Abstract. Keywords: Virus, inetmon Engine, Virus Parser, Virus Matching Engine. 1. Introduction

Similar documents
CSE 565 Computer Security Fall 2018

INSIDE. Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server. Enhanced virus protection for Web and SMTP traffic

APPLICATION OF INTRUSION DETECTION SOFTWARE TO PROTECT TELEMETRY DATA IN OPEN NETWORKED COMPUTER ENVIRONMENTS.

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

NETWORK THREATS DEMAN

Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE, T.J.S ENGINEERING COLLEGE

CLASSIFICATION OF ARTIFICIAL INTELLIGENCE IDS FOR SMURF ATTACK

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Intruders. significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders:

UTM 5000 WannaCry Technote

A Firewall Architecture to Enhance Performance of Enterprise Network

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

Management Information Systems (MMBA 6110-SP) Research Paper: Internet Security. Michael S. Pallos April 3, 2002

Very Fast Containment of Scanning Worms. Nicholas Weaver, Stuart Staniford, Vern Paxson ICSI, Nevis Networks, ICSI & LBNL

CISNTWK-440. Chapter 5 Network Defenses

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

IDS: Signature Detection

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Managing SonicWall Gateway Anti Virus Service

Proactive Protection Against New and Emerging Threats. Solution Brief

Scrutinizer Flow Analytics

system to cover their tracks, the HIDS can provide an independent audit trail of the attack.

Internet Security: Firewall

Symantec Client Security. Integrated protection for network and remote clients.

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

International Journal of Research (IJR) Vol-1, Issue-10 November 2014 ISSN Network Security

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

2. Firewall Management Tools used to monitor and control the Firewall Environment.

Zillya Internet Security User Guide

Identifying Stepping Stone Attack using Trace Back Based Detection Approach

Securing Today s Mobile Workforce

Network Security Terms. Based on slides from gursimrandhillon.files.wordpress.com

Technology in Action

How to Test Outbreak Commander

Kaspersky Open Space Security

CIRT: Requirements and implementation

INFORMATION EXCHANGE GATEWAYS: REFERENCE ARCHITECTURE

Transport and Application Protocol Scrubbing

ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS

A Graphical User Interface Framework for Detecting Intrusions using Bro IDS

intelop Stealth IPS false Positive

Efficient Network Intrusion Detection System Navaneethakrishnan.P a*,theivanathan.g b

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Chapter 9. Firewalls

WHITE PAPER. Fail-Safe IPS Integration with Bypass Technology

Quick Heal AntiVirus Pro Advanced. Protects your computer from viruses, malware, and Internet threats.

Security Gateway System Team

Venusense UTM Introduction

A Distributed Intrusion Alert System

TRAPS ADVANCED ENDPOINT PROTECTION

Internet Security Mail Anti-Virus

Building Resilience in a Digital Enterprise

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Cracked BitDefender Security for File Servers 2 Years 55 PCs pc repair software for free ]

COMPUTER NETWORK SECURITY

Overview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks

CounterACT Check Point Threat Prevention Module

Detecting MAC Spoofing Using ForeScout CounterACT

CERT-In. Indian Computer Emergency Response Team ANTI VIRUS POLICY & BEST PRACTICES

DNA Intrusion Detection Methodology. James T. Dollens, Ph.D Cox Road Roswell, GA (678)

Study on Computer Network Technology of Digital Library

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline

Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection

Towards Faster String Matching for Intrusion Detection or Exceeding the Speed of Snort

BUFFERZONE Advanced Endpoint Security

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

Introduction and Statement of the Problem

Small Office Security 2. Mail Anti-Virus

Potential Threats to Mobile Network Security

DNS Query Access and Backscattering SMTP Distributed Denial-of-Service Attack

SmartSiren: Virus Detection and Alert for Smartphones. Jerry Cheung, Starsky Wong, Hao Yang and Songwu Lu MOBISYS 2007

Introduction to Security. Computer Networks Term A15

COMPUTER NETWORK SECURITY

INFORMATION ASSURANCE DIRECTORATE

Network Fundamentals. Chapter 7: Networking and Security 4. Network Fundamentals. Network Architecture

Intrusion Detection System using AI and Machine Learning Algorithm

FRISK Software International F-Prot AVES Managed Security Service

Cisco IOS Inline Intrusion Prevention System (IPS)

Unit 4: Firewalls (I)

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Lecture 12. Application Layer. Application Layer 1

White Paper February McAfee Network Protection Solutions. Encrypted Threat Protection Network IPS for SSL Encrypted Traffic.

Cybersecurity: Incident Response Short

Kaspersky PURE 2.0. Mail Anti-Virus: security levels

E-Commerce Security Pearson Prentice Hall, Electronic Commerce 2008, Efraim Turban, et al.

