Basic Concepts in Intrusion Detection

Size: px
Start display at page:

Download "Basic Concepts in Intrusion Detection"

Transcription

1 Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ

2 Outline 2 Introduction Classification Error rates Attack detection techniques Anomaly detection techniques Denial-of-service attacks Distributed denial-of of-service attacks Rule-based anomaly detection techniques Statistical anomaly detection techniques Statistical anomaly detection techniques - Examples 2

3 Introduction 3 An intrusion detection system (IDS) aims at detecting and logging malicious, abusive, or suspicious processes, activities, or events in an information system such as a host computer or a system of computers communicating with each other via a communications network In particular, a communications network, such as the Internet, may utilize the Internet Protocol (IP) as a communication protocol A host-based IDS is running on a single host and mainly logs suspicious and unauthorized events or activities and changes to system files and configurations A network-based IDS captures network packets on relevant network segments and inspects them 3

4 Introduction 4 An intrusion prevention system (IPS) is in addition capable of taking an immediate action following intrusion detection, such as dropping malicious packets, blocking all further traffic from a particular IP address, or traffic shaping in terms of available transmission bandwidth A network-based IDS/IPS has to deal with large volumes of data and hence has to be computationally very efficient. As the business cost of network problems may be high, especially for large networks (e.g., telephone operators, large corporations, etc.), it is practically very important to have effective solutions for IDS/IPS in these networks. 4

5 Classification 5 Two main types of intrusion detection techniques: Attack detection (attack-based) techniques Anomaly detection (anomaly-based) techniques Attack detection (attack-based, signature-based, patternbased, or knowledge-based) techniques utilize a description (signature, pattern) of a particular attack (e.g., a virus, worm, or other malicious software) inspect the observed traffic or file data and decide if it is consistent with this description or not attack is declared in the case of detected consistency 5

6 Classification 6 Anomaly detection (anomaly-based or behavior-based) techniques utilize a description (profile, model) of normal/standard traffic or events, rather than anomalous attack traffic or events inspect the observed traffic data or events and decide if they are consistent with this description or not attack or anomalous traffic is declared in the case of detected inconsistency better suited for proprietary solutions less effective against known attacks, but are expected to be effective against unknown or new attacks 6

7 Error Rates 7 False negative rate (FNR) Probability of not declaring an attack when there is an attack, that is, probability of missing an attack False positive rate (FPR) Probability of declaring an attack when there is no attack, that is, probability of false alarm 7

8 Attack Detection Techniques 8 Require prior knowledge of each particular attack targeted Include databases of attack signatures and efficient search algorithms for string matching Have to be continuously updated with new signatures corresponding to new attacks that appear In principle, a signature can also describe a type of attacks instead of a particular attack Anti-virus software vendors tend to provide signatures for new attacks as soon as possible (hours or days) 8

9 Attack Detection Techniques 9 Have zero false negative rates, for targeted attacks Have zero or (very) small false positive rates, for targeted attacks, the more so if the used signatures are more specific and hence closer to characterizing, not just describing the attacks Incapable of detecting previously unknown (not targeted) attacks Are very reliable to be used for in-line intrusion prevention and especially effective against virus, worm, Trojan, spyware, and other malicious software attacks Suitable for personal usage as well as for small, medium, and large enterprises 9

10 Anomaly Detection Techniques 10 Do not require prior knowledge of particular attacks and as such are in principle capable of detecting previously unknown attacks In principle, require modeling or profiling of normal traffic or events Typically have non-zero false negative rates, with respect to given attacks or types of attacks, i.e., can miss attacks Have higher false positive rates in a sense that they can declare anomalous traffic or attacks in the absence of attacks 10

11 Anomaly Detection Techniques 11 They are typically not reliable enough to be used for in-line intrusion prevention, but are useful as complementary tools, in addition to attack-based techniques, for detecting traffic anomalies, possibly due to new, previously unknown attacks In particular, they may be useful against broad classes of attacks such as (distributed) denial of service attacks, scanning/probing attacks (e.g., port-scanning attacks), and SPAM and SPIT (SPam over Internet Telephony) attacks as well as against certain malicious software attacks Anomaly detection techniques can essentially be classified into two categories: rule-based techniques and statistic-based or statistical techniques 11

