NVisionIP: An Interactive Network Flow Visualization Tool for Security
Kiran Lakkaraju, William Yurcik, Ratna Bearavolu, Adam J. Lee
National Center for Supercomputing Applications (NCSA)
University of Illinois, Urbana-Champaign
{kiran, byurcik, ratna,

Abstract

Security engineers are being overwhelmed with data from network monitoring tools. A tool is needed that lets security engineers view information about the entire network and, in addition, lets them apply their background knowledge and intuition. NVisionIP, a tool developed at the National Center for Supercomputing Applications at the University of Illinois, Urbana-Champaign, provides a visualization of a Class B network. Following the Visual Information Seeking Mantra ("Overview first, zoom and filter, then details-on-demand"), NVisionIP first visualizes the entire Class B network and then lets users drill down to gather more detail about individual hosts. By combining the visualization and data processing capabilities of computers with the intuition and reasoning capabilities of humans, NVisionIP allows security engineers to detect and stop attacks on their networks.

Keywords: NetFlows, Intrusion Detection, Network Security, Network Visualization

1 Introduction

As the recent wave of viruses, worms and attacks illustrates, network security is fast becoming an issue for computer systems everywhere. Attackers can easily download scripts that can be used to attack various systems; these root kits allow even hacking novices to attack large systems. With the increase in security incidents over the last few years, security engineers are faced with the task of securing networks that are increasingly under attack. There are many monitoring and logging tools that provide data on the behavior of networks.
Logging facilities, like syslog on Unix, or packet tracing utilities provide a rich set of data that security engineers can use to detect and prevent intrusions. As the size and complexity of networks grow, though, security engineers are often faced with a deluge of data from the network. This large amount of data must be processed by the security engineer in order to understand the state of the network. Unfortunately, the volume can easily overwhelm a security engineer, and networks then become vulnerable to attack because the engineer cannot keep track of the network's behavior.

To alleviate this problem, much research has been done on automatically detecting attacks and intrusions from logs. Automatic Intrusion Detection Systems (IDS) are useful but can easily become overwhelming when applied to a large network. Tools of this type work by matching network activity against signatures of attacks; when a matching traffic pattern is found, an alarm is generated and a notification is sent to the security engineer. These methods suffer from two major problems: first, the signature base must constantly be updated to keep up with new attacks, and second, the systems often generate a huge number of alarms, once again overwhelming the security engineer with too much information. There is work being done to address both concerns. The field of Misuse Detection focuses on determining whether the behavior of hosts is not normal; hosts that behave abnormally can be investigated further to determine whether they are under attack. The problem, though, is determining the normal behavior of a host. Alarm Fusion techniques group related alarms together based on their similarity, but determining similarity can be difficult.

© 2004 IEEE.
Although the two techniques mentioned above are promising approaches to automatically detecting intrusions, we find that they are not general and scalable enough to provide practical benefit for our security engineers. Either the technique is too specific, focusing on a simple and small subset of attacks, or it does not scale to large networks. In addition, many of these techniques have a high false positive rate, that is, they indicate an attack when there is none. At our installation, security is still the domain of humans, who, with their ability to generalize and use background knowledge, far outstrip the automatic IDSes at analyzing and determining whether an attack is occurring on the system. Unfortunately, with the increase in
attacks, security engineers are being overwhelmed with data, so new tools are needed now to help them grasp all of it. As automatic methods are not fully developed, we believe a different type of tool is needed, one that lets human security engineers grasp and manipulate the large amount of information generated by network monitors and that lets them use their background knowledge and generalization ability to make security decisions. Our tool, NVisionIP, provides both by visualizing the network data, a practical solution that couples the generalization ability and background knowledge of security engineers with the data crunching and visualization capabilities of machines. Humans have remarkable visual capabilities; in fact there is no more powerful method of presenting large amounts of information than visual data maps [10]. By visualizing the data, human security engineers can grasp and manipulate the large amount of information generated by network installations. NVisionIP can be considered a middle ground between human security engineers and automatic intrusion detection systems, combining the positive aspects of both. In addition, by monitoring how NVisionIP is used, we hope in the future to gain insight into the security analysis process that will let us improve the performance of automatic IDSes.

The rest of the paper is organized as follows: Section 2 details related work in IDSes and network visualization. Section 3 discusses NetFlows, the data source for NVisionIP. Section 4 describes NVisionIP, Section 5 lists some examples of attacks and intrusions that NVisionIP can help catch, and Section 6 presents conclusions and future work.
2 Related Work

2.1 Signature Based IDSes

There are several Intrusion Detection Systems that rely on signature based detection. In general there are two classes: host-based IDSes, such as [3], which monitor the host, and network-based IDSes, like Snort [7], which monitor the packets on a network. Both types suffer from the same drawback, namely that the signature database must be updated every time a new attack appears. In addition, IDSes generally generate a large number of alarms; at our installation, our security engineer received in excess of 4000 alarms when our computer systems came under attack.

2.2 Network Visualizations

There has been much work on visualizing networks; [2] describes many of the early visualizations of the Internet. Some of the visualizations are geographical in nature, showing the traffic flow between machines as a link between the physical locations of the machines. Other visualizations focus on connectivity patterns and traffic volumes. In terms of visualization for security, [9] provides an example using BGP routing data. Although the data has been visualized to look for security incidents on the Internet, this work does not provide a sense of situational awareness, as it analyzes traffic between autonomous systems.

A new tool to enhance situational awareness is the Spinning Cube of Potential Doom [4]. This tool represents network traffic as points in 3D space. The addresses of the network being monitored lie on one axis, all possible source IP addresses lie on a second axis, and the third axis represents port numbers. The color of the points represents different characteristics of the traffic flows on the network. This presentation is similar to that of NVisionIP, though it tends to be busier. Although similar to NVisionIP, the Spinning Cube of Potential Doom does not allow the user to drill down or filter for events of interest.

3 NetFlows

NVisionIP uses NetFlows as a data source.
A NetFlow is an abstract representation of a sequence of packets transmitted between a source and a destination host. NetFlows can keep track of the start and end time, source and destination port, number of bytes, number of packets, and the protocol. Figure 1 shows a sample NetFlow record. Appended to the source/destination IP address is the source/destination port. The counts are, respectively, source to destination packets, destination to source packets, source to destination bytes, and destination to source bytes.

NetFlows can be thought of as connections between computers. For instance, a NetFlow would be generated between Host A and Host B if a user on Host A used ssh to connect to Host B. The source and destination IP addresses would be those of Host A and Host B respectively. The number of bytes, number of packets, and protocol used would depend on the application. A NetFlow is an abstract representation; the only items actually transmitted via the network are packets.

At NCSA we are concerned primarily with traffic between the internal network and the Internet, so we have set up our NetFlow collection architecture to capture the flows between our internal network and our border router. [11] describes, in detail, the NetFlow collection architecture at NCSA as well as the various types of NetFlows and their differences. NCSA uses two types of NetFlows, the proprietary Cisco NetFlows ([8]) and Argus flows ([1]). Both are similar but have their own idiosyncrasies; consult [11] for more details.
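The record layout just described, modelled directly, as an added example that is not code from the paper or from NVisionIP. The pipe-separated text format, the class and function names, and the two sample records are assumptions constructed for this example; real Cisco NetFlow and Argus exports use their own formats. The host_records function shows the step any host-centric view built on flows needs: one flow contributes to both endpoints, with the four directional counters swapped for the destination side.

```python
# Added example (not NVisionIP's own code): a minimal model of the NetFlow
# record layout of Section 3 / Figure 1, plus the "host-centric" expansion in
# which one flow contributes to BOTH endpoints.  The text line format and the
# sample records are constructed for this example.
from dataclasses import dataclass
from datetime import datetime
from typing import Iterator, List

TIME_FMT = "%d %b %y %H:%M:%S"  # the "20 Aug 03 00:00:06" style of Figure 1


@dataclass(frozen=True)
class NetFlow:
    start: datetime
    end: datetime
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    pkts_s2d: int   # source -> destination packets
    pkts_d2s: int   # destination -> source packets
    bytes_s2d: int  # source -> destination bytes
    bytes_d2s: int  # destination -> source bytes

    @property
    def duration_s(self) -> float:
        return (self.end - self.start).total_seconds()

    @property
    def total_bytes(self) -> int:
        return self.bytes_s2d + self.bytes_d2s


def parse_flow(line: str) -> NetFlow:
    """Parse one constructed record:
    start|end|proto|src_ip,port|dst_ip,port|pkts_s2d,pkts_d2s,bytes_s2d,bytes_d2s
    """
    start, end, proto, src, dst, counts = [f.strip() for f in line.split("|")]
    src_ip, src_port = src.split(",")
    dst_ip, dst_port = dst.split(",")
    p_s2d, p_d2s, b_s2d, b_d2s = (int(c) for c in counts.split(","))
    if min(p_s2d, p_d2s, b_s2d, b_d2s) < 0:
        raise ValueError("negative counter in record: %r" % line)
    flow = NetFlow(datetime.strptime(start, TIME_FMT), datetime.strptime(end, TIME_FMT),
                   proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port),
                   p_s2d, p_d2s, b_s2d, b_d2s)
    if flow.end < flow.start:
        raise ValueError("end before start in record: %r" % line)
    return flow


@dataclass(frozen=True)
class HostRecord:
    """What one flow looks like from the point of view of ONE endpoint."""
    host: str
    port: int
    peer: str
    proto: str
    bytes_sent: int
    bytes_recv: int


def host_records(flow: NetFlow) -> Iterator[HostRecord]:
    # Source endpoint: its sent bytes are the source->destination counter.
    yield HostRecord(flow.src_ip, flow.src_port, flow.dst_ip, flow.proto,
                     flow.bytes_s2d, flow.bytes_d2s)
    # Destination endpoint: the same counters, swapped.
    yield HostRecord(flow.dst_ip, flow.dst_port, flow.src_ip, flow.proto,
                     flow.bytes_d2s, flow.bytes_s2d)


# Constructed sample records (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LINES = [
    "20 Aug 03 00:00:06|20 Aug 03 00:00:06|tcp|192.0.2.10,40312|198.51.100.5,22|12,10,1460,2100",
    "20 Aug 03 00:00:07|20 Aug 03 00:00:09|udp|192.0.2.11,53211|198.51.100.9,53|1,1,62,150",
]


def load_flows(lines: List[str]) -> List[NetFlow]:
    return [parse_flow(line) for line in lines]


def bytes_sent_by(host: str, flows: List[NetFlow]) -> int:
    """Total bytes a host transmitted, summed over every flow it took part in."""
    return sum(r.bytes_sent for f in flows for r in host_records(f) if r.host == host)


if __name__ == "__main__":
    flows = load_flows(SAMPLE_LINES)
    for f in flows:
        print(f.src_ip, "->", f.dst_ip, f.proto, f.total_bytes, "bytes", f.duration_s, "s")
    print("198.51.100.5 sent", bytes_sent_by("198.51.100.5", flows), "bytes")
```

The two sanity checks in parse_flow (no negative counters, end not before start) are the kind of validation worth keeping in front of any aggregation, since a single malformed export line would otherwise skew every per-host total downstream.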
Figure 1. Sample NetFlow record (columns: Start Time | End Time | Protocol | Source IP,Port | Destination IP,Port | Counts; the sample row reads 20 Aug 03 00:00:06 | 20 Aug 03 00:00:06 | tcp, with the remaining fields not recoverable in this copy)

4 NVisionIP

NVisionIP is comprised of three views of the data and many features that allow manipulation of these views. The three views, Galaxy View, Small Multiple View, and Machine View, successively provide greater detail about a smaller set of machines. The Galaxy View shows high level data about the entire network; the Small Multiple View is in the middle, giving a reasonable amount of information on a user selected subset of machines; the Machine View shows all the information for a single machine. Organized this way, NVisionIP fits the Visual Information Seeking Mantra: "Overview first, zoom and filter, then details-on-demand" [5].

The Galaxy View provides a high level overview of the entire network. Although each machine is represented by only a 4 pixel square, the use of colors and binning allows enough information to be shown that the Galaxy View can serve as a quick summary of the traffic patterns on the network. In addition, the Galaxy View has zooming and filter capabilities, which are explained later. Details can be obtained by choosing a subset of the machines in the Galaxy View; note that only the machines the user wants details on will be shown there. The Small Multiple View and Machine View show greater detail on a smaller subset of machines, with the Machine View showing all the information we have about a single machine.

4.1 Galaxy View

The Galaxy View provides an overall look at the entire network. The IP addresses of the machines are organized in a Cartesian plane, with the X-axis representing subnets and the Y-axis representing hosts, so each point in the plane is one IP address.
For instance, the point at coordinates (23, 47) would represent the IP address with subnet 23 and host 47; similarly, the point (100, 20) would represent the IP address with subnet 100 and host 20. (We also allow the user to change the IP header to a different value.) The color of each machine represents the number of unique ports used by that machine to send and receive data. For instance, if a host transmitted and received data via ports 5, 12, 3456, and 90, it would have a count of 4. The binning legend at the bottom left of the Galaxy View shows the mapping of numbers to colors. In this case, 4 would fall in the second bin, 2-10, and thus would be colored grey.

The motivation behind this view is to provide a visual summary of the entire network so that a security engineer can quickly scan it to pick up problems. For instance, it is easy to observe some strong patterns of activity in Figure 2. It can be seen that many of the hosts with subnet values greater than 100 are not active. If, one day, some activity does occur in this range, a security engineer can notice it on a quick visual scan and act appropriately. By providing a visualization of the entire network in one screen, the security engineer can quickly scan and make judgments about the state of the network.

NVisionIP provides two zooming facilities. One is a drill-down zoom, where a security engineer can choose a subset of machines and view them in the Small Multiple View; this is described in more detail later on. In addition, NVisionIP provides a standard zooming option that magnifies the part of the Galaxy View underneath the zooming tool.

Filtering. NVisionIP has a filtering capability in the Galaxy View. Using it, the user can choose to display only those hosts that satisfy some criteria. Currently, the user can decide what ports/protocols a host must have used in order to be shown.
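The Galaxy View mapping, the unique-port coloring and the port/protocol filter described above, as an added example that is not the paper's or NVisionIP's own code. The network prefix 10.20, the legend bins other than the 2-10 grey bin the text mentions, the function names and the sample flows are all constructed for this example. The sample includes a host that used exactly four ports, as in the text, and one host contacted on many ports, so the "turns red" case of Section 5 appears in the rendered view too.

```python
# Added example (not NVisionIP's own code): the Galaxy View of Section 4.1.
# Hosts of the monitored Class B network are mapped to a (subnet, host) plane,
# colored by how many distinct ports they used, and the view can be filtered
# down to hosts whose flows used a given port (and optionally protocol).
# The network prefix, the legend (apart from the 2-10 grey bin the text
# mentions) and the sample flows are constructed for this example.
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# One flow reduced to what the Galaxy View needs:
# (src_ip, src_port, dst_ip, dst_port, proto)
Flow = Tuple[str, int, str, int, str]

NETWORK_PREFIX = "10.20"  # constructed "IP header" of the Class B network

# Constructed legend: (lowest count, highest count, color), checked in order.
# The paper only states that a count of 4 falls in the 2-10 bin and is grey.
LEGEND = [(0, 0, "black"), (1, 1, "blue"), (2, 10, "grey"),
          (11, 100, "yellow"), (101, 65536, "red")]


def galaxy_coords(ip: str, prefix: str = NETWORK_PREFIX) -> Optional[Tuple[int, int]]:
    """Map prefix.X.Y to the plane point (X, Y); None for hosts outside the network."""
    if not ip.startswith(prefix + "."):
        return None
    subnet, host = ip[len(prefix) + 1:].split(".")
    return int(subnet), int(host)


def unique_ports_per_host(flows: Iterable[Flow],
                          prefix: str = NETWORK_PREFIX) -> Dict[str, Set[int]]:
    """Ports each monitored host itself used to send or receive (both endpoints count)."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port, _proto in flows:
        if galaxy_coords(src_ip, prefix) is not None:
            ports[src_ip].add(src_port)
        if galaxy_coords(dst_ip, prefix) is not None:
            ports[dst_ip].add(dst_port)
    return dict(ports)


def bin_color(count: int) -> str:
    """Legend lookup: the color of a host with `count` distinct ports."""
    for low, high, color in LEGEND:
        if low <= count <= high:
            return color
    return LEGEND[-1][2]  # anything beyond the last bin saturates at the top color


def render_galaxy(flows: Iterable[Flow],
                  prefix: str = NETWORK_PREFIX) -> Dict[Tuple[int, int], str]:
    """One colored 'pixel' per active host: {(subnet, host): color}."""
    return {galaxy_coords(ip, prefix): bin_color(len(ports))
            for ip, ports in unique_ports_per_host(flows, prefix).items()}


def filter_hosts(flows: Iterable[Flow], port: int, proto: Optional[str] = None,
                 prefix: str = NETWORK_PREFIX) -> Set[str]:
    """Hosts kept by the Galaxy View filter: monitored endpoints of any flow
    that used `port` on either end (and `proto`, when given)."""
    keep: Set[str] = set()
    for src_ip, src_port, dst_ip, dst_port, flow_proto in flows:
        if proto is not None and flow_proto != proto:
            continue
        if port not in (src_port, dst_port):
            continue
        for ip in (src_ip, dst_ip):
            if galaxy_coords(ip, prefix) is not None:
                keep.add(ip)
    return keep


# Constructed sample traffic (RFC 5737 documentation addresses for outside hosts).
SAMPLE_FLOWS: List[Flow] = [
    # 10.20.23.47 uses four ephemeral ports -> count 4 -> grey, as in the text
    ("10.20.23.47", 40001, "203.0.113.7", 80, "tcp"),
    ("10.20.23.47", 40002, "203.0.113.7", 443, "tcp"),
    ("10.20.23.47", 40003, "203.0.113.8", 22, "tcp"),
    ("10.20.23.47", 40004, "203.0.113.8", 4456, "tcp"),
    # 10.20.100.20 is contacted once on port 4456 -> count 1
    ("203.0.113.9", 5555, "10.20.100.20", 4456, "tcp"),
]
# 10.20.5.5 is contacted on 150 different ports by one outside host -> count 150 -> red
SAMPLE_FLOWS += [("203.0.113.66", 50000 + p, "10.20.5.5", p, "tcp") for p in range(1, 151)]

if __name__ == "__main__":
    for point, color in sorted(render_galaxy(SAMPLE_FLOWS).items()):
        print(point, color)
    print("hosts with flows on port 4456:", sorted(filter_hosts(SAMPLE_FLOWS, 4456)))
```

The filter keeps a host when the port appears at either end of one of its flows, which is what an analyst needs in practice: both the internal host that connected out to a suspicious port and the internal host that was contacted on it show up.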
For instance, suppose a security engineer has been informed of a worm that propagates via port 4456 on the host machine. The security engineer can then filter the Galaxy View so that only machines that have used port 4456 are shown.

4.2 Small Multiple View

Figure 3 shows the Small Multiple View, which provides a more detailed look at a subset of machines in the network. The main panel is organized as in the Galaxy View, with subnets on the X-axis and hosts on the Y-axis. Each machine in this view, though, is represented by two bar graphs. Both bar graphs show traffic (in terms of number of flows) over ports. The top bar graph shows the traffic for a certain set of special ports; Table 1 shows the initial special ports in NVisionIP. Each special port is assigned a unique color. The special ports can be seen in the legend on the left hand side of the view, and new special ports can be added with the Add button. The top bar chart shows the counts for only the special ports, with the color of each bar indicating which port it is. The second (bottom) bar chart shows flow counts for the top 10 ports outside of the special ports. The ports between are colored blue, and the rest of the ports
are colored black. Of course, the special ports are colored their respective colors. The colors can be changed using the change color button. Once again, in this view a security engineer can quickly scan the machines and pick out machines that are not behaving normally.

Table 1. Initial Special Ports in NVisionIP

PORT  DESCRIPTION
7     ECHO
21    FTP
22    SSH
23    TELNET
25    SMTP
37    TIME
42    NS
53    DNS
80    HTTP
88    KRB
143   IMAP

4.3 Machine View

Figure 4. The NVisionIP Machine View

The Machine View provides a detailed look at one machine in the network. To get the Machine View for a machine, the user simply chooses the machine from the Small Multiple View. The purpose of the Machine View is to provide all the information possible about the machine. To this end, the NetFlows used to generate all the visualizations are presented in the Machine View; at this point the security engineers require a look at the raw NetFlows used by NVisionIP. In addition to the raw NetFlows, we provide several different bar charts that emphasize different aspects of the data. Each bar chart shows a subset of ports on the x axis and either flow count (the number of flows in which the port was present) or byte count (the number of bytes which the port transmitted/received). Each set of two charts follows the same style as in the Small Multiple View: the top bar chart shows counts for a set of special ports, and the bottom shows the counts for the rest of the ports. Among the bar charts that can be viewed are charts showing how many bytes were transferred by a port under the TCP or UDP protocol, the byte count for every port, and several other types of ports. Each of these bar charts can be accessed via the tabs at the top of the Machine View. As can be seen in Figure 4, there are three sets of bar charts in the Machine View. The top and largest set of bar charts shows the total traffic coming into and out of this machine.
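The Small Multiple View split (special ports of Table 1 versus the top 10 other ports) and the Machine View's per-port byte charts, as an added example that is not NVisionIP's code. The flow tuple layout, the function names and the sample traffic are constructed for this example. Following the flow-count definition above, a port counts for a host whenever it is present at either end of a flow the host took part in, and the bytes the host transmitted and received in that flow are attributed to each such port.

```python
# Added example (not NVisionIP's own code): the per-host bar charts of
# Sections 4.2 and 4.3.  For one host, flows are counted per port and split
# into the special ports of Table 1 versus the top 10 remaining ports (Small
# Multiple View), and bytes per port are split into transmitted, received and
# total (Machine View), where transmitted + received = total.  A port counts
# for a host when it is present at either end of a flow the host took part in.
# The sample flows are constructed for this example.
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Table 1: the initial special ports in NVisionIP, in the table's order.
SPECIAL_PORTS = {7: "ECHO", 21: "FTP", 22: "SSH", 23: "TELNET", 25: "SMTP", 37: "TIME",
                 42: "NS", 53: "DNS", 80: "HTTP", 88: "KRB", 143: "IMAP"}

# Constructed flow tuple: (src_ip, src_port, dst_ip, dst_port, proto, bytes_s2d, bytes_d2s)
Flow = Tuple[str, int, str, int, str, int, int]


def host_view(host: str, flows: Iterable[Flow],
              proto: Optional[str] = None) -> Tuple[Counter, Counter, Counter]:
    """Per-port counters as seen from `host`: flow count, bytes sent, bytes received.
    `proto` restricts the charts to TCP or UDP flows, as the Machine View tabs do."""
    flow_count: Counter = Counter()
    sent: Counter = Counter()
    recv: Counter = Counter()
    for src, sport, dst, dport, flow_proto, b_s2d, b_d2s in flows:
        if proto is not None and flow_proto != proto:
            continue
        if src == host:
            tx, rx = b_s2d, b_d2s          # host is the source of the flow
        elif dst == host:
            tx, rx = b_d2s, b_s2d          # host is the destination: counters swap
        else:
            continue                       # flow does not involve this host
        for port in {sport, dport}:        # both ports are "present" in the flow
            flow_count[port] += 1
            sent[port] += tx
            recv[port] += rx
    return flow_count, sent, recv


def small_multiple(host: str, flows: Iterable[Flow], top_n: int = 10):
    """Top chart: flow count for every special port (Table 1 order, zero if unused).
    Bottom chart: the `top_n` busiest non-special ports, busiest first."""
    flow_count, _, _ = host_view(host, flows)
    special = [(p, name, flow_count.get(p, 0)) for p, name in SPECIAL_PORTS.items()]
    others = sorted(((p, c) for p, c in flow_count.items() if p not in SPECIAL_PORTS),
                    key=lambda pc: (-pc[1], pc[0]))[:top_n]
    return special, others


def machine_view(host: str, flows: Iterable[Flow], proto: Optional[str] = None):
    """The three byte-count charts of Figure 4 as {port: bytes}:
    total (center), transmitted (bottom left), received (bottom right)."""
    _, sent, recv = host_view(host, flows, proto)
    total = {p: sent[p] + recv[p] for p in sent}   # sent and recv share their keys
    return total, dict(sent), dict(recv)


HOST = "10.20.23.47"
# Constructed sample traffic (RFC 5737 documentation addresses for the peers).
SAMPLE_FLOWS: List[Flow] = [
    (HOST, 40001, "203.0.113.7", 80, "tcp", 500, 4000),
    (HOST, 40002, "203.0.113.7", 80, "tcp", 300, 7000),
    (HOST, 40003, "203.0.113.8", 22, "tcp", 2000, 1500),
    ("203.0.113.9", 55555, HOST, 8080, "tcp", 100, 900),       # inbound connection
    (HOST, 40004, "203.0.113.10", 53, "udp", 60, 120),
    ("198.51.100.1", 1111, "198.51.100.2", 2222, "tcp", 5, 5),  # not this host
]

if __name__ == "__main__":
    special, others = small_multiple(HOST, SAMPLE_FLOWS)
    print("special ports:", [(p, n, c) for p, n, c in special if c])
    print("top other ports:", others)
    total, tx, rx = machine_view(HOST, SAMPLE_FLOWS)
    for port in sorted(total):
        print(port, "total", total[port], "sent", tx[port], "received", rx[port])
```

Because sent and received are accumulated from the same loop, the invariant that the left and right charts sum to the center chart holds by construction; the inbound flow on 8080 shows why the counter swap on the destination side matters, since without it the host would appear to have received the 900 bytes it actually sent.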
The bottom left hand bar chart shows the amount of traffic that the ports transmitted. The bottom right hand bar chart shows the amount of traffic that the ports received. The sum of the values from the left and right charts equals the values of the center chart.

5 User Evaluation

NVisionIP is currently being tested by the internal security engineers at NCSA. NVisionIP was developed with security in mind, so it is useful for detecting security incidents. NVisionIP can help in several situations:

Worm Infection. Many types of worms spread by probing for other hosts to infect. For instance, the Slammer worm sent 376-byte packets to UDP port 1434 of random hosts in an attempt to propagate [6]. A security engineer could filter the Galaxy View to show only hosts that have flows with destination port 1434 transmitted using UDP. Once the hosts are identified, the security engineer can alert their system administrators and inform them of the worm.

Compromised Systems. Many times, when a host is compromised, the attacker will install software that allows remote access to the machine. In this way, compromised hosts can act as file servers, allowing illegal software to be copied from the host. NVisionIP can aid in the detection of such hosts because they will suddenly have a large amount of traffic originating from them. These machines will be displayed in red in the Galaxy View and thus be easily spotted by the security engineer. In addition, once the security engineer drills down on these machines, they can see which ports have been used and whether the port usage is anomalous for that machine.

Port Scans. Port scans are easily detectable using NVisionIP. If one host is targeted and all its ports scanned, then that host should turn red in the Galaxy View. If the attacker
scans a series of machines on a particular subnet, this can show up as a line in the Galaxy View. Figure 5 illustrates this type of scan in NVisionIP.

Figure 5. Port Scan activity in NVisionIP

6 Conclusions and Future Work

In the future, we plan to incorporate into the Galaxy View the ability to compare the state of the network at two different moments in time. The security engineer can save the Galaxy View of a period in which they deem the network traffic to be normal, and then compare subsequent states against this normal version. Current research in anomaly and misuse detection can be incorporated within NVisionIP as well. Instead of showing information about the host based only on NetFlows, we could incorporate information taken from Intrusion Detection Systems and anomaly detection algorithms running on various hosts/servers. NVisionIP can also provide insights into the security process: by monitoring NVisionIP while security engineers are using it, it could be possible to generate automatic rules derived from how the security engineers use the tool.

Securing and preventing attacks on computer networks is a difficult endeavor, made harder by the large amount of information a security engineer must wade through. Although there is work on automatically looking for attacks, that work is not general, scalable, or efficient enough. NVisionIP provides a visualization of network information, allowing a human security engineer to utilize their background knowledge and generalization abilities while letting the machine handle the brute force task of visualization and data gathering. By bringing together the best parts of man and machine, NVisionIP allows a security engineer to focus on what is important: finding and detecting security incidents on the network.

References

[1] Argus metrics. Web page, Mar. http://
[2] Martin Dodge and Rob Kitchin. Atlas of Cyberspace. Addison Wesley, Harlow, England.
[3] Gene H. Kim and Eugene H. Spafford. The design and implementation of Tripwire: a file system integrity checker. In Proceedings of the 2nd ACM Conference on Computer and Communications Security. ACM Press.
[4] Stephen Lau. The spinning cube of potential doom. Communications of the ACM, 47(6):25-26, Jun.
[5] Ben Shneiderman. The eyes have it: A task by data type taxonomy for information visualizations. In Proceedings of the 1996 IEEE Symposium on Visual Languages, page 336.
[6] CERT Advisory CA MS-SQL Server Worm. Web page, Jan. org/advisories/ca html.
[7] Snort: The open source network intrusion detection system. Web page, Jun. snort.org.
[8] Cisco Systems. Cisco IOS NetFlow Technology. Web page, Jul. public/cc/pd/iosw/prodlit/iosnf_ds.htm.
[9] Soon Tee Teoh, Kwan-Liu Ma, S. Felix Wu, and Xiaoliang Zhao. Case study: Interactive visualization for Internet security. In IEEE Visualization.
[10] Edward R. Tufte. The Visual Display of Quantitative Information. Graphics Press, P.O. Box 430, Cheshire, CT 06410, second edition, Jan.
[11] William Yurcik, Yifan Li, James Barlow, Kiran Lakkaraju, Xiaoxin Yin, and Cristina Abad. Scalable data-centric processing of NetFlows for security monitoring. In review, Proceedings of the ACM SIGCOMM Internet Measurement Conference, 2004.
Figure 2. The NVisionIP user interface (with magnifier activated in Galaxy View)

Figure 3. The NVisionIP Small Multiple View
More informationIntrusion Detection System Based Network Using SNORT Signatures And WINPCAP
Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of
More informationEXPLORER. TFT Filter CONFIGURATION
EXPLORER TFT Filter Configuration Page 1 of 9 EXPLORER TFT Filter CONFIGURATION Thrane & Thrane Author: HenrikMøller Rev. PA4 Page 1 6/15/2006 EXPLORER TFT Filter Configuration Page 2 of 9 1 Table of Content
More informationScience Park Research Journal
2321-8045 Science Park Research Journal Original Article th INTRUSION DETECTION SYSTEM An Approach for Finding Attacks Ashutosh Kumar and Mayank Kumar Mittra ABSTRACT Traditionally firewalls are used to
More informationINTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM
INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: victorkleo@live.com ABSTRACT Internet security
More informationCoimbatore-47, India. Keywords: intrusion detection,honeypots,networksecurity,monitoring
Volume 4, Issue 8, August 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Investigate the
More informationAgenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka
Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques
More informationNetwork Monitoring and Management NetFlow Overview
Network Monitoring and Management NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)
More informationFlexible Web Visualization for Alert-Based Network Security Analytics
Flexible Web Visualization for Alert-Based Network Security Analytics Lihua Hao 1, Christopher G. Healey 1, Steve E. Hutchinson 2 1 North Carolina State University, 2 U.S. Army Research Laboratory lhao2@ncsu.edu
More informationLehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall
Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks Firewalls Intrusion Detection
More informationFirewall VPN Router. Quick Installation Guide M73-APO09-380
Firewall VPN Router Quick Installation Guide M73-APO09-380 Firewall VPN Router Overview The Firewall VPN Router provides three 10/100Mbit Ethernet network interface ports which are the Internal/LAN, External/WAN,
More informationBest Practices for NetFlow/IPFIX Analysis and Reporting
WHITEPAPER Best Practices for NetFlow/IPFIX Analysis and Reporting IT managers and network administrators are constantly making decisions affecting critical business activity on the network. Management
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
More informationIntrusion Forecasting Framework for Early Warning System against Cyber Attack
Intrusion Forecasting Framework for Early Warning System against Cyber Attack Sehun Kim KAIST, Korea Honorary President of KIISC Contents 1 Recent Cyber Attacks 2 Early Warning System 3 Intrusion Forecasting
More informationNetwork Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC) james@cert.org.tw
Network Monitoring On Large Networks Yao Chuan Han (TWCERT/CC) james@cert.org.tw 1 Introduction Related Studies Overview SNMP-based Monitoring Tools Packet-Sniffing Monitoring Tools Flow-based Monitoring
More informationCS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013
CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
More informationMulti-Homing Dual WAN Firewall Router
Multi-Homing Dual WAN Firewall Router Quick Installation Guide M73-APO09-400 Multi-Homing Dual WAN Firewall Router Overview The Multi-Homing Dual WAN Firewall Router provides three 10/100Mbit Ethernet
More informationFuzzy Network Profiling for Intrusion Detection
Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University
More informationNetwork Defense Tools
Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall
More informationNetwork Incident Report
To submit copies of this form via facsimile, please FAX to 202-406-9233. Network Incident Report United States Secret Service Financial Crimes Division Electronic Crimes Branch Telephone: 202-406-5850
More informationAssets, Groups & Networks
Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat
More informationCisco IOS Flexible NetFlow Technology
Cisco IOS Flexible NetFlow Technology Last Updated: December 2008 The Challenge: The ability to characterize IP traffic and understand the origin, the traffic destination, the time of day, the application
More informationTransformation of honeypot raw data into structured data
Transformation of honeypot raw data into structured data 1 Majed SANAN, Mahmoud RAMMAL 2,Wassim RAMMAL 3 1 Lebanese University, Faculty of Sciences. 2 Lebanese University, Director of center of Research
More informationNetwork Monitoring Tool to Identify Malware Infected Computers
Network Monitoring Tool to Identify Malware Infected Computers Navpreet Singh Principal Computer Engineer Computer Centre, Indian Institute of Technology Kanpur, India navi@iitk.ac.in Megha Jain, Payas
More informationFirewall Firewall August, 2003
Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also
More informationExercise 7 Network Forensics
Exercise 7 Network Forensics What Will You Learn? The network forensics exercise is aimed at introducing you to the post-mortem analysis of pcap file dumps and Cisco netflow logs. In particular you will:
More informationDNS (Domain Name System) is the system & protocol that translates domain names to IP addresses.
Lab Exercise DNS Objective DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses. Step 1: Analyse the supplied DNS Trace Here we examine the supplied trace of a
More informationFirewalls, Tunnels, and Network Intrusion Detection. Firewalls
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
More informationComparison of Firewall, Intrusion Prevention and Antivirus Technologies
White Paper Comparison of Firewall, Intrusion Prevention and Antivirus Technologies How each protects the network Juan Pablo Pereira Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda
More informationHow To Protect A Network From Attack From A Hacker (Hbss)
Leveraging Network Vulnerability Assessment with Incident Response Processes and Procedures DAVID COLE, DIRECTOR IS AUDITS, U.S. HOUSE OF REPRESENTATIVES Assessment Planning Assessment Execution Assessment
More informationFirewalls and Intrusion Detection
Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall
More informationNetwork & Agent Based Intrusion Detection Systems
Network & Agent Based Intrusion Detection Systems Hakan Albag TU Munich, Dep. of Computer Science Exchange Student Istanbul Tech. Uni., Dep. Of Comp. Engineering Abstract. The following document is focused
More informationINCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS
WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by
More informationFuzzy Network Profiling for Intrusion Detection
Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University
More informationSecuring the system using honeypot in cloud computing environment
Volume: 2, Issue: 4, 172-176 April 2015 www.allsubjectjournal.com e-issn: 2349-4182 p-issn: 2349-5979 Impact Factor: 3.762 M. Phil Research Scholar, Department of Computer Science Vivekanandha College
More informationClassic IOS Firewall using CBACs. 2012 Cisco and/or its affiliates. All rights reserved. 1
Classic IOS Firewall using CBACs 2012 Cisco and/or its affiliates. All rights reserved. 1 Although CBAC serves as a good foundation for understanding the revolutionary path toward modern zone based firewalls,
More informationVIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION
VIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION Kleissner & Associates Botconf 14, 3-5 Dec 2014, Nancy/France Worlds largest botnet monitoring system Since September 2012 Originally
More informationVisFlowConnect: NetFlow Visualizations of Link Relationships for Security Situational Awareness
VisFlowConnect: NetFlow Visualizations of Link Relationships for Security Situational Awareness Xiaoxin Yin National Center for Supercomputing Applications (NCSA) University of Illinois at Urbana-Champaign
More informationHow to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01
How to build and use a Honeypot By Ralph Edward Sutton, Jr DTEC 6873 Section 01 Abstract Everybody has gotten hacked one way or another when dealing with computers. When I ran across the idea of a honeypot
More informationWe will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall
Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,
More informationUsing IPM to Measure Network Performance
CHAPTER 3 Using IPM to Measure Network Performance This chapter provides details on using IPM to measure latency, jitter, availability, packet loss, and errors. It includes the following sections: Measuring
More informationPlugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help
Plugging Network Security Holes using NetFlow Loopholes in todays network security solutions and how NetFlow can help About ManageEngine Network Servers & Applications Desktop ServiceDesk Windows Infrastructure
More informationHow To Protect Your Network From Attack From Outside From Inside And Outside
IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles
More informationDatasheet. Cover. Datasheet. (Enterprise Edition) Copyright 2015 Colasoft LLC. All rights reserved. 0
Cover Datasheet Datasheet (Enterprise Edition) Copyright 2015 Colasoft LLC. All rights reserved. 0 Colasoft Capsa Enterprise enables you to: Identify the root cause of performance issues; Provide 24/7
More informationAn Adaptable Innovative Visualization For Multiple Levels of Users
World Applied Sciences Journal 15 (5): 722-727, 2011 ISSN 1818-4952 IDOSI Publications, 2011 An Adaptable Innovative Visualization For Multiple Levels of Users Doris Hooi-Ten Wong and Sureswaran Ramadass
More informationCSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls
CSE 4482 Computer Security Management: Assessment and Forensics Protection Mechanisms: Firewalls Instructor: N. Vlajic, Fall 2013 Required reading: Management of Information Security (MIS), by Whitman
More informationA host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.
A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based
More informationNetwork Security In Linux: Scanning and Hacking
Network Security In Linux: Scanning and Hacking Review Lex A lexical analyzer that tokenizes an input text. Yacc A parser that parses and acts based on defined grammar rules involving tokens. How to compile
More informationCover. White Paper. (nchronos 4.1)
Cover White Paper (nchronos 4.1) Copyright Copyright 2013 Colasoft LLC. All rights reserved. Information in this document is subject to change without notice. No part of this document may be reproduced
More informationComputer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1
Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton
More informationDetect and Notify Abnormal SMTP Traffic and Email Spam over Aggregate Network
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 21, 571-578 (2005) Short Paper Detect and Notify Abnormal SMTP Traffic and Email Spam over Aggregate Network Department of Computer Science and Information
More informationIntegrated Traffic Monitoring
61202880L1-29.1F November 2009 Configuration Guide This configuration guide describes integrated traffic monitoring (ITM) and its use on ADTRAN Operating System (AOS) products. Including an overview of
More informationNetwork Monitoring Using Traffic Dispersion Graphs (TDGs)
Network Monitoring Using Traffic Dispersion Graphs (TDGs) Marios Iliofotou Joint work with: Prashanth Pappu (Cisco), Michalis Faloutsos (UCR), M. Mitzenmacher (Harvard), Sumeet Singh(Cisco) and George
More informationProject Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1
Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology Project Proposal 1 Project Proposal 2 Abstract Honeypot systems are readily used by organizations large and
More informationWharf T&T Limited DDoS Mitigation Service Customer Portal User Guide
Table of Content I. Note... 1 II. Login... 1 III. Real-time, Daily and Monthly Report... 3 Part A: Real-time Report... 3 Part 1: Traffic Details... 4 Part 2: Protocol Details... 5 Part B: Daily Report...
More informationInteractive Visualization for Network and Port Scan Detection
Interactive Visualization for Network and Port Scan Detection Chris Muelder 1, Kwan-Liu Ma 1, and Tony Bartoletti 2 1 University of California, Davis 2 Lawrence Livermore National Laboratory Abstract.
More informationSecurity Event Management. February 7, 2007 (Revision 5)
Security Event Management February 7, 2007 (Revision 5) Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 CRITICAL EVENT DETECTION... 3 LOG ANALYSIS, REPORTING AND STORAGE... 7 LOWER TOTAL COST
More informationMonitor network traffic in the Dashboard tab
As a network analyzer (aka. packet sniffer & protocol analyzer), Capsa makes it easy for us to monitor and analyze network traffic in its intuitive and information-rich tab views. With Capsa's network
More informationMeasurement of the Usage of Several Secure Internet Protocols from Internet Traces
Measurement of the Usage of Several Secure Internet Protocols from Internet Traces Yunfeng Fei, John Jones, Kyriakos Lakkas, Yuhong Zheng Abstract: In recent years many common applications have been modified
More information