self organized collaboration of distributed ids sensors
play

Self-organized Collaboration of Distributed IDS Sensors Karel Bartos - PowerPoint PPT Presentation

Feb 05, 2024 •17 likes •387 views

Self-organized Collaboration of Distributed IDS Sensors Karel Bartos 1 and Martin Rehak 1,2 and Michal Svoboda 2 1 Faculty of Electrical Engineering Czech Technical University in Prague 2 Cognitive Security, s.r.o., Prague DIMVA 2012 July 27

  1. Self-organized Collaboration of Distributed IDS Sensors Karel Bartos 1 and Martin Rehak 1,2 and Michal Svoboda 2 1 Faculty of Electrical Engineering Czech Technical University in Prague 2 Cognitive Security, s.r.o., Prague DIMVA 2012 July 27 2012

  2. Network Security – Motivation • Advanced Persistent Threats – Strategically motivated – Targeted (single/few targets) • Threats – Sophisticated industrial espionage – Organized crime – credit card fraud, banking attacks, spam • Challenges : – High traffic speeds – High number of increasingly sophisticated, evasive attacks

  3. All Industry Sectors at Risk “…every company in every conceivable industry with significant size & valuable intellectual property & trade secrets has been compromised (or will be shortly)…” - McAfee �������� �����������������������������

  4. Our Goal • Use a Collaboration of Multiple Heterogeneous Detectors to create Network Security Awareness

  5. Intrusion Detection • Intrusion Detection Systems – Deployed on key points of the network infrastructures – Detects malicious network/host behavior • Approaches – Host based vs. Network based – Anomaly detection vs. Signature matching – Multi-algorithm systems • Problem: Stand-alone IDS is not very effective on – Cooperative attacks – Large variability of malicious behavior

  6. Current Solution? Alert Correlation • IDEA: Data fusion of results from more detectors • GOAL: Create global full scale conclusions – Fusion of raw input data or low-level alerts – Increase the level of abstraction – Reveal more complex attacks scenarios – Find prerequisites and consequences

  7. Alert Correlation • Architectures Centralized Hierarchical Fully-distributed

  8. Example of Current Architecture – All detectors work in a stand-alone architecture – More sophisticated detectors can reconfigure based on local observations

  9. Alert Correlation • Collects results from more detectors to provide better overall results • WEAKNESSES: • It does not provide any feedback to the detectors – Detectors are not aware of the performance of other detectors – Detectors require initial (manual) configuration/tuning • It does not improve the performance of detectors

  10. Our Approach – All detectors work in a fully distributed and collaborative architecture – More sophisticated detectors can improve based on observations from other detectors

  11. Assumptions and Requirements • Communication – All-to-All, fully distributed • Reconfiguration – At least some detectors are able to change their internal states according to the observations • Security – Detectors do not provide information about their internal states • Strategic Deployment – Detectors are deployed in various parts of the monitored network; network traffic should overlap

  12. Why to communicate and share results? • Large variability of network attacks and threats – No single detector is able to detect all intrusions • To detect more intrusions, we need more detectors – More detection methods, various locations • Many detectors report a lot of same intrusions – They make similar conclusions and mistakes

  13. Why to communicate and share results? • Large variability of network attacks and threats – No single detector is able to detect all intrusions • To detect more intrusions, we need more detectors – More detection methods, various locations • Many detectors report a lot of same intrusions – They make similar conclusions and mistakes Q: Is it a good thing?

  14. Why to communicate and share results? • Large variability of network attacks and threats – No single detector is able to detect all intrusions • To detect more intrusions, we need more detectors – More detection methods, various locations • Many detectors report a lot of same intrusions – They make similar conclusions and mistakes Q: Is it a good thing? YES – For traditional alert correlation: (FP reduction)

  15. Why to communicate and share results? • Large variability of network attacks and threats • To detect more intrusions, we need more detectors • Many detectors report a lot of same intrusions Q: Is it a good thing? YES – For traditional alert correlation: (FP reduction) Q: Why the detectors generate a lot of FP?