Management of IT Infrastructure Security by Establishing Separate Functional Area with Spiral Security Model

CIS Top 20 #12 Boundary Defense. Lisa Niles: CISSP, Director of Solutions Integration

Hardening the Education. with NGFW. Narongveth Yutithammanurak Business Development Manager 23 Feb 2012

Firewalls 1. Firewalls. Alexander Khodenko

INSIDE. Integrated Security: Creating the Secure Enterprise. Symantec Enterprise Security

CompTIA Security+ CompTIA SY0-401 Dumps Available Here at:

Application Firewalls

Activating Intrusion Prevention Service

BUFFERZONE Advanced Endpoint Security

CE Advanced Network Security

Anti-Virus. Anti-Virus Scanning Overview. This chapter contains the following sections:

CyberP3i Course Module Series

CompTIA E2C Security+ (2008 Edition) Exam Exam.

ForeScout Extended Module for Symantec Endpoint Protection

QUICK START GUIDE. Microsoft Windows 10 / 8.1 / 8 / 7 / Vista / Home Server Click here to download the most recent version of this document

Transcription:

Real-Time Detection System Using inetmon Engine Sureswaran Ramadass, Azlan Bin Osman, Rahmat Budiarto, N. Sathiananthan, Ng Chin Keong, Choi Sy Jong Network Research Group, School Of Computer Science, University Science Malaysia sathia@nrg.cs.usm.my Abstract The fundamental problem with any network administration systems today is its ability to cope with the rising amount of virus intrusions. Currently available systems are only able to detect a virus after the network has been infected, therefore its non-real time. Depending on the malicious activities of the viruses, the detection will be carried out. Herewith, we are proposing a Real-Time Detection system, which detects the arrival of virus intruders at the network layer rather than at the application layer. In this paper, we present an overview of the system design, which uses the inetmon engine, parser, Matching Engine and alert mechanisms. Using the inetmon engine, all packets traversing through the network nodes are captured; these packets are decoded and sent to Matching Engine. Meanwhile, parser will load the entire virus signature to memory. At the Matching Engine, captured packet will be formatted to enhance matching speed. Then the formatted packet content will be scanned for virus information. Once the packet is known to contain virus or worm information, alert mechanism will alert the network administrator. Upon receiving this alert message, the administrator can now take necessary actions before the packet arrives at the destination. Keywords:, inetmon Engine, Parser, Matching Engine 1. Introduction Each computer that forms part of the network can connect to all other networked machines and send data from one to the other. If any of this data is infected at the time of sending, the receiving computer will automatically be infected, thereby making it possible to infect entire networks in a very short space of time. es can also traverse from host to another in a network using shared resources, such as shared folders, printer and etc. es that traverse through the network packets, leaves certain signatures on the packet itself. These signatures are part of the packet payload. Signatures here could be file attachment names, file extensions, email subjects, email content and key words. Each packet s payload is then matched against available signature. Example of payload available:-

File Attachment: - NAVIDAD.EXE, Possible NAVIDAD Worm File Attachment: - myromeo.exe, Possible MyRomeo Worm Email Subject: - my picture from shake-beer, Possible MyRomeo Worm File Extensions: - \\CoolProgs\\, Possible PrettyPark Trojan inetmon Engine passively listens to incoming packets from the network. Besides that, it is able to monitor all packets of a particular network node. Keeping this capability in mind, inetmon Engine is used to get all packets that traverse through the network. Since inetmon Engine is a passive monitoring tool, it able to capture network packets while preserving network resources. The section 2 of this paper would focus on other related works done in this area. Section 3, describes on the proposed architecture. Then we conclude the paper in section 4, where we would be discussing on contribution and future work. 2. Related Works As society grows increasingly dependent on the Internet for commerce, banking and mission critical application, the ability to detect virus intrusion on networks is becoming vitally important. Security administrators use firewall as a tool to avoid virus attacks [1] at Demilitarized Zone. However, this system is not efficient when the virus attacks originate within the network perimeter. Besides that, having firewalls to run antivirus scans on packets will decrease the firewall performance [2]. Larger corporation has antivirus checking taking place at two sides, which are the client and server side. At the server side, proxy servers and email server would run their antivirus scanning, whereas at the client side, standalone antivirus software is used. These systems could take up network resources and there are a lot of redundant activities. Organizations also rely on network intrusion detection systems (NID systems) as a tool for detecting virus attacks and misuse in real-time [3]. Network-based intrusion detection systems identify these attacks using passive monitoring techniques to recognize patterns of virus as they occur. NID systems are used to identify misuse within the protocol streams that pass through the firewall as well as those that originate within the network s perimeter. As such, they have become the second line of defense within an organization after firewall. However, as this attacks becomes increasingly sophisticated it is becoming difficult to determine when an internal network has been compromised [4]. There are two serious problems with network-based intrusion detection systems. The first problem is the virus attacks can use ambiguities in network protocol implementation to deceive NID systems, bypassing their watchful eyes. The second problem is that NID systems are passive mechanism by design [5][6][7][8]. As passive entities they can only notify administrators or active mechanisms whenever intrusions are detected. However, the response to this notification may not be timely enough to withstand some types of attacks such as attacks on network resources where only immediate intervention can sustain the network s operation. This paper presents the architectural design of Real-Time

