Intrusion Detection System



Similar documents
Bro at 10 Gps: Current Testing and Plans

Dynamic Application-Layer Protocol Analysis for Network Intrusion Detection

Firewall Server 7.2. Release Notes. What's New in Firewall Server 7.2

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

Chapter 15. Firewalls, IDS and IPS

Firewalls and Intrusion Detection

An Anomaly-based Botnet Detection Approach for Identifying Stealthy Botnets

Introduction of Intrusion Detection Systems

12. Firewalls Content

Covert Operations: Kill Chain Actions using Security Analytics

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Indexing Full Packet Capture Data With Flow

The Bro Network Intrusion Detection System

Security workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013

Managing Latency in IPS Networks

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

Network Monitoring using MMT:

Detecting Threats Via Network Anomalies. Paul Martini Cofounder and CEO iboss Cybersecurity

INTRUSION DETECTION SYSTEMS and Network Security

Role of Anomaly IDS in Network

Sage ERP Accpac Online

Sage 300 ERP Online. Mac Resource Guide. (Formerly Sage ERP Accpac Online) Updated June 1, Page 1

How to (passively) understand the application layer? Packet Monitoring

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Network Security Policy

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION

An Overview of the Bro Intrusion Detection System

Firewall Testing Methodology W H I T E P A P E R

Solution of Exercise Sheet 5

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013

CSE331: Introduction to Networks and Security. Lecture 18 Fall 2006

Bypassing PISA AGM Theme Seminar Presented by Ricky Lou Zecure Lab Limited

Application Firewalls

Firewalls, IDS and IPS

Content-ID. Content-ID URLS THREATS DATA

Database Security, Virtualization and Cloud Computing

Network Security Platform 7.5

How To Monitor A Network On A Network With Bro (Networking) On A Pc Or Mac Or Ipad (Netware) On Your Computer Or Ipa (Network) On An Ipa Or Ipac (Netrope) On

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

Monitoring Network Security with the Open-Source Bro NIDS

How to launch and defend against a DDoS

Securizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Firewall Firewall August, 2003

Covert Channels. Some instances of use: Hotels that block specific ports Countries that block some access

Classification of Firewalls and Proxies

Guideline on Auditing and Log Management

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006

Seminar Computer Security

Gateway Security at Stateful Inspection/Application Proxy

Barracuda Intrusion Detection and Prevention System

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

Detecting peer-to-peer botnets

UNMASKCONTENT: THE CASE STUDY

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

IDS / IPS. James E. Thiel S.W.A.T.

Intro to Firewalls. Summary

Attack and Defense Techniques 2

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

A Bro Walk-Through. Robin Sommer International Computer Science Institute & Lawrence Berkeley National Laboratory

Configuring Security for FTP Traffic

NitroView. Content Aware SIEM TM. Unified Security and Compliance Unmatched Speed and Scale. Application Data Monitoring. Database Monitoring

How Lastline Has Better Breach Detection Capabilities. By David Strom December 2014

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

Symptoms Based Detection and Removal of Bot Processes

Chapter 4: Security of the architecture, and lower layer security (network security) 1

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Network Based Intrusion Detection Using Honey pot Deception

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

Networking for Caribbean Development

Intrusion Detection Systems

Large-Scale TCP Packet Flow Analysis for Common Protocols Using Apache Hadoop

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Network Forensics: Log Analysis

Exercise 7 Network Forensics

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Game changing Technology für Ihre Kunden. Thomas Bürgis System Engineering Manager CEE

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Networks and Security Lab. Network Forensics

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Chapter 11 Phase 5: Covering Tracks and Hiding

Security Event Management. February 7, 2007 (Revision 5)

Integrity of In-memory Data Mirroring in Distributed Systems Tejas Wanjari EMC Data Domain

Content Inspection Director

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Building A Secure Microsoft Exchange Continuity Appliance

Radware s Behavioral Server Cracking Protection

Guideline on Firewall

Intrusion Detection Systems

Transcription:

Intrusion Detection System Time Machine Dynamic Application Detection 1 NIDS: two generic problems Attack identified But what happened in the past??? Application identification Only by port number! Yet applications use arbitrary ports Benign reasons Lack administrator privileges Circumvention of firewall, e.g., Skype Application tunnels Malicious intend Evasion of security monitoring E.g.: IRC based botnets on ports other than 666x/tcp E.g.: ftp servers on ports other than 21/tcp 2 1

Time Machine: motivation Trouble-Shooting What happened before a fault? Security monitoring ( Forensics ) Break in 2 days ago: How? What else have they done? NIDS: offloading Ideas Keep packet traces of past events! 3 Time Machine: problem Recording High data volume, high load (CPU, disk) E.g., MWN: Gbps link 2004: 2 TB / day 2007: 4-6TB / day 350 / 950 Mbps busy hour load Retrieval Using the captured data Find relevant needle in the haystack 4 2

Time Machine: concept Buffer packets up to connection cutoff 5 Connection sizes: heavy-tailed LBL (2004): > 20 KB 12% of connections 96% of all bytes NERSC (2004): > 20 KB 14% of connections 99.86% of bytes 6 3

