters for all datasets relative and absolute values Clustering and filtering precision and recall for DARPA 1999 Data Set. Data shown cumulatively for all clustering runs, with FA-clusters suppressed Cluster 72194, describing a part of a portsweep attack ROC curves for two types of two-stage alert-classification systems: 2FC and 2FI, for DARPA 1999 Data Set and Data Set B Two-stage alert-classification system: False negatives and false positives for ALAC and two-stage ALAC (2FC, 2FI) in agent and recommender modes (DARPA1999 Data Set, ICR =50) Two-stage alert-classification system: Number of alerts processed autonomously by ALAC and two-stage ALAC (2FC, 2FI) in agent mode Two-stage alert-classification system: False negatives and false positives for ALAC and two-stage ALAC (2FC, 2FI) in agent and recommender modes (Data Set B, ICR =50) ROC curve for sample MSSP datasets

19 LIST OF FIGURES xiii B.1 Cost-Based Model: Experimental results with abstaining classifiers relative cost improvement B.2 Cost-based model: Experimental results with abstaining classifiers fraction of skipped instances B.3 Bounded model: Experimental results with abstaining classifiers relative cost improvement B.4 Bounded model: Experimental results with abstaining classifiers absolute cost values B.5 Expected improvement model: Experimental results with abstaining classifiers desired relative cost improvement vs. fraction of nonclassified instances B.6 Expected improvement model: Experimental results with abstaining classifiers desired absolute cost improvement vs. fraction of nonclassified instances B.7 ALAC+, DARPA 1999 Data Set, BA0.1: False-positive rates, false-negative rates, the abstention window and the fraction of discarded alerts in both agent and recommender modes B.8 ALAC+, Data Set B, BA0.1: False-positive rates, false-negative rates, the abstention window and the fraction of discarded alerts in both agent and recommender modes B.9 ALAC+, DARPA 1999 Data Set, BI0.5: False-positive rates, false-negative rates, the abstention window and the fraction of discarded alerts in both agent and recommender modes B.10 ALAC+, Data Set B, BI0.5: False-positive rates, false-negative rates, the abstention window and the fraction of discarded alerts in both agent and recommender modes C.1 Cluster persistency for 20 MSSP customers absolute values. X and Y axes labels are the same as in Figs. 8.7a and 8.7c C.2 Cluster persistency for 20 MSSP customers relative values. X and Y axes labels are the same as in Figs. 8.7b and 8.7d C.3 Estimating the fraction of instances clustered as a function of the number of clusters learned for 20 MSSP customers. X and Y axes labels are the same as in Figs. 8.8a and 8.8c C.4 Estimating the fraction of instances clustered as a function of the fraction of instances filtered for 20 MSSP customers. X and Y axes labels are the same as in Figs. 8.8b and 8.8d C.5 Cluster filtering for 20 MSSP customers absolute values. X and Y axes labels are the same as in Figs. 8.9a and 8.9c C.6 Cluster filtering for 20 MSSP customers relative values. X and Y axes labels are the same as in Figs. 8.9b and 8.9d C.7 Clustering precision for 20 MSSP customers clustering stage. X and Y axes are the same as in Fig. 8.11a C.8 Clustering precision for 20 MSSP customers filtering stage. X and Y axes are the same as in Fig. 8.11b C.9 Clustering recall for 20 MSSP customers clustering stage. X and Y axes are the same as in Fig. 8.11c C.10 Clustering recall for 20 MSSP customers filtering stage. X and Y axes are the same as in Fig. 8.11d

20 xiv LIST OF FIGURES

Detection. Perspective. Network Anomaly. Bhattacharyya. Jugal. A Machine Learning »C) Dhruba Kumar. Kumar KaKta. CRC Press J Taylor & Francis Croup

Detection. Perspective. Network Anomaly. Bhattacharyya. Jugal. A Machine Learning »C) Dhruba Kumar. Kumar KaKta. CRC Press J Taylor & Francis Croup Network Anomaly Detection A Machine Learning Perspective Dhruba Kumar Bhattacharyya Jugal Kumar KaKta»C) CRC Press J Taylor & Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor

More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

Network Intrusion Detection and Prevention

Network Intrusion Detection and Prevention Ali A. Ghorbani Wei Lu Mahbod Tavallaee Network Intrusion Detection and Prevention Concepts and Techniques )Spri inger Contents 1 Network Attacks 1 1.1 Attack Taxonomies 2 1.2 Probes 4 1.2.1 IPSweep and

More information

CIS 433/533 - Computer and Network Security Intrusion Detection

CIS 433/533 - Computer and Network Security Intrusion Detection CIS 433/533 - Computer and Network Security Intrusion Detection Professor Kevin Butler Winter 2011 Computer and Information Science Intrusion An Authorized Action (or subversion of auth)... That Can Lead

More information

CS 5410 - Computer and Network Security: Intrusion Detection

CS 5410 - Computer and Network Security: Intrusion Detection CS 5410 - Computer and Network Security: Intrusion Detection Professor Kevin Butler Fall 2015 Locked Down You re using all the techniques we will talk about over the course of the semester: Strong access

More information

Double guard: Detecting Interruptions in N- Tier Web Applications

Double guard: Detecting Interruptions in N- Tier Web Applications Vol. 3, Issue. 4, Jul - Aug. 2013 pp-2014-2018 ISSN: 2249-6645 Double guard: Detecting Interruptions in N- Tier Web Applications P. Krishna Reddy 1, T. Manjula 2, D. Srujan Chandra Reddy 3, T. Dayakar

More information

IBM Security. Alle Risiken im Blick und bessere Compliance Kumulierte und intelligente Security Alerts mit QRadar Security Intelligence

IBM Security. Alle Risiken im Blick und bessere Compliance Kumulierte und intelligente Security Alerts mit QRadar Security Intelligence IBM Security Alle Risiken im Blick und bessere Compliance Kumulierte und intelligente Security Alerts mit QRadar Security Intelligence Peter Kurfürst Vertrieb IBM Security Lösungen Enterprise-Kunden Baden-Württemberg

More information

CSCI 4250/6250 Fall 2015 Computer and Networks Security

CSCI 4250/6250 Fall 2015 Computer and Networks Security CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6 Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP

More information

IDS / IPS. James E. Thiel S.W.A.T.

IDS / IPS. James E. Thiel S.W.A.T. IDS / IPS An introduction to intrusion detection and intrusion prevention systems James E. Thiel January 14, 2005 S.W.A.T. Drexel University Overview Intrusion Detection Purpose Types Detection Methods

More information

The Base Rate Fallacy and its Implications for the Difficulty of Intrusion Detection

The Base Rate Fallacy and its Implications for the Difficulty of Intrusion Detection The Base Rate Fallacy and its Implications for the Difficulty of Intrusion Detection Stefan Axelsson Presented by Kiran Kashalkar Agenda 1. 1. General Overview of of IDS 2. 2. Bayes Theorem and Base-Rate

More information

INTRUSION DETECTION SYSTEMS and Network Security

INTRUSION DETECTION SYSTEMS and Network Security INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS

More information

Intrusion Detection Systems

Intrusion Detection Systems CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Intrusion Detection Systems CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/

More information

SURVEY OF INTRUSION DETECTION SYSTEM

SURVEY OF INTRUSION DETECTION SYSTEM SURVEY OF INTRUSION DETECTION SYSTEM PRAJAPATI VAIBHAVI S. SHARMA DIPIKA V. ASST. PROF. ASST. PROF. MANISH INSTITUTE OF COMPUTER STUDIES MANISH INSTITUTE OF COMPUTER STUDIES VISNAGAR VISNAGAR GUJARAT GUJARAT

More information

Taxonomy of Intrusion Detection System

Taxonomy of Intrusion Detection System Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use