12 Denial-of-Service Attacks 12 Commonly regarded as a major threat to the Internet A denial-of-service (DoS) attack is an attack on a computer system or network that causes a loss of service or network connectivity to legitimate users, that is, unavailability of services Most common DoS attacks aim at exhausting the computational resources, such as connection bandwidth, memory space, or CPU time, for example, by flooding the target network node by valid or invalid requests and/or messages 12

13 Denial-of-Service Attacks 13 They can also cause disruption of network components or disruption of configuration information, such as routing information, or can aim at disabling an application making it unusable In particular, the network components (e.g., servers, proxies, gateways, routers, switches, hubs, etc.) may be disrupted by malicious software attacks, for example, by exploiting buffer overflows or vulnerabilities of the underlying operating system or firmware 13

14 Distributed Denial-of-Service Attacks 14 A distributed denial-of-service (DDoS) attack is a DoS attack that, instead of using a single computer as a base of attack, uses multiple compromised computers simultaneously, possibly a large or a very large number of them (e.g., millions), thus amplifying the effect Altogether, they flood the network with an overwhelming number of packets which exhaust the network or application resources In particular, the packets may be targeting one particular network node causing it to crash, reboot, or exhaust the computational resources 14

15 Distributed Denial-of-Service Attacks 15 The compromised computers, which are called zombies, are typically (unknowingly) infected by malicious software (worm, virus, or Trojan) in a preliminary stage of the attack, which involves scanning a large number of computers searching for those vulnerable The attack itself is then launched at a later time, either automatically or by a direct action of the attacker For example, DDoS attacks are dangerous for the emerging Voice over IP (VoIP) applications, e.g., based on the Session Initiation Protocol (SIP) 15

16 Distributed Denial-of-Service Attacks 16 In particular, the underlying SIP network dealing only with SIP signalling packets is potentially vulnerable to request or message flooding attacks, spoofed SIP messages, malformed SIP messages, and reflection DDoS attacks Reflection DDoS attacks work by generating fake SIP requests with a spoofed source IP address and a spoofed via header field, which falsely identify a victim node as the sender, and by sending or multicasting them to a large number of SIP network nodes, which all respond to the victim node, and repeatedly so if they do not get a reply, hence achieving an amplification effect 16

17 Rule-Based Anomaly Detection Techniques 17 Rule-based techniques describe the normal behavior in terms of certain static rules or certain logic and can essentially be stateless or stateful Essentially, stateless techniques describe individual events and stateful techniques describe sequences of events In particular, rules can be derived from protocol specifications An important class of these techniques performs stateless or stateful protocol analysis and is useful for detecting malformed or invalid messages (packets or sequences of packets), which may be used in attacks such as DoS attacks 17

18 Rule-Based Anomaly Detection Techniques 18 So, if the rules are violated, then anomalous behavior is declared The false positive rate is thus equal to zero, as the normal behavior has to satisfy the chosen rules The false negative rate for a given attack or a given anomalous behavior is usually non-zero, as the chosen rules may be satisfied even if the behavior is anomalous, and the more so if the rules are less specific Rule-based techniques require expert knowledge of communication or application protocols 18

19 Rule-Based Anomaly Detection Techniques 19 Example: SIP network transmits SIP messages/packets between SIP nodes (e.g., INVITE, RE-INVITE, BYE, CANCEL, REGISTER, etc.) A rule-based anomaly detection system may use SIP specification rules for individual messages and sequences of messages in the socalled SIP transactions and dialogs A SIP message not complying with the syntax is called malformed, and a SIP message not complying with the rules for sequences and timings of messages is called invalid Malformed and invalid messages can be detected by a stateless and stateful protocol analysis, respectively Malformed or invalid SIP messages may be caused by (D)DoS attacks! 19

20 Statistical Anomaly Detection Techniques 20 Statistical anomaly detection techniques describe the normal behavior in terms of probability distributions of certain variables, called statistics, derived from the chosen data features or parameters and varying in time For network-based IDS/IPS, these features are extracted from packets corresponding to normal, i.e., regular traffic or from anomalous traffic For example, packet features may include the basic information about an IP packet, contained in layers 3 and 4 (the network and transport layers, respectively) 20

