Scalable Parallel Intrusion Detection

Fahad Zafar

Advising Faculty: Dr. John Dorband and Dr. Yaacov Yeesha

University of Maryland Baltimore County

Intrusion Detection Systems (IDS)

  • Network IDS

    • Sensors are placed at one or more strategic points in the network (a span port or tap at the border, for example) to monitor traffic to and from all devices on that segment.

  • Host IDS

    • Runs on a single device and monitors only that host's inbound and outbound packets (and, in practice, its local logs, files and processes).

  • Signature-based IDS

    • Monitors packets on the network and compares them against a database of signatures (byte patterns or attributes) of known malicious traffic.

  • Anomaly-based IDS

    • Monitors network traffic and compares it against an established baseline of normal behaviour; deviations from the baseline are reported.

Existing Limitations

  • Network IDS:

    • Network throughput suffers if all inbound and outbound traffic is analyzed inline; a single sensor becomes the bottleneck as link speed rises.

  • Host IDS:

    • Consumes CPU and memory on the protected host and slows the work that host is meant to do.

  • Signature-based IDS:

    • The signature database keeps growing in size, so the matching cost per packet grows with it, and an attack with no signature yet is missed entirely.

  • Anomaly-based IDS:

    • Training a baseline model is hard: a model trained on traffic that already contains attacks learns them as normal, and a baseline that is too tight floods the operator with false positives.

Ping Broadcast Attack

  • Send an ICMP echo request to the network's broadcast address with the source IP spoofed to that of the server being attacked (the victim). This is the classic smurf attack.

  • Every host that answers sends its echo reply to the spoofed source, i.e. to the victim. If there are 81 PCs on the network and the router forwards the broadcast, a single echo request results in 81 echo replies: an 81x amplification of traffic, all of it landing on the victim.

Points worth a mention

  • One type of IDS cannot handle all types of attacks

    • An application-level IDS cannot see a ping broadcast attack, but a network IDS can.

  • Network rules are needed for dynamic network management

    • When an attack is identified, write a rule for it: a signature or block rule that the sensors and the switch can act on immediately.
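The two views of the ping broadcast attack (the spoofed echo request aimed at the broadcast address, and the burst of echo replies arriving at the victim) written as a small detector, followed by the rule a responder would write once the attack is identified. This is an added example, not code from the presentation; the packet records are constructed, and the 10.0.0.0/24 subnet, the 50-replies-per-second threshold, the one-second window and the Snort SID are assumptions.

```python
"""Added example (not from the slides): flag a ping-broadcast (smurf) attack
from a stream of ICMP packet summaries, then emit the Snort rule a responder
would add once the attack is identified. Subnet, thresholds, window length
and the SID are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time in seconds
    src: str        # source IPv4 address as seen on the wire
    dst: str        # destination IPv4 address
    icmp_type: int  # 8 = echo request, 0 = echo reply


def is_broadcast_dst(dst, subnets):
    """True for the limited broadcast or the directed broadcast of a known subnet."""
    addr = IPv4Address(dst)
    return dst == "255.255.255.255" or any(addr == n.broadcast_address for n in subnets)


class SmurfDetector:
    """Two detectors: the attacker's seed packet and the victim-side reply burst."""

    def __init__(self, subnets, min_replies=50, window=1.0):
        self.subnets = [IPv4Network(s) for s in subnets]
        self.min_replies = min_replies      # replies within one window that trigger an alert
        self.window = window                # sliding window length in seconds
        self._replies = defaultdict(deque)  # victim -> deque of (ts, replying host)

    def feed(self, pkt):
        alerts = []
        if pkt.icmp_type == 8 and is_broadcast_dst(pkt.dst, self.subnets):
            # Seed of the attack: an echo request aimed at a broadcast address.
            # The source is the claimed (spoofed) victim, not the attacker.
            alerts.append(f"echo request to broadcast {pkt.dst} with source {pkt.src}")
        elif pkt.icmp_type == 0:
            q = self._replies[pkt.dst]
            q.append((pkt.ts, pkt.src))
            while q and pkt.ts - q[0][0] > self.window:
                q.popleft()                 # drop replies that fell out of the window
            hosts = {src for _, src in q}
            # Many replies from many distinct hosts to one address is amplification;
            # a single chatty host fails the distinct-host condition.
            if len(q) >= self.min_replies and len(hosts) >= self.min_replies // 2:
                alerts.append(f"amplification: {len(q)} echo replies from "
                              f"{len(hosts)} hosts to {pkt.dst} within {self.window}s")
                q.clear()                   # do not re-alert on every packet of the same burst
        return alerts


def snort_rule_for_broadcast_echo(broadcast, sid):
    """The rule written once the attack is identified: alert on any echo request
    (itype 8) whose destination is the subnet's broadcast address."""
    return (f'alert icmp any any -> {broadcast} any '
            f'(msg:"ICMP echo request to broadcast address (smurf seed)"; '
            f'itype:8; sid:{sid}; rev:1;)')


def constructed_trace(victim="10.0.0.10", broadcast="10.0.0.255", hosts=81):
    """Constructed sample trace: one spoofed seed packet, then every host on the
    segment answers the victim (the 81 replies from the slide)."""
    pkts = [Packet(0.0, victim, broadcast, 8)]
    for i in range(1, hosts + 1):
        pkts.append(Packet(0.01 * i, f"10.0.0.{100 + i}", victim, 0))
    return pkts


def run(pkts, subnets=("10.0.0.0/24",), min_replies=50, window=1.0):
    """Feed a trace through the detector and collect the alerts it raises."""
    det = SmurfDetector(subnets, min_replies, window)
    alerts = []
    for p in pkts:
        alerts.extend(det.feed(p))
    return alerts


if __name__ == "__main__":
    for a in run(constructed_trace()):
        print(a)
    print(snort_rule_for_broadcast_echo("10.0.0.255", 1000001))
```

The seed detector is what a network IDS at the border sees; the amplification detector is what a sensor next to the victim sees, which is why the slide's point that one IDS type cannot cover everything applies even within this single attack. The `itype`, `msg`, `sid` and `rev` keywords are standard Snort rule options; the SID value is a placeholder in the local-rules range.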

Our Design

  • Understandings

    • Heterogeneous IDS is the future: no single detector type covers every attack class.

    • Better load balancing and minimum packet loss are requirements.

  • Main Characteristics

    • Isolating the different IDS instances from each other

    • Traffic-specific intrusion detection: each detector sees only the class of traffic it is built for

Decentralized Traffic-Based Heterogeneous Intrusion Detection

[Architecture diagram: the smart switch divides traffic among isolated detectors, e.g. Snort as the network IDS, OSSEC as the host IDS, and a novelty detection engine.]

  • 1. Smart Switch

    • Block, fork, or divert traffic.

    • Small cache for faster throughput.

  • 2. Decentralized Intrusion Detection

    • Works with current open-source IDS packages.

  • 3. Smart Hashing

    • Destination-specific hashing: all traffic to one server goes to one detector.

    • Source-specific hashing: all traffic from one client goes to one detector.

    • Session-specific hashing: both directions of a flow go to the same detector, so stateful inspection sees the whole session.
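The three hashing modes listed above, as an added example that is not code from the presentation: a small dispatcher picks the IDS worker for a packet by destination, by source, or by session, and the session key is built so that both directions of a connection land on the same worker. The worker counts, the choice of blake2b as the hash, the per-port traffic classes and the sample flows are all assumptions.

```python
"""Added example (not from the slides): the three hashing modes of the smart
switch, choosing which IDS worker a packet is forwarded to. Worker count,
the hash function, the traffic classes and the sample flows are assumptions."""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"


def _bucket(key, workers):
    """Stable hash of a string key to a worker index. Python's built-in hash()
    is salted per process, so using it would move flows to different workers
    after a switch restart; blake2b is deterministic."""
    digest = hashlib.blake2b(key.encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % workers


def dst_hash(p, workers):
    """Destination-specific: everything aimed at one server lands on one worker,
    so a detector sees all probes against that server together."""
    return _bucket(p.dst, workers)


def src_hash(p, workers):
    """Source-specific: everything from one client lands on one worker, so a
    scanning host is visible as a whole."""
    return _bucket(p.src, workers)


def session_hash(p, workers):
    """Session-specific: both directions of a connection land on one worker.
    The two endpoints are sorted so (A->B) and (B->A) build the same key."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return _bucket(f"{p.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}", workers)


MODES = {"dst": dst_hash, "src": src_hash, "session": session_hash}


class SmartSwitch:
    """Traffic-specific dispatch: each traffic class (keyed by service port)
    has its own pool of workers and its own hashing mode."""

    def __init__(self, classes, default=("session", 4)):
        self.classes = classes    # service port -> (mode, worker count)
        self.default = default

    def route(self, p):
        """Return (traffic class, worker index) for a packet in either direction."""
        service = min(p.sport, p.dport)   # the well-known side of the connection
        cls = service if service in self.classes else "default"
        mode, workers = self.classes.get(service, self.default)
        return cls, MODES[mode](p, workers)


def distribution(pkts, mode, workers):
    """How many packets each worker receives under a hashing mode."""
    return Counter(MODES[mode](p, workers) for p in pkts)


def constructed_flows(n=400):
    """Constructed sample: n client connections from distinct ephemeral ports to
    one web server, each followed by the server's reply packet."""
    pkts = []
    for i in range(n):
        client = f"10.0.{i // 200}.{i % 200 + 1}"
        pkts.append(Pkt(client, 40000 + i, "10.0.1.250", 80, "tcp"))
        pkts.append(Pkt("10.0.1.250", 80, client, 40000 + i, "tcp"))
    return pkts


if __name__ == "__main__":
    flows = constructed_flows()
    print("session:", sorted(distribution(flows, "session", 4).items()))
    print("dst:    ", sorted(distribution(flows, "dst", 4).items()))
    sw = SmartSwitch({80: ("session", 4), 53: ("src", 2)})
    print(sw.route(flows[0]), sw.route(flows[1]))
```

Destination hashing sends every packet for the web server, and therefore every reply from it, to one worker, which is the load imbalance the design's "better load balancing" requirement is about; session hashing spreads the same traffic across the pool while keeping each connection whole.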

Intrusion Detection Algorithms

  • Signature extraction

  • Detect changes in the registry and in the DLLs a process loads

  • N-grams to train learning models and detect unknown viruses

    • Instance-based learners, support vector machines, decision trees, etc.

A scalable multi-level feature extraction technique to detect malicious executables [5]

[5] Mohammad M. Masud, Latifur Khan and Bhavani Thuraisingham, "A scalable multi-level feature extraction technique to detect malicious executables".

Extracting n-grams
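The n-gram pipeline that the algorithms slide and this slide refer to, as an added example that is not code from the presentation nor the implementations of Masud et al. [5] or Kolter and Maloof [6]: byte n-grams are extracted from each executable, the n-grams with the highest information gain are kept as features, and an instance-based (k-nearest-neighbour) learner classifies unseen files. The "executables" are constructed byte strings in which a shared marker sequence stands in for code common to the malicious samples; n = 2, the feature count and k are assumptions chosen to keep the toy corpus small.

```python
"""Added example (not from the slides, nor the code of Masud et al. [5] or
Kolter and Maloof [6]): byte n-gram extraction, information-gain feature
selection and a k-nearest-neighbour classifier over constructed toy
'executables'. n, the feature count and k are assumptions."""
from collections import Counter
from math import log2


def ngrams(data, n):
    """Set of n-byte windows present in a file (presence, not counts)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def entropy(pos, neg):
    """Binary class entropy of a group with pos malicious and neg benign samples."""
    total = pos + neg
    h = 0.0
    for c in (pos, neg):
        if c:
            p = c / total
            h -= p * log2(p)
    return h


def information_gain(samples, feature):
    """IG of one n-gram: class entropy minus the entropy left after splitting the
    samples into those containing the n-gram and those that do not."""
    n = len(samples)
    pos = sum(1 for _, y in samples if y)

    def remaining(part):
        if not part:
            return 0.0
        p = sum(1 for _, y in part if y)
        return len(part) / n * entropy(p, len(part) - p)

    has = [s for s in samples if feature in s[0]]
    lacks = [s for s in samples if feature not in s[0]]
    return entropy(pos, n - pos) - remaining(has) - remaining(lacks)


def select_features(samples, k):
    """Top-k n-grams by information gain; ties broken by byte value for determinism."""
    vocab = set().union(*(grams for grams, _ in samples))
    ranked = sorted(vocab, key=lambda f: (-information_gain(samples, f), f))
    return ranked[:k]


def vectorize(grams, features):
    """Binary feature vector: 1 where the selected n-gram occurs in the file."""
    return tuple(int(f in grams) for f in features)


def knn_predict(train, vec, k=3):
    """Instance-based learner: majority label of the k nearest training vectors
    under Hamming distance."""
    nearest = sorted((sum(a != b for a, b in zip(tv, vec)), y) for tv, y in train)[:k]
    return Counter(y for _, y in nearest).most_common(1)[0][0]


PROLOGUE = b"\x55\x8b\xec\x83\xec\x10"   # common function prologue present in every file
MARKER = b"\xeb\xfe\x90\xcc"             # stands in for code shared by the malicious samples


def _filler(seed, length=12):
    """Deterministic pseudo-random filler bytes (LCG), different per file."""
    out, x = bytearray(), seed
    for _ in range(length):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def constructed_corpus():
    """Constructed labelled corpus: 6 malicious files carrying MARKER, 6 benign."""
    corpus = []
    for i in range(6):
        corpus.append((PROLOGUE + _filler(i) + MARKER + _filler(100 + i), True))
        corpus.append((PROLOGUE + _filler(200 + i) + _filler(300 + i), False))
    return corpus


def train_and_classify(unseen, n=2, k_features=10):
    """Run the whole pipeline; return (selected features, label per unseen file)."""
    samples = [(ngrams(data, n), y) for data, y in constructed_corpus()]
    feats = select_features(samples, k_features)
    train = [(vectorize(grams, feats), y) for grams, y in samples]
    return feats, [knn_predict(train, vectorize(ngrams(u, n), feats)) for u in unseen]


if __name__ == "__main__":
    variant = PROLOGUE + b"\x11\x22\x33" + MARKER + b"\x44\x55"   # unseen file with the shared code
    clean = PROLOGUE + b"\x66\x77\x88\x99\xaa\xbb"                # unseen benign file
    feats, preds = train_and_classify([variant, clean])
    print([f.hex() for f in feats], preds)
```

Information gain is what makes the feature step scalable: the prologue bigrams occur in every file and score zero, filler bigrams occur in one file and score close to zero, and only the n-grams that actually separate the classes survive, so the vector handed to the learner stays small even though a real corpus yields millions of distinct n-grams.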

We Explore Multiple Paths

  • Use semantics-based searching for malicious code.

  • Use restricted regular expressions for the parallel sequence and n-grams for the serial sequence.

  • Better feature extraction techniques for malicious and benign code.

Future Work: Evolution of Malware

  • Use Metasploit, whose encoders produce altered variants of the same payload, for n-gram analysis

  • Test our detection techniques

    • Apply the identification technique to encrypted and altered versions of malware code.

Future Work: Detecting a Process in Execution

  • Send the tagged code and a 16K memory dump of the running process

  • Offload the work to bluegrit

  • Fast search by signature plus code-sequence regular expressions

  • Reply to the server within reasonable time limits

Future Work: Current Progress

  • Survey infected files.

    • Build a repository of samples

  • Look for ways to reduce false negatives and false positives compared to previous approaches [6].

  • Parallel scalable detection.

[6] J. Zico Kolter and Marcus A. Maloof, "Learning to Detect and Classify Malicious Executables in the Wild".