Detection System that specifically tackles the issue of virus detection using passive monitoring tools 3. Proposed RVDS Architecture Real-Time Detection System (RVDS) acts as a transparent entity to the inetmon Engine. In which, it uses the passive monitoring capability of inetmon [9] and packet capture mechanisms of inetmon. RVDS addresses the adversities of firewall systems by scanning packets, which are within the network perimeter, and provides options for counter measures. RVDS is able to detect virus contaminated packets while they travel through the network node. This capability is contrary to what we have mentioned earlier about larger corporation having virus scanners residing in server and client side. Since RVDS focuses on capturing packets on the wire, it is not susceptible to deceiving activities of the virus, unlike the NID. Moreover, RVDS specifically focuses on Detection, unlike NIDs, which spread their scope to other intrusions. Hence, it uses less CPU resources and provides faster detection rate. inetmon Engine Parser Matching Signature SMS, Email, XML, HTML Output Alert As mentioned earlier, virus signatures that we use are actually virus payload signatures. These signatures are maintained in a repository system. Parser will then load these signatures into memory. Every packet that comes through inetmon Engine will be sent to Matching module. inetmon Engine will send the formatted payload of the packet. matching module will receive this payload and match them against the virus signatures that were previously loaded into memory. According to the matching

result output alert mechanism will be executed. In the following subsections we would be discussing on the architectural aspect of each RVDS components: inetmon Engine The inetmon Engine provides RVDS packet capturing mechanism. This provides RVDS the real-time capability in capturing packets and later detecting virus attacks. All packets are captured and decoded by inetmon Engine into readable format. Next this output will be forwarded to Matching Engine, to detect virus attacks on it. Parser All virus signatures in the database are parsed into memory. signatures are loaded into appropriate data structure for matching purposes. Parser is executed first during the start-up of inetmon. Matching After formatting the packet into readable form, the content is sent to Matching Engine. Here, the packet would be matched against virus signatures that are loaded into memory by Parser. This matching methodology is significantly faster compared to matching virus pattern directly from the virus signature database. In order to accommodate the speed of incoming packet, this component would be implemented using threads or multiple processes, which can utilize Symmetric Multiprocessing (SMP) system. This will further improve the available Real-Time capability of RVDS. Output Alert Once any kinds of virus attacks are found the output alert mechanism will be triggered. 4. Conclusion and Future Work This paper presents the design of a Real-Time Detection system. The key contributions of this work are: the identification of the need for a real-time virus detection system that enables prompt detection over virus attacks; the design of a high-performance Real-Time Detection System (RVDS). Currently, RVDS is going through implementation phase at NRG, USM. We are also looking at incorporating a learning algorithm that can detect evolving viruses.

5. References [1] D.Brent Chapman and Elizabeth D.Zwicky. Building Internet Firewalls. O Reily and Associates, Inc., 1995. [2] Trusted Information Systems. TIS Firewall Toolkit. ftp://ftp.tis.com/pub/firewalls/toolkit. [3] Biswanath Mukherjee, L.Todd Heberlein and Karl N. Levitt. Network Intrusion Detection. IEEE Network, 8(3): 26-41, May and June 1994. [4] Thomas H. Ptacek and Timothy N. Newsham. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Originally Secure Network, Inc., now available as a white paper at Network Associate Inc. homepage at http://www.nai.com/, January 1998. [5] Vern Paxson. Bro: A System for Detecting Network Intruders in Real-Time. In Proceedings of the 7 th USENIX Security Symposium, San Antonio, Texas, January 1998. [6] Marcus J.Ranum, Kent Landfield, Mike Stolarchuk, Mark Sienkiewicz, Andrew Lambeth, and Eric Wall. Implementing a Generalized Tool for Network Monitoring. In Proceedings of the Eleventh Systems Administration Conference (LISA 97), San Diego, CA, October 1997 [7] Internet Security Services. RealSecure. http://www.iss.net/prod/rs.html [8] Gregory B.White, Eric A. Fisch, and Udo W.Pooch. Cooperating Security Managers: A Peer-Based Intrusion Detection System. IEEE Network, 10(1):20-23, January and February 1996. [9] Sureswaran, R, (2001), Network Monitor, In Proceedings of Asia Pacific Advanced Network Conference, 2001, pp 40-44.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback