1 / 13

Developing Anomaly Detection Model for Security Auditing Service

Daisuke Mashima (with Professor Mustaque Ahamad). Developing Anomaly Detection Model for Security Auditing Service. Motivation and Scope. Online identity theft is going to be more serious Emergence of novel Internet devices Diversity of Internet users

dorie
Download Presentation

Developing Anomaly Detection Model for Security Auditing Service

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Daisuke Mashima (with Professor Mustaque Ahamad) Developing Anomaly Detection Model for Security Auditing Service

  2. Motivation and Scope Online identity theft is going to be more serious Emergence of novel Internet devices Diversity of Internet users Prevention of identity theft is never perfect. Social engineering etc. We have to do detection in addition to prevention. The system must be transparent not only to users but also to existing applications We focus on detecting suspicious login to web applications.

  3. Abstract Image

  4. Identity-usage Monitoring System System Architecture Centralized Monitoring Service Conduct anomaly detection Decentralized Reverse Proxy Send login information to Monitoring Service Web Bug Make user send information automatically

  5. System Architecture On the same LAN

  6. Process and Flow

  7. Dummy Application (/logintest/login.html, /logintest/loginDemo) Monitoring Service (/gtim/SecurityService) Compare UserAgent in Web Bug request and that in profile DB Dummy image request (Web Bug) IP Address, ASP ID, userAgent, etc. Tomcat 5.5 (Port: 8080) Anomaly Detection userID, IP Address AspID, userAgent http://192.168.245.128:8080/logintest/* userID, password, etc. Reverse Proxy Java application (Port: 80) VMWare(192.168.245.128) http://192.168.245.128/logintest/* userID, password, IP Address userAgent etc. User (192.168.245.1) OVERVIEW OF DEMO SYSTEM

  8. Detail of Anomaly Detection Process • Periodic Detection • Main purpose is creating blacklist • Frequency of the source IP address • Total number of access • Per-request Detection • Based on blacklist and user's individual profile • Define user’s individual profile for time category • Ex. Weekdays and weekends • Calendar Schema • Utilize Delay-based IP Geolocation technique • Higher availability and precision • Can detect IP Spoofing “to a certain extent.”

  9. Individual Profile • Defined under each pair of user ID and Web App ID • By categorizing wisely, the number of tuples can be reduced. Calendar Schema

  10. Rule-Based Detection Search by User ID and Web App ID NG result OK Notification Time tuple frequency Check OK Feedback NG Device and Location Check Profile-Based Detection Suspicious result OK Notification OK Feedback NG Abnormal Normal Abnormal

  11. Interaction between Monitoring Service and Users Must be independent of the Internet Automated phone call to users' cell phones is a strong candidate. Most people have cell phones. As long as phone companies are trustworthy, the channel is regarded as secure.

  12. Future work Future work includes Improve anomaly detection model User Profiling Intrusion Detection Evaluation System Architecture Security Performance Precision of detection

  13. Thank you very much for your attention.

More Related