Lesson #8: Correlation. Matthijs Koot (koot@uva.nl) 2007-05-10 / SNE-IDS college 06-07


Lesson #8: Correlation Faculteit van Natuurwetenschappen, Wiskunde en Informatica Universiteit van Amsterdam 2007-05-10 / SNE-IDS college 06-07

Outline

Warning. Don't expect to see the topics discussed today reflected in next year's IDS product (except perhaps by their marketeers). Consider them "a way forward", which will require cooperation and consensus from non-IDS vendors.


Events and alerts.


Event correlation vs. alert correlation.

Definitions (Dan Gorton, 2001).

Definition: Intrusion event correlation refers to the interpretation, combination, and analysis of neutral events from all available sources, about target system activity for the purposes of intrusion detection and response.

Definition: Intrusion alert correlation refers to the interpretation, combination, and analysis of intrusion alerts, together with information external to the intrusion detection system, with the purpose of intrusion alert refinement and intrusion scenario building.


Logging policy. Logging policy: what loggables should be logged? Consider:
- Guidelines on logging for security purposes. Ask thyself: what loggables are relevant to detecting threats?
- "Best logging practices"
- Security expert advice
- Abstraction level: data activity, application activity, OS activity, network activity
- Context: security domain/level, asset value; public vs. non-public infrastructure (churn)

Alerting policy. Alerting policy: what events yield an alert? Consider:
- Guidelines on alerting. Ask thyself: what combination of events indicates an intrusion?
- "Best alerting practices"
- Security expert advice
- Context (again): security domain/level, asset value; public vs. non-public infrastructure (churn)
- BUT ALSO: a business-specific understanding of threat and intrusion, which MUST be resolvable to business goals and SHOULD be resolvable to IT goals


Goals. Correlation aims to:
- Reduce the total number of alerts: elimination, fusion, aggregation, synthesis
- Improve diagnostics: type of activity, relevance, verification
- Track activity: information leaked to the attacker, information leaked from the attacker

Correlation process. Source: Kruegel, Valeur, Vigna, "Intrusion Detection and Correlation: Challenges and Solutions", Springer 2005.


Syntax AND semantics. Syntax: CIDF yielded the IETF IDWG, which yielded IDMEF/IDXP (next slide). Semantics: under construction (CVE, intrusion alert ontology, ...). Source: Kruegel, Valeur, Vigna, "Intrusion Detection and Correlation: Challenges and Solutions", Springer 2005.

IDMEF data model. IDMEF = Intrusion Detection Message Exchange Format (RFC 4765).

IDXP transport model. IDXP = Intrusion Detection Exchange Protocol (RFC 4767). BEEP = Blocks Extensible Exchange Protocol (RFC 3080). IDXP carries IDMEF messages and is implemented as a BEEP profile.
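The step every correlation stage depends on is turning an IDMEF message into a flat record of attributes (analyzer, time, source, target, port, classification, assessment). The following parser is an added example and not code from the lecture: the element names and namespace are those of RFC 4765, but the sample message is constructed (its Reference is a user-specific rule name, not a real CVE or Bugtraq id), and the choice of which fields to keep is an assumption about what a correlator needs.

```python
"""Normalize one IDMEF alert into the flat record a correlation stage works on.
Added example, not the lecture's code. Element names/namespace per RFC 4765;
the sample message is constructed; the field selection is an assumption."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"idmef": "http://iana.org/idmef"}   # namespace defined in RFC 4765

# Constructed sample alert (not captured from a real sensor).
SAMPLE_IDMEF = """
<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="a3f1-0001">
    <idmef:Analyzer analyzerid="nids-dmz-01" name="example-nids">
      <idmef:Node category="dns"><idmef:name>sensor01.example.org</idmef:name></idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime>2007-05-10T09:15:02Z</idmef:CreateTime>
    <idmef:Source spoofed="unknown">
      <idmef:Node><idmef:Address category="ipv4-addr">
        <idmef:address>192.0.2.50</idmef:address></idmef:Address></idmef:Node>
    </idmef:Source>
    <idmef:Target>
      <idmef:Node><idmef:Address category="ipv4-addr">
        <idmef:address>198.51.100.7</idmef:address></idmef:Address></idmef:Node>
      <idmef:Service><idmef:port>80</idmef:port><idmef:protocol>tcp</idmef:protocol></idmef:Service>
    </idmef:Target>
    <idmef:Classification text="WEB directory traversal attempt">
      <idmef:Reference origin="user-specific">
        <idmef:name>example-rule-traversal</idmef:name>
        <idmef:url>http://rules.example.org/traversal</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
    <idmef:Assessment><idmef:Impact severity="medium" completion="failed" type="file"/></idmef:Assessment>
  </idmef:Alert>
</idmef:IDMEF-Message>
"""


def _text(elem, path):
    """Text of the first element matching the namespace-qualified `path`, or None."""
    found = elem.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def parse_time(value):
    """CreateTime is ISO 8601 (RFC 4765). Assumption: whole seconds, 'Z' or a numeric offset."""
    if value.endswith("Z"):
        value = value[:-1] + "+0000"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


def normalize_idmef(xml_text):
    """Flatten an IDMEF-Message carrying one Alert into a dict of correlation attributes.
    ElementTree does not fetch external entities, but it does expand internal ones
    (entity-expansion DoS): parse untrusted sensor feeds with defusedxml in production."""
    root = ET.fromstring(xml_text)
    alert = root.find("idmef:Alert", NS)
    if alert is None:
        raise ValueError("message carries no Alert (Heartbeat messages are not handled here)")
    analyzer = alert.find("idmef:Analyzer", NS)
    classification = alert.find("idmef:Classification", NS)
    impact = alert.find("idmef:Assessment/idmef:Impact", NS)
    ts = _text(alert, "idmef:CreateTime")
    port = _text(alert, "idmef:Target/idmef:Service/idmef:port")
    return {
        "id": alert.get("messageid"),
        "analyzer": analyzer.get("analyzerid") if analyzer is not None else None,
        "time": parse_time(ts) if ts else None,
        "src": _text(alert, "idmef:Source/idmef:Node/idmef:Address/idmef:address"),
        "dst": _text(alert, "idmef:Target/idmef:Node/idmef:Address/idmef:address"),
        "dport": int(port) if port else None,
        "proto": _text(alert, "idmef:Target/idmef:Service/idmef:protocol"),
        "name": classification.get("text") if classification is not None else None,
        "refs": [(r.get("origin"), _text(r, "idmef:name"))
                 for r in alert.findall("idmef:Classification/idmef:Reference", NS)],
        "severity": impact.get("severity") if impact is not None else None,
        "completion": impact.get("completion") if impact is not None else None,
    }


if __name__ == "__main__":
    print(normalize_idmef(SAMPLE_IDMEF))
```

The syntax problem is solved by the time the record exists; the semantic problem the slide mentions is visible in the "refs" field: without a shared vocabulary (CVE, an alert ontology), two sensors reporting the same attack under different classification texts still look like two different things to the next stages.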


Alert fusion. Recognize and remove redundancy in alerts from different sensors: when several sensors observe the same event, emit one fused alert rather than one per sensor.

Alert verification.
Passive:
- Verify the target's (in)vulnerability in the CMDB (and waive OS/2 Warp attacks on MINIX machines :-))
- Wait for post-intrusion activity
- Wait for post-intrusion INactivity (missing heartbeats?)
Active (perturbing):
- Connect to the target, check for rogue processes
- Connect to the target, check config files against known-good hashes
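The two stages above chain naturally: fuse first, so that the CMDB lookup is done once per event rather than once per sensor. The block below is an added example covering both the alert fusion slide and the passive verification slide; it is not the lecture's code. Alert records are dicts in the shape an IDMEF normalizer would emit, and the sensors, addresses, signature "affects" sets, CMDB contents and fusion window are all constructed or assumed.

```python
"""Alert fusion followed by passive verification against a CMDB. Added example,
not the lecture's code; all sensors, hosts, CMDB entries and the window are constructed."""
from datetime import datetime, timedelta

FUSION_WINDOW = timedelta(seconds=2)   # assumption: sensor clocks agree to within this

T0 = datetime(2007, 5, 10, 9, 15, 0)
SAMPLE_ALERTS = [   # constructed; "affects" = platforms the signature is meaningful for
    dict(analyzer="nids-dmz-01", time=T0, src="192.0.2.50", dst="198.51.100.7",
         dport=80, name="IIS unicode traversal", affects={"iis"}),
    dict(analyzer="nids-core-02", time=T0 + timedelta(seconds=1), src="192.0.2.50",
         dst="198.51.100.7", dport=80, name="IIS unicode traversal", affects={"iis"}),
    dict(analyzer="hids-web-07", time=T0 + timedelta(seconds=1.5), src="192.0.2.50",
         dst="198.51.100.7", dport=80, name="IIS unicode traversal", affects={"iis"}),
    dict(analyzer="nids-dmz-01", time=T0 + timedelta(seconds=30), src="192.0.2.50",
         dst="198.51.100.9", dport=80, name="IIS unicode traversal", affects={"iis"}),
    dict(analyzer="nids-dmz-01", time=T0 + timedelta(seconds=31), src="192.0.2.50",
         dst="198.51.100.7", dport=3389, name="RDP brute force", affects={"windows"}),
    dict(analyzer="nids-dmz-01", time=T0 + timedelta(seconds=40), src="192.0.2.50",
         dst="203.0.113.4", dport=22, name="SSH version scan", affects=set()),
]

# Constructed CMDB: what each target actually runs, keyed by address.
CMDB = {
    "198.51.100.7": {"os": "linux", "services": {80: "apache", 22: "openssh"}},
    "198.51.100.9": {"os": "windows", "services": {80: "iis", 445: "smb"}},
}


def fuse(alerts, window=FUSION_WINDOW):
    """Merge alerts that describe the same event as seen by different sensors.
    Duplicates agree on (src, dst, dport, name) and lie within `window` of the
    previous member. Returns fused alerts in order of first occurrence."""
    fused = []
    for a in sorted(alerts, key=lambda x: x["time"]):
        key = (a["src"], a["dst"], a["dport"], a["name"])
        for f in fused:
            if f["key"] == key and a["time"] - f["last"] <= window:
                f["analyzers"].add(a["analyzer"])
                f["last"] = a["time"]
                f["count"] += 1
                break
        else:   # no break: nothing to merge with, start a new fused alert
            fused.append({"key": key, "src": a["src"], "dst": a["dst"], "dport": a["dport"],
                          "name": a["name"], "affects": set(a["affects"]),
                          "time": a["time"], "last": a["time"],
                          "analyzers": {a["analyzer"]}, "count": 1})
    return fused


def verify(fused_alert, cmdb=CMDB):
    """Passive verification: compare what the signature targets with what the CMDB
    says the target runs. Returns (verdict, reason), verdict in
    {'relevant', 'irrelevant', 'unknown'}; 'unknown' is the honest answer for
    hosts the CMDB does not know (CMDB churn is itself a finding)."""
    host = cmdb.get(fused_alert["dst"])
    if host is None:
        return "unknown", "target not in CMDB"
    product = host["services"].get(fused_alert["dport"])
    if product is None:
        return "irrelevant", "no service listening on port %s" % fused_alert["dport"]
    affects = fused_alert["affects"]
    if affects and product not in affects and host["os"] not in affects:
        return "irrelevant", "%s is not affected (signature targets %s)" % (
            product, ", ".join(sorted(affects)))
    return "relevant", "target runs %s on port %s" % (product, fused_alert["dport"])


def triage(alerts, cmdb=CMDB):
    """Fusion then verification: (name, dst, number of sensors, verdict) per fused alert."""
    return [(f["name"], f["dst"], len(f["analyzers"]), verify(f, cmdb)[0])
            for f in fuse(alerts)]


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

Three sensors seeing one traversal attempt collapse into a single alert seen by three analyzers, and the verification stage then discards it because the target runs Apache on Linux, not IIS; the same signature against the IIS host survives as relevant.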


Two approaches to correlation. "Aha! Alerts seem to match <attack-pattern>." versus "I don't know what's happening, but these alerts appear (statistically) related."

Alert thread reconstruction. Cluster alerts into threads based on spatial and temporal proximity:
- Incoming alerts are added to their best-matching thread
- One thread represents one attack (session)
Questions to ask:
- Which attributes should be compared?
- How is a comparison actually done?
- What weight is assigned to each attribute?
=> Similarity matrices and similarity expectations require human knowledge, (re)introducing human fallibility (Ning).
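The three questions on the slide become concrete once written down as code: which attributes (here source, target, port, time), how each is compared (exact match, same /24, linear time decay with a hard cut-off), and what weight each gets. The block below is an added example, not the lecture's or Ning's code; the attributes, weights, decay constant, cut-off and threshold are assumptions a deployment would tune, and the alerts are constructed.

```python
"""Alert thread reconstruction by weighted attribute similarity. Added example,
not the lecture's code; weights, constants, threshold and alerts are assumptions."""
from ipaddress import ip_address, ip_network

WEIGHTS = {"src": 0.35, "dst": 0.25, "dport": 0.10, "time": 0.30}   # sum to 1.0
TAU = 600.0      # seconds; temporal similarity decays linearly to 0 over TAU
MAX_GAP = 300.0  # seconds; alerts further apart than this never share a thread
THRESHOLD = 0.6  # minimum similarity for joining an existing thread

SAMPLE = [   # constructed alerts; t in seconds relative to the first alert
    dict(id="a1", t=0,   src="192.0.2.50",  dst="198.51.100.7",  dport=80),
    dict(id="a2", t=5,   src="192.0.2.50",  dst="198.51.100.7",  dport=443),
    dict(id="a3", t=12,  src="192.0.2.50",  dst="198.51.100.7",  dport=80),
    dict(id="b1", t=3,   src="203.0.113.9", dst="198.51.100.20", dport=22),
    dict(id="b2", t=4,   src="203.0.113.9", dst="198.51.100.20", dport=22),
    dict(id="c1", t=900, src="192.0.2.50",  dst="198.51.100.7",  dport=80),  # same actor, 15 min later
]


def addr_sim(a, b):
    """Spatial similarity of two IPv4 addresses: identical 1.0, same /24 0.5, else 0.0."""
    if a == b:
        return 1.0
    if ip_address(a) in ip_network(b + "/24", strict=False):
        return 0.5
    return 0.0


def similarity(a, b):
    """Weighted similarity in [0, 1]; 0 beyond MAX_GAP regardless of other attributes."""
    dt = abs(a["t"] - b["t"])
    if dt > MAX_GAP:
        return 0.0
    parts = {
        "src": addr_sim(a["src"], b["src"]),
        "dst": addr_sim(a["dst"], b["dst"]),
        "dport": 1.0 if a["dport"] == b["dport"] else 0.0,
        "time": max(0.0, 1.0 - dt / TAU),
    }
    return sum(WEIGHTS[k] * parts[k] for k in WEIGHTS)


def reconstruct_threads(alerts):
    """Process alerts in time order; each joins the thread whose best-matching
    member scores at least THRESHOLD (single linkage), otherwise opens a thread."""
    threads = []
    for a in sorted(alerts, key=lambda x: x["t"]):
        best, best_score = None, 0.0
        for th in threads:
            score = max(similarity(a, m) for m in th)
            if score > best_score:
                best, best_score = th, score
        if best is not None and best_score >= THRESHOLD:
            best.append(a)
        else:
            threads.append([a])
    return threads


if __name__ == "__main__":
    for th in reconstruct_threads(SAMPLE):
        print([a["id"] for a in th])
```

The "human fallibility" remark on the slide is the point of the last alert: with these weights the same attacker hitting the same host again after fifteen minutes starts a new thread purely because of MAX_GAP, and whether that is the right call is a judgement the analyst encoded, not something the data decided.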


Predefined attack scenarios. Specification of attack scenarios: Attack Scenario Language (Kruegel), Chronicles formalism (Debar), LAMBDA (Cuppens).

Prerequisite-consequence analysis. Alert conditionality through hyper-alerts: (fact, prerequisite, consequence).
- Prerequisite specifies a condition for a successful attack
- Consequence specifies a possible result
- If the timing allows it (the consequence is established before the later alert), a consequence may fulfil another alert's prerequisite
- This yields a (may-)prepare-for relation

Prerequisite-consequence analysis (2). Example hyper-alert correlation graph. Source: Ning et al., "Techniques and Tools for Analyzing Intrusion Alerts", 2004.
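A graph like the one on the slide can be built from a few hyper-alert types and a prepare-for test. The block below is an added example in the style of Ning's hyper-alerts, not the lecture's or Ning's code: the hyper-alert types, predicate names and alerts are constructed, prerequisites are simplified to a conjunction of predicates (Ning allows logical formulas), and each alert has a single timestamp instead of begin/end times.

```python
"""Prerequisite/consequence correlation into a hyper-alert correlation graph.
Added example, not the lecture's code; types, predicates and alerts are constructed."""

# Hyper-alert types: predicates are tuples (name, attr, attr, ...); each attr names
# an alert field whose value instantiates the predicate for a concrete alert.
HYPER_ALERT_TYPES = {
    "Port_Scan":        {"prereq": [],
                         "conseq": [("ExistsService", "dst", "dport")]},
    "Service_Overflow": {"prereq": [("ExistsService", "dst", "dport")],
                         "conseq": [("GainAccess", "dst")]},
    "Rsh":              {"prereq": [("GainAccess", "src")],   # attacker already owns the source
                         "conseq": [("SystemCompromised", "dst")]},
    "DDoS_Daemon":      {"prereq": [("SystemCompromised", "dst")],
                         "conseq": [("ReadyForDDoS", "dst")]},
}

SAMPLE_ALERTS = [   # constructed; t in seconds
    dict(id=1, type="Port_Scan",        t=0,   src="192.0.2.50",    dst="198.51.100.7",  dport=111),
    dict(id=2, type="Service_Overflow", t=60,  src="192.0.2.50",    dst="198.51.100.7",  dport=111),
    dict(id=3, type="Rsh",              t=120, src="198.51.100.7",  dst="198.51.100.20", dport=514),
    dict(id=4, type="DDoS_Daemon",      t=180, src="198.51.100.20", dst="198.51.100.20", dport=None),
    dict(id=5, type="Port_Scan",        t=30,  src="203.0.113.9",   dst="198.51.100.40", dport=22),
    # Rsh from a host nobody has compromised yet: its prerequisite is only met later, so no edge.
    dict(id=6, type="Rsh",              t=5,   src="198.51.100.7",  dst="198.51.100.21", dport=514),
]


def instantiate(pred, alert):
    """Bind a predicate's attribute names to the alert's values."""
    name, *attrs = pred
    return (name,) + tuple(alert[a] for a in attrs)


def prepares_for(a, b):
    """a may-prepare-for b: a consequence of a equals a prerequisite of b and a
    precedes b. The temporal check is what stops a later alert from 'explaining'
    an earlier one."""
    if a["t"] >= b["t"]:
        return False
    conseq = {instantiate(p, a) for p in HYPER_ALERT_TYPES[a["type"]]["conseq"]}
    prereq = {instantiate(p, b) for p in HYPER_ALERT_TYPES[b["type"]]["prereq"]}
    return bool(conseq & prereq)


def correlation_graph(alerts):
    """Directed edges (id_a, id_b) of the hyper-alert correlation graph."""
    return {(a["id"], b["id"]) for a in alerts for b in alerts
            if a is not b and prepares_for(a, b)}


def scenarios(alerts, edges):
    """Connected components with at least two alerts: the candidate attack scenarios."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for u, v in edges:
        parent[find(u)] = find(v)
    groups = {}
    for a in alerts:
        groups.setdefault(find(a["id"]), []).append(a["id"])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    edges = correlation_graph(SAMPLE_ALERTS)
    print(sorted(edges))
    print(scenarios(SAMPLE_ALERTS, edges))
```

The scan, overflow, rsh and daemon alerts chain into one scenario; the unrelated scan and the too-early rsh stay isolated. Note that the chain is only as good as the predicate vocabulary: two sensors calling the same thing "GainAccess" and "UserShell" never link, which is the semantics problem from the normalization slide showing up again.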

Purpose and value of the correlation process, anno 2005. Not discussed: Bayesian and Granger-causality approaches to behaviour-based correlation.

Feedback! Questions?