specification based intrusion detection
play

Specification-based intrusion detection Effectively detecting - PowerPoint PPT Presentation

Mar 14, 2023 •25 likes •375 views

Specification-based intrusion detection Effectively detecting intrusions using business logic specification J. Lima, N. Escravana 1 Abstract In the recent years, the advent large-scale, highly targeted cyber-attacks raised the concern on the

  1. Specification-based intrusion detection Effectively detecting intrusions using business logic specification J. Lima, N. Escravana 1

  2. Abstract In the recent years, the advent large-scale, highly targeted cyber-attacks raised the concern on the protection of IT systems in general, and particularly the systems used to command, support and control critical infrastructures, where public transportation networks are inserted. Intrusion detection systems (IDS) have been used as a tool to detect attempted, or already accomplished, intrusions on IT systems, providing support to security administrators in the monitoring of their networks, in order to discover actual, and avoid future, intrusions. However the extensively acknowledged effectiveness problems these systems suffer have been hampering their broad usage. In the context of the SECUR-ED FP7 project, an intrusion detection tool using an innovative, business-process specification-based approach, that may be effective in increasing the protection of critical infrastructures and, at the same time, is able to solve some of the typical IDS problems, while working at an high semantic abstraction level. 2 Presented at Lisbon 2013 FIRST/TF-CSIRT Technical Colloquium SECUR-ED partly funded by EU FP7 under CA nº 261605

  3. Presentation outline § INOV and SECUR-ED presentation § Intrusion detection systems Ø Current strategies and technologies Ø Limitation and challenges § Business logic intrusion detection system Ø System architecture Ø Business logic specification-based model § Laboratory validation 3 Presented at Lisbon 2013 FIRST/TF-CSIRT Technical Colloquium SECUR-ED partly funded by EU FP7 under CA nº 261605

  4. INOV - INESC Inovação INOV - INESC Inovação is a leading private non-profit Research & Technology Organization in Portugal. It provides Consultancy, Innovation and Technological Development in collaboration with governments, companies and universities worldwide. INOV has strong technical expertise in: Ø Monitoring and Surveillance Solutions Ø Electronics Product Development Ø Cyber Security & Defense Ø Communication Networks & Services Ø IT & Open Source Solutions Ø Enterprise Engineering & IT Governance 4 Presented at Lisbon 2013 FIRST/TF-CSIRT Technical Colloquium SECUR-ED partly funded by EU FP7 under CA nº 261605

  5. Activity Areas • Sensors and Remote Monitoring Monitoring, Navigation • Command and Control Centres and Control • Automatic Incident Detection • Embedded Systems • LASER / LIDAR • Signal Processing • Organisational Engineering • IP networks • Systems Integration • Cybersecurity • Technological Consulting • Fixed and Mobile Comms • Software Quality Assurance Equipment • Open Source • Telecom Platforms and Services • IVRs & Voice Portals • Information Communications Technologies 5 Presented at Lisbon 2013 FIRST/TF-CSIRT Technical Colloquium SECUR-ED partly funded by EU FP7 under CA nº 261605

  6. INOV 6 Presented at Lisbon 2013 FIRST/TF-CSIRT Technical Colloquium SECUR-ED partly funded by EU FP7 under CA nº 261605

  7. SECUR-ED in short Ø Call FP7-SEC-2010-1, Security in Mass transportation Ø SECured URban transportation – European Demonstration • Budget = 40M € , EC Funding = 25 M € , the biggest FP7 Security project • Starting date: 1 st April 2011 • Duration: 42 months Ø The main objective of the SECUR-ED project is to give transport operators of large and medium European cities the means to enhance urban transport security Ø The second main objective is to enlarge the mass transport security market for the European industry 7 Presented at Lisbon 2013 FIRST/TF-CSIRT Technical Colloquium SECUR-ED partly funded by EU FP7 under CA nº 261605

  8. A consistent and balanced consortium § 40 partners: Authorities, Industries Organisations THALES TCS (coordinator) France ALSTOM TRANSPORT France Operators EOS Belgium ANSALDO STS Italy STSI France BOMBARDIER Germany CRTM Spain TRANSPORTATION ATM Italy UITP Belgium NICE Israel DEUTSCHE BAHN Germany UNIFE Belgium MORPHO France RATB (Bucharest) Romania AXIS Sweden EMEF Portugal SELEX ELSAG Italy Research RATP France SME EMT MADRID Spain CEA France SNCF France FOI Sweden EDISOFT Portugal FNM MILANO Italy FRAUNHOFER Germany HAMBURG CONSULT Germany JRC Europe STIB Belgium ICCA Spain PADERBORN UNIV. Germany MTRS3 Israel TCDD Turkey STAVANGER UNIV. Norway INECO Spain TNO Netherlands G. TEAM Israel TU DRESDEN Germany VTT Finland WUERZBURG UNIV. Germany INOV Portugal 8 Presented at Lisbon 2013 FIRST/TF-CSIRT Technical Colloquium SECUR-ED partly funded by EU FP7 under CA nº 261605

  9. Security Capacities § By security capacities, we mean all measures enhancing the security of passengers, staff and assets in a multimodal transport node § This implies: Ø Specific tools for deeper analysis of the security risks & solutions Ø Smart and generic security operating procedures Ø Improve interoperability of technical security solutions • Video surveillance (CCTV) • Infrastructure protection and/or resilience • Protection against CBRN-E • Information management and communication • Preventive & early analysis • Cyber Security Ø Training programmes for various stakeholders: • Passengers, employees (PTO or shops) • Operators of control centre, security manager, decision maker A mix of technologies and procedures A mix of best practices and training programmes 9 Presented at Lisbon 2013 FIRST/TF-CSIRT Technical Colloquium SECUR-ED partly funded by EU FP7 under CA nº 261605

  10. SECUR-ED presentation INOV role in SECUR-ED: Ø Perform security risk assessments on 5 cities public transport operators (Lisbon, Bilbao, Krakow, Bucharest & Flensburg) Ø Create a intrusion detection solution targeted for usage in urban public transportation 10 Presented at Lisbon 2013 FIRST/TF-CSIRT Technical Colloquium SECUR-ED partly funded by EU FP7 under CA nº 261605

  11. Intrusion detection systems Overview § Have been studied and used for more than 30 years Ø Need for IDSs was first justified by Anderson Ø Primitive IDS proposed by the same author years later Ø First IDS called IDES was proposed by Dorothy Denning Ø First proposals developed to protect small and seldom- changed systems with a restricted and well defined number of users 11 Presented at Lisbon 2013 FIRST/TF-CSIRT Technical Colloquium SECUR-ED partly funded by EU FP7 under CA nº 261605

  12. Intrusion detection systems Current Technologies and strategies § Data Collection Ø Host-based Ø Network-based § Processing method Ø Misuse detection § System architecture Ø Anomaly detection and processing Ø Specification-based strategy Ø Single instance Ø Centralised Ø Distributed 12 Presented at Lisbon 2013 FIRST/TF-CSIRT Technical Colloquium SECUR-ED partly funded by EU FP7 under CA nº 261605

  13. Intrusion detection systems Limitations and challenges § DARPA 1998 and 1999 evaluations Ø IDSs of several research teams were set to be tested Ø Comprehensive set of attack were conducted against several test hosts Ø Significant number of false positives and false negatives generated by the systems at test § Werlinger et al. usability assessment Ø Personal interview of 35 participants from 16 organizations with background in IT management and security Ø IDSs are said to be expensive, hard to deploy and maintain, unreliable and apparently useless § Vigna et al. Ø Main challenge is yet to expand IDS’s scope in order “ to take into account the surrounding context, in terms (…) of missions, tasks, and stakeholders, when analysing data in an effort to identify malicious intent. ” 13 Presented at Lisbon 2013 FIRST/TF-CSIRT Technical Colloquium SECUR-ED partly funded by EU FP7 under CA nº 261605

  14. Business logic IDS System architecture § System architecture and § Data Collection processing strategy Ø Network-based Ø Centralised • “Core” sensors of the solution • Intrusion detection sensors • Used solution based on rules spread along the target to detect misuse and system specification-based => Snort Ø Host-based § Processing method • Used when is not possible to Ø Misuse detection obtain information from the • Used to find attacks already network, or the information known obtained is rather inconclusive • Used to monitor the integrity in Ø Specification-based critical systems that are • Used to find deviations from expected to be seldom the application processes changed 14 Presented at Lisbon 2013 FIRST/TF-CSIRT Technical Colloquium SECUR-ED partly funded by EU FP7 under CA nº 261605

  15. Business logic specification model § Focused in business and application architectural layers Ø Specification of the interactions between systems in order to accomplish a certain objective => Business processes • BPMN as a graphical notation Ø Specification of rules that must be valid across the organization / execution of business processes => Business rules § Technically this model was divided in two sub-models Ø Types model -> supports the definition of the business logic Ø Instances model -> supports the verification of the business logic 15 Presented at Lisbon 2013 FIRST/TF-CSIRT Technical Colloquium SECUR-ED partly funded by EU FP7 under CA nº 261605

