collaborative incident handling based on the blackboard
play

Collaborative Incident Handling Based on the Blackboard-Pattern - PowerPoint PPT Presentation

Aug 22, 2023 •18 likes •268 views

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Collaborative Incident Handling Based on the Blackboard-Pattern Nadine Herold, Holger Kinkelin November 25, 2016 Chair of Network

  1. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Collaborative Incident Handling Based on the Blackboard-Pattern Nadine Herold, Holger Kinkelin November 25, 2016 Chair of Network Architectures and Services Department of Informatics Technical University of Munich

  2. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Foreword • Presentation based on slides from 3rd Workshop on Information Sharing and Collaborative Security (WISCS 2016) held in conjunc- tion with 23rd ACM Conference on Computer and Communica- tions Security (CCS) • Added for today: Future work on security and privacy aspects of the blackboard Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 2

  3. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Motivation and Background Related Work and Problem Statement System Design and Implementation Evaluation Future Work: Security and Privacy Conclusion Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 3

  4. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Motivation and Background Related Work and Problem Statement System Design and Implementation Evaluation Future Work: Security and Privacy Conclusion Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 4

  5. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Motivation • Amount and variants of attacks on networks is growing • Defending networks manually is impossible • Automated incident handling is highly beneficial • Continuously defend the network • Respond quickly • Less error-prone • Systematical incident response Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 5

  6. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Background: Typical Intrusion Handling Steps • Network Monitoring (NMS) and Intrusion Detection Systems (IDS) collect information about the network and its healthiness • NMS: collect infrastructure information • IDS: raise alerts when an intrusion is detected • Alert Processing Systems (APS) aggregate, correlate and priori- tize alerts • Gain more insights into the intrusion by analyzing the situation • Intrusion Response Systems (IRS) counteract automatically • Identify suitable responses • Execute reponses on the target network, e.g., block a rogue host Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 6

  7. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Motivation and Background Related Work and Problem Statement System Design and Implementation Evaluation Future Work: Security and Privacy Conclusion Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 7

  8. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Execution Model: Pipelined Intrusion Handling NMS I n f o Correlated or Aggregated Alerts Response Alert NIDS APS IRS t r e l A HIDS Amount of Information Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 8

  9. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Problem Statement • Significant effort has been made to improve each intrusion step individually • No solution exists that interleaves steps and creates a compre- hensive view on the target network • Information already collected/computed in previous steps is lost for being used by subsequent steps • Information and intermediate results cannot be shared efficiently between single steps Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 9

  10. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Motivation and Background Related Work and Problem Statement System Design and Implementation Evaluation Future Work: Security and Privacy Conclusion Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 10

  11. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Introducing the Blackboard Pattern • The blackboard pattern is applicable to problems that can be de- composed into smaller sub-problems / sub-tasks • Example: (distributed) incident handling / intrusion handling • Sub-tasks solve their sub-problem and share their intermediate results with other sub-tasks • Original information remains untouched • Original information + intermediate results can be reused by sub- tasks to further tackle the problem • Blackboard needs an Information Model specifically designed for the problem domain Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 11

  12. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Blackboard-based Intrusion Handling Alert NMS Alerts Processing I n f o Intermediate Results (Aggregated or Corre- lated Alerts) Alert NIDS Blackboard Original, Aggregated or Correlated Alerts and Info Alert Information Model HIDS IRS Response Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 12

  13. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Information Model for Intrusion Response - Overview Alert Processing Intrusion Response Infrastructure Information Conse- Alert Response quences Network- Network Based L3- L2- Host- Network Network Based Attack Active Service- IP- Interface Based Address Target Passive User- MAC- Based Port Address Source Service Device Metric User Alert Response Imple- Priority Context Bundle mentation Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 13

  14. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Infrastructure Information Model – Examples Infrastructure Information Network • NMSes send their scanning results to L3- L2- specific interfaces which add the info Network Network to the Blackboard IP- • A Service runs at a Port opened on a Interface Address NIC with an IP-Address belonging to a L3-Network MAC- Port Address • A Device has a NIC with MAC-Address and assigned IP-Address Service Device • A User is logged into Device User • A User uses Service Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 14