More information

CSC574 - Computer and Network Security Module: Intrusion Detection

CSC574 - Computer and Network Security Module: Intrusion Detection CSC574 - Computer and Network Security Module: Intrusion Detection Prof. William Enck Spring 2013 1 Intrusion An authorized action... that exploits a vulnerability... that causes a compromise... and thus

More information

An Incrementally Trainable Statistical Approach to Information Extraction Based on Token Classification and Rich Context Models

An Incrementally Trainable Statistical Approach to Information Extraction Based on Token Classification and Rich Context Models Dissertation (Ph.D. Thesis) An Incrementally Trainable Statistical Approach to Information Extraction Based on Token Classification and Rich Context Models Christian Siefkes Disputationen: 16th February

More information

Intrusion Detection for Mobile Ad Hoc Networks

Intrusion Detection for Mobile Ad Hoc Networks Intrusion Detection for Mobile Ad Hoc Networks Tom Chen SMU, Dept of Electrical Engineering tchen@engr.smu.edu http://www.engr.smu.edu/~tchen TC/Rockwell/5-20-04 SMU Engineering p. 1 Outline Security problems

More information

MACHINE LEARNING & INTRUSION DETECTION: HYPE OR REALITY?

MACHINE LEARNING & INTRUSION DETECTION: HYPE OR REALITY? MACHINE LEARNING & INTRUSION DETECTION: 1 SUMMARY The potential use of machine learning techniques for intrusion detection is widely discussed amongst security experts. At Kudelski Security, we looked

More information

Azure Machine Learning, SQL Data Mining and R

Azure Machine Learning, SQL Data Mining and R Azure Machine Learning, SQL Data Mining and R Day-by-day Agenda Prerequisites No formal prerequisites. Basic knowledge of SQL Server Data Tools, Excel and any analytical experience helps. Best of all:

More information

Practical Data Science with Azure Machine Learning, SQL Data Mining, and R

Practical Data Science with Azure Machine Learning, SQL Data Mining, and R Practical Data Science with Azure Machine Learning, SQL Data Mining, and R Overview This 4-day class is the first of the two data science courses taught by Rafal Lukawiecki. Some of the topics will be

More information

Layered Approach of Intrusion Detection System with Efficient Alert Aggregation for Heterogeneous Networks

Layered Approach of Intrusion Detection System with Efficient Alert Aggregation for Heterogeneous Networks Layered Approach of Intrusion Detection System with Efficient Alert Aggregation for Heterogeneous Networks Lohith Raj S N, Shanthi M B, Jitendranath Mungara Abstract Protecting data from the intruders

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Performance Evaluation of Intrusion Detection Systems

Performance Evaluation of Intrusion Detection Systems Performance Evaluation of Intrusion Detection Systems Waleed Farag & Sanwar Ali Department of Computer Science at Indiana University of Pennsylvania ABIT 2006 Outline Introduction: Intrusion Detection

More information

Data Mining For Intrusion Detection Systems. Monique Wooten. Professor Robila

Data Mining For Intrusion Detection Systems. Monique Wooten. Professor Robila Data Mining For Intrusion Detection Systems Monique Wooten Professor Robila December 15, 2008 Wooten 2 ABSTRACT The paper discusses the use of data mining techniques applied to intrusion detection systems.

More information

Cisco IPS Tuning Overview

Cisco IPS Tuning Overview Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.

More information

Update to V10. Automic Support: Best Practices Josef Scharl. Please ask your questions here http://innovate.automic.com/q&a Event code 6262

Update to V10. Automic Support: Best Practices Josef Scharl. Please ask your questions here http://innovate.automic.com/q&a Event code 6262 Update to V10 Automic Support: Best Practices Josef Scharl Please ask your questions here http://innovate.automic.com/q&a Event code 6262 Agenda Update to Automation Engine Version 10 Innovations in Version

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint?

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Why? Focused on Managed Intrusion Security Superior-Architected Hardened Technology Security

More information

Efficient Detection for DOS Attacks by Multivariate Correlation Analysis and Trace Back Method for Prevention

Efficient Detection for DOS Attacks by Multivariate Correlation Analysis and Trace Back Method for Prevention Efficient Detection for DOS Attacks by Multivariate Correlation Analysis and Trace Back Method for Prevention Thivya. T 1, Karthika.M 2 Student, Department of computer science and engineering, Dhanalakshmi

More information

CHAPTER 1 INTRODUCTION

CHAPTER 1 INTRODUCTION 21 CHAPTER 1 INTRODUCTION 1.1 PREAMBLE Wireless ad-hoc network is an autonomous system of wireless nodes connected by wireless links. Wireless ad-hoc network provides a communication over the shared wireless

More information

The SIEM Evaluator s Guide

The SIEM Evaluator s Guide Using SIEM for Compliance, Threat Management, & Incident Response Security information and event management (SIEM) tools are designed to collect, store, analyze, and report on log data for threat detection,

More information

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013 CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Measuring Intrusion Detection Capability: An Information-Theoretic Approach

Measuring Intrusion Detection Capability: An Information-Theoretic Approach Measuring Intrusion Detection Capability: An Information-Theoretic Approach Guofei Gu, Prahlad Fogla, David Dagon, Boris Škorić Wenke Lee Philips Research Laboratories, Netherlands Georgia Institute of

More information

CS419 Computer Security

CS419 Computer Security CS419 Computer Security Vinod Ganapathy Topic: Intrusion Detection and Firewalls Security Intrusion & Detection Security Intrusion a security event, or combination of multiple security events, that constitutes

More information

A very short history of networking

A very short history of networking A New vision for network architecture David Clark M.I.T. Laboratory for Computer Science September, 2002 V3.0 Abstract This is a proposal for a long-term program in network research, consistent with the

More information

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad OUTLINE Security incident Attack scenario Intrusion detection system Issues and challenges Conclusion

More information

Kapitel 2 Unternehmensarchitektur III

Kapitel 2 Unternehmensarchitektur III Kapitel 2 Unternehmensarchitektur III Software Architecture, Quality, and Testing FS 2015 Prof. Dr. Jana Köhler jana.koehler@hslu.ch IT Strategie Entwicklung "Foundation for Execution" "Because experts

More information

INTRUSION PREVENTION AND EXPERT SYSTEMS

INTRUSION PREVENTION AND EXPERT SYSTEMS INTRUSION PREVENTION AND EXPERT SYSTEMS By Avi Chesla avic@v-secure.com Introduction Over the past few years, the market has developed new expectations from the security industry, especially from the intrusion

More information

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE PRODUCT BRIEF LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE The Tripwire VIA platform delivers system state intelligence, a continuous approach to security that provides leading indicators of breach

More information

STANDARDISATION AND CLASSIFICATION OF ALERTS GENERATED BY INTRUSION DETECTION SYSTEMS

STANDARDISATION AND CLASSIFICATION OF ALERTS GENERATED BY INTRUSION DETECTION SYSTEMS STANDARDISATION AND CLASSIFICATION OF ALERTS GENERATED BY INTRUSION DETECTION SYSTEMS Athira A B 1 and Vinod Pathari 2 1 Department of Computer Engineering,National Institute Of Technology Calicut, India

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Intrusion Detection System 1 Intrusion Definitions A set of actions aimed to compromise the security

More information

Network Intrusion Detection Systems

Network Intrusion Detection Systems Network Intrusion Detection Systems False Positive Reduction Through Anomaly Detection Joint research by Emmanuele Zambon & Damiano Bolzoni 7/1/06 NIDS - False Positive reduction through Anomaly Detection

More information

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals AlienVault Unified Security Management (USM) 5.x Policy Management Fundamentals USM 5.x Policy Management Fundamentals Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

LASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages

LASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages LASTLINE WHITEPAPER Large-Scale Detection of Malicious Web Pages Abstract Malicious web pages that host drive-by-download exploits have become a popular means for compromising hosts on the Internet and,

