Data Mining and Intrusion Detection (presentation transcription)
Data Mining and Intrusion Detection
A short presentation focusing on cost-sensitive issues, submitted in partial fulfillment of CSE 8331 Data Mining, Spring
Abhishek D. Sanwal

Outline of Presentation
- Intrusion Detection Systems: Where? How? Why?
- Issues and Problems
- Big Issue: Cost
- Cost Sensitive Modeling: past, present and future
  - Cost Factors
  - Cost Metrics
  - Cost Models
  - Reducing Costs
  - Implementation overview
- Summary, Conclusions, Future Directions
- Project 1: Real-time DM IDS Analysis Architecture
- Q & A

Intrusion Detection Systems (IDS)
Why do we need them despite all other security measures? If we can make a network secure enough using a firewall and other precautions, why is that not enough? Because:
- A firewall is simply a fence around the network, with a couple of well-chosen gates.
- A fence has no capability to detect somebody trying to break in (such as digging a hole or tunnel under it).
- Nor does a fence know whether somebody coming through the gate is supposed to be allowed in.
- An IDS is analogous to having security guards, surveillance and countermeasures in addition to the barbed-wire fencing and high, hard-to-scale walls.
- Firewall: active filtering. IDS: passive monitoring.

IDS: Where, How and Why?
- The sensors of an IDS are intuitively placed at locations close to the perimeter (though a "secure" perimeter may still be breached): adjoining the perimeter, inside and outside the enclave.
- An IDS could have a single sensor, or distributed sensors with central processing, distributed processing, or correlated decision making.

Issues and Problems
- Deployment: geographical dispersal, installation, setup and customization
- Management: upgrading, modification as the network architecture changes, maintaining the sensors, data overload, changes in the security world
- Integration: disparate data formats, lack of a single cross-reference between data sources, time synchronization of sensors

What do we need to add to an IDS?
- A universal data format for IDS data: IDEF (Intrusion Detection Exchange Format), CIDF (Common Intrusion Detection Framework), Intrusion Detection Working Group
- A common cross-reference between different IDSs, for interoperability
- Time synchronization built into the IDS
- Data reduction for analysis
- Fewer false alarms
- Timely updating of attack signatures
- Automated encoding of intrusions and traffic into models (previous systems were all knowledge-engineered)
Tackling some Issues for now
- Cost Sensitive IDS (this presentation)
- Maybe later in the paper, but not in this presentation: DM with unlabeled data, DM with a correlation framework, detecting novel attacks

Cost Sensitive Modeling for IDS: Why?
- We need to evaluate technical effectiveness: IDSs fail to detect new and stealthy attacks.
- A real-time IDS is exposed to overload attacks: the intended intrusion succeeds because an overload of intrusion reports forces the admin to raise detection and response thresholds, so real attacks get ignored or overlooked.

What is needed?
- Cost effectiveness of the IDS. As any investor in a business would say: ROI (return on investment). Motivation: to prevent losses.

Cost Sensitive Modeling: Why not in use?
- Complexity: IDS cost analysis is a low priority compared with adding features and improving detection rules.
- Cost factors are site-specific.
- Not all factors reduce to discrete dollars: units of measurement and probabilities differ.
- Solution: qualitative analysis, measuring the relative magnitudes of the cost factors. But how? Where do we go now?

There is hope. Eureka!
- IDS framework proposed by Wenke Lee [PhD thesis]: automate development and lower development cost.
- DM algorithms are applied to compute activity patterns, extract predictive features and generate detection rules (using machine learning algorithms).
- The adaptability of the framework helps reduce the complexity of adding cost-sensitive modeling.

Cost Sensitive Modeling
- Cost factors, cost metrics, cost models
- Cost breakdown: damage cost, response cost, operational cost
- These costs are site-specific and depend on security policies, information assets and risk factors.
To produce meaningful cost metrics: the attack taxonomy
Essentially, the attack taxonomy groups intrusions into types, categorized and analyzed from different perspectives.

Attack type | Description           | Sub-categories        | Cause / examples
U2R         | User -> illegal root  | Local, Remote         | More complex attacks; various buffer overflow attacks
R2L         | Outside -> inside     | Single, Multiple      | One event; multiple events, hosts, days etc.
DOS         | DoS of the target     | Crashing, Consumption | A malicious event (e.g. teardrop); repeated malicious events (e.g. synflood)
PROBE       | Target information    | Simple, Stealth       | Probe events over a short time (e.g. portscan); probe events distributed sparsely over a long time window (e.g. slow stealthy portscan)

In the table as ordered, DCost and RCost run from highest at the top to lowest at the bottom.

Damage Cost
- Criticality: importance or value depending on the functional role in the organization, or the relative cost of replacement / unavailability / disclosure.
- Lethality: the degree of damage that could potentially be caused by the attack.
- Progress: a measure of how successful the attack is in achieving its goal, i.e. the percentage of the maximum DCost that should be accounted for.
- For each attack category, define a relative lethality scale and use it as the base damage cost (base_D). Hence DCost = Criticality x base_D, i.e. DCost = Criticality x Lethality.
- Actual cost = Progress x Criticality x base_D, i.e. DCost = Criticality of target x Lethality of attack x Attack progress.

Response Cost
- Response mechanisms depend on IDS capabilities, site-specific policies, and the attack type and target resource.
- Response cost (repair, downtime) is greater for more complex attacks (marked orange in the attack taxonomy slide).
- RCost = Criticality x base_R (base response cost).
- ...to respond, or not to respond, that is the question...
For an intrusion:
- Response Cost > Damage Cost => simple logging
- Response Cost <= Damage Cost => take an appropriate response, such that RCost remains less than DCost

Responses
- Termination of the network connection/session
- Rebooting the targeted system
- Notifying the admin of the offending machine(s)
- Recording the session for evidence and further investigation (to avoid action against false positives)
- Identification, containment, eradication, recovery

Operational Cost
- The inherent cost of running an IDS: the amount of time and computing resources required to extract and test features.
- OpCost is associated with time because a real-time IDS must detect an attack while it is in progress and raise an alarm as quickly as possible so that the damage can be minimized. A slower IDS that uses features with higher computational costs should be penalized.
- The cost of computational resources is also a factor, since a resource in use by the IDS cannot be used by another task at the same time.

Operational Cost (contd.)
- More features => operational cost increases, e.g. correlation analysis to detect extended, coordinated attacks.
- Features are classified relatively by their computational cost:
  - Level 1: can be computed from the first packet itself (e.g. service)
  - Level 2: can be computed at any point during the life of the connection (e.g. connection state)
  - Level 3: can be computed at the end of the connection, using information only about the connection being examined (e.g. bytes sent during the connection)
  - Level 4: can be computed at the end of the connection, but require access to data of potentially many other prior connections (e.g. temporal and statistical features); these are the most costly to compute
Cost Models
- Operational cost (OpCost): the inherent cost of running an IDS. In the absence of an IDS the OpCost decreases (only the other, non-IDS security measures remain), but that is sensible only if the value of the system, its damage cost, downtime and repair cost are acceptable and do not justify installing and running an IDS with higher costs.
- Consequential cost (CCost): incurred as a consequence of the prediction made for an event and the response(s) generated, if any.

Cost Models (contd.)
For an event e = (a, p, r) under observation, described by the attack type a, the progress p of the attack and the target resource r, the detection outcome of e can be one of the following:
- False negative (FN): the cost of not detecting an attack
- False positive (FP): the cost of responding to a legitimate event as if it were an intrusion, plus the penalty incurred for treating it that way
- True positive (TP): the cost of detecting an attack and possibly responding to it
- True negative (TN): the cost of finding events to be legitimate
- Misclassified hit (MCH): the cost of mis-identifying an attack, responding to it incorrectly (if RCost <= DCost), and also incurring the cost of damage due to the true attack and the effect of its progress until an appropriate response is generated and takes effect

Cost Models (contd.): model for consequential cost [Wenke Cost ACM 2001]
Here e is the actual event, e' is the event as predicted by the IDS (which may differ from e in attack type), and PCost(e) is the penalty for acting on a legitimate event.

Outcome                      | Consequential cost CCost(e)  | Condition
False negative (miss)        | DCost(e)                     |
False positive (false alarm) | RCost(e') + PCost(e)         | if RCost(e') <= DCost(e')
                             | 0                            | if RCost(e') > DCost(e')
True positive (hit)          | RCost(e) + eps1 * DCost(e)   | if RCost(e) <= DCost(e)
                             | DCost(e)                     | if RCost(e) > DCost(e)
True negative (normal)       | 0                            |
Misclassified hit            | RCost(e') + eps2 * DCost(e)  | if RCost(e') <= DCost(e')
                             | DCost(e)                     | if RCost(e') > DCost(e')

eps1 is a function of the progress of the attack; eps2 is a function of the progress and of the effect of the incorrect response.

Cost Models (contd.)
Therefore, for a labeled test set E, where each e in E has a label of normal or one of the intrusions, we define the cumulative cost of the IDS as:

CumulativeCost(E) = sum over e in E of ( CCost(e) + OpCost(e) )

- It may not always be possible to put damage costs into the same measurement units, hence each is analyzed on its own relative scale. The two must then be compared and combined so that CCost(e) can be computed for use in the relevant cost calculation.

Cost Sensitive Modeling
- Cost-sensitive modeling must be performed periodically, because the cost metrics must take into account changes in information assets and security policies.
- Therefore it is important to develop tools that can automatically produce cost-sensitive models for given cost metrics.
- Machine learning methods for reducing the cumulative cost of intrusion detection have been developed and evaluated. We describe the particular methods which have proven most effective in building cost-sensitive models.

Cost Sensitive Modeling: Reducing Costs
- Reducing OpCost: use the cheaper features in the ID models (less computationally intensive, less delay).
- Reducing CCost: if for an intrusion RCost > DCost, then do not respond to the attack.
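The cost model from the preceding slides, worked through in code, as an added example (not code from the presentation or from Lee et al.): DCost and RCost from criticality and per-category base costs, the respond-or-log decision, the five consequential-cost outcomes, the cumulative cost over a labelled test set, and a MetaCost-style relabelling of intrusions with RCost > DCost as normal. The attack categories follow the slides' taxonomy; the base lethality, base response cost and criticality values, the default choices for eps1 and eps2, and the sample events are constructed assumptions, not calibrated numbers.

```python
"""Cost-sensitive IDS cost model: DCost, RCost, the respond-or-log decision,
the consequential-cost outcomes and the cumulative cost over a labelled set.

Added example; not code from the presentation or from Lee et al. All numeric
values below are constructed assumptions on a relative scale.
"""
from dataclasses import dataclass

# Relative base damage cost (lethality, base_D) and base response cost (base_R)
# per attack category; "normal" has no cost. Constructed values.
BASE_D = {"normal": 0, "probe": 2, "dos": 20, "r2l": 30, "u2r": 50}
BASE_R = {"normal": 0, "probe": 5, "dos": 10, "r2l": 15, "u2r": 40}

# Criticality of a target resource by its functional role. Constructed values.
CRITICALITY = {"workstation": 1, "web_server": 3, "db_server": 5}


@dataclass(frozen=True)
class Event:
    attack: str        # attack type a ("normal" for legitimate activity)
    progress: float    # attack progress p in [0, 1]
    resource: str      # target resource r


def dcost(e):
    """DCost = criticality of target x lethality of attack (maximum damage)."""
    return CRITICALITY[e.resource] * BASE_D[e.attack]


def rcost(e):
    """RCost = criticality of target x base response cost of the attack type."""
    return CRITICALITY[e.resource] * BASE_R[e.attack]


def decide(report):
    """Post-detection decision module: respond only when the response costs
    no more than the damage it prevents; otherwise just log the report."""
    return "respond" if rcost(report) <= dcost(report) else "log"


def ccost(true, pred, pcost=0.0, eps1=None, eps2=None):
    """Consequential cost of predicting `pred` for the actual event `true`,
    following the five outcomes of the cost table. eps1 (share of the damage
    done before a correct response takes effect) defaults to the attack's
    progress; eps2 (progress plus the effect of the wrong response on a
    misclassified hit) defaults to progress + 0.5, capped at 1. Both defaults
    are assumptions. `pcost` is the penalty for acting on a legitimate event."""
    true_attack = true.attack != "normal"
    pred_attack = pred.attack != "normal"
    if not true_attack and not pred_attack:          # true negative
        return 0.0
    if true_attack and not pred_attack:              # false negative: full damage
        return float(dcost(true))
    respond = decide(pred) == "respond"
    if not true_attack:                              # false positive
        return rcost(pred) + pcost if respond else 0.0
    if true.attack == pred.attack:                   # true positive
        e1 = true.progress if eps1 is None else eps1
        return rcost(pred) + e1 * dcost(true) if respond else float(dcost(true))
    e2 = min(1.0, true.progress + 0.5) if eps2 is None else eps2  # misclassified hit
    return rcost(pred) + e2 * dcost(true) if respond else float(dcost(true))


def cumulative_cost(labelled, predicted, opcost):
    """CumulativeCost(E) = sum over e in E of CCost(e) + OpCost(e).
    `opcost` maps an event to the operational cost of the features used."""
    return sum(ccost(t, p) + opcost(t) for t, p in zip(labelled, predicted))


def metacost_relabel(training):
    """MetaCost-style relabelling: intrusions not worth responding to
    (RCost > DCost) get their optimal class, normal, before a standard
    learner is trained on the data."""
    return [Event("normal", 0.0, e.resource)
            if e.attack != "normal" and rcost(e) > dcost(e) else e
            for e in training]


if __name__ == "__main__":
    # Constructed events: a SYN flood half-way through against a web server,
    # a completed port scan of a workstation, and legitimate traffic.
    syn = Event("dos", 0.5, "web_server")
    scan = Event("probe", 1.0, "workstation")
    ok = Event("normal", 0.0, "web_server")
    print("syn flood:", decide(syn), " scan:", decide(scan))
    truth = [syn, scan, ok]
    preds = [syn, Event("normal", 0.0, "workstation"), ok]   # the scan is missed
    print("cumulative cost:", cumulative_cost(truth, preds, lambda e: 1.0))
    print("relabelled:", [e.attack for e in metacost_relabel(truth)])
```

With these constructed numbers the port scan of a workstation is logged rather than answered (RCost 5 > DCost 2), so missing it costs only its DCost of 2, while the SYN flood against the web server is worth responding to (RCost 30 <= DCost 60) and a hit at 50% progress costs 30 + 0.5 x 60. Changing the criticality or base-cost tables changes the decisions without retraining anything, which is the point of keeping the comparison in a post-detection module.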
Reducing Operational Costs: a multiple-model approach
- Build multiple rule-sets, each with features of different cost levels. Originally the computational costs of features were not considered, as accuracy was the only concern.
- Use the cheaper rule-sets first (less accurate), and the costlier ones later, only when higher accuracy is required.
- A simple way to incorporate cost-sensitive rule induction in RIPPER (i.e. make it more sensitive to feature costs): modify the search heuristic so that it considers both information gain and feature cost.
- Different types of intrusions can enforce a notion of different per-class sensitivity. For very damaging intrusions it is desirable to produce a model that is as accurate as possible, without much consideration of the cost of features; for intrusions that cause little harm it is desirable to have a model that is very cheap, even if accuracy is sacrificed.

Reducing Consequential Costs
- MetaCost: purposely re-label intrusions with RCost > DCost as normal. The main idea behind MetaCost is to first re-label each record in the training dataset with the record's optimal class, which may not be the same as its actual class, and then apply a standard machine learning algorithm to the relabeled training set.
- Post-detection decision module: the action depends on a comparison of RCost and DCost. This eliminates the time-consuming need to retrain models when cost factors change.
- Architecture: Detection Module -> Intrusion Report (attack names, targets) -> compute DCost and RCost -> Decision Module -> either log the intrusion report (RDBMS/files) or hand it to the Response Module.

Implementation: Baseline (Flat), NC and FSM Rulesets

Ordered ruleset
- Evaluation of an ordered ruleset does not require each rule to be tested, but proceeds from the top of the ruleset to the bottom until a rule evaluates to true.
- The OpCost to evaluate an ordered ruleset for a given event is the total cost of computing the unique features until a prediction is made.
- For ID, a freq ruleset is usually lowest in OpCost, i.e. it accurately classifies normal events (the first rules identify normal, which is usually the most frequently occurring class).
- On the other side, a +freq ruleset will most likely be higher in OpCost but more accurate in classifying intrusions.

Unordered ruleset
- Here there is at least one rule for each class, and many rules for frequently occurring classes.
- There is also a default class, which is used for prediction when none of the rules are satisfied.
- The advantage: all rules are evaluated during prediction, and conflicts are broken by using the more accurate rule.
- Unordered rulesets generally contain more rules and are less efficient in execution than freq and +freq ordered rulesets, but there are usually several rules of high precision for the most frequent class, resulting in accurate classification of normal events.

FSM approach
- This is the hand-coded attempt to model the decision-tree approach used in many IDS applications.
- At the top level, packets are classified by protocol and then proceed through the FSM.
- All the rules in a category are grouped into a single decision tree, with the leaves of the tree classified as attacks or normal connections.
- Features are computed at each point in the tree, cheapest first.

Conclusions
- Trade-offs exist between the various factors.
- The total expected cost of an IDS is the sum of its operational cost and its consequential costs.
- A multiple-model machine learning approach reduces the operational cost.
- A post-detection module reduces the consequential cost.

Future Directions
- Until now the cost and attack analysis has been performed for individual attacks. In the real world, cost-sensitive analysis and modeling is required for the detection of complex attack scenarios.
- Also, incorporating into the process of cost-sensitive modeling the uncertainty of the cost analysis that comes from incomplete or imprecise estimation, especially in anomaly detection systems.

Project 1: Some Real DM Analysis in an IDS
- Global Data Guard (GDG) developed the Empirical Surveillance Program (ESP): the application of behavioral techniques to IDS for 10 years, assembled into one next-generation IDS with a continually adaptive data collection, analysis and correlation engine.
- ESP is believed to be the most advanced behavioral IDS because it is:
  - Adaptive: adapts to changing and evolving networks
  - Behavioral: analyzes raw packet information, along with firewall and router logs, to find anomalous behavior
  - Historical: discovers slow/stealth attacks by leveraging historical data; captures forensics data
  - Scalable: runs on a multi-server system which facilitates distributed processing
  - Easy to use
  - Proven: a layered defense combining behavioral with the traditional knowledge-based IDS
- [Architecture diagram. Labels: Internet; Perimeter Device; FIREWALL (three instances); Public Zone with Web Server; Private Zone with Server and RDBMS; Private Network with Database Server with Host Intrusion Detection; ESP Sensor & Network Analysis; ESP Analysis System; Stage 1, Stage 2, Stage 3; 768-Bit Encrypted Tunnel; Internal Sensor; External Sensor.]
- ESP is comprised of: an analysis and correlation engine that supports customer-specific and global correlation; a unified console; e-tunnel (in development); the ability to plug into any knowledge-based IDS; knowledge-based, behavioral-based and host-based agents.
- ESP is a passive network device, therefore it has no impact on the customer's network.
- ESP supports threat deflection via a managed honeypot.
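The multiple-model approach and the ordered-ruleset OpCost accounting from the Reducing Operational Costs and Implementation slides, together with the four feature cost levels, worked through in code as an added example (not code from the presentation, and not Lee's RIPPER-based implementation). The per-feature costs, the three rulesets, the precision threshold and the sample connections are constructed assumptions for illustration; the field names are KDD-style but the values are made up.

```python
"""Multiple-model evaluation ordered by feature cost level.

Added example; not code from the presentation or from Lee's RIPPER work.
Feature cost levels follow the slides (1: first packet, 2: any time during
the connection, 3: end of the connection, 4: needs prior connections).
Per-feature costs, rulesets, threshold and sample connections are constructed.
"""

# feature name -> (cost level, relative computational cost); constructed values
FEATURES = {
    "service":         (1, 1),
    "flag":            (2, 5),
    "src_bytes":       (3, 10),
    "dst_bytes":       (3, 10),
    "count":           (4, 100),   # temporal feature: needs a window of prior connections
    "srv_serror_rate": (4, 100),
}

# A rule is (conditions, predicted class, rule precision). Conditions are
# tested in order, so cheaper features are listed first within a rule.
R1 = [  # levels 1-2 only: decidable from the first packets
    ({"service": lambda v: v == "http", "flag": lambda v: v == "SF"}, "normal", 0.95),
    ({"service": lambda v: v == "private", "flag": lambda v: v == "S0"}, "dos", 0.60),
]
R2 = [  # adds level-3 features: available once the connection ends
    ({"src_bytes": lambda v: v == 0, "dst_bytes": lambda v: v == 0,
      "flag": lambda v: v == "S0"}, "dos", 0.80),
]
R3 = [  # adds level-4 temporal features: most accurate, most costly
    ({"srv_serror_rate": lambda v: v > 0.8, "count": lambda v: v > 100}, "dos", 0.98),
    ({"count": lambda v: v > 100}, "probe", 0.90),
]
RULESETS = [R1, R2, R3]


def evaluate_ordered(rules, conn, computed):
    """Ordered-ruleset evaluation: walk top to bottom and stop at the first
    rule that fires. Features are computed lazily into `computed`, so OpCost
    counts only the unique features some rule actually needed. Returns
    (class, precision); the default class `normal` with precision 0.0 when
    no rule fires."""
    for conds, label, precision in rules:
        fired = True
        for feat, test in conds.items():
            if feat not in computed:
                computed[feat] = conn[feat]  # stands in for extracting the feature
            if not test(computed[feat]):
                fired = False
                break
        if fired:
            return label, precision
    return "normal", 0.0


def classify(rulesets, conn, threshold=0.9):
    """Multiple-model approach: try the cheapest ruleset first and accept its
    prediction only if the firing rule's precision meets the threshold;
    otherwise escalate to the next, costlier and more accurate ruleset. The
    last ruleset's prediction is always accepted. Returns (class, OpCost),
    OpCost being the summed cost of the unique features computed."""
    computed = {}
    for i, rules in enumerate(rulesets):
        label, precision = evaluate_ordered(rules, conn, computed)
        if precision >= threshold or i == len(rulesets) - 1:
            return label, sum(FEATURES[f][1] for f in computed)
    raise ValueError("no rulesets given")


# Constructed sample connections.
SAMPLES = {
    "http_ok":  {"service": "http", "flag": "SF", "src_bytes": 300,
                 "dst_bytes": 1500, "count": 2, "srv_serror_rate": 0.0},
    "synflood": {"service": "private", "flag": "S0", "src_bytes": 0,
                 "dst_bytes": 0, "count": 250, "srv_serror_rate": 1.0},
    "portscan": {"service": "http", "flag": "REJ", "src_bytes": 0,
                 "dst_bytes": 0, "count": 150, "srv_serror_rate": 0.1},
}

if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        multi = classify(RULESETS, conn)
        single = classify([R3], conn)  # one all-features model, for comparison
        print(f"{name:9s} multi-model={multi}  single-model={single}")
```

The normal HTTP connection is settled by the level-1 and level-2 features alone (OpCost 6), whereas a single model built only from the level-4 ruleset pays 200 for the same verdict; the SYN flood and the scan escalate through all three rulesets and pay the full feature cost, which is the trade the slides describe: cheap, early decisions for the most frequent class, expensive features only where accuracy on intrusions is needed.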
Case Study
- The case studies performed will be a part of the project report (combined project 1 and 2).

Fini
- The term paper will incorporate a complete look at data mining for IDS and will not be focused simply on cost-sensitive modeling.
- References will be in the term paper.
- Any questions?
- My other interests include: Mobile Ad Hoc Networks (security and QoS), security and intrusion detection.
- If you really liked what I have here.. I am considering employment opportunities. Contact: Abhishek Sanwal, asanwal@engr.smu.edu, asanwal@graffiti.net
More informationNetwork Security: Firewall, VPN, IDS/IPS, SIEM
Security: Firewall, VPN, IDS/IPS, SIEM Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized
More informationProCurve Network Immunity
ProCurve Network Immunity Hans-Jörg Elias Key Account Manager hans-joerg.elias@hp.com 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
More informationPolymorphic Blending Attacks. Slides by Jelena Mirkovic
Polymorphic Blending Attacks Slides by Jelena Mirkovic 1 Motivation! Polymorphism is used by malicious code to evade signature-based IDSs Anomaly-based IDSs detect polymorphic attacks because their byte
More informationEmpirical Study of Automatic Dataset Labelling
Empirical Study of Automatic Dataset Labelling Francisco J. Aparicio-Navarro, Konstantinos G. Kyriakopoulos, David J. Parish School of Electronic, Electrical and System Engineering Loughborough University
More informationNetwork Defenses 21 JANUARY KAMI VANIEA 1
Network Defenses KAMI VANIEA 21 JANUARY KAMI VANIEA 1 First, the news The Great Cannon of China https://citizenlab.org/2015/04/chinas-great-cannon/ KAMI VANIEA 2 Today Open System Interconnect (OSI) model
More informationInternet Scanner 7.0 Service Pack 2 Frequently Asked Questions
Frequently Asked Questions Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions April 2005 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.2626 Internet Security Systems (ISS)
More informationSubscriber Data Correlation
Subscriber Data Correlation Application of Cisco Stealthwatch to Service Provider mobility environment Introduction With the prevalence of smart mobile devices and the increase of application usage, Service
More informationIntrusion Detection Systems Overview
Intrusion Detection Systems Overview Chris Figueroa East Carolina University figueroac13@ecu.edu Abstract Modern intrusion detection systems provide a first line of defense against attackers for organizations.
More informationPREEMPTIVE PREventivE Methodology and Tools to protect utilities
PREEMPTIVE PREventivE Methodology and Tools to protect utilities 2014 2017 1 With the financial support of FP7 Seventh Framework Programme Grant agreement no: 607093 Preemptive goal The main goal of PREEMPTIVE
More informationOn the State of the Inter-domain and Intra-domain Routing Security
On the State of the Inter-domain and Intra-domain Routing Security Mingwei Zhang April 19, 2016 Mingwei Zhang Internet Routing Security 1 / 54 Section Internet Routing Security Background Internet Routing
More informationSSL Automated Signatures
SSL Automated Signatures WilliamWilsonandJugalKalita DepartmentofComputerScience UniversityofColorado ColoradoSprings,CO80920USA wjwilson057@gmail.com and kalita@eas.uccs.edu Abstract In the last few years
More informationMapping Internet Sensors with Probe Response Attacks
Mapping Internet Sensors with Probe Response Attacks John Bethencourt, Jason Franklin, and Mary Vernon {bethenco, jfrankli, vernon}@cs.wisc.edu Computer Sciences Department University of Wisconsin, Madison
More informationActivating Intrusion Prevention Service
Activating Intrusion Prevention Service Intrusion Prevention Service Overview Configuring Intrusion Prevention Service Intrusion Prevention Service Overview Intrusion Prevention Service (IPS) delivers
More informationImproving Positron Emission Tomography Imaging with Machine Learning David Fan-Chung Hsu CS 229 Fall
Improving Positron Emission Tomography Imaging with Machine Learning David Fan-Chung Hsu (fcdh@stanford.edu), CS 229 Fall 2014-15 1. Introduction and Motivation High- resolution Positron Emission Tomography
More informationCS Review. Prof. Clarkson Spring 2016
CS 5430 Review Prof. Clarkson Spring 2016 SECURING THE LOG Securing the log Good practice: limit access to log files Least Privilege Append-only access for most users: no read, rename, delete permission
More informationCND Exam Blueprint v2.0
EC-Council C ND Certified Network Defende r CND Exam Blueprint v2.0 CND Exam Blueprint v2.0 1 Domains Objectives Weightage Number of Questions 1. Computer Network and Defense Fundamentals Understanding
More informationThis shows a typical architecture that enterprises use to secure their networks: The network is divided into a number of segments Firewalls restrict
1 This shows a typical architecture that enterprises use to secure their networks: The network is divided into a number of segments Firewalls restrict access between segments This creates a layered defense
More informationTransforming Security from Defense in Depth to Comprehensive Security Assurance
Transforming Security from Defense in Depth to Comprehensive Security Assurance February 28, 2016 Revision #3 Table of Contents Introduction... 3 The problem: defense in depth is not working... 3 The new
More informationModeling Intrusion Detection Systems With Machine Learning And Selected Attributes
Modeling Intrusion Detection Systems With Machine Learning And Selected Attributes Thaksen J. Parvat USET G.G.S.Indratrastha University Dwarka, New Delhi 78 pthaksen.sit@sinhgad.edu Abstract Intrusion
More informationRELEVANT IMPACT: Building a Successful Threat Management Program. NTX ISSA 3 rd Semi-Annual Cyber Security Conference
RELEVANT IMPACT: Building a Successful Threat Management Program NTX ISSA 3 rd Semi-Annual Cyber Security Conference 10-2-15 Threat Management Definition Current State of Threat Management in Most Organizations
More informationNetwork Intrusion Detection Systems. Beyond packet filtering
Network Intrusion Detection Systems Beyond packet filtering Goal of NIDS Detect attacks as they happen: Real-time monitoring of networks Provide information about attacks that have succeeded: Forensic
More informationNetwork Defenses 21 JANUARY KAMI VANIEA 1
Network Defenses KAMI VANIEA 21 JANUARY KAMI VANIEA 1 Similar statements are found in most content hosting website privacy policies. What is it about how the internet works that makes this statement necessary
More informationIPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions
IPS Effectiveness IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions An Intrusion Prevention System (IPS) is a critical layer of defense that helps you protect
More informationOnline Intrusion Alert Based on Aggregation and Correlation
Online Intrusion Alert Based on Aggregation and Correlation Kunchakarra Anusha 1, K.V.D.Sagar 2 1 Pursuing M.Tech(CSE), Nalanda Institute of Engineering & Technology,Siddharth Nagar, Sattenapalli, Guntur.,
More informationalign security instill confidence
align security instill confidence cyber security Securing data has become a top priority across all industries. High-profile data breaches and the proliferation of advanced persistent threats have changed
More informationFirewalls (IDS and IPS) MIS 5214 Week 6
Firewalls (IDS and IPS) MIS 5214 Week 6 Agenda Defense in Depth Evolution of IT risk in automated control systems Security Domains Where to put firewalls in an N-Tier Architecture? In-class exercise Part
More informationSecurity Solutions. Overview. Business Needs
Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.
More informationCisco IPS AIM and IPS NME for Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers
Cisco IPS AIM and IPS NME for Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers The Cisco Intrusion Prevention System Advanced Integration Module (IPS AIM) and Network Module Enhanced
More informationTowards Traffic Anomaly Detection via Reinforcement Learning and Data Flow
Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow Arturo Servin Computer Science, University of York aservin@cs.york.ac.uk Abstract. Protection of computer networks against security
More informationModule 2: AlienVault USM Basic Configuration and Verifying Operations
AlienVault USM for Security Engineers 5 day course outline Course Introduction Module 1: Overview The Course Introduction provides students with the course objectives and prerequisite learner skills and
More informationFlowzilla: A Methodology for Detecting Data Transfer Anomalies in Research Networks. Anna Giannakou, Daniel Gunter, Sean Peisert
Flowzilla: A Methodology for Detecting Data Transfer Anomalies in Research Networks Anna Giannakou, Daniel Gunter, Sean Peisert Research Networks Scientific applications that process large amounts of data
More informationA Real-world Demonstration of NetSocket Cloud Experience Manager for Microsoft Lync
A Real-world Demonstration of NetSocket Cloud Experience Manager for Microsoft Lync Introduction Microsoft Lync connects people everywhere as part of their everyday productivity experience. When issues
More informationExternal Supplier Control Obligations. Cyber Security
External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place
More informationA Firewall Architecture to Enhance Performance of Enterprise Network
A Firewall Architecture to Enhance Performance of Enterprise Network Hailu Tegenaw HiLCoE, Computer Science Programme, Ethiopia Commercial Bank of Ethiopia, Ethiopia hailutegenaw@yahoo.com Mesfin Kifle
More informationA TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS
ISSN: 2229-6948 (ONLINE) ICTACT JOURNAL OF COMMUNICATION TECHNOLOGY, JUNE 2010, VOLUME: 01, ISSUE: 02 DOI: 10.21917/ijct.2010.0013 A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING
More informationChapter 5: Vulnerability Analysis
Chapter 5: Vulnerability Analysis Technology Brief Vulnerability analysis is a part of the scanning phase. In the Hacking cycle, vulnerability analysis is a major and important part. In this chapter, we
More informationWireless Network Security Spring 2016
Wireless Network Security Spring 2016 Patrick Tague Class #11 - Identity Mgmt.; Routing Security 2016 Patrick Tague 1 Class #11 Identity threats and countermeasures Basics of routing in ad hoc networks
More informationCyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS
Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Continual disclosed and reported
More informationNERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS
NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements
More information