  15. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Implementation • Python 3 • Object oriented implementation of Information Model • Automatic translation of class structures to suitable database de- sign • Two different databases/database types used: • Relational: postgreSQL • Graph-based: OrientDB Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 15

  16. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Motivation and Background Related Work and Problem Statement System Design and Implementation Evaluation Future Work: Security and Privacy Conclusion Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 16

  17. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Evaluation – Test Data Sets and Test Cases → Measure the prototype’s performance under varying conditions • Test data sets simulate different attacks: DDoS DDoS: many sources attack a small number of targets AP Attack path: an attack spreads in the network F Flooding: Mulitple IDSes raise the same alert • Test data set size: from 1000 to 5000 alerts • Test cases simulate typical tasks of the intrusion handling system ins Node Insertion – Adding of Alert and Alert Context nodes prio Node Prioritization – Updates Priority attribute of Alert and Alert Context nodes with random number comb Node Combination – Combining related Alerts Context nodes • Test cases are cumulative, e.g., t3 contains t1 and t2 Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 17

  18. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Measurement Results: Alerts per Second Exp. pSQL min pSQL max pSQL avg Orient min Orient max Orient avg DDoS ins 287.09 354.72 320.75 11.4 19.72 14.73 DDoS prio 228.61 307.27 257.8 8.4 16.24 11.55 64.97 125.44 86.15 1.37 6.75 3.12 DDoS comb 299.4 355.76 324.76 12.5 19.35 15.13 AP ins 230.36 287.86 250.71 8.91 16.23 11.62 AP prio 30.80 85.12 49.59 0.51 3.01 1.1 AP comb 370.32 396.63 384.58 37.88 50.87 44.77 F ins 318.1 330.31 325.04 15.4 35.29 23.38 F prio 281.78 293.31 287.73 14.13 18.00 16.97 F comb Table contains min, max and average rates of all test data set sizes Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Collaborative Incident Handling Based on the Blackboard-Pattern Nadine Herold, Holger Kinkelin

Collaborative Incident Handling Based on the Blackboard-Pattern Nadine Herold, Holger Kinkelin

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Collaborative Incident Handling Based on the Blackboard-Pattern Nadine Herold, Holger Kinkelin and Georg Carle November 8, 2016 Chair of

422 views • 26 slides
Overview Attacks Handling Security Incidents Security Incidents Handling Security

Overview Attacks Handling Security Incidents Security Incidents Handling Security

Overview Attacks Handling Security Incidents Security Incidents Handling Security Incidents Incident management Methods and Tools Maintaining Incident Preparedness Chapter 7 Standard Incident Handling Procedures Learn

358 views • 7 slides
Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March

Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March

Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March 2010 Overview Actively manage incident handling Be ready BEFORE an incident Based on NIST SP800-61rev1 recommendation

466 views • 32 slides
Extended INCident Handling Working Group (INCH)

Extended INCident Handling Working Group (INCH)

Internet Engineering Task Force Extended INCident Handling Working Group (INCH) http://www.cert.org/ietf/inch/inch_interim_2004.html 12:00 16:00 Sunday, June 13 2004 Interim Meeting Budapest, Hungary Roman Danyliw, <rdd@cert.org>

396 views • 16 slides
Page 1 Wait for your new recording to automatically appear in Blackboard once generated.

Page 1 Wait for your new recording to automatically appear in Blackboard once generated.