21 Statistical Anomaly Detection Techniques 21 Basic packet information includes: source IP address, TCP/UDP source port number, destination IP address, TCP/UDP destination port number, and transport protocol used; a series of packets having in common this basic information is called a flow A basic feature of an IP packet is its size in bytes, i.e., the total number of layer 3 bytes in a packet Specify a time resolution in terms of the length of a short time interval, define the packet rate, byte rate, and average packet size, with respect to this interval, and monitor the resulting curves in time, for selected or aggregated flows One can also use information in higher packet layers as well as the payload 21

22 Statistical Anomaly Detection Techniques 22 For each chosen statistic, a range of normal values corresponding to normal traffic may be specified in terms of thresholds, derived from normal traffic in the training stage If a statistic, estimated on the observed data sample, falls out of the range, then the process monitored (a packet or a sequence of packets corresponding to a flow or a connection or a communication link) is declared anomalous and an alert is issued Thresholds are chosen according to an acceptable false positive rate 22

23 Statistical Anomaly Detection Techniques 23 If the false positive rate is chosen to be very small, then the false negative rate with respect to a given attack or type of attacks may become unacceptably high, which means that the underlying statistic will belong to the permissible range with a high probability even when extracted from anomalous/attack data So, a tradeoff between the two rates is necessary normal thr anomalous FNR FPR 23

24 Statistical Anomaly Detection Techniques 24 If the statistic inherently does not reflect the attack behavior sufficiently accurately, then the false negative rate will be high almost regardless of the thresholds chosen, because the two probability distributions of the chosen statistic will be similar Accordingly, it is important to choose the statistics appropriately, depending on the types of attacks desired to be detected and on the normal data In practice, as normal data is rarely stationary, the resulting probability distributions are not stable and change in time, so that the problem of choosing the right statistics is difficult 24

25 Statistical Anomaly Detection Techniques 25 In principle, the types of attacks potentially sensitive to statistical anomaly detection are scanning attacks and flooding (D)DoS attacks and also, possibly, SPAM or SPIT attacks and malicious software (e.g., worm) attacks Note that in usual networks, DDoS attacks are typically preceded by (massive) scanning attacks, in order to find vulnerable computers to be used as zombies So, detecting the scanning attacks may also help prevent DDoS attacks 25

26 Statistical Anomaly Detection Techniques 26 An inherent problem with statistical anomaly detection techniques lies in the very definition of anomalous behavior or, in the case of networks, anomalous traffic Namely, under certain circumstances, the traffic may change considerably or even abruptly also in the normal operation, in the absence of malicious traffic Such traffic will very likely be classified as anomalous, although it does not correspond to attacks 26

27 Statistical Anomaly Detection Techniques 27 Therefore, the thresholds need to be carefully chosen and, instead of being static and fixed, they may be dynamic (e.g., may depend on the time of a day) or may change adaptively Of course, if the attacker knows the adaptation policy, then the attack traffic can also be adapted accordingly, in order to satisfy the dynamic or adaptive thresholds and yet mount an attack For example, sophisticated attackers may launch (D)DoS attacks slowly and gradually instead of abruptly However, at a point when an attack presents a problem for the network functionality, it should be easier to detect 27

28 Statistical Anomaly Detection Techniques - Examples 28 A general method underlying many proposed statistical anomaly detection techniques consists of two stages: Modelling stage in which a statistical model of normal data/traffic, possibly dynamic (e.g., depending on the time of a day or a day in the week), is developed by using historical or expected behavior data Comparison stage in which an observed portion of traffic (a single packet or a sequence of packets of network traffic) is compared with the developed statistical model and a decision is made whether the deviation from the statistical model is statistically significant or not 28

29 Statistical Anomaly Detection Techniques - Examples 29 Clustering techniques: group multidimensional training data into clusters by using an appropriate metric and then compare observed (individual or cluster) data with training data; typically, attack data result in more compact clusters Normal traffic waveforms in time (e.g., packet rate or byte rate curves) can be modelled by: Neural networks Principal component analysis Discrete wavelet transforms 29

30 Statistical Anomaly Detection Techniques - Examples Comparison of an individual data sample with a profile probability distribution can be performed by using thresholds derived from the profile probability distribution or, in a simplified way, by using the mean value and standard deviation of the probability distribution Comparison of a set of data samples with a probability distribution can be performed by comparing the empirical probability distribution derived from sampled data with the profile probability distribution, e.g., by using the chi-square statistic; for comparing two sample distributions, two-sample chi-square statistic can be used Comparison of two waveforms can be performed by correlation techniques 30 30

