Scalable Parallel Intrusion Detection

Fahad Zafar

Advising Faculty: Dr. John Dorband and Dr. Yaacov Yeesha

University of Maryland Baltimore County

Intrusion Detection Systems (IDS)
  • Network IDS
    • are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network
  • Host IDS
    • monitors the inbound and outbound packets from the device only
  • Signature based IDS
    • will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats
  • Anomaly based IDS
    • will monitor network traffic and compare it against an established baseline
Existing Limitations
  • Network IDS:
    • Network speed is affected if all inbound and outbound traffic is analyzed.
  • Host IDS:
    • Slows the host and its users' productivity.
  • Signature based IDS:
    • Signature database keeps increasing in size.
  • Anomaly based IDS:
    • Training models is hard.
Ping Broadcast Attack
  • Send an ICMP echo request to the network broadcast address with the spoofed IP of the server (victim)

Ping broadcast attacks
  • If there are 81 PCs on the network and the router forwards the request, a single echo request results in 81 echo replies: an 81x amplification of Internet traffic.
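The amplification described on this slide is easy to measure from the defender's side. The following is an added example (not code from the slides or the project) that scans constructed packet records for ICMP echo requests addressed to the monitored network's directed-broadcast address and reports, per spoofed source, how many echo replies were sent to it. The network 192.0.2.0/24, the victim address 198.51.100.10 and the packet tuples are all constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed packet records standing in for a capture (not data from the slides):
# (source IP, destination IP, ICMP type). Type 8 = echo request, type 0 = echo reply.
# 192.0.2.0/24 is the monitored LAN; 198.51.100.10 is the spoofed "server" address.
MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")
VICTIM = "198.51.100.10"

SAMPLE_PACKETS = (
    [("192.0.2.5", "192.0.2.6", 8), ("192.0.2.6", "192.0.2.5", 0)]  # ordinary ping
    + [(VICTIM, "192.0.2.255", 8)]                                  # echo request to broadcast, spoofed source
    + [(f"192.0.2.{i}", VICTIM, 0) for i in range(1, 82)]           # 81 hosts reply to the spoofed source
)


def is_directed_broadcast(dst, net=MONITORED_NET):
    """True if dst is the directed-broadcast address of the monitored network."""
    return ipaddress.ip_address(dst) == net.broadcast_address


def broadcast_echo_report(packets, net=MONITORED_NET):
    """Map each spoofed source of a broadcast echo request to request/reply counts.

    The ratio replies_to_victim / broadcast_requests is the observed amplification
    factor; for the constructed sample it is 81 replies for 1 request.
    """
    requests = Counter()
    for src, dst, icmp_type in packets:
        if icmp_type == 8 and is_directed_broadcast(dst, net):
            requests[src] += 1
    # Every echo reply is addressed to the (spoofed) source of the request.
    replies = Counter(dst for _, dst, icmp_type in packets if icmp_type == 0)
    report = {}
    for victim, n_req in requests.items():
        report[victim] = {
            "broadcast_requests": n_req,
            "replies_to_victim": replies[victim],
            "amplification": replies[victim] / n_req,
        }
    return report


if __name__ == "__main__":
    for victim, stats in broadcast_echo_report(SAMPLE_PACKETS).items():
        print(f"ALERT spoofed source={victim} {stats}")
```

The ordinary host-to-host ping in the sample produces no entry, because only requests whose destination equals `net.broadcast_address` are counted. The check complements the usual router-side mitigation of not forwarding directed broadcasts at all.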
Points worth a mention
  • One type of IDS cannot handle all types of attacks
      • An application IDS cannot handle ping broadcast attacks, but a network IDS can.
  • Network rules are needed for dynamic network management
      • When an attack is identified, write a rule for it.
Our Design
  • Understandings
    • Heterogeneous IDS is the future
    • Better load balancing and minimum packet loss are requirements.
  • Main Characteristics
    • Isolating different IDS
    • Traffic specific intrusion detection
  • 1. Smart Switch
    • Block, fork, or divert traffic.
    • Small cache for faster throughput.
  • 2. Decentralized Intrusion Detection
    • Working with current open source IDS packages
  • 3. Smart Hashing
    • Destination specific hashing.
    • Source specific hashing.
    • Session specific hashing.
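The three hashing modes on this slide decide which IDS instance sees a packet. As an added example (not the project's own smart-switch code), the block below implements destination-specific, source-specific and session-specific hashing over constructed packets and shows why the session variant matters for stateful detection: by sorting the two endpoints before hashing, both directions of a conversation land on the same worker, whereas hashing on destination or source alone can split a session across workers. The packet dictionaries, the worker count and the field names are assumptions for the example.

```python
import hashlib
from collections import defaultdict

# Constructed packets (not from the slides): one TCP session seen in both directions,
# a second TCP connection to the same server, and a DNS exchange.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "10.0.0.80", "dport": 80},
    {"proto": "tcp", "src": "10.0.0.80", "sport": 80, "dst": "10.0.0.5", "dport": 51000},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51001, "dst": "10.0.0.80", "dport": 80},
    {"proto": "udp", "src": "10.0.0.7", "sport": 40000, "dst": "10.0.0.53", "dport": 53},
    {"proto": "udp", "src": "10.0.0.53", "sport": 53, "dst": "10.0.0.7", "dport": 40000},
]


def _bucket(key, n_workers):
    # SHA-256 rather than Python's hash(): stable across processes and restarts,
    # so the same key always maps to the same IDS instance.
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_workers


def destination_hash(pkt, n_workers):
    """Destination-specific hashing: all traffic to one host goes to one IDS."""
    return _bucket(pkt["dst"], n_workers)


def source_hash(pkt, n_workers):
    """Source-specific hashing: all traffic from one host goes to one IDS."""
    return _bucket(pkt["src"], n_workers)


def session_key(pkt):
    """Direction-independent 5-tuple: both halves of a conversation share one key."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    lo, hi = sorted((a, b))
    return f"{pkt['proto']}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def session_hash(pkt, n_workers):
    """Session-specific hashing: request and reply packets reach the same IDS."""
    return _bucket(session_key(pkt), n_workers)


def dispatch(packets, n_workers, policy):
    """Assign each packet to an IDS worker queue according to the hashing policy."""
    queues = [[] for _ in range(n_workers)]
    for pkt in packets:
        queues[policy(pkt, n_workers)].append(pkt)
    return queues


def split_sessions(packets, n_workers, policy):
    """Count sessions whose packets were spread over more than one worker."""
    workers_per_session = defaultdict(set)
    for pkt in packets:
        workers_per_session[session_key(pkt)].add(policy(pkt, n_workers))
    return sum(1 for workers in workers_per_session.values() if len(workers) > 1)


if __name__ == "__main__":
    for name, policy in [("destination", destination_hash), ("source", source_hash), ("session", session_hash)]:
        queues = dispatch(SAMPLE_PACKETS, 4, policy)
        print(name, [len(q) for q in queues], "split sessions:", split_sessions(SAMPLE_PACKETS, 4, policy))
```

Destination or source hashing is the right choice when the detector only needs one side of the traffic (for example per-host rate limits), while session hashing is required for any rule that must see a request and its reply together; the `split_sessions` count is the check to run before choosing a policy.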
Intrusion Detection Algorithms
  • Signature Extraction
  • Detect changes in the registry and the use of DLLs
  • N-grams to train learning models and detect unknown viruses
    • Instance-based learners, Support Vector Machines, decision trees, etc.
A scalable multi-level feature extraction technique to detect malicious executables [5]

[5] Mohammad M. Masud, Latifur Khan, and Bhavani Thuraisingham, "A scalable multi-level feature extraction technique to detect malicious executables".

We explore multiple paths
  • Use semantic based searching for malicious code.
  • Use restricted regular expressions for the parallel sequence and n-grams for the serial sequence.
  • Better feature extraction techniques for malicious and benign code.
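The n-gram learning approach from the "Intrusion Detection Algorithms" slide and the feature extraction goal on this slide both come down to the same pipeline: turn each executable into a set of byte n-grams, keep the n-grams that best separate malicious from benign samples, and train a classifier on those features. The block below is an added example (not the project's code and not the method of references [5] or [6]) that implements that pipeline with information-gain feature selection and a naive Bayes classifier. The corpus is a constructed toy set of byte strings standing in for executables; the marker strings, n-gram length and feature count are assumptions chosen so the example runs offline.

```python
from collections import Counter
from math import log2

# Constructed toy corpus (not real executables): a shared header plus a class-specific
# marker string and a few unique bytes per sample.
HEADER = b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00"
MALICIOUS_MARK = b"CreateRemoteThread"   # assumption: a marker the "malicious" class shares
BENIGN_MARK = b"GetFileAttributesW"      # assumption: a marker the "benign" class shares
CORPUS = [
    (HEADER + b"\x01\x02" + MALICIOUS_MARK + b"\x41\x42", "malicious"),
    (HEADER + b"\x05\x06" + MALICIOUS_MARK + b"\x43\x44", "malicious"),
    (HEADER + b"\x07\x08" + MALICIOUS_MARK + b"\x45\x46", "malicious"),
    (HEADER + b"\x01\x02" + BENIGN_MARK + b"\x41\x42", "benign"),
    (HEADER + b"\x05\x06" + BENIGN_MARK + b"\x43\x44", "benign"),
    (HEADER + b"\x07\x08" + BENIGN_MARK + b"\x45\x46", "benign"),
]


def byte_ngrams(data, n=4):
    """Set of distinct n-byte sequences in the file; presence is the binary feature."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def _entropy(labels):
    total = len(labels)
    return -sum((c / total) * log2(c / total) for c in Counter(labels).values())


def information_gain(samples, gram):
    """IG of the feature 'gram is present'; samples is a list of (ngram_set, label)."""
    n = len(samples)
    with_gram = [label for grams, label in samples if gram in grams]
    without_gram = [label for grams, label in samples if gram not in grams]
    conditional = sum(len(part) / n * _entropy(part) for part in (with_gram, without_gram) if part)
    return _entropy([label for _, label in samples]) - conditional


def select_features(samples, k):
    """Keep the k n-grams with the highest information gain (ties broken by bytes)."""
    vocabulary = set().union(*(grams for grams, _ in samples))
    ranked = sorted(vocabulary, key=lambda g: (-information_gain(samples, g), g))
    return ranked[:k]


class NGramNaiveBayes:
    """Bernoulli naive Bayes over selected n-gram presence features."""

    def __init__(self, features):
        self.features = features
        self.prior = {}
        self.present_prob = {}  # (label, feature) -> P(feature present | label)

    def fit(self, samples):
        per_label = Counter(label for _, label in samples)
        for label, count in per_label.items():
            self.prior[label] = count / len(samples)
            for f in self.features:
                present = sum(1 for grams, lab in samples if lab == label and f in grams)
                self.present_prob[(label, f)] = (present + 1) / (count + 2)  # Laplace smoothing
        return self

    def predict(self, data):
        grams = byte_ngrams(data)
        scores = {}
        for label, prior in self.prior.items():
            score = log2(prior)
            for f in self.features:
                p = self.present_prob[(label, f)]
                score += log2(p if f in grams else 1 - p)
            scores[label] = score
        return max(scores, key=scores.get)


def train_model(corpus=CORPUS, n=4, k=30):
    samples = [(byte_ngrams(data, n), label) for data, label in corpus]
    return NGramNaiveBayes(select_features(samples, k)).fit(samples)


if __name__ == "__main__":
    model = train_model()
    unknown = HEADER + b"\x09\x0a" + MALICIOUS_MARK + b"\x47\x48"
    print(model.predict(unknown))  # expected: malicious
```

With `k=30` the selected features are exactly the 15 four-grams of each marker string: they have information gain 1.0 on this corpus, while the header n-grams shared by both classes score 0 and are never selected. On real executables the vocabulary runs to millions of n-grams, which is where the parallel, scalable extraction the deck argues for becomes necessary.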
Future Work: Evolution of Malware
  • Use Metasploit for N-gram analysis
  • Test our detection techniques
      • Apply identification technique for encrypted and altered versions of malware code.
Future Work: Detecting a process in execution
  • Send tagged code and 16K memory dump
  • Offload work to bluegrit
  • Fast search according to signature + code sequence regex.
  • Reply to server within reasonable time limits
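The server side of the procedure above is a bounded-time signature search over a submitted memory dump. As an added example (not the project's scanner and not its signature set), the block below compiles a small set of byte-level regular-expression signatures, scans a constructed 16K dump for all of them with a time budget, and returns both the hits with their offsets and whether the scan completed inside the budget, so the caller can still reply to the client on time with a partial result. The signature names, patterns, dump contents and 0.5 s budget are all assumptions.

```python
import re
import time

# Constructed signature set (hypothetical names and patterns, not the project's own):
# each value is a byte regex; "signature + code sequence" is expressed as a fixed
# header followed, within a bounded distance, by an API name.
SIGNATURES = {
    "toy-dropper": rb"MZ.{0,64}?CreateRemoteThread",
    "toy-downloader": rb"URLDownloadToFile[A-Z]?",
}

# Constructed 16K memory dump: zeros with a few markers planted at known offsets.
_dump = bytearray(16 * 1024)
_dump[0:2] = b"MZ"
_dump[40:58] = b"CreateRemoteThread"
_dump[4096:4114] = b"URLDownloadToFileA"
SAMPLE_DUMP = bytes(_dump)


def compile_signatures(signatures):
    """Compile once at startup; re.DOTALL lets '.' span NUL and newline bytes in a dump."""
    return {name: re.compile(pattern, re.DOTALL) for name, pattern in signatures.items()}


def scan_dump(dump, compiled, budget_s=0.5):
    """Return (hits, completed).

    hits is a list of (signature name, start offset, end offset). completed is False
    when the time budget ran out before every signature was tried, in which case the
    hits found so far are still returned so the server can answer within its limit.
    """
    started = time.monotonic()
    hits = []
    for name, regex in compiled.items():
        if time.monotonic() - started > budget_s:
            return hits, False
        for match in regex.finditer(dump):
            hits.append((name, match.start(), match.end()))
    return hits, True


if __name__ == "__main__":
    found, complete = scan_dump(SAMPLE_DUMP, compile_signatures(SIGNATURES))
    print("complete:", complete)
    for name, start, end in found:
        print(f"{name} at 0x{start:04x}-0x{end:04x}")
```

Offsets are reported rather than the matched bytes so the reply to the client stays small regardless of dump size; the budget check sits between signatures rather than inside `finditer`, so a single very slow pattern can still overrun it, which is the reason the slide restricts the regular-expression dialect.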
Future Work: Current Progress
  • Survey Infected Files.
    • Repository
  • Look for ways to reduce false negatives and false positives compared to previous approaches [6].
  • Parallel scalable detection.

[6] J. Zico Kolter and Marcus A. Maloof, "Learning to Detect and Classify Malicious Executables in the Wild".