System Specification. Author: CMU Team



Similar documents
SURVEY OF INTRUSION DETECTION SYSTEM

Development of a Network Intrusion Detection System

Tk20 Network Infrastructure

Vulnerability Assessment Using Nessus

How To Protect A Network From Attack From A Hacker (Hbss)

Observation and Findings

Cisco IPS Tuning Overview

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Performance Evaluation of Intrusion Detection Systems

A Review on Network Intrusion Detection System Using Open Source Snort

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

Web Application Security

Contents. Intrusion Detection Systems (IDS) Intrusion Detection. Why Intrusion Detection? What is Intrusion Detection?

International Journal of Enterprise Computing and Business Systems ISSN (Online) :

CHAPTER 1 INTRODUCTION

Attack Graph Techniques

Implementing Large-Scale Autonomic Server Monitoring Using Process Query Systems. Christopher Roblee Vincent Berk George Cybenko

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Fuzzy Network Profiling for Intrusion Detection

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

Is your SIEM ready.???

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Conclusions and Future Directions

Role of Anomaly IDS in Network

Security Event Management. February 7, 2007 (Revision 5)

NETWORK PENETRATION TESTING

The SIEM Evaluator s Guide

IDS / IPS. James E. Thiel S.W.A.T.


Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

Taxonomy of Intrusion Detection System

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Exam 1 - CSIS 3755 Information Assurance

Radware s Behavioral Server Cracking Protection

Banking Security using Honeypot

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Εmerging Ways to Protect your Network

Name. Description. Rationale

The Integration of SNORT with K-Means Clustering Algorithm to Detect New Attack

Cisco Remote Management Services for Security

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

MINDS: A NEW APPROACH TO THE INFORMATION SECURITY PROCESS

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

Intrusion Detection System using Log Files and Reinforcement Learning

Bio-inspired cyber security for your enterprise

Speedy Signature Based Intrusion Detection System Using Finite State Machine and Hashing Techniques

How To Protect Your Network From Attack From A Hacker On A University Server

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

SANS Top 20 Critical Controls for Effective Cyber Defense

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

CSCI 4250/6250 Fall 2015 Computer and Networks Security

KEITH LEHNERT AND ERIC FRIEDRICH

Network Based Intrusion Detection Using Honey pot Deception

Evaluation of Penetration Testing Software. Research

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT

Protecting the Extended Enterprise Network Security Strategies and Solutions from ProCurve Networking

First Line of Defense

Tenable Tools for Security Compliance The Antivirus Challenge

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

On-Premises DDoS Mitigation for the Enterprise

Taxonomy of Hybrid Honeypots

International Journal of Computer Science Trends and Technology (IJCST) Volume 3 Issue 3, May-June 2015

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

Guidance Regarding Skype and Other P2P VoIP Solutions

Configuring Virtual Switches for Use with PVS. February 7, 2014 (Revision 1)

Second-generation (GenII) honeypots

Tunisia s experience in building an ISAC. Haythem EL MIR Technical Manager NACS Head of the Incident Response Team cert-tcc

Table of Contents. Page 2/13

CTS2134 Introduction to Networking. Module Network Security

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

funkwerk packetalarm NG IDS/IPS Systems

FIREWALL ARCHITECTURES

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Mobile, Cloud, Advanced Threats: A Unified Approach to Security

INTRUSION DETECTION SYSTEMS and Network Security

Building A Secure Microsoft Exchange Continuity Appliance

Running the SANS Top 5 Essential Log Reports with Activeworx Security Center

Deploying Firewalls Throughout Your Organization

Security Information Management

How to build a security assessment program. Dan Boucaut

A Survey on Intrusion Detection System with Data Mining Techniques

IBM QRadar Security Intelligence April 2013

Firewalls, Tunnels, and Network Intrusion Detection

A Proposed Architecture of Intrusion Detection Systems for Internet Banking

A SURVEY ON GENETIC ALGORITHM FOR INTRUSION DETECTION SYSTEM

A NOVEL APPROACH FOR PROTECTING EXPOSED INTRANET FROM INTRUSIONS

Transcription:

System Specification Author: CMU Team Date: 09/23/2005

Table of Contents: 1. Introduction...2 1.1. Enhancement of vulnerability scanning tools reports 2 1.2. Intelligent monitoring of traffic to detect possible attacks 2 2. System Architecture 2 3. Technical Specifications 3 3.1. Information Collection 3 3.2. Data Analysis 3 3.3. Report Generation and Presentation 4 4. Summary 4 1