31 Statistical Anomaly Detection Techniques - Examples 31 Entropies of IP addresses and port numbers can be used for detecting random spoofing of IP addresses and port scanning, respectively Number of open or half-open TCP connections can be used for detecting (D)DoS attacks using TCP protocol, from TCP flags Asymmetry between in-bound and out-bound packet or byte rates can be used for detecting (D)DoS attacks using TCP protocol and, also, using UDP protocol for SIP traffic, as SIP is a symmetric request/response protocol 31

32 Statistical Anomaly Detection Techniques - Examples 32 Peakflow is an IPS system/device of Arbor Networks for network profiling and anomaly detection, mitigation, and prevention Models legitimate relationships (matrices) between users, machines, and applications, using basic packet information Behavioral fingerprint traffic profiling and violation detection Behavior-based worm detection Rate-based anomaly detection Slow and fast scan detection (D)DoS detection Intelligent attack mitigation and prevention 32

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 8 System Vulnerabilities and Denial of Service Attacks System Vulnerabilities and

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

Network Security. Chapter 0. Attacks and Attack Detection

Network Security. Chapter 0. Attacks and Attack Detection Network Security Chapter 0 Attacks and Attack Detection 1 Attacks and Attack Detection Have you ever been attacked (in the IT security sense)? What kind of attacks do you know? 2 What can happen? Part

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015 Distributed Systems 29. Firewalls Paul Krzyzanowski Rutgers University Fall 2015 2013-2015 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive data & systems not accessible Integrity:

More information

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016 Abstract The Mirai botnet struck the security industry in three massive attacks that shook traditional DDoS protection paradigms, proving that the Internet of Things (IoT) threat is real and the grounds

More information

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting

More information

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks So we are proposing a network intrusion detection system (IDS) which uses a Keywords: DDoS (Distributed Denial

More information

Denial of Service (DoS)

Denial of Service (DoS) Flood Denial of Service (DoS) Comp Sci 3600 Security Outline Flood 1 2 3 4 5 Flood 6 7 8 Denial-of-Service (DoS) Attack Flood The NIST Computer Security Incident Handling Guide defines a DoS attack as:

More information

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013 Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive

More information

ANOMALY DETECTION IN COMMUNICTION NETWORKS

ANOMALY DETECTION IN COMMUNICTION NETWORKS Anomaly Detection Summer School Lecture 2014 ANOMALY DETECTION IN COMMUNICTION NETWORKS Prof. D.J.Parish and Francisco Aparicio-Navarro Loughborough University (School of Electronic, Electrical and Systems

More information

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Data Communication. Chapter # 5: Networking Threats. By: William Stalling Data Communication Chapter # 5: By: Networking Threats William Stalling Risk of Network Intrusion Whether wired or wireless, computer networks are quickly becoming essential to everyday activities. Individuals

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Intrusion Detection Systems Intrusion Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking

More information

Denial of Service and Distributed Denial of Service Attacks

Denial of Service and Distributed Denial of Service Attacks Denial of Service and Distributed Denial of Service Attacks Objectives: 1. To understand denial of service and distributed denial of service. 2. To take a glance about DoS techniques. Distributed denial

More information

2. INTRUDER DETECTION SYSTEMS

2. INTRUDER DETECTION SYSTEMS 1. INTRODUCTION It is apparent that information technology is the backbone of many organizations, small or big. Since they depend on information technology to drive their business forward, issues regarding

More information

Configuring IP Services

Configuring IP Services This module describes how to configure optional IP services. For a complete description of the IP services commands in this chapter, refer to the Cisco IOS IP Application Services Command Reference. To

More information

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis Keywords: Intelligent Next-Generation Firewall (ingfw), Unknown Threat, Abnormal Parameter, Abnormal Behavior,

More information

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content Intrusion Detection INFO404 - Lecture 13 21.04.2009 nfoukia@infoscience.otago.ac.nz Content Definition Network vs. Host IDS Misuse vs. Behavior Based IDS Means for Intrusion Detection Definitions (1) Intrusion:

More information

Lecture 12. Application Layer. Application Layer 1

Lecture 12. Application Layer. Application Layer 1 Lecture 12 Application Layer Application Layer 1 Agenda The Application Layer (continue) Web and HTTP HTTP Cookies Web Caches Simple Introduction to Network Security Various actions by network attackers

