icast / TRUST Collaboration Year 2 - Kickoff Meeting

Similar documents
Seeking Visibility Into Network Activity for Security Analysis

Distributed Cooperative Security Monitoring

The Bro Cluster The Bro Cluster

The Bro Network Intrusion Detection System

CSE 565 Computer Security Fall 2018

Network Intrusion Detection Systems. Beyond packet filtering

Introduction to Bro-IDS. Seth Hall The Ohio State University

Authors: Mark Handley, Vern Paxson, Christian Kreibich

Operational Experiences With High-Volume Network Intrusion Detection

Exploiting Multi-Core Processors For Parallelizing Network Intrusion Prevention

Network Wide Policy Enforcement. Michael K. Reiter (joint work with V. Sekar, R. Krishnaswamy, A. Gupta)

Enhancing Byte-Level Network Intrusion Detection Signatures with Context

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware

Unified Networks Administration & Monitoring System Specifications : YM - IT. YM Unified Networks Administration & Monitoring System

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

StreamWorks A System for Real-Time Graph Pattern Matching on Network Traffic

Intrusion Detection System

Novetta Cyber Analytics

Network Security Today: Finding Complex Attacks at 100Gb/s

Managing an Active Incident Response Case. Paul Underwood, COO

NIDS: Snort. Group 8. Niccolò Bisagno, Francesco Fiorenza, Giulio Carlo Gialanella, Riccardo Isoli

F5 DDoS Hybrid Defender : Setup. Version

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

securing your network perimeter with SIEM

Switched environments security... A fairy tale.

Network Intrusion Detection: Capabilities & Limitations

Introduction Challenges with using ML Guidelines for using ML Conclusions

Implementing Cisco Cybersecurity Operations

(DNS, and DNSSEC and DDOS) Geoff Huston APNIC

Scrutinizer Flow Analytics

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9. Firewalls

Configuring attack detection and prevention 1

Introduction to Network Discovery and Identity

Master Course Computer Networks IN2097

Security for SIP-based VoIP Communications Solutions

Understanding Cisco Cybersecurity Fundamentals

Symantec Ransomware Protection

Intruder Alert!: Visual Analysis of Network Intrusion Data. CS 533C Course Project Dustin Lang March 19, 2003

Introduction to Network Discovery and Identity

Why Next-Generation Voice Services Need Next-Generation KPIs

Digital forensics Technical Fundamentals. Saurabh Singh

A Study on Intrusion Detection Techniques in a TCP/IP Environment

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security

THE ACCENTURE CYBER DEFENSE SOLUTION

Master Course Computer Networks IN2097

RSA NetWitness Suite Respond in Minutes, Not Months

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Very Fast Containment of Scanning Worms. Nicholas Weaver, Stuart Staniford, Vern Paxson ICSI, Nevis Networks, ICSI & LBNL

Configuring attack detection and prevention 1

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Behavioral Detection of Stealthy Intruders

Question No: 2 Which identifier is used to describe the application or process that submitted a log message?

The Need for Collaboration between ISPs and P2P

The Need for Collaboration between ISPs and P2P

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

NetDefend Firewall UTM Services

Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection

Popular SIEM vs aisiem

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Robust TCP Stream Reassembly In the Presence of Adversaries

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

SentinelOne Technical Brief

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

McAfee epolicy Orchestrator

Implementing Cisco Network Security (IINS) 3.0

CSE Computer Security (Fall 2006)

GARNET. Graphical Attack graph and Reachability Network Evaluation Tool* Leevar Williams, Richard Lippmann, Kyle Ingols. MIT Lincoln Laboratory

Denial of Service, Traceback and Anonymity

Understanding the Internet

Extensible Network Security Services on Software Programmable Router OS. David Yau, Prem Gopalan, Seung Chul Han, Feng Liang

Network Security Platform Overview

this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities

IETF88 Vancouver. Congestion control for video and priority drops. Background for draft-lai-tsvwg-normalizer-02.txt LTR

CyberArk Privileged Threat Analytics

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Healthcare IT A Monitoring Primer

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

SIEM FOR BEGINNERS Everything You Wanted to Know About

OSSIM data flow. (

Robust Firewalls with OpenBSD and PF

Mapping Internet Sensors with Probe Response Attacks

EC-Council V9 Exam

For packet analysers to work, a packet capture mechanism is also required for intercepting and

Qlear THE QLEAR EXPERIENCE INSIGHTS AFTER QLEAR PROBE INSTALLATION

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Denial of Service. Eduardo Cardoso Abreu - Federico Matteo Bencic - Pavel Alexeenko -

CSC 574 Computer and Network Security. Firewalls and IDS

A Prevention Model for Algorithmic Complexity Attacks

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

As for the requirement of having a USB 3.0 port, you will come to know the reason in the next section.

