second line intrusion detection using personalization n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Second Line Intrusion Detection Using Personalization PowerPoint Presentation
Download Presentation
Second Line Intrusion Detection Using Personalization

Loading in 2 Seconds...

play fullscreen
1 / 15
jason

Second Line Intrusion Detection Using Personalization - PowerPoint PPT Presentation

80 Views
Download Presentation
Second Line Intrusion Detection Using Personalization
An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Second Line Intrusion DetectionUsing Personalization DISA Sponsored GWU-CS

  2. Content • Introduction • Examples and Analysis • Prototype Design • More to come • Conclusion

  3. Introduction • Penetration into computer systems continues at a high rate despite substantial progress in security research and technology • No reason to assume that this level of “insecurity” will change • Most penetrations are done by individuals or small teams • Only lately has personalization entered into security consideration

  4. Our research into personalization in areas such as: • User command lines behavior (e.g., UNIX) • User browser patterns as reflected by URL sequences • User work habits • Provides a basis for: • User classification • Abnormality observation • Detection of deviation from regular behavior • Changes in patterns

  5. Examples and Analysis www.fada.com www.fada.com/address.html www.fada.com/cline.html www.fada.com/cline-bisttram.html www.fada.com/cline-stella2.html www.fada.com/karges.html www.fada.com/karges1.html www.fada.com/karges3.html www.fada.com/karges8.html www.fada.com/mmfa.html www.fada.com/mmfa1.html www.fada.com/mmfa9.html

  6. Comments on Example 1 • Assumptions: • Access to server is through home page www.fada.com • Knowledge of structure and content of server pages www.fada.com • Provides the following: • Detailed access starts from server page address.html • Page cline.html leads to two links: • Cline-bisttrom.html and • Cline-stella.html • The example demonstrates “reasonable” behavior

  7. Example 2 www.fada.com/mmfa9.html www.fada.com/rehs10.html www.fada.com/stern3.html www.fada.com/address.html www.fada.com/trotter41.html www.fada.com/cantor8.html

  8. Comments on Example 2 • Access starts straight from a couple of internal pages (i.e., nodes of the tree) • It continues by a visit to a link off the home page • Summary: • The behavior does not follow regular access patterns • The behavior is difficult to explain • This access may indicate suspicious behavior

  9. Other Types of Entry Modes • In addition to URLs, one should watch out for: • FTP access • E-mail • Potential Logins • Other protocols access: e.g., port scanning • On a “sound” server: • FTPs port are predefined • E-mail, except for bugs, can be protected against • Port scanning is already trapped by IDS

  10. Prototype Design • We face suspicious behavior with two tools • Automatic recognition • Machine Learning • Data Mining • Automatic recognition may be trained on “regular’ access patterns and attempt detection of “irregular” access patterns • So far, results are good, but not great – enough penetration is undetected

  11. Behavior Analysis Application • A JAVA application that classifies behavior is partially done and operational • It shows a high level of detection of irregular behavior • The approach is promising and has a proven track record • Web Browser communication performance improved by 20% by changing cache to use Next URL Prediction • Prediction is based on the underlining assumption of “regularity” of behavior

  12. Observation • URL, IP packets, and Port scanning look like an algorithm (or a program) without termination • Example 1 can be written as: Initialize; www.fada.com Initialize; www.fada.com/address.html Loop; rest of URLs • The loop is a while that selects links in www.fada.com/address.html for viewing • The selection criterion is personal • Example 2 seems as an unordered set of program statements • Therefore Example 2 does not seem to be a “regular” access pattern

  13. Prototype Design Details STEPS • Analyze Server pages hierarchy • Analyze each page for links and sources (i.e. src) files • Build an identification engine based on • Behavior categorization • Page hierarchy • Isolation of individual users to identifying agents • Construct input benchmarks • Continue work on Other Types of Entry Modes

  14. More to come • Examples of more complex relationships to be explored • Server pages link to other servers pages • Same source (IP) for different communication types • Accessing different locations on tree concurrently • Can be done by using two copies of the browser • The two sessions will have different Ids but may be cooperating • The agents monitoring the two browsers must collaborate • URLs and FTPs from same source at the same time • Multiple FTPs • Similar case to multiple browsers • ...

  15. Conclusion • A substantial prototype will be completed by end of Summer • Complex relationships will be explored: • Threats will be enumerated • Potential detection will be proposed • Prototype will include some of these results • Open areas will be reported on in detail