More information

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks Background This NISCC technical note is intended to provide information to enable organisations in the UK s Critical

More information

9. Security. Safeguard Engine. Safeguard Engine Settings

9. Security. Safeguard Engine. Safeguard Engine Settings 9. Security Safeguard Engine Traffic Segmentation Settings Storm Control DoS Attack Prevention Settings Zone Defense Settings SSL Safeguard Engine D-Link s Safeguard Engine is a robust and innovative technology

More information

A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK

A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK P.Priya 1, S.Tamilvanan 2 1 M.E-Computer Science and Engineering Student, Bharathidasan Engineering College, Nattrampalli. 2

More information

Chapter 7. Denial of Service Attacks

Chapter 7. Denial of Service Attacks Chapter 7 Denial of Service Attacks DoS attack: An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU),

More information

Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by

More information

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies Comparison of Firewall, Intrusion Prevention and Antivirus Technologies (How each protects the network) Dr. Gaurav Kumar Jain Email: gaurav.rinkujain.jain@gmail.com Mr. Pradeep Sharma Mukul Verma Abstract

More information

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges

More information

Resources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can

Resources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can Resources and Credits Denial of Service COMP620 Information on Denial of Service attacks can be found on Wikipedia. Graphics and some text in these slides was taken from the Wikipedia site The textbook

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based

More information

Introduction to Security. Computer Networks Term A15

Introduction to Security. Computer Networks Term A15 Introduction to Security Computer Networks Term A15 Intro to Security Outline Network Security Malware Spyware, viruses, worms and trojan horses, botnets Denial of Service and Distributed DOS Attacks Packet

More information

Intrusion Detection by Combining and Clustering Diverse Monitor Data

Intrusion Detection by Combining and Clustering Diverse Monitor Data Intrusion Detection by Combining and Clustering Diverse Monitor Data TSS/ACC Seminar April 5, 26 Atul Bohara and Uttam Thakore PI: Bill Sanders Outline Motivation Overview of the approach Feature extraction

More information

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats. Network IPS Overview Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats. By using protocol recognition, identification, and traffic analysis

More information

Activating Intrusion Prevention Service

Activating Intrusion Prevention Service Activating Intrusion Prevention Service Intrusion Prevention Service Overview Configuring Intrusion Prevention Service Intrusion Prevention Service Overview Intrusion Prevention Service (IPS) delivers

More information

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet SYMANTEC ENTERPRISE SECURITY Symantec Internet Security Threat Report September 00 Power and Energy Industry Data Sheet An important note about these statistics The statistics discussed in this document

More information

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review ACS-3921-001/4921-001 Computer Security And Privacy Fall 2018 Mid-Term Review ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been adopted and/or modified

More information

EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS

EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS Andry Putra Fajar and Tito Waluyo Purboyo Faculty of Electrical Engineering,

More information

Check Point DDoS Protector Introduction

Check Point DDoS Protector Introduction Check Point DDoS Protector Introduction Petr Kadrmas SE Eastern Europe pkadrmas@checkpoint.com Agenda 1 (D)DoS Trends 2 3 4 DDoS Protector Overview Protections in Details Summary 2 (D)DoS Attack Methods

More information

Attack Prevention Technology White Paper

Attack Prevention Technology White Paper Attack Prevention Technology White Paper Keywords: Attack prevention, denial of service Abstract: This document introduces the common network attacks and the corresponding prevention measures, and describes

More information

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art 2015 IEEE 2015 International Conference on Computer, Communication, and Control Technology (I4CT 2015), April 21-23 in Imperial Kuching Hotel, Kuching, Sarawak, Malaysia A Review on ICMPv6 Vulnerabilities

More information

Networking interview questions

Networking interview questions Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2650 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719

More information

Configuring Anomaly Detection

Configuring Anomaly Detection CHAPTER 12 This chapter describes how to create multiple security policies and apply them to individual virtual sensors. It contains the following sections: Understanding Policies, page 12-1 Anomaly Detection

More information

COMPUTER NETWORK SECURITY

COMPUTER NETWORK SECURITY COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (7 th Week) 7. Denial-of-Service Attacks 7.Outline Denial of Service Attacks Flooding Attacks Distributed Denial of Service Attacks Application Based

More information

The following topics describe how to configure correlation policies and rules.

