Basic Concepts in Intrusion Detection

Jovan Golić, Technology, Technical Information Services, Security Engineering, Roma
L'Università Roma Tor Vergata, 23 April 2007

Outline
- Introduction
- Classification
- Error rates
- Attack detection techniques
- Anomaly detection techniques
- Denial-of-service attacks
- Distributed denial-of-service attacks
- Rule-based anomaly detection techniques
- Statistical anomaly detection techniques
- Statistical anomaly detection techniques - Examples

Introduction
- An intrusion detection system (IDS) aims at detecting and logging malicious, abusive, or suspicious processes, activities, or events in an information system, such as a host computer or a system of computers communicating with each other via a communications network
- In particular, a communications network, such as the Internet, may utilize the Internet Protocol (IP) as a communication protocol
- A host-based IDS runs on a single host and mainly logs suspicious and unauthorized events or activities and changes to system files and configurations
- A network-based IDS captures network packets on relevant network segments and inspects them

Introduction
- An intrusion prevention system (IPS) is in addition capable of taking an immediate action following intrusion detection, such as dropping malicious packets, blocking all further traffic from a particular IP address, or traffic shaping in terms of available transmission bandwidth
- A network-based IDS/IPS has to deal with large volumes of data and hence has to be computationally very efficient
- As the business cost of network problems may be high, especially for large networks (e.g., telephone operators, large corporations, etc.), it is practically very important to have effective solutions for IDS/IPS in these networks

Classification
- Two main types of intrusion detection techniques:
  - Attack detection (attack-based) techniques
  - Anomaly detection (anomaly-based) techniques
- Attack detection (attack-based, signature-based, pattern-based, or knowledge-based) techniques:
  - utilize a description (signature, pattern) of a particular attack (e.g., a virus, worm, or other malicious software)
  - inspect the observed traffic or file data and decide whether it is consistent with this description or not
  - an attack is declared in the case of detected consistency

Classification
- Anomaly detection (anomaly-based or behavior-based) techniques:
  - utilize a description (profile, model) of normal/standard traffic or events, rather than of anomalous attack traffic or events
  - inspect the observed traffic data or events and decide whether they are consistent with this description or not
  - an attack or anomalous traffic is declared in the case of detected inconsistency
  - are better suited for proprietary solutions
  - are less effective against known attacks, but are expected to be effective against unknown or new attacks

Error Rates
- False negative rate (FNR): the probability of not declaring an attack when there is an attack, that is, the probability of missing an attack
- False positive rate (FPR): the probability of declaring an attack when there is no attack, that is, the probability of a false alarm

Attack Detection Techniques
- Require prior knowledge of each particular attack targeted
- Include databases of attack signatures and efficient search algorithms for string matching
- Have to be continuously updated with new signatures corresponding to new attacks that appear
- In principle, a signature can also describe a type of attack instead of a particular attack
- Anti-virus software vendors tend to provide signatures for new attacks as soon as possible (hours or days)

Attack Detection Techniques
- Have zero false negative rates for targeted attacks
- Have zero or (very) small false positive rates for targeted attacks, the more so if the signatures used are more specific and hence closer to characterizing, not just describing, the attacks
- Are incapable of detecting previously unknown (not targeted) attacks
- Are reliable enough to be used for in-line intrusion prevention and are especially effective against virus, worm, Trojan, spyware, and other malicious software attacks
- Are suitable for personal usage as well as for small, medium, and large enterprises

Anomaly Detection Techniques
- Do not require prior knowledge of particular attacks and as such are in principle capable of detecting previously unknown attacks
- In principle, require modeling or profiling of normal traffic or events
- Typically have non-zero false negative rates with respect to given attacks or types of attacks, i.e., can miss attacks
- Have higher false positive rates, in the sense that they can declare anomalous traffic or attacks in the absence of attacks

Anomaly Detection Techniques
- They are typically not reliable enough to be used for in-line intrusion prevention, but are useful as complementary tools, in addition to attack-based techniques, for detecting traffic anomalies, possibly due to new, previously unknown attacks
- In particular, they may be useful against broad classes of attacks such as (distributed) denial-of-service attacks, scanning/probing attacks (e.g., port-scanning attacks), and SPAM and SPIT (SPam over Internet Telephony) attacks, as well as against certain malicious software attacks
- Anomaly detection techniques can essentially be classified into two categories: rule-based techniques and statistic-based or statistical techniques

Denial-of-Service Attacks
- Commonly regarded as a major threat to the Internet
- A denial-of-service (DoS) attack is an attack on a computer system or network that causes a loss of service or network connectivity to legitimate users, that is, unavailability of services
- Most common DoS attacks aim at exhausting computational resources, such as connection bandwidth, memory space, or CPU time, for example, by flooding the target network node with valid or invalid requests and/or messages

Denial-of-Service Attacks
- They can also cause disruption of network components or disruption of configuration information, such as routing information, or can aim at disabling an application, making it unusable
- In particular, network components (e.g., servers, proxies, gateways, routers, switches, hubs, etc.) may be disrupted by malicious software attacks, for example, by exploiting buffer overflows or vulnerabilities of the underlying operating system or firmware

Distributed Denial-of-Service Attacks
- A distributed denial-of-service (DDoS) attack is a DoS attack that, instead of using a single computer as a base of attack, uses multiple compromised computers simultaneously, possibly a large or very large number of them (e.g., millions), thus amplifying the effect
- Altogether, they flood the network with an overwhelming number of packets which exhaust the network or application resources
- In particular, the packets may target one particular network node, causing it to crash, reboot, or exhaust its computational resources

Distributed Denial-of-Service Attacks
- The compromised computers, which are called zombies, are typically (unknowingly) infected by malicious software (worm, virus, or Trojan) in a preliminary stage of the attack, which involves scanning a large number of computers in search of vulnerable ones
- The attack itself is then launched at a later time, either automatically or by a direct action of the attacker
- For example, DDoS attacks are dangerous for the emerging Voice over IP (VoIP) applications, e.g., those based on the Session Initiation Protocol (SIP)

Distributed Denial-of-Service Attacks
- In particular, the underlying SIP network, dealing only with SIP signalling packets, is potentially vulnerable to request or message flooding attacks, spoofed SIP messages, malformed SIP messages, and reflection DDoS attacks
- Reflection DDoS attacks work by generating fake SIP requests with a spoofed source IP address and a spoofed Via header field, which falsely identify a victim node as the sender, and by sending or multicasting them to a large number of SIP network nodes, which all respond to the victim node, and repeatedly so if they do not get a reply, hence achieving an amplification effect

Rule-Based Anomaly Detection Techniques
- Rule-based techniques describe the normal behavior in terms of certain static rules or certain logic and can essentially be stateless or stateful
- Essentially, stateless techniques describe individual events and stateful techniques describe sequences of events
- In particular, rules can be derived from protocol specifications
- An important class of these techniques performs stateless or stateful protocol analysis and is useful for detecting malformed or invalid messages (packets or sequences of packets), which may be used in attacks such as DoS attacks

Rule-Based Anomaly Detection Techniques
- So, if the rules are violated, then anomalous behavior is declared
- The false positive rate is thus equal to zero, as the normal behavior has to satisfy the chosen rules
- The false negative rate for a given attack or a given anomalous behavior is usually non-zero, as the chosen rules may be satisfied even if the behavior is anomalous, and the more so if the rules are less specific
- Rule-based techniques require expert knowledge of communication or application protocols

Rule-Based Anomaly Detection Techniques
- Example: a SIP network transmits SIP messages/packets between SIP nodes (e.g., INVITE, re-INVITE, BYE, CANCEL, REGISTER, etc.)
- A rule-based anomaly detection system may use SIP specification rules for individual messages and for sequences of messages in the so-called SIP transactions and dialogs
- A SIP message not complying with the syntax is called malformed, and a SIP message not complying with the rules for sequences and timings of messages is called invalid
- Malformed and invalid messages can be detected by stateless and stateful protocol analysis, respectively
- Malformed or invalid SIP messages may be caused by (D)DoS attacks!
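The stateless/stateful SIP protocol analysis of this slide, as an added Python example (not code from the original slides): the stateless check tests the request line and the header fields RFC 3261 requires in every request, and the stateful check tracks the dialog life cycle per Call-ID. The sample messages are constructed, and the dialog rules are a deliberate simplification of the full SIP transaction and dialog state machines.

```python
"""Stateless (syntax) and stateful (sequence) checks on SIP requests."""
import re

# Header fields every SIP request must carry (RFC 3261, section 8.1.1).
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
CSEQ = re.compile(r"^(\d+) ([A-Z]+)$")


def parse_request(raw):
    """Return (method, headers) for a SIP request, or None when the request
    line or a header line does not follow the grammar."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return m.group(1), headers


def stateless_check(raw):
    """Malformed-message detection on one request: returns the list of
    violated syntax rules (an empty list means the message is well-formed)."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["request line or header syntax"]
    method, headers = parsed
    problems = ["missing " + h for h in REQUIRED_HEADERS if h not in headers]
    m = CSEQ.match(headers.get("cseq", ""))
    if m is None:
        problems.append("CSeq syntax")
    elif m.group(2) != method:
        problems.append("CSeq method differs from request method")
    return problems


class DialogTracker:
    """Invalid-sequence detection: requests sharing a Call-ID must follow the
    simplified life cycle INVITE -> ACK -> BYE. State per Call-ID is None
    (no dialog), "early" (INVITE pending) or "confirmed" (ACK seen)."""

    def __init__(self):
        self.state = {}

    def stateful_check(self, raw):
        parsed = parse_request(raw)
        if parsed is None:
            return "malformed"
        method, headers = parsed
        call_id = headers.get("call-id")
        st = self.state.get(call_id)
        if method == "INVITE":
            self.state.setdefault(call_id, "early")  # re-INVITE keeps the dialog
        elif method == "ACK":
            if st is None:
                return "invalid: ACK without INVITE"
            self.state[call_id] = "confirmed"
        elif method == "CANCEL":
            if st != "early":
                return "invalid: CANCEL without pending INVITE"
        elif method == "BYE":
            if st != "confirmed":
                return "invalid: BYE outside a confirmed dialog"
            del self.state[call_id]
        return "ok"  # REGISTER, OPTIONS, ... are not dialog-bound here


def request(method, call_id, cseq):
    """Constructed sample request (not taken from a real capture)."""
    return ("%s sip:bob@example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK-1\r\n"
            "From: <sip:alice@example.com>;tag=a1\r\n"
            "To: <sip:bob@example.com>\r\n"
            "Call-ID: %s\r\n"
            "CSeq: %d %s\r\n"
            "Max-Forwards: 70\r\n"
            "\r\n" % (method, call_id, cseq, method))


# Constructed malformed request: no Via, no Max-Forwards, CSeq names another method.
MALFORMED = ("INVITE sip:bob@example.com SIP/2.0\r\nFrom: <sip:a@example.com>\r\n"
             "To: <sip:b@example.com>\r\nCall-ID: c9\r\nCSeq: 1 BYE\r\n\r\n")


def demo_sequence():
    """Run a constructed message sequence through the stateful check."""
    tracker = DialogTracker()
    msgs = [request("INVITE", "c1", 1), request("ACK", "c1", 1),
            request("BYE", "c1", 2), request("BYE", "c2", 1),
            request("CANCEL", "c1", 1)]
    return [tracker.stateful_check(m) for m in msgs]
```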

Statistical Anomaly Detection Techniques
- Statistical anomaly detection techniques describe the normal behavior in terms of probability distributions of certain variables, called statistics, derived from the chosen data features or parameters and varying in time
- For network-based IDS/IPS, these features are extracted from packets corresponding to normal, i.e., regular, traffic or from anomalous traffic
- For example, packet features may include the basic information about an IP packet contained in layers 3 and 4 (the network and transport layers, respectively)

Statistical Anomaly Detection Techniques
- Basic packet information includes: source IP address, TCP/UDP source port number, destination IP address, TCP/UDP destination port number, and transport protocol used; a series of packets having this basic information in common is called a flow
- A basic feature of an IP packet is its size in bytes, i.e., the total number of layer 3 bytes in a packet
- Specify a time resolution in terms of the length of a short time interval, define the packet rate, byte rate, and average packet size with respect to this interval, and monitor the resulting curves in time, for selected or aggregated flows
- One can also use information in higher packet layers as well as the payload

Statistical Anomaly Detection Techniques
- For each chosen statistic, a range of normal values corresponding to normal traffic may be specified in terms of thresholds, derived from normal traffic in the training stage
- If a statistic, estimated on the observed data sample, falls out of the range, then the process monitored (a packet or a sequence of packets corresponding to a flow or a connection or a communication link) is declared anomalous and an alert is issued
- Thresholds are chosen according to an acceptable false positive rate

Statistical Anomaly Detection Techniques
- If the false positive rate is chosen to be very small, then the false negative rate with respect to a given attack or type of attacks may become unacceptably high, which means that the underlying statistic will belong to the permissible range with a high probability even when extracted from anomalous/attack data
- So, a tradeoff between the two rates is necessary

[Figure: probability distributions of the statistic for normal and anomalous traffic, with the threshold thr between them; the overlap regions give the FNR and FPR]
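The packet-rate statistic of the preceding slides, its normal range learned in a training stage as mean plus or minus k standard deviations (the simplified comparison the Examples slide mentions), and the FPR/FNR trade-off that follows from the choice of k, as an added Python example that is not part of the original slides. The packet records and per-interval counts are constructed so the resulting rates can be checked by hand.

```python
"""Per-interval flow statistics, thresholds learned from normal traffic, and
the FPR/FNR that a given threshold choice produces."""
from collections import defaultdict
from statistics import mean, pstdev

# Packet record: (timestamp_s, src_ip, dst_ip, proto, sport, dport, size_bytes)


def flow_key(pkt):
    """The basic packet information that defines a flow."""
    _, src, dst, proto, sport, dport, _ = pkt
    return (src, sport, dst, dport, proto)


def interval_stats(packets, interval, selector=None):
    """Bucket packets into fixed-length intervals and return
    {interval_index: (packet_rate, byte_rate, avg_packet_size)}.
    `selector` optionally restricts the statistics to one flow or aggregate."""
    pkts, byts = defaultdict(int), defaultdict(int)
    for pkt in packets:
        if selector is not None and not selector(pkt):
            continue
        idx = int(pkt[0] // interval)
        pkts[idx] += 1
        byts[idx] += pkt[6]
    return {i: (pkts[i] / interval, byts[i] / interval, byts[i] / pkts[i]) for i in pkts}


def learn_thresholds(train_values, k):
    """Training stage, simplified: the normal range is mean +/- k * std."""
    mu, sigma = mean(train_values), pstdev(train_values)
    return (mu - k * sigma, mu + k * sigma)


def is_anomalous(value, thresholds):
    lo, hi = thresholds
    return value < lo or value > hi


def error_rates(normal_values, attack_values, thresholds):
    """FPR: fraction of normal samples flagged; FNR: fraction of attack samples missed."""
    fpr = sum(is_anomalous(v, thresholds) for v in normal_values) / len(normal_values)
    fnr = sum(not is_anomalous(v, thresholds) for v in attack_values) / len(attack_values)
    return fpr, fnr


def make_packets(counts_per_interval, interval=1.0, size=500):
    """Constructed traffic of one flow: counts_per_interval[i] packets spread
    evenly over interval i. Not a real capture."""
    packets = []
    for i, n in enumerate(counts_per_interval):
        for j in range(n):
            packets.append((i * interval + j * interval / n,
                            "10.0.0.5", "10.0.0.9", "tcp", 40000, 80, size))
    return packets


# Training intervals (normal traffic): mean 50 pkt/s, population std about 2.79 pkt/s
TRAIN_COUNTS = [48, 52, 50, 55, 45, 51, 49, 53, 47, 50]
NORMAL_TEST_COUNTS = [50, 49, 60, 46]   # a legitimate burst at 60 and a lull at 46
ATTACK_COUNTS = [300, 200, 55, 80]      # a flood whose first interval is only 55


def packet_rates(counts):
    stats = interval_stats(make_packets(counts), 1.0)
    return [stats[i][0] for i in sorted(stats)]


def evaluate(k):
    """Learn thresholds for a given k and return (thresholds, FPR, FNR):
    a wide range (k=3) misses the slow start of the flood, a narrow one (k=1)
    catches it but also flags normal fluctuations."""
    thr = learn_thresholds(packet_rates(TRAIN_COUNTS), k)
    fpr, fnr = error_rates(packet_rates(NORMAL_TEST_COUNTS),
                           packet_rates(ATTACK_COUNTS), thr)
    return thr, fpr, fnr
```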

Statistical Anomaly Detection Techniques
- If the statistic inherently does not reflect the attack behavior sufficiently accurately, then the false negative rate will be high almost regardless of the thresholds chosen, because the two probability distributions of the chosen statistic will be similar
- Accordingly, it is important to choose the statistics appropriately, depending on the types of attacks to be detected and on the normal data
- In practice, as normal data is rarely stationary, the resulting probability distributions are not stable and change in time, so that the problem of choosing the right statistics is difficult

Statistical Anomaly Detection Techniques
- In principle, the types of attacks potentially sensitive to statistical anomaly detection are scanning attacks and flooding (D)DoS attacks and also, possibly, SPAM or SPIT attacks and malicious software (e.g., worm) attacks
- Note that in usual networks, DDoS attacks are typically preceded by (massive) scanning attacks, in order to find vulnerable computers to be used as zombies
- So, detecting the scanning attacks may also help prevent DDoS attacks

Statistical Anomaly Detection Techniques
- An inherent problem with statistical anomaly detection techniques lies in the very definition of anomalous behavior or, in the case of networks, anomalous traffic
- Namely, under certain circumstances, the traffic may change considerably or even abruptly also in normal operation, in the absence of malicious traffic
- Such traffic will very likely be classified as anomalous, although it does not correspond to attacks

Statistical Anomaly Detection Techniques
- Therefore, the thresholds need to be carefully chosen and, instead of being static and fixed, they may be dynamic (e.g., may depend on the time of day) or may change adaptively
- Of course, if the attacker knows the adaptation policy, then the attack traffic can also be adapted accordingly, in order to satisfy the dynamic or adaptive thresholds and yet mount an attack
- For example, sophisticated attackers may launch (D)DoS attacks slowly and gradually instead of abruptly
- However, at the point when an attack presents a problem for the network functionality, it should be easier to detect

Statistical Anomaly Detection Techniques - Examples
- A general method underlying many proposed statistical anomaly detection techniques consists of two stages:
  - Modelling stage, in which a statistical model of normal data/traffic, possibly dynamic (e.g., depending on the time of day or the day of the week), is developed by using historical or expected behavior data
  - Comparison stage, in which an observed portion of traffic (a single packet or a sequence of packets of network traffic) is compared with the developed statistical model and a decision is made whether the deviation from the statistical model is statistically significant or not

Statistical Anomaly Detection Techniques - Examples
- Clustering techniques: group multidimensional training data into clusters by using an appropriate metric and then compare observed (individual or cluster) data with training data; typically, attack data result in more compact clusters
- Normal traffic waveforms in time (e.g., packet rate or byte rate curves) can be modelled by:
  - Neural networks
  - Principal component analysis
  - Discrete wavelet transforms

Statistical Anomaly Detection Techniques - Examples
- Comparison of an individual data sample with a profile probability distribution can be performed by using thresholds derived from the profile probability distribution or, in a simplified way, by using the mean value and standard deviation of the probability distribution
- Comparison of a set of data samples with a probability distribution can be performed by comparing the empirical probability distribution derived from the sampled data with the profile probability distribution, e.g., by using the chi-square statistic; for comparing two sample distributions, the two-sample chi-square statistic can be used
- Comparison of two waveforms can be performed by correlation techniques

Statistical Anomaly Detection Techniques - Examples
- Entropies of IP addresses and port numbers can be used for detecting random spoofing of IP addresses and port scanning, respectively
- The number of open or half-open TCP connections, derived from TCP flags, can be used for detecting (D)DoS attacks using the TCP protocol
- Asymmetry between in-bound and out-bound packet or byte rates can be used for detecting (D)DoS attacks using the TCP protocol and also, for SIP traffic, the UDP protocol, as SIP is a symmetric request/response protocol
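The three statistics of this slide computed over constructed packet samples, as an added Python example that is not part of the original slides: source-address and destination-port entropy, half-open TCP connections derived from the flags, and the in-bound/out-bound packet asymmetry. The packet record layout, the server address and all samples are constructed for the example.

```python
"""Entropy, half-open TCP connection count and in/out asymmetry statistics."""
import math
from collections import Counter

# Packet record: (direction, src_ip, dst_ip, proto, sport, dport, tcp_flags, size)
# direction is "in" (towards the protected server) or "out"; tcp_flags is a set.
SERVER = "198.51.100.10"   # constructed protected host


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of the values."""
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in Counter(values).values())


def source_ip_entropy(packets):
    """High values over a short interval suggest randomly spoofed source addresses."""
    return entropy([p[1] for p in packets if p[0] == "in"])


def dest_port_entropy(packets):
    """High values from a single source suggest port scanning."""
    return entropy([p[5] for p in packets if p[0] == "in"])


def half_open_connections(packets):
    """TCP connections whose SYN was seen but whose handshake was never
    completed by the client's ACK, using TCP flags only."""
    pending = set()
    for direction, src, dst, proto, sport, dport, flags, _ in packets:
        if proto != "tcp" or direction != "in":
            continue
        key = (src, sport, dst, dport)
        if "SYN" in flags and "ACK" not in flags:
            pending.add(key)
        elif "ACK" in flags and key in pending:
            pending.discard(key)
    return len(pending)


def rate_asymmetry(packets):
    """In-bound / out-bound packet count; request/response traffic stays near 1."""
    inbound = sum(1 for p in packets if p[0] == "in")
    outbound = sum(1 for p in packets if p[0] == "out")
    return inbound / max(outbound, 1)


def profile(packets):
    """All four statistics for one observation interval."""
    return {"src_ip_entropy": source_ip_entropy(packets),
            "dst_port_entropy": dest_port_entropy(packets),
            "half_open": half_open_connections(packets),
            "asymmetry": rate_asymmetry(packets)}


def tcp_session(client, sport, dport, completed=True):
    """Constructed packets of one client/server TCP exchange (not a real capture)."""
    pk = [("in", client, SERVER, "tcp", sport, dport, {"SYN"}, 60),
          ("out", SERVER, client, "tcp", dport, sport, {"SYN", "ACK"}, 60)]
    if completed:
        pk += [("in", client, SERVER, "tcp", sport, dport, {"ACK"}, 52),
               ("in", client, SERVER, "tcp", sport, dport, {"ACK", "PSH"}, 400),
               ("out", SERVER, client, "tcp", dport, sport, {"ACK", "PSH"}, 1200)]
    return pk


# Four ordinary web clients: 12 packets in, 8 out, every handshake completed.
NORMAL_SAMPLE = [p for i in range(4)
                 for p in tcp_session("192.0.2.%d" % (i + 1), 50000 + i, 80)]
# SYN flood: 200 SYNs from 200 different (spoofed) sources, none completed.
SYN_FLOOD_SAMPLE = [p for i in range(200)
                    for p in tcp_session("203.0.113.%d" % (i + 1), 40000 + i, 80, False)]
# Port scan: one source sending a SYN to each of 100 ports.
PORT_SCAN_SAMPLE = [("in", "192.0.2.77", SERVER, "tcp", 40000 + i, i + 1, {"SYN"}, 60)
                    for i in range(100)]
# UDP flood at the SIP port: 300 packets in from three sources, 10 answers out.
UDP_FLOOD_SAMPLE = ([("in", "203.0.113.%d" % (i % 3 + 1), SERVER, "udp", 5060, 5060, set(), 700)
                     for i in range(300)]
                    + [("out", SERVER, "203.0.113.1", "udp", 5060, 5060, set(), 500)
                       for _ in range(10)])
```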

Statistical Anomaly Detection Techniques - Examples
- Peakflow is an IPS system/device of Arbor Networks for network profiling and anomaly detection, mitigation, and prevention
- Models legitimate relationships (matrices) between users, machines, and applications, using basic packet information
- Behavioral fingerprint traffic profiling and violation detection
- Behavior-based worm detection
- Rate-based anomaly detection
- Slow and fast scan detection
- (D)DoS detection
- Intelligent attack mitigation and prevention
More informationCTS2134 Introduction to Networking. Module 08: Network Security
CTS2134 Introduction to Networking Module 08: Network Security Denial of Service (DoS) DoS (Denial of Service) attack impacts system availability by flooding the target system with traffic or by exploiting
More informationASA Access Control. Section 3
[ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look
More informationLayer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers
Layer 4: UDP, TCP, and others based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Concepts application set transport set High-level, "Application Set" protocols deal only with how handled
More informationAnomaly Detection in Communication Networks
Anomaly Detection in Communication Networks Prof. D. J. Parish High Speed networks Group Department of Electronic and Electrical Engineering D.J.Parish@lboro.ac.uk Loughborough University Overview u u
More informationDenial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu
Denial of Service Denial of Service Ozalp Babaoglu Availability refers to the ability to use a desired information resource or service A Denial of Service attack is an attempt to make that information
More informationDDoS Testing with XM-2G. Step by Step Guide
DDoS Testing with XM-G Step by Step Guide DDoS DEFINED Distributed Denial of Service (DDoS) Multiple compromised systems usually infected with a Trojan are used to target a single system causing a Denial
More informationInternet Security: Firewall
Internet Security: Firewall What is a Firewall firewall = wall to protect against fire propagation More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits
More informationCheck Point DDoS Protector Simple and Easy Mitigation
Check Point DDoS Protector Simple and Easy Mitigation Jani Ekman janie@checkpoint.com Sales Engineer DDoS Protector 1 (D)DoS Attacks 2 3 4 DDoS Protector Behavioral DoS Protection Summary 2 What is an
More informationIDS: Signature Detection
IDS: Signature Detection Idea: What is bad, is known What is not bad, is good Determines whether a sequence of instructions being executed is known to violate the site security policy Signatures: Descriptions
More informationImproved Detection of Low-Profile Probes and Denial-of-Service Attacks*
Improved Detection of Low-Profile Probes and Denial-of-Service Attacks* William W. Streilein Rob K. Cunningham, Seth E. Webster Workshop on Statistical and Machine Learning Techniques in Computer Intrusion
More informationVoIP Security Threat Analysis
2005/8/2 VoIP Security Threat Analysis Saverio Niccolini, Jürgen Quittek, Marcus Brunner, Martin Stiemerling (NEC, Network Laboratories, Heidelberg) Introduction Security attacks taxonomy Denial of Service
More informationEndpoint Protection : Last line of defense?
Endpoint Protection : Last line of defense? First TC Noumea, New Caledonia 10 Sept 2018 Independent Information Security Advisor OVERVIEW UNDERSTANDING ENDPOINT SECURITY AND THE BIG PICTURE Rapid development
More informationAnti-DDoS. FAQs. Issue 11 Date HUAWEI TECHNOLOGIES CO., LTD.
Issue 11 Date 2018-05-28 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2019. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any
More informationFirewalls, IDS and IPS. MIS5214 Midterm Study Support Materials
Firewalls, IDS and IPS MIS5214 Midterm Study Support Materials Agenda Firewalls Intrusion Detection Systems Intrusion Prevention Systems Firewalls are used to Implement Network Security Policy Firewalls
More informationScrutinizer Flow Analytics
Scrutinizer Flow Analytics TM Scrutinizer Flow Analytics Scrutinizer Flow Analytics is an expert system that highlights characteristics about the network. It uses flow data across dozens or several hundred
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN
More informationDenial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu
Denial of Service Denial of Service Ozalp Babaoglu Availability refers to the ability to use a desired information resource or service A Denial of Service attack is an attempt to make that information
More informationSecurity for SIP-based VoIP Communications Solutions
Tomorrow Starts Today Security for SIP-based VoIP Communications Solutions Enterprises and small to medium-sized businesses (SMBs) are exposed to potentially debilitating cyber attacks and exploitation
More information(2½ hours) Total Marks: 75
(2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.
More informationHuawei NIP2000/5000 Intrusion Prevention System
Huawei 2000/5000 Intrusion Prevention System Huawei series is designed for large- and medium-sized enterprises, industries, and carriers to defend against network threats and ensure proper operations of
More informationhaltdos - Web Application Firewall
haltdos - DATASHEET Delivering best-in-class protection for modern enterprise Protect your website against OWASP top-10 & Zero-day vulnerabilities, DDoS attacks, and more... Complete Attack Protection
More informationDoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors
DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors 1 Table of Content Preamble...3 About Radware s DefensePro... 3 About Radware s Emergency Response Team
More informationSecurity Gap Analysis: Aggregrated Results
Email Security Gap Analysis: Aggregrated Results Average rates at which enterprise email security systems miss spam, phishing and malware attachments November 2017 www.cyren.com 1 Email Security Gap Analysis:
More informationA Firewall Architecture to Enhance Performance of Enterprise Network
A Firewall Architecture to Enhance Performance of Enterprise Network Hailu Tegenaw HiLCoE, Computer Science Programme, Ethiopia Commercial Bank of Ethiopia, Ethiopia hailutegenaw@yahoo.com Mesfin Kifle
More informationAcceptable Use Policy
Acceptable Use Policy. August 2016 1. Overview Kalamazoo College provides and maintains information technology resources to support its academic programs and administrative operations. This Acceptable
More informationWHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks
WHITE PAPER 2017 DDoS of Things SURVIVAL GUIDE Proven DDoS Defense in the New Era of 1 Tbps Attacks Table of Contents Cyclical Threat Trends...3 Where Threat Actors Target Your Business...4 Network Layer
More informationDDoS PREVENTION TECHNIQUE
http://www.ijrst.com DDoS PREVENTION TECHNIQUE MADHU MALIK ABSTRACT A mobile ad hoc network (MANET) is a spontaneous network that can be established with no fixed infrastructure. This means that all its
More informationChapter 4. Network Security. Part I
Chapter 4 Network Security Part I CCNA4-1 Chapter 4-1 Introducing Network Security Introduction to Network Security CCNA4-2 Chapter 4-1 Introducing Network Security Why is Network Security important? Rapid
More informationDDOS Attack Prevention Technique in Cloud
DDOS Attack Prevention Technique in Cloud Priyanka Dembla, Chander Diwaker CSE Department, U.I.E.T Kurukshetra University Kurukshetra, Haryana, India Email: priyankadembla05@gmail.com Abstract Cloud computing
More informationIntrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng
Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Internet Security Mechanisms Prevent: Firewall, IPsec, SSL Detect: Intrusion Detection Survive/ Response:
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition Network Attacks Denial of service Attacks Introduction: What is DoS? DoS attack is an attempt (malicious or selfish) by an attacker to cause
More informationChapter 8 roadmap. Network Security
Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e-mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing
More informationYuri Gushin & Alex Behar
Yuri Gushin & Alex Behar Ø Introduction Ø DoS Attacks overview & evolution Ø DoS Protection Technology Ø Operational mode Ø Detection Ø Mitigation Ø Performance Ø Wikileaks (LOIC) attack tool analysis
More informationDONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY
DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY Published By: Fusion Factor Corporation 2647 Gateway Road Ste 105-303 Carlsbad, CA 92009 USA 1.0 Overview Fusion Factor s intentions for publishing an
More informationCIH
mitigating at host level, 23 25 at network level, 25 26 Morris worm, characteristics of, 18 Nimda worm, characteristics of, 20 22 replacement login, example of, 17 signatures. See signatures SQL Slammer
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 6 Intrusion Detection First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Intruders significant issue hostile/unwanted
More informationNetwork Anomaly Detection Using Autonomous System Flow Aggregates
Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering 2 Department of Computer Science University
More informationConfiguring Anomaly Detection
CHAPTER 9 Caution Anomaly detection assumes it gets traffic from both directions. If the sensor is configured to see only one direction of traffic, you should turn off anomaly detection. Otherwise, when
More informationHOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL
HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL CONTENTS EXECUTIVE SUMMARY 1 WEB APPLICATION SECURITY CHALLENGES 2 INSIST ON BEST-IN-CLASS CORE CAPABILITIES 3 HARNESSING ARTIFICIAL INTELLIGENCE
More informationManaging Latency in IPS Networks
Revision C McAfee Network Security Platform (Managing Latency in IPS Networks) Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended settings
More informationIntrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis
Intrusion Detection Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 22-1 1. Intruders 2. Intrusion
More information