cyber threat analysis l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Cyber Threat Analysis PowerPoint Presentation
Download Presentation
Cyber Threat Analysis

Loading in 2 Seconds...

play fullscreen
1 / 5

Cyber Threat Analysis - PowerPoint PPT Presentation


  • 151 Views
  • Uploaded on

Cyber Threat Analysis. As the cost of information processing and Internet accessibility falls, organizations are becoming increasingly vulnerable to potential cyber threats such as network intrusions. Intrusions are actions that attempt to bypass security mechanisms of computer systems

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Cyber Threat Analysis' - kueng


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
cyber threat analysis
Cyber Threat Analysis
  • As the cost of information processing and Internet accessibility falls, organizations are becoming increasingly vulnerable to potential cyber threats such as network intrusions
  • Intrusions are actions that attempt to bypass security mechanisms of computer systems
  • Intrusions are caused by:
    • Attackers accessing the system from Internet
    • Insider attackers - authorized users attempting to gain and misuse non-authorized privileges
data mining for intrusion detection
Data Mining for Intrusion Detection
  • Traditional intrusion detection system IDS tools (e.g. SNORT) are based on signatures of known attacks
    • These signatures have to be manually revised for each new type of discovered intrusion, and they cannot detect emerging cyber threats
  • Data mining based systems are adaptive in nature and do not have limitations of signature-based systems
    • Predictive models can be more sophisticated and precise than manually created signatures
    • Outlier detection techniques can identify novel cyber attacks as deviations from “normal” behavior

www.snort.org

novel intrusion detection using data mining
Novel Intrusion Detection Using Data Mining

MINDS (MINnesota INtrusion Detection System) –A data mining based system for detecting network intrusionshttp://www.cs.umn.edu/~kumar/Presentation/minds.ppt

  • A sample of top ranked anomalies/attacks picked by MINDS on the University of Minnesota network traffic data. None of these attacks were detected by SNORT, which is a state of the art intrusion detection system
    • On August 13, 2002, detected scanning for Microsoft DS service on port 445/TCP (Ranked #1 by the MINDS outlier detection scheme)
      • Reported by CERT as a DoS attack that needs further analysis (CERT August 9, 2002)
      • Undetected by SNORT since the scanning was non-sequential and thus very slow
      • A new rule has since been added to SNORT to detect slow scanning on this port

Number of scanning activities on Microsoft DS service on port 445/TCP reported in the World (Source www.incidents.org)

snort vs minds outlier detection
SNORT vs. MINDS Outlier Detection
  • August 13, 2002
    • Detected scanning for Oracle server (Ranked #2)
      • Reported by CERT, June 13, 2002
      • First detection of this attack type by our University
      • Undetected by SNORT because the scanning was hidden within another Web scanning
  • August 8, 2002
    • Identified machine that was running Microsoft PPTP VPN server on non-standard ports, which is a policy violation (Ranked #1)
      • Undetected by SNORT since the collected GRE traffic was part of the normal traffic
      • Example of an insider attack
  • October 30, 2002
    • Identified compromised machines that were running FTP servers on non-standard ports, which is a policy violation (Ranked #1)
      • Anomaly detection identified this due to huge file transfer on a non-standard port
      • Undetectable by SNORT due to the fact there are no signatures for these activities
      • Example of anomalous behavior following a successful Trojan horse attack
snort vs minds outlier detection5
SNORT vs. MINDS Outlier Detection
  • October 10, 2002
    • Detected several instances of slapper worm that were not identified by SNORT since they were variations of existing worm code
    • Detected by MINDS anomaly detection algorithm since source and destination ports are the same but non-standard, and slow scan-like behavior for the source port
    • Potentially detectable by SNORT using more general rules, but the false alarm rate will be too high
    • Virus detection through anomalous behavior of infected machine

Number of slapper worms on port 2002 reported in the World (Source www.incidents.org)