More information

Intrusion Detection Systems vs. Intrusion Prevention Systems. Sohkyoung (Michelle) Cho ACC 626

Intrusion Detection Systems vs. Intrusion Prevention Systems. Sohkyoung (Michelle) Cho ACC 626 Intrusion Detection Systems vs. Intrusion Prevention Systems Sohkyoung (Michelle) Cho ACC 626 1.0 INTRODUCTION An increasing number of organizations use information systems to conduct their core business

More information

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph 0925910 I MCA

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph 0925910 I MCA INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph 0925910 I MCA OVERVIEW Introduction Overview The IDS Puzzle Current State of IDS Threats I have a good firewall, why do I need an IDS? Expectations

More information

Moderne Sicherheit. Fokussiert auf Business Continuity, Mobilität & Application Control. Marc Mathys Country Manager Switzerland

Moderne Sicherheit. Fokussiert auf Business Continuity, Mobilität & Application Control. Marc Mathys Country Manager Switzerland Moderne Sicherheit Fokussiert auf Business Continuity, Mobilität & Application Control Marc Mathys Country Manager Switzerland Network Security History in a Nutshell 1990s The Internet is bad if we do

More information

Search Engines Chapter 2 Architecture. 14.4.2011 Felix Naumann

Search Engines Chapter 2 Architecture. 14.4.2011 Felix Naumann Search Engines Chapter 2 Architecture 14.4.2011 Felix Naumann Overview 2 Basic Building Blocks Indexing Text Acquisition Text Transformation Index Creation Querying User Interaction Ranking Evaluation

More information

MANAGED SECURITY SERVICES (MSS)

MANAGED SECURITY SERVICES (MSS) MANAGED SECURITY SERVICES (MSS) The Cyber Security Initiative. Cybercrime is becoming an important factor for CIOs and IT professionals, but also for CFOs, compliance officers and business owners. The

More information

Machine Learning Final Project Spam Email Filtering

Machine Learning Final Project Spam Email Filtering Machine Learning Final Project Spam Email Filtering March 2013 Shahar Yifrah Guy Lev Table of Content 1. OVERVIEW... 3 2. DATASET... 3 2.1 SOURCE... 3 2.2 CREATION OF TRAINING AND TEST SETS... 4 2.3 FEATURE

More information

Role of Anomaly IDS in Network

Role of Anomaly IDS in Network Role of Anomaly IDS in Network SumathyMurugan 1, Dr.M.Sundara Rajan 2 1 Asst. Prof, Department of Computer Science, Thiruthangal Nadar College, Chennai -51. 2 Asst. Prof, Department of Computer Science,

More information

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure Security studies back up this fact: It takes less than 20

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Designing and Implementing a Server Infrastructure MOC 20413

Designing and Implementing a Server Infrastructure MOC 20413 Designing and Implementing a Server Infrastructure MOC 20413 In dieser 5-tägigen Schulung erhalten Sie die Kenntnisse, welche benötigt werden, um eine physische und logische Windows Server 2012 Active

More information

2010 White Paper Series. Layer 7 Application Firewalls

2010 White Paper Series. Layer 7 Application Firewalls 2010 White Paper Series Layer 7 Application Firewalls Introduction The firewall, the first line of defense in many network security plans, has existed for decades. The purpose of the firewall is straightforward;

More information

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for Intrusion Detection Intrusion Detection Security Intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Assessment of the operation and usefulness of informatics tools for the detection of on-going computer attacks André Matos Luís Machado Work Topics 1. Definition 2. Characteristics

More information

Bio-inspired cyber security for your enterprise

Bio-inspired cyber security for your enterprise Bio-inspired cyber security for your enterprise Delivering global protection Perception is a network security service that protects your organisation from threats that existing security solutions can t

More information

Mit einem Auge auf den mathema/schen Horizont: Was der Lehrer braucht für die Zukun= seiner Schüler

