Scalable Parallel Intrusion Detection
Fahad Zafar
Advising Faculty: Dr. John Dorband and Dr. Yaacov Yeesha
University of Maryland Baltimore County
Intrusion Detection Systems (IDS)
• Network IDS
  • are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network
• Host IDS
  • monitors the inbound and outbound packets from the device only
• Signature based IDS
  • will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats
• Anomaly based IDS
  • will monitor network traffic and compare it against an established baseline
Existing Limitations
• Network IDS:
  • Network speed is affected if you analyze all inbound and outbound traffic.
• Host IDS:
  • Slows productivity.
• Signature based IDS:
  • Signature database keeps increasing in size.
• Anomaly based IDS:
  • Training models is hard.
Ping Broadcast Attack
• Send an ICMP echo request to the network broadcast address with the spoofed source IP of the server (victim)
Ping broadcast attacks
• If there are 81 PCs on the network and the router forwards the request, a single echo request results in 81 echo replies: an 81x amplification of Internet traffic.
Points worth a mention
• One type of IDS cannot handle all types of attacks
  • Application IDS cannot handle PING broadcast attacks, but network IDSs can.
• Network rules are needed for dynamic network management
  • When an attack is identified, write a rule for it.
Our Design
• Understandings
  • Heterogeneous IDS is the future
  • Better load balancing and minimum packet loss is a requirement.
• Main Characteristics
  • Isolating different IDS
  • Traffic specific intrusion detection
[Diagram: Decentralized traffic based Heterogeneous Intrusion Detection; network IDS e.g. SNORT, host IDS e.g. OSSEC HIDS]
Novelty
• 1. Smart Switch
  • Block, Fork, Divert traffic.
  • Small cache for faster throughput.
• 2. Decentralized Intrusion Detection
  • Working with current open source IDS packages
• 3. Smart Hashing
  • Destination specific hashing.
  • Source specific hashing.
  • Session specific hashing.
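As an added illustration of the three Smart Hashing policies above (example code, not the project's own), the Python below assigns constructed packet records to a fixed number of IDS workers; the session policy canonicalises the 5-tuple so that both directions of one connection reach the same engine, which a stateful engine such as Snort needs for stream reassembly.

```python
import hashlib

# Constructed packet records: (src_ip, src_port, dst_ip, dst_port, proto)
PACKETS = [
    ("10.0.0.5", 40001, "192.168.1.10", 80, "tcp"),
    ("192.168.1.10", 80, "10.0.0.5", 40001, "tcp"),   # reply half of the first flow
    ("10.0.0.7", 40002, "192.168.1.10", 80, "tcp"),
    ("10.0.0.5", 40003, "192.168.1.20", 443, "tcp"),
    ("10.0.0.9", 53001, "192.168.1.53", 53, "udp"),
]


def _bucket(key: str, n_workers: int) -> int:
    """Stable hash of a key string onto one of n_workers IDS instances.
    hashlib is used instead of hash() so placement survives process restarts."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_workers


def destination_hash(pkt, n_workers):
    """Destination-specific: every packet towards one host reaches the same IDS
    (suits host-focused rule sets, e.g. everything aimed at a web server)."""
    _, _, dst_ip, _, _ = pkt
    return _bucket(f"dst:{dst_ip}", n_workers)


def source_hash(pkt, n_workers):
    """Source-specific: everything one sender emits reaches the same IDS
    (suits scan or flood detection that keeps per-source counters)."""
    src_ip, _, _, _, _ = pkt
    return _bucket(f"src:{src_ip}", n_workers)


def session_hash(pkt, n_workers):
    """Session-specific: the 5-tuple is ordered so request and reply of one
    connection hash identically; otherwise each IDS would see half a session."""
    src_ip, src_port, dst_ip, dst_port, proto = pkt
    a, b = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return _bucket(f"sess:{proto}:{a[0]}:{a[1]}:{b[0]}:{b[1]}", n_workers)


def distribute(packets, policy, n_workers):
    """Return {worker_index: [packets]} under the chosen hashing policy."""
    out = {i: [] for i in range(n_workers)}
    for pkt in packets:
        out[policy(pkt, n_workers)].append(pkt)
    return out
```

A real switch would apply the same idea to 5-tuple fields extracted from the packet header; the lookup table that results is small enough to fit the "small cache" the design mentions.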
Intrusion Detection Algorithms
• Signature Extraction
  • Detect changes in registry, use of DLLs
• N-grams to train learning models and detect unknown viruses
  • Instance-Based Learner, Vector Machines, Decision Trees etc.
A scalable multi-level feature extraction technique to detect malicious executables [5]
[5] Mohammad M. Masud, Latifur Khan and Bhavani Thuraisingham, "A scalable multi-level feature extraction technique to detect malicious executables"
We explore multiple paths
• Use semantic based searching for malicious code.
• Use restricted Regular Expressions for the parallel sequence and n-grams for the serial sequence.
• Better feature extraction techniques for malicious and benign code.
Future Work: Evolution of Malware
• Use Metasploit for N-gram analysis
• Test our detection techniques
• Apply the identification technique to encrypted and altered versions of malware code.
Future Work: Detecting a process in execution
• Send tagged code and 16K memory dump
• Offload work to bluegrit
• Fast search according to signature + code sequence Reg-ex.
• Reply to server within reasonable time limits
Future Work: Current Progress
• Survey Infected Files.
• Repository
• Look for ways to reduce false negatives and false positives compared to previous approaches. [6]
• Parallel scalable detection.
[6] J. Zico Kolter and Marcus A. Maloof, "Learning to Detect and Classify Malicious Executables in the Wild"