blue sensors sensor correlation and alert fusion
play

Blue Sensors, Sensor Correlation, and Alert Fusion Al Valdes - PowerPoint PPT Presentation

Feb 01, 2024 •678 likes •842 views

Blue Sensors, Sensor Correlation, and Alert Fusion Al Valdes 10/4/00 Event Processing, Monitoring, and Correlation Note: Event counts Represent 6 weeks of Meta Alerts Meta Alert CSL Data (500) Fusion Other Monitors Alerts (1.5K)

  1. Blue Sensors, Sensor Correlation, and Alert Fusion Al Valdes 10/4/00

  2. Event Processing, Monitoring, and Correlation Note: Event counts Represent 6 weeks of Meta Alerts Meta Alert CSL Data (500) Fusion Other Monitors Alerts (1.5K) eBayes-TCP eBayes-Host Sessions (200K) TCP Connections (2M)

  3. Functions of Correlation • Consolidate a large number of raw events into a single attack – Emerald Alert Thread mechanism achieves this – Example: Syn flood may be thousands of events, reported as a single alert to the GUI • Use the state of one monitor to adjust another (for false alarm suppression or to enhance sensitivity) • Fuse alerts (possibly from heterogeneous sensors) into one message

  4. Bayes Approach Succinctly • Start with a PRIOR expectation of the world • Observe EVIDENCE • Mathematically obtain an update belief in the state of the world, based on – Prior – Observed Evidence • For long-running processes, the updated belief becomes your new prior expectation • Would like to utilize external information to adjust prior

  5. “Blue Sensor”: Service Availability Monitoring • Adaptively learns which services (ports) are valid on which hosts • Based on Bayes analysis of traffic bursts, continuously maintains state for each such service • Coupled with TCP session monitor: – Effect on prior expectation of some feature values (e. g., successful 3- way handshake) mathematically reasonable – Attempts to connect to invalid services raise sensitivity: Stealth port scans in LL 99 data detected – Attempts by legitimate clients to connect to “down” services are now modeled with a different prior expectation: Effective false alarm suppression

  6. Meta Alert Fusion • First, decide if the new alert matches an existing one • Alerts contain a number of features – Source(s) – Target(s) – Target port(s) – Type of attack • Approach here is to compare an alert to existing META ALERTS • For each feature: – Does it match? - Feature-specific similarity – Do we expect it to match? - Like a Bayes prior • We then compose an overall match. If it is good enough, we fuse the new alert with the existing one.

  7. So What is Similarity • Want a number between 0 and 1 (to manipulate like a probability) • A Bayes belief fits the bill for some features • For list features, how much do they overlap and how much could they overlap – Example, eBayes-TCP does not see UDP ports. – If eBayes-TCP reports a portsweep, and – Another monitor reports a TCP and UDP portsweep, and – The TCP ports match, then the two lists overlap as much as they can

  8. What is Similarity (2) • Another notion for lists: “Is contained in…” • Specific to IP: “Is in the same subnet…” • For attack type, sequencing information is more important: – If we saw a probe, then our prior expectation of a subsequent DOS to a target of the probe goes up – In the case of a DOS, we expect source IP to be spoofed, so expectation of match for this feature is low. • So we would like to call a probe followed by a DOS to a target of the probe similar even if the source does not match – Target of new alert “is contained in” target of meta alert – Expectation of similarity for source IP in a DOS is low – Expectation of DOS attack after a probe is moderate

  9. Similarity and Anomaly Detection • For each session, maintain list of ports accessed • Compare to a database of lists • If find a match, fuse the lists (new list is a superset of the two, with features for trimming rare entries) • Otherwise, the new list is added to the database • Return a database match (= anomaly) score. Flag very rare lists • Result: nearly double the eBayes detections on the Lincoln data, with no false alerts • On live traffic, anomalies are nearly half the alerts, but some appear to be good hits (example, stealthy scans to suspicious port patterns, NAPSTER, {80, 1080, 3128},...) • Training interval is self-determined and much shorter than eStat in practice (minutes to hours vs. one month)

