CSE543 - Computer and Network Security Module: Intrusion Detection


1 CSE543 - Computer and Network Security Module: Intrusion Detection
Professor Trent Jaeger
CMPSC443 - Introduction to Computer and Network Security

2 Intrusion
An authorized action... that exploits a vulnerability... that causes a compromise... and thus a successful attack.
Authentication and Access Control Are No Help!

3 Example Intrusions
Network:
- Malformed (and unauthenticated) packet
- Let through the firewall
- Reaches the network-facing daemon
- Can we detect intrusions from packet contents?
Host:
- Input to daemon exploits a vulnerability (buffer overflow)
- Injects attacker code
- Performs malicious action
- Can we detect intrusions from process behavior?

4 Intrusion Detection (def. by Forrest)
An IDS finds anomalies: "The IDS approach to security is based on the assumption that a system will not be secure, but that violations of security policy (intrusions) can be detected by monitoring and analyzing system behavior." [Forrest 98]
However you do it, it requires:
- Training the IDS (training)
- Looking for anomalies (detection)
This is an active area of computer security that has led to lots of new tools, applications, and an entire industry.

5 Intrusion Detection Systems
IDSs claim to detect the adversary while they are in the act of attack:
- Monitor operation
- Trigger a mitigation technique on detection
- Monitor: network or host (application) events
Tools that discover intrusions after the fact are called forensic analysis tools, e.g., working from system logfiles.
"IDS" really refers to two kinds of detection technologies:
- Anomaly Detection
- Misuse Detection

6 Anomaly Detection
Compares a profile of normal system operation to the monitored state.
Hypothesis: any attack causes enough deviation from the profile (generally true?)
Q: How do you derive normal operation?
- AI: learn operational behavior from training data
- Expert: construct the profile from domain knowledge
- Black-box analysis (vs. white or grey?)
Q: Is "normal" the same for all environments?
Pitfall: false learning

7 Misuse Detection
Profile signatures of known attacks and monitor the operational state for a signature.
Hypothesis: attacks of the same kind have enough similarity to distinguish them from normal behavior. This is largely pattern matching.
Q: Where do these signatures come from?
- Record: recorded progression of known attacks
- Expert: domain knowledge
- AI: learn by negative and positive feedback

8 The confusion matrix
What constitutes an intrusion/anomaly is really just a matter of definition. A system can exhibit all sorts of behavior: legal, normal, abnormal.

                           Detection result
                           T                   F
    Reality   T            True Positive       False Negative
              F            False Positive      True Negative

Quality is determined by consistency with a given definition, which is context sensitive.

9 Sequences of System Calls
Forrest et al. in the early-to-mid 90s attempted to understand the characteristics of an intrusion.
Event Stream: OPEN READ WRITE MMAP CLOSE
System Profile: READ WRITE MMAP
Idea: match the sequence of system calls with profiles:
- n-grams of system call sequences (learned)
- Match sliding windows of sequences
- Record the number of mismatches
- Use n-grams of length 5, 6, 11
If the sequence is found, then it is normal (w.r.t. learned sequences).

10 Evaluating Forrest et al.
The qualitative measure of detection is the departure of the trace from the database of n-grams. They measure how far a particular n-gram i departs by computing the minimum Hamming distance of the sample from the database (really pairwise mismatches):
    d_min = min( d(i,j) for all normal j in the n-gram database )
This is called the anomaly signal.
Result: on lpr, sendmail, etc., about .05-.07% false positive rates, and S_A = maximum d_min ≈ .04.
Is this good?
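The matching procedure of slides 9 and 10, as an added worked example (not code from the slides or from Forrest et al.): it builds an n-gram profile from normal traces, slides a window over a new trace, and computes the d_min anomaly signal per window. The traces are constructed toy data and the window size is 3 for readability; the slides report results for 5, 6 and 11.

```python
# Added example: Forrest-style system-call n-gram anomaly detection.
# The traces below are constructed toy data, not real process traces.


def ngrams(trace, n):
    """Every length-n sliding window of a trace, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(normal_traces, n):
    """Training phase: the set of all n-grams observed in normal runs."""
    profile = set()
    for trace in normal_traces:
        profile.update(ngrams(trace, n))
    return profile


def hamming(a, b):
    """Pairwise mismatch count between two n-grams of equal length."""
    return sum(x != y for x, y in zip(a, b))


def anomaly_signal(trace, profile, n):
    """Detection phase.

    For each window i of the trace compute
        d_min(i) = min over normal j in the profile of d(i, j)
    (0 when the window itself is in the profile). Returns the list of
    d_min values, the fraction of windows that mismatch, and
    S_A = max(d_min) / n, the maximum signal normalised to [0, 1].
    """
    dmins = []
    for g in ngrams(trace, n):
        if g in profile:
            dmins.append(0)
        else:
            dmins.append(min(hamming(g, p) for p in profile))
    if not dmins:
        return [], 0.0, 0.0
    mismatch_rate = sum(1 for d in dmins if d > 0) / len(dmins)
    return dmins, mismatch_rate, max(dmins) / n


# Constructed training traces for a hypothetical daemon.
NORMAL_TRACES = [
    ["open", "read", "write", "mmap", "close"],
    ["open", "read", "read", "write", "close"],
]
N = 3  # toy window size; the slides use 5, 6 and 11
PROFILE = build_profile(NORMAL_TRACES, N)

# A run that matches the profile, and a constructed run in which the
# daemon suddenly spawns a process and opens a network socket.
NORMAL_RUN = ["open", "read", "write", "mmap", "close"]
ODD_RUN = ["open", "execve", "socket", "connect", "close"]


def classify(trace, threshold=0.5):
    """Flag a trace when its normalised anomaly signal exceeds threshold."""
    _, _, s_a = anomaly_signal(trace, PROFILE, N)
    return s_a > threshold


if __name__ == "__main__":
    for name, run in (("normal", NORMAL_RUN), ("odd", ODD_RUN)):
        dmins, rate, s_a = anomaly_signal(run, PROFILE, N)
        print(f"{name}: d_min={dmins} mismatch_rate={rate:.2f} S_A={s_a:.2f}")
```

The normal run produces d_min = 0 for every window; the odd run produces d_min values of 2, 3 and 2 out of a maximum of 3, so S_A = 1.0 and the trace is flagged. The threshold on S_A is exactly the knob that the base-rate discussion on the following slides is about: lowering it catches more attacks and also flags more of the legitimate windows whose d_min is small but non-zero.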

11 Gedankenexperiment
Assume a very good anomaly detector (99%), and a pretty constant attack rate, where you can observe that 1 out of 10,000 events are malicious.
Are you going to detect the adversary well?

12 Bayes Rule
Pr(x): probability of event x, e.g. Pr(sunny) = .8 (80% chance of a sunny day)
Pr(x|y): probability of x given y (conditional probability), e.g. Pr(cavity|toothache) = .6 (60% chance of a cavity given you have a toothache)
Bayes Rule (of conditional probability):
    Pr(B|A) = Pr(A|B) Pr(B) / Pr(A)

13 The (base-rate) Bayesian Fallacy
Setup:
- Pr(T) is the attack probability, 1/10,000: Pr(T) = .0001
- Pr(F) is the probability of an event flagging, unknown
- Pr(F|T) is 99% accurate (higher than most techniques): Pr(F|T) = .99, Pr(!F|T) = .01, Pr(F|!T) = .01, Pr(!F|!T) = .99
Deriving Pr(F):
    Pr(F) = Pr(F|T) * Pr(T) + Pr(F|!T) * Pr(!T)
    Pr(F) = (.99)(.0001) + (.01)(.9999) = .010098
Now, what's Pr(T|F)?

14 The Bayesian Fallacy
Now plug it into Bayes Rule:
    Pr(T|F) = Pr(F|T) Pr(T) / Pr(F) = (.99)(.0001) / .010098 ≈ .0098
So, a 99% accurate detector leads to 1% accurate detection, with 99 false positives per true positive.
This is a central problem with IDS: suppression of false positives is the real issue. It is an open question, and makes some systems unusable.

15 Where is Anomaly Detection Useful?

    System   Attack Density   Detector Flagging   Detector Accuracy   True Positives
             P(T)             Pr(F)               Pr(F|T)             P(T|F)
    A        0.1              ?                   0.65                ?
    B        0.001            ?                   0.99                ?
    C        0.1              ?                   0.99                ?
    D        0.00001          ?                   0.99999             ?

    Pr(B|A) = Pr(A|B) Pr(B) / Pr(A)

16 Where is Anomaly Detection Useful?

    System   Attack Density   Detector Flagging   Detector Accuracy   True Positives
             P(T)             Pr(F)               Pr(F|T)             P(T|F)
    A        0.1              0.38                0.65                0.171
    B        0.001            0.01098             0.99                0.090164
    C        0.1              0.108               0.99                0.911667
    D        0.00001          0.00002             0.99999             0.5

    Pr(B|A) = Pr(A|B) Pr(B) / Pr(A)
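Bayes Rule and the base-rate computation of slides 12 through 16, as an added worked example (not code from the slides): it recomputes Pr(F) and Pr(T|F) for the slide 13 numbers and for the four systems in the table above, assuming, as slide 13 does, a symmetric detector with Pr(F|!T) = 1 - Pr(F|T). For system C the arithmetic gives 0.099 / 0.108 = 0.916667; the table's 0.911667 appears to be a transcription slip.

```python
# Added example: base-rate arithmetic for an IDS alarm (slides 12-16).
# Assumes, as slide 13 does, a symmetric detector: Pr(F|not T) = 1 - Pr(F|T).


def flag_probability(p_attack, accuracy, false_alarm_rate=None):
    """Pr(F) = Pr(F|T) Pr(T) + Pr(F|not T) Pr(not T)."""
    if false_alarm_rate is None:
        false_alarm_rate = 1 - accuracy
    return accuracy * p_attack + false_alarm_rate * (1 - p_attack)


def attack_given_flag(p_attack, accuracy, false_alarm_rate=None):
    """Bayes Rule: Pr(T|F) = Pr(F|T) Pr(T) / Pr(F)."""
    p_flag = flag_probability(p_attack, accuracy, false_alarm_rate)
    return accuracy * p_attack / p_flag


def false_alarms_per_true_alarm(p_attack, accuracy, false_alarm_rate=None):
    """Expected number of false positives for every true positive."""
    if false_alarm_rate is None:
        false_alarm_rate = 1 - accuracy
    return (false_alarm_rate * (1 - p_attack)) / (accuracy * p_attack)


# Rows of the slide 16 table: (attack density P(T), accuracy Pr(F|T)).
SYSTEMS = {
    "A": (0.1, 0.65),
    "B": (0.001, 0.99),
    "C": (0.1, 0.99),
    "D": (0.00001, 0.99999),
}


def slide_table():
    """Recompute Pr(F) and P(T|F) for each system, rounded to 6 places."""
    return {
        name: (round(flag_probability(p, acc), 6),
               round(attack_given_flag(p, acc), 6))
        for name, (p, acc) in SYSTEMS.items()
    }


if __name__ == "__main__":
    # Slide 13: Pr(T) = 1/10,000 and a 99% detector.
    print("Pr(F) =", round(flag_probability(0.0001, 0.99), 6))
    print("Pr(T|F) =", round(attack_given_flag(0.0001, 0.99), 4))
    print("false alarms per true alarm =",
          round(false_alarms_per_true_alarm(0.0001, 0.99)))
    for name, (p_flag, p_t_given_f) in slide_table().items():
        print(name, p_flag, p_t_given_f)
```

The third argument lets you drop the symmetry assumption and plug in a measured false-alarm rate Pr(F|!T) separately from the detection rate, which is the number that actually drives P(T|F) once the attack density is small: halving Pr(F|!T) helps far more than raising Pr(F|T) from 0.99 to 0.999.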

17 The ROC curve
Receiver operating characteristic: a curve that shows the detection rate against the false positive rate, compared to the ideal.
Axelsson talks about the real problem with some authority and shows how this is not unique to CS: medical, criminology (think Super Bowl), financial.

18 Example ROC Curve
You are told to design an intrusion detection algorithm that identifies vulnerabilities by solely looking at transaction length, i.e., the algorithm uses a packet length threshold T that determines when a packet is marked as an attack. More formally, the algorithm is defined as a function D(k, T) ∈ {0, 1}, where k is the packet length of a suspect packet in bytes, T is the length threshold, and the outputs (0, 1) indicate that the packet should or should not be marked as an attack, respectively.
You are given the following data to use to design the algorithm:
- attack packet lengths: 1, 1, 2, 3, 5, 8
- non-attack packet lengths: 2, 2, 4, 6, 6, 7, 8, 9
Draw the ROC curve.

19 Solution
[ROC plot: True Positive Rate (y axis, 0 to 1) against False Positive Rate (x axis, 0 to 1)]

    T      0      1      2      3      4      5      6      7      8       9
    TP     0      2      3      4      4      5      5      5      6       6
    TP%    0.00   33.33  50.00  66.67  66.67  83.33  83.33  83.33  100.00  100.00
    FP     0      0      2      2      3      3      5      6      7       8
    FP%    0.00   0.00   25.00  25.00  37.50  37.50  62.50  75.00  87.50   100.00
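The TP/FP table above, as an added worked example (not code from the slides): it evaluates the threshold detector for T = 0..9 on the two packet-length lists from slide 18 and also computes the area under the resulting ROC curve. The definition of D(k, T) was not transcribed, so the decision rule used here, mark a packet as an attack when k <= T, is an assumption; it is the rule that reproduces the solution table exactly.

```python
# Added example: TP/FP table and ROC points for the length-threshold
# detector of slides 18-19. The decision rule "attack when k <= T" is an
# assumption (the slide's formula was not transcribed); in this code a
# 1 from detect() means "marked as an attack".

ATTACK_LENGTHS = [1, 1, 2, 3, 5, 8]        # from slide 18
NORMAL_LENGTHS = [2, 2, 4, 6, 6, 7, 8, 9]  # from slide 18


def detect(k, threshold):
    """D(k, T) under the assumed rule: 1 = mark as attack, 0 = do not."""
    return 1 if k <= threshold else 0


def roc_point(threshold, attacks=ATTACK_LENGTHS, normals=NORMAL_LENGTHS):
    """Return (TP, TP%, FP, FP%) for one threshold T."""
    tp = sum(detect(k, threshold) for k in attacks)
    fp = sum(detect(k, threshold) for k in normals)
    return (tp, round(100.0 * tp / len(attacks), 2),
            fp, round(100.0 * fp / len(normals), 2))


def roc_table(thresholds=range(0, 10)):
    """The slide 19 table, keyed by threshold T."""
    return {t: roc_point(t) for t in thresholds}


def auc(thresholds=range(0, 10)):
    """Trapezoidal area under the ROC curve (FPR on x, TPR on y),
    computed from the unrounded rates. 0.5 is a coin flip, 1.0 ideal."""
    pts = []
    for t in thresholds:
        tp, _, fp, _ = roc_point(t)
        pts.append((fp / len(NORMAL_LENGTHS), tp / len(ATTACK_LENGTHS)))
    pts.sort()
    area = 0.0
    for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
        area += (x1 - x0) * (y0 + y1) / 2.0
    return area


if __name__ == "__main__":
    print("T   TP  TP%     FP  FP%")
    for t, (tp, tp_pct, fp, fp_pct) in roc_table().items():
        print(f"{t:<3} {tp:<3} {tp_pct:<7} {fp:<3} {fp_pct}")
    print("AUC =", round(auc(), 4))
```

With only fourteen samples the curve is coarse, but it already shows the trade-off the earlier slides describe: the threshold T = 3 catches two thirds of the attacks at a 25% false positive rate, and every further gain in detection is paid for with a larger jump in false positives. The area under the curve, about 0.74, is what a detector that looks only at packet length can offer on this data.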

20 The reality
Intrusion detection systems are good at catching demonstrably bad behavior (and some subtle behavior).
Alarms are the problem: how do you suppress them, and not suppress the true positives? This is a limitation of probabilistic pattern matching, and has nothing to do with bad science.
Beware: the fact that an IDS is not alarming does not mean the network is safe. All too often it is used as a tool to demonstrate "all safe", but it is not really appropriate for that.