collaborative incident handling based on the blackboard
play

Collaborative Incident Handling Based on the Blackboard-Pattern - PowerPoint PPT Presentation

Oct 07, 2022 •154 likes •422 views

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Collaborative Incident Handling Based on the Blackboard-Pattern Nadine Herold, Holger Kinkelin and Georg Carle November 8, 2016 Chair of

  1. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Collaborative Incident Handling Based on the Blackboard-Pattern Nadine Herold, Holger Kinkelin and Georg Carle November 8, 2016 Chair of Network Architectures and Services Department of Informatics Technical University of Munich

  2. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Contents Motivation and Background Related Work Problem Statement System Design and Implementation Evaluation Conclusion Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 2

  3. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Motivation and Background Related Work Problem Statement System Design and Implementation Evaluation Conclusion Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 3

  4. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Motivation • Amount and variants of attacks on networks is growing • Defending networks manually is impossible • Automated incident handling is highly beneficial • Continuously defend the network • Respond quickly • Less error-prone • Systematical incident response • We focus on intrusion handling Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 4

  5. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Background: Typical Intrusion Handling Steps • Network Monitoring (NMS) and Intrusion Detection Systems (IDS) collect information about the network and its healthiness • NMS: collect infrastructure information • IDS: raise alerts when an intrusion is detected • Alert Processing Systems (APS) aggregate, correlate and priori- tize alerts • Gain more insights into the intrusion by analyzing the situation • Intrusion Response Systems (IRS) counteract automatically • Identify suitable responses • Execute reponses on the target network, e.g., block a rogue host Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 5

  6. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Motivation and Background Related Work Problem Statement System Design and Implementation Evaluation Conclusion Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 6

  7. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Execution Model: Pipelined Intrusion Handling NMS I n f o Correlated or Aggregated Alerts Response Alert NIDS APS IRS t r e l A HIDS Amount of Information Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 7

  8. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Other Execution Models • Pipelined intrusion handling - Information loss from step to step - Limited information sharing capabilities • Intrusion handling using Complex Event Processing (CEP) - Window size difficult to determine (too large → low performance; too small → information loss) - Limited information sharing capabilities • Agent-based systems for intrusion handling - Central intelligent master component needed to dispatch informa- tion to agents Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 8

  9. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Motivation and Background Related Work Problem Statement System Design and Implementation Evaluation Conclusion Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 9

  10. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Problem Statement • Significant effort has been made to improve each intrusion step individually • No solution exists that interleaves steps and creates a compre- hensive view on the target network • Information already collected/computed in previous steps is lost for being used by subsequent steps • Information and intermediate results cannot be shared efficiently between single steps • Post-incident forensics of intrusion handling activities difficult Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 10

  11. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Motivation and Background Related Work Problem Statement System Design and Implementation Evaluation Conclusion Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 11

  12. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Introducing the Blackboard Pattern • The blackboard pattern is applicable to problems that can be de- composed into smaller sub-problems / sub-tasks • Example: (distributed) incident handling / intrusion handling • Sub-tasks solve their sub-problem and share their intermediate results with other sub-tasks • Original information remains untouched • Original information + intermediate results can be reused by sub- tasks to further tackle the problem • Blackboard needs an Information Model specifically designed for the problem domain Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 12

  13. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Blackboard-based Intrusion Handling Alert NMS Alerts Processing I n f o Intermediate Results (Aggregated or Corre- lated Alerts) Alert NIDS Blackboard Original, Aggregated or Correlated Alerts and Info Alert Information Model HIDS IRS Response Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 13

  14. Chair of Network Architectures and Services Department of Informatics Technical University of Munich System Overview NMS NIDS HIDS . . . Interface 1 Interface N Target System Aggregation Priorisation Correlation Insert Response Response Response Response Evaluation Execution Selection Identification Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 14

  15. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Requirements on an Information Model ... suitable for intrusion handling • R1: Separation – Segmentation of information enables updating/ad- ding of information by different modules • R2: Completeness – Information for all steps of Incident Handling needs to be present • R3: Compatibility to the IDMEF standard 1 used by many IDSes 1 Intrusion Detection Message Exchange Format, RFC 4765 Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 15

  16. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Information Model for Intrusion Response - Overview Alert Processing Intrusion Response Infrastructure Information Conse- Alert Response quences Network- Network Based L3- L2- Host- Network Network Based Attack Active Service- IP- Interface Based Address Target Passive User- MAC- Based Port Address Source Service Device Metric User Alert Response Imple- Priority Context Bundle mentation Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 16

  17. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Infrastructure Information Model – Examples Infrastructure Information Network • NMSes send their scanning results to L3- L2- specific interfaces which add the info Network Network to the Blackboard IP- • A Service runs at a Port opened on a Interface Address NIC with an IP-Address belonging to a L3-Network MAC- Port Address • A Device has a NIC with MAC-Address and assigned IP-Address Service Device • A User is logged into Device User • A User uses Service Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 17

  18. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Alert Information Model – Examples Alert Processing Conse- Alert quences • IDSes send IDMEF messages con- taining alerts to specific Blackboard Interfaces Attack • IDMEF alerts are normalized and Target combined into an Alert Context • Source (of attack) Source • Target (of attack) • Attack (type) • Alert and Alert Context nodes have Alert Priority a Priority Context Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 18

