runtime monitoring and dynamic reconfiguration for
play

Runtime Monitoring and Dynamic Reconfiguration for Intrusion - PowerPoint PPT Presentation

Oct 04, 2023 •168 likes •419 views

Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 , Eugen Staab 3 , Volker Fusenig 3 , Michal Pechoucek 1,2 , Martin Grill 1 , Jan Stiborek 1 , and Karel Bartos 1 ( 1 ) Czech Technical University in

  1. Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 , Eugen Staab 3 , Volker Fusenig 3 , Michal Pechoucek 1,2 , Martin Grill 1 , Jan Stiborek 1 , and Karel Bartos 1 ( 1 ) Czech Technical University in Prague ( 2 ) Cognitive Security ( 3 ) University of Luxembourg Supported by U.S. ARMY ITC-A/RDECOM – CERDEC project W911NF-08-1-0250

  2. (Research) Questions What is our IDS/NBA good for ? Does it work right now ? How sensitive it is ? Can it detect X ?

  3. Our Answer Use of trust modeling techniques combined with challenge insertion for a dynamic reconfiguration of an anomaly-based network intrusion detection system

  4. Challenge-based Monitoring • Unlabeled background (1) Response evaluation input data (2) What challenges ? • Insertion of small set of challenges (3) How many ? – Legitimate vs Malicious

  5. Network Behavior Analysis • Processes NetFlow data • Anomaly detection methods – no content – source, destination IP • Broad decision rules address/port + protocol • Statistical traffic – bytes, packets, (flows) prediction and analysis – flags (TCP) – Aggregation 1-15 min. interval (typ. 5 min.) – widely available, quality varies, IETF standard

  6. Anomaly Detection vs. Signatures Signature matching Anomaly detection • Historically validated • No patterns • Widely deployed • New threats detection • Verifiable & Stable • Scaling • Number of patterns • Error Rate/Sensitivity • Scaling • Verifiability • Management • Stability • New threats detection • Management

  7. CAMNEP: Detection Layer • Flows to categories • Multiple AD methods • Multiple trust models • Multiple aggregation methods • Dynamic • Several layers of learning

  8. Dynamic classifier selection • Unsupervised • Dynamic – Background traffic – Model performance – Attacks • Strategic behavior – Evasion – Attacks on AD/learning

  9. Why bother ?: False/True Positives Individual AD methods 300:2 Averaged anomalies 58:2 Averaged trust 15:2 Adaptive average 5:2

  10. Adaptation Principles • Self-Awareness: Threat/Risk – Self-monitoring Model – Self-evaluation – Goal representation Monitoring, Challenges • Self-Optimization: – (Aggregation generation) – Aggregation function selection Adaptation

  11. Monitoring: Challenge Insertion • Unlabeled background (1) Response evaluation input data (2) What challenges ? • Insertion of small set of challenges (3) How many ? – Legitimate vs Malicious

  12. Attack Trees - (Simplified) Examples Server take-over File sharing locate exploit Buff. ov. Pswd. bf.

  13. Decision-Theoretic Threat Modeling • Threat modeled as: – attack tree (T) – loss value (D) • Loss values propagation to leaf nodes, i.e. attack actions (A i ) • Loss value aggregated over threats for attack classes (AC)

  14. From Challenge Insertion to Trust • Trust in the aggregator agent models its ability to separate the legitimate from malicious behavior under current conditions

  15. Trust Modeling – Issues • Regret/FIRE model individual reputation component used – Startup delay considerations – Changing network traffic character – Number of inserted challenges vs. the number of attack types – Relationship between the challenge insertion and trust

  16. Challenge Insertion Control

  17. Challenge Insertion Control (2) • Trust values used to parameter the challenge insertion • We prevent random order inversion between the two most trusted agents

  18. Evaluation • Real network traffic – 1Gb link – 200-300 Mb/sec eff. – 200 flows/sec – 6 hours … 70 datasets – 5 minute collection • Third party attacks • SSH scans, password brute force, worms/botnets, malware, P2P

  19. Experimental results

  20. Experimental results

  21. Experimental Results • False positives reduced (excesses avoided) • False negatives comparable/reduced Aggregation False Negative (sIP) False Positive (sIP) Arithmetic average 14.7 12.5 Average aggregation fct. 13.1 24.3 Min FP aggregation fct. 14.5 5.3 Min FN aggregation fct. 9.8 125.2 Best aggregation fct. 13.7 5.7 Adaptive selection 14.0 3.1 University network, third party attacks only – scans, P2P, password bf,… •