Mit einem Auge auf den mathema/schen Horizont: Was der Lehrer braucht für die Zukun= seiner Schüler Mit einem Auge auf den mathema/schen Horizont: Was der Lehrer braucht für die Zukun= seiner Schüler Deborah Löwenberg Ball und Hyman Bass University of Michigan U.S.A. 43. Jahrestagung für DidakEk der

More information

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: Large organizations have spent millions of dollars on security

More information

Data Mining for Network Intrusion Detection

Data Mining for Network Intrusion Detection Data Mining for Network Intrusion Detection S Terry Brugger UC Davis Department of Computer Science Data Mining for Network Intrusion Detection p.1/55 Overview This is important for defense in depth Much

More information

Data Mining - Evaluation of Classifiers

Data Mining - Evaluation of Classifiers Data Mining - Evaluation of Classifiers Lecturer: JERZY STEFANOWSKI Institute of Computing Sciences Poznan University of Technology Poznan, Poland Lecture 4 SE Master Course 2008/2009 revised for 2010

More information

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE PRODUCT BRIEF uugiven today s environment of sophisticated security threats, big data security intelligence solutions and regulatory compliance demands, the need for a log intelligence solution has become

More information

Observation and Findings

Observation and Findings Chapter 6 Observation and Findings 6.1. Introduction This chapter discuss in detail about observation and findings based on survey performed. This research work is carried out in order to find out network

More information

The Importance of Cybersecurity Monitoring for Utilities

The Importance of Cybersecurity Monitoring for Utilities The Importance of Cybersecurity Monitoring for Utilities www.n-dimension.com Cybersecurity threats against energy companies, including utilities, have been increasing at an alarming rate. A comprehensive

More information

Effective Intrusion Detection

Effective Intrusion Detection Effective Intrusion Detection A white paper by With careful configuration and management, intrusion detection systems can make a valuable contribution to IT infrastructure security s Global network of

More information

Radware s Behavioral Server Cracking Protection

Radware s Behavioral Server Cracking Protection Radware s Behavioral Server Cracking Protection A DefensePro Whitepaper By Renaud Bidou Senior Security Specialist,Radware October 2007 www.radware.com Page - 2 - Table of Contents Abstract...3 Information

More information

IBM Connections Cloud Security

IBM Connections Cloud Security IBM Connections White Paper September 2014 IBM Connections Cloud Security 2 IBM Connections Cloud Security Contents 3 Introduction 4 Security-rich Infrastructure 6 Policy Enforcement Points Provide Application

More information

Network- vs. Host-based Intrusion Detection

Network- vs. Host-based Intrusion Detection Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477

More information

Defeating Machine Learning

Defeating Machine Learning Defeating Machine Learning What Your Security Vendor is Not Telling You www.bluvectorcyber.com Bob Klein Data Scientist Bob.Klein@bluvectorcyber.com Ryan Peters Data Scientist Ryan.Peters@bluvectorcyber.com

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

Wolkige Versprechungen - Freiraum mit Tuecken

Wolkige Versprechungen - Freiraum mit Tuecken Wolkige Versprechungen - Freiraum mit Tuecken Aria_Naderi@bmc.com Wolkige Versprechungen Im Rechenzentrum Wölkchen sind inzwischen bereits einige Wölkchen am Netz Himmel aufgezogen, doch eine dichte Wolkendecke

More information

HEURISTICS FOR IMPROVED ENTERPRISE INTRUSION DETECTION. A Dissertation. Presented to. the Faculty of Engineering and Computer Science

HEURISTICS FOR IMPROVED ENTERPRISE INTRUSION DETECTION. A Dissertation. Presented to. the Faculty of Engineering and Computer Science HEURISTICS FOR IMPROVED ENTERPRISE INTRUSION DETECTION A Dissertation Presented to the Faculty of Engineering and Computer Science University of Denver In Partial Fulfillment of the Requirements for the

