massively distributed intrusions detection goals
play

Massively distributed intrusions detection : goals, challenges and - PowerPoint PPT Presentation

Feb 20, 2023 •230 likes •643 views

Massively distributed intrusions detection : goals, challenges and possible solutions. SEC2 2015, Lille Michal Hauspie CRIStAL, CNRS UMR 9189 quipe 2XS . . . . . . . . . . . . . . . . . . . . . . . . . . . .

  1. Massively distributed intrusions detection : goals, challenges and possible solutions. SEC2 2015, Lille Michaël Hauspie CRIStAL, CNRS UMR 9189 – Équipe 2XS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 1 / 31

  2. Plan Context 1 Collaborative IDS 2 DISCUS 3 Conclusion 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 2 / 31

  3. Plan Context 1 Collaborative IDS 2 DISCUS 3 Conclusion 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 3 / 31

  4. Intrusion detection is hard in a cloud context Cloud specific issues Complex and dynamic network architectures Sensible data Attacks can avoid standard security solutions by trying to lead the attack from inside the network [1] by spliting the attack using several hosts, network routes [4] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 4 / 31

  5. Bandwith and computing power is cheap to rent : Cloud As A Weapon [1] D. Bryan and M. Anderson. Cloud computing, a weapon of mass destruction, DEFCON 2010 Thunderclap Less than a few dollars to put a host down Instead of infecting host to create a botnet, just rent them ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 5 / 31

  6. Usual security solutions tends be located at the edge of the network Firewalls usually located at the connection between data center and ISP filters network packet based on security rules Intrusion Detection Systems (IDS) monitors the network (NIDS) or the operating system (HIDS) passive system : its goal is to raise alerts pattern matching or behavior analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 6 / 31

  7. Attacks can come from outside . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 7 / 31

  8. Attacks can be performed from inside . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 8 / 31

  9. Attacks can stay inside . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 9 / 31

  10. Plan Context 1 Collaborative IDS 2 DISCUS 3 Conclusion 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 10 / 31

  11. One solution may be distributed, collaborative IDS Push IDS inside the infrastructure More probes means more information More information means better detection (or at least, may lead to) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 11 / 31

  12. One solution may be distributed, collaborative IDS Push IDS inside the infrastructure More probes means more information More information means better detection (or at least, may lead to) Why not almost everywhere ? Firewalls Switches Network cards/link Hypervisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 11 / 31

  13. Plan Context 1 Collaborative IDS 2 DISCUS 3 General presentation Syntax overview Table mechanism Example Conclusion 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 12 / 31

  14. DISCUS is our proposal to deploy IDS everywhere [3] Main ideas Put IDS probes as close to monitoring targets as possible Probes can be software or hardware ▶ Embedded : cheap , but not very powerful, and hard to program ▶ FPGA : very good power/cost ratio , but hard to create ▶ Kernel or userspace software (snort, standalone software, kernel module) : can achieve high performance but need powerful hardware (high cost) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 13 / 31

  15. Let’s put probes everywhere . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 14 / 31

  16. Creating software for the probes is not that easy Issues Heterogeneous targets → lots of expertise Collaboration is hard Deployment is hard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 15 / 31

  17. Creating software for the probes is not that easy Issues Heterogeneous targets → lots of expertise Collaboration is hard Deployment is hard Use of a Domain Specific Language (DSL) Focus on detection logic, not implementation details Use compile tools to handle heterogeneity and deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 15 / 31

  18. DSL focus on specific logic Not as expressive as generic purpose languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 16 / 31

  19. DSL focus on specific logic Not as expressive as generic purpose languages ▶ Limit development errors ▶ Ensure strong properties on generated software ▶ Allow better automatic optimisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 16 / 31

  20. Event syntax on my_event_name (args_list) [where condition] [...] action_list [...] ; Actions Raise another event (now or later) Raise an alert Handle tables’ structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 17 / 31

  21. Filtering HTTP packets on tcp_packet (... , int16 dst_port , ...) where dst_port == 80 raise http_packet (...) ; . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 18 / 31

  22. Tables : a structure to share data Distributed database of contextual data Table entries are aggregates of primary types Provides a way to collaborate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 19 / 31

  23. Declaration of a table table tcp_connection { ipaddr src ,dst ; int16 p_src ,p_dst ; enum tcp_connection_state state ; time last_pkt ; (...) } ; Removing entries and purging tables remove entry from tcp_connection when entry.state == TCP_CLOSED ; on purge tcp_connection select entry where entry.last_pkt + 3600 < now ; . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 20 / 31

  24. Using tables in events : updating last packet timestamp on tcp_packet(ipaddr src , ipaddr dst , ...) update entry.last_pkt = now . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 21 / 31

  25. Using tables in events : updating last packet timestamp on tcp_packet(ipaddr src , ipaddr dst , ...) for first entry in tcp_connection with entry.src == src and entry.dst == dst and (...) update entry.last_pkt = now . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 21 / 31