  10. So Does It Work? • 5 Days of live eBayes with the meta alert capability monitoring the CSL gateway (08/09 - 08/14/00) • 131 alerts - 62 from anomaly detection • Meta-alert capability reduces this to 68 at SIM > 0.6 • Subjectively, fused alerts make sense

  11. Example of Fused Alert • Saw numerous sweeps similar to: Thread ID 4860 Class= portsweep BEL (class) = 0.994 BEL(attack)= 1.000 2000-08-10 06:50:28 from 193.230.37.2 ports 1268 to 32434 duration= 0.321 30 dest IPs: 130.107.1.1 130.107.3.1 130.107.4.1 130.107.5.1 130.107.6.1 130.107.7.1 130.107.8.1 130.107.9.1 130.107.10.1 130.107.11.1 130.107.12.1 130.107.13.1 130.107.14.1 130.107.15.1 130.107.16.1 130.107.17.1 130.107.18.1 130.107.19.1 130.107.20.1 130.107.21.1 130.107.22.1 130.107.23.1 130.107.24.1 130.107.25.1 130.107.26.1 130.107.27.1 130.107.28.1 130.107.29.1 130.107.30.1 130.107.31.1 6 dest ports: 635{30} 110{29} 143{29} 53{27} 21{27} 109{22} count 164 max age count 0.16 code 3 svc 1 max-err 3.83 -opn 0 -o i p 0 -oport 0 BEL 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.994 0.004 0.002 0.000 PCODE 0.000 0.000 0.000 1.000 0.000 0.000 0.0 0 0 SVC DIST 0.417 0.000 0.194 0.000 0.389 0.000 Non-sys alloc ports 6 port_anom 0.989744 code_anom 0.987017 Invalid hosts 30 Invalid ports 6 Neval 2 4 eval_count 0 LL-LIST 2000-08-10 06:50:28 130.107.1.1 to 130.107.31.1 portsweep 1.000

  12. These Were Fused into the Following Meta Alert Meta Alert Thread 15 Source IPs 193.230.37.2 Target IPs 130.107.1.1 130.107.3.1 130.107.4.1 130.107.5.1 130.107.6.1 130.107.7.1 130.107.8.1 130.107.9.1 130.107.10.1 130.107.11.1 130.107.12.1 130.107.13.1 130.107.14.1 130.107.15.1 130.107.16.1 130.107.17.1 130.107.18.1 130.107.19.1 130.107.20.1 130.107.21.1 130.107.22.1 130.107.23.1 130.107.24.1 130.107.25.1 130.107.26.1 130.107.27.1 130.107.28.1 130.107.29.1 130.107.30.1 130.107.31.1 130.107.1.2 130.107.3.2 130.107.4.2 130.107.5.2 130.107.6.2 130.107.7.2 130.107.8.2 130.107.9.2 130.107.10.2 130.107.11.2 130.107.12.2 130.107.13.2 130.107.14.2 130.107.15.2 130.107.16.2 130.107.17.2 130.107.18.2 130.107.19.2 130.107.20.2 130.107.21.2 130.107.22.2 130.107.23.2 130.107.24.2 130.107.25.2 130.107.26.2 130.107.27.2 130.107.28.2 130.107.29.2 130.107.30.2 130.107.31.2 130.107.1.3 130.107.3.3 130.107.4.3 130.107.5.3 130.107.6.3 130.107.7.3 130.107.8.3 130.107.9.3 130.107.10.3 130.107.11.3 130.107.12.3 130.107.13.3 130.107.14.3 130.107.15.3 130.107.16.3 130.107.17.3 130.107.18.3 130.107.19.3 130.107.20.3 130.107.21.3 130.107.22.3 130.107.23.3 130.107.24.3 130.107.25.3 130.107.26.3 130.107.27.3 130.107.28.3 130.107.29.3 130.107.30.3 130.107.31.3 130.107.1.4 130.107.3.4 130.107.4.4 130.107.5.4 130.107.6.4 130.107.7.4 130.107.8.4 130.107.9.4 130.107.10.4 130.107.11.4 From 2000-08-10 06:50:28 to 2000-08-14 01:47:18 Ports Sum Hits 522.999 dot product 0.166816 Index 635 Prob 0.172815 Index 110 Prob 0.17024 Index 143 Prob 0.168917 Index 53 Prob 0.166216 Index 21 Prob 0.164595 Index 109 Prob 0.157217 Number of threads 26 Threads :4860 5564 6314 6980 7650 8223 8767 9287 9778 10350 10964 11577 12188 12634 13033 13802 14166 14525 17584 17907 18238 18558 18861 19185 19607 19980 Number of steps 1 Attack steps :portsweep

