Network Security. Chapter 18 Attack Detection and Prevention. Dr.-Ing. Falko Dressler
1 Network Security, Chapter 18: Attack Detection and Prevention
Dr.-Ing. Falko Dressler, Computer Networks and Communication Systems, Department of Computer Sciences, University of Erlangen-Nürnberg
Network Security, WS 2004/
2 Network Security, Chapter 18: Attack Detection and Prevention (outline)
- Attack Overview, Taxonomy, and Examples
- Attack Detection
  - Principles of Intrusion Detection Systems
  - Knowledge-based detection
  - Anomaly detection
  - Distributed attack detection
- Attack Prevention

3 Introduction
- Definition: Intrusion. An intrusion is unauthorized access to and/or activity in an information system.
- Definition: Intrusion Detection. The process of identifying that an intrusion has been attempted, is occurring or has occurred.
- Source: National Security Telecommunications Advisory Committee (NSTAC), Intrusion Detection Subgroup

4 Introduction (2)
- Intrusion Detection
  - Attack / invasion detection: tries to detect unauthorized access by outsiders
  - Misuse detection: tries to detect misuse by insiders, e.g. users that try to access services on the Internet by bypassing security directives
  - Anomaly detection: tries to detect abnormal states within a network, e.g. the sudden appearance of never-used protocols, or a large number of unsuccessful login attempts
- Intrusion Prevention
  - An IPS adds further functionality to an IDS. After detecting a possible attack, the IPS tries to prevent the ongoing attack, e.g. by closing network connections or reconfiguring firewalls

5 Introduction (3): Why Intrusion Detection?
- Common question: Why do I need intrusion detection? I've got a great firewall!
  - A firewall blocks all unwanted network traffic, but allows traffic to the services offered
  - A firewall usually does not detect any attacks on the offered services
  - A firewall does not detect any attacks from the inside
  - Firewalls can be bypassed by connections opened from the inside, e.g. from a notebook infected by a Trojan or a botnet client
- => Such activity can be detected by intrusion detection systems

6 Introduction (4): Attack Sophistication vs. Intruder Knowledge (figure)
7 Attack Overview
- What makes DDoS attacks possible?
  - End-to-end paradigm
  - Best-effort packet forwarding service
  - Resources are limited; intelligence and resources are not collocated
  - Accountability is not enforced
  - Control is distributed
- How are DDoS attacks performed?
  - Recruit/exploit/infect strategy
- Why do people perpetrate DDoS attacks?
  - To inflict damage on the victim
  - Personal reasons, prestige, political reasons, sabotage/espionage

8 Attack Taxonomy (figure). Source: [Mirkovic2004]

9 Attack Strategy
- Scan for vulnerabilities
  - Detection of vulnerable hosts and applications
- Compromising hosts
  - Manual hacking
  - Viruses, Trojans, worms
- Distributed denial-of-service attack
  - Bandwidth depletion
  - Resource depletion

10 Port Scan
- Background
  - Identification of vulnerable systems / applications
  - Automated distribution of worms
- Scan types
  - Vertical scan: sequential or random scan of multiple (5 or more) ports of a single IP address from the same source during a one-hour period
  - Horizontal scan: scan of several machines (5 or more) in a subnet at the same target port from the same source during a one-hour period
  - Coordinated scan: scans from multiple sources (5 or more) aimed at a particular port of destinations in the same /24 subnet within a one-hour window; also called distributed scan
  - Stealth scan: horizontal or vertical scans initiated with a very low frequency to avoid detection
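The four scan definitions above can be turned directly into a detector. The following is an added example, not code from the slides: it classifies constructed probe records (timestamp, source, destination, port) as vertical, horizontal or coordinated scans using the slide's thresholds (5 or more, one-hour window), and shows why a stealth scan spread over more than an hour slips through. The `Probe` record and all sample addresses are constructed for the demo.

```python
from collections import defaultdict
from ipaddress import ip_network
from typing import NamedTuple

WINDOW = 3600      # one-hour period from the slide's definitions, in seconds
THRESHOLD = 5      # "5 or more" ports, hosts or sources


class Probe(NamedTuple):
    ts: float       # seconds since start of the capture
    src: str        # scanning source address
    dst: str        # probed destination address
    dport: int      # probed destination port


def subnet24(ip):
    """The /24 an address belongs to, e.g. 192.0.2.10 -> 192.0.2.0/24."""
    return str(ip_network(f"{ip}/24", strict=False))


def window_reaches(events):
    """events: (ts, item) pairs. True if some one-hour window holds THRESHOLD
    or more distinct items (ports, hosts or sources, depending on the caller)."""
    events = sorted(events)
    counts = defaultdict(int)     # distinct items inside the current window
    start = 0
    for ts, item in events:
        counts[item] += 1
        while ts - events[start][0] > WINDOW:   # slide the window forward
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        if len(counts) >= THRESHOLD:
            return True
    return False


def classify_scans(probes):
    """Return (kind, src, target, dport) tuples for every vertical, horizontal
    and coordinated scan in the probe list. A stealth scan that spreads its
    probes over more than an hour never fills a window and produces nothing."""
    vertical = defaultdict(list)      # (src, dst)        -> (ts, dport)
    horizontal = defaultdict(list)    # (src, /24, dport) -> (ts, dst)
    coordinated = defaultdict(list)   # (/24, dport)      -> (ts, src)
    for p in probes:
        net = subnet24(p.dst)
        vertical[(p.src, p.dst)].append((p.ts, p.dport))
        horizontal[(p.src, net, p.dport)].append((p.ts, p.dst))
        coordinated[(net, p.dport)].append((p.ts, p.src))
    alerts = []
    for (src, dst), ev in vertical.items():
        if window_reaches(ev):
            alerts.append(("vertical", src, dst, None))
    for (src, net, dport), ev in horizontal.items():
        if window_reaches(ev):
            alerts.append(("horizontal", src, net, dport))
    for (net, dport), ev in coordinated.items():
        if window_reaches(ev):
            alerts.append(("coordinated", None, net, dport))
    return sorted(alerts, key=str)


# Constructed probe log: one scan of each type plus a stealth scan.
SAMPLE_PROBES = (
    # vertical: one source, one target, five ports within five minutes
    [Probe(60 * i, "10.0.0.5", "192.0.2.10", port)
     for i, port in enumerate([21, 22, 23, 25, 80])]
    # horizontal: one source, five hosts of 192.0.2.0/24, same port
    + [Probe(1000 + 120 * i, "10.0.0.6", f"192.0.2.{i + 1}", 445) for i in range(5)]
    # coordinated: five sources, same port, targets in the same /24
    + [Probe(2000 + 30 * i, f"203.0.113.{i + 1}", f"192.0.2.{20 + i % 2}", 3306)
       for i in range(5)]
    # stealth: five ports, but two hours apart, so never five in one hour
    + [Probe(7200 * i, "10.0.0.7", "192.0.2.30", port)
       for i, port in enumerate([21, 22, 23, 25, 80])]
)

if __name__ == "__main__":
    for alert in classify_scans(SAMPLE_PROBES):
        print(alert)
```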
11 Port Scan (2)
- Scan characteristics
  - Port distribution
  - Source distribution
- Figures: scan rates for the top 10 destination port categories between May-July, and the distribution of coordinated, horizontal and vertical scans for the month of June, 2002. Source: [Yegneswaran2003]

12 Distributed Denial-of-Service Attacks
- Categories: bandwidth depletion, resource depletion
- Flood
  - UDP flood
  - ICMP flood
- Amplification (i.e. using a reflector network)
  - Smurf (ICMP echo request)
  - Fraggle (UDP echo, e.g. chargen)
- Protocol exploit
  - TCP SYN
  - PUSH+ACK (PUSH to unload the TCP buffer + ACK to overflow a receiver)
- Malformed packet attacks
  - Use of incorrectly formatted IP packets to crash the victim system
- Sleep deprivation
  - Rendering a pervasive computing device inoperable by draining its battery

13 Distributed Denial-of-Service Attacks (2): figure, mostly ICMP traffic. Source: [Moore2001]

14 History of Intrusion Detection
- 1980 James Anderson: Computer Security Threat Monitoring and Surveillance
- 1983 Dorothy Denning (SRI International): analysis of audit trails from government mainframe computers
- 1984 Dorothy Denning: Intrusion Detection Expert System (IDES)
- 1988 Lawrence Livermore Laboratories: Haystack project
- 1990 Heberlein: A Network Security Monitor (NSM)
- 1994 Wheel Group: first commercial NIDS (NetRanger)
- 1997 ISS: RealSecure
- ... boom of intrusion detection systems
15 Intrusion Detection
- Data collection issues
  - Reliable and complete data
  - Collection is expensive; collecting the right information is important
- Detection techniques
  - Misuse detection (also called signature-based or knowledge-based detection)
  - Anomaly detection
- Response
  - Counteracting an attack
- Evaluation
  - System effectiveness, performance, network-wide analysis
  - False-positive rate
  - False-negative rate

16 Classification of Attack Detection
- Four dimensions (figure): host based, network based, knowledge based, anomaly detection

17 Classification of Attack Detection (2)
- Host Intrusion Detection Systems (HIDS)
  - Work on information available on a system, e.g. OS logs, application logs, timestamps
  - Can easily detect attacks by insiders, such as modification of files, illegal access to files, installation of Trojans or rootkits
  - Problems: has to be installed on every system, produces lots of information, often no real-time analysis but predefined time intervals, hard to manage a huge number of systems
- Network Intrusion Detection Systems (NIDS)
  - Work on information provided by the network, mainly packets sniffed from the network layer
  - Use signature detection (stateful), protocol decoding, statistical anomaly analysis, heuristic analysis
  - Detect: DoS with buffer overflow attacks, invalid packets, attacks on the application layer, DDoS, spoofing attacks, port scans
  - Often used on network hubs to monitor a segment of the network

18 Placement of a Network Intrusion Detection System (figure)
- Internet side: monitors all incoming traffic; high load; high rate of false alarms
- DMZ: monitors all traffic to and from systems in the DMZ; reduced amount of data; can only detect intrusions on these computers
- Corporate LAN: monitors all traffic within the corporate LAN; possible detection of misuse by insiders; possible detection of intrusion via mobile machines (notebooks, ...)
19 Knowledge-based Detection
- Based on signatures or patterns of well-known attacks
- Working principles
  - Scan for attacks using well-known vulnerabilities, e.g. patterns to attack IIS web servers or MSSQL databases
  - Scan for pre-defined numbers of ICMP, TCP SYN, etc. packets
  - Patterns can be specified at each protocol level: network protocol (e.g. IP, ICMP), transport protocol (e.g. TCP, UDP), application protocol (e.g. HTTP, SMTP)
- Pros: fast, requires little state information, low false-positive rate
- Cons: recognizes only known attacks
- Examples: Snort, Bro

20 Snort
- Open source; support for Windows, UNIX, Linux, ...
- Rule-based intrusion detection
  - Ruleset can be edited individually
  - Huge number of predefined rules
  - Daily community rules update
- Reporting into: log files, log server, database
- Different formats for captured data supported: libpcap, ...
- Supports packet de-fragmentation, protocol decoding, state inspection
- Possible reactions: TCP reset, ICMP unreachable, configuration of firewalls, alerting via pager, SMS, ... (plugins)
- Graphical tools for administration and analysis are available

21 Snort (2)
- Mainly signature based; each intrusion needs a predefined rule, e.g.:
    alert tcp $HOME_NET any -> any 9996 \
      (msg:"sasser ftp script to transfer up.exe"; \
      content:"|5F 75 70 2E|"; depth:250; flags:A+; classtype:misc-activity; \
      sid: ; rev:3)
- Three-step processing of captured information (capturing is done by libpcap):
  - Preprocessing (normalized and reassembled packets)
  - The detection engine works on the data and decides what action should be taken
  - The action is taken (log, alert, pass)
- Modular structure allows many parts to be replaced: preprocessor, detection and action modules

22 Snort (3): Snort-Inline, Snort as IPS
- iptables inserts packets into a queue
- Snort receives the packets from the queue; if packets are not received, they are dropped
- Preprocessing of data (normalization, reassembly, ...)
- The scan engine performs string detection on the data delivered by the preprocessor
  - Possible algorithms: Wu-Manber, Boyer-Moore, Aho-Corasick
- After detecting an intrusion the corresponding action is taken
  - Snort-Inline can make the packet filter drop packets, close connections, ...
  - It also reconfigures (commercial) firewalls
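To show what the scan engine on slide 22 does with rules like the one on slide 21, here is an added example (not Snort's code): a small Aho-Corasick matcher that finds every content pattern in one pass over a payload, plus a layer that applies the rule's `depth` semantics, i.e. the content must end within the first N payload bytes. The signature list and payloads are constructed; the hex content `|5F 75 70 2E|` from the slide's rule is the ASCII string "_up.".

```python
from collections import deque


class AhoCorasick:
    """Multi-pattern byte matcher: one pass over the payload finds every
    occurrence of every pattern, which is why IDS scan engines use it."""

    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.goto = [{}]        # per state: next byte -> state
        self.fail = [0]         # per state: longest proper suffix that is a prefix
        self.out = [[]]         # per state: indices of patterns ending here
        for idx, pat in enumerate(self.patterns):
            state = 0
            for b in pat:
                if b not in self.goto[state]:
                    self.goto[state][b] = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                state = self.goto[state][b]
            self.out[state].append(idx)
        # breadth-first pass computes failure links and merges outputs
        queue = deque(self.goto[0].values())
        while queue:
            state = queue.popleft()
            for b, nxt in self.goto[state].items():
                queue.append(nxt)
                f = self.fail[state]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(b, 0)
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]

    def search(self, data):
        """Return (pattern index, start, end) for every match, end exclusive."""
        state = 0
        hits = []
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for idx in self.out[state]:
                hits.append((idx, i + 1 - len(self.patterns[idx]), i + 1))
        return hits


# Constructed signatures: (name, content bytes, depth). depth None = whole payload.
SIGNATURES = [
    ("sasser ftp script to transfer up.exe", bytes.fromhex("5F75702E"), 250),
    ("cmd.exe in payload (constructed)", b"cmd.exe", None),
]

ENGINE = AhoCorasick(sig[1] for sig in SIGNATURES)


def scan_payload(payload, engine=ENGINE, signatures=SIGNATURES):
    """Names of the signatures whose content occurs within their depth limit."""
    fired = set()
    for idx, _start, end in engine.search(payload):
        name, _content, depth = signatures[idx]
        if depth is None or end <= depth:     # Snort depth: match must end inside the first N bytes
            fired.add(name)
    return sorted(fired)


# Constructed payloads: a file transfer of 1_up.exe, the same string pushed
# past the 250-byte depth, and one payload that hits both signatures.
SAMPLE_PAYLOADS = {
    "transfer": b"bin\r\nget 1_up.exe\r\nbye\r\n",
    "past_depth": b"A" * 300 + b"_up.",
    "both": b"cmd.exe /c type 2_up.exe",
}

if __name__ == "__main__":
    for label, payload in SAMPLE_PAYLOADS.items():
        print(label, scan_payload(payload))
```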
23 Bro
- Open source; available for Unix and Linux
- Signature-based intrusion detection (can work with Snort rules)
  - Signatures can be edited individually
  - Huge number of predefined signatures
- Reporting: into log files, log hosts, via ...
- Saves captured data into libpcap-compatible files
- Supports packet de-fragmentation, protocol decoding, state inspection
- Reaction possibilities: connection reset, reconfiguration of firewalls
- No graphical administration or analysis tools available

24 Bro (2)
- Bro uses several steps to process data; the amount of data is reduced by every step, and the less data has to be processed, the more sophisticated the actions that can be taken
- libpcap is used to capture data from the network
- A packet filter removes all packets that are not to be examined
- The event engine does some first examinations and passes events to the next level
  - An event is created if, e.g., a header check failed, ...
  - Packet de-fragmentation is done on this level
- The signature engine is used to define recurring events
- The policy engine analyses the network traffic and processes all events created by the event engine

25 Bro (3)
- The event layer only knows that something has happened, not what
- Bro signatures make use of regular expressions to also detect variations of a certain intrusion
- Example of a Bro signature to detect variations of the formmail shell command exploit:
    signature formmail-cve {
      ip-proto == tcp
      dst-ip == /16
      dst-port == 80
      http /.*formmail.*\?.*recipient=[^&]*[;|]/
      event "formmail shell command"
    }
- Bro uses a scripting language specially designed to facilitate network traffic analysis and to detect anomalies; due to its high flexibility (implicit typing, ...) it is very powerful
26 Anomaly Detection
- Based on the analysis of long-term and short-term traffic behavior
- Working principles: scan for anomalies in traffic behavior, protocol behavior, application behavior
- Pros: recognizes unknown attacks as well
- Cons: false-positive rate might be high
- Examples: PHAD/ALAD, EMERALD

27 Anomaly Detection (2): generic anomaly detection system (figure). Source: [Estevez-Tapiador2004]

28 Anomaly Detection (3): figure. Source: [Estevez-Tapiador2004]

29 Anomaly Detection (4): classification criteria (figure). Source: [Estevez-Tapiador2004]

30 PHAD
- Packet Header Anomaly Detection (PHAD) [Mahoney2001]
- Protocol analysis: learns normal ranges of values for each header field (link, network, transport layer)
- Field score: score_field = t * n / r, where
  - t: time since the previous anomaly
  - n: number of observations
  - r: number of distinct values
- Learning phase + detection phase
31 ALAD
- Application Layer Anomaly Detection (ALAD) [Mahoney2002], an extension to PHAD
- Five models:
  1. P(src IP | dest IP): learns the normal set of clients for each host, i.e. the set of clients allowed on a restricted service
  2. P(src IP | dest IP, dest port): like (1), but one model for each server on each host
  3. P(dest IP, dest port): learns the set of local servers which normally receive requests
  4. P(TCP flags | dest port): learns the set of TCP flags for all packets of a particular connection
  5. P(keyword | dest port): examines the text in the incoming request (first 1000 bytes)

32 EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances [Porras1997] (figure)

33 CATS
- Cooperating Autonomous Detection Systems (CATS) [Dressler2004] (figure)
- Legend: P = monitoring probe; CATS = autonomous detection system; probes deliver monitoring data, and CATS instances exchange monitoring data and alert information; the figure shows attackers, probes, CATS instances and the victim

34 CATS (2): Concept and benefits of CATS
- Separation of monitoring and detection
- Utilization of a distributed monitoring environment
- Deployment of multiple independently working autonomous detection systems
- Self-X properties of the detection systems
- Improved detection performance through cooperation between multiple detection systems
- Combination of knowledge-based and anomaly detection techniques using both local and global context information
- Export of packet data and flow statistics utilizing standardized protocols, e.g. IPFIX and PSAMP

35 CATS (3): architecture (figure)
- Packet monitoring & sampling: raw packet data -> PSAMP data, IPFIX data
- Statistical measures: bit rate, packet rate, number of connections, ...; gathered per aggregate or single flow
- Anomaly detection: looking for unusual behavior without any precognition; comparing long-time behavior to short-time behavior; maintaining different profiles (per destination, aggregate, ...). Potential techniques: statistical tests, neural networks, Bayes networks
- Knowledge-based detection: looking for known signatures and misbehavior. Potential tools: Snort & plugins, Bro
- Both detection components produce events & characterization
36 Defense Taxonomy (figure). Source: [Mirkovic2004]

37 Defense Challenges
- Need for a distributed response at many points on the Internet
  - Coordinated response is necessary for successful countermeasures
- Economic and social factors
  - Deployment of response systems at parties that do not suffer direct damage from the DDoS attack
- Lack of detailed information
  - Thorough understanding of attacks is required
- Lack of defense system benchmarks
- Difficulty of large-scale testing

38 Attack Prevention / Counteracting
- Anti-spoof mechanisms
  - Filtering of forged packets
  - Cryptographic authentication
  - Traceback
- Counteracting DDoS attacks
  - Counteracting TCP SYN flood
  - Distributed firewalling
  - Congestion control

39 Anti-Spoof Mechanisms
- Filtering of forged packets
  - Ingress filtering: implementation of anti-spoof ACLs based on (static/dynamic) knowledge about one's own IP address range
  - RPF: reverse path forwarding, known from multicast routing; fails for dynamic load balancing
  - SAVE: Source Address Validity Enforcement protocol [Li2002]; associates interfaces with valid source address ranges; also useful for the RPF check, e.g. for multicast routing
- Cryptographic authentication
  - IPsec authentication; problem: key management
- Traceback
  - Real-time / forensic methods
  - Most promising solution!

40 TCP SYN Flood
- >90% of DDoS attacks use TCP [Moore2001]
- Several defense mechanisms
  - SYN cache, SYN cookies, SynDefender, SYN proxying: stateful, have to be installed at the victim's firewall, rely on traceback
  - Flooding detection system (FDS) [Wang2002]: stateless, low computation overhead; relies on SYN-FIN/RST pairs; uses the CUSUM (cumulative sum) algorithm
  - Automated model approach [Tupakula2004]: controller-agent model; if #SYN - #ACK > limit, the agent sends an alarm to the controller; the central controller verifies alarm signatures and issues countermeasures; basic idea: detection, source identification, firewall configuration
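The FDS idea on slide 40 (stateless counting of SYN versus FIN/RST per interval, fed into a CUSUM) as an added example; it is not the code or the exact parameters from [Wang2002]. The per-interval difference is normalized by a moving average of the FIN/RST count, a drift a is subtracted so the statistic has negative mean in normal traffic, and an alarm is raised once the accumulated sum exceeds the threshold N. The flag bits are standard TCP; the parameter values, the packet records and the interval counts are constructed for the demo.

```python
SYN, FIN, RST, ACK = 0x02, 0x01, 0x04, 0x10   # TCP flag bits


def bucket_counts(packets, interval):
    """Stateless per-interval counts from (ts, flags) records: pure SYNs
    (connection requests) versus FIN/RST (connection ends). No per-connection state."""
    if not packets:
        return []
    last = max(ts for ts, _ in packets)
    buckets = [[0, 0] for _ in range(int(last // interval) + 1)]
    for ts, flags in packets:
        slot = buckets[int(ts // interval)]
        if flags & SYN and not flags & ACK:       # client SYN, not the SYN/ACK reply
            slot[0] += 1
        elif flags & (FIN | RST):                 # pair-closing segment
            slot[1] += 1
    return [tuple(b) for b in buckets]


class SynFloodDetector:
    """Non-parametric CUSUM over the normalized SYN-FIN difference.
    drift (a), threshold (N) and alpha are constructed demo values."""

    def __init__(self, drift=1.0, threshold=3.5, alpha=0.1):
        self.drift = drift            # a: upper bound on the normal mean, so x - a < 0 in normal traffic
        self.threshold = threshold    # N: alarm once the accumulated sum exceeds it
        self.alpha = alpha            # weight of the moving average of FIN/RST counts
        self.fin_avg = None
        self.cusum = 0.0

    def observe(self, syn, fin_rst):
        """Feed one interval's counts; returns True while the alarm is raised."""
        if self.fin_avg is None:
            self.fin_avg = float(fin_rst)
        # normalizing by the FIN baseline makes the statistic independent of link size
        x = (syn - fin_rst) / max(self.fin_avg, 1.0)
        self.fin_avg = self.alpha * fin_rst + (1 - self.alpha) * self.fin_avg
        self.cusum = max(0.0, self.cusum + x - self.drift)   # sum never goes negative
        return self.cusum > self.threshold


def run_detector(intervals, **params):
    """Indices of the intervals at which the alarm is raised."""
    det = SynFloodDetector(**params)
    return [i for i, (syn, fin) in enumerate(intervals) if det.observe(syn, fin)]


# Constructed per-interval counts: 8 normal intervals (every SYN matched by a
# FIN/RST), 4 flood intervals with three SYNs per FIN, then 4 intervals of recovery.
SAMPLE_INTERVALS = [(100, 100)] * 8 + [(300, 100)] * 4 + [(100, 100)] * 4

if __name__ == "__main__":
    print("alarm at intervals:", run_detector(SAMPLE_INTERVALS))
```

The alarm fires at the fourth flood interval rather than the first: the sum accumulates 1.0 per interval (x = 2, minus the drift), so brief bursts are absorbed while a sustained flood is reported.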
41 DDoS Defense
- Secure Collective Defense System (SCOLD) [Chow2004]
  - Key idea: provide clients with alternate routes via proxies
  - Main techniques: indirect route and secure DNS updates

42 Congestion Control
- Handling congestion leads to indirect detection of and recovery from DDoS attacks
- Push-forward mechanism [Krishnamoorthy2004]
  - Once an access router identifies potential attack traffic, it alerts the downstream router using a push-forward message
  - On-path mechanism
  - Architecture: collection module, statistics module, drop module, push-forward message generation module
43 References
[Dressler2004] F. Dressler, G. Münz, and G. Carle, "CATS - Cooperating Autonomous Detection Systems," Proceedings of the 1st IFIP TC6 WG6.6 International Workshop on Autonomic Communication (WAC 2004), Berlin, Germany, October.
[Estevez-Tapiador2004] J. M. Estevez-Tapiador, P. Garcia-Teodoro, and J. E. Diaz-Verdejo, "Anomaly detection methods in wired networks: a survey and taxonomy," Computer Communications, vol. 27, July 2004, pp.
[Hussain2003] A. Hussain, J. Heidemann, and C. Papadopoulos, "A Framework for Classifying Denial of Service Attacks," Proceedings of the ACM SIGCOMM Conference, Karlsruhe, Germany, August 2003, pp.
[Kemmerer2002] R. Kemmerer and G. Vigna, "Intrusion Detection: A Brief History and Overview," IEEE Computer, Special Issue on Security and Privacy, April 2002, pp.
[Krishnamoorthy2004] S. Krishnamoorthy and P. Dasgupta, "Tackling Congestion to Address Distributed Denial of Service: A Push-Forward Mechanism," Proceedings of IEEE Globecom 2004, Dallas, TX, USA, December.
[Lee2004] R. B. Lee, "Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures," Princeton University, Technical Report.
[Li2002] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, "SAVE: Source Address Validity Enforcement Protocol," Proceedings of IEEE Infocom 2002, New York, USA, June.
[Mahoney2001] M. V. Mahoney and P. K. Chan, "PHAD: Packet Header Anomaly Detection for Identifying Hostile Network Traffic," Florida Tech., Technical Report CS.
[Mahoney2002] M. V. Mahoney and P. K. Chan, "Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks," Proceedings of the 8th ACM International Conference on Knowledge Discovery and Data Mining, 2002, pp.
[Mahoney2003] M. V. Mahoney, "A Machine Learning Approach to Detecting Attacks by Identifying Anomalies in Network Traffic," Ph.D. Thesis, Florida Tech.

44 References (2)
[Martin2004] T. Martin, M. Hsiao, D. Ha, and J. Krishnaswami, "Denial-of-Service Attacks on Battery-powered Mobile Computers," Proceedings of the Second IEEE International Conference on Pervasive Computing and Communications (PerCom'04), Orlando, Florida, March.
[Mirkovic2004] J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM SIGCOMM Computer Communication Review, vol. 34, April 2004, pp.
[Moore2001] D. Moore, G. M. Voelker, and S. Savage, "Inferring Internet Denial-of-Service Activity," Proceedings of the USENIX Security Symposium, Washington, DC, August.
[Paxson1999] V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," Computer Networks, vol. 31, December 1999, pp.
[Porras1997] P. A. Porras and P. G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances," Proceedings of the National Information Systems Security Conference, October.
[Roesch1999] M. Roesch, "Snort: Lightweight Intrusion Detection for Networks," Proceedings of the 13th USENIX Conference on System Administration, 1999, pp.
[Tupakula2004] U. K. Tupakula, V. Varadharajan, and A. K. Gajam, "Counteracting TCP SYN DDoS Attacks using Automated Model," Proceedings of IEEE Globecom 2004, Dallas, TX, USA, December.
[Wang2002] H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN Flooding Attacks," Proceedings of IEEE INFOCOM 2002.
[Yegneswaran2003] V. Yegneswaran, P. Barford, and J. Ullrich, "Internet Intrusions: Global Characteristics and Prevalence," Proceedings of ACM SIGMETRICS, June.
Denial of Service (DoS) Attack Detection by Using Fuzzy Logic over Network Flows S. Farzaneh Tabatabaei 1, Mazleena Salleh 2, MohammadReza Abbasy 3 and MohammadReza NajafTorkaman 4 Faculty of Computer
More informationInternational Journal of Scientific & Engineering Research, Volume 7, Issue 12, December ISSN
International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December-2016 360 A Review: Denial of Service and Distributed Denial of Service attack Sandeep Kaur Department of Computer
More informationDenial of Service. Serguei A. Mokhov SOEN321 - Fall 2004
Denial of Service Serguei A. Mokhov SOEN321 - Fall 2004 Contents DOS overview Distributed DOS Defending against DDOS egress filtering References Goal of an Attacker Reduce of an availability of a system
More informationCSCI 454/554 Computer and Network Security. Topic 8.4 Firewalls and Intrusion Detection Systems (IDS)
CSCI 454/554 Computer and Network Security Topic 8.4 Firewalls and Intrusion Detection Systems (IDS) Outline Firewalls Filtering firewalls Proxy firewalls Intrusion Detection System (IDS) Rule-based IDS
More informationMaster Course Computer Networks IN2097
Chair for Network Architectures and Services Prof. Carle Department for Computer Science TU München Master Course Computer Networks IN2097 Prof. Dr.-Ing. Georg Carle Christian Grothoff, Ph.D. Dr. Nils
More informationAn Efficient and Practical Defense Method Against DDoS Attack at the Source-End
An Efficient and Practical Defense Method Against DDoS Attack at the Source-End Yanxiang He Wei Chen Bin Xiao Wenling Peng Computer School, The State Key Lab of Software Engineering Wuhan University, Wuhan
More information2. INTRUDER DETECTION SYSTEMS
1. INTRODUCTION It is apparent that information technology is the backbone of many organizations, small or big. Since they depend on information technology to drive their business forward, issues regarding
More informationIntrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks
Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks So we are proposing a network intrusion detection system (IDS) which uses a Keywords: DDoS (Distributed Denial
More informationOutline. Internet Security Mechanisms. Basic Terms. Example Attacks
Outline AIT 682: Network and Systems Security Topic 8.4 Firewalls and Intrusion Detection Systems (IDS) Firewalls Filtering firewalls Proxy firewalls Intrusion Detection System (IDS) Rule-based IDS Anomaly
More informationAIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 8.4 Firewalls and Intrusion Detection Systems (IDS) Instructor: Dr. Kun Sun Firewalls Filtering firewalls Proxy firewalls Outline Intrusion Detection System
More informationIntrusion Detection System
Intrusion Detection System Marmagna Desai March 12, 2004 Abstract This report is meant to understand the need, architecture and approaches adopted for building Intrusion Detection System. In recent years
More informationNISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks
NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks Background This NISCC technical note is intended to provide information to enable organisations in the UK s Critical
More informationDenial of Service (DoS)
Flood Denial of Service (DoS) Comp Sci 3600 Security Outline Flood 1 2 3 4 5 Flood 6 7 8 Denial-of-Service (DoS) Attack Flood The NIST Computer Security Incident Handling Guide defines a DoS attack as:
More informationH3C SecPath Series High-End Firewalls
H3C SecPath Series High-End Firewalls Attack Protection Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SECPATHF1000SAI&F1000AEI&F1000ESI-CMW520-R3721 SECPATH5000FA-CMW520-F3210
More informationDDoS Attacks Detection Using GA based Optimized Traffic Matrix
2011 Fifth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing DDoS Attacks Detection Using GA based Optimized Traffic Matrix Je Hak Lee yitsup2u@gmail.com Dong
More informationImplementation of Signature-based Detection System using Snort in Windows
Implementation of Signature-based Detection System using Snort in Windows Prerika Agarwal Sangita Satapathy Ajay Kumar Garg Engineering College, Ghaziabad Abstract: Threats of attacks are increasing day
More informationDeveloping the Sensor Capability in Cyber Security
Developing the Sensor Capability in Cyber Security Tero Kokkonen, Ph.D. +358504385317 tero.kokkonen@jamk.fi JYVSECTEC JYVSECTEC - Jyväskylä Security Technology - is the cyber security research, development
More informationFlashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities
Flashback.. Internet design goals Security Part One: Attacks and Countermeasures 15-441 With slides from: Debabrata Dash,Nick Feamster, Vyas Sekar 15-411: F08 security 1 1. Interconnection 2. Failure resilience
More informationKey Words: Intrusion Detection System (IDS), Host-based, Network-based, Signature, Security log.
69 Scientia Africana, Vol. 13 (No.2), December 2014. Pp69-80 College of Natural and Applied Sciences, University of Port Harcourt, Printed in Nigeria ISSN 1118-1931 COMBINING HOST-BASED AND NETWORK-BASED
More informationHP Load Balancing Module
HP Load Balancing Module Security Configuration Guide Part number: 5998-2686 Document version: 6PW101-20120217 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part
More informationDENIAL OF SERVICE ATTACKS
DENIAL OF SERVICE ATTACKS Ezell Frazier EIS 4316 November 6, 2016 Contents 7.1 Denial of Service... 2 7.2 Targets of DoS attacks... 2 7.3 Purpose of flood attacks... 2 7.4 Packets used during flood attacks...
More informationECE 435 Network Engineering Lecture 23
ECE 435 Network Engineering Lecture 23 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 30 November 2017 HW#11 will be posted Announcements Don t forget projects next week Presentation
More informationInternet Security: Firewall
Internet Security: Firewall What is a Firewall firewall = wall to protect against fire propagation More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits
More informationCSC Network Security
CSC 474 -- Security Topic 9. Firewalls CSC 474 Dr. Peng Ning 1 Outline Overview of Firewalls Filtering Firewalls Proxy Servers CSC 474 Dr. Peng Ning 2 Overview of Firewalls CSC 474 Dr. Peng Ning 3 1 Internet
More informationImproved Detection of Low-Profile Probes and Denial-of-Service Attacks*
Improved Detection of Low-Profile Probes and Denial-of-Service Attacks* William W. Streilein Rob K. Cunningham, Seth E. Webster Workshop on Statistical and Machine Learning Techniques in Computer Intrusion
More informationOverview Intrusion Detection Systems and Practices
Overview Intrusion Detection Systems and Practices Chapter 13 Lecturer: Pei-yih Ting Intrusion Detection Concepts Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy
More informationNetworking Security SPRING 2018: GANG WANG
Networking Security SPRING 2018: GANG WANG About the Midterm Close book; Close notes; Close computer/phone/calculator; No cheat sheet. You are NOT allowed to leave the room during the exam There are 6
More informationIPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery
IPv6- IPv4 Threat Comparison v1.0 Darrin Miller dmiller@cisco.com Sean Convery sean@cisco.com Motivations Discussions around IPv6 security have centered on IPsec Though IPsec is mandatory in IPv6, the
More informationCOMPUTER NETWORK SECURITY
COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (7 th Week) 7. Denial-of-Service Attacks 7.Outline Denial of Service Attacks Flooding Attacks Distributed Denial of Service Attacks Application Based
More informationDDoS and Traceback 1
DDoS and Traceback 1 Denial-of-Service (DoS) Attacks (via Resource/bandwidth consumption) malicious server legitimate Tecniche di Sicurezza dei Sistemi 2 TCP Handshake client SYN seq=x server SYN seq=y,
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN
More informationIJSER. Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology
ISSN 2229-5518 321 Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology Abstract - Nowadays all are working with cloud Environment(cloud
More informationCS System Security 2nd-Half Semester Review
CS 356 - System Security 2nd-Half Semester Review Fall 2013 Final Exam Wednesday, 2 PM to 4 PM you may bring one 8-1/2 x 11 sheet of paper with any notes you would like no cellphones, calculators This
More informationVenusense UTM Introduction
Venusense UTM Introduction Featuring comprehensive security capabilities, Venusense Unified Threat Management (UTM) products adopt the industry's most advanced multi-core, multi-thread computing architecture,
More informationActivating Intrusion Prevention Service
Activating Intrusion Prevention Service Intrusion Prevention Service Overview Configuring Intrusion Prevention Service Intrusion Prevention Service Overview Intrusion Prevention Service (IPS) delivers
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 8 Denial of Service First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Denial of Service denial of service (DoS) an action
More informationDenial of Service and Distributed Denial of Service Attacks
Denial of Service and Distributed Denial of Service Attacks Objectives: 1. To understand denial of service and distributed denial of service. 2. To take a glance about DoS techniques. Distributed denial
More informationINFS 766 Internet Security Protocols. Lecture 1 Firewalls. Prof. Ravi Sandhu INTERNET INSECURITY
INFS 766 Internet Security Protocols Lecture 1 Firewalls Prof. Ravi Sandhu INTERNET INSECURITY Internet insecurity spreads at Internet speed Morris worm of 1987 Password sniffing attacks in 1994 IP spoofing
More informationFIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others
FIREWALLS 1 FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN ooding: attacker
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Intrusion Detection Systems Intrusion Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking
More informationFirewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A
Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y 2 01 6 / 2 017 P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A Slides are based on slides by Dr Lawrie Brown (UNSW@ADFA) for Computer
More informationCIH
mitigating at host level, 23 25 at network level, 25 26 Morris worm, characteristics of, 18 Nimda worm, characteristics of, 20 22 replacement login, example of, 17 signatures. See signatures SQL Slammer
More informationCE Advanced Network Security
CE 817 - Advanced Network Security Lecture 5 Mehdi Kharrazi Department of Computer Engineering Sharif University of Technology Acknowledgments: Some of the slides are fully or partially obtained from other
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2014 www.cs.cmu.edu/~prs/15-441-f14 Yes: Creating a secure channel for communication (Part I) Protecting
More informationIntrusion Detection. Comp Sci 3600 Security. Introduction. Analysis. Host-based. Network-based. Distributed or hybrid. ID data standards.
or Detection Comp Sci 3600 Security Outline or 1 2 3 4 5 or 6 7 8 Classes of or Individuals or members of an organized crime group with a goal of financial reward Their activities may include: Identity
More informationSecurity System and COntrol 1
Security System and COntrol 1 Network Security Reading list Recommended: www.cert.org Security System and COntrol 3 Internet Connectivity Advantage: private networks able to reach and communicate with
More informationCIT 480: Securing Computer Systems
CIT 480: Securing Computer Systems Intrusion Detection CIT 480: Securing Computer Systems Slide #1 Topics 1. Definitions and Goals 2. Models of Intrusion Detection 3. False Positives 4. Architecture of
More informationLab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?
Lab1 Definition of Sniffing: A program or device that captures vital information from the network traffic specific to a particular network. Passive Sniffing: It is called passive because it is difficult
More informationACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems
ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been
More informationPROTECTING INFORMATION ASSETS NETWORK SECURITY
PROTECTING INFORMATION ASSETS NETWORK SECURITY PAUL SMITH 20 years of IT experience (desktop, servers, networks, firewalls.) 17 years of engineering in enterprise scaled networks 10+ years in Network Security
More informationCSC 574 Computer and Network Security. TCP/IP Security
CSC 574 Computer and Network Security TCP/IP Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr) Network Stack, yet again Application Transport Network
More informationUMSSIA INTRUSION DETECTION
UMSSIA INTRUSION DETECTION INTRUSION DETECTION Sensor1 Event1, Event2 Monitor No intrusion M SensorN Event1, Event2 Alarm! IDS CHARACTERISTICS Characteristics an IDS can be classified/evaluated by: Type
More informationComputer Security and Privacy
CSE P 590 / CSE M 590 (Spring 2010) Computer Security and Privacy Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for
More information