Recording a PowerPoint Presentation using Blackboard Collaborate Blackboard Quick Guide If you would like to record a number of mini-lectures capturing topics of particular importance to your students, Blackboard Collaborate Ultra offers an easy

515 views • 5 slides
Software Vulnerability Handling and practical incident recognition Idea: ( ) Sven Gabriel

Software Vulnerability Handling and practical incident recognition Idea: ( ) Sven Gabriel

EGI Community Forum 2014 Software Vulnerability Handling and practical incident recognition Idea: ( ) Sven Gabriel NIKHEF All the hard work: Heiko Reese KIT-CERT ( ) Sven Gabriel? 20042007: FZK Karlsruhe, T-1 GridKa Site Admin

1.19k views • 38 slides
ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds

ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds

ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 Introduction CSIRT 2017 March

703 views • 39 slides
Blackboard Collaborate Ultra Academic Computing Services Schedule and join Blackboard

Blackboard Collaborate Ultra Academic Computing Services Schedule and join Blackboard

Blackboard Collaborate Ultra Academic Computing Services Schedule and join Blackboard Collaborate web conferencing sessions and view recorded archives Blackboard Collaborate Training Overview Learning Objectives -Demonstrate that you can

975 views • 18 slides
Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Topic Outcomes Acquire data (from a disk) using `dd` Analyze image of disk from `dd` using forensics tools including

492 views • 19 slides
MESSAGE HANDLING MESSAGE HANDLING ICS- -213 213 ICS Presented by Chuck Sprick KE5RAD Feb

MESSAGE HANDLING MESSAGE HANDLING ICS- -213 213 ICS Presented by Chuck Sprick KE5RAD Feb

MESSAGE HANDLING MESSAGE HANDLING ICS- -213 213 ICS Presented by Chuck Sprick KE5RAD Feb 17, 2008 1 Message Forms Various forms were used by different agencies & operators Incident Command System requires us to use ICS-213

535 views • 11 slides
Incorporating Network Flows in Intrusion Incident Handling and Analysis John Gerth Stanford

Incorporating Network Flows in Intrusion Incident Handling and Analysis John Gerth Stanford

Regional Visualization and Analytics Center Incorporating Network Flows in Intrusion Incident Handling and Analysis John Gerth Stanford University gerth@stanford.edu FloCon 2008 1 EE/CS Network Infrastructure Three buildings with one

349 views • 34 slides
FHA PFE Learning Collaborative Stay Calm and Have a Plan: Practical Tips for Handling

FHA PFE Learning Collaborative Stay Calm and Have a Plan: Practical Tips for Handling

FHA PFE Learning Collaborative Stay Calm and Have a Plan: Practical Tips for Handling Communication Crises in Healthcare July 27, 2017 WELCOME! Team Introductions Allison Sandera Project Manager and PFE LC Lead FHA allisons@fha.org

482 views • 44 slides
Recording Your Presentation in Blackboard Collaborate Ultra 1. Navigate to the Blackboard

Recording Your Presentation in Blackboard Collaborate Ultra 1. Navigate to the Blackboard

Recording Your Presentation in Blackboard Collaborate Ultra 1. Navigate to the Blackboard Collaborate Ultra Tool. This could be titled Blackboard Collaborate Ultra or your instructor may have designated it something else: Presentations,

318 views • 3 slides
extended INCident Handling Working Group (INCH) 13:00 15:00 Wednesday, November 9. 2005

extended INCident Handling Working Group (INCH) 13:00 15:00 Wednesday, November 9. 2005

extended INCident Handling Working Group (INCH) 13:00 15:00 Wednesday, November 9. 2005 IETF 64, Vancouver, Canada URL: http://www.cert.org/ietf/inch/ http://www.cert.org/ietf/inch/ietf64/ slides:

254 views • 6 slides
Learn Blackboard Learn Learn with others Learn in your own time, pace, space Learn through

Learn Blackboard Learn Learn with others Learn in your own time, pace, space Learn through

Learn Blackboard Learn Learn with others Learn in your own time, pace, space Learn through designing for teaching Learn with others 1. Black Swan Conferences Hear The bigger picture Higher Education Blackboard UWA Experience

478 views • 16 slides
5 Control and Implementation of State Space Search 5.0 Introduction 5.4 The Blackboard

