Second Line Intrusion Detection Using Personalization DISA Sponsored GWU-CS
Content • Introduction • Examples and Analysis • Prototype Design • More to come • Conclusion
Introduction • Penetration into computer systems continues at a high rate despite substantial progress in security research and technology • No reason to assume that this level of “insecurity” will change • Most penetrations are done by individuals or small teams • Only lately has personalization entered into security consideration
Our research into personalization in areas such as: • User command-line behavior (e.g., UNIX) • User browser patterns as reflected by URL sequences • User work habits • Provides a basis for: • User classification • Abnormality observation • Detection of deviation from regular behavior • Changes in patterns
Examples and Analysis www.fada.com www.fada.com/address.html www.fada.com/cline.html www.fada.com/cline-bisttram.html www.fada.com/cline-stella2.html www.fada.com/karges.html www.fada.com/karges1.html www.fada.com/karges3.html www.fada.com/karges8.html www.fada.com/mmfa.html www.fada.com/mmfa1.html www.fada.com/mmfa9.html
Comments on Example 1 • Assumptions: • Access to server is through home page www.fada.com • Knowledge of structure and content of server pages www.fada.com • Provides the following: • Detailed access starts from server page address.html • Page cline.html leads to two links: • Cline-bisttrom.html and • Cline-stella.html • The example demonstrates “reasonable” behavior
Example 2 www.fada.com/mmfa9.html www.fada.com/rehs10.html www.fada.com/stern3.html www.fada.com/address.html www.fada.com/trotter41.html www.fada.com/cantor8.html
Comments on Example 2 • Access starts straight from a couple of internal pages (i.e., nodes of the tree) • It continues by a visit to a link off the home page • Summary: • The behavior does not follow regular access patterns • The behavior is difficult to explain • This access may indicate suspicious behavior
Other Types of Entry Modes • In addition to URLs, one should watch out for: • FTP access • E-mail • Potential logins • Other protocol access, e.g., port scanning • On a “sound” server: • FTP ports are predefined • E-mail, except for bugs, can be protected against • Port scanning is already trapped by IDS
Prototype Design • We face suspicious behavior with two tools • Automatic recognition • Machine Learning • Data Mining • Automatic recognition may be trained on “regular” access patterns and attempt detection of “irregular” access patterns • So far, results are good, but not great – enough penetration is undetected
Behavior Analysis Application • A Java application that classifies behavior is partially done and operational • It shows a high level of detection of irregular behavior • The approach is promising and has a proven track record • Web Browser communication performance improved by 20% by changing cache to use Next URL Prediction • Prediction is based on the underlying assumption of “regularity” of behavior
Observation • URLs, IP packets, and port scanning look like an algorithm (or a program) without termination • Example 1 can be written as: Initialize; www.fada.com Initialize; www.fada.com/address.html Loop; rest of URLs • The loop is a while loop that selects links in www.fada.com/address.html for viewing • The selection criterion is personal • Example 2 looks like an unordered set of program statements • Therefore Example 2 does not seem to be a “regular” access pattern
Prototype Design Details STEPS • Analyze server page hierarchy • Analyze each page for links and source (i.e., src) files • Build an identification engine based on • Behavior categorization • Page hierarchy • Isolation of individual users to identifying agents • Construct input benchmarks • Continue work on Other Types of Entry Modes
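The page-hierarchy check from the steps above, run over Example 1 and Example 2, as an added example that is not the prototype's Java code. The link graph is an assumption: the slides state only the home-page entry, address.html as the start of detailed access, and the two links under cline.html; every other edge is inferred from the page names.

```python
# Assumed link hierarchy (constructed for illustration, see lead-in).
HOME = "www.fada.com"
LINKS = {
    HOME: {"address.html"},
    "address.html": {"cline.html", "karges.html", "mmfa.html"},
    "cline.html": {"cline-bisttram.html", "cline-stella2.html"},
    "karges.html": {"karges1.html", "karges3.html", "karges8.html"},
    "mmfa.html": {"mmfa1.html", "mmfa9.html"},
}

# URL sequences as listed on the Example 1 and Example 2 slides.
EXAMPLE_1 = [HOME] + [HOME + "/" + p for p in (
    "address.html", "cline.html", "cline-bisttram.html", "cline-stella2.html",
    "karges.html", "karges1.html", "karges3.html", "karges8.html",
    "mmfa.html", "mmfa1.html", "mmfa9.html")]
EXAMPLE_2 = [HOME + "/" + p for p in (
    "mmfa9.html", "rehs10.html", "stern3.html",
    "address.html", "trotter41.html", "cantor8.html")]


def page_of(url):
    """Reduce a URL to its node name in the hierarchy (home page if no path)."""
    return url.partition("/")[2] or HOME


def unexplained_requests(session):
    """Return requests that nothing earlier in the session accounts for.

    A request is explained if it is the home page or if some page already
    visited in this session links to it (this also covers going back and
    picking a sibling link). Pages missing from LINKS have no known parent.
    """
    visited, unexplained = set(), []
    for url in session:
        page = page_of(url)
        if page != HOME and not any(page in LINKS.get(p, ()) for p in visited):
            unexplained.append(url)
        visited.add(page)  # a deep-linked page still explains its own children
    return unexplained


def irregularity(session):
    """Fraction of the session's requests that are unexplained (0.0 to 1.0)."""
    return len(unexplained_requests(session)) / len(session) if session else 0.0


if __name__ == "__main__":
    for name, s in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, irregularity(s), unexplained_requests(s))
```

A single bookmarked deep link produces one unexplained request and then a normal walk, so the score separates that case from a session like Example 2 in which no request follows from an earlier one.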
More to come • Examples of more complex relationships to be explored • Server pages that link to other servers' pages • Same source (IP) for different communication types • Accessing different locations on the tree concurrently • Can be done by using two copies of the browser • The two sessions will have different IDs but may be cooperating • The agents monitoring the two browsers must collaborate • URLs and FTPs from the same source at the same time • Multiple FTPs • Similar case to multiple browsers • ...
Conclusion • A substantial prototype will be completed by end of Summer • Complex relationships will be explored: • Threats will be enumerated • Potential detection will be proposed • Prototype will include some of these results • Open areas will be reported on in detail