The following topics describe how to configure correlation policies and rules. The following topics describe how to configure correlation policies and rules. Introduction to and Rules, page 1 Configuring, page 2 Configuring Correlation Rules, page 5 Configuring Correlation Response

More information

NETWORK SECURITY. Ch. 3: Network Attacks

NETWORK SECURITY. Ch. 3: Network Attacks NETWORK SECURITY Ch. 3: Network Attacks Contents 3.1 Network Vulnerabilities 3.1.1 Media-Based 3.1.2 Network Device 3.2 Categories of Attacks 3.3 Methods of Network Attacks 03 NETWORK ATTACKS 2 3.1 Network

More information

Denial of Service (DoS) attacks and countermeasures

Denial of Service (DoS) attacks and countermeasures Dipartimento di Informatica Università di Roma La Sapienza Denial of Service (DoS) attacks and countermeasures Definitions of DoS and DDoS attacks Denial of Service (DoS) attacks and countermeasures A

More information

Chapter 10: Denial-of-Services

Chapter 10: Denial-of-Services Chapter 10: Denial-of-Services Technology Brief This chapter, "Denial-of-Service" is focused on DoS and Distributed Denial-of-Service (DDOS) attacks. This chapter will cover understanding of different

More information

1. Intrusion Detection and Prevention Systems

1. Intrusion Detection and Prevention Systems 1. Intrusion Detection and Prevention Systems Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which

More information

ProCurve Network Immunity

ProCurve Network Immunity ProCurve Network Immunity Hans-Jörg Elias Key Account Manager hans-joerg.elias@hp.com 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

More information

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1 Table of Contents 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1 i 1 Intrusion Detection Statistics Overview Intrusion detection is an important network

More information

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network 10 Key Things Your Firewall Should Do When voice joins applications and data on your network Table of Contents Making the Move to 3 10 Key Things 1 Security is More Than Physical 4 2 Priority Means Clarity

More information

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta CYBER ANALYTICS Architecture Overview Technical Brief May 2016 novetta.com 2016, Novetta Novetta Cyber Analytics: Technical Architecture Overview 1 INTRODUCTION 2 CAPTURE AND PROCESS ALL NETWORK TRAFFIC

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2630 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information

More information

The Telephony Denial of Service (TDoS) Threat

The Telephony Denial of Service (TDoS) Threat The Telephony Denial of Service (TDoS) Threat An Analysis of the TDoS Threat in Voice Network Security A Whitepaper From SecureLogix Corporation Telephony Denial-of-Service (TDoS) and The Public Voice

More information

Cloudflare Advanced DDoS Protection

Cloudflare Advanced DDoS Protection Cloudflare Advanced DDoS Protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com

More information

Why IPS Devices and Firewalls Fail to Stop DDoS Threats

Why IPS Devices and Firewalls Fail to Stop DDoS Threats Arbor White Paper Why IPS Devices and Firewalls Fail to Stop DDoS Threats How to Protect Your Data Center s Availability About Arbor Networks Arbor Networks, Inc. is a leading provider of network security

More information

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 8 Denial of Service First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Denial of Service denial of service (DoS) an action

More information

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 9

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 9 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 9 Attacks and Attack Detection (Prevention, Detection and Response) Attacks and Attack

More information

COMPUTER NETWORK SECURITY

COMPUTER NETWORK SECURITY COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (9 th Week) 9. Firewalls and Intrusion Prevention Systems 9.Outline The Need for Firewalls Firewall Characterictics and Access Policy Type of Firewalls

More information

CTS2134 Introduction to Networking. Module 08: Network Security

CTS2134 Introduction to Networking. Module 08: Network Security CTS2134 Introduction to Networking Module 08: Network Security Denial of Service (DoS) DoS (Denial of Service) attack impacts system availability by flooding the target system with traffic or by exploiting

More information

ASA Access Control. Section 3

ASA Access Control. Section 3 [ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look

More information

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Layer 4: UDP, TCP, and others based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Concepts application set transport set High-level, "Application Set" protocols deal only with how handled

More information

Anomaly Detection in Communication Networks

Anomaly Detection in Communication Networks Anomaly Detection in Communication Networks Prof. D. J. Parish High Speed networks Group Department of Electronic and Electrical Engineering D.J.Parish@lboro.ac.uk Loughborough University Overview u u

More information

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu Denial of Service Denial of Service Ozalp Babaoglu Availability refers to the ability to use a desired information resource or service A Denial of Service attack is an attempt to make that information

More information

DDoS Testing with XM-2G. Step by Step Guide

DDoS Testing with XM-2G. Step by Step Guide DDoS Testing with XM-G Step by Step Guide DDoS DEFINED Distributed Denial of Service (DDoS) Multiple compromised systems usually infected with a Trojan are used to target a single system causing a Denial

More information

Internet Security: Firewall

Internet Security: Firewall Internet Security: Firewall What is a Firewall firewall = wall to protect against fire propagation More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits

More information

Check Point DDoS Protector Simple and Easy Mitigation

Check Point DDoS Protector Simple and Easy Mitigation Check Point DDoS Protector Simple and Easy Mitigation Jani Ekman janie@checkpoint.com Sales Engineer DDoS Protector 1 (D)DoS Attacks 2 3 4 DDoS Protector Behavioral DoS Protection Summary 2 What is an

More information

IDS: Signature Detection

IDS: Signature Detection IDS: Signature Detection Idea: What is bad, is known What is not bad, is good Determines whether a sequence of instructions being executed is known to violate the site security policy Signatures: Descriptions

More information

Improved Detection of Low-Profile Probes and Denial-of-Service Attacks*

Improved Detection of Low-Profile Probes and Denial-of-Service Attacks* Improved Detection of Low-Profile Probes and Denial-of-Service Attacks* William W. Streilein Rob K. Cunningham, Seth E. Webster Workshop on Statistical and Machine Learning Techniques in Computer Intrusion

More information

VoIP Security Threat Analysis

VoIP Security Threat Analysis 2005/8/2 VoIP Security Threat Analysis Saverio Niccolini, Jürgen Quittek, Marcus Brunner, Martin Stiemerling (NEC, Network Laboratories, Heidelberg) Introduction Security attacks taxonomy Denial of Service

More information

Endpoint Protection : Last line of defense?

Endpoint Protection : Last line of defense? Endpoint Protection : Last line of defense? First TC Noumea, New Caledonia 10 Sept 2018 Independent Information Security Advisor OVERVIEW UNDERSTANDING ENDPOINT SECURITY AND THE BIG PICTURE Rapid development

More information

Anti-DDoS. FAQs. Issue 11 Date HUAWEI TECHNOLOGIES CO., LTD.

Anti-DDoS. FAQs. Issue 11 Date HUAWEI TECHNOLOGIES CO., LTD. Issue 11 Date 2018-05-28 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2019. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any

More information

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials Firewalls, IDS and IPS MIS5214 Midterm Study Support Materials Agenda Firewalls Intrusion Detection Systems Intrusion Prevention Systems Firewalls are used to Implement Network Security Policy Firewalls

More information

Scrutinizer Flow Analytics

Scrutinizer Flow Analytics Scrutinizer Flow Analytics TM Scrutinizer Flow Analytics Scrutinizer Flow Analytics is an expert system that highlights characteristics about the network. It uses flow data across dozens or several hundred

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN

More information

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu Denial of Service Denial of Service Ozalp Babaoglu Availability refers to the ability to use a desired information resource or service A Denial of Service attack is an attempt to make that information

More information

Security for SIP-based VoIP Communications Solutions

Security for SIP-based VoIP Communications Solutions Tomorrow Starts Today Security for SIP-based VoIP Communications Solutions Enterprises and small to medium-sized businesses (SMBs) are exposed to potentially debilitating cyber attacks and exploitation

More information

(2½ hours) Total Marks: 75

(2½ hours) Total Marks: 75 (2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.

More information

Huawei NIP2000/5000 Intrusion Prevention System

Huawei NIP2000/5000 Intrusion Prevention System Huawei 2000/5000 Intrusion Prevention System Huawei series is designed for large- and medium-sized enterprises, industries, and carriers to defend against network threats and ensure proper operations of

More information

haltdos - Web Application Firewall

haltdos - Web Application Firewall haltdos - DATASHEET Delivering best-in-class protection for modern enterprise Protect your website against OWASP top-10 & Zero-day vulnerabilities, DDoS attacks, and more... Complete Attack Protection

More information

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors 1 Table of Content Preamble...3 About Radware s DefensePro... 3 About Radware s Emergency Response Team

More information

Security Gap Analysis: Aggregrated Results

Security Gap Analysis: Aggregrated Results Email Security Gap Analysis: Aggregrated Results Average rates at which enterprise email security systems miss spam, phishing and malware attachments November 2017 www.cyren.com 1 Email Security Gap Analysis:

More information

A Firewall Architecture to Enhance Performance of Enterprise Network

A Firewall Architecture to Enhance Performance of Enterprise Network A Firewall Architecture to Enhance Performance of Enterprise Network Hailu Tegenaw HiLCoE, Computer Science Programme, Ethiopia Commercial Bank of Ethiopia, Ethiopia hailutegenaw@yahoo.com Mesfin Kifle

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy. August 2016 1. Overview Kalamazoo College provides and maintains information technology resources to support its academic programs and administrative operations. This Acceptable

More information

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks WHITE PAPER 2017 DDoS of Things SURVIVAL GUIDE Proven DDoS Defense in the New Era of 1 Tbps Attacks Table of Contents Cyclical Threat Trends...3 Where Threat Actors Target Your Business...4 Network Layer

More information

DDoS PREVENTION TECHNIQUE

DDoS PREVENTION TECHNIQUE http://www.ijrst.com DDoS PREVENTION TECHNIQUE MADHU MALIK ABSTRACT A mobile ad hoc network (MANET) is a spontaneous network that can be established with no fixed infrastructure. This means that all its

More information

Chapter 4. Network Security. Part I

Chapter 4. Network Security. Part I Chapter 4 Network Security Part I CCNA4-1 Chapter 4-1 Introducing Network Security Introduction to Network Security CCNA4-2 Chapter 4-1 Introducing Network Security Why is Network Security important? Rapid

More information

DDOS Attack Prevention Technique in Cloud

DDOS Attack Prevention Technique in Cloud DDOS Attack Prevention Technique in Cloud Priyanka Dembla, Chander Diwaker CSE Department, U.I.E.T Kurukshetra University Kurukshetra, Haryana, India Email: priyankadembla05@gmail.com Abstract Cloud computing

More information

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Internet Security Mechanisms Prevent: Firewall, IPsec, SSL Detect: Intrusion Detection Survive/ Response:

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks Security+ Guide to Network Security Fundamentals, Fourth Edition Network Attacks Denial of service Attacks Introduction: What is DoS? DoS attack is an attempt (malicious or selfish) by an attacker to cause

More information

Chapter 8 roadmap. Network Security

Chapter 8 roadmap. Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e-mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing

More information

Yuri Gushin & Alex Behar

Yuri Gushin & Alex Behar Yuri Gushin & Alex Behar Ø Introduction Ø DoS Attacks overview & evolution Ø DoS Protection Technology Ø Operational mode Ø Detection Ø Mitigation Ø Performance Ø Wikileaks (LOIC) attack tool analysis

More information

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY Published By: Fusion Factor Corporation 2647 Gateway Road Ste 105-303 Carlsbad, CA 92009 USA 1.0 Overview Fusion Factor s intentions for publishing an

More information

CIH

CIH mitigating at host level, 23 25 at network level, 25 26 Morris worm, characteristics of, 18 Nimda worm, characteristics of, 20 22 replacement login, example of, 17 signatures. See signatures SQL Slammer

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 6 Intrusion Detection First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Intruders significant issue hostile/unwanted

More information

Network Anomaly Detection Using Autonomous System Flow Aggregates

Network Anomaly Detection Using Autonomous System Flow Aggregates Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering 2 Department of Computer Science University

More information

Configuring Anomaly Detection

Configuring Anomaly Detection CHAPTER 9 Caution Anomaly detection assumes it gets traffic from both directions. If the sensor is configured to see only one direction of traffic, you should turn off anomaly detection. Otherwise, when

More information

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL CONTENTS EXECUTIVE SUMMARY 1 WEB APPLICATION SECURITY CHALLENGES 2 INSIST ON BEST-IN-CLASS CORE CAPABILITIES 3 HARNESSING ARTIFICIAL INTELLIGENCE

More information

Managing Latency in IPS Networks

Managing Latency in IPS Networks Revision C McAfee Network Security Platform (Managing Latency in IPS Networks) Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended settings

More information

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis Intrusion Detection Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 22-1 1. Intruders 2. Intrusion

More information