  26. Using tables in events : updating last packet timestamp on tcp_packet(ipaddr src , ipaddr dst , ...) for first entry in tcp_connection with entry.src == src and entry.dst == dst and (...) update entry.last_pkt = now ifnone insert into tcp_connection { src = src ; dst = dst ; state = TCP_INIT ; last_pkt = now ; (...) } ; . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 21 / 31

  27. Use case : detecting SYN Flood attacks A basic DoS attack : SYN Flood [2] Opening a lot of TCP connections Initiating the handshake but not finishing it Memory congestion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michaël Hauspie SEC2 2015 30 juin 2015 22 / 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks Suggests need to learn/adapt to new attacks or changes in behavior Detect intrusions in timely fashion May need to be be real-time,

638 views • 29 slides
e n o t s y e K OpenStack in the context of Fog/Edge Massively Distributed Clouds

e n o t s y e K OpenStack in the context of Fog/Edge Massively Distributed Clouds

e n o t s y e K OpenStack in the context of Fog/Edge Massively Distributed Clouds Fog/Edge/Massively Distributed Clouds (FEMDC) SIG Beyond the clouds - The Discovery initiative 1 Who are We? Marie Delavergne Adrien Lebre

563 views • 42 slides
Recovering from intrusions in distributed systems with Dare Taesoo Kim Ramesh Chandra, Nickolai

Recovering from intrusions in distributed systems with Dare Taesoo Kim Ramesh Chandra, Nickolai

Recovering from intrusions in distributed systems with Dare Taesoo Kim Ramesh Chandra, Nickolai Zeldovich MIT CSAIL Attackers routinely compromise distributed systems Recovery is manual and time-consuming Example: SourceForge.net attack

426 views • 27 slides
Detecting and Surviving Intrusions Exploring New Host-Based Intrusion Detection, Recovery, and

Detecting and Surviving Intrusions Exploring New Host-Based Intrusion Detection, Recovery, and

Detecting and Surviving Intrusions Exploring New Host-Based Intrusion Detection, Recovery, and Response Approaches Ph.D. Thesis Defense December 17th, 2019 1 HP Labs (ronny.chevalier@hp.com) 2 CIDRE Team, CentraleSuplec/Inria/CNRS/IRISA

1.66k views • 140 slides
Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic specification J. Lima, N. Escravana 1 Abstract In the recent years, the advent large-scale, highly targeted cyber-attacks raised the concern on the

375 views • 35 slides
Outside the Closed World: On Finding Intrusions with Anomaly Detection Robin Sommer

Outside the Closed World: On Finding Intrusions with Anomaly Detection Robin Sommer

Outside the Closed World: On Finding Intrusions with Anomaly Detection Robin Sommer International Computer Science Institute, &amp; Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org Advanced Topics in Computer

1.35k views • 99 slides
Distributed Systems Goals of Distributed Systems 13A. Distributed Systems: Goals &amp; Challenges

Distributed Systems Goals of Distributed Systems 13A. Distributed Systems: Goals &amp; Challenges

5/17/2017 Distributed Systems Goals of Distributed Systems 13A. Distributed Systems: Goals &amp; Challenges scalability and performance apps require more resources than one computer has 13B. Distributed Systems: Communication grow

572 views • 7 slides
Distributed Systems Goals of Distributed Systems 13A. Distributed Systems: Goals &amp; Challenges

Distributed Systems Goals of Distributed Systems 13A. Distributed Systems: Goals &amp; Challenges

5/19/2018 Distributed Systems Goals of Distributed Systems 13A. Distributed Systems: Goals &amp; Challenges scalability and performance apps require more resources than one computer has 13B. Distributed Systems: Communication grow

131 views • 9 slides
DEFECT DETECTION IN A DEFECT DETECTION IN A DISTRIBUTED SOFTWARE DISTRIBUTED SOFTWARE

DEFECT DETECTION IN A DEFECT DETECTION IN A DISTRIBUTED SOFTWARE DISTRIBUTED SOFTWARE

DEFECT DETECTION IN A DEFECT DETECTION IN A DISTRIBUTED SOFTWARE DISTRIBUTED SOFTWARE MAINTENANCE PROJECT MAINTENANCE PROJECT Alessandro Bianchi, Danilo Caivano, Filippo Lanubile, Giuseppe Visaggio SER_Lab - Department of Informatics -

134 views • 12 slides
Mutation detection in massively parallel sequencing 2012 Winter School in Mathematical and

Mutation detection in massively parallel sequencing 2012 Winter School in Mathematical and

Mutation detection in massively parallel sequencing 2012 Winter School in Mathematical and Computational Biology Ann-Marie Patch Sequencing literature From medicine to evolution - large scale sequencing data is impacting all of our research

468 views • 44 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof.

Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof.

Universitt Tbingen Computer Networks and Internet Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof. Dr. Georg Carle Chair for Computer Networks and Internet University of Tbingen Germany

291 views • 8 slides
Role Inference + Anomaly Detection = Situational Awareness in BACnet networks D. Fauri , M.

Role Inference + Anomaly Detection = Situational Awareness in BACnet networks D. Fauri , M.

