Cloud Security (WS 2015/16)
Slide 1: Cloud Security (WS 2015/16)
8. OpenNebula, Intrusion Detection, Honeypots
Hans P. Reiser, Winter semester 2015/2016
Hans P. Reiser. Reproduction only with permission.
Slide 2: Overview: today's class
OpenNebula
Intrusion Detection
  Motivation
  Basic definitions
  Classification of IDS
  Example HIDS: OSSEC
  Example NIDS: snort
Honeypots
  Definition and History
  Classification of Honeypots
  Example systems: Honeyd, Nepenthes and Dionaea, Honeybrid
Hans P. Reiser, CloudSec (Part 8) 8.2
Slide 3: OpenNebula
See the slides, section 5.39ff.
Slide 5: Motivation
Preventive security measures work maybe 99% of the time
Increasing this coverage to 100% is extremely hard
Martin Holste: "Detection is the new prevention"
  In many cases, most damage can be prevented by detection and containment
  Not everyone agrees (Jim Brennan, IBM Security Program Director: "This notion moves us unnecessarily and dangerously in the wrong direction.")
Real systems require both prevention and detection in a coordinated manner!
Slide 6: Motivation
Several aspects of detection
  Intrusion detection
  Honeypots
  Computer forensics
Detection, virtualization, and cloud computing
Slide 8: Basic terminology
Intrusion: attempt of some adversary to break into or misuse your system
  Adversary may be an insider or an outsider, with or without physical access to your system
Many forms of attacks and vulnerabilities
  Buffer overflows
  Race conditions
  Missing input sanitization (SQL injection, etc.)
  Broken protocols (authentication, etc.)
  Privilege escalation
  ...
Many of them are the subject of software security!
Slide 9: Definitions
Intrusion: any activity that violates the security policy of the system
Intrusion Detection: process used to identify intrusions
Intrusion Detection System (IDS): system that monitors network or system activities to detect malicious activity or policy violations, and produces a report about these incidents
Intrusion Prevention System (IPS): extension of an IDS that can also actively prevent or block intrusions (also called Intrusion Detection and Prevention System, IDPS)
Rationale: if we are unable to build a secure system (and apparently we are...), we should at least try to detect when things go wrong and apply corrective measures
Slide 10: Classification of IDS
Where to detect intrusions?
  Host based (HIDS)
  Network based (NIDS)
  Hypervisor based (HV-IDS)
How to detect intrusions?
  Signature based
  Anomaly detection
Slide 11: Where to detect intrusions? Host-based IDS
Host OS or application provides information
  Example: authentication events, open files, running processes, etc.
Analysis of these logs
Advantages
  Detailed system information available
    Example: OS data (open files, processes, etc.), system log files, application-internal data
  Near-real-time detection
Disadvantages
  Problem of selecting appropriate information to log (detectability of intrusion vs. logging overhead)
  Risk of manipulation of log information by the intruder
Slide 12: Where to detect intrusions? Network-based IDS
Observation and analysis of network traffic
Advantages
  Monitoring independent of target OS / system
  Isolation: no influence on behaviour, presence of the IDS not detectable by the adversary
Disadvantages
  Access to a limited amount of information (e.g., no information about host-internal activities of the intruder)
  Difficulty of analysing encrypted network traffic
Slide 13: Where to detect intrusions? Virtualization-based IDS
Monitoring in a separate VM on the same physical host as the target VM
Access to target disk, target main memory (VMI), and network communication
Advantages
  Host-based IDS with isolation
  Network-based IDS without dedicated monitoring hardware
  Benefits by combining HIDS and NIDS (e.g., extract encryption key)
Disadvantages
  Difficulty of interpreting VM-internal data structures from outside the VM (e.g., where in memory can we find the process list?)
  Physical host needs resources to run both the IDS and the target system
Slide 14: How to detect intrusions? Anomaly detection
Model for normal system operation
Detection of deviations from this normal behaviour
Advantages:
  Ability to detect novel attacks
Disadvantages:
  False negatives if the intrusion does not result in sufficiently unusual behaviour
  False positives may be triggered by regular variations of behaviour
Slide 15: How to detect intrusions? Signature based
Observed behaviour matches a known attack description
Advantages:
  No knowledge about normal behaviour required
  Often simple implementations (e.g., simple pattern match on network messages)
Disadvantages:
  Unable to detect novel attacks
  A new detection mechanism needs to be implemented for each new attack
  Possibility of false alarms
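To make the two detection approaches of slides 14 and 15 concrete, here is an added Python example that is not part of the lecture slides: a signature detector with two known attack patterns and an anomaly detector that models "normal" as the request rate of the first few minutes. The traffic, the signature patterns, the training window and the z-score threshold are all constructed assumptions.

```python
"""Signature-based and anomaly-based detection side by side (added example).

Assumptions (not from the slides): the event stream is a constructed dict of
HTTP request lines per minute; 'normal' is modelled as the mean and standard
deviation of the request rate over the first training minutes.
"""
import re
import statistics
from dataclasses import dataclass


@dataclass
class Alert:
    kind: str      # "signature" or "anomaly"
    minute: int
    detail: str


# Constructed sample traffic: minute -> request lines seen in that minute.
TRAFFIC = {
    0: ["GET /index.html", "GET /about.html"] * 10,                   # 20 requests, normal
    1: ["GET /index.html", "GET /products"] * 11,                     # 22 requests, normal
    2: ["GET /index.html"] * 19,                                      # 19 requests, normal
    3: ["GET /about.html"] * 20 + ["GET /search?q=' OR 1=1 --"],      # known attack string, normal volume
    4: ["GET /index.html"] * 180,                                     # request flood, no known pattern
    5: ["GET /index.html"] * 21 + ["GET /%2e%2e/%2e%2e/etc/passwd"],  # encoded variant, normal volume
}

# Signature database: (name, pattern describing a known attack).
SIGNATURES = [
    ("SQL injection tautology", re.compile(r"'\s*OR\s*1=1", re.IGNORECASE)),
    ("Path traversal", re.compile(r"\.\./")),
]


def signature_detect(traffic):
    """Flag every request that matches a known attack description."""
    alerts = []
    for minute, requests in sorted(traffic.items()):
        for req in requests:
            for name, pattern in SIGNATURES:
                if pattern.search(req):
                    alerts.append(Alert("signature", minute, name))
    return alerts


def anomaly_detect(traffic, train_minutes=3, z_threshold=3.0):
    """Model 'normal' as the request rate of the training minutes and flag
    minutes whose rate deviates by more than z_threshold standard deviations."""
    rates = [len(traffic[m]) for m in range(train_minutes)]
    mean = statistics.mean(rates)
    stdev = statistics.pstdev(rates) or 1.0    # avoid division by zero on a flat baseline
    alerts = []
    for minute, requests in sorted(traffic.items()):
        if minute < train_minutes:
            continue                           # training data is assumed to be attack-free
        z = (len(requests) - mean) / stdev
        if abs(z) > z_threshold:
            alerts.append(Alert("anomaly", minute, f"request rate z-score {z:.1f}"))
    return alerts


def detect(traffic):
    """Run both detectors; each catches what the other misses."""
    return signature_detect(traffic) + anomaly_detect(traffic)


if __name__ == "__main__":
    for alert in detect(TRAFFIC):
        print(f"minute {alert.minute}: {alert.kind:<9} {alert.detail}")
```

Running it shows the trade-off the slides describe: the signature detector catches the known SQL injection string but misses both the request flood (no signature exists for it) and the URL-encoded traversal variant (a novel encoding of a known attack), while the anomaly detector catches the flood but misses the two single-request attacks because they do not change the request rate at all.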
Slide 16: Homework
Read the article "Anomaly-based network intrusion detection: Techniques, systems and challenges" by Pedro García-Teodoro, Jesús Díaz-Verdejo, Gabriel Maciá-Fernández and Enrique Vázquez, Computers & Security 28(1-2) (2009), doi: /j.cose (to be discussed next week)
Slide 18: Example HIDS: OSSEC
OSSEC: open source HIDS
  2005: first release by Daniel B. Cid
  2008: acquisition by Third Brigade, which was acquired by Trend Micro in 2009
Main features:
  Log analysis
  File integrity monitoring
  Registry integrity checking (Windows)
  Rootkit detection (host-based anomaly detection on Unix)
  Active response
  Cross-platform (Linux, Solaris, AIX, HP-UX, MacOS, Windows)
Slide 19: Example HIDS: OSSEC (figure)
Slide 20: Example HIDS: OSSEC
Main focus: log analysis
  Multiple logs (e.g., syslog, http logs, mail logs)
  Correlation between logs
Log-based Intrusion Detection (LIDS), definition by Daniel B. Cid: "Log analysis for intrusion detection is the process or techniques used to detect attacks on a specific environment using logs as the primary source of information. LIDS is also used to detect computer misuse, policy violations and other forms of inappropriate activities."
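As an added illustration of log-based intrusion detection in the decode/analyze style of OSSEC (this is not OSSEC's code and not its real rule set), the following Python example decodes constructed sshd syslog lines, raises a per-event alert for each failed login, and correlates events from the same source address: repeated failures inside a time window become a brute-force alert, and a successful login shortly after such a burst is escalated further. The log lines, rule names, alert levels and thresholds are assumptions made for this example.

```python
"""Log-based intrusion detection in the OSSEC style: decode, match rules,
correlate (added example, not OSSEC code).

Assumptions: constructed sshd syslog lines from a host named web01; rule ids,
levels and thresholds are illustrative, not OSSEC's real rules.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines (documentation address ranges, not real hosts).
LOGS = [
    "Nov 23 10:01:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2",
    "Nov 23 10:01:03 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51002 ssh2",
    "Nov 23 10:01:05 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51004 ssh2",
    "Nov 23 10:01:20 web01 sshd[2210]: Accepted password for root from 203.0.113.7 port 51010 ssh2",
    "Nov 23 10:05:00 web01 sshd[2300]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2",
    "Nov 23 10:05:01 web01 cron[2301]: (root) CMD (/usr/lib/sysstat/sa1 1 1)",
]

# Decoder: split a syslog line into timestamp, host, program and message.
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
SSHD_FAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SSHD_OK = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")


@dataclass
class Alert:
    level: int
    rule: str
    src: str


def decode(line, year=2015):
    """Return the decoded fields of a syslog line, or None if it does not parse."""
    m = SYSLOG.match(line)
    if not m:
        return None
    event = m.groupdict()
    # syslog timestamps carry no year; the year is an assumption of the analysis
    event["time"] = datetime.strptime(f"{year} {event['ts']}", "%Y %b %d %H:%M:%S")
    return event


def analyze(lines, window_s=60, fail_threshold=3, followup_s=300):
    """Apply per-event rules and correlate events coming from the same source."""
    failures = defaultdict(list)     # src -> timestamps of recent failed logins
    alerts = []
    for line in lines:
        event = decode(line)
        if event is None or event["prog"] != "sshd":
            continue                 # only sshd rules exist in this example
        now = event["time"]
        m = SSHD_FAIL.search(event["msg"])
        if m:
            src = m["src"]
            failures[src] = [t for t in failures[src] if (now - t).total_seconds() <= window_s]
            failures[src].append(now)
            alerts.append(Alert(5, "sshd_failed_password", src))
            if len(failures[src]) >= fail_threshold:
                alerts.append(Alert(10, "sshd_brute_force", src))   # correlation: repeated failures
            continue
        m = SSHD_OK.search(event["msg"])
        if m:
            src = m["src"]
            recent = [t for t in failures[src] if (now - t).total_seconds() <= followup_s]
            if len(recent) >= fail_threshold:
                # correlation: a success right after a burst of failures is the real signal
                alerts.append(Alert(12, "sshd_login_after_brute_force", src))
            else:
                alerts.append(Alert(3, "sshd_login", src))
    return alerts


if __name__ == "__main__":
    for a in analyze(LOGS):
        print(f"level {a.level:>2} {a.rule:<30} {a.src}")
```

The point of the correlation step is visible in the output: the three failures alone are only low-level noise, the fourth event (a success from the same address within the follow-up window) is what deserves attention, and alice's key-based login from another address stays at the informational level.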
Slide 21: Example HIDS: OSSEC: possible configurations
Local operation (everything on one host):
  Collect (ossec-logcollector) -> Decode -> Analyze (ossec-analysisd) -> Alert (ossec-maild) / Active response (ossec-execd)
Distributed operation:
  OSSEC Agent: Collect (ossec-logcollector) -> sends to the OSSEC Server
  OSSEC Server: Decode -> Analyze (ossec-analysisd) -> Alert (ossec-maild) / Active response (ossec-execd)
Slide 22: Example HIDS: OSSEC: agent/server communication
Compressed
Encrypted (using pre-shared keys with the Blowfish algorithm)
UDP messages (default: port 1514)
Diagram: Agent 1 (agentd), Agent 2 (agentd) and Device 1 (syslog) send to the OSSEC Server on UDP port 1514, where remoted receives the messages and hands them to analysisd
Slide 23: Example HIDS: OSSEC: details
Further details (inside ossec-analysisd): see the link given on the slide
Slide 25: Example NIDS: snort
What is snort?
  Open-source network-based intrusion detection and prevention system
  Rule-based language for specifying message inspection methods
  Most widely deployed NIDS (according to the snort web page)
History
  1998: created by Martin Roesch
  M. Roesch later founded Sourcefire
  2013: Sourcefire acquired by Cisco
Slide 26: Example NIDS: snort
Main features:
  Operating modes: sniffer, packet logger, NIDS
  Portable (runs on Linux, Windows, MacOS, Solaris, BSD, and many more)
  Small (about 800 kLOC) and fast
  Highly configurable (rule language, flexible reporting options)
  Wide range of detection capabilities (port scans, buffer overflows, back doors, CGI exploits, etc.)
Slide 27: Example NIDS: snort
See the link given on the slide and the exercise class for details
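As an added example of what the rule-based inspection language of slides 25 and 26 looks like in practice (this is not snort's code, only a deliberately small subset of its rule syntax), the following Python parses rules written in snort's header/option format and checks constructed packets against them. The rules, the packets and the supported option set (msg, content, nocase, sid) are assumptions; real snort supports far more options, variables such as $HOME_NET, port ranges and many preprocessors.

```python
"""A minimal matcher for snort-style rules (added example, not snort code).

Assumptions: only the rule header plus the msg, content, nocase and sid
options are supported; semicolons inside quoted option values are not
handled; packets are constructed dicts, not captured traffic.
"""
import re
from dataclasses import dataclass

# action proto src sport -> dst dport (options)
HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str
    sid: str
    contents: list     # byte strings that must all appear in the payload
    nocase: bool


def parse_rule(text):
    """Parse one rule line into a Rule."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    msg, sid, contents, nocase = "", "", [], False
    for opt in (o.strip() for o in m["opts"].split(";")):
        if not opt:
            continue
        key, _, value = opt.partition(":")
        value = value.strip().strip('"')
        if key == "content":
            contents.append(value.encode())
        elif key == "msg":
            msg = value
        elif key == "sid":
            sid = value
        elif key == "nocase":
            nocase = True
        # other options are ignored in this subset
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], msg, sid, contents, nocase)


def _field_matches(pattern, value):
    """'any' matches everything, '!x' negates, anything else is an exact match."""
    if pattern == "any":
        return True
    if pattern.startswith("!"):
        return str(value) != pattern[1:]
    return str(value) == pattern


def _endpoints_match(rule, pkt):
    forward = all(_field_matches(p, pkt[k]) for p, k in
                  ((rule.src, "src"), (rule.sport, "sport"), (rule.dst, "dst"), (rule.dport, "dport")))
    if forward or rule.direction == "->":
        return forward
    # '<>' rules also match with source and destination swapped
    return all(_field_matches(p, pkt[k]) for p, k in
               ((rule.src, "dst"), (rule.sport, "dport"), (rule.dst, "src"), (rule.dport, "sport")))


def matches(rule, pkt):
    """True if the packet satisfies the rule header and all content options."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not _endpoints_match(rule, pkt):
        return False
    payload = pkt["payload"].lower() if rule.nocase else pkt["payload"]
    return all((c.lower() if rule.nocase else c) in payload for c in rule.contents)


def inspect(rules, packets):
    """Return (sid, msg, packet index) for every rule that fires."""
    return [(r.sid, r.msg, i) for i, pkt in enumerate(packets) for r in rules if matches(r, pkt)]


# Constructed rules in snort's syntax (sids in the local 1000000+ range).
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"HTTP directory traversal"; content:"../"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"HTTP request for cmd.exe"; content:"cmd.exe"; nocase; sid:1000002;)',
    'alert udp any any -> any 1514 (msg:"OSSEC agent traffic"; sid:1000003;)',
)]

# Constructed packets (documentation address ranges).
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51000, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /../../etc/passwd HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "198.51.100.9", "sport": 40000, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51001, "dst": "192.0.2.10", "dport": 443,
     "payload": b"GET /../ HTTP/1.0\r\n"},            # port 443: header of rule 1000001 does not match
    {"proto": "udp", "src": "192.0.2.20", "sport": 1514, "dst": "192.0.2.1", "dport": 1514,
     "payload": b"agent keepalive"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51002, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /Cmd.EXE HTTP/1.0\r\n"},        # only matches because of nocase
]

if __name__ == "__main__":
    for sid, msg, idx in inspect(RULES, PACKETS):
        print(f"packet {idx}: [{sid}] {msg}")
```

Note how the third packet escapes rule 1000001 purely because of the header: the content is present, but the rule is bound to port 80, which is exactly the "simple pattern match" the slides mention and also why a rule set needs care about which ports and directions it covers.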
Slide 29: Honeypots: Motivation
Fact: the more you know about your enemy, the better you can protect yourself
But how to anticipate the actions of the enemy?
  Anticipate: detect actions before they target your production system
Goal of honeypots: detection of real attacks, but not on a real system
Basic approach:
  Offer a fake target to the enemy
  Collect information about attacks
Slide 30: Honeypot: Definition
Lance Spitzner in "Honeypots: Definitions and Value of Honeypots" (2003): "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource."
Many real manifestations (in terms of functionality of the systems)
No real use, so all actions on / interactions with the honeypot are likely to be related to attacks
Purposes: monitor, detect, and analyze attacks
Slide 31: Honeypot: Short history
1989: Clifford Stoll: "The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage"
1991: Bill Cheswick, AT&T Bell Labs: "An Evening with Berferd, In Which a Cracker is Lured, Endured, and Studied"
Deception Toolkit
1998: snort
1999: The Honeynet Project
Slide 32: Classification of Honeypots
Interaction: high / low / (medium)
Implementation: virtual / physical
Purpose: research / production
Slide 33: Level of interaction
Low-interaction honeypot
  Simulation of some parts of a real system
  Easy to deploy, with minimal risk
  Limited information acquisition (functionality not 100% identical to a real system)
High-interaction honeypot
  All parts of a real system are available
  High risk, as it can be fully compromised
  More information acquisition
Slide 34: Level of interaction
Some authors also define medium-interaction honeypots
  Not a real system
  But extended support for interaction, such as
    Implement (sufficiently many) parts of application-level behaviour
    Allow exploits that inject some shellcode
    Execute the shellcode, e.g., to download additional malware
  Usually requires some access to local resources (disk, etc.)
Slide 35: Implementation
Physical: real machines
Virtual: simulation of real machines
  A single honeypot may simulate a lot of different virtual honeypots
Slide 36: Purpose
Production honeypots: protect the system...
... by adding detection capability to the system
  Not feasible to analyse all logs in a production system
  High probability of detecting unknown attacks
  Complement to other IDS components
... by adding prevention capability to the system
  Analysis of attacks yields information about potential vulnerabilities
  These vulnerabilities can be fixed on the real system
... by adding reaction capability to the system
  Taking production systems offline is often undesirable
  Production operation pollutes the traces of the attacker
  A honeypot may help to obtain high-quality evidence / forensic data
Slide 37: Purpose
Research honeypots: learn about attacks and attackers
  Learn about the identity of the adversary
  Learn about motives and tactics of the adversary
  Learn about specific threats
  Collect malware samples for analysis
Long-term impact on security by improving attack prevention, detection or reaction, but only little benefit to the direct security of a system
Slide 39: Example: Honeyd
Niels Provos (University of Michigan): "Honeyd: A virtual honeypot framework", 13th USENIX Security Symposium, 2004
Low-interaction honeypot: simulate real systems
  Multiple virtual hosts simulated by a single process
  Responds to network requests according to configured services
  Matches the network behaviour of the configured operating system personality
  Simulate arbitrary network / routing topology
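To show how one process can stand in for many virtual hosts with configured services and personalities, here is an added Python example that is not Honeyd's code: it parses a configuration written in the create/set/add/bind style of Honeyd's configuration language and then decides, for a request to a given virtual address, protocol and port, which configured response applies. The configuration, the script names and the fallback action for unconfigured protocols are assumptions; real Honeyd answers on the wire, fakes the personality's TCP/IP stack behaviour and actually runs the service scripts.

```python
"""Parser and dispatcher for a Honeyd-style configuration (added example, not
Honeyd code). Honeyd's real daemon answers on the network and runs the service
scripts; this only models which configured response a request would receive.

Assumptions: the config below is constructed in the create/set/add/bind syntax
Honeyd uses; the script names are placeholders; only the personality and the
tcp/udp port actions are parsed.
"""
import shlex
from dataclasses import dataclass, field

CONFIG = """
# Constructed Honeyd-style configuration (not from the paper or the slides)
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action block
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
add windows udp port 137 open

create router
set router personality "Cisco IOS 12.0"
set router default tcp action reset
add router tcp port 23 "python scripts/telnet.py"

bind 192.0.2.10 windows
bind 192.0.2.11 windows
bind 192.0.2.1 router
"""


@dataclass
class Template:
    name: str
    personality: str = ""
    # assumed fallback: anything not configured is silently dropped
    defaults: dict = field(default_factory=lambda: {"tcp": "block", "udp": "block"})
    ports: dict = field(default_factory=dict)    # (proto, port) -> action or script command


def parse_config(text):
    """Return (templates, bindings) from a Honeyd-style configuration."""
    templates, bindings = {}, {}
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)   # handles quoted strings and # comments
        if not words:
            continue
        cmd = words[0]
        if cmd == "create":
            templates[words[1]] = Template(words[1])
        elif cmd == "set" and words[2] == "personality":
            templates[words[1]].personality = words[3]
        elif cmd == "set" and words[2] == "default":
            # set <template> default <proto> action <action>
            templates[words[1]].defaults[words[3]] = words[5]
        elif cmd == "add":
            # add <template> <proto> port <port> <open|block|reset|"script">
            templates[words[1]].ports[(words[2], int(words[4]))] = words[5]
        elif cmd == "bind":
            bindings[words[1]] = templates[words[2]]
        else:
            raise ValueError(f"unsupported configuration line: {raw}")
    return templates, bindings


def dispatch(bindings, dst_ip, proto, port):
    """Decide how the virtual host at dst_ip answers a (proto, port) request.

    Returns ("unbound", None) if no virtual host has that address,
    ("open"|"reset"|"block", personality) for a bare port action, or
    ("script", command) when a service script is configured for the port."""
    template = bindings.get(dst_ip)
    if template is None:
        return ("unbound", None)
    action = template.ports.get((proto, port), template.defaults.get(proto, "block"))
    if action in ("open", "reset", "block"):
        return (action, template.personality)
    return ("script", action)


if __name__ == "__main__":
    _, bound = parse_config(CONFIG)
    for probe in (("192.0.2.10", "tcp", 80), ("192.0.2.11", "tcp", 22), ("192.0.2.1", "tcp", 23)):
        print(probe, "->", dispatch(bound, *probe))
```

The two addresses bound to the windows template behave identically, which is the "multiple virtual hosts simulated by a single process" point of the slide; the default actions (reset versus block) are what makes a port scan of the virtual host look like a closed port on a real Windows or IOS machine rather than like an absent address.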
Slide 40: Example: Honeyd (figure)
Slide 41: Example: Honeyd (figure)
Slide 42: Example: Nepenthes and Dionaea
Paul Baecher, Markus Koetter, Thorsten Holz, Maximillian Dornseif, and Felix Freiling: "The Nepenthes Platform: An Efficient Approach to Collect Malware", RAID '06
Slide 43: Example: Nepenthes
Low-interaction honeypot: simulation of vulnerable services
  Sometimes labelled "medium-interaction honeypot": high degree of expressiveness, full emulation of the (necessary part of) complex protocols
Flexible modular design: vulnerability modules, shellcode parsing modules, fetch modules
Main goal: collect malware samples
Slide 44: Example: Nepenthes (figure)
Slide 45: Example: Nepenthes
Results (from the paper):
  Nepenthes assigned to a /18 network
  5.5 million exploitation attempts within 33 hours
  1.5 million successful downloads of binaries
  508 unique binaries within 33 hours
  15,500 unique binaries within a four-month period
  ...% of the samples detected by popular antivirus engines (percentage missing in the transcription)
Slide 46: Example: Nepenthes (figure)
Slide 47: Nepenthes limitations
Too many attacks using Windows SMB sessions (port 445)
Shellcode detection: using regular expressions (only works well for known shellcode)
Extensibility: not many contributions, it seems people did not like C++
TLS encryption
IPv6
...
Slide 48: Example: Dionaea
Started in 2009 as a successor to Nepenthes
Main goal: implement the SMB protocol
Funded by the Honeynet Project as part of the Honeynet Summer of Code
Slide 49: Example: Dionaea (figure)
Slide 50: Example: Honeybrid
Honeybrid: hybrid approach
  Combination of low-interaction and high-interaction honeypots
  Decision Engine to filter incoming traffic
  Control Engine to limit outgoing traffic
  Redirection Engine to redirect traffic for further analysis
  Log Engine to log traffic
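To make the division of labour between the engines concrete, here is an added Python model of the decision and control engines of a hybrid honeypot, built around the four engines named on the slide; it is not Honeybrid's code and does not reproduce its rule language or modules. A low-interaction front end answers every probe, the decision engine picks which connections are worth redirecting to the high-interaction system (here: the first connection per source that carries a payload to a watched port), and the control engine rate-limits connections leaving the high-interaction system so that a compromised honeypot cannot freely attack third parties. The connection trace, the watched ports and the limits are constructed assumptions.

```python
"""Decision, control and log engines of a hybrid honeypot, modelled after the
Honeybrid architecture on the slide (added example, not Honeybrid code).

Assumptions: the connection records, watched ports, redirection policy and
outbound limits are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Connection:
    time: float          # seconds since the start of the constructed trace
    src: str             # source address (for outbound records: the high-interaction host)
    dst_port: int
    payload_bytes: int   # 0 for a bare connection attempt / scan probe
    outbound: bool = False


def decision_engine(conn, redirected, watched_ports):
    """Filter incoming traffic: 'lih' keeps it on the low-interaction front end,
    'hih' redirects it to the high-interaction honeypot for further analysis."""
    if conn.dst_port not in watched_ports:
        return "lih"            # nothing to learn from this service
    if conn.payload_bytes == 0:
        return "lih"            # scan probe: the cheap front end answers it
    if conn.src in redirected:
        return "lih"            # this source has already been studied
    redirected.add(conn.src)
    return "hih"


def control_engine(conn, outbound, max_outbound, window_s):
    """Limit outgoing traffic: allow at most max_outbound connections per
    source within window_s seconds, deny the rest."""
    recent = [t for t in outbound[conn.src] if conn.time - t <= window_s]
    verdict = "allow" if len(recent) < max_outbound else "deny"
    if verdict == "allow":
        recent.append(conn.time)
    outbound[conn.src] = recent
    return verdict


def process(trace, watched_ports=frozenset({80, 139, 445}), max_outbound=3, window_s=60.0):
    """Run every connection through the right engine and return the log."""
    redirected = set()                 # state of the decision engine
    outbound = defaultdict(list)       # state of the control engine
    log = []                           # the log engine: one record per connection
    for conn in trace:
        if conn.outbound:
            verdict = control_engine(conn, outbound, max_outbound, window_s)
        else:
            verdict = decision_engine(conn, redirected, watched_ports)
        log.append((conn.time, conn.src, conn.dst_port, "out" if conn.outbound else "in", verdict))
    return log


# Constructed trace (documentation address ranges; 192.0.2.50 is the assumed high-interaction host).
TRACE = [
    Connection(0.0, "203.0.113.7", 445, 0),          # SYN-only probe
    Connection(1.0, "203.0.113.7", 445, 812),        # first payload from this source
    Connection(2.0, "203.0.113.7", 445, 812),        # repeat of the same source
    Connection(3.0, "198.51.100.9", 22, 64),         # port that is not watched
    Connection(10.0, "192.0.2.50", 80, 0, outbound=True),
    Connection(11.0, "192.0.2.50", 80, 0, outbound=True),
    Connection(12.0, "192.0.2.50", 80, 0, outbound=True),
    Connection(13.0, "192.0.2.50", 80, 0, outbound=True),   # over the limit
    Connection(14.0, "192.0.2.50", 25, 0, outbound=True),   # over the limit
    Connection(100.0, "192.0.2.50", 80, 0, outbound=True),  # window has expired
]

if __name__ == "__main__":
    for record in process(TRACE):
        print(record)
```

The verdict sequence shows the two risks the slides attach to each level of interaction being handled separately: the decision engine keeps the high-interaction system from being flooded with scans and duplicate sessions, while the control engine bounds the damage a fully compromised high-interaction host can do before the operator notices.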
Slide 51: Example: Honeybrid (figure)
Slide 52: Summary for today's class
OpenNebula
Intrusion Detection
  Motivation
  Basic definitions
  Classification of IDS
  Example HIDS: OSSEC
  Example NIDS: snort
Honeypots
  Definition and History
  Classification of Honeypots
  Example systems: Honeyd, Nepenthes and Dionaea, Honeybrid
More informationDetecting and Preventing Network Address Spoofing
Detecting and Preventing Network Address Spoofing Hamza A. Olwan 1, Mohammed A. Babiker 2 and Mohammed E. Hago 3 University of Khartoum, Sudan olwan777@gmail.com 1, moh_teg821@hotmail.com 2 and melzain88@gmail.com
More informationCyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems
Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems Section 1: Command Line Tools Skill 1: Employ commands using command line interface 1.1 Use command line commands to gain situational
More informationDeploying File Based Security on Dynamic Honeypot Enabled Infrastructure as a Service Data Centre
International Journal of Engineering Research and Development e-issn: 2278-067X, p-issn: 2278-800X, www.ijerd.com Volume 6, Issue 7 (April 2013), PP. 23-27 Deploying File Based Security on Dynamic Honeypot
More informationA Comparative Study of Teaching Forensics at a University Degree Level
A Comparative Study of Teaching Forensics at a University Degree Level Martin Mink University of Mannheim, Germany IMF 2006, Stuttgart October 19 Joint Work Laboratory for Dependable Distributed Systems
More informationCourse 832 EC-Council Computer Hacking Forensic Investigator (CHFI)
Course 832 EC-Council Computer Hacking Forensic Investigator (CHFI) Duration: 5 days You Will Learn How To Understand how perimeter defenses work Scan and attack you own networks, without actually harming
More informationHoneypot Hacker Tracking and Computer Forensics
Honeypot Hacker Tracking and Computer Forensics Manfred Hung manfred.hung@pisa.org.hk Agenda Honeypot History Value of Honeypot Honeypot Technology Common Honypot products/solutions Honeypot deployment
More informationVulnerabilities. To know your Enemy, you must become your Enemy. Information security: Vulnerabilities & attacks threats. difficult.
Vulnerabilities To know your Enemy, you must become your Enemy. "The Art of War", Sun Tzu André Zúquete Security 1 Information security: Vulnerabilities & attacks threats Discouragement measures difficult
More informationn Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic
Chapter Objectives n Understand how to use appropriate software tools to assess the security posture of an organization Chapter #7: Technologies and Tools n Given a scenario, analyze and interpret output
More informationFirewall Identification: Banner Grabbing
Honey POt Firewall Identification: Banner Grabbing Banners are messages sent out by network services during the connection to the service. Banners announce which service is running on the system. Banner
More informationLogging and Log Management
Logging and Log Management The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management Dr. Anton A. Chuvakin Kevin J. Schmidt Christopher Phillips Partricia Moulder, Technical
More informationIDS: Signature Detection
IDS: Signature Detection Idea: What is bad, is known What is not bad, is good Determines whether a sequence of instructions being executed is known to violate the site security policy Signatures: Descriptions
More informationCourse Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture
About this Course This course will best position your organization to analyse threats and detect anomalies that could indicate cybercriminal behaviour. The payoff for this new proactive approach would
More informationComputer Network Vulnerabilities
Computer Network Vulnerabilities Objectives Explain how routers are used to protect networks Describe firewall technology Describe intrusion detection systems Describe honeypots Routers Routers are like
More informationAutomated Signature Generation: Overview and the NoAH Approach. Bernhard Tellenbach
Automated Signature Generation: Overview and the NoAH Approach Structure Motivation: The speed of insecurity Overview Building Blocks and Techniques The NoAH approach 2 The speed of insecurity Source:
More informationA Data Driven Approach to Designing Adaptive Trustworthy Systems
A Data Driven Approach to Designing Adaptive Trustworthy Systems Ravishankar K. Iyer (with A. Sharma, K. Pattabiraman, Z. Kalbarczyk, Center for Reliable and High-Performance Computing Department of Electrical
More informationCS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection
CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 13 Chapter 6: Intrusion Detection Security Intrusion & Detection Security Intrusion a security event, or combination of multiple security events,
More informationHONEYNET SOLUTIONS. A deployment guide 1. INTRODUCTION. Ronald C Dodge JR, Richard T Brown, Daniel J Ragsdale
HONEYNET SOLUTIONS A deployment guide Ronald C Dodge JR, Richard T Brown, Daniel J Ragsdale United States Military Academy Abstract: Key words: Honeynets provide network and system managers a unique intrusion
More informationCS 356 Operating System Security. Fall 2013
CS 356 Operating System Security Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database
More informationAdvanced Diploma on Information Security
Course Name: Course Duration: Prerequisites: Course Fee: Advanced Diploma on Information Security 300 Hours; 12 Months (10 Months Training + 2 Months Project Work) Candidate should be HSC Pass & Basic
More informationMake the Intrusion detection system by IDS-AM-Clust, honeyd, honeycomb and honeynet
Make the Intrusion detection system by IDS-AM-Clust, honeyd, honeycomb and honeynet CHAIMAE SAADI*, HABIBA CHAOUI ** Systems Engineering Laboratory, Data Analysis and Security Team National School of Applied
More informationAn Anomaly-Based Intrusion Detection System for the Smart Grid Based on CART Decision Tree
An Anomaly-Based Intrusion Detection System for the Smart Grid Based on CART Decision Tree P. Radoglou-Grammatikis and P. Sarigiannidis* University of Western Macedonia Department of Informatics & Telecommunications
More informationHYBRID HONEYPOT -SYSTEM FOR PRESERVING PRIVACY IN NETWORKS
HYBRID HONEYPOT -SYSTEM FOR PRESERVING PRIVACY IN NETWORKS K.SURESH, KUSH KUMAR YADAV, R.SRIJIT, KARTHIK.P.BHAT STUDENT 3 rd YEAR - INFORMATION TECHNOLOGY SRI SAIRAM ENGINEERING COLLEGE, WEST TAMBARAM,
More informationHoneynet Weekly Report Canadian Institute for Cybersecurity (CIC)
Report (20) Captured from 21-09-2018 to 05-10-2018 1-Introduction The first honeypot studies were released by Clifford Stoll in 1990 in his book The Cuckoo s Egg. Since then the demand for honeypot technology
More informationActive defence through deceptive IPS
Active defence through deceptive IPS Authors Apostolis Machas, MSc (Royal Holloway, 2016) Peter Komisarczuk, ISG, Royal Holloway Abstract Modern security mechanisms such as Unified Threat Management (UTM),
More informationIntrusion Detection. October 19, 2018
Intrusion Detection October 19, 2018 Administrative submittal instructions answer the lab assignment s questions in written report form, as a text, pdf, or Word document file (no obscure formats please)
More informationVulnerability Assessment. Detection. Aspects of Assessment. 1. Asset Identification. 1. Asset Identification. How Much Danger Am I In?
Detection Vulnerability Assessment Week 4 Part 2 How Much Danger Am I In? Vulnerability Assessment Aspects of Assessment Vulnerability Assessment is a systematic evaluation of asset exposure to threats
More informationAnomaly Detection in Communication Networks
Anomaly Detection in Communication Networks Prof. D. J. Parish High Speed networks Group Department of Electronic and Electrical Engineering D.J.Parish@lboro.ac.uk Loughborough University Overview u u
More informationegambit Your defensive cyber-weapon system. You have the players. We have the game. TEHTRIS
egambit Your defensive cyber-weapon system. You have the players. We have the game. 2010-2017 1 NIDS egambit is the awarded product that can monitor and improve your IT Security against complex threats
More informationCIT 380: Securing Computer Systems
CIT 380: Securing Computer Systems Incident Response and Honeypots CIT 380: Securing Computer Systems Slide #1 Incident Response What is an Incident? Phases of Incident Response 1. Preparation 2. Identification
More informationCoreMax Consulting s Cyber Security Roadmap
CoreMax Consulting s Cyber Security Roadmap What is a Cyber Security Roadmap? The CoreMax consulting cyber security unit has created a simple process to access the unique needs of each client and allows
More informationImplementation of Signature-based Detection System using Snort in Windows
Implementation of Signature-based Detection System using Snort in Windows Prerika Agarwal Sangita Satapathy Ajay Kumar Garg Engineering College, Ghaziabad Abstract: Threats of attacks are increasing day
More informationHands-On Ethical Hacking and Network Defense 3 rd Edition
Hands-On Ethical Hacking and Network Defense 3 rd Edition Chapter 13 Network Protection Systems Last modified 1-11-17 Objectives Explain how routers are used to protect networks Describe firewall technology
More informationSymantec Endpoint Protection Family Feature Comparison
Symantec Endpoint Protection Family Feature Comparison SEP SBE SEP Cloud SEP Cloud SEP 14.2 Device Protection Laptop, Laptop Laptop, Tablet Laptop Tablet & & Smartphone Smartphone Meter Per Device Per
More informationANOMALY DETECTION IN COMMUNICTION NETWORKS
Anomaly Detection Summer School Lecture 2014 ANOMALY DETECTION IN COMMUNICTION NETWORKS Prof. D.J.Parish and Francisco Aparicio-Navarro Loughborough University (School of Electronic, Electrical and Systems
More informationNetDefend Firewall UTM Services
NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls (DFL-260/860/1660/2560/2560G) integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content
More informationWeek Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development
Weekly Tasks Week 5 Rich Macfarlane 2013 Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development Aim: The aim of these labs are to further investigate the Snort, network IDS, and methods
More informationEMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security
EMERGING THREATS & STRATEGIES FOR DEFENSE Paul Fletcher Cyber Security Evangelist @_PaulFletcher Threats by Customer Environment Cloud Environment On Premise Environment 1.96% 0.13% 0.02% application-attack
More information