On the Difficulty of Scalably Detecting Network Attacks

Concept: Traffic Flow. Prof. Anja Feldmann, Ph.D. Dr. Steve Uhlig

Observer Probe Family

Rethinking Security: The Need For A Security Delivery Platform

Transcription:

icast / TRUST Collaboration Year 2 - Kickoff Meeting Robin Sommer International Computer Science Institute robin@icsi.berkeley.edu http://www.icir.org

Projects Overview Project 1 NIDS Evasion Testing in a Live Context Project 2 Efficient Archival & Retrieval of Network Activity 2

NIDS Evasion Testing in a Live Context 3

Network Intrusion Detection Network Intrusion Detection Systems (NIDS) monitor traffic passively for security violations Internet Tap Internal Network NIDS NIDS reconstructs activity from network packets Needs to track the state of endpoints closely May miss attacks if it gets desynchronized from endpoints However, there are fundamental limitations 4

Evasion Opportunities NIDS may interpret data differently than endpoints Protocol implementations often differ for corner-case semantics RFCs hardly define how to respond to non-conforming traffic ( Be liberal in what you accept, and conservative in what you send. ) Endpoints may actually see different data than NIDS Packets may, e.g., be dropped before they reach their destination Even benign traffic contains tons of crud Attacker can craft traffic to exploit such ambiguities 5

Building an Evasion Test-suite Handling of ambiguities crucial for accuracy No perfect solution but many cases can be mitigated or at least detected To the user, a NIDS is often just a black-box Hard to understand & validate the internal operation Typically its unclear how the NIDS handles ambiguities We built a framework to test NIDS for their evasion resilience in our year one effort. While commercial labs perform such tests, no open platform existed so far 6

The idsprobe Framework idsprobe is as a modular & extensible framework to 1. Systematically generate test-cases 2. Evaluate a NIDS Input Trace Test Case Generation Test Traces NIDS Output Analysis Evasion Module Evasion Module Evasion Modules Expected Output Works well, but is restricted to offline analysis. 7

Year 2: Testing in a Live Context Goal of Year 2: Extend idsprobe to incorporate live traffic Not everything can be evaluated offline on traces: 1. Attacks which depend on live conditions Especially overload attack seeking to exhaust CPU or memory resources 2. Active evasion counter-measures Active Mapping, Normalization, Hybrid IDS 8

Example: Resource Exhaustion Algorithmic Complexity Attacks force worst-case behavior Crosby & Wallach presented hash collision attack Usenix Security 2003 Attack weak hash functions by generate lots of collisions with low-volume input Attacked Perl, Squid, and the Bro NIDS Bro could be overloaded with the bandwidth of a modem More generally, packet floods can exhaust CPU budget Only detectable when running the NIDS live 9

Extending idsprobe Goal for Year 2: Extending idsprobe to handle live traffic This involves Setting up a test-lab network (including live victims ) Replaying traffic into the network Ensuring consistency between runs of the test-suite Automating the process Result will be a comprehensive online/offline framework 10

Efficient Archival & Retrieval of Network Activity 11

Motivation Network operators need to understand network s activity For, e.g., troubleshooting and tracking security breaches Typical information sources are firewalls, IDS, NetFlow, logging daemons, etc. Requires analysis in both time and space Temporal:! Understanding past & future activity Spatial:!! Incorporating heterogeneous sources Today, this is essentially a manual process Goal: Build a Time Machine which unifies these analyses Integrates a multitude of different sources in a coherent way Provides an interactive query interface for past & future activity Operates in a policy-neutral fashion Can coalesce, age, sanitize, and also reliably delete data 12

Application Scenario Server IDS Router Desktop "Who accessed system X and also fetched URL Y?" Time-Machine Analyst 13

Time Machine for Network Traffic We have already built a Time Machine for network packets Efficient packet bulk-recorder for high-volume network streams Taps into a network link and records packets in their entirety Provides efficient query interface to retrieve past traffic Proven to be extremely valuable for network forensics in operational use at LBL Heuristics for volume reduction Cut-off:! Expiration:! For each connection, TM stores only the first few KB Once available space is exhausted, TM expires oldest packets Simple yet very effective scheme Even in large networks we can go back in time for several days 14

Generalizing the Time Machine We now aim to build a generalized Time Machine Incorporates arbitrary network activity rather than just packets Allows live queries for future activity The packet-based TM relies on three concepts 1. A high-volume stream of input that we want to archive & query 2. A rule how to separate more important input from less important input 3. An aging mechanism to expire old information when storage fills up These concepts are independent of packets Need to find a suitable data model to network activity 15

Event Model Events are well-suited to represent network activity Our Bro NIDS already relies on an event model Abstracts network packets into high-level events, e.g., connection_attempt, http_request, ssh_login Security policies are specified on top of these event Events are policy-neutral (no notion good or bad ) Network can be instrumented to provide events Network components can provide activity in form of event streams We have already done that in the Bro context for, e.g., syslog, Apache, OpenSSH Machinery for instrumentation exists (libbroccoli) Time Machine archives events instead of packets Event archive provides a picture of the network s activity 16

Event Model (2) Aggregation gives a powerful aging scheme Instead of deleting old data, we can aggregate From low-level & high-volume to high-level & low-volume E.g., from NetFlow records to traffic matrices Aggregation schemes are event-specific Time Machine will provide extensive hooks for flexibility Events also allow sanitizing data for archival E.g., anonymization before storage 17

Time Machine Architecture Event Stream Dispatcher Event Archive Event Indices Stream Query Engine Query Manager Operator 18

Project Tasks Instrumenting network components Developing event specifications and aggregation schemes Leveraging existing technology for implementation Extending tools where necessary (e.g., scripting language interfaces) Building the Time Machine platform Designing the user interface Devising example queries to understand applications Designing the storage backend for efficient archival & retrieval Evaluating existing database backends Designing the live query engine Evaluating existing stream databases 19

Year 2 Projects Project 1 NIDS Evasion Testing in a Live Context Project 2 Efficient Archival & Retrieval of Network Activity 20

Any questions...? Robin Sommer International Computer Science Institute robin@icsi.berkeley.edu http://www.icir.org

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback