Bio-Inspired Anomaly Detection

Similar documents

Cyber Watch. Written by Peter Buxbaum

How To Protect Your Mobile From Attack From A Signalling Storm

Graduation Project Ideas Proposed By Faculty Members Department of Communication and Networks

APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK AND INFORMATION PROTECTION

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management

Radware ADC-VX Solution. The Agility of Virtual; The Predictability of Physical

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management

Data Centers Protection from DoS attacks. Trends and solutions. Michael Soukonnik, Radware Ltd Riga. Baltic IT&T

LINK EPA Requirements, audit & Safety

SURVEY OF INTRUSION DETECTION SYSTEM

From Active & Programmable Networks to.. OpenFlow & Software Defined Networks. Prof. C. Tschudin, M. Sifalakis, T. Meyer, M. Monti, S.

Advanced Threat Protection with Dell SecureWorks Security Services

Defending Against Cyber Attacks with SessionLevel Network Security

Cyber Security Research and Development a Homeland Security Perspective

A General-purpose Laboratory for Large-scale Botnet Experiments

High-Frequency Active Internet Topology Mapping

1. Fault Attacks for Virtual Machines in Embedded Platforms. Supervisor: Dr Konstantinos Markantonakis,

CYBERINFRASTRUCTURE FRAMEWORK FOR 21 ST CENTURY SCIENCE, ENGINEERING, AND EDUCATION (CIF21)

A Biologically Inspired Approach to Network Vulnerability Identification

Risk and Security Assessment. Zbigniew Kalbarczyk

Next Generation Security Strategies. Marc Sarrias Regional Sales Manager

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

Second-generation (GenII) honeypots

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

U.S. Army Research, Development and Engineering Command. Cyber Security CRA Overview

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events

Software Defined Networking & Openflow

Hardware Enabled Zero Day Protection

How To Create An Insight Analysis For Cyber Security

TUSKEGEE CYBER SECURITY PATH FORWARD

Radware ADC-VX Solution. The Agility of Virtual; The Predictability of Physical

Cisco Advanced Services for Network Security

SANE: A Protection Architecture For Enterprise Networks

!! "# $%!& $!$ +) * ', -./01.//1233/ "4, -./01.//12223 *, 565

TRUST Background. National Science Foundation Office of Integrative Activities (OIA) Core Funding (FY )

Bridging the gap between COTS tool alerting and raw data analysis

How To Detect Denial Of Service Attack On A Network With A Network Traffic Characterization Scheme

How To Protect A Network From Attack From A Hacker (Hbss)

High End Information Security Services

MEng, BSc Applied Computer Science

SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security

NERC CIP VERSION 5 COMPLIANCE

Radware s Attack Mitigation Solution On-line Business Protection

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Visualization, Modeling and Predictive Analysis of Internet Attacks. Thermopylae Sciences + Technology, LLC

Intelligent Worms: Searching for Preys

SANS Top 20 Critical Controls for Effective Cyber Defense

Doctor of Philosophy in Computer Science

RAVEN, Network Security and Health for the Enterprise

How To Protect Your Data From Being Hacked On Security Cloud

Content Delivery Network (CDN) and P2P Model

Network Virtualization and Data Center Networks Data Center Virtualization - Basics. Qin Yin Fall Semester 2013

Integrating MSS, SEP and NGFW to catch targeted APTs

Comprehensive Understanding of Malicious Overlay Networks

System Specification. Author: CMU Team

ADVANCED SECURITY MECHANISMS TO PROTECT ASSETS AND NETWORKS: SOFTWARE-DEFINED SECURITY

Verve Security Center

Security Testing for Web Applications and Network Resources. (Banking).

Fighting Advanced Threats

Become a hunter: fi nding the true value of SIEM.

Cisco Application Networking for IBM WebSphere

Wireless Sensor Network Security. Seth A. Hellbusch CMPE 257

應 用 SIEM 偵 測 與 預 防 APT 緩 攻 擊

Panel on Emerging Cyber Security Technologies. Robert F. Brammer, Ph.D., VP and CTO. Northrop Grumman Information Systems.

CYBER SECURITY, A GROWING CIO PRIORITY

Top 10 Reasons Enterprises are Moving Security to the Cloud

Cisco Security Optimization Service

WildFire. Preparing for Modern Network Attacks

CYBER SECURITY TRAINING SAFE AND SECURE

CDM Hardware Asset Management (HWAM) Capability

Cisco Remote Management Services for Security

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Security Information Management (SIM)

Intrusion Detection for Mobile Ad Hoc Networks

Evolution of attacks and Intrusion Detection

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

Into the cybersecurity breach

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION

McAfee Next Generation Firewall Optimize your defense, resilience, and efficiency.

Index Terms Domain name, Firewall, Packet, Phishing, URL.

Intrusion Detection Systems

The SIEM Evaluator s Guide

Hunting for the Undefined Threat: Advanced Analytics & Visualization

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

Security Management. Keeping the IT Security Administrator Busy

Concept and Project Objectives

FIVE PRACTICAL STEPS

JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM

Secure and Effective IT Infrastructure

Network Security Demonstration - Snort based IDS Integration -

Intrusion Detection Systems with Correlation Capabilities

BlackRidge Technology Transport Access Control: Overview

MEng, BSc Computer Science with Artificial Intelligence

Overview. Swarms in nature. Fish, birds, ants, termites, Introduction to swarm intelligence principles Particle Swarm Optimization (PSO)

Transcription:

Bio-Inspired Anomaly Detection Cyber Security Division 2012 Principal Investigators Meeting 10/11/12 S. Raj Rajagopalan Scientist HP Labs/Honeywell Sraj.raj@gmail.com 908-305-1681

Bio-Inspired Anomaly Detection Addressing TTA 13 Nature-inspired Cyber Health: PIs: Bio-Inspired Distributed Decision Making for Anomaly Detection Prof. Nina H. Fefferman, Rutgers University, Ecology, Evolution, and Natural Resources, and DIMACS/CCICADA S. Raj Rajagopalan, HP/Honeywell Team: Two Post Doctoral Researchers, a couple of grad students, a research programmer, and some very smart people to ask for advice as we go. Collaboration between the NJ and AZ researchers mostly by electronic communications, with infrequent in-person visits 2

Technical Approach Problem to be addressed: Early/Accurate Detection of Threats on Widely Distributed Computer System Networks Traditional methods utilized: Centralized knowledge & Defined-pattern matching (or violation)? More recent methods utilized: Distributed knowledge & Known When Seen (like pornography) no picture available 3

The Problem: What is new Detecting malicious activity (malware, insider threats, etc) is getting (much) harder Systems increasingly complex Adversary increasingly sophisticated and fast Environments getting more distributed than ever before E.g. HP s IT network Has ~ 200K computers Has ~10K networking equipment Spread over four continents Managed from three global hubs (data centers) 4

The Problem Specific challenges Data volumes Heterogeneity of Technology and Attacks Adaptable adversary Threat detection is distributed and resists prepackaged solutions. 5

The Approach Routers and switches today Are distributed in the network Have significant CPU, memory, and storage resources but no significant use for them What purpose can we put these resources to? Distributed Anomaly Detection Use in-network resources to store and analyze local traffic Share significant events 6

The Approach Leveraging infrastructure The ONE Blade on the HP Pro Curve Switch Capable of running an independent computer with local CPU, memory and storage Full access to traffic Independent control plane Anomaly Detection ONE blades can store and analyze local traffic Communicate with HIDS on local networks Run anomaly detection on local traffic But distributed anomaly detection is hard! 7

Nature provides model systems Anomaly detection in nature is a well-studied problem and there are a few perfect examples that involve both Distributed knowledge & Known When Seen threat identification. We will focus on two that utilize/favor detection of different types of anomalies on different system architectures: Both Bees and Ants rely for their survival on their ability (as colonies) to detect both known and unknown anomalies Natural Selection has produced these populations that employ highly efficient distributed algorithms to identify predators, food sources, nest sites, etc. 8

The Mathematics of Social Insect systems Each individual functions as an independent gatherer and analyzer of data, but can share conclusions with others, solicit the conclusions of others, and choose what (if any) data to share with which others. Conclusions are drawn using direct evidence, past experience, and the input of neighbors. Mathematical models capturing some of these dynamics already exist within the biological literature, but will require re-working to be able to apply them to computer system networks Evidence of performance of these natural systems in shifting realworld environmental conditions leads us to believe that these will be more effective at threat detection, without requiring prior models of threat types, and without requiring organizational centralization of information collection and analysis 9

