Development of a Network Intrusion Detection System



Similar documents
FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

HYBRID INTRUSION DETECTION FOR CLUSTER BASED WIRELESS SENSOR NETWORK

CS5008: Internet Computing

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

NETWORK SECURITY WITH OPENSOURCE FIREWALL

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

INTRUSION DETECTION SYSTEMS and Network Security

How To Prevent DoS and DDoS Attacks using Cyberoam

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

AC : TEACHING NETWORK SECURITY THROUGH SIGNA- TURE ANALYSIS OF COMPUTER NETWORK ATTACKS

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

How To Protect Your Network From Attack From A Hacker On A University Server

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Firewalls and Intrusion Detection

Distributed Denial of Service (DDoS)

IDS / IPS. James E. Thiel S.W.A.T.

Chapter 8 Network Security

System Specification. Author: CMU Team

Security: Attack and Defense

CIT 380: Securing Computer Systems

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

STUDY OF IMPLEMENTATION OF INTRUSION DETECTION SYSTEM (IDS) VIA DIFFERENT APPROACHS

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Network Forensics: Detection and Analysis of Stealth Port Scanning Attack

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Chapter 8 Security Pt 2

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

Payment Card Industry (PCI) Executive Report. Pukka Software

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Network- vs. Host-based Intrusion Detection

Secure Software Programming and Vulnerability Analysis

Firewall Firewall August, 2003

Performance Evaluation of Intrusion Detection Systems

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Coimbatore-47, India. Keywords: intrusion detection,honeypots,networksecurity,monitoring

A Layperson s Guide To DoS Attacks

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

Attacks and Defense. Phase 1: Reconnaissance

Fuzzy Network Profiling for Intrusion Detection

Name. Description. Rationale

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

Firewalls Netasq. Security Management by NETASQ

PROFESSIONAL SECURITY SYSTEMS

Network Security CS 192

Computer forensics

Introduction of Intrusion Detection Systems

Observation and Findings

Development of an Intrusion Detection and Prevention Course Project Using Virtualization Technology. Te-Shun Chou East Carolina University, USA

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

IxLoad-Attack: Network Security Testing

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

MINDS: A NEW APPROACH TO THE INFORMATION SECURITY PROCESS

Intrusion Detection System: Security Monitoring System

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Chapter 15. Firewalls, IDS and IPS

Carrier/WAN SDN Brocade Flow Optimizer Making SDN Consumable

ADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCAN

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

Network Forensics: Log Analysis

Seminar Computer Security

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

Stop that Big Hack Attack Protecting Your Network from Hackers.

Barracuda Intrusion Detection and Prevention System

Host Discovery with nmap

Science Park Research Journal

IDS : Intrusion Detection System the Survey of Information Security

Remote Network Analysis

Denial of Service. Tom Chen SMU

Firewalls, Tunnels, and Network Intrusion Detection

The Truth about False Positives

THE ROLE OF IDS & ADS IN NETWORK SECURITY

co Characterizing and Tracing Packet Floods Using Cisco R

An Introduction to Nmap with a Focus on Information Gathering. Ionuț Ambrosie

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Slow Port Scanning Detection

Deployment of Snort IDS in SIP based VoIP environments

Network Monitoring Tool to Identify Malware Infected Computers

Content Distribution Networks (CDN)

Fuzzy Network Profiling for Intrusion Detection

Denial of Service Attacks and Countermeasures. Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS)

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Scanning Tools. Scan Types. Network sweeping - Basic technique used to determine which of a range of IP addresses map to live hosts.

CSCI 4250/6250 Fall 2015 Computer and Networks Security

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

Intrusion Detection Systems

Network and Services Discovery

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Payment Card Industry (PCI) Executive Report 08/04/2014

Transcription:

Development of a Network Intrusion Detection System (I): Agent-based Design (FLC1) (ii): Detection Algorithm (FLC2) Supervisor: Dr. Korris Chung Please visit my personal homepage www.comp.polyu.edu.hk/~cskchung/fyp04-05/ for more information.

Why Intrusion Detection? Current firewalls are not sufficient to ensure the security in computer networks Some intrusions take advantages of vulnerabilities in computer systems or use socially engineered penetration techniques that traditional intrusion prevention techniques are not enough to protect systems Intrusion detection System (IDS) will be another wall for protection 2

Motivations Problems of existing IDS: Attack stealthiness Attackers try to hide their actions from either an individual who is monitoring the system or an IDS Novel intrusions Undetectable by signature-based IDSs that they can only be detected as anomalies by observing significant deviations from the normal network behavior Distributed attack Needed for detecting the correlation of attack 3

Objectives 4 Develop an adaptive IDS by using agentbased data mining techniques The data mining approaches are used to capture the actual behavior of network traffic accurately The portfolio mined is useful in differentiating normal and attack traffics The overall architecture of the proposed IDS is constructed with different types of agent

Types of Attack (1/2) 5 Denial of Service (DoS) SYN Flood Smurf Teardrop Probe SYN Stealth Port Scan Connect Mode Port Scan FIN Stealth Mode Port Scan NULL Scan Mode Port Scan Xmas Tree Mode Port Scan ACK Mode Port Scan UDP Scan

Types of Attack (2/2) Compromises Buffer Overflow Unauthorized Access from Remote Machine (U2R) Unauthorized Access to Local Superuser Privileges by a Local Unprivileged User (R2L) Trojan horses/worms 6

Traffic Behaviors (1/2) Probe URG ACK PSH RST SYN FIN Connect scan SYN scan Set Set FIN scan Set NULL scan Xmas tree scan Set Set Set ACK scan Set 7

Traffic Behaviors (2/2) Denial of Service (DoS) Attack type Port range No of connection attempt No of RST packets Mean packet size Time covered by 100 packets No of ICMP packets Connect scan if not stealthy SYN scan if not stealthy ACK scan No if not stealthy NULL scan No if not stealthy Xmas tree scan if not stealthy UDP scan No N/A if not stealthy Many destination unreachable SYN flood after connect pool full N/A PING flood N/A N/A N/A 8 Victim reply from attack Normal traffic for port scanned N/A??? for TCP scan on closed port and SYN flooded r Many ICMP if UDP scanned or ping flooded

9 Proposed Agent-based Intrusion Detection System

Proposed System data mining approaches are introduced Clustering Sequential Association Rules Outliner detection Each approach is represented by a number of agents 10

System Architecture Network Traffic Feature Extractor Batch Processing Real Time Trainer Update Detection Engine Alarm 11 Proposed IDS

Detection Engine Agent Set of Feature Feature Distributor Agent... Decision Maker Alarm Agent 12 Detection Engine

13 Agent Trainer Set of Feature Trainer Approach1 Approach2... Agent n Feature Distributor Update Corresponding Agents

Two types of System Models 14 Predictive model Built from labeled data sets (i.e. instances are labeled as normal or attack ) Misuse detection More sophisticated and precise than manually created signatures Expected to be unable to detect attacks whose instances have not yet been observed Anomaly detection model Built only based on normal behavior (i.e. normal behavior of the network is profiled) Detecting anomalies as deviations Possibly high in false alarm rate as previously unseen Higher adaptive ability

Thank You!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information