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

584 views • 30 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol Toshiba, 26/11/2020 1 Talk loosely based on following publications Han et al. UNICORN: Revisiting Host-Based Intrusion Detection in the Age of

783 views • 55 slides
Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar

Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar

Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar Supervisor: Prof. Slobodan Petrovic FINSE 10th of may 2017 Contents Introduction Snort: a misuse-based intrusion detection Problem

247 views • 14 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to

Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to

Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to signature-based PCA detection Human intervention By Jeff Terrell Not adaptive; can't learn For COMP 290 - IDS - Spring 2005 Can be

360 views • 7 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Synthesis of non-interferent systems Gilles Benattar Franck Cassez Didier Lime Olivier

Synthesis of non-interferent systems Gilles Benattar Franck Cassez Didier Lime Olivier

Introduction Definitions Results Conclusion Synthesis of non-interferent systems Gilles Benattar Franck Cassez Didier Lime Olivier H.Roux IRCCyN/CNRS UMR 6597, Nantes, France CNRS and National ICT Australia, Sydney,

753 views • 42 slides
Comte Head: Catuscia Palamidessi Comit de Visite AERES, February 3-4, 2009 1 / 15 The

Comte Head: Catuscia Palamidessi Comit de Visite AERES, February 3-4, 2009 1 / 15 The

Comte Head: Catuscia Palamidessi Comit de Visite AERES, February 3-4, 2009 1 / 15 The Comte team Name Function Institution Since Permanent Researchers Catuscia Palamidessi DR INRIA 2003 Frank Valencia CR CNRS 2004 Post-docs

398 views • 15 slides
Enhancing constraints on modified gravity and inflation with multi-tracer cosmological surveys

Enhancing constraints on modified gravity and inflation with multi-tracer cosmological surveys

Enhancing constraints on modified gravity and inflation with multi-tracer cosmological surveys arXiv:1505.04106 (MNRAS 2016) 1403.5237 (J-PAS white paper) 1302.5444 (MNRAS 2013) 1108.5449 (MNRAS 2012) L. Raul Abramo Instituto de Fisica &

1.07k views • 27 slides
Using Science Texts Using Science Texts and Content in and Content in Interventions that

Using Science Texts Using Science Texts and Content in and Content in Interventions that

Using Science Texts Using Science Texts and Content in and Content in Interventions that Interventions that Bring Struggling Bring Struggling Readers to Readers to Proficient Reading Proficient Reading Elfrieda H. Hiebert University of

741 views • 30 slides
Rails Response to COVID-19 A Joint Webinar from FTR & RFC Rails Response to COVID-19 A

Rails Response to COVID-19 A Joint Webinar from FTR & RFC Rails Response to COVID-19 A

Rails Response to COVID-19 A Joint Webinar from FTR & RFC Rails Response to COVID-19 A Joint Webinar from FTR & RFC Eric Starks Todd Tranausky David Nahass William Geiger FTR Chairman & CEO FTR VP of Rail & Intermodal

680 views • 40 slides
LoanSTAR Pilot Program Texas State Energy Conservation Office Dub Taylor, Director

LoanSTAR Pilot Program Texas State Energy Conservation Office Dub Taylor, Director

LoanSTAR Pilot Program Texas State Energy Conservation Office Dub Taylor, Director dub.taylor@cpa.texas.gov Eddy Trevino, Program Manager eddy.trevino@cpa.texas.gov State Agencies and Public Higher Education No of Loans Project Cost

391 views • 8 slides
Version 1.2 of the Catalogue AMI-SeCo Meeting 07 December 2017 DG-Market Infrastructure and

Version 1.2 of the Catalogue AMI-SeCo Meeting 07 December 2017 DG-Market Infrastructure and

Version 1.2 of the Catalogue AMI-SeCo Meeting 07 December 2017 DG-Market Infrastructure and Payments European Central Bank ECB-UNRESTRICTED 0 Version 1.2 of the Catalogue The Version 1.2 of the Catalogue is based on: 1) The version 2.0 of

472 views • 8 slides
Questions Historical research questions that are suitable for a prosopographical approach What

Questions Historical research questions that are suitable for a prosopographical approach What

Prosopographical Research Questions Historical research questions that are suitable for a prosopographical approach What is prosopography? Lawrence Stone: Prosopography is the investigation of the common background characteristics of a

528 views • 9 slides

More recommend