Can the Best Defense be to Attack?
Slide 1: Can the Best Defense be to Attack?
MITACS Digital Security Seminar Series at Carleton University
Presenter: Dr. Nur Zincir-Heywood, Dalhousie University, Faculty of Computer Science

Slide 2: Arms Race
- Security engineers vs black hat attackers
  - Attackers work to evade defense systems
  - Security research/technology responds with patches and new systems
- Even in research environments:
  - Defender systems
  - White hat attackers (vulnerability testing and evasion)
MITACS Seminar, 2007 Zincir-Heywood

Slide 3: Bad guys
- Intelligent
- Malicious intentions
- Automated tools
- Botnets

Slide 4: Good guys
- Confidentiality, integrity, authentication: cryptography
- Policies
- Access control
- Firewalls
- Virus checkers
- Worm detectors

Slide 5: How do we know we are attacked?
- Alerts from the security tools used
  - Usually signature based
  - Poor on new attacks
  - Low FP, but
- Monitoring traffic
  - Expert(s) perform forensic analysis after the event
  - Deep packet inspection
  - Results in patches and new releases

Slide 6: First egg or chicken?
- Do we need to be attacked first to understand that there is a new attack?
- What about:
  - Penetration and vulnerability checking
  - Blind-spot analysis (evasion)

Slide 7: Mimicry Attacks
- Assume a core attack
- Modify it to look different while it actually does the same/similar damage:
  - Hiding in normal behavior
  - Hiding in the blind spot of the detector
  - Hiding it in a less harmful attack

Slide 8: Two Sides of the Arms Race
- Defender
  - Signature based IDSs
  - Anomaly based IDSs
- Attacker
  - Mimicry attacks
  - Evasion attacks

Slide 9: Defender
- Anomaly based
  - Stide
  - Improved versions
- Signature based
  - Snort (Mutz et al, 03; Vigna et al, 04; Kayacik et al, 05)
  - ISS RealSecure (Mutz et al, 03)
  - Symantec Net Prowler (Vigna et al, 04)

Slide 10: Anomaly Based Detectors: Host based
- Three categories: black box, gray box and white box
- Black-box techniques extract info only from system calls
  - Fixed length: Stide (Forrest et al, 96)
  - Alternative data models (Warrender et al, 99)
  - Variable length (Wespi et al, 00)

Slide 11: Anomaly Based Detectors: Gray-Box
- Extract info from system calls + run-time process execution state
- Utilize a Finite State Automaton (FSA) to characterize normal behavior (Sekar et al, 01)
- Instead of an FSA, utilize a virtual path table, which records not only where the system call is executed from but also the point where execution returns (Feng et al, 03)
- Generate an execution graph to understand the max subset of the program control flow graph (Gao et al, 04)

Slide 12: Anomaly Based Detectors: White-box
- Extract info from the monitored program: static analysis of source code or binary image
- System calls represented by a state machine extracted from the control-flow graph (Wagner et al, 01; Giffin et al, 02 and 04)
- System call inlining and notify calls are introduced (Lam et al, 04)
- Static analysis to extract an automaton with call stack information is introduced (Feng et al, 04)
- Multiple detection models are applied to system call arguments; an overall aggregate score of these models is introduced (Mutz et al, 06)

Slide 13: Attacker: Mimicry Attacks
- Modify the system call sequence of an exploit, rendering it undetectable to a specific IDS (Wagner et al, 02): wb (white box), manual
- Similar approach based on modifying the exploit code (Tan et al, 02): wb, manual
- Generate variations of signatures to test the quality of detection against Snort, ISS RealSecure, Symantec Net Prowler (Mutz et al, 03; Vigna et al, 04): bb (black box) (!), automatic
- Generate attacks against gray-box detectors (Gao et al, 04): gb (gray box), manual
- Evolve mimicry attack against Snort (Kayacik et al, 05): bb, automatic

Slide 14: Mimicry Attacks: Kruegel et al, 05
- Automatic attack generation
- White box testing
- Assumes vulnerable application is known
- Assumes a core attack is known
- Against a gray-box (Sekar et al, 01) and a white-box detector (Feng et al, 04)
- Utilizes the details of how the detector works in attack generation
- Statically analyzes victim x86 binaries; the approach employs symbolic execution
- Objective is to identify code pointers that can be modified to point to the attacker code
- Tested on 3 sample programs protected by the above IDSs
Slide 15: Symbolic execution (Kruegel et al, 05)

Slide 16: Deriving an Appropriate Configuration (Kruegel et al, 05)

Slide 17: Results for Real World Applications (Kruegel et al, 05)

Slide 18: Execution Steps and Time (Kruegel et al, 05)

Slide 19: Design Requirements
- Developing a static analysis tool for each binary system
  - White box testing approach
  - Expensive (knowledge)
  - Limited semantic coverage
- Exhaustive search (constrained by the above item) using symbolic execution
  - Solving a linear constraint can be exponential in the number of inequalities
  - Assumes that each symbolic expression refers to a different memory location
  - Not all symbolic expressions can be resolved (see the above item)

Slide 20: Mimicry Attacks: Giffin et al, 06
- Automatic attack generation
- White box testing
- Assumes vulnerable application is known
- Assumes a core attack is known
- Develop a model of the OS with respect to security critical state
  - Manually construct the OS model
  - Manually construct the malicious OS state
- Apply model checking to prove that no reachable OS configuration corresponds to the effect of an attack
- Tested against the Stide IDS using the wu-ftpd, restore, traceroute and passwd applications

Slide 21: OS Model
- Manually identify which OS state variables constitute security relevant states
- The initial assignment of values to OS state variables encodes the OS state configuration before execution of a process
- For each system call a relation is provided for how it changes state based upon the previous state (pre- and post-conditions)

Slide 22: Architecture (Giffin et al, 06)

Slide 23: Describing Stide Model for Each Application (Giffin et al, 06)

Slide 24: Evaluation of the Stide Model to Detect Attacks (Giffin et al, 06)
Yes indicates detected, No indicates undetected.

Slide 25: Model Checking Running Times (Giffin et al, 06)

Slide 26: Design Requirements
- Developing the OS model manually
  - White box testing approach
  - Expensive (knowledge)
  - Limited semantic coverage
- Exhaustive search (constrained by the above item) using model checking
- What if the OS model abstraction is wrong?
Slide 27: Mimicry Attacks: Kayacik et al, 07a
- Automatic attack generation
- Black box testing
- Assumes vulnerable application is known
- Assumes a core attack is known
- Against Stide, using the traceroute application
- Search space too large to deploy exhaustive methods
- Genetic Programming employed

Slide 28: Methodology
- Motivations for using GP
- Goal based objectives
- Representation
- Intron code
- Training data for traceroute
  - Previous work employs: traceroute nis.nsf.net
- Fitness function for GP

Slide 29: Occurrence of System Calls (Kayacik et al, 07a)

Slide 30: Parameter Types (Kayacik et al, 07a)

Slide 31: Fitness Function (Kayacik et al, 07a)

Slide 32: Training Data (Kayacik et al, 07a)

Slide 33: Stide Anomaly Rates against Training Data (Kayacik et al, 07a)

Slide 34: Stide Anomaly Rates against Exploits (Kayacik et al, 07a)

Slide 35: Mismatch Rates (%) Reported by Stide (Kayacik et al, 07b)

Slide 36: Contribution of Preamble (Kayacik et al, 07b)

Slide 37: Design Requirements
- Attack = preamble + exploit
- Anomaly rate should be calculated over both
- There is no attack with 0% anomaly, even for the previous work, when we analyze the whole attack
- Can work with any IDS (bb)
- Evolutionary computation
  - Efficient sampling of a large search space
  - Longer training times
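The following is an added example, not code from the talk, from the stide tool or from the cited papers: a minimal stide-style fixed-window detector (slide 10) scored the way slide 37 asks, over preamble plus exploit rather than over the exploit alone. The system-call labels, the two normal traces, the preamble/segment split and the window length 6 are all constructed assumptions; the "segment" is one normal window copied verbatim, which is exactly why it scores 0% by itself while the whole attack does not.

```python
"""Minimal stide-style sequence detector (added illustration, not the
stide tool itself or any code from the talk).

stide (Forrest et al., 96) stores every fixed-length window of system calls
seen in normal traces.  At detection time each window of the monitored
trace that was never seen in training is a mismatch, and the mismatch rate
is the percentage of windows that mismatch.  The traces below are
constructed and use syscall names only as labels.
"""
from typing import Dict, Iterable, List, Sequence, Set, Tuple

Window = Tuple[str, ...]


def sliding_windows(trace: Sequence[str], n: int) -> List[Window]:
    """All length-n contiguous windows of a trace (none if shorter than n)."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


class Stide:
    """Normal-window database plus mismatch scoring, stide style."""

    def __init__(self, window: int = 6) -> None:
        # Window length 6 is a constructed choice for this example, not a
        # claim about the experiments in the talk.
        self.window = window
        self.normal: Set[Window] = set()

    def train(self, traces: Iterable[Sequence[str]]) -> None:
        """Learn the set of windows that occur in normal behaviour."""
        for trace in traces:
            self.normal.update(sliding_windows(trace, self.window))

    def mismatched_windows(self, trace: Sequence[str]) -> List[int]:
        """Start positions of windows in trace never seen in training."""
        return [i for i, w in enumerate(sliding_windows(trace, self.window))
                if w not in self.normal]

    def mismatch_rate(self, trace: Sequence[str]) -> float:
        """Percentage of windows that mismatch; 0.0 if there are no windows."""
        windows = sliding_windows(trace, self.window)
        if not windows:
            return 0.0
        return 100.0 * len(self.mismatched_windows(trace)) / len(windows)


# Constructed "normal" traces of a small network client (labels only).
NORMAL_TRACES = [
    ["execve", "brk", "open", "read", "close", "socket",
     "sendto", "recvfrom", "write", "exit"],
    ["execve", "brk", "open", "read", "close", "socket",
     "sendto", "recvfrom", "sendto", "recvfrom", "write", "exit"],
]

# Constructed attack trace split the way slide 37 splits it: the preamble
# is what the process executes while the malicious input is delivered
# (here the client keeps receiving), the segment is the part that earlier
# work scored on its own.  The segment is one normal window verbatim, so
# it cannot mismatch by itself.
PREAMBLE = ["execve", "brk", "open", "read", "close", "socket",
            "sendto", "recvfrom", "recvfrom", "recvfrom"]
SEGMENT = ["sendto", "recvfrom", "sendto", "recvfrom", "write", "exit"]


def trained_detector() -> Stide:
    """A detector trained on the constructed normal traces."""
    det = Stide(window=6)
    det.train(NORMAL_TRACES)
    return det


def score_attack(detector: Stide) -> Dict[str, float]:
    """Mismatch rates for segment alone, preamble alone and the whole attack."""
    return {
        "segment_only": detector.mismatch_rate(SEGMENT),
        "preamble_only": detector.mismatch_rate(PREAMBLE),
        "whole_attack": detector.mismatch_rate(PREAMBLE + SEGMENT),
    }


if __name__ == "__main__":
    det = trained_detector()
    for name, rate in score_attack(det).items():
        print(f"{name:>14}: {rate:5.1f}% mismatch")
    # The windows spanning the preamble/segment boundary are what the
    # whole-attack measurement catches and the segment-only one misses.
    print("mismatching windows start at:",
          det.mismatched_windows(PREAMBLE + SEGMENT))
```

Note that `mismatch_rate` reports 0.0 for a trace shorter than one window, so a deployment would also need a minimum-length check rather than treating a short trace as clean.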
Slide 38: Van Oorschot et al, 05
- Hardware assisted circumvention of self-hashing software tamper resistance
- Attack generation against the self-hashing technique on many modern processors (x86, UltraSparc, AMD64, ARM)
- White-box
- Assumes vulnerable application is known
- Manual generation

Slide 39: What's next?
- White box vs black box testing
- Preamble vs exploit generation
- Dynamic vs static
- Deterministic vs stochastic
- Allergy attacks
- Co-evolution of attackers & detectors
- Theoretical modeling of the arms race
- Experimental results to explore the models

Slide 40: Why bother?
- To be able to predict
- To be a step ahead if possible
- To understand attacker behavior
- To test defense systems before attackers do
- To improve defense systems
  - Automatic signature generation
  - Automatic attack training data generation
- To generate anti-botnet teams :-)

Slide 41: One final thought
- When asked, Vint Cerf said that 2 important events started the Internet's evolution:
  - Launch of Sputnik
  - Breakup of AT&T
- What about security: Bombing of 9/11??

Slide 42: References
- Mutz D., Vigna G., Kemmerer R., An Experience Developing an IDS Stimulator for the Black-Box Testing of Network Intrusion Detection Systems, ACSAC.
- Vigna G., Robertson W., Balzarotti D., Testing Network Based Intrusion Detection Signatures Using Mutant Exploits, ACM CCS.
- Kayacik H. G., Zincir-Heywood A. N., Heywood M. I., Evolving Successful Stack Overflow Attacks for Vulnerability Testing, ACSAC.
- Forrest S., Hofmeyr S. A., Somayaji A., Longstaff T. A., A Sense of Self for Unix Processes, IEEE SP.
- Warrender C., Forrest S., Pearlmutter B. A., Detecting Intrusions Using System Calls: Alternative Data Models, IEEE SP.
- Wespi A., Dacier M., Debar H., Intrusion Detection Using Variable-Length Audit Trail Patterns, RAID.
- Sekar R., Bendre M., Dhurjati D., Bollineni P., A Fast Automaton-based Method for Detecting Anomalous Program Behavior, IEEE SP.
- Feng H., Kolesnikov O., Fogla P., Lee W., Gong W., Anomaly Detection Using Call Stack Information, IEEE SP.
- Gao D., Reiter M., Song D., Gray-Box Extraction of Execution Graphs for Anomaly Detection, ACM CCS.
- Wagner D., Dean D., Intrusion Detection via Static Analysis, IEEE SP.
- Giffin J., Jha S., Miller B., Detecting Manipulated Remote Call Streams, USENIX Security.

Slide 43: References
- Giffin J., Jha S., Miller B. P., Efficient Context Sensitive Intrusion Detection, NDSS.
- Feng H., Giffin J., Huang Y., Jha S., Lee W., Miller B., Formalizing Sensitivity in Static Analysis for Intrusion Detection, IEEE SP.
- Lam L., Chiueh T., Automatic Extraction of Accurate Application-Specific Sandboxing Policy, RAID.
- Mutz D., Valeur F., Vigna G., Kruegel C., Anomalous System Call Detection, ACM Transactions on Information and System Security.
- Wagner D., Soto P., Mimicry Attacks on Host Based Intrusion Detection Systems, ACM CCS.
- Tan K. M. C., Killourhy K. S., Maxion R. A., Undermining an Anomaly-based Intrusion Detection System Using Common Exploits, RAID.
- Gao D., Reiter M., Song D., On Gray-Box Program Tracking for Anomaly Detection, USENIX Security.
- Kruegel C., Kirda E., Mutz D., Robertson W., Vigna G., Automating Mimicry Attacks Using Static Binary Analysis, USENIX Security Symposium.
- Giffin J. T., Jha S., Miller B. P., Automated Discovery of Mimicry Attacks, RAID.
- Kayacik H. G., Zincir-Heywood A. N., Heywood M. I., Automatically Evading IDS Using GP Authored Attacks, IEEE CISDA, 2007a.
- Kayacik H. G., Zincir-Heywood A. N., On the Contribution of Preamble to Information Hiding in Mimicry Attacks, IEEE SSNDS, 2007b.
- Van Oorschot P. C., Somayaji A., Wurster G., Hardware Assisted Circumvention of Self-Hashing Software Tamper Resistance, IEEE Transactions on Dependable and Secure Computing.

Slide 44: THANKS A LOT! ANY QUESTIONS? COMMENTS?
CE 817 - Advanced Network Security Lecture 5 Mehdi Kharrazi Department of Computer Engineering Sharif University of Technology Acknowledgments: Some of the slides are fully or partially obtained from other
More informationCurso: Ethical Hacking and Countermeasures
Curso: Ethical Hacking and Countermeasures Module 1: Introduction to Ethical Hacking Who is a Hacker? Essential Terminologies Effects of Hacking Effects of Hacking on Business Elements of Information Security
More informationImproving Signature Testing Through Dynamic Data Flow Analysis
Improving Signature Testing Through Dynamic Data Flow Analysis Christopher Kruegel Technical University Vienna chris@auto.tuwien.ac.at Davide Balzarotti, William Robertson, Giovanni Vigna University of
More informationCyber Security. Our part of the journey
Cyber Security Our part of the journey The Journey Evolved Built on the past Will be continued Not always perfect Small Steps moving forward The Privileged How to make enemies quickly Ask before acting
More informationA Rule-Based Intrusion Alert Correlation System for Integrated Security Management *
A Rule-Based Intrusion Correlation System for Integrated Security Management * Seong-Ho Lee 1, Hyung-Hyo Lee 2, and Bong-Nam Noh 1 1 Department of Computer Science, Chonnam National University, Gwangju,
More informationCOMPUTER NETWORK SECURITY
COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (9 th Week) 9. Firewalls and Intrusion Prevention Systems 9.Outline The Need for Firewalls Firewall Characterictics and Access Policy Type of Firewalls
More informationSOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM
SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM OVERVIEW The Verizon 2016 Data Breach Investigations Report highlights that attackers are regularly outpacing the defenders.
More informationFundamentals of Linux Platform Security
Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Linux Platform Security Module 8 Arbitrary Code Execution: Threats & Countermeasures
More informationTransforming Security from Defense in Depth to Comprehensive Security Assurance
Transforming Security from Defense in Depth to Comprehensive Security Assurance February 28, 2016 Revision #3 Table of Contents Introduction... 3 The problem: defense in depth is not working... 3 The new
More informationEC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led
EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led Certification: Certified Network Defender Exam: 312-38 Course Description This course is a vendor-neutral, hands-on,
More informationDNA Intrusion Detection Methodology. James T. Dollens, Ph.D Cox Road Roswell, GA (678)
DNA Intrusion Detection Methodology by James T. Dollens, Ph.D. 1675 Cox Road Roswell, GA 30075 JTDDGC@aol.com (678) 576-3759 Copyright 2001, 2004 James T. Dollens Page 1 of 1 Introduction Computer viruses,
More informationAchieving High Survivability in Distributed Systems through Automated Response
Achieving High Survivability in Distributed Systems through Automated Response Saurabh Bagchi, Guy Lebanon, Gene Spafford Gaspar Howard, YuSung Wu, Bingrui Foo The Center for Education and Research in
More informationUnderstanding Cisco Cybersecurity Fundamentals
210-250 Understanding Cisco Cybersecurity Fundamentals NWExam.com SUCCESS GUIDE TO CISCO CERTIFICATION Exam Summary Syllabus Questions Table of Contents Introduction to 210-250 Exam on Understanding Cisco
More informationI R TECHNICAL RESEARCH REPORT. Detection and Classification of Network Intrusions using Hidden Markov Models. by Svetlana Radosavac, John S.
TECHNICAL RESEARCH REPORT Detection and Classification of Network Intrusions using Hidden Markov Models by Svetlana Radosavac, John S. Baras TR 2003-6 I R INSTITUTE FOR SYSTEMS RESEARCH ISR develops, applies
More informationOperating Systems. Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000) alphapeeler.sf.net/pubkeys/pkey.htm
Operating Systems Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000) armahmood786@yahoo.com alphasecure@gmail.com alphapeeler.sf.net/pubkeys/pkey.htm http://alphapeeler.sourceforge.net pk.linkedin.com/in/armahmood
More informationHacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK
Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for
More informationAUTOMATED SECURITY ASSESSMENT AND MANAGEMENT OF THE ELECTRIC POWER GRID
AUTOMATED SECURITY ASSESSMENT AND MANAGEMENT OF THE ELECTRIC POWER GRID Sherif Abdelwahed Department of Electrical and Computer Engineering Mississippi State University Autonomic Security Management Modern
More informationUMSSIA INTRUSION DETECTION
UMSSIA INTRUSION DETECTION INTRUSION DETECTION Sensor1 Event1, Event2 Monitor No intrusion M SensorN Event1, Event2 Alarm! IDS CHARACTERISTICS Characteristics an IDS can be classified/evaluated by: Type
More informationIDS: Signature Detection
IDS: Signature Detection Idea: What is bad, is known What is not bad, is good Determines whether a sequence of instructions being executed is known to violate the site security policy Signatures: Descriptions
More informationProject Proposal. ECE 526 Spring Modified Data Structure of Aho-Corasick. Benfano Soewito, Ed Flanigan and John Pangrazio
Project Proposal ECE 526 Spring 2006 Modified Data Structure of Aho-Corasick Benfano Soewito, Ed Flanigan and John Pangrazio 1. Introduction The internet becomes the most important tool in this decade
More informationThe Evolving Threat of Internet Worms
The Evolving Threat of Internet Worms Jose Nazario, Arbor Networks Why Worm Based Intrusions Relative ease Write once, run everywhere promise can come true Penetration Right past firewalls
More informationDefense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation
Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client
More informationVerify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis
Verify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis Jingmin Zhou, Adam J. Carlson, Matt Bishop Computer Security Laboratory University of California, Davis {zhouji, carlsona,
More informationSHADOW WALKER Raising The Bar For Rootkit Detection. By Sherri Sparks Jamie Butler
SHADOW WALKER Raising The Bar For Rootkit Detection By Sherri Sparks ssparks@longwood.cs.ucf.edu Jamie Butler james.butler@hbgary.com What Is A Rootkit? Defining characteristic is stealth. Viruses reproduce,
More informationA Trace Abstraction Approach for Host-based Anomaly Detection
A Trace Abstraction Approach for Host-based Anomaly Detection 1 Syed Shariyar Murtaza, 1 Wael Khreich, 1 Abdelwahab Hamou-Lhadj, 2 Stephane Gagnon 1 Software Behaviour Analysis (SBA) Research Lab, Department
More information