  19. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Implementation • Python 3 • Object oriented implementation of Information Model • Automatic translation of class structures to suitable database de- sign • Two different databases/database types used: • Relational: postgreSQL • Graph-based: OrientDB Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Collaborative Incident Handling Based on the Blackboard-Pattern Nadine Herold, Holger Kinkelin

Collaborative Incident Handling Based on the Blackboard-Pattern Nadine Herold, Holger Kinkelin

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Collaborative Incident Handling Based on the Blackboard-Pattern Nadine Herold, Holger Kinkelin November 25, 2016 Chair of Network

268 views • 25 slides
Overview Attacks Handling Security Incidents Security Incidents Handling Security

Overview Attacks Handling Security Incidents Security Incidents Handling Security

Overview Attacks Handling Security Incidents Security Incidents Handling Security Incidents Incident management Methods and Tools Maintaining Incident Preparedness Chapter 7 Standard Incident Handling Procedures Learn

358 views • 7 slides
Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March

Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March

Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March 2010 Overview Actively manage incident handling Be ready BEFORE an incident Based on NIST SP800-61rev1 recommendation

466 views • 32 slides
Extended INCident Handling Working Group (INCH)

Extended INCident Handling Working Group (INCH)

Internet Engineering Task Force Extended INCident Handling Working Group (INCH) http://www.cert.org/ietf/inch/inch_interim_2004.html 12:00 16:00 Sunday, June 13 2004 Interim Meeting Budapest, Hungary Roman Danyliw, <rdd@cert.org>

396 views • 16 slides
Page 1 Wait for your new recording to automatically appear in Blackboard once generated.

Page 1 Wait for your new recording to automatically appear in Blackboard once generated.

Recording a PowerPoint Presentation using Blackboard Collaborate Blackboard Quick Guide If you would like to record a number of mini-lectures capturing topics of particular importance to your students, Blackboard Collaborate Ultra offers an easy

515 views • 5 slides
Software Vulnerability Handling and practical incident recognition Idea: ( ) Sven Gabriel

Software Vulnerability Handling and practical incident recognition Idea: ( ) Sven Gabriel

EGI Community Forum 2014 Software Vulnerability Handling and practical incident recognition Idea: ( ) Sven Gabriel NIKHEF All the hard work: Heiko Reese KIT-CERT ( ) Sven Gabriel? 20042007: FZK Karlsruhe, T-1 GridKa Site Admin

1.19k views • 38 slides
ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds

ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds

ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 Introduction CSIRT 2017 March

703 views • 39 slides
Blackboard Collaborate Ultra Academic Computing Services Schedule and join Blackboard

Blackboard Collaborate Ultra Academic Computing Services Schedule and join Blackboard

Blackboard Collaborate Ultra Academic Computing Services Schedule and join Blackboard Collaborate web conferencing sessions and view recorded archives Blackboard Collaborate Training Overview Learning Objectives -Demonstrate that you can

975 views • 18 slides
Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Topic Outcomes Acquire data (from a disk) using `dd` Analyze image of disk from `dd` using forensics tools including

492 views • 19 slides
MESSAGE HANDLING MESSAGE HANDLING ICS- -213 213 ICS Presented by Chuck Sprick KE5RAD Feb

MESSAGE HANDLING MESSAGE HANDLING ICS- -213 213 ICS Presented by Chuck Sprick KE5RAD Feb

MESSAGE HANDLING MESSAGE HANDLING ICS- -213 213 ICS Presented by Chuck Sprick KE5RAD Feb 17, 2008 1 Message Forms Various forms were used by different agencies & operators Incident Command System requires us to use ICS-213

535 views • 11 slides
Incorporating Network Flows in Intrusion Incident Handling and Analysis John Gerth Stanford

Incorporating Network Flows in Intrusion Incident Handling and Analysis John Gerth Stanford

Regional Visualization and Analytics Center Incorporating Network Flows in Intrusion Incident Handling and Analysis John Gerth Stanford University gerth@stanford.edu FloCon 2008 1 EE/CS Network Infrastructure Three buildings with one

349 views • 34 slides
FHA PFE Learning Collaborative Stay Calm and Have a Plan: Practical Tips for Handling

FHA PFE Learning Collaborative Stay Calm and Have a Plan: Practical Tips for Handling

FHA PFE Learning Collaborative Stay Calm and Have a Plan: Practical Tips for Handling Communication Crises in Healthcare July 27, 2017 WELCOME! Team Introductions Allison Sandera Project Manager and PFE LC Lead FHA allisons@fha.org

482 views • 44 slides
Recording Your Presentation in Blackboard Collaborate Ultra 1. Navigate to the Blackboard

Recording Your Presentation in Blackboard Collaborate Ultra 1. Navigate to the Blackboard

Recording Your Presentation in Blackboard Collaborate Ultra 1. Navigate to the Blackboard Collaborate Ultra Tool. This could be titled Blackboard Collaborate Ultra or your instructor may have designated it something else: Presentations,