TM: capabilities (cutoff: 15KB) MWN: 10Gb uplink, 3-6 TB per day, 50,000 users 600MB memory buffer, 800GB disk buffer 7 TM: retention time Huge potential 8 4

TM: CPU utilization Head room available for query processing 9 Coupling NIDS with Time Machine NIDS pkts pkts pkts TM Link Probe 10 5

TM-NIDS: applications Semi-automatic forensics NIDS detects standard traffic on non-standard port TM captures connections to file Scanner supervision NIDS recognizes scanner TM supplies past traffic on successful connection Host supervision NIDS recognizes weird traffic from some IP Instructs TM to capture / store all traffic Suspends cutoff 11 TM-NIDS: applications Offloading NIDS NIDS processes HTTP requests only If suspicious request TM supplies response NIDS processes FTP control data only If suspicious request TM supplies data connection Error correction NIDS recognizes content gap TM supplies missing data 12 6

Coupling NIDS with Time Machine Requirements Simple interface NIDS processing of TM data as usual Complications Two data sources Duplicate data packets from both sources NIDS needs to handle live as well as historic data (violates time sequence assumptions) 13 Query rate In memory queries Query rate increases Overhead and latency small 14 7

HTTP analysis Significant CPU gains by offloading HTTP reply 15 TM-NIDS: summary Stand-alone time machine: a very powerful tool Coupling a TM with an NIDS: an even more powerful tool! 16 8

NIDS: two generic problems Attack identified But what happened in the past??? Application identification Only by port number! Yet applications use arbitrary ports Benign reasons Lack administrator privileges Circumvention of firewall, e.g., Skype Application tunnels Malicious intend Evasion of security monitoring E.g.: IRC based botnets on ports other than 666x/tcp E.g.: ftp servers on ports other than 21/tcp 17 Applications on non-standard ports Data (Oct. 2005): 24 hour full packet trace from Münchner WissenschaftsNetz (MWN) 3.2 TB of data in 6.3 billion pkts, 137M connections Application signatures from l7-filter system Focus on HTTP, IRC, FTP, SMTP 18 9

Ports accounting > 1% of conns. Port % Conns % Success % Payload Web 80 70.82% 68.13% 72.59% 445 3.53% 0.01% 0.00% Web 443 2.34% 2.08% 1.29% SSH 22 2.12% 1.75% 1.71% Mail 25 1.85% 1.05% 1.71% 1042 1.66% 0.00% 0.00% 1433 1.06% 0.00% 0.00% 135 1.04% 0.00% 0.00% < 1024 83.68% 73.73% 79.05% > 1024 16.32% 4.08% 20.95% 19 Signature-based app. detection Port information offers no information for ports > 1024 l7-filter system application signatures HTTP highly attractive for hiding other applications Most successful conns. trigger expected signature FTP higher percentage of false negatives Method HTTP IRC FTP SMTP Port (succ.) 93,429K 75,876 151,700 1,447K Signature 94,326K 73,962 125,296 1,416K expected port 92,228K 71,467 98,017 1,415K other port 2,126K 2,495 27,279 265 20 10

Signature detection: well known ports Some connections trigger more than one signature Not yet wide-spread abuse But some misappropriate use of well known ports Port HTTP IRC SMTP Other No match 80 92,228,291 59 0 41,086 1,158,977 666x 1,217 71,650 0 4,238 524 25 459 2 1,415,428 195 31,889 21 Architecture for dynamic analysis Goals Detection scheme independence Dynamic analysis Modularity Efficiency Customizability Design (USENIX Security 06) Dynamic processing path Per connection dynamic analyzer trees 22 11

Reliable detection of non-standard ports UCB: 1 day internal remote FTP servers: 6 17 HTTP servers: 568 54,830 IRC servers: 2 33 SMTP servers: 8 8 MWN similar Non-standard port connection UCB: 99% HTTP (28% Gnutella, 22% Apache) MWN: 92% HTTP (21% BitTorrent, 20% Gnutella), 7% FTP Two open HTTP proxy detected: now closed SMTP server that allowed relay: now closed 23 Payload inspection of FTP data transfers FTP data transfers use arbitrary ports No longer a problem: dynamic prediction table File analyzer examines connection s payload Can determine file-type (LIBMAGIC) Can check if actual file-type == expected file-type Extensions: SMTP analyzer (using pipeline) Virus checker 24 12

Detecting IRC-based Botnets Idea Botnets like IRC protocol (remote control features) Botnet detector on top of IRC analyser Checks client nickname for typical patterns Checks channel topics for typical botnet commands Checks if new clients connect with IRC to identified bot-servers Results MWN: > 100 distinct IPs with Botnet clients Now part of a automatic prevention system UCB: 15distinct IPs 25 Summary: dynamic app. analysis Ideas: Dynamic processing path Per connection dynamic analyzer trees Operational at three large-scale networks Detected significant number of security incidents Bot-detection now automatically blocks IP 26 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information