  22. Attack-Type Insertion Effects • Observable effects on trustfulness values • Slow/low volume attacks are still undetectable • So far inconclusive on the extracted event level • Natural background traffic, known test attacks Attack All challenges Selected challenges Horizontal scan 1.1/-0.2 1.4/0.0 Vertical scan 1.2/-0.2 1.4/0.3 Fingerprinting 1.5/1.2 1.9/1.6 SSH pass. brute force -0.2/0.6 0.17/1.2 Buffer overflow -0.2/0.1 0.2/0.0

  23. Conclusions • Advanced AI techniques can: – Automatically reduce and maintain the error rate – Monitor system performance – Optimize system performance by: • Aggregation function selection • Challenge insertion process management • Current/Future work – behavior generation (promising) – reduction of evasion/strategic behavior – opponent models

  24. Questions ? rehak@cognitivesecurity.cz

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Using AOP for Detailed Runtime Monitoring Instrumentation Jonathan E Cook, joncook@nmsu.edu

Using AOP for Detailed Runtime Monitoring Instrumentation Jonathan E Cook, joncook@nmsu.edu

Using AOP for Detailed Runtime Monitoring Instrumentation Jonathan E Cook, joncook@nmsu.edu Amjad Nusayr, anusayr@cs.nmsu.edu The 2009 Workshop on Dynamic Analysis New Mexico State University Runtime Monitoring The act of observing an

590 views • 23 slides
Software Components with Fractal: Reflective Software Architecture and Runtime Reconfiguration

Software Components with Fractal: Reflective Software Architecture and Runtime Reconfiguration

Software Components with Fractal: Reflective Software Architecture and Runtime Reconfiguration Martin Monperrus Creative Commons Attribution License Copying and modifying are authorized as long as proper credit is given to the author.

907 views • 35 slides
MarQ : Monitoring At Runtime with QEA Giles Reger in collaboration with Helena Cuenca Cruz,

MarQ : Monitoring At Runtime with QEA Giles Reger in collaboration with Helena Cuenca Cruz,

Runtime Monitoring Quantified Event Automata Efficient monitoring Using MarQ MarQ : Monitoring At Runtime with QEA Giles Reger in collaboration with Helena Cuenca Cruz, David Rydeheard at University of Manchester, UK April 17th, 2015 Runtime

1.01k views • 97 slides
A UAV Test and Development Environment Based on Dynamic System Reconfiguration Osamah A.

A UAV Test and Development Environment Based on Dynamic System Reconfiguration Osamah A.

A UAV Test and Development Environment Based on Dynamic System Reconfiguration Osamah A. Rawashdeh, Garrett D. Chandler, and James E. Lumpp, Jr. Department of Electrical and Computer Engineering University of Kentucky Lexington, KY Outline

300 views • 11 slides
Satisfaction Algorithm for Dynamic Reconfiguration Sina Entekhabi Ahmet Serkan Karata Halit O

Satisfaction Algorithm for Dynamic Reconfiguration Sina Entekhabi Ahmet Serkan Karata Halit O

An Incremental Constraint Satisfaction Algorithm for Dynamic Reconfiguration Sina Entekhabi Ahmet Serkan Karata Halit O uztzn ODT, Ankara IZTECH Dependability, 8 May 2017 Supported by TBTAK -ARDEB-1001 program under project

659 views • 31 slides
CO406H: Concurrent Processes -calculus: dynamic reconfiguration of communication links

CO406H: Concurrent Processes -calculus: dynamic reconfiguration of communication links

CO406H: Concurrent Processes -calculus: dynamic reconfiguration of communication links Session types for distributed protocols Plan of Lectures and Tutorials Lectures, Tutorials and Coursework Room 342, Monday, 16.0018.00

811 views • 39 slides
Runtime GUI Adaptation in Dynamic Software Product Lines Dean Kramer deankramer@acm.org

Runtime GUI Adaptation in Dynamic Software Product Lines Dean Kramer deankramer@acm.org

Introduction & Recap Runtime Adaptation Implementation & Tests Conclusions Runtime GUI Adaptation in Dynamic Software Product Lines Dean Kramer deankramer@acm.org University of West London/Middlesex University FOSD 2014

529 views • 24 slides
Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj

Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj

Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj University of California, Berkeley, Distributed Mentor Program, Researcher Summer 2004 Professor Elaheh Bozorgzadeh University of California, Irvine,

415 views • 13 slides
Supervisor: Prof Robert W Stewart Dr Louise Crockett Outline Motivation and Objective

Supervisor: Prof Robert W Stewart Dr Louise Crockett Outline Motivation and Objective

