The Second International Conference on Innovations in Information Technology (IIT 05)
HoneyAnalyzer: Analysis and Extraction of Intrusion Detection Patterns & Signatures Using Honeypot

Urjita Thakar, Reader, Department of Computer Engineering, Shri G.S. Institute of Technology and Science, 23, Park Road, Indore (MP), INDIA
Sudarshan Varma, Department of Computer Engineering, Shri G.S. Institute of Technology and Science, 23, Park Road, Indore (MP), INDIA
A.K. Ramani, Professor, School of Computer Science, DAVV, Khandwa Road, Indore (MP), INDIA

ABSTRACT

A Honeypot is a security resource which is intended to be attacked and compromised in order to gain more information about the attacker and his attack techniques. A honeypot can also indicate how to perform forensics. The information gathered by watching a honeypot being probed is invaluable: it gives information about attacks and attack patterns. Currently, the creation of intrusion detection signatures is a tedious process that requires detailed knowledge of the traffic characteristics of the phenomenon to be detected. In this paper we address these issues. We propose HoneyAnalyzer, a tool for analyzing honeyd logs in an RDBMS with a web-based monitoring interface. The data collected from the Honeypot is analyzed for possible attacks, scans, and viruses. The system displays the honeyd logs as well as traffic analyzer (e.g. Tcpdump) logs in a well-defined graphical manner, so that a security administrator can filter the data of the honeypot's log. We also propose the use of a signature extraction algorithm such as LCS (Longest Common Substring) on the data filtered out by the administrator. Thus the security administrator gets the flexibility to apply the signature extraction algorithm on the data of his choice, resulting in more precise attack signature extraction.

Keywords: Honeypot, Intrusion Detection, Attack Signatures, Security.

1. INTRODUCTION

Intrusion detection systems (IDS) have become an important component in the Security Administrator's toolbox. More specifically, IDS tools aim to detect computer attacks and/or computer misuse, and to alert the proper individuals upon detection. Intrusion detection systems serve three essential security functions: they monitor, detect and respond to unauthorized activity of organization insiders and outsiders [1]. Intrusion detection systems use policies to define certain events that, if detected, will issue an alert in the form of a sound or an e-mail. Intrusion detection systems are an integral and necessary element of a complete information security infrastructure, functioning as "the logical complement to network firewalls". IDS tools allow for complete supervision of networks, regardless of the action being taken, such that information will always exist to determine the nature of the security incident and its source.

A Honeypot is a highly flexible security tool with differing applications for security [2]. Honeypots don't fix any problem, but they have important uses in intrusion prevention, detection and information gathering. A Honeypot is a security resource that does not have any production or authorized activity. This makes it very simple to use. A Honeypot's greatest value lies in its simplicity, because it is a device that is intended to be compromised [3]. This means that there is little or no production traffic going to or from it. Any time a connection is sent to the Honeypot, it is most likely to be a probe, a scan, or even an attack. A Honeypot collects very little data, and what it collects is normally of high value. This information can be used in the extraction of intrusion detection signatures.

There are two basic techniques to detect intruders: anomaly detection and misuse detection (signature detection). Anomaly Detection is designed to uncover abnormal patterns of behavior: the IDS establishes a baseline of normal usage patterns, and anything that widely deviates from it is flagged as a possible intrusion [5]. Data mining techniques are generally applied to this category of Intrusion Detection, i.e. Anomaly detection. Misuse Detection, commonly called signature detection, uses specifically known patterns of unauthorized behavior to predict and detect subsequent similar attempts. These specific patterns are called signatures. Therefore, in the case of Misuse Detection, the attack signature is at the heart of the IDS. Various experiments on Data Mining based Intrusion Detection Systems [14] have demonstrated the effectiveness of classification models in detecting anomalies, but the accuracy of the detection models depends on sufficient training data and the right feature set. The Data Mining method is not suitable for signature extraction in combination with honeypots, as they provide very little useful data. Signatures can be generated through approaches like Network Grepping / Pattern Matching, Protocol Decode/Analysis, Heuristics and Honeypots.

Current intrusion detection systems often work as misuse detectors, where the packets in the monitored network are compared against a repository of signatures that define the characteristics of an intrusion. A successful match causes alerts to be fired. The signature often consists of one or more specific binary patterns found in a given network packet. The signature can be described as a Boolean relation called a rule [6]. An intrusion detection system is able to recognize an attack only when it knows a signature for this attack, and thus requires continuous updates of its signature database. Continuous research to analyze new attacks and find their signatures is also a must. Moreover, a slight change in the attack scenario may be enough to alter the attack signature and thus fool a signature filter. Signature-based systems are consequently vulnerable to polymorphic attacks and other evasion techniques, which are expected to grow in the near future.

At present, the creation of these signatures is a tedious process that requires detailed knowledge of each software exploit and analysis of a large pool of ASCII log data. The automated extraction of signatures, e.g. application of the longest common substring (LCS) algorithm to the database of attack log data as presented in [5], extracts the binary pattern blindly, resulting in more false positives. Thus there is a need for generating more precise attack signatures. Simplistic signatures tend to generate large numbers of false positives; too specific ones cause false negatives.

To address these issues, this paper presents HoneyAnalyzer, a tool that helps the security administrator in generating precise signatures of malicious network traffic. The proposed system uses honeyd [4], a popular low-interaction open-source honeypot, for collecting the intruder's log. Honeyd simulates hosts with individual networking personalities. It intercepts traffic sent to nonexistent hosts and uses the simulated systems to respond to this traffic. Each host's personality can be individually configured in terms of OS type and running network services. This paper focuses on graphical visualization of the attacks/accesses made on various ports of the different simulated Honeypot machines. The proposed system gives flexibility to the security administrator by providing a good graphical interface to filter out the data. On this filtered data he can apply attack signature algorithms and obtain a balanced attack signature that will not give too many false positives or negatives. A security administrator can apply the LCS algorithm for signature extraction on the data of his choice. Therefore, this manual intervention will give more precise signatures.

2. BACKGROUND

2.1 Intrusion Detection Signatures

The purpose of attack signatures is to describe the characteristic elements of attacks. A signature can be a portion of code, a pattern of behavior, a sequence of system calls, etc. There is currently no common standard for defining these signatures. As a consequence, different systems provide signature languages of varying expressiveness. A good signature must be narrow enough to capture precisely the characteristic aspects of the exploit it attempts to address; at the same time, it should be flexible enough to capture variations of the attack. Failure in generating good signatures leads to either large amounts of false positives or false negatives. Content Based Signature Generation [10] is the process of extracting attack signatures based on selection of the most frequently occurring byte sequences across the flows in the suspicious flow pool. To do so, various algorithms like LCS are applied to extract the common patterns in it, because malicious payload appears with increasing frequency as the malicious activity spreads.

2.2 Honeypots

The honeypot has emerged as an effective tool for observing and understanding intruders' toolkits, tactics, and motivations [7]. A honeypot suspects every packet transmitted to/from it, giving it the ability to collect highly concentrated and less noisy datasets for network attack analysis. Honeypots are decoy computer resources set up for the purpose of monitoring and logging the activities of entities that probe, attack or compromise them [8]. Activities on honeypots can be considered suspicious by definition, as there is no point for benign users to interact with these systems. Honeypots come in many shapes and sizes; examples include dummy items in a database, low-interaction network components like preconfigured traffic sinks, or full-interaction hosts with real operating systems and services [9]. Honeypots excel at detection, addressing many of the problems of traditional detection. Honeypots reduce false positives by capturing small data sets of high value, capture unknown attacks such as new exploits or polymorphic shell-code, and work in encrypted and IPv6 environments [6]. In general, low-interaction honeypots make the best solutions for detection. They are easier to deploy and maintain.

3. THE PROPOSED METHOD

The proposed signature extraction system consists of three major parts:
i) Data Capture, i.e. traffic logging components: this part includes Honeyd and Tcpdump for data collection.
ii) Data Analysis, i.e. analysis and extraction components: this part contains the data analysis part of the signature extraction mechanism for extracting precise attack signatures.
iii) Signature Extraction, i.e. the steps to extract good quality attack signatures.

3.1 Data Capture

The purpose of Data Capture is to log all the activities of an attacker. The Honeypot does exactly this, i.e. it collects information. The HoneyAnalyzer system has two sources of data: the Honeypot log and the network traffic log from Tcpdump. The Honeyd framework supports several ways of logging network activity. It can create connection logs that report attempted and completed connections for all protocols. But to analyze the complete attack scenario, the system needs the full payload of the packets entering and leaving the honeypot. This task is performed by the second element, i.e. Tcpdump, which captures every packet's full payload. Tcpdump is a tool for network monitoring and one of the most well known sniffers for Linux. Built on the libpcap (packet capture library) interface, it collects information from packets on the network, including those intended for other host machines. It does this through a network interface card's ability to enter promiscuous mode. It then dumps packet header information into the log file.

3.2 Data Analysis

In order to extract the precise attack signature, a data analyzer has been developed, as shown in Figure 1. The web interface gives a graphical output using which the security administrator can easily find out the most attacked port and the most attacked IP address in the form of pie charts, as shown in Figures 2 and 3. The proposed methodology for realization of the HoneyAnalyzer for extracting more precise attack signatures is described below:
i) Configure honeyd to simulate the network.
ii) Run Tcpdump for traffic analysis.
iii) Invoke the auto-run shell script that will run at a particular time interval and execute the parser utility, which parses the data from the honeyd log file and inserts it into the database, as shown in Figure 1. The parser utility can be realized in any language which has strong string tokenization capability, like Java.
iv) Execute the auto-run shell script to push the honeyd log data into the database. This will be invoked by cron.
v) Log in to the web interface to view the attack patterns and analyze the data for extraction of good quality signatures.

Figure 1: HoneyAnalyzer's architecture, illustrating honeyd as it simulates a number of different machines, each running a number of pre-configured services. The HoneyAnalyzer has hooked itself into the wire to see incoming and outgoing connections and provides the web interface.
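The parser utility of step iii) and the per-port and per-source statistics behind the pie charts of Figures 2 and 3 can be sketched in a few dozen lines. The following Python script is an added example written for this page; it is not HoneyAnalyzer's own code. It assumes the honeyd connection-log layout "timestamp proto(num) S|E|- src_ip src_port dst_ip dst_port [os guess]" (ICMP lines carry no ports), loads constructed sample lines into an in-memory SQLite table, and then runs the queries a web GUI would issue for the most attacked port and the most active remote address, optionally restricted to a time range. The sample log lines, all IP addresses and the layout of the hits table are this example's own constructions.

```python
import re
import sqlite3
from datetime import datetime

# Constructed honeyd connection-log sample (not captured data). Assumed layout:
#   <timestamp> <proto>(<num>) <S|E|-> <src ip> <src port> <dst ip> <dst port>[: bytes] [<os guess>]
# ICMP lines carry no ports; 'S' opens a TCP connection, 'E' closes it and '-' marks
# a connectionless (UDP/ICMP) event.
SAMPLE_HONEYD_LOG = """\
2005-03-01-10:15:02.1001 tcp(6) S 203.0.113.7 3412 192.0.2.10 137 [Windows XP SP1]
2005-03-01-10:15:02.9000 tcp(6) E 203.0.113.7 3412 192.0.2.10 137: 120 60
2005-03-01-10:15:05.2200 tcp(6) S 203.0.113.7 3413 192.0.2.10 445
2005-03-01-10:16:11.0500 udp(17) - 198.51.100.23 1037 192.0.2.11 137: 50
2005-03-01-10:17:40.7700 tcp(6) S 198.51.100.23 2001 192.0.2.10 80 [Linux 2.4]
2005-03-01-10:18:03.0000 icmp(1) - 198.51.100.23 192.0.2.10: 8(0): 84
2005-03-01-10:19:30.3300 tcp(6) S 203.0.113.7 3414 192.0.2.12 137
"""

OS_RE = re.compile(r"\[(.*)\]\s*$")


def parse_honeyd_line(line):
    """Tokenize one honeyd log line into a dict; return None for lines that do not fit."""
    fields = line.split()
    if len(fields) < 5 or fields[2] not in ("S", "E", "-"):
        return None
    try:
        ts = datetime.strptime(fields[0], "%Y-%m-%d-%H:%M:%S.%f")
        proto = fields[1].split("(")[0]
        if proto == "icmp":
            src, sport, dst, dport = fields[3], None, fields[4].rstrip(":"), None
        else:
            src, sport = fields[3], int(fields[4])
            dst, dport = fields[5], int(fields[6].rstrip(":"))
    except (ValueError, IndexError):
        return None
    m = OS_RE.search(line)
    return {"ts": ts.isoformat(), "proto": proto, "event": fields[2],
            "src_ip": src, "src_port": sport, "dst_ip": dst, "dst_port": dport,
            "os_guess": m.group(1) if m else None}


def load_into_db(log_text, conn):
    """Parse every log line and insert the rows into the hits table; returns rows inserted."""
    conn.execute("""CREATE TABLE IF NOT EXISTS hits (
        ts TEXT, proto TEXT, event TEXT, src_ip TEXT, src_port INTEGER,
        dst_ip TEXT, dst_port INTEGER, os_guess TEXT)""")
    rows = [r for r in map(parse_honeyd_line, log_text.splitlines()) if r]
    conn.executemany(
        "INSERT INTO hits VALUES (:ts, :proto, :event, :src_ip, :src_port, :dst_ip, :dst_port, :os_guess)",
        rows)
    conn.commit()
    return len(rows)


# Only connection starts and connectionless events count as hits; counting the
# 'E' rows as well would double-count every TCP connection.
HIT_FILTER = "event IN ('S', '-')"


def hits_per_port(conn, start=None, end=None):
    """Hit count per destination port (the pie chart of Figure 2), optionally within [start, end)."""
    sql = f"SELECT dst_port, COUNT(*) FROM hits WHERE {HIT_FILTER} AND dst_port IS NOT NULL"
    params = []
    if start:
        sql += " AND ts >= ?"
        params.append(start)
    if end:
        sql += " AND ts < ?"
        params.append(end)
    sql += " GROUP BY dst_port ORDER BY 2 DESC, 1"
    return conn.execute(sql, params).fetchall()


def hits_per_source(conn, dst_port=None):
    """Hit count per remote address (Figure 3), optionally narrowed to one destination port."""
    sql = f"SELECT src_ip, COUNT(*) FROM hits WHERE {HIT_FILTER}"
    params = []
    if dst_port is not None:
        sql += " AND dst_port = ?"
        params.append(dst_port)
    sql += " GROUP BY src_ip ORDER BY 2 DESC, 1"
    return conn.execute(sql, params).fetchall()


def build_demo_db():
    """Load the constructed sample into an in-memory database and return the connection."""
    conn = sqlite3.connect(":memory:")
    load_into_db(SAMPLE_HONEYD_LOG, conn)
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("hits per port:", hits_per_port(db))
    print("hits on port 137 by source:", hits_per_source(db, dst_port=137))
    print("hits per port after 10:16:", hits_per_port(db, start="2005-03-01T10:16:00"))
```

Timestamps are stored in ISO 8601 form so that a plain string comparison implements the time-range filter of the GUI, and the parameterised queries keep the administrator's port and address inputs out of the SQL text.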
To enable the Security Administrator to select the suspicious data, the web GUI has the following features:
i) Ability to display packet information from the database.
ii) Ability to display real time network traffic from the data stored in the database, as well as historical traffic statistics.
iii) Display of the ports which were attacked within a certain time range, using pie charts.
iv) A timeline based hit statistic showing how many hits per second the Honeypot got in a certain time range.
v) Pie charts showing which remote IP addresses were "visited" by the Honeypot in a certain time range. Here it is possible to specify a port number to show activity on a specific port.
vi) A textual hit statistic over a certain time range. By specifying an IP or a port number it is possible to focus on specific events.

Figure 2: A quick summary of hits on a particular port (in this case port number 137) by various IP addresses.

Figure 3: A quick summary of hits by a particular IP address, e.g. hits by the machine on various ports.

In the proposed method, the database module is useful mainly for two reasons. First, it is easier to search for a particular packet or range of packets using a database: all one has to do is to construct the correct query syntax. Second, the database facilitates different representations of the generated data. The database records all the packets (IP, TCP, and UDP) that are received by the Honeypot and Tcpdump. The graphical interface can be run independently of the Honeypot and without any type of honeypot configuration. This independence comes from the database module described earlier. Since past events are all recorded in a database, the web GUI can analyze events without having to interfere with the normal operations of the Honeypot. In this way the proposed system allows for a good selection of data for extracting the attack signatures, as against the existing methods, which blindly apply the content-based signature extraction algorithm on the whole data captured by the honeypot.

3.3 Signature Extraction

The graphical interface supports application of the LCS algorithm to the data of interest, while present systems apply the LCS algorithm on the whole data. The process of finding attack signatures is not fully automated; rather, it also depends upon the Security Administrator's (SA) wisdom and experience. The SA can choose the traffic on which the LCS algorithm is to be applied. The resulting precise signature will give a smaller number of false positives and false negatives. The steps followed for finding good quality attack signatures are as follows:
i) Identify data of interest (i.e. of significance) from the database by looking at the web GUI.
ii) Analyze the combined data from the different data sources, i.e. honeypot and Tcpdump. For each received packet initiate the following sequence of activities:
   a) If there is any existing connection state for the new packet, that state is updated; otherwise new state is created.
   b) If the packet is outbound, don't process the packet.
   c) Perform protocol analysis [6] at the network and transport layer.
   d) For each stored connection, perform header comparison in order to detect matching IP networks, initial TCP sequence numbers, etc.
iii) Apply a content-based string matching algorithm on the payload of interest through the following sequence of activities:
   a) If the connections have the same destination port, perform pattern detection on the exchanged messages with the help of the Longest Common Substring algorithm. A description of string-based pattern detection is given in [10].
   b) If a new signature is created in the process, use the signature to augment the signature pool; otherwise stop the process.
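The outbound filter of step ii-b, the grouping by destination port and pairwise LCS of step iii, and the administrator's grooming of benign substrings discussed in the next section can be put together as follows. This is an added example written for this page, not HoneyAnalyzer's or Honeycomb's code. The flows, payloads and addresses are constructed, and BENIGN_TOKENS stands in for the protocol tokens and local-network fragments that a security administrator would mark as benign; a candidate signature is kept only if enough distinctive bytes remain once those are removed, which is what suppresses the "GET" / "HTTP" and local-header strings that blind LCS produces.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed flows as the analyzer would reassemble them from the honeyd and
# Tcpdump data; addresses and payloads are made up for this example.
HONEYPOT_NET = ip_network("192.0.2.0/24")
PROBE = b"GET /cgi-bin/probe.cgi?x=" + b"A" * 32
SAMPLE_FLOWS = [
    {"src": "203.0.113.7", "dst": "192.0.2.10", "dport": 80,
     "payload": PROBE + b" HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n"},
    {"src": "198.51.100.23", "dst": "192.0.2.11", "dport": 80,
     "payload": PROBE + b" HTTP/1.1\r\nHost: 192.0.2.11\r\n\r\n"},
    {"src": "198.51.100.99", "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n"},
    # outbound reply from the honeypot: step ii-b says not to process it
    {"src": "192.0.2.10", "dst": "203.0.113.7", "dport": 3412,
     "payload": b"HTTP/1.0 200 OK\r\n\r\n"},
    # only one flow on this port, so there is no pair to compare
    {"src": "203.0.113.7", "dst": "192.0.2.12", "dport": 137,
     "payload": b"\x81\x00\x00\x44 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00"},
]

# Protocol tokens and local-network fragments the administrator marks as benign;
# a candidate signature is judged on what remains after these are removed.
BENIGN_TOKENS = [b"GET /", b" HTTP/1.", b"Host: ", b"\r\n", b"192.0.2."]


def longest_common_substring(a, b):
    """Classic O(len(a)*len(b)) dynamic programme over bytes; returns the first longest match."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def is_distinctive(candidate, benign_tokens, min_len):
    """Reject a candidate that is too short once the benign tokens are stripped out."""
    residue = candidate
    for token in benign_tokens:
        residue = residue.replace(token, b"")
    return len(residue) >= min_len


def extract_signatures(flows, honeypot_net, benign_tokens, min_len=8):
    """Steps ii-b and iii: drop outbound flows, group inbound ones by destination port,
    run pairwise LCS inside each group and keep only distinctive, non-duplicate results."""
    inbound = [f for f in flows if ip_address(f["src"]) not in honeypot_net]
    by_port = defaultdict(list)
    for f in inbound:
        by_port[f["dport"]].append(f)
    signatures = {}
    for port, group in sorted(by_port.items()):
        kept = []
        for fa, fb in combinations(group, 2):
            candidate = longest_common_substring(fa["payload"], fb["payload"])
            if is_distinctive(candidate, benign_tokens, min_len) and candidate not in kept:
                kept.append(candidate)
        if kept:
            signatures[port] = kept
    return signatures


if __name__ == "__main__":
    for port, sigs in extract_signatures(SAMPLE_FLOWS, HONEYPOT_NET, BENIGN_TOKENS).items():
        for sig in sigs:
            print(f"port {port}: {sig!r}")
```

On the sample, the two probe requests share the whole query string and survive grooming, whereas the pairs involving the benign index request have only headers and the local address in common and are dropped; the single port-137 flow yields nothing because pairwise LCS needs at least two flows on a port. The benign-token list is the place where the administrator's knowledge of protocol semantics and of the local network enters the process.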
4. DISCUSSION & CONCLUSIONS

The HoneyAnalyzer presented in this paper shall be useful in extracting good quality signatures from the data obtained from the logs of the honeypot and the traffic analyzer. It has been observed that the number of signatures generated by traditional methods is large compared to those generated using HoneyAnalyzer, i.e. lack of knowledge of protocol semantics and of the local network produces more signatures with benign substrings. Honeycomb was one of the first efforts to address the problem of automatic signature generation from honeypot traces [5]. An evaluation of Honeycomb performed in [13] shows that while there were several perfectly functional signatures, there was also a surprisingly large number of benign strings identified by the LCS algorithm. Some of these were small strings such as GET or HTTP that are clearly impractical and just happened to be the longest common substring between unrelated sessions. These were part of normal operation and were suppressed by white-listing signatures smaller than a certain length [13]. There were also much longer strings in the signature set, such as proxy headers, that also do not represent real attack signatures. Thus, the only way to avoid these kinds of problems is through manual grooming of signatures by an expert with protocol knowledge.

A comparison of HoneyAnalyzer and Honeycomb is as follows:
i) Pairwise LCS employed by Honeycomb often leads to redundant (non-identical) signatures, which would generate multiple alarms for the same attack. HoneyAnalyzer generalizes the approach such that a security administrator who is aware of protocol semantics can groom the signatures, making it far less prone to redundant signature production.
ii) Honeycomb's lack of semantics awareness leads to signatures consisting of benign substrings. These lead to false positives; thus Honeycomb is unable to produce precise signatures for protocols such as NetBIOS and MS-SQL, and for HTTP attacks such as Nimda, where the exploit content is a small portion of the entire attack string. In the case of HoneyAnalyzer, semantics awareness is the responsibility of the security administrator. He can better understand the benign substrings of the local network and can filter out redundant and useless strings. Thus the signatures obtained through HoneyAnalyzer are of high quality and result in more precise intrusion detection, not giving too many false positives or negatives.

HoneyAnalyzer can also act as an intrusion indicator, i.e. it shows how, when and from where different intrusion attempts are taking place. This can be shown through the graphical interface. Honeypots are increasingly deployed in networks; however, they are mostly used passively, and administrators just watch them for what happens. The proposed system gives the security administrator better control over the intrusion detection process for extracting good quality attack signatures.

Future Work

In the future, an attempt can be made to add implementations of some more algorithms and techniques, like connection tracking, protocol analysis, and pattern detection in flow content, based on which the security administrator can perform the analysis and extract signatures with even greater precision. To make HoneyAnalyzer more flexible, further parameters can be added, such as allowing the negative interpretation of input like Port != 445, which will show activity on all ports except 445. A quantitative comparison also needs to be done between the existing method and the proposed method to illustrate the advantages of the proposed system over the existing one.

REFERENCES

[1] Paul Innella and Oba McMillan, "An Introduction to Intrusion Detection Systems".
[2] Christian Plattner, Reto Baumann, "White Paper: Honeypots".
[3] Lance Spitzner, "The Value of Honeypots, Part One: Definitions and Values of Honeypots".
[4] Niels Provos, "A Virtual Honeypot Framework", in Proceedings of the 13th USENIX Security Symposium (Security 2004), San Diego, CA, August 2004, pp.
[5] Christian Kreibich, Jon Crowcroft, "Honeycomb: Creating Intrusion Detection Signatures Using Honeypots", ACM SIGCOMM Computer Communication Review, Volume 34, Issue 1, January 2004, pp.
[6] Erwan Lemonnier, Defcom, "Protocol Anomaly Detection in Network-based IDSs".
[7] Lance Spitzner, "Honeypots: Simple, Cost-Effective Detection".
[8] Martin Roesch, "Snort: Lightweight Intrusion Detection for Networks", Proceedings of the USENIX 13th System Administration Conference, November 1999, pp.
[9] Yuqing Mai, Radhika Upadrashta and Xiao Su, "J-Honeypot: A Java-Based Network Deception Tool with Monitoring and Intrusion Detection", Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'04), Volume 1, April 05-07, 2004, pp.
[10] Hyang-Ah Kim, Brad Karp, "Autograph: Toward Automated, Distributed Worm Signature Detection", in Proceedings of the 13th USENIX Security Symposium, San Diego, CA, August, pp.
[11] Peng Ning, Dingbang Xu, "Learning Attack Strategies from Intrusion Alerts", in Proceedings of the 10th ACM Conference on Computer and Communications Security, October 2003, pp.
[12] Peng Ning, Yun Cui, Douglas Reeves, and Dingbang Xu, "Tools and Techniques for Analyzing Intrusion Alerts", in ACM Transactions on Information and System Security, Vol. 7, No. 2, May 2004, pp.
[13] Vinod Yegneswaran, Jonathon T. Giffin, Paul Barford, and Somesh Jha, "An Architecture for Generating Semantics-Aware Signatures", in 14th USENIX Security Symposium, Baltimore, Maryland, August, to appear.
[14] V.V. Patriciu, I. Priescu, "Using Data Mining Techniques for increasing Security in System Internet-based", in 11th Conference CAIM, Oradea, 2003.
More informationVolume 2, Issue 3, March 2014 International Journal of Advance Research in Computer Science and Management Studies
Volume 2, Issue 3, March 2014 International Journal of Advance Research in Computer Science and Management Studies Research Article / Paper / Case Study Available online at: www.ijarcsms.com Web Application
More informationInternational Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849
WINDOWS-BASED APPLICATION AWARE NETWORK INTERCEPTOR Ms. Shalvi Dave [1], Mr. Jimit Mahadevia [2], Prof. Bhushan Trivedi [3] [1] Asst.Prof., MCA Department, IITE, Ahmedabad, INDIA [2] Chief Architect, Elitecore
More informationAn Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks
2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks Reyhaneh
More informationFirewalls, Tunnels, and Network Intrusion Detection. Firewalls
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
More informationA Survey on Honeypot Based Signature Generation Techniques in Computer Network Security
A Survey on Honeypot Based Signature Generation Techniques in Computer Network Security Geetika yadav 1, Ms.Prabhjot Kaur 2 1 M.Tech Student, Department of CSE, B.S.Anangpuria Institute of Technology and
More informationCSCI 4250/6250 Fall 2015 Computer and Networks Security
CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6 Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP
More informationConfiguring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA
Configuring Personal Firewalls and Understanding IDS Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA 1 Configuring Personal Firewalls and IDS Learning Objectives Task Statements 1.4 Analyze baseline
More informationHow To Protect A Network From Attack From A Hacker (Hbss)
Leveraging Network Vulnerability Assessment with Incident Response Processes and Procedures DAVID COLE, DIRECTOR IS AUDITS, U.S. HOUSE OF REPRESENTATIVES Assessment Planning Assessment Execution Assessment
More informationAnalyzing Intrusion Detection System Evasions Through Honeynets
Analyzing Intrusion Detection System Evasions Through Honeynets J.S Bhatia 1, Rakesh Sehgal 2, Simardeep Kaur 3, Siddharth Popli 4 and Nishant Taneja 5 1 Centre for Development of Advanced Computing 2,
More informationIntrusion Detection Systems
Intrusion Detection Systems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-07/
More informationZero-Day Attack Signatures Detection Using Honeypot
Zero-Day Attack Signatures Detection Using Honeypot Reshma R. Patel Information Technology Department, L. D. College of Engineering, Ahmedabad, India Chirag S. Thaker Information Technology Department,
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Intrusion Detection System 1 Intrusion Definitions A set of actions aimed to compromise the security
More informationIntroduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.
Contents Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Technical OverView... Error! Bookmark not defined. Network Intrusion Detection
More informationFuzzy Network Profiling for Intrusion Detection
Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University
More informationModule II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University
Module II. Internet Security Chapter 7 Intrusion Detection Web Security: Theory & Applications School of Software, Sun Yat-sen University Outline 7.1 Threats to Computer System 7.2 Process of Intrusions
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
More informationPassive Logging. Intrusion Detection System (IDS): Software that automates this process
Passive Logging Intrusion Detection: Monitor events, analyze for signs of incidents Look for violations or imminent violations of security policies accepted use policies standard security practices Intrusion
More informationConfiguring Snort as a Firewall on Windows 7 Environment
Journal of Ubiquitous Systems & Pervasive Networks Volume 3, No. 2 (2011) pp. 3- Configuring Snort as a Firewall on Windo Environment Moath Hashim Alsafasfeh a, Abdel Ilah Noor Alshbatat b a National University
More informationDetecting Threats in Network Security by Analyzing Network Packets using Wireshark
1 st International Conference of Recent Trends in Information and Communication Technologies Detecting Threats in Network Security by Analyzing Network Packets using Wireshark Abdulalem Ali *, Arafat Al-Dhaqm,
More informationDetecting Zero-Day Attack Signatures using Honeycomb in a Virtualized Network
Detecting Zero-Day Attack Signatures using Honeycomb in a Virtualized Network Reshma R. Patel Information Technology Department, L.D.College of Engineering, Ahmedabad, India. Chirag S. Thaker Information
More informationIntrusion Detection Systems
Intrusion Detection Systems Assessment of the operation and usefulness of informatics tools for the detection of on-going computer attacks André Matos Luís Machado Work Topics 1. Definition 2. Characteristics
More informationWeb Forensic Evidence of SQL Injection Analysis
International Journal of Science and Engineering Vol.5 No.1(2015):157-162 157 Web Forensic Evidence of SQL Injection Analysis 針 對 SQL Injection 攻 擊 鑑 識 之 分 析 Chinyang Henry Tseng 1 National Taipei University
More informationDon t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure
Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure Security studies back up this fact: It takes less than 20
More informationIDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for
Intrusion Detection Intrusion Detection Security Intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts
More informationCapturing Web Application Threats Using virtual CMS Honeypot. Saharuddin Saat, Nor Adora Endut 1, Abdul Hamid Othman 2
Capturing Web Application Threats Using virtual CMS Honeypot Saharuddin Saat, Nor Adora Endut 1, Abdul Hamid Othman 2 Faculty of Computer and Mathematical Sciences, Universiti Teknologi MARA, Malaysia
More informationDynamic Rule Based Traffic Analysis in NIDS
International Journal of Information & Computation Technology. ISSN 0974-2239 Volume 4, Number 14 (2014), pp. 1429-1436 International Research Publications House http://www. irphouse.com Dynamic Rule Based
More informationChapter 9 Firewalls and Intrusion Prevention Systems
Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish
More informationSemantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0
Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual Document Version 1.0 Table of Contents 1 SWAF... 4 1.1 SWAF Features... 4 2 Operations and User Manual... 7 2.1 SWAF Administrator
More informationBehaviour Based Worm Detection and Signature Automation
Journal of Computer Science 7 (11): 1724-1728, 2011 ISSN 1549-3636 2011 Science Publications Behaviour Based Worm Detection and Signature Automation 1 Mohammed Anbar, 1 Selvakumar Manickam, 2 Al-Samarraie
More informationBotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation
BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke Lee USENIX Security Symposium (Security 07) Presented by Nawanol
More informationHoneyd Detection via Packet Fragmentation
Honeyd Detection via Packet Fragmentation Jon Oberheide and Manish Karir Networking Research and Development Merit Network Inc. 1000 Oakbrook Drive Ann Arbor, MI 48104 {jonojono,mkarir}@merit.edu Abstract
More informationPassive Vulnerability Detection
Page 1 of 5 Passive Vulnerability Detection "Techniques to passively find network security vulnerabilities" Ron Gula rgula@securitywizards.com September 9, 1999 Copyright 1999 Network Security Wizards
More informationConfiguring Snort as a Firewall on Windows 7 Environment
Configuring Snort as a Firewall on Windo Environment Moath Hashim Alsafasfeh a, Abdel Ilah Noor Alshbatat b a National university of Malaysia UKM, Selengor, Malaysia. b Tafila Technical University, Electrical
More informationTHE ROLE OF IDS & ADS IN NETWORK SECURITY
THE ROLE OF IDS & ADS IN NETWORK SECURITY The Role of IDS & ADS in Network Security When it comes to security, most networks today are like an egg: hard on the outside, gooey in the middle. Once a hacker
More informationIDS : Intrusion Detection System the Survey of Information Security
IDS : Intrusion Detection System the Survey of Information Security Sheetal Thakare 1, Pankaj Ingle 2, Dr. B.B. Meshram 3 1,2 Computer Technology Department, VJTI, Matunga,Mumbai 3 Head Of Computer TechnologyDepartment,
More informationCSE331: Introduction to Networks and Security. Lecture 17 Fall 2006
CSE331: Introduction to Networks and Security Lecture 17 Fall 2006 Announcements Project 2 is due next Weds. Homework 2 has been assigned: It's due on Monday, November 6th. CSE331 Fall 2004 2 Summary:
More informationIntrusion Detection in AlienVault
Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat
More informationLAN Based Intrusion Detection And Alerts
LAN Based Intrusion Detection And Alerts Vivek Malik, Mohit Jhawar, Harleen, Akshay Khanijau, Nakul Chawla Abstract : With the ever increasing size and number of networks around the world, the network
More information2 Technologies for Security of the 2 Internet
2 Technologies for Security of the 2 Internet 2-1 A Study on Process Model for Internet Risk Analysis NAKAO Koji, MARUYAMA Yuko, OHKOUCHI Kazuya, MATSUMOTO Fumiko, and MORIYAMA Eimatsu Security Incidents
More informationNETWORK SECURITY (W/LAB) Course Syllabus
6111 E. Skelly Drive P. O. Box 477200 Tulsa, OK 74147-7200 NETWORK SECURITY (W/LAB) Course Syllabus Course Number: NTWK-0008 OHLAP Credit: Yes OCAS Code: 8131 Course Length: 130 Hours Career Cluster: Information
More informationNetwork Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC) james@cert.org.tw
Network Monitoring On Large Networks Yao Chuan Han (TWCERT/CC) james@cert.org.tw 1 Introduction Related Studies Overview SNMP-based Monitoring Tools Packet-Sniffing Monitoring Tools Flow-based Monitoring
More informationCountermeasure for Detection of Honeypot Deployment
Proceedings of the International Conference on Computer and Communication Engineering 2008 May 13-15, 2008 Kuala Lumpur, Malaysia Countermeasure for Detection of Honeypot Deployment Lai-Ming Shiue 1, Shang-Juh
More informationEnd-user Security Analytics Strengthens Protection with ArcSight
Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security
More informationHadoop Technology for Flow Analysis of the Internet Traffic
Hadoop Technology for Flow Analysis of the Internet Traffic Rakshitha Kiran P PG Scholar, Dept. of C.S, Shree Devi Institute of Technology, Mangalore, Karnataka, India ABSTRACT: Flow analysis of the internet
More informationDaniel Meier & Stefan Badertscher
Daniel Meier & Stefan Badertscher 1. The definition of Honeypots 2. Types of Honeypots 3. Strength and Weaknesses 4. Honeypots in action 5. Conclusions 6. Questions 7. Discussion A honeypot is an information
More informationCisco IPS Tuning Overview
Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.
More informationCS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013
CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access
More informationDesign and Implementation of Netdude, a Framework for Packet Trace Manipulation
Design and Implementation of Netdude, a Framework for Packet Trace Manipulation Christian Kreibich University of Cambridge Computer Laboratory JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom christian.kreibich
More informationUnit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.
Running head: UNIT 3 RESEARCH PROJECT 1 Unit 3 Research Project Eddie S. Jackson Kaplan University IT540: Management of Information Security Kenneth L. Flick, Ph.D. 10/07/2014 UNIT 3 RESEARCH PROJECT 2
More informationFlow-based Worm Detection using Correlated Honeypot Logs
Flow-based Worm Detection using Correlated Honeypot Logs Falko Dressler, Wolfgang Jaegers, and Reinhard German Computer Networks and Communication Systems, University of Erlangen, Martensstr. 3, 91058
More informationIntrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)
1 of 8 3/25/2005 9:45 AM Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Intrusion Detection systems fall into two broad categories and a single new one. All categories
More informationAutonomous Hybrid Honeypot as the Future of Distributed Computer Systems Security
Acta Polytechnica Hungarica Vol. 10, No. 6, 2013 Autonomous Hybrid Honeypot as the Future of Distributed Computer Systems Security Peter Fanfara, Marek Dufala, Ján Radušovský Department of Computers and
More informationIntroduction of Intrusion Detection Systems
Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:
More informationFrom Network Security To Content Filtering
Computer Fraud & Security, May 2007 page 1/10 From Network Security To Content Filtering Network security has evolved dramatically in the last few years not only for what concerns the tools at our disposals
More informationEFFECTIVE IMPLEMENTATION OF DYNAMIC CLASSIFICATION FOR NETWORK FORENSIC AND TRAFFIC ANALYSIS
EFFECTIVE IMPLEMENTATION OF DYNAMIC CLASSIFICATION FOR NETWORK FORENSIC AND TRAFFIC ANALYSIS Manu Bansal Assistant Professor Department of IT University Institute of Engineering & Technology Panjab University,
More informationFramework for generating IDS benchmarking Data sets. Stian Skjølsvik
Framework for generating IDS benchmarking Data sets Stian Skjølsvik Master s Thesis Master of Science in Information Security 30 ECTS Department of Computer Science and Media Technology Gjøvik University
More informationAbstract. 1. Introduction. 1.1. Current Environment. University of California, Los Alamos National Laboratory. Telephone 505-667-0096 Fax 505-665-3456
Automated Information System (AIS) Alarm System Author(s) Organizational Affiliation William Hunteman University of California, Los Alamos National Laboratory Telephone 505-667-0096 Fax 505-665-3456 E-mail
More informationDevelopment of a Network Intrusion Detection System
Development of a Network Intrusion Detection System (I): Agent-based Design (FLC1) (ii): Detection Algorithm (FLC2) Supervisor: Dr. Korris Chung Please visit my personal homepage www.comp.polyu.edu.hk/~cskchung/fyp04-05/
More information