Neural Technology and Fuzzy Systems in Network Security: Project Progress 2
Group 2: Omar Ehtisham Anwar 2005-02-0129, Aneela Laeeq 2005-02-0023
Neural Techniques
• Conventional IPS tools rely on static rules alone, so they can only flag activity that a rule already describes
• Neural techniques instead classify every new event and highlight those that appear most threatening
• Neural techniques leave the security expert as the final arbiter of whether an event is actually malicious
The Neural Security Layer
Fuzzy Clustering
• Creates a baseline profile of the network in its various states by “training” on observed activity
• Captures patterns of behaviour rather than an exact profile of what a given user does
• Uses clustering algorithms that identify these patterns and separate the data into clusters accordingly
Kernel Classifier
• Determines which existing cluster a new event most likely belongs to
• Scores events by how far they lie from the norm, i.e. from the nearest existing cluster
• The events farthest from any cluster bubble to the top, where administrators take manual action
• Uses algorithms based on non-linear distributions, with statistics tracked over extended periods of time
Clusters
• A set of XML files that serve as the model filters, or knowledge base, for the network resource being monitored
• The knowledge base is continually updated from two sources:
• Results of day-to-day activity on the monitored resource
• Data from third-party sources, such as IDS signatures
Six Steps to Producing Security Intelligence
• Designate Data: Data can be system log entries or any other raw or formatted measure of activity in the environment.
• Model Analyst Expertise: The variables, weights, cluster centers and pertinent event knowledge that make up the analytic (data mining) model are configured according to the specific analysis requirements and the unique attributes of the particular environment.
• Train Model: The designated security data is organized into multi-dimensional “event vectors” within the context of the analytic model. This establishes the baseline of normal activity.
• Generate Knowledge: Live or offline data is compared against the training baseline and classified accordingly.
• Teach Model: User supervision and the infusion of expert knowledge are essential to accurate event classification and system baselining, and to filtering out anomalous activity that is not actually threatening.
• Leverage Knowledge: The system's output supports real-time or offline analysis, detection and prevention of internal and external criminal activity or system misuse.
Neural Security (NS) Tool • Monitors activity on Microsoft Internet Information Server (IIS) Web servers • Preconfigured to monitor activity on a single IIS server or an entire server farm • In training mode, examines IIS logs to determine normal activity of the server and creates its clusters • Comes with a knowledge base of known IIS exploits • Unlike rule-based security systems, NS quickly adapts to each unique installation and will continue to adapt as more information is added to its knowledge base
Neural Security (NS) Tool
Training Mode
• Organizes IIS-specific data into clusters that reflect normal use patterns (both trusted and untrusted) within the server environment
• The process of organizing clusters is guided by a built-in knowledge base of published attack signatures
Monitor Mode
• Compares every incoming request to IIS against the Training Database to determine whether it falls within an acceptable distance of trusted activity
• Within the limits of trusted activity: processing continues
• Outside the limits of trusted activity: initiates whatever action has been configured, e.g. post an on-screen alert, block the untrusted connection or shut down IIS
Neural Security (NS) Tool
Maintenance
• Proper classification of events is essential
• Classify events as Security Alerts are displayed, or review the Security Alert Log periodically
• After re-classifying events, “Re-Train” the database
• NS remembers the corrected classification and the characteristics of those events, and applies them to the analysis of subsequent events
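The whole cycle these slides describe (fuzzy clustering of a training baseline, a classifier that scores new events by distance from the nearest cluster, the six steps, NS training and monitor modes, and the maintenance re-train) as one added Python example. This is not the NS tool's own code and nothing here is taken from it: plain k-means stands in for the fuzzy clustering, the IIS W3C log lines and the attack-signature list are constructed for the example, and the event-vector dimensions and the `slack` / `min_radius` thresholds are illustrative choices.

```python
"""Neural-security-style pipeline over IIS W3C log lines (added example): train
clusters of normal activity, score requests by distance from the nearest trusted
cluster, surface outliers as alerts, and re-train after analyst review."""
import math
import re

# Constructed IIS W3C log lines (date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status sc-bytes); not captured from a real server.
TRAINING_LOG = """\
2005-03-01 10:00:01 10.0.0.5 GET /index.htm - 200 3120
2005-03-01 10:00:02 10.0.0.7 GET /products.asp id=12 200 5400
2005-03-01 10:00:03 10.0.0.5 GET /images/logo.gif - 200 8800
2005-03-01 10:00:04 10.0.0.9 GET /products.asp id=13 200 5380
2005-03-01 10:00:05 10.0.0.7 POST /login.asp - 302 210
2005-03-01 10:00:06 10.0.0.5 GET /missing.htm - 404 1500
2005-03-01 10:00:07 10.0.0.9 GET /index.htm - 200 3120
2005-03-01 10:00:08 10.0.0.5 GET /products.asp id=14 200 5411
2005-03-01 10:00:09 10.0.0.66 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 540
"""
LIVE_LOG = """\
2005-03-02 09:00:01 10.0.0.5 GET /index.htm - 200 3120
2005-03-02 09:00:02 10.0.0.8 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 540
2005-03-02 09:00:03 10.0.0.8 GET /products.asp id=1'+or+'1'='1 500 2300
2005-03-02 09:00:04 10.0.0.7 GET /files/report.pdf - 200 24000000
"""
# Stand-in for the built-in knowledge base of published IIS attack patterns:
# directory traversal, its Unicode-encoded forms, and cmd.exe invocation.
ATTACK_SIGNATURES = [r"\.\./", r"%c0%af", r"%c1%9c", r"cmd\.exe"]

def parse(line):
    _date, _time, ip, method, stem, query, status, nbytes = line.split()
    return {"ip": ip, "method": method, "stem": stem, "raw": line,
            "query": "" if query == "-" else query,
            "status": int(status), "bytes": int(nbytes)}

def matches_signature(event):
    text = (event["stem"] + "?" + event["query"]).lower()
    return any(re.search(sig, text) for sig in ATTACK_SIGNATURES)

def vectorize(event):
    """Event vector: the dimensions requests are compared along (divisors are illustrative)."""
    text = event["stem"] + event["query"]
    return [len(event["stem"]) / 20.0,                  # path length
            len(event["query"]) / 10.0,                 # query length
            sum(c in "%.<>'\"" for c in text) / 2.0,    # encoded / special characters
            math.log10(event["bytes"] + 1) / 4.0]       # response size, log scale

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(vectors, k, rounds=20):
    """Plain k-means (hard clusters stand in for fuzzy clustering); seeded by the first k vectors."""
    centers = [list(v) for v in vectors[:k]]
    for _ in range(rounds):
        groups = [[] for _ in centers]
        for v in vectors:
            groups[min(range(k), key=lambda i: dist(v, centers[i]))].append(v)
        centers = [[sum(col) / len(g) for col in zip(*g)] if g else c
                   for g, c in zip(groups, centers)]
    return centers, groups

class NeuralSecurityModel:
    def __init__(self, k=2, slack=1.5, min_radius=0.05):
        self.k, self.slack, self.min_radius = k, slack, min_radius
        self.trusted = []    # baseline-normal and analyst-confirmed benign events
        self.untrusted = []  # signature hits and analyst-confirmed attacks
        self.clusters = []   # (center, radius) pairs describing trusted activity

    def train(self, log_text):
        """Training mode: signature hits go to the untrusted set, the rest form the baseline."""
        for line in log_text.splitlines():
            event = parse(line)
            (self.untrusted if matches_signature(event) else self.trusted).append(event)
        self.retrain()

    def retrain(self):
        vectors = [vectorize(e) for e in self.trusted]
        centers, groups = kmeans(vectors, min(self.k, len(vectors)))
        # Radius = farthest training member, widened by 'slack'; min_radius keeps
        # a cluster of near-identical events from rejecting every new request.
        self.clusters = [(c, max(self.slack * max(dist(v, c) for v in g), self.min_radius))
                         for c, g in zip(centers, groups) if g]

    def score(self, line):
        """Monitor mode: distance to the nearest trusted cluster over its radius (>1.0 is
        outside trusted activity); signature hits and near-copies of confirmed attacks score inf."""
        event = parse(line)
        v = vectorize(event)
        if matches_signature(event) or not self.clusters or any(
                dist(v, vectorize(u)) < self.min_radius for u in self.untrusted):
            return float("inf"), event
        return min(dist(v, c) / r for c, r in self.clusters), event

    def monitor(self, log_text):
        """Alerts sorted so the events farthest from the norm bubble to the top."""
        alerts = [(s, e["raw"]) for s, e in map(self.score, log_text.splitlines()) if s > 1.0]
        return sorted(alerts, reverse=True)

    def teach(self, line, trusted):
        """Maintenance: analyst re-classifies an alerted event, then the database is re-trained."""
        (self.trusted if trusted else self.untrusted).append(parse(line))
        self.retrain()
```

Typical use: `model = NeuralSecurityModel(); model.train(TRAINING_LOG); model.monitor(LIVE_LOG)` returns three alerts in order: the Unicode-traversal request (a signature hit, scored infinite), the quote-laden `products.asp` query (far from every cluster on the special-character and query-length dimensions), and the very large PDF download (far on the size dimension). After `model.teach(<download line>, trusted=True)` the download becomes a member of a trusted cluster and no longer alerts, while the other two still do. Note the caveat the maintenance slide implies: accepting one outlier as trusted widens that cluster's radius considerably, so the injection-style request still scores above 1.0 afterwards but with much less margin, and a careless re-classification can let later outliers through. Marking an event with `trusted=False` instead records it so that near-copies score infinite from then on.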