Validation of the Network-based Dictionary Attack Detection
Jan Vykopal, Tomáš Plesník, Pavel Minařík
Institute of Computer Science, Masaryk University, Brno, Czech Republic

Abstract

This paper presents a study of successful dictionary attacks against an SSH server and their network-based detection. On the basis of our experience with the protection of a university network, we developed a detection algorithm based on a generic SSH authentication pattern. Thanks to the network-based approach, the detection algorithm is host independent and highly scalable. We deployed a high-interaction honeypot based on VMware to validate the SSH dictionary attack pattern that is able to recognize a successful attack. The honeypot provides several user accounts secured by both weak and strong passwords. All communication between the honeypot and other hosts was logged at the host layer and at the network layer (the relevant NetFlow data were stored too). After a successful or unsuccessful break-in attempt, we could reliably determine the detection accuracy (the false positive and false negative rates). The pattern was implemented using a dynamic decision tree technique, so we can propose modifications of its parameters based on the results. In addition, we could validate the pattern because the detection relies only on the NetFlow data. This study also discusses the performance details of the detection method and reveals the methods and behaviour of present-day successful attackers. Next, these findings are compared to the conclusions of our previous study. In our future work, we will focus on extending the detection method to network services and protocols other than SSH. Further, the method should also provide reasons for the decision that an attack occurred (e.g., a distributed dictionary attack).

Keywords: dictionary attack, SSH, NetFlow, attack pattern, validation, honeypot.
1 Introduction

In our previous paper [1], we proposed an SSH dictionary attack pattern that is able to recognize a successful attack. We inspected logs on attacked hosts and then identified the corresponding traffic in NetFlow data collected at the border of a university network or its subnets. As a result, we derived the following dictionary attack pattern at the NetFlow level:

- the TCP port of the victim is 22,
- the TCP port of the attacker is generally random and greater than 1024,
- many flows (tens or hundreds) from the attacker to the victim in a short time window (5 minutes),
- the flows from the attacker are small: from 10 to 30 packets and from to bytes,
- the victim's responses are small too (typically the same number of packets and bytes),
- the flow duration is up to 5 seconds,
- the last flow is different in the case of a successful attempt.

Security and Protection of Information 2009
Next, we analysed the network traffic of various applications that utilize the SSH protocol (ssh, scp, PuTTY, WinSCP, sftp and rsync) to eliminate false positives. In short, we did not find any traffic that fully corresponds to the attack pattern derived from real dictionary attacks. What is more, the attack pattern matches all flows during our simulated attacks and, of course, the attacks captured in the log files at the beginning of our research.

The main idea of the detection algorithm is to monitor and tune key indicators (flow duration, number of packets and number of bytes transferred in the victim's reply to the attacker) of the attack in progress between an attacker and its victim, and to observe a significant change of these indicators. After a pre-specified number of attempts, an unsuccessful attack is reported. A sudden and significant change of the flow characteristics followed by the stop of the attack may indicate a successful attack. While attacks may vary among different attackers and victims, we need a really adaptable approach to detect successful attacks. According to these requirements, we chose the decision tree method to implement the algorithm. Using a dynamic decision tree, we are able to store network traffic statistics, attack indicators and relevant detection parameters persistently and, most importantly, to build the tree according to the attacks in progress.

In this paper, we evaluate the detection accuracy (the false positive and false negative rates). We deployed a high-interaction honeypot and examined the behaviour of attackers. Incoming network traffic to a honeypot is assumed malicious by definition: common network traffic should not reach the honeypot. When an attacker conducts a successful dictionary attack, we are notified via e-mail. We can immediately validate whether the detection algorithm is accurate or not, whether it detected the dictionary attack itself and whether it correctly determined that the attack was successful or not.
In case of inaccurate detection, we can tune the parameters of the detection pattern, run the improved pattern and validate the results again. Details of the test bed are described in the following section. Section 3 contains the experimental results. Related work is summarized and its results are compared to our work in Section 4. Section 5 concludes the paper.
2 Test bed

To validate the results of the described detection method, we deployed several high-interaction honeypots and NetFlow probes in the Masaryk University network. Figure 1 depicts the whole test bed.

Figure 1: Test bed.

2.1 Honeypots

We decided to deploy high-interaction honeypots because they are real systems, not only software simulating real systems. In order to lower costs and minimize maintenance effort, we employed VMware Server as the virtualization platform (host) and installed five virtual honeypots (guests) on it. The guests were running Ubuntu 8.10 Server Edition with a patched OpenSSH 5.1p1 server. The SSH server was modified in the following way:

- the standard log file (auth.log) contains the user names and even the passwords entered in the authentication process,
- a copy of the standard log file (auth.log) is stored at an uncommon path in the file system,
- an e-mail alert is sent after a successful authentication via password.

Each guest machine provides ten user accounts and one superuser account for maintenance purposes. These accounts were reachable from the whole Internet. We chose common user names and passwords on the basis of our previous research [1] and other studies [3, 4]. The superuser account called 'root' was disabled.
The SSH daemon was listening on TCP port 22. All other services and daemons were disabled. The guest machines only reply to ICMP echo requests, reset TCP connections to ports other than TCP port 22, and send ICMP port error messages in the case of a connection attempt to a UDP port. All outbound traffic from the guests was shaped to 32 kbps by Traffic Control in the Linux kernel [5]. When we observed tens of scans of TCP port 80, we deployed the lighttpd web server on all honeypots to attract other attackers.

2.2 NetFlow Probes and Collector

All incoming traffic passes the edge router and is monitored by a FlowMon [6] probe connected via a SPAN (mirror) port. In addition, another FlowMon probe monitors all traffic between the guests and other hosts in the university network or the Internet. As a result, all network traffic of the honeypots (regardless of its source or destination) is captured in NetFlow data exported by both FlowMon probes. The NetFlow collector nfdump [7] stores the NetFlow records and serves the NetFlow data to the detection module.

"A flow is defined as a unidirectional sequence of packets with some common properties that pass through a network device." [8] A flow is commonly identified by the following 5-tuple: (srcip, dstip, proto, srcport, dstport). In particular, there is no information about the payload. NetFlow provides traffic aggregation (sum of packets, bytes, flow duration, etc.) and is thus suitable for multi-gigabit networks.

2.3 Detection Module

The dictionary attack detection module is generally based on the decision tree technique. In contrast to traditional decision trees, which are static sets of conditions organized in a structure, the tree presented here grows dynamically according to the classified data. Each tree node allows a set of conditions and operations to be connected. The satisfaction of the given conditions controls the data flow through the decision tree and the execution of operations. The detection module works with NetFlow data (it processes individual flows).
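The flow records of Section 2.2 can be reproduced from a packet trace in a few lines, which also shows why the detector never needs payload. The following is an added example, not the paper's or FlowMon's code: it aggregates packets into unidirectional records keyed by the 5-tuple (packets, bytes, first/last timestamp) and then pairs each record with its reverse-direction counterpart into a request/reply biflow, the shape in which the detection module reads the victim's reply indicators. The idle timeout, the pairing rule and the sample packets are assumptions constructed for the example.

```python
"""Aggregate packets into NetFlow-style unidirectional records keyed by
(srcip, dstip, proto, srcport, dstport) and pair them into biflows.
Added example; timeouts, pairing rule and packets are assumed/constructed."""
from dataclasses import dataclass

IDLE_TIMEOUT = 15.0   # assumption: seconds of silence that close a flow


@dataclass
class Flow:
    key: tuple        # (srcip, dstip, proto, srcport, dstport)
    first: float
    last: float
    packets: int = 0
    octets: int = 0   # bytes; only header sizes are used, payload is never read

    @property
    def duration(self) -> float:
        return self.last - self.first


def aggregate(packets, idle_timeout=IDLE_TIMEOUT):
    """packets: (ts, srcip, dstip, proto, sport, dport, length) tuples sorted by ts.
    Returns Flow records ordered by their first packet."""
    active, done = {}, []
    for ts, sip, dip, proto, sport, dport, length in packets:
        key = (sip, dip, proto, sport, dport)
        fl = active.get(key)
        if fl is not None and ts - fl.last > idle_timeout:
            done.append(active.pop(key))   # idle gap: export, then start a new flow
            fl = None
        if fl is None:
            fl = active[key] = Flow(key, ts, ts)
        fl.last = ts
        fl.packets += 1
        fl.octets += length
    done.extend(active.values())
    done.sort(key=lambda f: f.first)
    return done


def pair_biflows(flows, window=IDLE_TIMEOUT):
    """Match each flow with the closest unused reverse-direction flow starting
    within `window` seconds (simplified RFC 5103-style pairing).
    Returns (request, reply) tuples; reply is None when nothing came back."""
    by_key = {}
    for fl in flows:
        by_key.setdefault(fl.key, []).append(fl)
    used, pairs = set(), []
    for fl in flows:                      # earliest flow of a pair is the request
        if id(fl) in used:
            continue
        used.add(id(fl))
        sip, dip, proto, sport, dport = fl.key
        candidates = [r for r in by_key.get((dip, sip, proto, dport, sport), [])
                      if id(r) not in used and abs(r.first - fl.first) <= window]
        reply = min(candidates, key=lambda r: abs(r.first - fl.first), default=None)
        if reply is not None:
            used.add(id(reply))
        pairs.append((fl, reply))
    return pairs


def build_sample_packets():
    """Constructed trace: three SSH login attempts from one client; the third
    reuses the first source port after a long pause, so it must become a new flow."""
    pkts = []

    def attempt(t0, sport, n=12, req_len=150, rep_len=170, step=0.1):
        for i in range(n):
            pkts.append((t0 + i * step, "198.51.100.7", "192.0.2.10", 6, sport, 22, req_len))
            pkts.append((t0 + i * step + 0.01, "192.0.2.10", "198.51.100.7", 6, 22, sport, rep_len))

    attempt(1000.0, 40001)
    attempt(1002.0, 40002)
    attempt(1100.0, 40001)
    pkts.sort(key=lambda p: p[0])
    return pkts


def login_attempt_summary():
    """(client port, req packets, req bytes, reply packets, reply bytes, reply duration)."""
    pairs = pair_biflows(aggregate(build_sample_packets()))
    return [(req.key[3], req.packets, req.octets,
             rep.packets if rep else 0, rep.octets if rep else 0,
             round(rep.duration, 2) if rep else None) for req, rep in pairs]
```

Each tuple returned by login_attempt_summary() is exactly the per-attempt material the detector of Section 2.3 works on: the reply's packet count, byte count and duration, with the client port as the only thing that changes between guesses.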
The main idea of the detection algorithm is to focus on changes of the key attack indicators (flow duration, number of packets and number of bytes transferred in the victim's reply to the attacker) of the attack in progress. A sudden or significant change of the attack indicators followed by the stop of the attack may indicate a successful attack. The detection module starts with a set of input flows sorted by flow_start and processes the flows one by one in sequence. Detection also starts with generic bounds for the attack indicators that fit most of the attacks. For each pair (attacker, victim), arrays of attack indicators are built (a duration array, a packets array and a bytes array) until the attack attempts threshold is reached. New bounds for the given attacker and victim are then calculated using the toleration parameters. From that moment, each flow within the bounds is considered an unsuccessful attack and each flow out of bounds is considered a successful attack. A more detailed and formal explanation of the detection algorithm is available in [1].

From a performance point of view, the detection module based on decision trees is able to handle thousands of events per second on COTS (commercial off-the-shelf) hardware. Particular results will depend on the actual tree structure. An analysis of performance demonstrates that the presented approach is able to handle the detection of dictionary attacks in real time in a large high-speed network ( computers, 10 Gigabit Ethernet interface, all traffic approximately 220 million flows per day, SSH traffic approximately 1.5 million flows per day). Particular performance results are presented in Section 3.3.

3 Results

First of all, we define some important notions. An unsuccessful attack is at least 20 repetitive attempts to log in to a guest machine in a short time, originating from a single IP address. Two contiguous attempts
must occur within 30 minutes; otherwise they are considered to be two different attacks. The attack is successful if and only if the password provided by the attacker is correct and he or she is successfully logged in. A TCP SYN or TCP SYN/RST scan (of port X) is a reconnaissance probe to a server (to TCP port X) in which no TCP connection is established (the connection handshake is exploited). It originates from a single IP address. Similarly, a UDP scan is a UDP probe to a server originating from a single IP address, regardless of the server's reply.

3.1 Behaviour of Attackers

We observed a total of 65 SSH dictionary attacks during a 23-day period. Despite the fact that the fifty user accounts on five machines were secured by weak passwords, only 3 attacks were successful (4.61 %). Next, we also observed sequences of fewer than 20 repetitive log-in attempts 16 times. No traffic (including TCP and UDP scans) originating in the defended network and destined to the honeypots was observed. On the contrary, a total of 938 TCP and 501 UDP scans originating outside the network were logged. Table 1 shows the numbers and types of scans destined to particular honeypots.

Table 1: Numbers and types of scans destined to particular honeypots. Columns: Honeypot; Total number of TCP scans; Number of TCP SYN scans; Number of TCP SYN/RST scans; Total number of UDP scans. One row per honeypot (five rows); the cell values are not recoverable from this copy.

The most popular TCP port was 1433 (MS SQL) with 197 scans, followed by 80 (HTTP) with 79 scans and 4899 (radmin) with 67 scans. Considering UDP ports, the majority of scans were aimed at ports 1026 and 1027 (106 and 83 scans). Considering scans of the standard SSH port (TCP port 22), we observed that 21 of 34 scans were followed by SSH dictionary attacks originating from the same IP address. The time between the scan and the attack varied from 6 minutes to 2 hours. In the case of the successful attacks, only one of the three attacks was preceded by a scan as defined above.
The other two successful attacks were preceded by the establishment of a TCP connection to port 22 (hereafter "SSH scan") about 1 and 9 hours before the attack. According to the log file, the attackers did not try any password. The log files say that sshd did not receive an identification string from the attacker's IP address.

Next, we identified the following attack scenarios and groups (AGx in short) comprising both successful and unsuccessful attacks. We chose all attacks conducted by intruders that were successful at least once.

The first successful attack (in AG1) was preceded by an SSH scan of all five honeypots. Finally, the attacker was logged in on only one honeypot as guest by the password guest123. He or she was successful in 1 minute and 4 seconds, after 44 log-in attempts. The vast majority of attempts were tried with the password the same as the username. After the successful break-in, the attacker continued with the dictionary attack until the honeypot was shut down. The total number of log-in attempts was
No other attacker's activity was observed (e.g., modification of the filesystem or file downloading).
The second successful attack (in AG2) was preceded by a TCP SYN/RST scan of all five honeypots. Similarly to AG1, although the attacker conducted dictionary attacks against all honeypots, he or she was successful on only one honeypot. After 56 attempts tried in 3 minutes and 6 seconds, the attacker was logged in as guest by password. Again, no other attacker's activity was observed. After 4.5 hours, the attacker performed another TCP SYN/RST scan of the same honeypot and then, after 38 minutes, tried to log in as users other than guest 9 times.

The third successful attack (in AG3) was preceded by an SSH scan of four honeypots. Similarly to AG1 and AG2, the attacker conducted attacks against four honeypots, but succeeded on only one host after 401 attempts in 21 minutes and 48 seconds. He or she was logged in as test by the password qwerty. Again, the majority of log-in attempts were tried with the password the same as the username, and no other attacker's activity was observed. Further, the attacker continued with attacks against the other three honeypots.

3.2 Parameters of Detection and Results

The detection was performed with the default parameters set as follows:

bpplimitreplies = 250; maximum bytes per packet in an SSH login reply flow, other flows are ignored.
bpplimitrequests = 150; maximum bytes per packet in an SSH login request flow, other flows are ignored.
deltabytescoefficient = 1.2; tolerance in the difference of bytes in a flow to report a successful attack.
deltadurationcoefficient = 1.2; tolerance in the difference of flow duration to report a successful attack.
deltapacketscoefficient = 1.2; tolerance in the difference of packets in a flow to report a successful attack.
failedattackresponsebytes = "1400,5000"; initial bounds for bytes in a flow representing an unsuccessful attack.
failedattackresponseduration = "0.400,5.000"; initial bounds for the duration of a flow representing an unsuccessful attack.
failedattackresponsepackets = "10,30"; initial bounds for packets in a flow representing an unsuccessful attack.
manyattackattempts = 20; minimal count of attempts to report an unsuccessful attack.
tsdeltathreshold = 1800; minimal slack in seconds between two flows to distinguish two different attacks from a single attacker to a single victim.

The parameters are described in detail in [1].
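The algorithm of Section 2.3 and the parameter list above fit together in one short program. What follows is an added example, not the paper's decision-tree module: per (attacker, victim) pair it discards exchanges whose bytes-per-packet exceed bpplimitrequests/bpplimitreplies, counts replies that fall inside the generic failedattackresponse* bounds until manyattackattempts is reached, reports an unsuccessful attack at that point, derives pair-specific bounds from the observed arrays, and from then on reports every out-of-bounds reply as a successful attack; a pause longer than tsdeltathreshold starts a new attack. The parameter names and defaults are the paper's; the bound-update rule (observed minimum divided by, maximum multiplied by the coefficient) and the sample flows are assumptions constructed for the example.

```python
"""Dynamic-bounds SSH dictionary attack detection over paired NetFlow records.
Added example; parameter names/defaults follow the paper, the bound-update rule
and the sample traffic are assumptions/constructed."""
from dataclasses import dataclass, field
from typing import Optional

PARAMS = {
    "bpplimitreplies": 250,
    "bpplimitrequests": 150,
    "deltabytescoefficient": 1.2,
    "deltadurationcoefficient": 1.2,
    "deltapacketscoefficient": 1.2,
    "failedattackresponsebytes": (1400, 5000),
    "failedattackresponseduration": (0.400, 5.000),
    "failedattackresponsepackets": (10, 30),
    "manyattackattempts": 20,
    "tsdeltathreshold": 1800,
}


@dataclass
class Biflow:
    """One login exchange: attacker request flow and victim reply flow, already paired."""
    start: float
    attacker: str
    victim: str
    dport: int
    req_packets: int
    req_bytes: int
    rep_packets: int
    rep_bytes: int
    rep_duration: float


@dataclass
class PairState:
    """Per (attacker, victim) node of the dynamically grown tree."""
    last_seen: float
    attempts: int = 0
    durations: list = field(default_factory=list)
    packets: list = field(default_factory=list)
    octets: list = field(default_factory=list)
    bounds: Optional[dict] = None   # None while the generic bounds are still in use


def _within(value, bound):
    lo, hi = bound
    return lo <= value <= hi


def _learn_bounds(st, p):
    """Assumption: the tolerance coefficient widens the observed range on both sides."""
    cd, cp, cb = (p["deltadurationcoefficient"], p["deltapacketscoefficient"],
                  p["deltabytescoefficient"])
    return {"duration": (min(st.durations) / cd, max(st.durations) * cd),
            "packets": (min(st.packets) / cp, max(st.packets) * cp),
            "bytes": (min(st.octets) / cb, max(st.octets) * cb)}


def detect(flows, p=PARAMS):
    """Process biflows in start order. Returns (verdict, attacker, victim, ts, attempts)
    events: 'unsuccessful' once manyattackattempts is reached, then 'successful'
    for each reply that leaves the learned bounds."""
    states, events = {}, []
    for f in sorted(flows, key=lambda x: x.start):
        if f.dport != 22 or f.req_packets == 0 or f.rep_packets == 0:
            continue
        if (f.req_bytes / f.req_packets > p["bpplimitrequests"]
                or f.rep_bytes / f.rep_packets > p["bpplimitreplies"]):
            continue                              # not a login exchange (e.g. bulk transfer)
        key = (f.attacker, f.victim)
        st = states.get(key)
        if st is None or f.start - st.last_seen > p["tsdeltathreshold"]:
            st = states[key] = PairState(last_seen=f.start)   # new attack for this pair
        st.last_seen = f.start
        if st.bounds is None:
            # learning phase: only replies inside the generic bounds count as attempts
            if not (_within(f.rep_bytes, p["failedattackresponsebytes"])
                    and _within(f.rep_duration, p["failedattackresponseduration"])
                    and _within(f.rep_packets, p["failedattackresponsepackets"])):
                continue
            st.attempts += 1
            st.durations.append(f.rep_duration)
            st.packets.append(f.rep_packets)
            st.octets.append(f.rep_bytes)
            if st.attempts >= p["manyattackattempts"]:
                st.bounds = _learn_bounds(st, p)
                events.append(("unsuccessful", f.attacker, f.victim, f.start, st.attempts))
            continue
        st.attempts += 1
        if not (_within(f.rep_duration, st.bounds["duration"])
                and _within(f.rep_packets, st.bounds["packets"])
                and _within(f.rep_bytes, st.bounds["bytes"])):
            events.append(("successful", f.attacker, f.victim, f.start, st.attempts))
    return events


def build_sample():
    """Constructed traffic: an attacker that succeeds on the 26th guess, a benign
    interactive session, and an attacker whose two short bursts are over an hour apart."""
    flows, t = [], 1000.0
    for i in range(25):    # failed guesses: small, similar replies with some jitter
        flows.append(Biflow(t + 3 * i, "198.51.100.7", "192.0.2.10", 22, 12, 1500,
                            12 + i % 3, 2000 + 40 * (i % 5), 1.0 + 0.05 * (i % 4)))
    flows.append(Biflow(t + 75, "198.51.100.7", "192.0.2.10", 22, 12, 1500,
                        40, 9000, 25.0))           # reply far larger and longer: login succeeded
    flows.append(Biflow(t + 500, "203.0.113.5", "192.0.2.10", 22, 300, 40000,
                        320, 60000, 900.0))        # admin session: outside the generic bounds
    for burst in (2000, 6000):                     # 10 + 10 guesses split by a > 1800 s pause
        for i in range(10):
            flows.append(Biflow(t + burst + 3 * i, "198.51.100.9", "192.0.2.11", 22,
                                12, 1500, 12, 2000, 1.0))
    return flows
```

With the constructed traffic, detect(build_sample()) first reports the unsuccessful attack when the 20th guess arrives, then the successful one at the 26th exchange; the admin session never enters the learning phase, and the second attacker's two bursts are kept apart by tsdeltathreshold, so neither reaches the 20-attempt threshold.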
Next, we validate the detection of the three selected attack groups AG1, AG2 and AG3. All 14 SSH dictionary attacks (5 in AG1, 5 in AG2 and 4 in AG3) were detected. What is more, no other attacks were detected and all attacks were correctly labelled as successful or unsuccessful except one. The false positive is caused by the fact that the attacker continued with the attack after the successful intrusion. This contradicts our expectations. The detection was run within the time window of each attack on NetFlow data collected on the honeypot interface eth1 (see Figure 1).

3.3 Performance Analysis

To obtain the results of the performance tests, we also used NetFlow data collected on the SPAN port of the edge router as input. The processed traffic was a few times greater than on the honeypot interface. Unfortunately, the detection accuracy was not satisfactory in this case. It was caused by biased primary data, i.e. the network packets provided by the SPAN port. For instance, the edge router mirrors the passing packets in a non-deterministic way.

Table 2 shows the number of processed flows and the duration in seconds of the key operations of the whole detection, and the performance measured in flows per second:

- data_delivery comprises loading data from nfdump and receiving them at the detection module server,
- stored_in_memory stands for storing the data in memory,
- pairs_created is the operation of flow pairing according to [9],
- port_filtered is the filtering of TCP traffic (port 22),
- break_detected is the SSH dictionary attack detection, including storing the results in a relation table.

This measurement was done for all three attack groups.

Table 2: Duration of key operations and performance of the detection module for selected attacks. Columns: attack groups AG1, AG2 and AG3; rows: data_delivery, stored_in_memory, pairs_created, port_filtered, break_detected, number of processed flows, performance of the detection module, total time, overall performance in flows per second. The cell values are not recoverable from this copy.
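The accuracy figures of Section 3.2 rest on ground truth from the honeypots' auth.log, read with the definitions of Section 3 (at least 20 attempts from one IP address, a pause of more than 30 minutes splits two attacks, success means an accepted password). The following added example, not the paper's tooling, parses standard OpenSSH auth.log lines into login events, groups them into attacks per (source IP, honeypot), and scores a set of network-side verdicts against them, counting a successful attack labelled unsuccessful as a false negative and an unsuccessful one labelled successful as a false positive. The log lines, the detector verdicts and the year (syslog timestamps carry none) are constructed or assumed; the patched sshd's extra password logging is not needed here.

```python
"""Ground truth from sshd auth.log and scoring of NetFlow-based verdicts.
Added example; log lines, verdicts and the year are constructed/assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")
YEAR = 2009           # assumption: syslog timestamps carry no year
ATTEMPT_GAP = 1800    # seconds; a longer pause starts a new attack (paper's definition)
MIN_ATTEMPTS = 20     # attempts needed for a sequence to count as an attack (paper's definition)


def parse_auth_log(lines):
    """Return (timestamp, host, source ip, user, accepted) for each password event."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def group_attacks(events, gap=ATTEMPT_GAP, min_attempts=MIN_ATTEMPTS):
    """Split each (source ip, honeypot) stream into attacks at pauses longer than `gap`."""
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_pair[(ev[2], ev[1])].append(ev)
    attacks = []
    for (ip, host), evs in by_pair.items():
        cur = None
        for ts, _, _, user, accepted in evs:
            if cur is None or (ts - cur["end"]).total_seconds() > gap:
                cur = {"attacker": ip, "victim": host, "start": ts, "end": ts,
                       "attempts": 0, "success": False, "user": None}
                attacks.append(cur)
            cur["end"] = ts
            cur["attempts"] += 1
            if accepted:
                cur["success"], cur["user"] = True, user
    for a in attacks:
        a["is_attack"] = a["attempts"] >= min_attempts
    return sorted(attacks, key=lambda a: a["start"])


def evaluate(attacks, verdicts):
    """verdicts: {(attacker, victim, n): 'successful' | 'unsuccessful'}, n being the
    ordinal of that pair's attack in time order. 'successful' is the positive class."""
    counts = {"TP": 0, "FN": 0, "FP": 0, "TN": 0, "missed": 0}
    seen = defaultdict(int)
    for a in attacks:
        if not a["is_attack"]:
            continue
        pair = (a["attacker"], a["victim"])
        verdict = verdicts.get(pair + (seen[pair],))
        seen[pair] += 1
        if verdict is None:
            counts["missed"] += 1
        elif a["success"]:
            counts["TP" if verdict == "successful" else "FN"] += 1
        else:
            counts["FP" if verdict == "successful" else "TN"] += 1
    neg, pos = counts["FP"] + counts["TN"], counts["FN"] + counts["TP"]
    return counts, (counts["FP"] / neg if neg else 0.0), (counts["FN"] / pos if pos else 0.0)


def _sequence(ip, host, start, n_failed, success_user=None, step=2):
    """Constructed auth.log lines in the standard OpenSSH format."""
    lines, t = [], start
    for i in range(n_failed):
        lines.append(f"{t:%b %d %H:%M:%S} {host} sshd[{2000 + i}]: Failed password for "
                     f"invalid user user{i % 7} from {ip} port {40000 + i} ssh2")
        t += timedelta(seconds=step)
    if success_user:
        lines.append(f"{t:%b %d %H:%M:%S} {host} sshd[2999]: Accepted password for "
                     f"{success_user} from {ip} port 41000 ssh2")
    return lines


def build_sample_log():
    day = datetime(YEAR, 4, 14)
    return (_sequence("198.51.100.7", "h1", day.replace(hour=10), 44, "guest")
            + _sequence("198.51.100.8", "h2", day.replace(hour=10, minute=30), 30)
            + _sequence("198.51.100.9", "h3", day.replace(hour=11), 12)   # too short
            + _sequence("198.51.100.10", "h4", day.replace(hour=12), 56, "test")
            + _sequence("198.51.100.8", "h2", day.replace(hour=13), 25))  # 2nd attack, same pair


SAMPLE_VERDICTS = {   # constructed detector output, one entry per detected attack
    ("198.51.100.7", "h1", 0): "unsuccessful",   # success missed: guessing went on after login
    ("198.51.100.8", "h2", 0): "unsuccessful",
    ("198.51.100.8", "h2", 1): "successful",     # a false alarm
    ("198.51.100.10", "h4", 0): "successful",
}


def score_sample():
    return evaluate(group_attacks(parse_auth_log(build_sample_log())), SAMPLE_VERDICTS)
```

score_sample() returns the confusion counts together with the false positive rate FP/(FP+TN) and the false negative rate FN/(FN+TP); the 12-attempt sequence against h3 is parsed but excluded from scoring because it falls below the 20-attempt definition of an attack.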
4 Related Work

Our results concerning the behaviour of attackers can be compared to the results of [3] and [4]. Both studies utilize honeypots to create an attacker profile. In contrast to these studies, we did not observe any activities such as downloading, installing or running malicious software, or changing the password, in the case of the three successful attacks. But we can confirm the very low percentage of successful attacks. Generally, the attempted username and password patterns are very similar to those in [3] and [4]. Next, we observed that the majority of attacks were preceded by TCP scans, which differs from the findings in [4]. On the contrary, we confirm other findings in [4] that the attacks follow very simple and repetitive patterns, such as attacks that continued although the attacker had already guessed the correct password.

5 Conclusions

The achieved results show that network-based attack detection has a large potential to substitute traditional host-based methods. During the detection pattern evaluation we identified only one false negative, when a successful attack was identified as an unsuccessful attack. Another important result consists in the validation of primary data quality according to the probe wiring: using a SPAN port connection, the quality of the primary data goes down rapidly, which influences the results of the attack detection. From the performance point of view, the presented method is capable of processing the whole university SSH traffic in real time. Concerning the behaviour of successful attackers, we observed no malicious activities, neither on the host nor in the network traffic, in the hours after the intrusions. Surprisingly, one attacker continued with the dictionary attack after a successful log-in. This behaviour could point to a low-skilled attacker. In our future work we will focus on the deployment of the on-line detection method, which has already started. We would also like to validate the SSH attack pattern on other authenticated services like FTP or web logins.
Acknowledgement

This work was supported by the Czech Ministry of Defence under Contract No. SMO02008PR980-OVMASUN.

References

[1] Vykopal, J., Plesnik, T., and Minarik, P.: Network-based Dictionary Attack Detection, in Proc. of ICFN 2009, Bangkok.
[2] VMware, Inc. web site.
[3] Ramsbrock, D., Berthier, R., and Cukier, M.: Profiling Attacker Behavior Following SSH Compromises, in Proc. 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.
[4] Alata, E., Nicomette, V., Kaâniche, M., Dacier, M., and Herrb, M.: Lessons learned from the deployment of a high-interaction honeypot, in Proc. 6th European Dependable Computing Conference (EDCC-6), Coimbra.
[5] Linux Advanced Routing & Traffic Control.
[6] FlowMon probe web site.
[7] Nfdump web site.
[8] Claise, B.: Cisco Systems NetFlow Services Export Version 9. RFC 3954 (Informational).
[9] Trammell, B. and Boschi, E.: Bidirectional Flow Export Using IP Flow Information Export (IPFIX). RFC 5103.
More informationTechnical Report CIDDS-002 data set
Technical Report CIDDS-002 data set Markus Ring and Sarah Wunderlich October 25, 2017 CIDDS-002 (Coburg Intrusion Detection Data Set) [4] is a labelled flowbased port scan data set for evaluation of anomaly
More informationOutline. Motivation. Our System. Conclusion
Outline Motivation Our System Evaluation Conclusion 1 Botnet A botnet is a collection of bots controlled by a botmaster via a command and control (C&C) channel Centralized C&C, P2P-based C&C Botnets serve
More informationOverview Intrusion Detection Systems and Practices
Overview Intrusion Detection Systems and Practices Chapter 13 Lecturer: Pei-yih Ting Intrusion Detection Concepts Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy
More informationINTRODUCTION...2 SOLUTION DETAILS...3 NOTES...3 HOW IT WORKS...4
TESTING & INTEGRATION GROUP TECHNICAL DOCUMENT DefensePro out of path with Cisco router INTRODUCTION...2 SOLUTION DETAILS...3 NOTES...3 HOW IT WORKS...4 CONFIGURATION... 4 TRAFFIC FLOW... 4 SOFTWARE AND
More informationMonitoring network bandwidth on routers and interfaces; Monitoring custom traffic on IP subnets and IP subnets groups; Monitoring end user traffic;
NetVizura NetFlow Analyzer enables you to collect, store and analyze network traffic data by utilizing Cisco NetFlow, IPFIX, NSEL, sflow and compatible netflow-like protocols. It allows you to visualize
More informationConfiguring IP Services
This module describes how to configure optional IP services. For a complete description of the IP services commands in this chapter, refer to the Cisco IOS IP Application Services Command Reference. To
More informationinside: THE MAGAZINE OF USENIX & SAGE April 2002 Volume 27 Number 2 SECURITY A Remote Active OS Fingerprinting Tool Using ICMP BY OFIR ARKIN
THE MAGAZINE OF USENIX & SAGE April 2002 Volume 27 Number 2 inside: SECURITY A Remote Active OS Fingerprinting Tool Using ICMP BY OFIR ARKIN & The Advanced Computing Systems Association & The System Administrators
More informationProtection Against Distributed Denial of Service Attacks
Protection Against Distributed Denial of Service Attacks The Protection Against Distributed Denial of Service Attacks feature provides protection from Denial of Service (DoS) attacks at the global level
More informationChapter 6 Global CONFIG Commands
Chapter 6 Global CONFIG Commands aaa accounting Configures RADIUS or TACACS+ accounting for recording information about user activity and system events. When you configure accounting on an HP device, information
More informationASA Access Control. Section 3
[ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look
More informationComputer Science 3CN3 and Software Engineering 4C03 Final Exam Answer Key
Computer Science 3CN3 and Software Engineering 4C03 Final Exam Answer Key DAY CLASS Dr. William M. Farmer DURATION OF EXAMINATION: 2 Hours MCMASTER UNIVERSITY FINAL EXAMINATION April 2008 THIS EXAMINATION
More informationUsage of Honeypot to Secure datacenter in Infrastructure as a Service data
Usage of Honeypot to Secure datacenter in Infrastructure as a Service data Ms. Priyanka Paliwal M. Tech. Student 2 nd yr.(comp. Science& Eng.) Government Engineering College Ajmer Ajmer, India (Erpriyanka_paliwal06@rediffmail.com)
More informationPort Scanning A Brief Introduction
Port Scanning A Brief Introduction Sven Helmer April 4, 2018 Contents 1 Background 2 1.1 Ports.................................... 2 1.2 Port Scanning............................... 2 1.3 Port Scanning
More informationSYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet
SYMANTEC ENTERPRISE SECURITY Symantec Internet Security Threat Report September 00 Power and Energy Industry Data Sheet An important note about these statistics The statistics discussed in this document
More informationEnhancing Byte-Level Network Intrusion Detection Signatures with Context
Enhancing Byte-Level Network Intrusion Detection Signatures with Context Robin Sommer sommer@in.tum.de Technische Universität München Germany Vern Paxson vern@icir.org International Computer Science Institute
More informationDetection of DNS Traffic Anomalies in Large Networks
Detection of Traffic Anomalies in Large Networks Milan Čermák, Pavel Čeleda, Jan Vykopal {cermak celeda vykopal}@ics.muni.cz 20th Eunice Open European Summer School and Conference 2014 1-5 September 2014,
More informationEnhancing Network Security: Host Trustworthiness Estimation
Enhancing Network Security: Host Trustworthiness Estimation Tomáš Jirsík, Pavel Čeleda {jirsik celeda}@ics.muni.cz Institute of Computer Science, Masaryk University Goal 25,739% Tomáš Jirsík, Pavel Čeleda
More informationn Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic
Chapter Objectives n Understand how to use appropriate software tools to assess the security posture of an organization Chapter #7: Technologies and Tools n Given a scenario, analyze and interpret output
More informationDDoS and Traceback 1
DDoS and Traceback 1 Denial-of-Service (DoS) Attacks (via Resource/bandwidth consumption) malicious server legitimate Tecniche di Sicurezza dei Sistemi 2 TCP Handshake client SYN seq=x server SYN seq=y,
More informationConfiguring Cisco IOS IP SLA Operations
CHAPTER 58 This chapter describes how to use Cisco IOS IP Service Level Agreements (SLA) on the switch. Cisco IP SLA is a part of Cisco IOS software that allows Cisco customers to analyze IP service levels
More informationset active-probe (PfR)
set active-probe (PfR) set active-probe (PfR) To configure a Performance Routing (PfR) active probe with a forced target assignment within a PfR map, use the set active-probe command in PfR map configuration
More informationConfiguring Commonly Used IP ACLs
Configuring Commonly Used IP ACLs Document ID: 26448 Contents Introduction Prerequisites Requirements Components Used Conventions Configuration Examples Allow a Select Host to Access the Network Deny a
More informationSYN Flood Attack Protection Technology White Paper
Flood Attack Protection Technology White Paper Flood Attack Protection Technology White Paper Keywords: flood, Cookie, Safe Reset Abstract: This document describes the technologies and measures provided
More informationConfiguring IP Services
CHAPTER 8 Configuring IP Services This chapter describes how to configure optional IP services supported by the Cisco Optical Networking System (ONS) 15304. For a complete description of the commands in
More informationWeek Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development
Weekly Tasks Week 5 Rich Macfarlane 2013 Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development Aim: The aim of these labs are to further investigate the Snort, network IDS, and methods
More informationOSSIM Fast Guide
----------------- OSSIM Fast Guide ----------------- February 8, 2004 Julio Casal http://www.ossim.net WHAT IS OSSIM? In three phrases: - VERIFICATION may be OSSIM s most valuable contribution
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 9 Performing Vulnerability Assessments
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments Objectives Define risk and risk management Describe the components of risk management List
More informationComputer Network Vulnerabilities
Computer Network Vulnerabilities Objectives Explain how routers are used to protect networks Describe firewall technology Describe intrusion detection systems Describe honeypots Routers Routers are like
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting
More informationHow to Configure a Remote Management Tunnel for an F-Series Firewall
How to Configure a Remote Management Tunnel for an F-Series Firewall If the managed NextGen Firewall F-Series cannot directly reach the NextGen Control Center, it must connect via a remote management tunnel.
More informationANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS
ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS Saulius Grusnys, Ingrida Lagzdinyte Kaunas University of Technology, Department of Computer Networks, Studentu 50,
More informationSVILUPPO DI UNA TECNICA DI RICONOSCIMENTO STATISTICO DI APPLICAZIONI SU RETE IP
UNIVERSITÀ DEGLI STUDI DI PARMA FACOLTÀ di INGEGNERIA Corso di Laurea Specialistica in Ingegneria delle Telecomunicazioni SVILUPPO DI UNA TECNICA DI RICONOSCIMENTO STATISTICO DI APPLICAZIONI SU RETE IP
More informationFlowMatrix Tutorial. FlowMatrix modus operandi
FlowMatrix Tutorial A message from the creators: When developing FlowMatrix our main goal was to provide a better and more affordable network anomaly detection and network behavior analysis tool for network
More informationFirewall Stateful Inspection of ICMP
The feature categorizes Internet Control Management Protocol Version 4 (ICMPv4) messages as either malicious or benign. The firewall uses stateful inspection to trust benign ICMPv4 messages that are generated
More informationNETWORK SECURITY. Ch. 3: Network Attacks
NETWORK SECURITY Ch. 3: Network Attacks Contents 3.1 Network Vulnerabilities 3.1.1 Media-Based 3.1.2 Network Device 3.2 Categories of Attacks 3.3 Methods of Network Attacks 03 NETWORK ATTACKS 2 3.1 Network
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN
More informationChapter 10: Denial-of-Services
Chapter 10: Denial-of-Services Technology Brief This chapter, "Denial-of-Service" is focused on DoS and Distributed Denial-of-Service (DDOS) attacks. This chapter will cover understanding of different
More informationConfiguring Cisco IOS IP SLAs Operations
CHAPTER 50 This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on the switch. Cisco IP SLAs is a part of Cisco IOS software that allows Cisco customers to analyze IP service
More informationConnection Logging. Introduction to Connection Logging
The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: Introduction to, page 1 Strategies, page 2 Logging Decryptable Connections
More informationConfiguring Advanced Firewall Settings
Configuring Advanced Firewall Settings This section provides advanced firewall settings for configuring detection prevention, dynamic ports, source routed packets, connection selection, and access rule
More informationChapter 2. Switch Concepts and Configuration. Part II
Chapter 2 Switch Concepts and Configuration Part II CCNA3-1 Chapter 2-2 Switch Concepts and Configuration Configuring Switch Security MAC Address Flooding Passwords Spoofing Attacks Console Security Tools
More informationERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016
Abstract The Mirai botnet struck the security industry in three massive attacks that shook traditional DDoS protection paradigms, proving that the Internet of Things (IoT) threat is real and the grounds
More informationConfiguring NAT for IP Address Conservation
This module describes how to configure Network Address Translation (NAT) for IP address conservation and how to configure inside and outside source addresses. This module also provides information about
More informationDistributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015
Distributed Systems 29. Firewalls Paul Krzyzanowski Rutgers University Fall 2015 2013-2015 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive data & systems not accessible Integrity:
More informationipv6 hello-interval eigrp
ipv6 hello-interval eigrp ipv6 hello-interval eigrp To configure the hello interval for the Enhanced Interior Gateway Routing Protocol (EIGRP) for IPv6 routing process designated by an autonomous system
More informationfirewalls perimeter firewall systems firewalls security gateways secure Internet gateways
Firewalls 1 Overview In old days, brick walls (called firewalls ) built between buildings to prevent fire spreading from building to another Today, when private network (i.e., intranet) connected to public
More informationConnection Logging. About Connection Logging
The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: About, page 1 Strategies, page 2 Logging Decryptable Connections with SSL
More informationHost Identity Sources
The following topics provide information on host identity sources: Overview: Host Data Collection, on page 1 Determining Which Host Operating Systems the System Can Detect, on page 2 Identifying Host Operating
More informationplixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels
Scrutinizer Competitor Worksheet Scrutinizer Malware Incident Response Scrutinizer is a massively scalable, distributed flow collection system that provides a single interface for all traffic related to
More informationUnit 4: Firewalls (I)
Unit 4: Firewalls (I) What is a firewall? Types of firewalls Packet Filtering Statefull Application and Circuit Proxy Firewall services and limitations Writing firewall rules Example 1 Example 2 What is
More informationChapter-3. Reasons and Remedies of False Positive
3.1 False Positive Basics Chapter-3 In this chapter, we have started with few real life examples of false positive and their effects. We have discussed about few basic terminologies about normal and attack
More informationCompare Security Analytics Solutions
Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch
More information