Analysis of Attacks towards Turkish National Academic Network


Murat SOYSAL, Onur BEKTAŞ

Abstract

Monitoring unused IP address space is an emerging method for capturing Internet security threats. Either an attack or a misconfiguration could generate network traffic towards the unused IP blocks of a network segment. This paper summarizes the method for ascertaining the attacks towards the Turkish National Academic Network by the use of a modified version of the Blackhole concept. In this method, Blackhole traffic is captured by using Honeypots and analyzed by using IP header information. The attacks are classified based on source IP address, originating country, operating system and destination port. Moreover, captured traffic originating from Turkey is further evaluated in order to characterize the distribution of attacks among the Turkish Internet Service Providers.

Index Terms: Blackhole monitoring, Honeypot, network security, ULAKBIM, ULAKNET

I. INTRODUCTION

The security of national and personal information resources has become more important with the expansion in the use of the Internet and the increase in the number of applications such as e-government and electronic banking. Moreover, the increase in the number of cyber attacks and in cyber terrorism has been threatening especially the security of national information resources. These circumstances have made the establishment of Computer Security Incident Response Teams urgent. Urged by necessity, Ulak-CSIRT, the ULAKNET Computer Security Incident Response Team, has been established within the National Academic Network (ULAKNET). ULAKNET, managed by the Turkish Academic Network and Information Center (ULAKBIM) [1], provides network connectivity between universities and research institutes and similar institutions in Turkey and abroad. For ULAKBIM to provide its services and fulfill its primary duties, a high-speed, reliable backbone and external connections are needed.
The main goal of ULAKBIM is to provide network services always one step ahead of the expectations of its users, made up of 100,000 academic personnel and more than 2.2 million university students. ULAKBIM is a partner of GÉANT2, and the ULAKNET backbone is interconnected with the trans-European Research Network GÉANT2 with 2.5 Gbps capacity; an upgrade of this link is in process. The ULAKNET backbone consists of three PoPs located in Ankara, Istanbul and Izmir, and the backbone links are 1 Gbps, 500 Mbps and 500 Mbps respectively.

CERT/CSIRT units are mainly established within well-organized and leading enterprises managing big networks [2]. Ulak-CSIRT (Computer Security Incident Response Team) is responsible for preventing potential security violations from external networks against ULAKNET. Ulak-CSIRT also aims to ascertain the attacks and the parties responsible and, in the same way, to prevent attacks from ULAKNET towards the outside world; if there is such an attack, it ascertains the parties responsible and shares the information with the administrators of that network [3]. The method developed in this study is based on the Blackhole concept and employs Honeypots within the scope of Ulak-CSIRT's mission of ascertaining the attacks towards ULAKNET.

In ordinary usage, Blackholes, from a network security perspective, are placed in the network where traffic is forwarded and dropped. Systems that monitor unused address space have been called Blackholes [4], darknets [5], network telescopes [6] or Sinkholes [7] and have been under investigation for a long time. Honeypots are a kind of Intrusion Detection System that emulates vulnerable systems or services to attract the interest of intruders [8].

Manuscript received November 10. M. Soysal is with the Turkish Academic Network and Information Center (ULAKBIM), Ankara, Bilkent. O. Bektaş is with the Turkish Academic Network and Information Center (ULAKBIM), Ankara, Bilkent.
The ULAKNET Blackhole Attack Detection System includes a Blackhole application based on the unused IP blocks of ULAKNET, and the traffic forwarded to this system is received by a Honeypot. Inclusion of the Honeypot encourages the intruders to continue their attacking behavior, which lets security experts analyze the attacks in more depth. With stand-alone Blackholes, by contrast, security experts have limited capabilities since the traffic is directly dropped. Although there is some research in the literature focusing on the use of Honeypots in Blackhole applications, implementation in large-scale networks is still a challenging study due to the great amount of data that has to be analyzed. In addition, to our knowledge the ULAKNET Blackhole Attack Detection System is a unique study in Turkey at this scale. Moreover, our study presents national-scale findings, since it analyzes the attacks towards the whole national academic network. These findings contribute to the analysis of attacks towards Turkey with interesting results such as the most attacking countries, the most attacking operating systems, the most attacked ports, etc.
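As an added example (not code from the paper or from ULAKBIM), the following Python models the capture mechanism explained in Section II.B below: the aggregate blocks are routed to the Blackhole, the assigned sub-blocks to their nodes, and the more specific route wins, so unused space falls into the Blackhole without any explicit route. It also applies the spoofing indicator from the conclusion, a source address inside one of our own unused blocks. All prefixes and node names are constructed stand-ins (RFC 5737 documentation ranges) for the real ULAKNET assignments, which the extracted text does not preserve.

```python
"""Route aggregates to a Blackhole, sub-blocks to nodes; let the specific route win.

Added example, not code from the paper or ULAKBIM.  All prefixes and node names
are constructed stand-ins (RFC 5737 documentation ranges) for the real ULAKNET
assignments, which the extracted text does not preserve.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

BLACKHOLE = "blackhole"

# Constructed: two aggregate blocks held by the academic network, and the
# sub-blocks that have been assigned to member nodes.  Everything inside an
# aggregate but outside every assigned sub-block is an unused block.
AGGREGATES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
ASSIGNED = {
    ip_network("192.0.2.0/26"):    "node-A",
    ip_network("192.0.2.128/25"):  "node-B",
    ip_network("198.51.100.0/25"): "node-C",
}


def build_routing_table() -> Dict[IPv4Network, str]:
    """The paper's rule: aggregates point at the Blackhole, assigned
    sub-blocks at their nodes.  No explicit route for unused space is needed."""
    table = {agg: BLACKHOLE for agg in AGGREGATES}
    table.update(ASSIGNED)
    return table


def lookup(table: Dict[IPv4Network, str], addr: str) -> Optional[str]:
    """Longest-prefix match, as the backbone routers do: among all routes that
    cover the address, the one with the longest prefix wins."""
    ip = ip_address(addr)
    best = None
    for net, hop in table.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def unused_blocks() -> List[IPv4Network]:
    """Enumerate the unused sub-blocks: each aggregate minus its assigned blocks."""
    result = []
    for agg in AGGREGATES:
        remaining = [agg]
        for sub in ASSIGNED:
            remaining = [r for net in remaining
                         for r in (net.address_exclude(sub) if sub.subnet_of(net) else [net])]
        result.extend(remaining)
    return sorted(result)


def classify_packet(src: str, dst: str, table=None) -> List[str]:
    """Two observations from the paper applied to one (src, dst) pair:
    a destination that resolves to the Blackhole is attack or misconfiguration
    traffic, and a *source* that resolves to the Blackhole is an address we own
    but never assigned, which the paper reads as a clear indication of spoofing."""
    table = table or build_routing_table()
    verdicts = []
    if lookup(table, dst) == BLACKHOLE:
        verdicts.append("to-blackhole")
    if lookup(table, src) == BLACKHOLE:
        verdicts.append("spoofed-source")
    return verdicts or ["normal"]
```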

II. ULAKNET BLACKHOLE ATTACK DETECTION SYSTEM

A. Blackholes

Blackholes, from a network security perspective, are placed in the network where traffic is forwarded and dropped. Once an attack has been detected, blackholing can be used to drop all attack traffic at the edge of an Internet Service Provider (ISP) network, based on either destination or source IP addresses. Blackholes are also used for monitoring unused Internet address space to characterize security threats. Systems that monitor unused IP address space have been called Blackhole monitors [4], darknets [5], network telescopes [6] and Sinkholes [7]. Blackholes are capable of identifying configuration errors, routing problems [9], denial of service (DoS) attacks [10], [11], Internet worms [12], [13], [14], [15] and botnets [4]. There are even some preliminary results from IPv6 Blackhole deployments [16].

B. Capturing and Analyzing Attacks

The Blackhole concept is adapted to detect attacks with the help of the unused IP blocks within ULAKNET. The following IPv4 address blocks are assigned to ULAKNET in the RIPE Database [17]:

/ / / /17

ULAKBIM assigns sub-blocks of these four IP blocks to the nodes of ULAKNET, using its Assignment Window, and routes the traffic destined to these sub-blocks to the related node according to these assignments. On the other hand, some sub-blocks are currently not assigned to any node and are consequently designated as the unused IP blocks of ULAKNET. Any network packet whose destination address is in one of the unused IP block ranges belongs either to a malicious activity or to misconfigured traffic. The ULAKNET Blackhole application is mainly based on capturing and analyzing this kind of traffic. We used a very simple routing rule to capture this traffic: the priority of specific routes over general ones. First, all four large IP ranges assigned to ULAKBIM are routed to a ULAKNET Blackhole:
ip route
ip route
ip route
ip route

Since the smaller blocks assigned to the nodes have more specific entries in the routing tables of the backbone routers, they are matched first. All packets having a used IP address as destination are distributed to the related nodes. The rest is then captured by the Blackhole.

After capturing these packets, the analysis is done according to the research interests. We assumed that if the captured packets belong to a malicious activity, this is mainly a scan preceding the actual attack, since the destination is not a real victim with a valid IP address. Therefore, we decided to identify the distribution of these hosts according to the ISP hosting the attacker, the country the attacks come from and the destination ports scanned. This information can easily be gathered from the IP header part of the packets, so deep packet inspection tools are not used in this study. Employing such a tool to identify the attack type more precisely and in more detail was another option, but it would not be cost effective since the captured packets probably belong only to the scanning phase. Besides, as the number of packets towards the Blackhole increases, real-time deep packet analysis of the traffic gets more difficult.

Honeyd [18] is used to gather information from the IP header part of the captured packets. Although honeyd is classified as a low-interaction honeypot, it has advanced features such as deceiving operating system probe scanners. Simplicity, human-readable logs and familiarity were the main concerns in choosing honeyd. Honeyd creates a flow log for all connection requests captured. An example log file includes the following lines:

:00: tcp(6) S [Windows XP SP1]
:00: tcp(6) E :
:00: udp(17) : 30

The fields in the Honeyd log file can be interpreted as follows. The first field contains the timestamp of the event. The second field lists the protocol, like tcp, udp etc.
The third field may be one of: S, the start of a new connection; E, the end of a connection (Honeyd logs the amount of data received at the end of the line); or a marker for a packet that does not belong to any connection. The following fields give the four-tuple of the connection, in the order source IP, source port, destination IP and destination port. Honeyd also logs the operating system (OS) of the attacker at the end of the line if it can be identified via passive fingerprinting.

C. Classification of Attacks

In this section, the methodology used to classify the attacks is explained. The attacks are classified according to the ISP which the attacker belongs to, the

country the attacks come from, the destination ports scanned and the operating system used by the attacker. The classifications based on the des[...] directly gathered from the honeyd log [...] source IP information is further proce[...] hosting the attacker and the country [...]. This process is given in Figure 1 as a f[...].

Figure 1. Source IP based analysis

In the first step, the country which t[...] identified by using an open source [...] [19]. GeoIP is a geographical loca[...] mainly used to gather geographical [...] Internet visitors in real time. An [...] query/result pair is given below:

Query: [...]
Result: geoiploo[...] GeoIP Country Edition: US, [...]

In step 2, the country of origin is determin[...] Turkey are classified using Ge[...] membership information [20] is use[...] Turkish Local Internet Registries (LIR) and their IP ranges. At steps 3 and 4, Turkey-originated IP addresses are further classified as ULAKNET and the others. To accomplish this task, the membership list is further filtered based upon the registry base of the LIRs. A LIR is added to the Turkish LIR list if its registry base is in Turkey. Attacks from Turkey are classified according to the ISPs hosting the attacker. The last classification is made on the attacks coming from ULAKNET nodes. Most ULAKNET nodes use the IPv4 blocks assigned by ULAKBIM, so it is easy to identify the node owning a source IPv4 address from the local databases. In addition, some nodes of ULAKNET have their own AS numbers and IPv4 addresses assigned directly from RIPE (e.g. METU, ITU). The local database is updated to include all IPv4 addresses used within ULAKNET.

D. Reporting

All the classification results are visualized graphically and shared via the Ulak-CSIRT web page [21]. The graphs include statistics such as the most attacking ULAKNET node, the most attacking countries and the most attacking IP addresses. This information is published publicly to enable all security teams to identify the most active attackers targeting the Turkish Academic Network. Further details are available upon request, since sharing them publicly could result in more security holes.

III. RESULTS

In this section the classification results of the attacks captured during June 2008 are given. The log file processed belongs to exactly 30 days. It has an approximate size of 18 Gigabytes and over 233 million lines. The total number of unique IP addresses in the log file is [...] of these unique IP addresses belong [...] a significant number for our Internet [...]plication identified 50k compromised [...]rkish ISP during one month.

Figure 2. Top Ten Attacking IP Addresses

A. The Most Attacking IP Addresses

[...] Attacking IP Addresses is one of the [...] network security point of view. This list could be used for dynamically generating Access Control Lists to filter the most active attackers at the edge of the backbone. After detecting such an IP address, its traffic can also be redirected to deep packet inspection intrusion detection systems (IDS) to analyze the attack in depth. By using this method, the load on the IDS can be reduced.

B. The Most Attacking Countries

Another type of classification of the attackers is made according to the countries they belong to. This information became much more important after the examples of cyber wars following the conflicts between some countries during [...]. The results in Figure 3 show the ranking according to the sum of all packets received from the attacking country.

Figure 3. Top Ten Attacking Countries

Evaluations on the Top Ten Attacking Countries revealed that summing all the packets would mislead the ranking: a single host scanning the ports of another single destination could inflate the country rank. A revise[...] by counting all the traffic between dis[...] IP pairs as a single hit and the result is g[...] comparison of Figure 3 and Figure 4 s[...] biased by the Polish hosts identified fro[...].

Figure 4. Top Ten Attacking Countries Revised

C. The Mostly Attacked Ports

The Top Ten Attacked Ports is giv[...] information is valuable since some of the attacks can be identified according to these ports. In addition, the list of the mostly attacked ports is heavily used by network administrators to secure their networks by simply blocking probes to these ports. A dramatic result of this evaluation is the high share of port 1433, which is commonly used by Microsoft's SQL Server. Two MSSQL worms in May 2002 and January 2003 exploited several known MSSQL flaws [22]. The mostly attacked ports evaluation shows that scanning of this port still accounts for a great amount of activity on the Internet. Another interesting result is the observation of ports 1026 and 1027. These ports are used by the Microsoft Windows messaging system, which is designed for use by system administrators to notify users about their networks. Nevertheless, spammers use this service to send advertisements [23]. Port 22 is used for the SSH protocol, which is used in Unix derivatives for encrypted remote shell access. Its ranking indicates that ssh probes are the most common attack type performed against Unix derivatives.

Figure 5. Top Ten Attacked Ports

D. The Most Attacking Operating Systems

[...] to identify the Operating System used [...]ult of the attacker OS evaluation is as [...]nce most of the Internet users are using [...]ating system has more than 70% share [...]

Figure 6. Top Ten Attacking OS

[...]his evaluation could be the 18% share [...]ount of the open source attacking tools are available and Linux is a feasible platform for running and improving such tools, special attention is paid to these attacks. Linux can be used as a server operating system. Thus, detection of Linux as the attacker OS can be an indication of more severe security problems, like the compromise of DNS or SMTP servers. As a result, if the detected OS is a server operating system, it should be investigated more closely.

E. Special Analysis on the Attackers from Turkey

A novel result of this study is based on evaluating the attacks originating from Turkey. This is the first time in the literature that such a classification is given.
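As an added example (not from the paper), this Python parser reads Honeyd flow-log lines laid out as Section II.B describes and reproduces the two country rankings compared in Figures 3 and 4: the sum of all probe records per country, and distinct source/destination pairs counted once. It also ranks attacked ports, fingerprinted operating systems and source addresses. The log lines are constructed; the "-" marker for connectionless packets and the ": bytes" tail are assumptions about the Honeyd format, and the prefix-to-country table is a constructed stand-in for the GeoIP lookup.

```python
"""Parse Honeyd flow logs and rank attackers, as the paper's analysis does.

Added example, not code from the paper.  Assumed record layout (from the
paper's field description plus the assumptions marked below):
  <timestamp> <proto>(<num>) <S|E|-> <src> <sport> <dst> <dport>[: <bytes>] [<OS>]
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample log (RFC 5737 documentation addresses).  One noisy host
# in "country A" probes one destination three times; three hosts in "country B"
# each probe a different destination once.  The '-' marker for a packet that
# belongs to no connection and the ': <bytes>' tail are assumptions.
SAMPLE_LOG = """\
2008-06-01-00:00:01.0001 tcp(6) S 192.0.2.10 3456 198.51.100.7 1433 [Windows XP SP1]
2008-06-01-00:00:02.0002 tcp(6) S 192.0.2.10 3457 198.51.100.7 445 [Windows XP SP1]
2008-06-01-00:00:03.0003 tcp(6) S 192.0.2.10 3458 198.51.100.7 139 [Windows XP SP1]
2008-06-01-00:00:04.0004 tcp(6) E 192.0.2.10 3456 198.51.100.7 1433: 48 0
2008-06-01-00:00:05.0005 tcp(6) S 203.0.113.5 40001 198.51.100.8 22 [Linux 2.6]
2008-06-01-00:00:06.0006 tcp(6) S 203.0.113.6 40002 198.51.100.9 22 [Linux 2.6]
2008-06-01-00:00:07.0007 udp(17) - 203.0.113.7 1026 198.51.100.10 1026: 30
2008-06-01-00:00:08.0008 tcp(6) S 192.0.2.99 5000 198.51.100.11 1433 [Windows 2000 SP4]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>[a-z]+)\(\d+\)\s+(?P<kind>[SE-])\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
    r"(?::(?P<bytes>[^\[]*))?\s*(?:\[(?P<os>[^\]]*)\])?\s*$"
)


@dataclass
class Flow:
    ts: str
    proto: str
    kind: str              # 'S' start, 'E' end, '-' packet outside any connection
    src: str
    sport: int
    dst: str
    dport: int
    os: Optional[str]      # passive fingerprint, present on 'S' lines only
    nbytes: Optional[int]  # data received, logged on 'E' and '-' lines


def parse_honeyd_log(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a flow record (banner, blank line)
        tail = m.group("bytes")
        nbytes = int(tail.split()[0]) if tail and tail.split() else None
        flows.append(Flow(m["ts"], m["proto"], m["kind"], m["src"], int(m["sport"]),
                          m["dst"], int(m["dport"]), m["os"], nbytes))
    return flows


def probe_events(flows: List[Flow]) -> List[Flow]:
    """'S' and '-' records are probes; an 'E' record only closes an earlier 'S'."""
    return [f for f in flows if f.kind in ("S", "-")]


# Stand-in for the GeoIP country lookup: a constructed prefix-to-country table.
COUNTRY_OF_PREFIX = {ip_network("192.0.2.0/24"): "A", ip_network("203.0.113.0/24"): "B"}


def country_of(addr: str) -> str:
    ip = ip_address(addr)
    return next((cc for net, cc in COUNTRY_OF_PREFIX.items() if ip in net), "??")


def rank_countries_by_sum(flows: List[Flow]) -> List[Tuple[str, int]]:
    """Figure 3 style: every probe record counts, so one noisy host inflates its country."""
    return Counter(country_of(f.src) for f in probe_events(flows)).most_common()


def rank_countries_by_pairs(flows: List[Flow]) -> List[Tuple[str, int]]:
    """Figure 4 style: each distinct (src, dst) pair is a single hit."""
    pairs = {(f.src, f.dst) for f in probe_events(flows)}
    return Counter(country_of(src) for src, _ in pairs).most_common()


def rank_ports(flows: List[Flow]) -> List[Tuple[str, int]]:
    return Counter(f"{f.proto}/{f.dport}" for f in probe_events(flows)).most_common()


def rank_os(flows: List[Flow]) -> List[Tuple[str, int]]:
    return Counter(f.os for f in flows if f.kind == "S" and f.os).most_common()


def rank_sources(flows: List[Flow]) -> List[Tuple[str, int]]:
    """The most attacking IP addresses, the list the paper feeds into ACLs."""
    return Counter(f.src for f in probe_events(flows)).most_common()


if __name__ == "__main__":
    flows = parse_honeyd_log(SAMPLE_LOG)
    print("by sum:  ", rank_countries_by_sum(flows))    # country A first
    print("by pairs:", rank_countries_by_pairs(flows))  # country B first
    print("ports:   ", rank_ports(flows))
    print("os:      ", rank_os(flows))
```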

Figure 7. Top Ten Turkish ISPs

The Turkish ISP ranking is given with two different evaluations, similar to the Most Attacking Countries in Section III.B.

Figure 8. Top Ten Turkish ISPs Revised

It should be noted here that ULAK[...] considerable amount of the attacks gath[...] This is mainly based on the worm tra[...] nearby hosts. A worm uses the sou[...] subnet mask to discover the nearby [...] related ports. The lead of Turk Telekom is an ex[...] high share of the ISP in the market. [...] rank of other ISPs could be beneficial f[...] these ISPs to evaluate their position according to their competitors in the market.

F. The Most Attacking ULAKNET Members

Since the attack ranking of ULAKNET members is visualized and shared via the Ulak-CSIRT web page on a daily and hourly basis, only a one-month summary is given in Figure 9. Attacks were counted as a single hit if the source and destination addresses are distinct.

Figure 9. Top Ten Attacking ULAKNET Members

IV. CONCLUSION

In this paper, the ULAKNET Blackhole Attack Detection [...] analysis methodology have been [...]dings of the system for a one month [...]d. It is also verified that even if the [...] analyzed only at IP header level, [...]an be gained about the attacks towards [...]. [...]e Blackhole can be the result of either [...]ation error. The results of the detailed [...] due to the attacks are presented in this [...]AKNET Network Operations Center [...]ork administrator of the ULAKNET [...] general vision on the security threats [...]cademic Network with the findings of [...] the analysis over Blackhole data are [...]nuously and results are updated in [...] from ULAKNET nodes are further [...]IRT to improve the security level in [...]fying the compromised machines in [...]s identification is automatically turned into a security incident by a trouble ticketing system, and the system informs the security contact point of the node. Severity levels are assigned to each incident, with time limits to investigate and resolve the attack.

Two configuration errors causing network traffic towards the Blackhole were also discovered in this study. In the first case, the Akamai servers hosted in ULAKBIM and providing content delivery services to ULAKNET were discovered to be sending traffic to the Blackhole due to a BGP routing problem. The second problem was discovered by real-time monitoring of port anomalies. A configuration error in the DNS server of one of the ULAKNET nodes resulted in an excessive amount of traffic to port 53 of an unused IP address ( ). This anomaly was detected with the help of the Blackhole Destination Port Daily Analysis. The

administrator of the node was informed to update the configuration of the DNS server and enter the correct IP address ( ) to use the ULAKBIM DNS forwarder service. This update prevented the node's DNS server from forwarding all uncached DNS queries to the Blackhole. The Blackhole system also detected a considerable amount of traffic originating from unassigned ULAKNET IP addresses, which is a clear indication of IP spoofing. As a result of this observation, Ulak-CSIRT published a recommendation including the technical details of IP spoofing and ingress filtering as a possible solution.

In the future, the efficiency of a Blackhole system can be improved by increasing the number of sensors. Moreover, if universities deploy their own Blackhole systems, the monitored data can be correlated to produce better results. Another enhancement can be made by analyzing Blackhole traffic with deep packet inspection tools; for example, a Honeynet can be used for this kind of purpose.

REFERENCES

[1] ULAKBIM, The Turkish Academic Network and Information Centre.
[2] RFC 2350, Expectations for Computer Security Incident Response.
[3] Ulak-CSIRT, Turkish Academic Network and Information Center Computer Security Incident Response Team.
[4] Dug Song, Rob Malan, and Robert Stone, "A snapshot of global Internet worm activity," presented at the FIRST Conference on Computer Security Incident Handling and Response, June.
[5] Team Cymru, The darknet project [Online]. Available: November.
[6] David Moore, Colleen Shannon, Geoffrey M. Voelker, and Stefan Savage, "Network telescopes," Technical Report CS , UC San Diego, July.
[7] Barry Raveendran Greene and Danny McPherson, "Sinkholes: A Swiss army knife ISP security tool," June 2003 [Online]. Available:
[8] The Honeynet Project, Know Your Enemy: Learning about Security Threats, 2nd ed., Pearson Education.
[9] S. Soltani, S. A. Khayam, H. Radha, "Detecting Malware Outbreaks Using a Statistical Model of Blackhole Traffic," in Proc. IEEE International Conference on Communications, Beijing, 2008.
[10] David Moore, Geoffrey M. Voelker, and Stefan Savage, "Inferring Internet denial-of-service activity," in Proceedings of the Tenth USENIX Security Symposium, Washington, D.C., August 2001.
[11] Evan Cooke, Michael Bailey, Z. Morley Mao, David Watson, and Farnam Jahanian, "Toward understanding distributed Blackhole placement," in Proceedings of the 2004 ACM Workshop on Rapid Malcode (WORM-04), New York, Oct. 2004, ACM Press.
[12] Michael Bailey, Evan Cooke, David Watson, Farnam Jahanian, and Jose Nazario, "The Blaster Worm: Then and Now," IEEE Security & Privacy, 3(4):26–31.
[13] David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver, "Inside the Slammer worm," IEEE Security & Privacy, 1(4):33–39, 2003.
[14] Colleen Shannon and David Moore, "The spread of the Witty worm," IEEE Security & Privacy, 2(4):46–50, July/August.
[15] Colleen Shannon, David Moore, and Jeffery Brown, "Code-Red: a case study on the spread and victims of an Internet worm," in Proceedings of the Internet Measurement Workshop (IMW), December.
[16] M. Ford, J. Stevens, J. Ronan, "Initial Results from an IPv6 Darknet," in International Conference on Internet Surveillance and Protection, 2006.
[17] RIPE Network Coordination Centre.
[18] Honeyd virtual honeypot.
[19] GeoIP geolocation IP finder.
[20] Local Internet Registries offering service in Turkey. Available:
[21] ULAKNET honeypot statistics [Online]. Available:
[22] Port 1433 details [Online]. Available:
[23] Disabling Messenger Service in Windows XP [Online]. Available: m.mspx


More information

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING 20 APRIL 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to

More information

CSE331: Introduction to Networks and Security. Lecture 15 Fall 2006

CSE331: Introduction to Networks and Security. Lecture 15 Fall 2006 CSE331: Introduction to Networks and Security Lecture 15 Fall 2006 Worm Research Sources "Inside the Slammer Worm" Moore, Paxson, Savage, Shannon, Staniford, and Weaver "How to 0wn the Internet in Your

More information

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express

More information

2010 White Paper Series. Layer 7 Application Firewalls

2010 White Paper Series. Layer 7 Application Firewalls 2010 White Paper Series Layer 7 Application Firewalls Introduction The firewall, the first line of defense in many network security plans, has existed for decades. The purpose of the firewall is straightforward;

More information

PROFESSIONAL SECURITY SYSTEMS

PROFESSIONAL SECURITY SYSTEMS PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security

More information

A Flow-based Method for Abnormal Network Traffic Detection

A Flow-based Method for Abnormal Network Traffic Detection A Flow-based Method for Abnormal Network Traffic Detection Myung-Sup Kim, Hun-Jeong Kang, Seong-Cheol Hong, Seung-Hwa Chung, and James W. Hong Dept. of Computer Science and Engineering POSTECH {mount,

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks Document ID: 13634 Contents Introduction Understanding the Basics of DDoS Attacks Characteristics of Common Programs Used to Facilitate

More information

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts

More information

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík {celeda velan jirsik}@ics.muni.cz Part I Introduction P. Čeleda et al. Network Security Monitoring and Behavior

More information

Denial of Service Attacks

Denial of Service Attacks 2 Denial of Service Attacks : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013 its335y13s2l06, Steve/Courses/2013/s2/its335/lectures/malicious.tex,

More information

Empirical Analysis and Statistical Modeling of Attack Processes based on Honeypots

Empirical Analysis and Statistical Modeling of Attack Processes based on Honeypots Empirical Analysis and Statistical Modeling of Attack Processes based on Honeypots M. Kaâniche 1, E. Alata 1, V. Nicomette 1, Y. Deswarte 1, M. Dacier 2 1 LAAS-CNRS, Université de Toulouse 7 Avenue du

More information

Workshop on Infrastructure Security and Operational Challenges of Service Provider Networks

Workshop on Infrastructure Security and Operational Challenges of Service Provider Networks Workshop on Infrastructure Security and Operational Challenges of Service Provider Networks Farnam Jahanian University of Michigan and Arbor Networks IFIP Working Group 10.4 June 29-30, 2006 What s the

More information

Firewall Firewall August, 2003

Firewall Firewall August, 2003 Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

Service Description DDoS Mitigation Service

Service Description DDoS Mitigation Service Service Description DDoS Mitigation Service Interoute, Walbrook Building, 195 Marsh Wall, London, E14 9SG, UK Tel: +800 4683 7681 Email: info@interoute.com Contents Contents 1 Introduction...3 2 An Overview...3

More information

Securing the system using honeypot in cloud computing environment

Securing the system using honeypot in cloud computing environment Volume: 2, Issue: 4, 172-176 April 2015 www.allsubjectjournal.com e-issn: 2349-4182 p-issn: 2349-5979 Impact Factor: 3.762 M. Phil Research Scholar, Department of Computer Science Vivekanandha College

More information

The Internet Motion Sensor: A Distributed Blackhole Monitoring System

The Internet Motion Sensor: A Distributed Blackhole Monitoring System The Internet Motion Sensor: A Distributed Blackhole Monitoring System Michael Bailey, * Evan Cooke, * Farnam Jahanian, * Jose Nazario, David Watson * * Electrical Engineering and Computer Science Department

More information

Chapter 15. Firewalls, IDS and IPS

Chapter 15. Firewalls, IDS and IPS Chapter 15 Firewalls, IDS and IPS Basic Firewall Operation The firewall is a border firewall. It sits at the boundary between the corporate site and the external Internet. A firewall examines each packet

More information

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015) s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

Outline. Outline. Outline

Outline. Outline. Outline Network Forensics: Network Prefix Scott Hand September 30 th, 2011 1 What is network forensics? 2 What areas will we focus on today? Basics Some Techniques What is it? OS fingerprinting aims to gather

More information

Taxonomy of Hybrid Honeypots

Taxonomy of Hybrid Honeypots 2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore Taxonomy of Hybrid Honeypots Hamid Mohammadzadeh.e.n 1, Masood Mansoori 2 and Roza

More information

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT The frequency and sophistication of Distributed Denial of Service attacks (DDoS) on the Internet are rapidly increasing. Most of the earliest

More information

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE) HONEYD (OPEN SOURCE HONEYPOT SOFTWARE) Author: Avinash Singh Avinash Singh is a Technical Evangelist currently worksing at Appin Technology Lab, Noida. Educational Qualification: B.Tech from Punjab Technical

More information

Cyber Essentials. Test Specification

Cyber Essentials. Test Specification Cyber Essentials Test Specification Contents Scope of the Audit...2 Assumptions...3 Success Criteria...3 External systems...4 Required tests...4 Test Details...4 Internal systems...7 Tester pre-requisites...8

More information

Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

More information

Attack and Defense Techniques

Attack and Defense Techniques Network Security Attack and Defense Techniques Anna Sperotto (with material from Ramin Sadre) Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Attacks! Many different

More information

DISTRIBUTED LOW-INTERACTION HONEYPOT SYSTEM TO DETECT BOTNETS

DISTRIBUTED LOW-INTERACTION HONEYPOT SYSTEM TO DETECT BOTNETS DISTRIBUTED LOW-INTERACTION HONEYPOT SYSTEM TO DETECT BOTNETS GONG JIAN 2 jgong@njnet.edu.cn Jiangsu Key Laboratory of Computer Networking Technology, China, Nanjing, Southeast University AHMAD JAKALAN

More information

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router

More information

Taxonomy of Intrusion Detection System

Taxonomy of Intrusion Detection System Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use

More information

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01 How to build and use a Honeypot By Ralph Edward Sutton, Jr DTEC 6873 Section 01 Abstract Everybody has gotten hacked one way or another when dealing with computers. When I ran across the idea of a honeypot

More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

A Firewall Data Log Analysis of Unauthorized and Suspicious Traffic

A Firewall Data Log Analysis of Unauthorized and Suspicious Traffic A Firewall Data Log Analysis of Unauthorized and Suspicious Traffic John Week University of Nevada, Reno United States Email:jweek@weekspace.net Phone: (775) 741-1555 Polina Ivanova University of Nevada,

More information

Firewalls & Intrusion Detection

Firewalls & Intrusion Detection Firewalls & Intrusion Detection CS 594 Special Topics/Kent Law School: Computer and Network Privacy and Security: Ethical, Legal, and Technical Consideration 2007, 2008 Robert H. Sloan Security Intrusion

More information

Detecting peer-to-peer botnets

Detecting peer-to-peer botnets Detecting peer-to-peer botnets Reinier Schoof & Ralph Koning System and Network Engineering University of Amsterdam mail: reinier.schoof@os3.nl, ralph.koning@os3.nl February 4, 2007 1 Introduction Spam,

More information

1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network

1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network WP 1004HE Part 5 1. Cyber Security White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network Table of Contents 1. Cyber Security... 1 1.1 What

More information

Understanding the Behavior of Internet Worm through PArallel Worm Simulator (PAWS)

Understanding the Behavior of Internet Worm through PArallel Worm Simulator (PAWS) Understanding the Behavior of Internet Worm through PArallel Worm Simulator (PAWS) Tiffany Tachibana Computer Science and lnformation Technology California State University, Monteray Bay ttachibana@csumb.edu

More information

EINSTEIN 3 - Accelerated (E 3 A)

EINSTEIN 3 - Accelerated (E 3 A) for EINSTEIN 3 - Accelerated (E 3 A) April 19, 2013 DHS/PIA/NPPD-027 Contact Point Brendan Goode Director, Network Security Deployment Office of Cybersecurity & Communications National Protection and Programs

More information

Detecting UDP attacks using packet symmetry with only flow data

Detecting UDP attacks using packet symmetry with only flow data University of Twente Department of Electrical Engineering, Mathematics an Computer Science Chair for Design and Analysis of Communication Systems Detecting UDP attacks using packet symmetry with only flow

More information

Review Study on Techniques for Network worm Signatures Automation

Review Study on Techniques for Network worm Signatures Automation Review Study on Techniques for Network worm Signatures Automation 1 Mohammed Anbar, 2 Sureswaran Ramadass, 3 Selvakumar Manickam, 4 Syazwina Binti Alias, 5 Alhamza Alalousi, and 6 Mohammed Elhalabi 1,

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

A Novel Packet Marketing Method in DDoS Attack Detection

A Novel Packet Marketing Method in DDoS Attack Detection SCI-PUBLICATIONS Author Manuscript American Journal of Applied Sciences 4 (10): 741-745, 2007 ISSN 1546-9239 2007 Science Publications A Novel Packet Marketing Method in DDoS Attack Detection 1 Changhyun

More information

VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION

VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION copyright 2003 securitymetrics Security Vulnerabilities of Computers & Servers Security Risks Change Daily New

More information

2 Technologies for Security of the 2 Internet

2 Technologies for Security of the 2 Internet 2 Technologies for Security of the 2 Internet 2-1 A Study on Process Model for Internet Risk Analysis NAKAO Koji, MARUYAMA Yuko, OHKOUCHI Kazuya, MATSUMOTO Fumiko, and MORIYAMA Eimatsu Security Incidents

More information

Characterization and Analysis of NTP Amplification Based DDoS Attacks

Characterization and Analysis of NTP Amplification Based DDoS Attacks Characterization and Analysis of NTP Amplification Based DDoS Attacks L. Rudman Department of Computer Science Rhodes University Grahamstown g11r0252@campus.ru.ac.za B. Irwin Department of Computer Science

More information

Multifaceted Approach to Understanding the Botnet Phenomenon

Multifaceted Approach to Understanding the Botnet Phenomenon Multifaceted Approach to Understanding the Botnet Phenomenon Christos P. Margiolas University of Crete A brief presentation for the paper: Multifaceted Approach to Understanding the Botnet Phenomenon Basic

More information

8. Firewall Design & Implementation

8. Firewall Design & Implementation DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or

More information

Blended Security Assessments

Blended Security Assessments Blended Security Assessments Combining Active, Passive and Host Assessment Techniques October 12, 2009 (Revision 9) Renaud Deraison Director of Research Ron Gula Chief Technology Officer Table of Contents

More information

Protecting Critical Infrastructure

Protecting Critical Infrastructure Protecting Critical Infrastructure SCADA Network Security Monitoring March 20, 2015 Table of Contents Introduction... 4 SCADA Systems... 4 In This Paper... 4 SCADA Security... 4 Assessing the Security

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities Learning Objectives Name the common categories of vulnerabilities Discuss common system

More information

9. Exercise: Large Scale Incident Handling

9. Exercise: Large Scale Incident Handling 95 95 9. Exercise: Large Scale Incident Handling Main Objective Targeted Audience Total Duration Time Schedule The main objective of the exercise is to teach incident handlers the key information and actions

More information

DDoS Trend Analysis through 2010, Infrastructure Security Report & ATLAS Initiative Yaroslav Rosomakho Senior Consulting Engineer, EMEA

DDoS Trend Analysis through 2010, Infrastructure Security Report & ATLAS Initiative Yaroslav Rosomakho Senior Consulting Engineer, EMEA DDoS Trend Analysis through 2010, Infrastructure Security Report & ATLAS Initiative Yaroslav Rosomakho Senior Consulting Engineer, EMEA Introduction Yaroslav Rosomakho, Senior CE, EMEA. 10+ years of experience

More information

How Cisco IT Protects Against Distributed Denial of Service Attacks

How Cisco IT Protects Against Distributed Denial of Service Attacks How Cisco IT Protects Against Distributed Denial of Service Attacks Cisco Guard provides added layer of protection for server properties with high business value. Cisco IT Case Study / < Security and VPN

More information

Intrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of

Intrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of Intrusion Detection Tianen Liu May 22, 2003 I. Abstract Computers are vulnerable to many threats. Hackers and unauthorized users can compromise systems. Viruses, worms, and other kinds of harmful code

More information

Linux Network Security

Linux Network Security Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols

More information

Intrusion Detection System using Virtual Honeypots

Intrusion Detection System using Virtual Honeypots Intrusion Detection System using Virtual Honeypots Prof. Smita Jawale (Department of Computer Engineering, VCET) Rishi Mehta, Vivek Mahalingam, Niyoshi Mehta (Department of Computer Engineering, VCET,

More information

Network Service, Systems and Data Communications Monitoring Policy

Network Service, Systems and Data Communications Monitoring Policy Network Service, Systems and Data Communications Monitoring Policy Purpose This Policy defines the environment and circumstances under which Network Service, Systems and Data Communications Monitoring

More information

Cisco IPS Tuning Overview

Cisco IPS Tuning Overview Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.

More information

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

CS2107 Introduction to Information and System Security (Slid. (Slide set 8) Networks, the Internet Tool support CS2107 Introduction to Information and System Security (Slide set 8) National University of Singapore School of Computing July, 2015 CS2107 Introduction to Information

More information

Frequent Denial of Service Attacks

Frequent Denial of Service Attacks Frequent Denial of Service Attacks Aditya Vutukuri Science Department University of Auckland E-mail:avut001@ec.auckland.ac.nz Abstract Denial of Service is a well known term in network security world as

More information

NSC 93-2213-E-110-045

NSC 93-2213-E-110-045 NSC93-2213-E-110-045 2004 8 1 2005 731 94 830 Introduction 1 Nowadays the Internet has become an important part of people s daily life. People receive emails, surf the web sites, and chat with friends

More information