
    Learning to Customize Network Security Rules

    Security is a major concern for organizations that wish to leverage cloud computing. In order to reduce security vulnerabilities, public cloud providers offer firewall functionalities. When properly configured, a firewall protects cloud networks from cyber-attacks. However, proper firewall configuration requires intimate knowledge of the protected system, high expertise and on-going maintenance. As a result, many organizations do not use firewalls effectively, leaving their cloud resources vulnerable. In this paper, we present a novel supervised learning method, and a prototype, that compute recommendations for firewall rules. Recommendations are based on sampled network traffic meta-data (NetFlow) collected from a public cloud provider. Labels are extracted from firewall configurations deemed to be authored by experts. NetFlow is collected from network routers, avoiding expensive collection from cloud VMs as well as relieving privacy concerns. The proposed method captures network routines and dependencies between resources and firewall configuration. The method predicts IPs to be allowed by the firewall. A grouping algorithm is subsequently used to generate a manageable number of IP ranges. Each range is a parameter for a firewall rule. We present results of experiments on real data, showing ROC AUC of 0.92, compared to 0.58 for an unsupervised baseline. The results prove the hypothesis that firewall rules can be automatically generated based on router data, and that an automated method can be effective in blocking a high percentage of malicious traffic.
    Comment: 5 pages, 5 figures, one tabl

    A False Alert Reduction And An Alert Score Assessment Framework For Intrusion Alerts

    The Alert Detection Engine (ADE) is a powerful network security system that is used to secure computer networks. ADE can detect security breaches which other forms of security measures are unable to uncover. Yet, it still suffers from the problem of generating huge amounts of alerts that are mostly false positives. Each ADE generates a large number of alerts, where some are real and the others are not (i.e. false or redundant alerts). Consequently, this increases the ambiguity among the decision makers as they conduct assessments of alerts. In particular, real alerts of ADE are not classified based on the magnitude of the threat they pose. Therefore, it is difficult for the security analyst to identify attacks and take remedial action against their threats, making it necessary to categorize the magnitude of each threat. For this reason, it becomes necessary to categorize the degrees of threat using data mining techniques, especially where huge data are involved. Several reduction and assessment approaches have been proposed to solve these problems; however, they are unable to address many other problems related to ADE. This thesis proposes a new framework called A False Alert Reduction and an Alert Score Assessment Framework for Intrusion Alerts. The objectives of using this framework are to reduce the false alerts and to assess such alerts and examine their threat scores. This work aims to provide a full understanding of the network attacks as well as ease the process for the analysts and save their time. The framework is a standalone system that can work online and offline. It combines the following algorithms: the first algorithm is the New Alert Reduction (NAR) algorithm to remove the redundancy from the alert’s file and reduce the false positives

    A Framework for Hybrid Intrusion Detection Systems

    Web application security is a definite threat to the world’s information technology infrastructure. The Open Web Application Security Project (OWASP) generally defines web application security violations as unauthorized or unintentional exposure, disclosure, or loss of personal information. These breaches occur without the company’s knowledge, and it often takes a while before the web application attack is revealed to the public, specifically because the security violations are fixed. Due to the need to protect their reputation, organizations have begun researching solutions to these problems. The most widely accepted solution is the use of an Intrusion Detection System (IDS). Such systems currently rely on either signatures of the attack used for the data breach or changes in the behavior patterns of the system to identify an intruder. These systems, either signature-based or anomaly-based, are readily understood by attackers. Issues arise when attacks are not noticed by an existing IDS because the attack does not fit the pre-defined attack signatures the IDS is implemented to discover. Despite current IDSs’ capabilities, little research has identified a method to detect all potential attacks on a system. This thesis intends to address this problem. A particular emphasis will be placed on detecting advanced attacks, such as those that take place at the application layer. These types of attacks are able to bypass existing IDSs, increasing the potential for a web application security breach to occur and not be detected. In particular, the attacks under study are all web application layer attacks. Those included in this thesis are SQL injection, cross-site scripting, directory traversal and remote file inclusion. This work identifies common and existing data breach detection methods as well as the necessary improvements for IDS models.
    Ultimately, the proposed approach combines an anomaly detection technique measured by cross entropy and a signature-based attack detection framework utilizing a genetic algorithm. The proposed hybrid model for data breach detection benefits organizations by increasing security measures and allowing attacks to be identified in less time and more efficiently

    A Strategic Review of Existing Mobile Agent-Based Intrusion Detection Systems
