Implementing Large-Scale Autonomic Server Monitoring Using Process Query Systems. Christopher Roblee Vincent Berk George Cybenko

Similar documents
Implementing Large-Scale Autonomic Server Monitoring Using Process Query Systems

Challenges in Cyber Security Experiments: Our Experience

System Specification. Author: CMU Team

A Secure Intrusion detection system against DDOS attack in Wireless Mobile Ad-hoc Network Abstract

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

MEDIAROOM. Products Hosting Infrastructure Documentation. Introduction. Hosting Facility Overview

Attack Graph Techniques

International Journal of Enterprise Computing and Business Systems ISSN (Online) :

Network- vs. Host-based Intrusion Detection

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor

ASV Scan Report Attestation of Scan Compliance

Deployment of Snort IDS in SIP based VoIP environments

Application Performance Testing Basics

Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

O S S I M. Open Source Security Information Manager. User Manual

A Novel Approach for Evaluating and Detecting Low Rate SIP Flooding Attack

Distributed Denial of Service (DDoS)

DoS: Attack and Defense

IDS / IPS. James E. Thiel S.W.A.T.

Strategies to Protect Against Distributed Denial of Service (DD

Intrusion Detection Systems with Correlation Capabilities

How to Detect and Prevent Cyber Attacks

From Network Security To Content Filtering

Development of a Network Intrusion Detection System

Red Hat Network Satellite Management and automation of your Red Hat Enterprise Linux environment

Red Hat Network: Monitoring Module Overview

EWeb: Highly Scalable Client Transparent Fault Tolerant System for Cloud based Web Applications

Red Hat Satellite Management and automation of your Red Hat Enterprise Linux environment

CISCO WIRELESS CONTROL SYSTEM (WCS)

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

Cisco Integrated Services Routers Performance Overview

Security Event Management. February 7, 2007 (Revision 5)

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Concept and Project Objectives

Denial of Service and Anomaly Detection

DJRA1.6 FINAL RELEASE OF NEW GRID MIDDLEWARE SERVICES

Performance Evaluation of VMXNET3 Virtual Network Device VMware vsphere 4 build

Where can I install GFI EventsManager on my network?

CentOS Linux 5.2 and Apache 2.2 vs. Microsoft Windows Web Server 2008 and IIS 7.0 when Serving Static and PHP Content

A Quantitative Approach to Security Monitor Deployment

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

Cisco Wireless Control System (WCS)

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

Netowork QoS Provisioning Engine for Distributed Real-time and Embedded Systems

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR

Intrusion Detection in AlienVault

Taxonomy of Intrusion Detection System

ENTERPRISE-CLASS MONITORING SOLUTION FOR EVERYONE ALL-IN-ONE OPEN-SOURCE DISTRIBUTED MONITORING

First Line of Defense

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

The SIEM Evaluator s Guide

NETWORK PENETRATION TESTING

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

Where can I install GFI EventsManager on my network?

Worm Detection: Network-internal Mechanisms and Infrastructure

Cloud Resilient Architecture (CRA) -Design and Analysis. Hamid Alipour Salim Hariri Youssif-Al-Nashif

: SENIOR DESIGN PROJECT: DDOS ATTACK, DETECTION AND DEFENSE SIMULATION

Business white paper. HP Process Automation. Version 7.0. Server performance

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

DDoS Protection Technology White Paper

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006

Agility Database Scalability Testing

CSE331: Introduction to Networks and Security. Lecture 18 Fall 2006

Course Title: Penetration Testing: Security Analysis

Network Mission Assurance

White Paper Integrating The CorreLog Security Correlation Server with BMC Software

Cisco Application Networking Manager Version 2.0

Oracle Database Scalability in VMware ESX VMware ESX 3.5

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

A Transport Protocol for Multimedia Wireless Sensor Networks

SECURING APACHE : DOS & DDOS ATTACKS - I

Product Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity

VEA-bility Security Metric: A Network Security Analysis Tool

Benefits. Product Overview. There is nothing more important than our customers. DATASHEET

A Case Study on Constructing a Security Event Management (SEM) System

- Introduction to PIX/ASA Firewalls -

Wedge Networks: Transparent Service Insertion in SDNs Using OpenFlow

Protecting Critical Infrastructure

Network Intrusion Detection Systems

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Adobe LiveCycle Data Services 3 Performance Brief

Capacity Planning Guide for Adobe LiveCycle Data Services 2.6

RiMONITOR. Monitoring Software. for RIEGL VZ-Line Laser Scanners. Ri Software. visit our website Preliminary Data Sheet

A Senior Design Project on Network Security

Second-generation (GenII) honeypots

Transcription:

Implementing Large-Scale Autonomic Server Monitoring Using Process Query Systems Christopher Roblee Vincent Berk George Cybenko

These slides are based on the paper Implementing Large-Scale Autonomic Server Monitoring Using Process Query Systems by: Roblee, C. Berk, V. Cybenko, G.

