Lesson #8: Correlation. Matthijs Koot (koot@uva.nl) 2007-05-10 / SNE-IDS college 06-07


Lesson #8: Correlation. Faculteit van Natuurwetenschappen, Wiskunde en Informatica (Faculty of Science), Universiteit van Amsterdam. 2007-05-10 / SNE-IDS college 06-07

Outline

Warning. Don't expect the topics discussed today to be reflected in next year's IDS products (except perhaps by their marketeers). Consider them a "way forward", one that will require cooperation and consensus from non-IDS vendors as well.


Events and alerts. Event correlation vs. alert correlation.

Definitions (Dan Gorton, 2001).
- Intrusion event correlation refers to the interpretation, combination, and analysis of neutral events from all available sources, about target system activity, for the purposes of intrusion detection and response.
- Intrusion alert correlation refers to the interpretation, combination, and analysis of intrusion alerts, together with information external to the intrusion detection system, with the purpose of intrusion alert refinement and intrusion scenario building.


Logging policy: what loggables should be logged? Consider:
- Guidelines on logging for security purposes. Ask thyself: which loggables are relevant to detecting threats? "Best logging practices"; security expert advice.
- Abstraction level: data activity, application activity, OS activity, network activity.
- Context: security domain/level, asset value; public vs. non-public infrastructure (churn).

Alerting policy: which events yield an alert? Consider:
- Guidelines on alerting. Ask thyself: which combination of events indicates an intrusion? "Best alerting practices"; security expert advice.
- Context (again): security domain/level, asset value; public vs. non-public infrastructure (churn).
- BUT ALSO: a business-specific understanding of threat and intrusion. An alerting policy MUST be resolvable to business goals and SHOULD be resolvable to IT goals.


Goals. Correlation aims to:
- Reduce the total number of alerts: elimination, fusion, aggregation, synthesis.
- Improve diagnostics: type of activity, relevance, verification.
- Track activity: information leaked to the attacker, information leaked from the attacker.

Correlation process. Source: Kruegel, Valeur, Vigna, "Intrusion Detection and Correlation: Challenges and Solutions", Springer 2005. The process as laid out there runs: normalisation, pre-processing, alert fusion, alert verification, thread reconstruction, attack session reconstruction, focus recognition, multi-step correlation, impact analysis, prioritisation.


Syntax AND semantics. Syntax: CIDF yielded the IETF IDWG, which yielded IDMEF/IDXP (next slides). Semantics: under construction: CVE, intrusion alert ontologies, ... Source: Kruegel, Valeur, Vigna, "Intrusion Detection and Correlation: Challenges and Solutions", Springer 2005.

IDMEF data model. IDMEF = Intrusion Detection Message Exchange Format (RFC 4765, XML-based). An IDMEF-Message carries Alert or Heartbeat messages; an Alert has an Analyzer, a CreateTime, Source(s), Target(s) and a Classification that can reference external identifiers such as CVE names.

IDXP transport model. IDXP = Intrusion Detection Exchange Protocol (RFC 4767). BEEP = Blocks Extensible Exchange Protocol (RFC 3080). IDXP carries IDMEF messages and is implemented as a BEEP profile.
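The syntax side of normalisation, as an added example that is not part of the lecture: parse one IDMEF alert (RFC 4765 element names and the http://iana.org/idmef namespace) into a flat record that later correlation steps can compare field by field. The message below is constructed; the sensor id, hosts and times are made up, while the CVE reference is the real IIS ISAPI .ida overflow so the semantic hook is meaningful. The parser also checks that the mandatory ntpstamp agrees with the ISO timestamp, a cheap sanity check on sensors with broken clocks.

```python
"""Parse one IDMEF (RFC 4765) alert into a flat, normalised record."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IDMEF_NS = {"idmef": "http://iana.org/idmef"}
NTP_EPOCH_OFFSET = 2208988800          # seconds between 1900-01-01 and 1970-01-01

# Constructed sample message (hosts, sensor id and message id are made up).
SAMPLE_MESSAGE = """<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef">
  <Alert messageid="a1">
    <Analyzer analyzerid="nids-dmz-1" model="example-nids"/>
    <CreateTime ntpstamp="0xc9ed6f42.0x00000000">2007-05-10T10:15:30Z</CreateTime>
    <Source>
      <Node><Address category="ipv4-addr"><address>192.0.2.10</address></Address></Node>
    </Source>
    <Target>
      <Node><Address category="ipv4-addr"><address>198.51.100.20</address></Address></Node>
      <Service><port>80</port><protocol>tcp</protocol></Service>
    </Target>
    <Classification text="WEB-IIS ISAPI .ida attempt">
      <Reference origin="cve">
        <name>CVE-2001-0500</name>
        <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0500</url>
      </Reference>
    </Classification>
  </Alert>
</IDMEF-Message>
"""


def parse_idmef_alert(xml_text):
    """Return a dict with the attributes correlation usually keys on."""
    root = ET.fromstring(xml_text)
    alert = root.find("idmef:Alert", IDMEF_NS)
    if alert is None:
        raise ValueError("not an IDMEF Alert message (Heartbeat or unknown)")

    def text(path):
        node = alert.find(path, IDMEF_NS)
        return node.text.strip() if node is not None and node.text else None

    # CreateTime: ISO text plus the mandatory NTP timestamp; check they agree.
    create = alert.find("idmef:CreateTime", IDMEF_NS)
    when = datetime.strptime(create.text.strip(), "%Y-%m-%dT%H:%M:%SZ")
    when = when.replace(tzinfo=timezone.utc)
    ntp_seconds = int(create.get("ntpstamp").split(".")[0], 16)
    consistent = ntp_seconds == int(when.timestamp()) + NTP_EPOCH_OFFSET

    # Classification text is free-form; CVE references are the semantic anchor.
    cves = tuple(
        ref.find("idmef:name", IDMEF_NS).text.strip()
        for ref in alert.findall("idmef:Classification/idmef:Reference", IDMEF_NS)
        if ref.get("origin") == "cve"
    )
    port = text("idmef:Target/idmef:Service/idmef:port")
    return {
        "messageid": alert.get("messageid"),
        "analyzer": alert.find("idmef:Analyzer", IDMEF_NS).get("analyzerid"),
        "time": when,
        "ntpstamp_consistent": consistent,
        "src": text("idmef:Source/idmef:Node/idmef:Address/idmef:address"),
        "dst": text("idmef:Target/idmef:Node/idmef:Address/idmef:address"),
        "dport": int(port) if port else None,
        "proto": text("idmef:Target/idmef:Service/idmef:protocol"),
        "classification": alert.find("idmef:Classification", IDMEF_NS).get("text"),
        "cves": cves,
    }


if __name__ == "__main__":
    for key, value in parse_idmef_alert(SAMPLE_MESSAGE).items():
        print(f"{key:>20}: {value}")
```

Only the first Source and Target address are taken; a real normaliser would keep all of them, since IDMEF allows several per alert and a scan alert typically lists many targets.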


Alert fusion. Recognise and remove redundancy in alerts from different sensors that report the same underlying event.

Alert verification.
- Passive: verify the target's (in)vulnerability in the CMDB (and waive OS/2 Warp attacks on MINIX machines :-)); wait for post-intrusion activity; wait for post-intrusion INactivity (missing heartbeats?).
- Active (perturbing): connect to the target and check for rogue processes; connect to the target and check config files against known-good hashes.
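The three passive checks from the slide, as an added example that is not part of the lecture: waive an alert whose referenced CVE cannot apply to the target's platform, escalate when the target starts new outbound connections right after the attack, and flag it when the target's heartbeat stops. The CMDB, the CVE-to-platform table and the event stream are constructed for the example (CVE-2001-0500 really is the IIS .ida overflow; the mapping format is ours), and the verdict strings are our own labels.

```python
"""Passive alert verification: CMDB check, then post-intrusion (in)activity."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    time: datetime
    src: str
    dst: str
    classification: str
    cves: tuple               # CVE ids referenced by the signature; may be empty


@dataclass
class Event:                  # host-side evidence used for verification
    time: datetime
    host: str
    kind: str                 # "heartbeat" or "outbound_connect"


# Constructed CMDB: what the asset database knows about each managed host.
CMDB = {
    "198.51.100.20": {"os": "windows", "software": {"iis"}},
    "198.51.100.21": {"os": "minix", "software": set()},
    "198.51.100.22": {"os": "linux", "software": {"apache"}},
}
# Constructed vulnerability knowledge: (os, software) a CVE applies to.
VULN_PLATFORMS = {"CVE-2001-0500": ("windows", "iis")}


def verify(alert, events, window=timedelta(minutes=5)):
    """Return a verdict for `alert` without touching the target."""
    host = CMDB.get(alert.dst)
    if host is None:
        return "unknown-target"              # unmanaged asset: nothing to waive against
    # 1. (In)vulnerability: does any referenced CVE apply to this platform?
    known = [VULN_PLATFORMS[c] for c in alert.cves if c in VULN_PLATFORMS]
    if known and not any(os_ == host["os"] and sw in host["software"]
                         for os_, sw in known):
        return "irrelevant"                  # the OS/2 Warp attack on a MINIX box
    # 2. Post-intrusion activity: did the target start behaving like a victim?
    after = [e for e in events
             if e.host == alert.dst and alert.time <= e.time <= alert.time + window]
    if any(e.kind == "outbound_connect" for e in after):
        return "activity-after-attack"
    # 3. Post-intrusion INactivity: did its heartbeat go missing?
    if not any(e.kind == "heartbeat" for e in after):
        return "silent-after-attack"
    return "unverified"


# Constructed sample data: one attacker hitting four targets at the same time.
T0 = datetime(2007, 5, 10, 10, 15, 30)
ATTACKER = "192.0.2.10"
IDA = ("WEB-IIS ISAPI .ida attempt", ("CVE-2001-0500",))
NOOP = ("SHELLCODE x86 NOOP", ())            # signature without a CVE reference
EVENTS = [
    Event(T0 - timedelta(minutes=1), "198.51.100.20", "heartbeat"),
    Event(T0 + timedelta(minutes=1), "198.51.100.20", "heartbeat"),
    Event(T0 + timedelta(minutes=3), "198.51.100.20", "outbound_connect"),
    Event(T0 + timedelta(minutes=1), "198.51.100.21", "heartbeat"),
    Event(T0 - timedelta(minutes=1), "198.51.100.22", "heartbeat"),  # last one seen
]
ALERTS = {
    "ida-vs-iis": Alert(T0, ATTACKER, "198.51.100.20", *IDA),
    "ida-vs-minix": Alert(T0, ATTACKER, "198.51.100.21", *IDA),
    "noop-vs-minix": Alert(T0, ATTACKER, "198.51.100.21", *NOOP),
    "noop-vs-linux": Alert(T0, ATTACKER, "198.51.100.22", *NOOP),
    "ida-vs-unmanaged": Alert(T0, ATTACKER, "198.51.100.23", *IDA),
}


def run_samples():
    """Verdict per sample alert."""
    return {name: verify(a, EVENTS) for name, a in ALERTS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:>18}: {verdict}")
```

A signature that references no CVE skips the platform check rather than being waived: absence of a reference is not evidence of invulnerability. The same caution applies to CMDB data that is stale, which is why the activity checks run even for managed hosts.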


Two approaches to correlation. Knowledge-based: "Aha! These alerts match <attack-pattern>." Behaviour-based (statistical): "I don't know what's happening, but these alerts appear (statistically) related."

Alert thread reconstruction. Cluster alerts into threads based on spatial and temporal proximity: incoming alerts are added to their best-matching thread, and one thread represents one attack (session). Questions to ask:
- Which attributes should be compared?
- How is a comparison actually done?
- What weight is assigned to each attribute?
> Similarity matrices and similarity expectations require human knowledge, (re)introducing human fallibility (Ning).
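Alert fusion and thread reconstruction run back to back, as one added example that is not part of the lecture and serves both slides: fusion collapses alerts that different sensors raised for the same event, then each fused alert is assigned to the thread whose most recent alert it resembles most, using a weighted similarity over source, target, classification and time. The alert stream, the sensor names and the weights are constructed for the example; the weights are exactly the "similarity expectations" the slide warns about and are our choice, not values from the lecture or the literature.

```python
"""Alert fusion followed by alert thread reconstruction over a small alert stream."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:                     # one sensor alert, already normalised
    time: datetime
    analyzer: str
    src: str
    dst: str
    classification: str


@dataclass
class FusedAlert:                # one event as reported by one or more sensors
    first: datetime
    last: datetime
    analyzers: set
    src: str
    dst: str
    classification: str


@dataclass
class Thread:                    # one attack session
    alerts: list = field(default_factory=list)


def fuse(alerts, window=timedelta(seconds=2)):
    """Alert fusion: alerts from *different* sensors reporting the same
    (src, dst, classification) within `window` collapse into one FusedAlert.
    Repeats from the same sensor are left alone: that is aggregation, not fusion."""
    fused = []
    for a in sorted(alerts, key=lambda x: x.time):
        for f in fused:
            if ((f.src, f.dst, f.classification) == (a.src, a.dst, a.classification)
                    and a.time - f.last <= window
                    and a.analyzer not in f.analyzers):
                f.analyzers.add(a.analyzer)
                f.last = a.time
                break
        else:
            fused.append(FusedAlert(a.time, a.time, {a.analyzer},
                                    a.src, a.dst, a.classification))
    return fused


# Attribute weights (our assumption): source counts most, classification least,
# because one attacker usually tries several things against one target.
WEIGHTS = {"src": 0.4, "dst": 0.3, "classification": 0.1, "time": 0.2}


def similarity(thread, alert, time_scale=timedelta(minutes=10)):
    """Weighted similarity between an alert and the newest alert in a thread."""
    last = thread.alerts[-1]
    score = 0.0
    for attr in ("src", "dst", "classification"):
        if getattr(last, attr) == getattr(alert, attr):
            score += WEIGHTS[attr]
    gap = abs(alert.first - last.last)
    score += WEIGHTS["time"] * max(0.0, 1.0 - gap / time_scale)   # linear decay
    return score


def reconstruct_threads(fused, threshold=0.6):
    """Assign each fused alert to its best-matching thread, or open a new one."""
    threads = []
    for a in sorted(fused, key=lambda x: x.first):
        best = max(threads, key=lambda t: similarity(t, a), default=None)
        if best is not None and similarity(best, a) >= threshold:
            best.alerts.append(a)
        else:
            threads.append(Thread([a]))
    return threads


# Constructed stream: a ping/scan/exploit session seen by two sensors, plus one
# unrelated scan from a second source.
T0 = datetime(2007, 5, 10, 10, 15, 30)
S = lambda n: T0 + timedelta(seconds=n)
SAMPLE_ALERTS = [
    Alert(S(0),  "nids-A", "192.0.2.10",  "198.51.100.20", "ICMP PING"),
    Alert(S(1),  "nids-B", "192.0.2.10",  "198.51.100.20", "ICMP PING"),
    Alert(S(10), "nids-A", "192.0.2.10",  "198.51.100.20", "SCAN nmap TCP"),
    Alert(S(30), "nids-A", "203.0.113.5", "198.51.100.30", "SCAN nmap TCP"),
    Alert(S(60), "nids-A", "192.0.2.10",  "198.51.100.20", "WEB-IIS ISAPI .ida attempt"),
    Alert(S(60), "nids-B", "192.0.2.10",  "198.51.100.20", "WEB-IIS ISAPI .ida attempt"),
    Alert(S(61), "nids-A", "192.0.2.10",  "198.51.100.20", "WEB-IIS ISAPI .ida attempt"),
]


def demo():
    """Fuse the sample stream and reconstruct threads from it."""
    fused = fuse(SAMPLE_ALERTS)
    return fused, reconstruct_threads(fused)


if __name__ == "__main__":
    fused, threads = demo()
    print(f"{len(SAMPLE_ALERTS)} alerts -> {len(fused)} fused -> {len(threads)} threads")
    for i, t in enumerate(threads, 1):
        for a in t.alerts:
            print(f"thread {i}: {a.first.time()} {a.src} -> {a.dst} "
                  f"{a.classification} (seen by {sorted(a.analyzers)})")
```

Seven alerts become five fused alerts (the two pings and the two simultaneous .ida alerts merge; the repeat from nids-A one second later does not, because fusion only merges across sensors) and two threads: the 192.0.2.10 session and the lone scan from 203.0.113.5. Lowering the threshold or raising the time weight would pull that scan into the first thread, which is the human-fallibility point the slide makes.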


Predefined attack scenarios. Languages for specifying attack scenarios: Attack Scenario Language (Kruegel); the Chronicles formalism (Debar); LAMBDA (Cuppens).

Prerequisite-consequence analysis. Alert conditionality through hyper-alerts: (fact, prerequisite, consequence).
- The prerequisite specifies a condition for the attack to succeed.
- The consequence specifies its possible result.
- If the chronology allows it, one alert's consequence may fulfil another alert's prerequisite. This yields a (may-)prepare-for relation.

Prerequisite-consequence analysis (2). Example hyper-alert correlation graph. Source: Ning et al., "Techniques and Tools for Analyzing Intrusion Alerts", 2004.
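The prepare-for relation computed over a handful of hyper-alerts, as an added example that is not part of the lecture: each hyper-alert type carries prerequisite and consequence predicates written as templates over the alert's facts; an earlier alert prepares for a later one when an instantiated consequence of the first equals an instantiated prerequisite of the second. The hyper-alert types, predicate names and the alert instances are constructed for the example; Ning et al. allow arbitrary logical formulas in the prerequisite, whereas this example handles a plain conjunction (a set of predicates) only.

```python
"""Prerequisite/consequence correlation of hyper-alerts into a prepare-for graph."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed hyper-alert types: predicates are templates over alert attributes.
HYPER_ALERT_TYPES = {
    "ICMP_PING":        {"prereq": set(),
                         "conseq": {"ExistHost({dst})"}},
    "TCP_PORTSCAN":     {"prereq": {"ExistHost({dst})"},
                         "conseq": {"ExistService({dst},{port})"}},
    "IIS_IDA_OVERFLOW": {"prereq": {"ExistService({dst},{port})"},
                         "conseq": {"SystemCompromised({dst})"}},
    "OUTBOUND_IRC":     {"prereq": {"SystemCompromised({src})"},
                         "conseq": {"BotJoined({src})"}},
}


@dataclass
class HyperAlert:
    id: str
    type: str
    time: datetime
    facts: dict               # src, dst, port


def instantiate(templates, facts):
    """Fill predicate templates with this alert's facts."""
    return {t.format(**facts) for t in templates}


def prepare_for_edges(alerts):
    """(earlier, later, shared predicates) for every pair where earlier may prepare for later."""
    edges = []
    for h1 in alerts:
        conseq = instantiate(HYPER_ALERT_TYPES[h1.type]["conseq"], h1.facts)
        for h2 in alerts:
            if h1 is h2 or not h1.time < h2.time:      # chronology must allow it
                continue
            prereq = instantiate(HYPER_ALERT_TYPES[h2.type]["prereq"], h2.facts)
            shared = conseq & prereq
            if shared:
                edges.append((h1.id, h2.id, tuple(sorted(shared))))
    return edges


def correlation_graphs(alerts, edges):
    """Connected components of the prepare-for graph: one per candidate attack scenario."""
    parent = {a.id: a.id for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b, _ in edges:
        parent[find(a)] = find(b)
    groups = {}
    for a in alerts:
        groups.setdefault(find(a.id), []).append(a.id)
    return sorted(groups.values(), key=len, reverse=True)


# Constructed alerts: ping, scan, exploit, then the victim joining an IRC C2,
# plus an unrelated scan against another host.
T0 = datetime(2007, 5, 10, 10, 15, 30)
ATTACKER, VICTIM, C2, OTHER = "192.0.2.10", "198.51.100.20", "203.0.113.9", "198.51.100.40"
SAMPLE = [
    HyperAlert("h1", "ICMP_PING", T0, {"src": ATTACKER, "dst": VICTIM, "port": None}),
    HyperAlert("h2", "TCP_PORTSCAN", T0 + timedelta(seconds=10),
               {"src": ATTACKER, "dst": VICTIM, "port": 80}),
    HyperAlert("h3", "IIS_IDA_OVERFLOW", T0 + timedelta(seconds=60),
               {"src": ATTACKER, "dst": VICTIM, "port": 80}),
    HyperAlert("h4", "OUTBOUND_IRC", T0 + timedelta(minutes=2),
               {"src": VICTIM, "dst": C2, "port": 6667}),
    HyperAlert("h5", "TCP_PORTSCAN", T0 + timedelta(seconds=30),
               {"src": "198.51.100.77", "dst": OTHER, "port": 22}),
]


if __name__ == "__main__":
    edges = prepare_for_edges(SAMPLE)
    for a, b, shared in edges:
        print(f"{a} prepares for {b} via {', '.join(shared)}")
    print(correlation_graphs(SAMPLE, edges))
```

The result is one chain h1 -> h2 -> h3 -> h4 (ExistHost, ExistService, SystemCompromised) and h5 left on its own: the second scan happened in the right time window but against a host that no consequence of an earlier alert mentions, so temporal proximity alone does not connect it. That is the difference between this approach and the similarity-based thread reconstruction earlier.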

Purpose and value of the correlation process, as of 2005. Not discussed: Bayesian and Granger-causality methods for behaviour-based correlation.

Feedback! Questions?