Role Inference + Anomaly Detection = Situational Awareness in BACnet networks D. Fauri , M. Kapsalakis, D. R. dos Santos, E.Costante, J. den Hartog, S. Etalle Gothenburg, Sweden DIMVA 2019 - 16th Conference on Detection of Intrusions and

837 views • 15 slides
Channel Aware Distributed Detection in Wireless Network with Correlated Observations Nahal Maleki

Channel Aware Distributed Detection in Wireless Network with Correlated Observations Nahal Maleki

Channel Aware Distributed Detection in Wireless Network with Correlated Observations Nahal Maleki Department of Electrical and Computer Engineering, University of Rochester Centralized versus Distributed Detection x 5 Fusion Center x 6 x 1 x 3 y

611 views • 47 slides
Advanced Architectures Goals of Distributed Computing better services 15A. Distributed

Advanced Architectures Goals of Distributed Computing better services 15A. Distributed

6/7/2018 Advanced Architectures Goals of Distributed Computing better services 15A. Distributed Computing scalability 15B. Multi-Processor Systems apps too big to run on a single computer 15C. Tightly Coupled Distributed Systems

347 views • 9 slides
A Stochastic Model for Intrusions Robert P. Goldman rpgoldman@sift.info Interface 2003 1 Topic

A Stochastic Model for Intrusions Robert P. Goldman rpgoldman@sift.info Interface 2003 1 Topic

A Stochastic Model for Intrusions Robert P. Goldman rpgoldman@sift.info Interface 2003 1 Topic Topic area: Computer and Network Intrusion Detection Subject: A technique for stochastic modeling of goal-directed computer network intruders

433 views • 31 slides
Perimeter Intrusion Detection Mikro Tek Detection Technologies Ltd | +44 (0) 1773 744750 |

Perimeter Intrusion Detection Mikro Tek Detection Technologies Ltd | +44 (0) 1773 744750 |

Perimeter Intrusion Detection Mikro Tek Detection Technologies Ltd | +44 (0) 1773 744750 | info@detection-technologies.com | www.detection-technologies.com Mikro Tek Key Advantages One analyzer - up to 300m detection range! A single Mikro Tek

874 views • 6 slides
CIP-005-5 R1.5 Spring CIP Audit Workshop April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA

CIP-005-5 R1.5 Spring CIP Audit Workshop April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA

CIP-005-5 R1.5 Spring CIP Audit Workshop April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA Senior Technical Auditor CIP-005-5 Part 1.5 Learning Objectives Terminology Discussion of IPS/IDS &amp; firewall Questions Answered

813 views • 38 slides
High Performance String Matching Algorithm for a Network Intrusion Prevention System (NIPS) Yaron

High Performance String Matching Algorithm for a Network Intrusion Prevention System (NIPS) Yaron

High Performance String Matching Algorithm for a Network Intrusion Prevention System (NIPS) Yaron Weinsberg Shimrit Tzur-David Danny Dolev Tal Anker The Hebrew University Of Jerusalem Radlan - a Marvell Company Email: { wyaron,shimritd,dolev

183 views • 7 slides
Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network

Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network

Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network Engineering 7-2-2007 R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 1 / 18 Contents Assignment 1 Intrusion Detection Systems 2

454 views • 18 slides
Securing Networks in the Programmable Data Plane Era Luciano Gaspary paschoal@inf.ufrgs.br

Securing Networks in the Programmable Data Plane Era Luciano Gaspary paschoal@inf.ufrgs.br

Securing Networks in the Programmable Data Plane Era Luciano Gaspary paschoal@inf.ufrgs.br Instituto de Informtica UFRGS Securing Networks in the Programmable Data Plane Era Network softwarization : the first wave P4 programs are

607 views • 12 slides
Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk Challenges in Assessing and Mitigating Cyber Risk Mustaque Ahamad, Saby Mitra and Paul Royal Georgia Tech Information Security Center Georgia Tech

763 views • 16 slides
CYBERSECURITY RISK ASSESSMENT AND PENETRATION TESTING FOR BOCES PARTICIPATING SCHOOL DISTRICTS

CYBERSECURITY RISK ASSESSMENT AND PENETRATION TESTING FOR BOCES PARTICIPATING SCHOOL DISTRICTS

CYBERSECURITY RISK ASSESSMENT AND PENETRATION TESTING FOR BOCES PARTICIPATING SCHOOL DISTRICTS RFP #2416 OUR DIFFERENTIATORS Global Risk Atlantic has a deep understanding of Risk Assessment and Penetration Testing on a Assessment global

519 views • 7 slides
HIPAA Security HIPAA Security Jeanne Smythe, UNC-CH Jeanne Smythe, UNC-CH Jack McCoy, ECU Jack

HIPAA Security HIPAA Security Jeanne Smythe, UNC-CH Jeanne Smythe, UNC-CH Jack McCoy, ECU Jack

HIPAA Security HIPAA Security Jeanne Smythe, UNC-CH Jeanne Smythe, UNC-CH Jack McCoy, ECU Jack McCoy, ECU Chad Bebout, UNC-CH Chad Bebout, UNC-CH Doug Brown, UNC-CH Doug Brown, UNC-CH What is this? What is this? Federal Regulations

514 views • 29 slides

More recommend