Paper Contribution A scalable approach to detect networks intrusions is proposed. The process model can reduce false positive rate Our system combines user-space process monitoring, such as system load, I/O load, and fork behavior with intrusion detection data and loads it into the PQS processing core.

TRAFEN PQS tracks processes & create states + Sensor collect and pre-process state data Events Generated

Process Query System (PQS) A technology that allows us to quickly and easily integrate multiple sensor sources and model human system administrator analysis in order to obtain fast and accurate results, with a significantly reduced overhead. M3 : three generic server states: Q3 = {Nominal, Questionable, Compromised}.

Nominal Questionable Compromised

Nominal Questionable Compromised TRAFEN receives the following sequence of host and networklevel observations for an observed host : e1.2 = (SYS.PROCS.GROWTH ) (SYS.CPU )

Nominal Questionable Compromised Red : a host that has most likely been compromised, & requires immediate attention from an administrator or an autonomic healing mechanism.

Example failure scenarios (s 3, s 4 ) on the observed host: M 3 h e h f h a h a n a n b M 4 h e h f h g h a h g h g h g h g h g h g B < p(s 3 h 1:t,n 1:t ) < A p(s 4 h 1:t ) > B, s4 is deemed the fault scenario occurring in the observed environment. > A, s3 is deemed the fault scenario. between A and B, however, the system waits until more observations are received. By adjusting A and B, we can control the sensitivity of the response mechanism and enforce a minimum confidence before taking any action. The slope thresholds and sampling window length control the sensitivity of the sensor. Thus reduce the false alarms

User-space Sensors The purpose of the user-space sensor is to collect and pre-process host-level state data and to generate sufficient, meaningful events in order to enable host verification at higher levels in the system. Events are generated on a reactive basis when short-term or long-term anomalies in any of the monitored host metrics are detected. These events are subsequently published to the TRAFEN system as observations over a dedicated TCP socket connection. Observations are treated as possible symptoms of larger-scale host or service failures, or security compromises.

Raw data 4 sec 5 samples The sensors state extractor modules poll all of the monitored processes & system metrics once every four seconds. The sensor s evaluator modules smooth these continuous metric streams over a window of five samples. Two decoupled modules: a state extractor and an evaluator.

TRAFEN configuration TRAFEN simultaneously evaluate observation streams using multiple models to formulate causal alternatives for each detected host failure or performance degradation.

4. Results One experiment only!

Experiments Test-bed: notional DMZ 4 Pentium III & IV servers (Instrumented with a users pace sensor) Running Red- Hat Linux & Apache HTTP server 2.0.40 or 2.0.52 1 server on a separate network to launch continuous manual DoS attacks. Sensors are configured to monitor the httpd, bash, & sh processes.

Experimental Setup The TRAFEN engine Runs on a local Sun Fire 210 server with dual 1GHz UltraSPARC III processors & Solaris 9, & listens for observations from the monitored hosts over a dedicated TCP socket. Listens for observations from a mainstream network intrusion detection sensor (Snort), which monitors network traffic on the DMZ. Hence, we have two independent observation spaces. Reports its real-time conclusions to a web-based user interface, which displays tracks of observations & associated scores. The scores (track likelihoods) are a quantitative measure between 0.0 & 1.0 of how likely a track of observations indicates an attack or failure scenario described by a submitted process model.

Experimental Setup The simulated attack sequence is as follows: Using nmap, attacker initiates an asymmetric stealth port scan of the four DMZ servers from the external attack host to identify potentially vulnerable targets; Attacker waits for all scan results & notices that each server is listening on port 8000; Attacker waits an additional 30 seconds & launches an Apache DoS attack against one server (host 3), listening on port 8000; Attacker waits 30 seconds & terminates the attack.

Progression of the estimated likelihood of compromise for 4 servers monitored by TRAFEN, using M3. Host 3 is the victim server High severity Medium severity Low severity 10 min

210 seconds 390 seconds into experiment, 110 sec after scan starts 415 seconds into experiment, 19 seconds after attack start

Most profound is the exclusive prevalence of PROC.MEM observations, which correspond to the acute growth in memory utilization of the overloaded Apache server (httpd) processes in response to the HTTP request flood. PROC.SPAWN observations correspond primarily to the forking of child server processes for handling the incoming requests. It is especially worth noting how the distribution of Snort reconnaissance observations is relatively uniform across the four servers.

Conclusion A promising new methodology & supporting architecture to automate rapid problem determination for multiple servers is presented. By combining the scalability, robust data collection, model abstraction, & hypothesis management capabilities of PQS, we were able to apply a fundamentally less complex & intrusive host sensor paradigm to rapidly detect a multi-stage denial of service attack against a server network. Reduced false positives by using process models to probabilistically correlate host-level symptoms of performance degradation with network context.

Critique Information are collected only from single host. Aggregating data from multiple hosts Small environment 4 servers (scalability) Automation- Self monitoring

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information