Moving Pieces: Exploring how these algorithms perform on different networks Algorithm Type Network Topology Anomaly Type Bee-Inspired Algorithm Ant-Inspired Algorithm Scale Free Rooted Tree BiPartite Others Alpha Flows DOS Attack Flash Crowd Port Scan Network Scan Outage Event Point to Multipoint Targeted Attack (e.g. Phishing) 10

Theory Technical Challenges Natural Selection doesn t produce the best solution to a problem, it simply eliminates failed solutions after borrowing initial inspiration, we will need to consider how the system could be improved upon for our purposes Bridging the language gap between theoretical biology and applied computer science (not within current scope, but to be considered) Robustness of system to design of next-generation threats that would specifically attempt to evade distributed detection. 11

Implementation System Challenges Mapping biological concepts to computer networks Choosing the right kinds of anomalies Creating sound experiments on DETER Validating our results 12

Milestones & Deliverables Milestones & Deliverables Team Date Fully Documented Design for Ant and Bee Algorithms RU 5/13 Fully Documented Network Design and Prototype Completed Software Environment for Testing RU 5/13 Completed Software-Based Performance Evaluation for One Algorithm on Specific Anomaly Types (preparation of publications and presentations) Papers on Experiment Design and Analysis of Results Completed Software-Based Performance Evaluation for Other Algorithm on Specific Anomaly Types (preparation of publications and presentations) Fully Documented Network Design and Prototype and Experimentation Results (preparation of publications and presentations) Sub RU 6/13 Sub RU 12/13 Sub 13

Milestones & Deliverables cont. Milestones & Deliverables Team Date Papers on Experiment Design and Analysis of Results (preparation of publications and presentations) Completed Software-Based Performance Evaluation for One Algorithm on Novel Anomaly Types (preparation of publications and presentations) Sub RU 5/14 Design General Method for Algorithm Performance Prediction RU 10/14 Large-Scale Experimentation Phase 1 Sub 6/15 Large-Scale Experimentation Phase 2 Sub 10/15 Revise/Tailor Most Promising Algorithm for Large-Scale Testbed RU 10/15 14

Technology Transfer Plan Build working POC on ONE Blades Work with corporate environments to detect real-world anomalies quickly Work with incident investigators to determine detection rate and false positive rates 15

Date: 7 July 2011 Quad Chart Distributed Intelligence finds the elusive adversary Proposed Technical Approach 1. Addressing goals in the BAA: Models biological systems for new methods for cyber-health plus technology transfer. 2. Base Period tasks: Define distributed detection algorithms; Implement and test software simulations to test algorithms on simple network topologies; Build networking substrate; Test and evaluate anomaly detection performance on a diversity of anomalies. 3. Current status: The biological phenomena have already been studied by the proposer. Proposed work will marry this with cyber security. 4. Describe any actions done to date. None. This is a fresh proposal. 5. Describe any related ongoing effort by the offeror: Distributed correlation capability is on a short term list in at least one HP security product unit and in HP networking. Operational Capability 1. Performance targets: Basic principles in 12 mo; Proof of concept in 24 mo; (Option) field testing and tech transfer in 36 mo. 2. Quantify performance for key parameters: Key performance measures derived in Year 1 will be used to evaluate effectiveness for appropriate botnet detection scenarios 3. Cost of ownership: None. Project results will be in public domain 4. Address how the proposed development addresses the goals in the BAA. Provides scalable distributed intelligence for detecting hard-to-find malwareinduced behavior; leverages biological understanding of bees and ants to design communication protocols; results in significant tech transfer Schedule, Cost, Deliverables, Contact Info Milestones: Biology-based detection algorithms designed and evaluated December 2012; ProCurve Networking prototype delivered December 2013; Tech transfer December 2014 Period of performance: 3 years Deliverables: Application of basic principles of bio-inspired distributed detection; Enhanced network switches with detection; Decentralized switch protocols for data sharing; Consolidated prototype; Tech transfer Corporate Information: Sarah Dumais, Rutgers University, 3 Rutgers Plaza, New Brunswick, NJ 08901, phone: 732-932-0150 x 2107, fax: 732-932-0162, email: dumais@grants.rutgers.edu 16

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information