  13. Meta Alert Content • IP Target list is superset of affected IP’s • Port list is similarly fused (note we get probability distribution over the ports) • The date range is multiple days • We retain the thread ID’s of the component alerts – Detailed drill-down capability – HTML Links in browse-able alert text file

  14. Potential Usefulness • Correlating attacks that take place over extended time period (demonstrated) • Potential to increase sensitivity – Suspicious events below reporting threshold are nonetheless eligible for meta alert fusion – Over a sufficiently long time, collective suspiciousness rating rises to the reportable level • Scenario reconstruction

  15. Summary • Presented a 3-tier View of Alert Correlation: – Threads for event aggregation – Modification of sensor state based on state of another sensor, or other external information – Alert fusion based on similarity measures • Introduced EMERALD System Availability Monitor (Blue Sensor) – It state modifies session monitor, increasing sensitivity and suppressing false alarms • Defined Alert Fusion approach – Based on appropriate similarity measures (some of which may be Bayes) – Couple this with expectation of similarity for each feature – Combine over features in common to determine if an alert matches an existing meta-alert thread • This has now been demonstrated in a meaningful sense on real data

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sensor Fusion using Proprioceptive and Exteroceptive Sensors Thomas Schn Division of Automatic

Sensor Fusion using Proprioceptive and Exteroceptive Sensors Thomas Schn Division of Automatic

Sensor Fusion using Proprioceptive and Exteroceptive Sensors Thomas Schn Division of Automatic Control Linkping University Sweden www.control.isy.liu.se/~schon Joint work with: Tobias Andersson ( Autoliv ), Jonas Callmer ( LiU ), Andreas

348 views • 34 slides
Resource-Efficient Encoding Communication and Fusion in Wireless Networks of Sensors and

Resource-Efficient Encoding Communication and Fusion in Wireless Networks of Sensors and

Resource-Efficient Encoding Communication and Fusion in Wireless Networks of Sensors and Actuators Haralabos Papadopoulos Electrical and Computer Engineering University of Maryland, College Park Wireless Sensor Networks Sensor networks for

492 views • 17 slides
Distributed Fusion in Sensor Distributed Fusion in Sensor Networks Networks Jie Gao Computer

Distributed Fusion in Sensor Distributed Fusion in Sensor Networks Networks Jie Gao Computer

Distributed Fusion in Sensor Distributed Fusion in Sensor Networks Networks Jie Gao Computer Science Department Stony Brook University Papers Papers [Xiao04] Lin Xiao, Stephen Boyd, Fast Linear Iterations for Distributed Averaging ,

659 views • 50 slides
Introduction to Sensor Data Fusion Methods and Applications Last lecture: Why Sensor Data

Introduction to Sensor Data Fusion Methods and Applications Last lecture: Why Sensor Data

Introduction to Sensor Data Fusion Methods and Applications Last lecture: Why Sensor Data Fusion? Motivation, general context Discussion of examples Today: Steep climb to a first algorithm. oral examination: 6 credit points

1.02k views • 56 slides
Introduction to Sensor Data Fusion Methods and Applications Last lecture: Why Sensor Data

Introduction to Sensor Data Fusion Methods and Applications Last lecture: Why Sensor Data

Introduction to Sensor Data Fusion Methods and Applications Last lecture: Why Sensor Data Fusion? Motivation, general context Discussion of examples Today: Steep climb to a first algorithm. oral examination: 6 credit points

995 views • 42 slides
A method of personal positioning based on sensor data fusion of wearable camera and

A method of personal positioning based on sensor data fusion of wearable camera and