5 Control and Implementation of State Space Search 5.0 Introduction 5.4 The Blackboard

5 Control and Implementation of State Space Search 5.0 Introduction 5.4 The Blackboard Architecture for Problem 5.1 Recursion-Based Search Solving 5.2 Pattern-directed Search 5.5 Epilogue and 5.3 Production Systems References 5.6

593 views • 28 slides
Edition, Wiley, 2018. ISBN 978-1-119-29967-7 Textbook Web Site: text book web site

Edition, Wiley, 2018. ISBN 978-1-119-29967-7 Textbook Web Site: text book web site

CMP 426 (section A01C) CMP 697 (section A01C): Operating Systems Syllabus Department of Computer Science Lehman College, City University of New York Summer 2020 Instructor: Steven Fulakeza Email: steven.fulakeza@lehman.cuny.edu Lecture Schedule:

504 views • 4 slides
7 hacks. 7 time-saving hacks for course coordination associate professor bronwyn lea Hi there!

7 hacks. 7 time-saving hacks for course coordination associate professor bronwyn lea Hi there!

7 hacks. 7 time-saving hacks for course coordination associate professor bronwyn lea Hi there! Here are seven hacks I use to preserve my time and sanity when coordinating large courses. Most are work-arounds that I dream will one day be

342 views • 23 slides
Architectural Patterns The fundamental problem to be solved with a large system Architectural

Architectural Patterns The fundamental problem to be solved with a large system Architectural

Architectural Patterns The fundamental problem to be solved with a large system Architectural Patterns is how to break it into chunks manageable for human programmers to understand, implement, and maintain. Dr. James A. Bednar Large-scale

354 views • 12 slides
UX from 30,000ft: Preamble / Logistics Lecture 00 (50 minutes) @sharpic

UX from 30,000ft: Preamble / Logistics Lecture 00 (50 minutes) @sharpic

UX from 30,000ft: Preamble / Logistics Lecture 00 (50 minutes) @sharpic http://sharpic.github.io/COMP33511/ Ask Questions / Contribute as we go! This is a test to see if it is worth using! No silly comments - Ive seen them all before

514 views • 24 slides
State Blackboard Fabio Patrizi & Giuseppe De Giacomo SAPIENZA Universit di Roma, Italy

State Blackboard Fabio Patrizi & Giuseppe De Giacomo SAPIENZA Universit di Roma, Italy

Composition of Services that Share an In ! nite- State Blackboard Fabio Patrizi & Giuseppe De Giacomo SAPIENZA Universit di Roma, Italy IIWEB09 - IJCAI09 Workshop on Information Integration on the Web Pasadena, California, July 11,

236 views • 21 slides
By the architecture of a system, I mean the complete and detailed specification of the user

By the architecture of a system, I mean the complete and detailed specification of the user

By the architecture of a system, I mean the complete and detailed specification of the user interface. For a computer this is the programming manual. For a compiler it is the language manual. For a control program it is the manuals for the

259 views • 8 slides
CPSC 875 CPSC 875 John D McGregor John D. McGregor C9 Tactics

CPSC 875 CPSC 875 John D McGregor John D. McGregor C9 Tactics

CPSC 875 CPSC 875 John D McGregor John D. McGregor C9 Tactics http://www.cs.cmu.edu/~ModProb/MRsol4. Query optimization Query optimization html eLearning Planning l i Doi: 10.1.1.4.9627 Doi: 10.1.1.4.9627 Google search engine

828 views • 35 slides
Knowledge Representation COMP34512 Sebastian Brandt brandt@cs.manchester.ac.uk

Knowledge Representation COMP34512 Sebastian Brandt brandt@cs.manchester.ac.uk

Knowledge Representation COMP34512 Sebastian Brandt brandt@cs.manchester.ac.uk http://cs.man.ac.uk/~sbrandt http://studentnet.cs.manchester.ac.uk/syllabus/? code=COMP34512&year=2013 Slides: Bijan Parsia, Bijan Parsia

176 views • 15 slides

More recommend