  16. Why to communicate and share results? • Large variability of network attacks and threats • To detect more intrusions, we need more detectors • Many detectors report a lot of same intrusions Q: Is it a good thing? YES – For traditional alert correlation: (FP reduction) Q: Why the detectors generate a lot of FP? A: Because they: - want to be universal - want to generate a lot of TP

  17. Why to communicate and share results? • Large variability of network attacks and threats • To detect more intrusions, we need more detectors • Many detectors report a lot of same intrusions Q: Is it a good thing? YES – For traditional alert correlation: (FP reduction) NO – For our approach: ( specialization )

  18. Specialization • IDEA: Detectors communicate in order to be special • Each detector wants: (specialization allows) – to detect unique intrusions → essential – to minimize the amount of FP → effective • Each detector does not want: (specialization prevents) – to waste resources on already detected intrusions • Specialization in collaboration – Maximizes the overall detection potential of the system

  19. Proposed Collaboration Model • Set of feedback functions – Computes the specialization of each detector – f: E_local × E_remote → R • Set of configuration states – Defines the behavior of each detector • Solution Concept / Algorithm / Strategies – Feedback – reconfiguration mapping – Suitable for dynamic network environments

  20. Experimental Evaluation - Setup INTERNET • 2 network IDS deployed in different locations of our University Faculty network – Backbone IDS – Faculty – Subnet IDS – Department Department 1 Other Departments – 10 hours of network traffic (NetFlow) – Including samples of malware behavior

  21. Experimental Evaluation - Setup INTERNET • 2 network IDS deployed in different locations BACKBONE IDS of our University Faculty network – Backbone IDS – Faculty – Subnet IDS – Department Department 1 Other Departments – 10 hours of network traffic (NetFlow) – Including samples of malware behavior

  22. Experimental Evaluation - Setup INTERNET • 2 network IDS deployed in different locations BACKBONE IDS of our University Faculty network SUBNET IDS – Backbone IDS – Faculty – Subnet IDS – Department Department 1 Other Departments – 10 hours of network traffic (NetFlow) – Including samples of malware behavior

  23. Experimental Evaluation - Setup INTERNET • 2 network IDS deployed in different locations BACKBONE IDS of our University Faculty network SUBNET IDS – Backbone IDS – Faculty – Subnet IDS – Department Department 1 Other Departments – 10 hours of network traffic (NetFlow) – Including samples of malware behavior

  24. Experimental Evaluation - Malware INTERNET BACKBONE IDS SUBNET IDS http://www.damballa.com

  25. Experimental Evaluation - Model • Feedback function is defined as – Uniqueness of generated events – Number of alerts that I detected and others did not • Set of configuration states – Each detector consists of several detection methods – Several opinions have to be aggregated = parameter – State = aggregation function within each IDS

  26. Experimental Evaluation - Strategies • Stand-alone Stand-alone INTERNET – No feedback, No fusion • Fusion only BACKBONE IDS – Detectors are connected SUBNET IDS and exchange their results • Fusion + Feedback – Distributed feedback, Event fusion Department 1 – Encourages specialization

  27. Experimental Evaluation - Strategies • Stand-alone Fusion INTERNET – No feedback, No fusion • Fusion only BACKBONE IDS – Detectors are connected SUBNET IDS and exchange their results • Fusion + Feedback – Distributed feedback, Event fusion Department 1 – Encourages specialization

  28. Experimental Evaluation - Strategies • Stand-alone Fusion + Feedback INTERNET – No feedback, No fusion • Fusion only BACKBONE IDS – Detectors are connected SUBNET IDS and exchange their results • Fusion + Feedback – Distributed feedback, Event fusion Department 1 – Encourages specialization