A method of personal positioning based on sensor data fusion of wearable camera and self-contained sensors. *1 *2 *1 Makasakatsu Kourogi and Takeshi Kurata *1 National Institute of Advanced Industrial Science and Technology (AIST) *2 HIT

483 views • 24 slides
a SENSOR OVERVIEW I Sensors: Convert a Signal or Stimulus (Representing a Physical Property)

a SENSOR OVERVIEW I Sensors: Convert a Signal or Stimulus (Representing a Physical Property)

PRACTICAL DESIGN TECHNIQUES FOR SENSOR SIGNAL CONDITIONING I 1 Introduction 2 Bridge Circuits 3 Amplifiers for Signal Conditioning 4 Strain, Force, Pressure, and Flow Measurements 5 High Impedance Sensors 6 Position and Motion Sensors 7

356 views • 7 slides
S@NY Sensors Anywhere FP6-033564 Adding Value to Geospatial Data with SensorSA Fusion Services

S@NY Sensors Anywhere FP6-033564 Adding Value to Geospatial Data with SensorSA Fusion Services

S@NY Sensors Anywhere FP6-033564 Adding Value to Geospatial Data with SensorSA Fusion Services Final SANY Event, Linz, 19 November 2009 Stuart E. Middleton IT Innovation Centre, University of Southampton What is the value of data fusion?

450 views • 11 slides
CS378 - Mobile Computing Sensing and Sensors Part 2 Using Sensors Recall basics for using a

CS378 - Mobile Computing Sensing and Sensors Part 2 Using Sensors Recall basics for using a

CS378 - Mobile Computing Sensing and Sensors Part 2 Using Sensors Recall basics for using a Sensor: Obtain the SensorManager object create a SensorEventListener for SensorEvents logic that responds to sensor event Register

708 views • 23 slides
Real-Time Monitoring Sensors Rain Gauge Sensors: Water Level Sensors: Other Sensors:

Real-Time Monitoring Sensors Rain Gauge Sensors: Water Level Sensors: Other Sensors:

Real-Time Monitoring Sensors Rain Gauge Sensors: Water Level Sensors: Other Sensors: Tipping Bucket Above Water - Radar, Ultrasonic Soil Moisture Sensor Measures Accumulation and Rainfall Rate Submersible

536 views • 7 slides
Sensors CS 4720 Mobile Application Development CS 4720 Sensor Categories Android

Sensors CS 4720 Mobile Application Development CS 4720 Sensor Categories Android

Sensors CS 4720 Mobile Application Development CS 4720 Sensor Categories Android sensors as separated into one of three broad categories: Motion sensors measure force and rotation Environmental sensors measure

274 views • 26 slides
Data for Official Statistics Marco Puts, Piet Daas, Martijn Tennekes Road sensors Road sensor

Data for Official Statistics Marco Puts, Piet Daas, Martijn Tennekes Road sensors Road sensor

High Frequency Road Sensor Data for Official Statistics Marco Puts, Piet Daas, Martijn Tennekes Road sensors Road sensor data Passing vehicle counts for each minute (24/7) at about 60.000 sensors in the Netherlands Types of sensors:

311 views • 16 slides
Decentralized publish-subscribe system to prevent coordinated attacks via alert correlation J.

Decentralized publish-subscribe system to prevent coordinated attacks via alert correlation J.

Decentralized publish-subscribe system to prevent coordinated attacks via alert correlation J. Garcia, F . Autrel, J. Borrell, S. Castillo, F . Cuppens, G. Navarro { jgarcia,jborrell,scastillo,gnavarro } @ccd.uab.es, {

291 views • 17 slides
About BD Entertainment Its Fusion Theatre with Dancing Sound The Blue Devils, a

About BD Entertainment Its Fusion Theatre with Dancing Sound The Blue Devils, a

About BD Entertainment Its Fusion Theatre with Dancing Sound The Blue Devils, a world-renowned performing arts organization, is the backbone behind this fresh, professional entertainment company. The Blue Devils are eleven time World

328 views • 5 slides
S80 Intelligent Sensors The ECD Six Point Advantage E LECTRO- C HEMICAL D EVICES What are the

S80 Intelligent Sensors The ECD Six Point Advantage E LECTRO- C HEMICAL D EVICES What are the

