Scalable Parallel Intrusion Detection - PowerPoint PPT Presentation

Presentation Transcript


Scalable Parallel Intrusion Detection

Fahad Zafar

Advising Faculty: Dr. John Dorband and Dr. Yaacov Yeesha

University of Maryland Baltimore County


Intrusion Detection Systems (IDS)

  • Network IDS

    • are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network

  • Host IDS

    • monitors the inbound and outbound packets from the device only

  • Signature based IDS

    • will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats

  • Anomaly based IDS

    • will monitor network traffic and compare it against an established baseline


Existing Limitations

  • Network IDS:

    • Network speed is affected if all inbound and outbound traffic is analyzed.

  • Host IDS:

    • Slows productivity.

  • Signature based IDS:

    • Signature database keeps increasing in size.

  • Anomaly based IDS:

    • Training models is hard.


Ping Broadcast Attack

  • Send an ICMP echo request to the network broadcast address with the spoofed IP address of the server (victim).

Ping Broadcast Attacks

  • If you have 81 PCs on the network and your router forwards the request, a single echo request results in 81 echo replies: an 81x amplification of network traffic.
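Added example, not part of the slides: detection logic for the broadcast-ping amplification described above, run over constructed ICMP records. The subnet, hosts, and the reply threshold are assumptions; the reply count reproduces the slide's 81x figure.

```python
import ipaddress
from collections import Counter

# Constructed ICMP records, not from the slides: (src, dst, icmp_type)
# with type 8 = echo request and 0 = echo reply; a /24 subnet is assumed.
SUBNET = ipaddress.ip_network("192.168.1.0/24")
RECORDS = (
    [("192.168.1.10", "192.168.1.255", 8)]  # request to broadcast, spoofed src
    + [(f"192.168.1.{i}", "192.168.1.10", 0) for i in range(20, 101)]  # 81 replies
    + [("192.168.1.5", "192.168.1.6", 8), ("192.168.1.6", "192.168.1.5", 0)]  # ordinary ping
)

def find_broadcast_echo_requests(records, subnet):
    """Echo requests addressed to the subnet's directed-broadcast address.
    A router that does not forward directed broadcasts stops these at the edge."""
    bcast = str(subnet.broadcast_address)
    return [(src, dst) for src, dst, t in records if t == 8 and dst == bcast]

def find_amplified_victims(records, threshold=10):
    """Hosts receiving many more echo replies than the echo requests they
    sent. Returns {host: (requests_sent, replies_received)} above threshold."""
    sent = Counter(src for src, _, t in records if t == 8)
    received = Counter(dst for _, dst, t in records if t == 0)
    return {host: (sent[host], replies) for host, replies in received.items()
            if replies - sent[host] >= threshold}

def amplification_factor(records, victim):
    """Echo replies received per echo request attributed to the victim."""
    sent = sum(1 for src, _, t in records if t == 8 and src == victim)
    got = sum(1 for _, dst, t in records if t == 0 and dst == victim)
    return got / sent if sent else float("inf")
```

On the victim's own segment the spoofed request is only visible if it passes that sensor, so the reply-ratio check is the one a host-side sensor can rely on.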


Points worth a mention

  • One type of IDS cannot handle all types of attacks

    • An application IDS cannot handle ping broadcast attacks, but a network IDS can.

  • Network rules are needed for dynamic network management

    • When an attack is identified, write a rule for it.

Our Design

  • Understandings

    • Heterogeneous IDS is the future.

    • Better load balancing and minimum packet loss are requirements.

  • Main Characteristics

    • Isolating different IDS

    • Traffic-specific intrusion detection

Decentralized Traffic-Based Heterogeneous Intrusion Detection

[Diagram labels: e.g. SNORT; e.g. OSSEC HIDS]

  • 1. Smart Switch

    • Block, fork, or divert traffic.

    • Small cache for faster throughput.

  • 2. Decentralized Intrusion Detection

    • Working with current open source IDS packages.

  • 3. Smart Hashing

    • Destination-specific hashing.

    • Source-specific hashing.

    • Session-specific hashing.
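Added example, not code from the presented design: the three hashing keys listed above implemented as a mapping from a packet 5-tuple to one of N IDS workers. The packets, worker count, and use of SHA-256 as the hash are assumptions; the point it shows is that the session key must be symmetric so both directions of a flow reach the same stateful IDS.

```python
import hashlib
import ipaddress

# Constructed 5-tuples, not from the slides:
# (src_ip, src_port, dst_ip, dst_port, proto)
PACKETS = [
    ("10.0.0.5", 40000, "10.0.0.1", 80, "tcp"),
    ("10.0.0.1", 80, "10.0.0.5", 40000, "tcp"),      # reply direction
    ("10.0.0.6", 40001, "10.0.0.1", 80, "tcp"),
    ("10.0.0.7", 53000, "10.0.0.2", 53, "udp"),
    ("10.0.0.2", 53, "10.0.0.7", 53000, "udp"),      # reply direction
]

def _bucket(key: bytes, n_workers: int) -> int:
    """Stable hash of a key onto one of n_workers IDS instances."""
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") % n_workers

def hash_by_destination(pkt, n):
    """Destination-specific: all traffic to one server lands on one IDS."""
    return _bucket(pkt[2].encode(), n)

def hash_by_source(pkt, n):
    """Source-specific: all traffic from one client lands on one IDS."""
    return _bucket(pkt[0].encode(), n)

def hash_by_session(pkt, n):
    """Session-specific: both directions of a session land on the same IDS,
    which stateful engines (TCP stream reassembly) require. The key is made
    symmetric by ordering the two endpoints before hashing."""
    src_ip, src_port, dst_ip, dst_port, proto = pkt
    ends = sorted([(int(ipaddress.ip_address(src_ip)), src_port),
                   (int(ipaddress.ip_address(dst_ip)), dst_port)])
    key = f"{proto}|{ends[0]}|{ends[1]}".encode()
    return _bucket(key, n)

def reverse(pkt):
    """The reply direction of a packet's session."""
    return (pkt[2], pkt[3], pkt[0], pkt[1], pkt[4])

def worker_load(packets, strategy, n):
    """Packets per IDS worker under a strategy: shows how much isolation
    each key gives versus how evenly the load spreads."""
    load = [0] * n
    for p in packets:
        load[strategy(p, n)] += 1
    return load
```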

Intrusion Detection Algorithms

  • Signature extraction

  • Detect changes in the registry and use of DLLs

  • N-grams to train learning models and detect unknown viruses

    • Instance-Based Learner, Vector Machines, Decision Trees, etc.

A scalable multi-level feature extraction technique to detect malicious executables [5]

[5] Mohammad M. Masud, Latifur Khan and Bhavani Thuraisingham, "A scalable multi-level feature extraction technique to detect malicious executables".

Extracting n-grams

We explore multiple paths

  • Use semantic-based searching for malicious code.

  • Use restricted regular expressions for the parallel sequence and n-grams for the serial sequence.

  • Better feature extraction techniques for malicious and benign code.
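Added example, not code from the presentation or from [5]: byte n-gram extraction with information-gain feature selection, the serial-sequence path from the slides above and the feature step named on the "Intrusion Detection Algorithms" slide. The six labelled byte strings are constructed toy inputs, not real executables.

```python
import math

# Constructed toy corpora, not real executables: byte strings labelled
# 1 = malicious, 0 = benign. Real work would use files from a repository.
SAMPLES = [
    (b"\x55\x8b\xec\x83\xec\x10\xe8\x00\x00\x00\x00\x5b", 0),
    (b"\x55\x8b\xec\x83\xec\x20\xe8\x10\x00\x00\x00\xc3", 0),
    (b"\x55\x8b\xec\x6a\x00\xff\x15\x00\x40\x00\x00\x33\xc0", 0),
    (b"\x60\xe8\x00\x00\x00\x00\x5d\x81\xed\xf6\x01\x40\x00", 1),
    (b"\x60\xe8\x00\x00\x00\x00\x5d\x81\xed\x10\x00\x00\x00", 1),
    (b"\x60\xe8\x00\x00\x00\x00\x5e\x81\xee\x20\x00\x00\x00", 1),
]

def extract_ngrams(data: bytes, n: int) -> set:
    """Distinct n-byte sequences found by sliding a window over the bytes.
    Presence (not count) is the binary feature used for each n-gram."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def _entropy(pos: int, total: int) -> float:
    """Binary entropy of a set with pos positives out of total."""
    if total == 0 or pos in (0, total):
        return 0.0
    p = pos / total
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))

def information_gain(samples, gram: bytes) -> float:
    """Information gain of the feature 'sample contains gram' for the label.
    A substring test is equivalent to membership in extract_ngrams()."""
    total = len(samples)
    pos = sum(label for _, label in samples)
    with_g = [label for data, label in samples if gram in data]
    without = [label for data, label in samples if gram not in data]
    h_after = (len(with_g) / total * _entropy(sum(with_g), len(with_g))
               + len(without) / total * _entropy(sum(without), len(without)))
    return _entropy(pos, total) - h_after

def select_features(samples, n: int, k: int) -> list:
    """Top-k n-grams by information gain: the selection step that keeps the
    feature space tractable when every n-gram in every file is a candidate."""
    vocab = set().union(*(extract_ngrams(d, n) for d, _ in samples))
    ranked = sorted(vocab, key=lambda g: (-information_gain(samples, g), g))
    return ranked[:k]
```

The selected n-grams become the columns of the binary feature vectors fed to the learners listed on the algorithms slide.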

Future Work: Evolution of Malware

  • Use Metasploit for n-gram analysis

  • Test our detection techniques

    • Apply the identification technique to encrypted and altered versions of malware code.

Future Work: Detecting a Process in Execution

  • Send tagged code and a 16K memory dump

  • Offload work to bluegrit

  • Fast search according to signature + code-sequence regex

  • Reply to the server within reasonable time limits

Future Work: Current Progress

  • Survey infected files.

    • Repository

  • Look for ways to reduce false negatives and false positives compared to previous approaches [6].

  • Parallel scalable detection.

[6] J. Zico Kolter and Marcus A. Maloof, "Learning to Detect and Classify Malicious Executables in the Wild".