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

KEITH LEHNERT AND ERIC FRIEDRICH

KEITH LEHNERT AND ERIC FRIEDRICH MACHINE LEARNING CLASSIFICATION OF MALICIOUS NETWORK TRAFFIC KEITH LEHNERT AND ERIC FRIEDRICH 1. Introduction 1.1. Intrusion Detection Systems. In our society, information systems are everywhere. They

More information

An Efficient Way of Denial of Service Attack Detection Based on Triangle Map Generation

An Efficient Way of Denial of Service Attack Detection Based on Triangle Map Generation An Efficient Way of Denial of Service Attack Detection Based on Triangle Map Generation Shanofer. S Master of Engineering, Department of Computer Science and Engineering, Veerammal Engineering College,

More information

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12 Intrusion Detection Systems and Supporting Tools Ian Welch NWEN 405 Week 12 IDS CONCEPTS Firewalls. Intrusion detection systems. Anderson publishes paper outlining security problems 1972 DNS created 1984

More information

Conclusions and Future Directions

Conclusions and Future Directions Chapter 9 This chapter summarizes the thesis with discussion of (a) the findings and the contributions to the state-of-the-art in the disciplines covered by this work, and (b) future work, those directions

More information

From Network Security To Content Filtering

From Network Security To Content Filtering Computer Fraud & Security, May 2007 page 1/10 From Network Security To Content Filtering Network security has evolved dramatically in the last few years not only for what concerns the tools at our disposals

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

An Integrated CyberSecurity Approach for HEP Grids. Workshop Report. http://hpcrd.lbl.gov/hepcybersecurity/

An Integrated CyberSecurity Approach for HEP Grids. Workshop Report. http://hpcrd.lbl.gov/hepcybersecurity/ An Integrated CyberSecurity Approach for HEP Grids Workshop Report http://hpcrd.lbl.gov/hepcybersecurity/ 1. Introduction The CMS and ATLAS experiments at the Large Hadron Collider (LHC) being built at

More information

Microsoft Certified IT Professional (MCITP) MCTS: Windows 7, Configuration (070-680)

Microsoft Certified IT Professional (MCITP) MCTS: Windows 7, Configuration (070-680) Microsoft Office Specialist Office 2010 Specialist Expert Master Eines dieser Examen/One of these exams: Eines dieser Examen/One of these exams: Pflichtexamen/Compulsory exam: Word Core (Exam 077-881)

More information

Name. Description. Rationale

Name. Description. Rationale Complliiance Componentt Description DEEFFI INITION Network-Based Intrusion Detection Systems (NIDS) Network-Based Intrusion Detection Systems (NIDS) detect attacks by capturing and analyzing network traffic.

More information

Cognitive and Organizational Challenges of Big Data in Cyber Defense

Cognitive and Organizational Challenges of Big Data in Cyber Defense Cognitive and Organizational Challenges of Big Data in Cyber Defense Nathan Bos & John Gersh Johns Hopkins University Applied Laboratory nathan.bos@jhuapl.edu, john.gersh@jhuapl.edu The cognitive and organizational

More information

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE PRODUCT BRIEF LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE As part of the Tripwire VIA platform, Tripwire Log Center offers out-of-the-box integration with Tripwire Enterprise to offer visibility

More information

Intrusion Detection. Jeffrey J.P. Tsai. Imperial College Press. A Machine Learning Approach. Zhenwei Yu. University of Illinois, Chicago, USA

Intrusion Detection. Jeffrey J.P. Tsai. Imperial College Press. A Machine Learning Approach. Zhenwei Yu. University of Illinois, Chicago, USA SERIES IN ELECTRICAL AND COMPUTER ENGINEERING Intrusion Detection A Machine Learning Approach Zhenwei Yu University of Illinois, Chicago, USA Jeffrey J.P. Tsai Asia University, University of Illinois,