S80 Intelligent Sensors The ECD Six Point Advantage E LECTRO- C HEMICAL D EVICES What are the S80 Sensors? Intelligent Sensor Design that includes: Digital Communication Stored Calibration Data Temperature Sensor Durable

634 views • 14 slides
Motion Interpolation & Sensor Fusion Final presentation Lennart Bastian Antoine Keller Sofia

Motion Interpolation & Sensor Fusion Final presentation Lennart Bastian Antoine Keller Sofia

Introduction Background Interpolation and Approximation Interpolation and Approximation Optimization Sensor Fusion Motion Interpolation & Sensor Fusion Final presentation Lennart Bastian Antoine Keller Sofia Morales Santiago TUM

821 views • 44 slides
Best Practices in Responding to Refugee and Migrant Health Challenges in Europe Report on the

Best Practices in Responding to Refugee and Migrant Health Challenges in Europe Report on the

14th Summer Institute on Migration and Global Health, July 2019 Best Practices in Responding to Refugee and Migrant Health Challenges in Europe Report on the Health of Refugees and Migrants in the WHO European Region Dr. Santino Severoni,

563 views • 20 slides
Migration Control General Theme Migration control policies often depend on perceptions of

Migration Control General Theme Migration control policies often depend on perceptions of

Migration Control General Theme Migration control policies often depend on perceptions of migrants rather than empirical data When Mexico sends its people, theyre not sending their best. Theyre not sending you. Theyre not sending

472 views • 20 slides
129 million people across the world are affected by the current humanitarian crisis

129 million people across the world are affected by the current humanitarian crisis

Making #RefugeesWelcome 129 million people across the world are affected by the current humanitarian crisis According to local Red Cross workers, it is not possible to calculate the number of refugees or asylum seekers there are

148 views • 12 slides
Whistleblower Program Update Review of Activities and Initiatives Presentation to Citizens

Whistleblower Program Update Review of Activities and Initiatives Presentation to Citizens

City & County of San Francisco Office of the Controller Whistleblower Program Update Review of Activities and Initiatives Presentation to Citizens General Obligation Bond Oversight Committee May 25, 2017 Whistleblower Program Authority

739 views • 14 slides
@aaronrinehart @verica_io #chaosengineering @aaronrinehart @verica_io #chaosengineering

@aaronrinehart @verica_io #chaosengineering @aaronrinehart @verica_io #chaosengineering

@aaronrinehart @verica_io #chaosengineering @aaronrinehart @verica_io #chaosengineering CONFIDENTIAL Security Precognition @aaronrinehart @verica_io #chaosengineering Resilience is the story of the outage that never happened. - John

750 views • 71 slides
Belfast Port Health Our role & BREXIT City and Neighbourhood Services Department Belfast

Belfast Port Health Our role & BREXIT City and Neighbourhood Services Department Belfast

01/10/2018 Belfast Port Health Our role & BREXIT City and Neighbourhood Services Department Belfast Docks 1 01/10/2018 Belfast Port Health 70% of NIs seaborne trade 20% the island of Irelands trade 125,000 containers

436 views • 8 slides
Big Changes in Leasing Policy HEARTH Act was signed into law in 2012 BIA Leasing

Big Changes in Leasing Policy HEARTH Act was signed into law in 2012 BIA Leasing

4/15/2014 A WHOLE NEW BALLGAME Indian Leasing Under the HEARTH Act Bryan Newland Fletcher, PLLC bnewland@fletcherlawpllc.com Big Changes in Leasing Policy HEARTH Act was signed into law in 2012 BIA Leasing Regulations revised in 2012

380 views • 8 slides
!"#$%&#'($)*+",-'.*($',*/,%%(0(&('1

!"#$%&#'($)*+",-'.*($',*/,%%(0(&('1

!"#$%&#'($)*+",-'.*($',*/,%%(0(&('1 !"#$#%&#'()*+((,-")-"-(.//01-%$ 2")-%(3-%'(4%$&5&6&# 7-*(89:(;<8= A Place of Possibility !"#$%&'()*%&+",+ Population Growth

586 views • 14 slides

More recommend