  29. FIRE Epsilon-greedy Adaptation • Model consists of configuration states and their uniqueness values (weighted 5 past values) • Algorithm – Detectors exchange events – Compute uniqueness of last used configuration – Update last 5 uniqueness values for last used configuration – With probability p: • p ≥ ε select most unique configuration • p < ε select random configuration

  30. Experimental Evaluation - Results • Subnet location – # of detected malware samples 132 Feedback + Fusion 71 Fusion only 38 Stand-alone

  31. Experimental Evaluation - Results • Subnet location – relative false positive rate

  32. Experimental Evaluation - Results • Backbone location – # of detected malware samples 72 Feedback + Fusion 53 Fusion only 39 Stand-alone • Backbone location – relative false positive rate

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Our Product Range Color Sensors Luminescence Sensors Contrast Sensors Opacity

Our Product Range Color Sensors Luminescence Sensors Contrast Sensors Opacity

EMX Industries Inc . Application Driven Sensors Our Product Range Color Sensors Luminescence Sensors Contrast Sensors Opacity Sensors Brightness Sensors Special Sensors Bluetooth Switch The Facts Fastest Speed

309 views • 10 slides
Problem Formulation: Distributed Action Recognition Architecture Eight sensors on human body.

Problem Formulation: Distributed Action Recognition Architecture Eight sensors on human body.

Introduction Distributed Pattern Recognition Conclusion Problem Formulation: Distributed Action Recognition Architecture Eight sensors on human body. Locations are given and fixed. Each sensor carries triaxial accelerometer and biaxial

781 views • 29 slides
Real-Time Monitoring Sensors Rain Gauge Sensors: Water Level Sensors: Other Sensors:

Real-Time Monitoring Sensors Rain Gauge Sensors: Water Level Sensors: Other Sensors:

Real-Time Monitoring Sensors Rain Gauge Sensors: Water Level Sensors: Other Sensors: Tipping Bucket Above Water - Radar, Ultrasonic Soil Moisture Sensor Measures Accumulation and Rainfall Rate Submersible

536 views • 7 slides
Communication Middleware Software Layers 1.1 A distributed system organized as middleware. Note

Communication Middleware Software Layers 1.1 A distributed system organized as middleware. Note

Communication Middleware Software Layers 1.1 A distributed system organized as middleware. Note that the middleware layer extends over multiple machines. 2 Communication Alternatives Raw message passing TCP/IP: reliable byte stream

875 views • 26 slides
CAIS Sensor: Distributed Sensors Network in Brazilian NREN LACSEC LACNIC27 Regarding RNP

CAIS Sensor: Distributed Sensors Network in Brazilian NREN LACSEC LACNIC27 Regarding RNP

CAIS Sensor: Distributed Sensors Network in Brazilian NREN LACSEC LACNIC27 Regarding RNP Brazilian National Research and Education Network (RNP). Created in 1989. Implementing the first Latin American fiber network in 2005.

470 views • 22 slides
Distributed Tracking with Multiple Sensors for Augmented Reality 1. Workshop &quot;Virtuelle und

Distributed Tracking with Multiple Sensors for Augmented Reality 1. Workshop &quot;Virtuelle und

Distributed Tracking with Multiple Sensors for Augmented Reality 1. Workshop &quot;Virtuelle und Erweiterte Realitt&quot; der GI-Fachgruppe AR/VR Martin Wagner Lehrstuhl fr Angewandte Softwaretechnik Fachgebiet Augmented Reality Institut

460 views • 17 slides
Blind Beamforming using Randomly Distributed Sensors Kung Yao UCLA DARPA CSP Workshop, Jan. 15,

Blind Beamforming using Randomly Distributed Sensors Kung Yao UCLA DARPA CSP Workshop, Jan. 15,

Blind Beamforming using Randomly Distributed Sensors Kung Yao UCLA DARPA CSP Workshop, Jan. 15, 2001 Outline Introduction to blind beamforming array Different usages of blind beamforming arrays Applications 1. Acoustic source

301 views • 19 slides
Competing Tensions of Privacy Law and Distributed Collaboration Steven Michalove Thomas Daemen

Competing Tensions of Privacy Law and Distributed Collaboration Steven Michalove Thomas Daemen

Securing Wiki-Style Technology in the Global Enterprise: The Competing Tensions of Privacy Law and Distributed Collaboration Steven Michalove Thomas Daemen FIRST Conference 2008 Agenda The Evolving Collaboration Landscape Risk Redefined

354 views • 9 slides
Distributed Learning for Cooperative Inference C esar A. Uribe . Collaboration with: Alex

Distributed Learning for Cooperative Inference C esar A. Uribe . Collaboration with: Alex

Distributed Learning for Cooperative Inference C esar A. Uribe . Collaboration with: Alex Olshevsky and Angelia Nedi c LCCC - Focus Period on Large-Scale and Distributed Optimization June 5th, 2017 Optimization

899 views • 53 slides
CSE-571 Contact sensors: Bumpers Internal sensors Robotics Accelerometers

CSE-571 Contact sensors: Bumpers Internal sensors Robotics Accelerometers

Sensors for Mobile Robots CSE-571 Contact sensors: Bumpers Internal sensors Robotics Accelerometers (spring-mounted masses) Gyroscopes (spinning mass, laser light) Compasses, inclinometers (earth magnetic field, gravity)

253 views • 7 slides
INNOVATION GROUP Hellp Todays Rural Opportunity Youth session organized in collaboration

INNOVATION GROUP Hellp Todays Rural Opportunity Youth session organized in collaboration

Hello RURAL DEVELOPMENT INNOVATION GROUP Hellp Todays Rural Opportunity Youth session organized in collaboration with: RURAL OPPORTUNITY YOUTH ACROSS THE NATION, 2016 Andrew Schaefer, PhD Research Scientist Carsey School of Public

146 views • 10 slides
Melinda Stelzer and Bill Opsal Enhancing collaboration in distributed teams Partial

Melinda Stelzer and Bill Opsal Enhancing collaboration in distributed teams Partial

Melinda Stelzer and Bill Opsal Enhancing collaboration in distributed teams Partial collocation and its pitfalls Pushing team performance a step beyond The biggest pain point for distributed teams Empl ployees es o of f compa

688 views • 34 slides
Quality Assurance of Silicon Microstrip Sensors for the CBM Experiment I. Panasenko and P.

Quality Assurance of Silicon Microstrip Sensors for the CBM Experiment I. Panasenko and P.

Quality Assurance of Silicon Microstrip Sensors for the CBM Experiment I. Panasenko and P. Larionov for the CBM Collaboration (Darmstadt, DPG-2016) Outline Sensors for the Silicon Tracking System of CBM o Strategy for Quality Assurance o

420 views • 21 slides
Vision Sensors for Entomologically-inspired Micro Aerial Vehicles Dan Black, in collaboration

Vision Sensors for Entomologically-inspired Micro Aerial Vehicles Dan Black, in collaboration

Vision Sensors for Entomologically-inspired Micro Aerial Vehicles Dan Black, in collaboration with Professor Reid Harrison Insect Inspired Two kinds of vehicles: Micro Hovering Aerial Vehicles (MHAVs) ~ 50cm diameter Larger, but

507 views • 19 slides
Virtual Operations Centres for Coalition Operations and Distributed Team Collaboration Austin

Virtual Operations Centres for Coalition Operations and Distributed Team Collaboration Austin

Virtual Operations Centres for Coalition Operations and Distributed Team Collaboration Austin Tate &amp; Jeff Hansberger University of Edinburgh &amp; US Army Research Lab http://openvce.net Project to provide a Virtual Collaboration

370 views • 34 slides
From atom to bits Ermanno Pietrosemoli 1 Sensors Sensors are the bridge between the physical

From atom to bits Ermanno Pietrosemoli 1 Sensors Sensors are the bridge between the physical

Sensors: From atom to bits Ermanno Pietrosemoli 1 Sensors Sensors are the bridge between the physical world made of atoms and the abstract world of data. Humans have sensors that perceive many physical quantities whose output is transmitted

965 views • 24 slides
THE GLOBAL BIOPOLITICS RESEARCH CENTRES SOCIAL MEDIA AND RESEARCH DISSEMINATION STRATEGY: A

THE GLOBAL BIOPOLITICS RESEARCH CENTRES SOCIAL MEDIA AND RESEARCH DISSEMINATION STRATEGY: A

THE GLOBAL BIOPOLITICS RESEARCH CENTRES SOCIAL MEDIA AND RESEARCH DISSEMINATION STRATEGY: A REPORT INTRODUCTION 4 students were tasked with designing a workable research dissemination strategy The task involved getting GBRC on social

203 views • 8 slides
Support for Dissemination : A Role for Evaluators American Evaluation Association October 2014

Support for Dissemination : A Role for Evaluators American Evaluation Association October 2014

Support for Dissemination : A Role for Evaluators American Evaluation Association October 2014 Denver, CO Tania Jarosewich, PhD Censeo Group LLC Tania@CenseoGroup.com @TaniaJarosewich Expect Expectation ion fo for Di Dissem ssemina nation

385 views • 19 slides
Dissemination Courtney L. Harrison, MPA March 28, 2017 Maine Tennessee South Carolina

Dissemination Courtney L. Harrison, MPA March 28, 2017 Maine Tennessee South Carolina

Dissemination Courtney L. Harrison, MPA March 28, 2017 Maine Tennessee South Carolina 1. Dont 2. Have an 3. Know Illinois know and idea about Introductions about and havent done and have actively Washington a lot

392 views • 27 slides
of PCORI Research Findings Authorizing Legislation The purpose of the Institute is to assist

of PCORI Research Findings Authorizing Legislation The purpose of the Institute is to assist

Dissemination and Implementation of PCORI Research Findings Authorizing Legislation The purpose of the Institute is to assist patients, clinicians, purchasers, and policy-makers in making informed health decisions by advancing the quality and

221 views • 20 slides
Reviewing the Use of Research- Community Partnerships to Facilitate Implementation of

Reviewing the Use of Research- Community Partnerships to Facilitate Implementation of

Reviewing the Use of Research- Community Partnerships to Facilitate Implementation of Evidence-Based Practices in Childrens Community Services Nicole Stadnick, Lauren Brookman-Frazee, Aubyn Stahmer, Amy Herschell, Colby Chlebowski &amp; Ann

409 views • 39 slides
Collaborative Committee Committee Mission Statement To increase educational offerings for all

Collaborative Committee Committee Mission Statement To increase educational offerings for all

Connecticut River Collaborative Committee Committee Mission Statement To increase educational offerings for all area students at a reasonable cost to taxpayers Agenda 1. Welcome - Opening Statement 2. Review of Committee Work over last 9

307 views • 27 slides
Ten Things Marc P. Armstrong Professor and CLAS Fellow Click to edit Master subtitle style

Ten Things Marc P. Armstrong Professor and CLAS Fellow Click to edit Master subtitle style

Ten Things Marc P. Armstrong Professor and CLAS Fellow Click to edit Master subtitle style Chair, Department of Geography Interim Director, School of Journalism and Mass Communication Administrative Fellow (Dean-like Object), CLAS The

194 views • 8 slides
1/31/2018 First Year Experience Conference, Texas, February 2018 First Year Experience

1/31/2018 First Year Experience Conference, Texas, February 2018 First Year Experience

1/31/2018 First Year Experience Conference, Texas, February 2018 First Year Experience Conference, Texas, February 2018 About us KingstonUniversity London University of Mississippi Hands Across the Sea: UK/USA Collaboration on Common

229 views • 4 slides

More recommend