Intrusion Detection and Malware Analysis
1 Intrusion Detection and Malware Analysis: Anomaly-based IDS
Pavel Laskov, Wilhelm Schickard Institute for Computer Science
2 Taxonomy of anomaly-based IDS
Features: packet headers; byte streams; syntactic events.
Methods:
Manual modeling: no training, model constructed by hand.
Learning from clean data: training requires attack-free data.
Learning from noisy data: training is required, but contamination with attacks can be tolerated.
Online learning: no training, detection on the fly after a short initialization period.
3 Anomaly-based IDS to be discussed
PHAD: packet header features, learning from clean data.
ALAD: TCP connection features and application keywords, learning from clean data.
PAYL: content byte stream features, learning from clean data.
(Re)MIND: content byte stream and structured features, learning from noisy data, online learning.
4 PHAD features
Ethernet: size, dest hi, dest lo, src hi, src lo, proto.
IP: hlen, tos, len, frag id, frag ptr, ttl, proto, checksum, src addr, dest addr.
TCP: src port, dst port, seq num, ack num, hlen, flags, wsize, checksum, urg ptr, options.
UDP: src port, dst port, len, checksum.
ICMP: type, code, checksum.
5 PHAD algorithm
Probability of novel feature values: suppose an attribute x has previously assumed r values in n observations (r < n). Then the probability that the next value of x differs from all previously seen values is approximately $r/n$.
Computation of the anomaly score:
For each attribute x in the training data compute the ratio $r/n$.
For every new packet p, let Q be the set of attributes whose values were not seen in the training data. Let $t_i$ be the time since the last anomalous value was seen in attribute i. Then the anomaly score of the packet p is
$$s(p) = \sum_{i \in Q} t_i \, \frac{n_i}{r_i}$$
6 PHAD example
Training data: {[A,1], [B,2], [B,3], [C,4], [A,1], [B,3], [A,2], [C,4]}
r/n values: {3/8, 1/2}
Test data: {[A,1], [D,2], [E,5], [C,3]}
Score for the last packet: $s(p_4) = 2 \cdot 8/\ldots = \ldots$
7-8 Feature clustering in PHAD
Problem: each PHAD feature is 4 bytes long, so $2^{32}$ values are possible. Storing r/n ratios for every possible value is infeasible.
Feature clustering:
Put a cap C on the number of values to be considered for each feature (e.g. C = 32).
Every time this cap is exceeded, merge the two nearest values (or ranges) into a new range, e.g. (for C = 3): {3-5, 8, 10-15, 20} becomes {3-5, 8-15, 20}.
A value of an attribute of a packet p is considered unseen if it falls outside of the known ranges.
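The r/n scoring rule and the range-merging cap described above, implemented end to end as an added example (this is not code from the lecture or from the original PHAD implementation). It trains one model per header attribute, scores test packets with $t_i \cdot n_i/r_i$ for every attribute whose value falls outside the known ranges, and enforces the cap C by merging the two nearest ranges. The training and test packets are constructed for the demonstration, and time is counted in packet sequence numbers rather than the timestamps PHAD uses; both are assumptions.

```python
"""PHAD-style anomaly scoring: r/n novelty estimates per header attribute,
time-weighted scores for unseen values, and feature clustering with a cap
on the number of stored value ranges.
Added example; not code from the lecture or the original PHAD implementation.
Time is measured in packet sequence numbers (assumption; PHAD uses timestamps).
"""
from dataclasses import dataclass, field


@dataclass
class AttributeModel:
    """Ranges of values seen during training for one header attribute."""
    cap: int = 32                                  # C: max number of ranges kept
    ranges: list = field(default_factory=list)     # sorted, disjoint [lo, hi] pairs
    n: int = 0                                     # number of training observations

    @property
    def r(self) -> int:
        """Number of distinct values (ranges) seen so far."""
        return len(self.ranges)

    def contains(self, value: int) -> bool:
        """A value counts as 'seen' if it falls inside any known range."""
        return any(lo <= value <= hi for lo, hi in self.ranges)

    def enforce_cap(self) -> None:
        """Merge the two nearest ranges until at most `cap` ranges remain."""
        while len(self.ranges) > self.cap:
            gaps = [self.ranges[i + 1][0] - self.ranges[i][1]
                    for i in range(len(self.ranges) - 1)]
            i = gaps.index(min(gaps))
            lo = self.ranges[i][0]
            hi = self.ranges.pop(i + 1)[1]
            self.ranges[i] = [lo, hi]

    def observe(self, value: int) -> None:
        """Training step: count the observation and record a new value as a range."""
        self.n += 1
        if self.contains(value):
            return
        self.ranges.append([value, value])
        self.ranges.sort()
        self.enforce_cap()


class PhadModel:
    """One AttributeModel per header attribute plus the anomaly-score bookkeeping."""

    def __init__(self, attributes, cap: int = 32):
        self.models = {a: AttributeModel(cap) for a in attributes}
        self.last_anomaly = {a: 0 for a in attributes}   # time of last unseen value
        self.clock = 0                                    # detection-time packet counter

    def train(self, packet: dict) -> None:
        for attr, value in packet.items():
            self.models[attr].observe(value)

    def score(self, packet: dict) -> float:
        """s(p) = sum over unseen attributes i of t_i * n_i / r_i."""
        self.clock += 1
        score = 0.0
        for attr, value in packet.items():
            model = self.models[attr]
            if model.contains(value):
                continue
            t = self.clock - self.last_anomaly[attr]
            score += t * model.n / model.r
            self.last_anomaly[attr] = self.clock
        return score


# Constructed training traffic: 8 packets described by two header attributes.
TRAINING = [
    {"ttl": 64, "dport": 80}, {"ttl": 64, "dport": 443}, {"ttl": 128, "dport": 80},
    {"ttl": 64, "dport": 22}, {"ttl": 255, "dport": 25}, {"ttl": 64, "dport": 443},
    {"ttl": 128, "dport": 80}, {"ttl": 64, "dport": 22},
]
# Constructed test traffic: packets 2 and 4 carry values never seen in training.
TEST = [
    {"ttl": 64, "dport": 80}, {"ttl": 1, "dport": 80},
    {"ttl": 64, "dport": 443}, {"ttl": 1, "dport": 31337},
]


def demo() -> list:
    """Train on TRAINING (ttl: r=3, dport: r=4, n=8) and score TEST in order."""
    model = PhadModel(["ttl", "dport"])
    for packet in TRAINING:
        model.train(packet)
    return [model.score(packet) for packet in TEST]


if __name__ == "__main__":
    print(demo())
```

The fourth test packet shows how the time factor works: its ttl was already anomalous two packets earlier, so that attribute contributes 2 · 8/3, while dport has never been anomalous and contributes the full 4 · 8/4. Note that the score rewards rarity of anomalies per attribute, not severity, which is why bursts of unseen values (a scan, for instance) score progressively lower after the first hit.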
9 PHAD resume
Simple algorithm for anomaly scoring:
(+) High performance (ca. 75,000 packets/s)
(+) Easy to implement (ca. 400 lines of C++ code)
(-) Clean training data required
(-) Poor detection rates: 28% on the DARPA 1999 dataset
Packet header features:
(+) Easy to extract
(-) Not useful for detection of real exploits
10 ALAD features
P(src ip | dst ip): a set of client hosts for each host.
P(src ip | dst ip, dst port): a set of client hosts for each service on each host.
P(dst ip, dst port): a set of normal servers on a site (unusual values may be indicative of probes).
P(tcp flags | dst port): usual patterns of TCP connection initiation and closure for each service.
P(keywords | dst port): typical application-level keywords for each service.
11 ALAD algorithm
Detection is carried out at the connection level.
For conditional features, the r/n models are computed for each pre-conditioner (i.e. dst ip, dst port, or a {dst ip, dst port} pair).
For the joint feature, the count r is computed over all pairs of values and divided by the total number of connections.
No feature clustering is performed.
12 ALAD resume
Similar algorithm and the same problems as PHAD.
Limited application-level features slightly improve detection of difficult attacks in the DARPA 1999 dataset.
13-15 PAYL: payload byte sequence analysis
Motivation: detect anomalous packet payloads.
Problem 1: how can one define a normal packet payload?
Problem 2: how can one measure the degree of anomality of a packet payload?
16 PAYL features: raw byte histograms
A byte histogram is an array of size 256 measuring the frequency of all possible byte values in a given packet payload.
Examples: port 22 (SSH), port 25 (SMTP), port 80 (HTTP).
[Figure: byte frequency distributions for the same web server, port 80, for two different packet lengths (one of them 1,460 bytes). The two plots show the variability of the frequency distributions; a single monolithic model cannot represent the distributions accurately.]
Advantages of byte histograms:
Computation of mean and standard deviation.
Computation of a distance between two histograms.
17 PAYL algorithm
Training:
For each observed packet length, compute average byte histograms with standard deviations.
Cluster average models for neighboring packet lengths by merging two histograms if their distance is less than some pre-defined threshold t.
Anomaly detection:
For each new packet p compute its distance from the normal profile $\bar p$ for the corresponding packet length (cluster):
$$s(p) = \sum_{i=1}^{256} \frac{|f_i(p) - \bar f_i(\bar p)|}{\sigma_i(\bar p)}$$
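The training and detection steps just listed, as an added example (not code from the lecture or from the PAYL authors): relative byte histograms per packet length, merging of neighbouring length models whose mean histograms lie within Manhattan distance t of each other, and the per-byte distance $\sum_i |f_i(p) - \bar f_i| / \sigma_i$. Two details are assumptions of this example rather than statements from the slide: a small smoothing constant is added to every $\sigma_i$ so that bytes never seen in training do not divide by zero, and a packet whose exact length was never trained is scored against the model of the nearest trained length. The HTTP requests used for training are constructed.

```python
"""PAYL-style payload anomaly detection: per-length byte histograms,
clustering of neighbouring lengths, and a simplified Mahalanobis distance.
Added example; not code from the lecture or the PAYL authors.
"""
import math
from collections import defaultdict

ALPHA = 0.001  # smoothing added to sigma_i so unseen bytes do not divide by zero (assumption)


def byte_histogram(payload: bytes) -> list:
    """Relative frequency of each of the 256 byte values in one payload."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    total = len(payload) or 1
    return [c / total for c in counts]


class LengthModel:
    """Running mean and standard deviation of byte histograms for one length cluster."""

    def __init__(self):
        self.count = 0
        self.sum = [0.0] * 256
        self.sumsq = [0.0] * 256

    def add(self, hist: list) -> None:
        self.count += 1
        for i, f in enumerate(hist):
            self.sum[i] += f
            self.sumsq[i] += f * f

    def merge(self, other: "LengthModel") -> None:
        """Fold another length's statistics into this cluster."""
        self.count += other.count
        for i in range(256):
            self.sum[i] += other.sum[i]
            self.sumsq[i] += other.sumsq[i]

    def mean(self) -> list:
        return [s / self.count for s in self.sum]

    def std(self) -> list:
        m = self.mean()
        return [math.sqrt(max(q / self.count - mi * mi, 0.0)) for q, mi in zip(self.sumsq, m)]

    def distance(self, payload: bytes) -> float:
        """s(p) = sum_i |f_i(p) - mean_i| / (sigma_i + ALPHA)."""
        f = byte_histogram(payload)
        return sum(abs(fi - mi) / (si + ALPHA) for fi, mi, si in zip(f, self.mean(), self.std()))


def manhattan(a: list, b: list) -> float:
    return sum(abs(x - y) for x, y in zip(a, b))


def train(payloads, threshold: float) -> dict:
    """Map each observed length to its cluster model; neighbours closer than `threshold` share one."""
    per_length = defaultdict(LengthModel)
    for p in payloads:
        per_length[len(p)].add(byte_histogram(p))
    lengths = sorted(per_length)
    clusters = {lengths[0]: per_length[lengths[0]]}
    current = per_length[lengths[0]]
    for length in lengths[1:]:
        candidate = per_length[length]
        if manhattan(current.mean(), candidate.mean()) < threshold:
            current.merge(candidate)          # neighbouring lengths look alike: one model
        else:
            current = candidate               # start a new cluster
        clusters[length] = current
    return clusters


def score(clusters: dict, payload: bytes) -> float:
    """Score against the model of the nearest trained length (assumption for unseen lengths)."""
    nearest = min(clusters, key=lambda length: abs(length - len(payload)))
    return clusters[nearest].distance(payload)


# Constructed attack-free training payloads for a small web server.
TRAINING = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    b"GET /news.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    b"GET /img/a.png HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.org\r\n\r\nuser=bob&pass=x",
]
NORMAL_REQUEST = b"GET /contact.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
REPEATED_BYTES = b"\x90" * 60   # constructed payload of a byte value absent from training


def demo(threshold: float = 0.5) -> tuple:
    """Return (score of a normal request, score of the repeated-byte payload)."""
    clusters = train(TRAINING, threshold)
    return score(clusters, NORMAL_REQUEST), score(clusters, REPEATED_BYTES)


if __name__ == "__main__":
    print(demo())
```

The threshold t decides how coarse the length clustering is: with t = 0 every trained length keeps its own model, while any t above 2 (the largest possible Manhattan distance between two frequency distributions) collapses all lengths into one model, which is exactly the "single monolithic model" the slides warn against.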
18 PAYL resume
Anomaly detection over packet payload byte sequences.
Reasonable accuracy: over 50% detection rate for remote attacks at 1% FP rate.
Simple detection algorithm: computationally efficient.
Drawbacks:
Packet mode operation: evasion problems!
Primitive data structures: only single-byte histograms possible.
Clean training data required.
19-21 MIND: machine learning IDS
Motivation:
Learning from contaminated data.
Improvement of accuracy: good detection at extremely small FP rates is needed!
Incorporation of semantic structure using advanced learning models.
Problem 1: How can one compare packets (connections) in a more structural way than with simple histograms?
Problem 2: How can one learn in the presence of attacks in the training data?
22-23 Learning from clean data
Training: find a smallest enclosing sphere
$$\min_{R,c} R^2 \quad \text{s.t.} \quad \|x_i - c\|^2 \le R^2, \; i = 1, \ldots, M.$$
Detection: compute the distance from the center
$\|x - c\|^2 > R^2$: alarm; $\|x - c\|^2 \le R^2$: normal.
[Figure: sphere with center c and radius R.]
24-26 Learning from contaminated data
Training: soften the constraints using slack variables.
$$\min_{R,c} R^2 + \eta \sum_{i=1}^{M} \xi_i \quad \text{s.t.} \quad \|x_i - c\|^2 \le R^2 + \xi_i, \; i = 1, \ldots, M, \; \xi_i \ge 0$$
The constant η controls the acceptable noise rate in the training data.
Detection: compute the distance from the center.
[Figure: sphere with center c and radius R.]
27-29 Beyond the mathematical abstraction
How do we apply this geometric intuition to network security?
Interesting observation: the only operation on data involved in the learning approach is the computation of similarity between two points: $\|x - c\|$.
If we can compute similarity between a pair of observed network events, any learning algorithm can be plugged in!
30 Embedding of sequences in metric spaces
[Figure: four example sequences (1. blabla blubla blablabu aa; 2. bla blablaa bulab bb abla; 3. a blabla blabla ablub bla; 4. blab blab abba blabla blu) are decomposed into subsequences (features such as blablabu, blablaa, blablu, blabla, bulab, ablub, blab, abla, abba, blu, bla, bb, aa, b, a), turned into histograms of subsequences, and thereby mapped to points in a geometric space.]
31-33 Embedding example
X = abrakadabra, Y = barakobama
Unigram histograms (X | Y | contribution to ⟨X, Y⟩):
a/5 | a/4 | 20
b/2 | b/2 | 4
d/1 | - | -
k/1 | k/1 | 1
- | m/1 | -
- | o/1 | -
r/2 | r/2 | …
⟨X, Y⟩ = 21.5
Bigram histograms (X | Y | contribution to ⟨X, Y⟩):
ab/2 | - | -
ad/1 | - | -
ak/1 | ak/1 | 1
- | am/1 | -
- | ar/1 | -
- | ba/2 | -
br/2 | - | -
da/1 | - | -
ka/1 | - | -
- | ko/1 | -
- | ma/1 | -
- | ob/1 | -
ra/2 | ra/1 | …
⟨X, Y⟩ = 77.5
34 Experimental evaluation of MIND
Data: 3 weeks of HTTP traffic at FIRST (622,734 HTTP requests); 120 attacks generated by Metasploit.
Quality measure: Receiver Operating Characteristic (ROC).
[Figure: ROC curves (true positive rate vs. false positive rate) comparing ReMIND with Snort IDS, and ReMIND with SSAD, Anagram and Tokengram.]
35 MIND resume
Anomaly detection over connection payloads.
Excellent accuracy: over 90% detection with no false alarms.
Learning in the presence of attacks.
Sophisticated data structures.
Drawbacks:
Computationally more involved: efficient data structures and fine-tuning are required.
Delay in detection until completion of TCP connections: incremental processing is needed.
36 Lessons learned
Modern anomaly detection methods can achieve detection accuracy superior to signature-based IDS with low false alarm rates.
Anomaly detection methods must be equipped for learning from contaminated data (or be able to clean the data automatically).
Efficient data structures for feature extraction are the key to the success of anomaly detection.
37 Recommended reading
M. Mahoney and P. Chan. Learning nonstationary models of normal network traffic for detecting novel attacks. In Proc. of ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD), pages …, ….
M. Mahoney and P. Chan. Learning rules for anomaly detection of hostile network traffic. In Proc. of International Conference on Data Mining (ICDM), ….
K. Rieck and P. Laskov. Language models for detection of unknown attacks in network traffic. Journal in Computer Virology, 2(4):…, ….
K. Wang and S. Stolfo. Anomalous payload-based network intrusion detection. In Recent Advances in Intrusion Detection (RAID), pages …, 2004.
Art Munson Rich Caruana Department of Computer Science, Cornell University, Ithaca, NY 4853 USA mmunson@cs.cornell.edu caruana@cs.cornell.edu Abstract Cluster ensembles aim to find better, more natural
More informationStager. A Web Based Application for Presenting Network Statistics. Arne Øslebø
Stager A Web Based Application for Presenting Network Statistics Arne Øslebø Keywords: Network monitoring, web application, NetFlow, network statistics Abstract Stager is a web based
More informationA Network Intrusion Detection System Architecture Based on Snort and. Computational Intelligence
2nd International Conference on Electronics, Network and Computer Engineering (ICENCE 206) A Network Intrusion Detection System Architecture Based on Snort and Computational Intelligence Tao Liu, a, Da
More informationliberate, (n): A library for exposing (traffic-classification) rules and avoiding them efficiently
liberate, (n): A library for exposing (traffic-classification) rules and avoiding them efficiently Fangfan Li, Abbas Razaghpanah, Arash Molavi Kakhki, Arian Akhavan Niaki, David Choffnes, Phillipa Gill,
More informationAnomaly Detection. You Chen
Anomaly Detection You Chen 1 Two questions: (1) What is Anomaly Detection? (2) What are Anomalies? Anomaly detection refers to the problem of finding patterns in data that do not conform to expected behavior
More informationQuadratic Route Factor Estimation Technique for Routing Attack Detection in Wireless Adhoc Networks
European Journal of Applied Sciences 8 (1): 41-46, 2016 ISSN 2079-2077 IDOSI Publications, 2016 DOI: 10.5829/idosi.ejas.2016.8.1.22852 Quadratic Route Factor Estimation Technique for Routing Attack Detection
More informationcs144 Midterm Review Fall 2010
cs144 Midterm Review Fall 2010 Administrivia Lab 3 in flight. Due: Thursday, Oct 28 Midterm is this Thursday, Oct 21 (during class) Remember Grading Policy: - Exam grade = max (final, (final + midterm)/2)
More informationGraph-based Detection of Anomalous Network Traffic
Graph-based Detection of Anomalous Network Traffic Do Quoc Le Supervisor: Prof. James Won-Ki Hong Distributed Processing & Network Management Lab Division of IT Convergence Engineering POSTECH, Korea lequocdo@postech.ac.kr
More informationIntrusion Detection Systems
Intrusion Detection Systems Dr. Ahmad Almulhem Computer Engineering Department, KFUPM Spring 2008 Ahmad Almulhem - Network Security Engineering - 2008 1 / 15 Outline 1 Introduction Overview History 2 Types
More informationDetecting Credential Spearphishing Attacks in Enterprise Settings
Detecting Credential Spearphishing Attacks in Enterprise Settings Grant Ho UC Berkeley Aashish Sharma, Mobin Javed, Vern Paxson, David Wagner 1 Spear Phishing Targeted email that tricks victim into giving
More informationManaging Latency in IPS Networks
Revision C McAfee Network Security Platform (Managing Latency in IPS Networks) Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended settings
More informationIPv6 is Internet protocol version 6. Following are its distinctive features as compared to IPv4. Header format simplification Expanded routing and
INTERNET PROTOCOL VERSION 6 (IPv6) Introduction IPv6 is Internet protocol version 6. Following are its distinctive features as compared to IPv4. Header format simplification Expanded routing and addressing
More informationData Mining for Improving Intrusion Detection
Data Mining for Improving Intrusion Detection presented by: Dr. Eric Bloedorn Team members: Bill Hill (PI) Dr. Alan Christiansen, Dr. Clem Skorupka, Dr. Lisa Talbot, Jonathan Tivel 12/6/00 Overview Background
More informationTraffic Classification Using Visual Motifs: An Empirical Evaluation
Traffic Classification Using Visual Motifs: An Empirical Evaluation Wilson Lian 1 Fabian Monrose 1 John McHugh 1,2 1 University of North Carolina at Chapel Hill 2 RedJack, LLC VizSec 2010 Overview Background
More informationE : Internet Routing
E6998-02: Internet Routing Lecture 18 Overlay Networks John Ioannidis AT&T Labs Research ji+ir@cs.columbia.edu Copyright 2002 by John Ioannidis. All Rights Reserved. Announcements Lectures 1-18 are available.
More informationEC441 Fall 2018 Introduction to Computer Networking Chapter4: Network Layer Data Plane
EC441 Fall 2018 Introduction to Computer Networking Chapter4: Network Layer Data Plane This presentation is adapted from slides produced by Jim Kurose and Keith Ross for their book, Computer Networking:
More informationModule : ServerIron ADX Packet Capture
Module : ServerIron ADX Packet Capture Objectives Upon completion of this module, you will be able to: Describe Brocade ServerIron ADX (ADX) Packet Capture feature Configure and verify the Packet Capture
More informationIntroduction to Internetworking
Introduction to Internetworking Stefano Vissicchio UCL Computer Science COMP0023 Internetworking Goal: Connect many networks together into one Internet. Any computer can send to any other computer on any
More informationEE 122: Transport Protocols. Kevin Lai October 16, 2002
EE 122: Transport Protocols Kevin Lai October 16, 2002 Motivation IP provides a weak, but efficient service model (best-effort) - packets can be delayed, dropped, reordered, duplicated - packets have limited
More informationNetwork Layer: Internet Protocol
Network Layer: Internet Protocol Motivation Heterogeneity Scale Intering IP is the glue that connects heterogeneous s giving the illusion of a homogenous one. Salient Features Each host is identified by
More information