Dynamic Reconfiguration Technologies Based on FPGA in Software Defined Radio System Ke He Supervisor: Prof Robert W Stewart Dr Louise Crockett Outline Motivation and Objective Reconfiguration Technologies : Dynamic Reconfigurable Ports

192 views • 18 slides
Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs

Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs

Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs with low Hardware overhead on Xilinx FPGAs Michael Hbner 1 , Diana Ghringer 2 , Juanjo Noguera 3 , Jrgen Becker 1 1 Karlsruhe Institute of

370 views • 16 slides
Managing software variability for dynamic reconfiguration of robot control systems Davide Brugali

Managing software variability for dynamic reconfiguration of robot control systems Davide Brugali

Managing software variability for dynamic reconfiguration of robot control systems Davide Brugali University of Bergamo, Italy Outline Managing software variability for : 1. Reducing software development costs 2. Enforcing NF-Requirements at

672 views • 21 slides
Runtime Specialization Java has never been so dynamic before Stephan Herrmann Simply Retail.

Runtime Specialization Java has never been so dynamic before Stephan Herrmann Simply Retail.

Runtime Specialization Java has never been so dynamic before Stephan Herrmann Simply Retail. Two Camps Strict Rules No Ceremony compiler detects errors Freedom Modularity Flexibility separate maintenance self modifying code Enforced

304 views • 17 slides
Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr,

Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr,

Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr, Peter Libi and Petr Tma Charles University in Prague Context: Dynamic Monitoring of Production Systems Dynamic Monitoring of Production Systems

999 views • 61 slides
Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj UCB,

Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj UCB,

Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj UCB, Distributed Mentor Program, Researcher Summer 2004 Professor Elaheh Bozorgzadeh UCI, Distributed Mentor Program, Mentor Outline I. Introduction

607 views • 27 slides
Iron* - An Introduction to Getting Dynamic on .NET //kristiankristensen.dk

Iron* - An Introduction to Getting Dynamic on .NET //kristiankristensen.dk

Iron* - An Introduction to Getting Dynamic on .NET //kristiankristensen.dk twitter.com/kkristensen mail@kristiankristensen.dk Question Agenda Dynamic Languages Dynamic Demo! Language Runtime 45 min 15 min Why Dynamic Languages

689 views • 33 slides
Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have

Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have

Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have to worry about types (+ Dynamic) Dependent on input (- Dynamic) Runtime overhead (- Dynamic) Serve as documentation (+ Static)

572 views • 24 slides
Lab 8: Firewalls & Intrusion Detec6on Systems Fengwei Zhang Wayne State University CSC 5991

Lab 8: Firewalls & Intrusion Detec6on Systems Fengwei Zhang Wayne State University CSC 5991

Lab 8: Firewalls & Intrusion Detec6on Systems Fengwei Zhang Wayne State University CSC 5991 Cyber Security Prac6ce 1 Firewall & IDS Firewall A device or applica6on that analyzes packet headers and enforces policy based on

365 views • 20 slides
Outline Intrusion detection systems CSci 5271 Malware and the network Introduction to Computer

Outline Intrusion detection systems CSci 5271 Malware and the network Introduction to Computer

Outline Intrusion detection systems CSci 5271 Malware and the network Introduction to Computer Security Announcements intermission Day 22: Malware and Denial of Service Stephen McCamant Denial of service and the network University of

684 views • 10 slides
Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks Suggests need to learn/adapt to new attacks or changes in behavior Detect intrusions in timely fashion May need to be be real-time,

638 views • 29 slides
Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian Vetter Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2016 julian (sect) Software Security SoSe 2016 1 / 21

220 views • 21 slides
How to Test an IDS? GENESIDS: An Automated System for Generating Attack Traffjc WTMC 2018 Felix

How to Test an IDS? GENESIDS: An Automated System for Generating Attack Traffjc WTMC 2018 Felix

How to Test an IDS? GENESIDS: An Automated System for Generating Attack Traffjc WTMC 2018 Felix Erlacher , Falko Dressler Network Intrusion Detection Systems (NIDS) Analyze network traffjc for malicous activity Felix Erlacher: How to Test an

671 views • 37 slides
Network Intrusion Detection: Capabilities & Limitations Vern Paxson International Computer

Network Intrusion Detection: Capabilities & Limitations Vern Paxson International Computer

Network Intrusion Detection: Capabilities & Limitations Vern Paxson International Computer Science Institute Lawrence Berkeley National Laboratory vern@icsi.berkeley.edu November 16, 2005 Outline ! What problem are we trying to solve? !

566 views • 40 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some

Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some

Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some Definition Intrusion A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability, of a computing and

814 views • 29 slides

More recommend