318 views • 3 slides
extended INCident Handling Working Group (INCH) 13:00 15:00 Wednesday, November 9. 2005

extended INCident Handling Working Group (INCH) 13:00 15:00 Wednesday, November 9. 2005

extended INCident Handling Working Group (INCH) 13:00 15:00 Wednesday, November 9. 2005 IETF 64, Vancouver, Canada URL: http://www.cert.org/ietf/inch/ http://www.cert.org/ietf/inch/ietf64/ slides:

254 views • 6 slides
Learn Blackboard Learn Learn with others Learn in your own time, pace, space Learn through

Learn Blackboard Learn Learn with others Learn in your own time, pace, space Learn through

Learn Blackboard Learn Learn with others Learn in your own time, pace, space Learn through designing for teaching Learn with others 1. Black Swan Conferences Hear The bigger picture Higher Education Blackboard UWA Experience

478 views • 16 slides
5 Control and Implementation of State Space Search 5.0 Introduction 5.4 The Blackboard

5 Control and Implementation of State Space Search 5.0 Introduction 5.4 The Blackboard

5 Control and Implementation of State Space Search 5.0 Introduction 5.4 The Blackboard Architecture for Problem 5.1 Recursion-Based Search Solving 5.2 Pattern-directed Search 5.5 Epilogue and 5.3 Production Systems References 5.6

593 views • 28 slides
Architectural Patterns The fundamental problem to be solved with a large system Architectural

Architectural Patterns The fundamental problem to be solved with a large system Architectural

Architectural Patterns The fundamental problem to be solved with a large system Architectural Patterns is how to break it into chunks manageable for human programmers to understand, implement, and maintain. Dr. James A. Bednar Large-scale

354 views • 12 slides
Gerth Stlting Brodal MY INSTITUTION INSTITUT FOR DATALOGI Blackboard Introduction for TAs @ CS

Gerth Stlting Brodal MY INSTITUTION INSTITUT FOR DATALOGI Blackboard Introduction for TAs @ CS

Gerth Stlting Brodal MY INSTITUTION INSTITUT FOR DATALOGI Blackboard Introduction for TAs @ CS August 19, 2015 1 Gerth Stlting Brodal MY INSTITUTION INSTITUT FOR DATALOGI Blackboard Introduction for TAs @ CS August 19, 2015 Background

737 views • 20 slides
Foliotek Electronic Assessment System Quick Guide and Information Setup Faculty/Student Click

Foliotek Electronic Assessment System Quick Guide and Information Setup Faculty/Student Click

Foliotek Electronic Assessment System Quick Guide and Information Setup Faculty/Student Click on SSO Link Blackboard Integration Faculty Creates a Foliotek SSO Link Foliotek Students see all the courses and their Faculty see their current

199 views • 15 slides
VALIDATION The goal of validation is to judge the quality of the soft- ware from the users

VALIDATION The goal of validation is to judge the quality of the soft- ware from the users

VALIDATION The goal of validation is to judge the quality of the soft- ware from the users point of view; e.g., reliability. The goal of all validation techniques is: to reveal failures, to localize the faults that caused the

281 views • 14 slides
7 hacks. 7 time-saving hacks for course coordination associate professor bronwyn lea Hi there!

7 hacks. 7 time-saving hacks for course coordination associate professor bronwyn lea Hi there!

7 hacks. 7 time-saving hacks for course coordination associate professor bronwyn lea Hi there! Here are seven hacks I use to preserve my time and sanity when coordinating large courses. Most are work-arounds that I dream will one day be

342 views • 23 slides
Edition, Wiley, 2018. ISBN 978-1-119-29967-7 Textbook Web Site: text book web site

Edition, Wiley, 2018. ISBN 978-1-119-29967-7 Textbook Web Site: text book web site

CMP 426 (section A01C) CMP 697 (section A01C): Operating Systems Syllabus Department of Computer Science Lehman College, City University of New York Summer 2020 Instructor: Steven Fulakeza Email: steven.fulakeza@lehman.cuny.edu Lecture Schedule:

504 views • 4 slides
UX from 30,000ft: Preamble / Logistics Lecture 00 (50 minutes) @sharpic

UX from 30,000ft: Preamble / Logistics Lecture 00 (50 minutes) @sharpic

UX from 30,000ft: Preamble / Logistics Lecture 00 (50 minutes) @sharpic http://sharpic.github.io/COMP33511/ Ask Questions / Contribute as we go! This is a test to see if it is worth using! No silly comments - Ive seen them all before

514 views • 24 slides
State Blackboard Fabio Patrizi & Giuseppe De Giacomo SAPIENZA Universit di Roma, Italy

State Blackboard Fabio Patrizi & Giuseppe De Giacomo SAPIENZA Universit di Roma, Italy

Composition of Services that Share an In ! nite- State Blackboard Fabio Patrizi & Giuseppe De Giacomo SAPIENZA Universit di Roma, Italy IIWEB09 - IJCAI09 Workshop on Information Integration on the Web Pasadena, California, July 11,

236 views • 21 slides

More recommend