1. Introduction Despite a multitude of efforts and a wide variety of approaches devoted towards computer security, guaranteeing secured computer networks is still a grave challenge. We propose a system that would contribute significantly towards these efforts. The system would provide a dual functionality: Enhancement of vulnerability scanning tools reports Intelligent monitoring of traffic to detect possible attacks 1.1. Enhancement of vulnerability scanning tools reports: The proposed system would enhance the power of vulnerability scanning tools such as Nessus by categorizing the different vulnerabilities as well as the possible security attacks that the host is likely to yield to due to these vulnerabilities. The different vulnerabilities identified by Nessus would be appropriately mapped into these vulnerability categories, and the corresponding security attack type would be identified, hence providing more useful and easy to understand information that would enhance the usability and effectiveness of Nessus. In addition, a userfriendly and visually interactive interface would be included that would enable users to better understand the reports generated by Nessus. 1.2. Intelligent monitoring of traffic to detect possible attacks: The proposed system would also provide an added intelligent component that would monitor the flow of traffic in the network, analyze it and detect possible attack scenarios. The module would possess the ability to behave as both a misuse detection as well as anomaly detection system. Hence, it would be able to identify the type of attack, if the attack is of a known attack type and would also be able to identify an attack as anomalous if the attack is new and previously unseen. This would be a significant leap from the functioning of standard vulnerability scanning tools such as Nessus. The system architecture and the technical specifications of proposed system are provided below: 2. System Architecture As shown in Fig.1, the procedure would include four phases: information collection, data analysis, report generation, and presentation. In the first phase, information collection, Nessus client programs would be installed and set up on the protected machines. Also traffic would be captured on router span port or PCAP on the firewall. The data analysis phase would include both vulnerability and traffic analysis. The vulnerability scanning function would come from Nessus with its own vulnerability knowledge base. Possible vulnerabilities would be evaluated according to the response from Nessus clients. Our system would provide the traffic analyzer, which would analyze the network traffic collected in the previous phase. In the third phase, report generation, both vulnerability and attack reports would be generated based on the analysis carried out in the previous phase. In the final phase, these reports would be presented in a web- 2

based utility with a user-friendly and visually interactive interface. Collectively, these four phases would offer an effective dual functionality of enhancing the effectiveness of Nessus and also providing an intelligent module that monitors the traffic to detect possible attacks. 3. Technical Specifications Fig. 1: System Architecture 3.1. Information Collection: As shown in Fig. 2, Nessus clients would connect to the Nessus server via Ethernet. Internal firewalls drop the rapid-fire connections generated by vulnerability scanners, and are thus a problem that plague the vulnerability assessment teams. The Nessus serves would thus be put on the local loopback with Nessus clients. There are two approaches being considered to capture network traffic. One is to use the span port in the router. This approach has the advantage of not affecting the operation of local machines. However, all network administrators cannot access the router and not all routers support this function. The alternative approach is to deploy sensors on protected machines and report the network traffic regularly. This would however, increase the load on protected machines and in turn decrease the performance of the local network. Both approaches are currently being evaluated. All traffic information would be stored in a MySQL database. 3.2. Data Analysis: Pattern recognition and machine learning techniques would be at the heart of this module. Pattern recognition techniques not only provide us with the tools to match attack signatures and hence identify the type of attack, but also provide us with the generalization power to identify a new type of attack as anomalous behavior and report it as a potential attack. Pattern recognition 3

techniques have been shown to provide a good compromise between the sensitivity of the intrusion detection system to identify attacks, and lowering the false alarm rates. Neural networks would be used as a classification tool to identify attack scenarios. Several different sources such as traffic statistics, contents information and basic information about the connections can provide useful indications regarding the possibility of an attack. Information would be combined from these different sources using sophisticated pattern recognition algorithms to make more reliable decisions about whether an observed traffic pattern is a potential attack or not. Fig. 2: Deployment Scenario 3.3. Report Generation and Presentation: Apache would be used to build a web server which offers a web-based interface to evaluate all the reports generated by both the Nessus server and the traffic analyzer. Nessus provides several report files in different formats. Most of these different format styles seem lengthy and obscure for users. Thus we would provide a user friendly and easily accessible interface via a web based report presentation and report the appropriate mappings of the different vulnerabilities identified by Nessus into the different vulnerabilities and attack categories. The status of the network traffic as analyzed by the traffic analyzer (normal or malicious and possibly the specific type of malicious activity) would also be shown through the same interface. 4. Summary To summarize, the proposed system would not only provide an enhancement to vulnerability scanning tools such as Nessus in the form of a plug-in to make the reports more user-friendly, but more significantly, would provide an intelligent traffic analyzer module, that makes it a more complete and versatile computer security tool. 4

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information