More information

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) 01.1 Purpose

More information

Protecting the Infrastructure: Symantec Web Gateway

Protecting the Infrastructure: Symantec Web Gateway Protecting the Infrastructure: Symantec Web Gateway 1 Why Symantec for Web Security? Flexibility and Choice Best in class hosted service, appliance, and virtual appliance (upcoming) deployment options

More information

AUTOMATED PENETRATION TESTING PRODUCTS

AUTOMATED PENETRATION TESTING PRODUCTS AUTOMATED PENETRATION TESTING PRODUCTS Justification and Return on Investment (ROI) EXECUTIVE SUMMARY This paper will help you justify the need for an automated penetration testing product and demonstrate

More information

Experiments in Web Page Classification for Semantic Web

Experiments in Web Page Classification for Semantic Web Experiments in Web Page Classification for Semantic Web Asad Satti, Nick Cercone, Vlado Kešelj Faculty of Computer Science, Dalhousie University E-mail: {rashid,nick,vlado}@cs.dal.ca Abstract We address

More information

Performance Analysis of Naive Bayes and J48 Classification Algorithm for Data Classification

Performance Analysis of Naive Bayes and J48 Classification Algorithm for Data Classification Performance Analysis of Naive Bayes and J48 Classification Algorithm for Data Classification Tina R. Patil, Mrs. S. S. Sherekar Sant Gadgebaba Amravati University, Amravati tnpatil2@gmail.com, ss_sherekar@rediffmail.com

More information

The Cyber Threat Profiler

The Cyber Threat Profiler Whitepaper The Cyber Threat Profiler Good Intelligence is essential to efficient system protection INTRODUCTION As the world becomes more dependent on cyber connectivity, the volume of cyber attacks are

More information

Implementation of Intelligent Techniques for Intrusion Detection Systems

Implementation of Intelligent Techniques for Intrusion Detection Systems Ain Shams University Faculty of Computer & Information Sciences Implementation of Intelligent Techniques for Intrusion Detection Systems A Thesis Submitted to Department of Computer Science In partial

More information

Some Research Challenges for Big Data Analytics of Intelligent Security

Some Research Challenges for Big Data Analytics of Intelligent Security Some Research Challenges for Big Data Analytics of Intelligent Security Yuh-Jong Hu hu at cs.nccu.edu.tw Emerging Network Technology (ENT) Lab. Department of Computer Science National Chengchi University,

More information

Intrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of

Intrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of Intrusion Detection Tianen Liu May 22, 2003 I. Abstract Computers are vulnerable to many threats. Hackers and unauthorized users can compromise systems. Viruses, worms, and other kinds of harmful code

More information

Efficient Security Alert Management System

Efficient Security Alert Management System Efficient Security Alert Management System Minoo Deljavan Anvary IT Department School of e-learning Shiraz University Shiraz, Fars, Iran Majid Ghonji Feshki Department of Computer Science Qzvin Branch,

More information

False Positives Reduction Techniques in Intrusion Detection Systems-A Review

False Positives Reduction Techniques in Intrusion Detection Systems-A Review 128 False Positives Reduction Techniques in Intrusion Detection Systems-A Review Asieh Mokarian, Ahmad Faraahi, Arash Ghorbannia Delavar, Payame Noor University, Tehran, IRAN Summary During the last decade

More information

Learning Classifiers for Misuse Detection Using a Bag of System Calls Representation

Learning Classifiers for Misuse Detection Using a Bag of System Calls Representation Learning Classifiers for Misuse Detection Using a Bag of System Calls Representation Dae-Ki Kang 1, Doug Fuller 2, and Vasant Honavar 1 1 Artificial Intelligence Lab, Department of Computer Science, Iowa

More information

windream Failover Cluster Installation

windream Failover Cluster Installation windream windream Failover Cluster Installation windream GmbH, Bochum Copyright 2006-2011 by windream GmbH Wasserstr.219 44799 Bochum Stand: 06/11 1.0.0.3 Alle Rechte vorbehalten. Kein Teil dieser Beschreibung

More information