Network Behaviors Monitoring and Management Shian-Shyong Tseng Department of Computer and Information Science, National Chiao Tung Univ.
Introduction
• Dramatically increasing growth of networked computer resources.
• How to identify possible intrusion behaviors and secure the system infrastructure.
• Representation of intrusion patterns
  • Intrusion Detection Markup Language (IDML) based on XML.
Introduction
• Data Mining for Intrusion Analysis.
• Finding Unknown Intrusions by Analyzing Network Logs.
Related Works
• Related Products
  • CheckPoint2000, TIS Firewall Toolkit (FWTK), Server Guard, Cisco PIX Firewall, Sonic Wall, Cyber Guard 4.0, Border Ware 6.0, etc.
• The Problem
  • Cannot detect complex intrusions.
  • Lack of extendibility for unknown intrusions.
Related Works
• Intrusion categories
  • Probing
  • User to Root
  • Remote to Local
  • DoS
• Intrusion Representation
  • Implicit representation, Rule oriented representation, Pattern oriented representation, Specific representation.
Related Works
• Intrusion Detection Systems
  • Firewall Systems
    • Single and simple rules
    • Packet Level Filtering
  • Research Models
    • Complicated rules, Goal Tree, etc.
    • The performance may not meet the on-line performance requirements.
• Ideal intrusion detection system
  • Efficient detection mechanism
  • Good representation of expert knowledge
IDML Based I. D. Model
• A standardized intrusion behavior expression will help to accumulate expertise about intrusion.
• Issues to design an intrusion detection system:
  • Pattern representation
  • Computability
  • Understandability
  • Performance
  • Extendibility and maintenance
IDML Components
• Property
  • A pair of property name and value.
• Event
  • A set of properties.
• Event Comparator
  • Expresses the condition of an intrusion pattern.
• Intrusion State
  • States are defined to record information about the situation of the intrusion process.
• Intrusion Pattern
Intrusion Pattern Representation in IDML
• Issues for an intrusion pattern representation:
  • How to collect and analyze the event information required in the pattern
  • How to transform the intrusion into a state transition pattern
  • How to express event comparison between states
  • What kind of actions should be taken for the intrusion
IDML Parser
• IDML Parser
  • Parses the related information in the IDML document.
  • Intrusion patterns can be transformed into a finite state machine for further intrusion detection.
Intrusion Pattern State Machine
• The finite state machine for IDML documents.
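The slides above name the IDML building blocks (property, event, event comparator, intrusion state, intrusion pattern) and the parser step that turns a pattern document into a finite state machine. The following Python is an added illustration of that pipeline, not code from the presentation or from the IDML project. The element names <pattern>, <state>, <transition>, <bind> and <match> are assumed for this example and are not the real IDML schema; the pattern, the events and the alert text are constructed. The "$attacker" reference plays the role of the event comparator: it compares a property of the current event with a property recorded when an earlier state was entered, which is how "event comparison between states" is expressed here.

```python
# Added example: an IDML-style pattern parsed into a finite state machine and
# run over an event stream.  Element names are ASSUMED, not the IDML schema.
import xml.etree.ElementTree as ET
from collections import defaultdict, namedtuple

# Constructed pattern: three failed logins from one source, then a successful
# login from the same source.  "$attacker" refers to the src property bound
# when the pattern entered state S1.
PATTERN_XML = """
<pattern name="bruteforce-then-success" alert="possible credential guessing">
  <state id="S0" initial="true">
    <transition to="S1" event="login_failed"><bind property="src" as="attacker"/></transition>
  </state>
  <state id="S1">
    <transition to="S2" event="login_failed"><match property="src" equals="$attacker"/></transition>
  </state>
  <state id="S2">
    <transition to="S3" event="login_failed"><match property="src" equals="$attacker"/></transition>
  </state>
  <state id="S3">
    <transition to="ALERT" event="login_success"><match property="src" equals="$attacker"/></transition>
  </state>
  <state id="ALERT" final="true"/>
</pattern>
"""

# to: next state; event: triggering event type; matches: [(property, expected)];
# binds: [(property, name)] values remembered for later comparisons.
Transition = namedtuple("Transition", "to event matches binds")


class PatternFSM:
    """Finite state machine built by parsing one <pattern> element."""

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text.strip())
        self.alert = root.get("alert")
        self.initial, self.final = None, set()
        self.transitions = defaultdict(list)       # state id -> [Transition]
        for st in root.findall("state"):
            sid = st.get("id")
            if st.get("initial") == "true":
                self.initial = sid
            if st.get("final") == "true":
                self.final.add(sid)
            for tr in st.findall("transition"):
                self.transitions[sid].append(Transition(
                    tr.get("to"), tr.get("event"),
                    [(m.get("property"), m.get("equals")) for m in tr.findall("match")],
                    [(b.get("property"), b.get("as")) for b in tr.findall("bind")]))

    @staticmethod
    def compare(expected, actual, bindings):
        # Event comparator: "$name" compares against a value recorded in an earlier state.
        if expected.startswith("$"):
            return bindings.get(expected[1:]) == actual
        return expected == actual

    def step(self, state, bindings, event):
        """Return (next_state, bindings) if a transition accepts the event, else None."""
        for tr in self.transitions.get(state, []):
            if tr.event != event.get("type"):
                continue
            if not all(self.compare(exp, event.get(p), bindings) for p, exp in tr.matches):
                continue
            new_b = dict(bindings)
            for p, name in tr.binds:
                new_b[name] = event.get(p)
            return tr.to, new_b
        return None


def detect(fsm, events):
    """Track every partial match; return [(alert text, bindings)] for completed ones."""
    instances, alerts = [], []
    for ev in events:
        kept, fired = [], []
        # Existing partial matches plus a fresh attempt from the initial state.
        candidates = [(s, b, False) for s, b in instances] + [(fsm.initial, {}, True)]
        for state, bindings, fresh in candidates:
            moved = fsm.step(state, bindings, ev)
            if moved is None:
                if not fresh:
                    kept.append((state, bindings))
                continue
            nxt, new_b = moved
            if nxt in fsm.final:
                alerts.append((fsm.alert, new_b))
                fired.append(new_b)
            else:
                kept.append((nxt, new_b))
        # Once a pattern fires, drop other partial matches with the same bindings.
        instances = [(s, b) for s, b in kept if b not in fired]
    return alerts


# Constructed events; each event is a set of name/value properties.
EVENTS = [
    {"type": "login_failed", "src": "10.0.0.7", "user": "alice"},
    {"type": "login_failed", "src": "10.0.0.9", "user": "bob"},
    {"type": "login_failed", "src": "10.0.0.7", "user": "alice"},
    {"type": "login_failed", "src": "10.0.0.7", "user": "root"},
    {"type": "login_success", "src": "10.0.0.9", "user": "bob"},
    {"type": "login_success", "src": "10.0.0.7", "user": "root"},
]


def run_example():
    return detect(PatternFSM(PATTERN_XML), EVENTS)
```

Running `run_example()` yields one alert, bound to 10.0.0.7; the single failure from 10.0.0.9 followed by its success leaves a partial match at S1 that never completes. Keeping every partial match alive is what lets interleaved sources be tracked independently, and it is also the memory cost a real on-line detector has to bound (for example by expiring instances by time), which the slides list under the performance issue.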
User Identification for I. D.
• User identification to find the person behind an intrusion attempt.
  • IP Address
  • User Login
  • Application Log
  • User behavior mining
Data Mining for Intrusion Pattern
• The Platform
Center of Intrusion Detection System
• CIDS
  • Center of Intrusion Detection System.
  • Receive Events and Network Records from IDD.
  • Provide Offline Data Mining.
  • Provide Knowledge feedback to IDD.
Intrusion Detection Device
• IDD
  • Intrusion Detection Device
  • Provide Online Detection with Knowledge from CIDS.
  • Provide Data Collection.
  • Report records and events using IDML.
  • Detection Model based on IDML.
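The CIDS/IDD slides describe a loop: devices report records, the center mines them offline, and the resulting knowledge is fed back to the devices. The following Python is an added example of the offline mining step, not code from the presentation; it mines frequent ordered event sequences per source host (support counted as the number of distinct hosts showing the sequence) and turns the longest frequent one into a candidate state-transition pattern. The record tuple format, the event type names and the XML element names (<pattern>, <state>, <transition>, <bind>, <match>) are assumed for the example, and the records are constructed.

```python
# Added example of the CIDS offline side: mine frequent ordered event sequences
# from records reported by IDDs and emit the longest one as a candidate
# pattern.  Record format and XML element names are ASSUMED.
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from itertools import combinations

# Constructed records as (source host, time, event type); 10.0.0.7 is listed
# out of order on purpose to show that sequences are rebuilt by time.
RECORDS = [
    ("10.0.0.7", 3, "login_failed"), ("10.0.0.7", 1, "port_scan"),
    ("10.0.0.7", 5, "new_service"), ("10.0.0.7", 2, "login_failed"),
    ("10.0.0.7", 4, "login_success"),
    ("10.0.0.8", 1, "port_scan"), ("10.0.0.8", 2, "login_failed"),
    ("10.0.0.8", 3, "login_failed"), ("10.0.0.8", 4, "login_success"),
    ("10.0.0.9", 1, "login_success"), ("10.0.0.9", 2, "file_read"),
    ("10.0.0.10", 1, "port_scan"), ("10.0.0.10", 2, "login_failed"),
    ("10.0.0.10", 3, "login_success"), ("10.0.0.10", 4, "new_service"),
    ("10.0.0.11", 1, "login_failed"), ("10.0.0.11", 2, "login_success"),
]


def event_sequences(records):
    """Group records by source host and order each host's event types by time."""
    by_src = defaultdict(list)
    for src, t, typ in records:
        by_src[src].append((t, typ))
    return {src: [typ for _, typ in sorted(evs)] for src, evs in by_src.items()}


def frequent_subsequences(sequences, min_support, max_len):
    """Count ordered subsequences (gaps allowed) of length 2..max_len.
    Support is the number of distinct sources whose sequence contains it."""
    support = Counter()
    for seq in sequences.values():
        seen = set()
        for k in range(2, max_len + 1):
            for idx in combinations(range(len(seq)), k):
                seen.add(tuple(seq[i] for i in idx))
        support.update(seen)          # each source counts once per subsequence
    return {s: c for s, c in support.items() if c >= min_support}


def to_pattern_xml(name, seq):
    """Emit a candidate pattern as a chain of states in the assumed element names:
    the first transition binds the source, later ones require the same source."""
    root = ET.Element("pattern", {"name": name})
    for i, ev in enumerate(seq):
        attrs = {"id": f"S{i}"}
        if i == 0:
            attrs["initial"] = "true"
        st = ET.SubElement(root, "state", attrs)
        nxt = f"S{i + 1}" if i < len(seq) - 1 else "ALERT"
        tr = ET.SubElement(st, "transition", {"to": nxt, "event": ev})
        if i == 0:
            ET.SubElement(tr, "bind", {"property": "src", "as": "attacker"})
        else:
            ET.SubElement(tr, "match", {"property": "src", "equals": "$attacker"})
    ET.SubElement(root, "state", {"id": "ALERT", "final": "true"})
    return ET.tostring(root, encoding="unicode")


def mine_candidates(records, min_support=3, max_len=3):
    """Return (frequent subsequences with their support, XML for the longest one)."""
    frequent = frequent_subsequences(event_sequences(records), min_support, max_len)
    if not frequent:
        return frequent, None
    longest = max(frequent, key=len)
    return frequent, to_pattern_xml("mined-" + "-".join(longest), longest)
```

With the constructed records and a minimum support of three hosts, the longest frequent sequence is port_scan, login_failed, login_success, while the repeated-failure pair seen on only two hosts falls below the threshold. The emitted XML is a proposal for an analyst to review and, if accepted, to push to the devices as new knowledge; the support threshold is the main knob for trading false candidates against missed ones.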
Concluding remarks
• A standardized and flexible mechanism for intrusion detection.
• Knowledge accumulation.
• Experiments.
• IDD and CIDS model for Intrusion Data Mining.
• KDD based on IDML.