A Taxonomy of Intrusion Response Systems
Recent advances in the intrusion detection field have brought new requirements to intrusion prevention and response. Traditionally, the response to an attack was triggered manually by an administrator. However, the increased complexity and speed of attack spread during recent years showed an acute need for complex dynamic response mechanisms. Although intrusion detection systems are being actively developed, research efforts in intrusion response are still isolated. In this work we present a taxonomy of intrusion response systems, together with a review of current trends in intrusion response research. We also provide a set of essential features as requirements for an ideal intrusion response system.
FDF: Frequency Detection-Based Filtering of Scanning Worms
Abstract — In this paper, we propose a simple algorithm for detecting scanning worms with a high detection rate and a low false positive rate. The novelty of our algorithm is inspecting the frequency characteristic of scanning worms in a monitored network. Its low complexity allows it to be used on any network-based intrusion detection system as a real-time detection module for high-speed networks. Our algorithm does not need to be adjusted to network status because its parameters depend on application types, which are generally and widely used in any network, such as web and P2P services. Using real traces, we evaluate the performance of our algorithm and compare it with that of SNORT. The results confirm that our algorithm outperforms SNORT with respect to detection rate and false positive rate.
An Insider Misuse Threat Detection and Prediction Language
Numerous studies indicate that amongst the various types of security threats, the problem of insider misuse of IT systems can have serious consequences for the health of computing infrastructures. Although incidents of external origin are also dangerous, the insider IT misuse problem is difficult to address for a number of reasons. A fundamental reason that makes mitigation of the problem difficult relates to the level of trust legitimate users possess inside the organization. The trust factor makes it difficult to detect threats originating from the actions and credentials of individual users. An equally important difficulty in the process of mitigating insider IT threats is the variability of the problem. The nature of insider IT misuse varies amongst organizations. Hence, the problem of expressing what constitutes a threat, as well as the process of detecting and predicting it, are non-trivial tasks that add to the multi-factorial nature of insider IT misuse.

This thesis is concerned with the process of systematizing the specification of insider threats, focusing on their system-level detection and prediction. The design of suitable user audit mechanisms and semantics forms a Domain Specific Language to detect and predict insider misuse incidents. As a result, the thesis proposes in detail ways to construct standardized descriptions (signatures) of insider threat incidents, as a means of aiding researchers and IT system experts in mitigating the problem of insider IT misuse. The produced audit engine (LUARM – Logging User Actions in Relational Mode) and the Insider Threat Prediction and Specification Language (ITPSL) are two utilities that can be added to the IT insider misuse mitigation arsenal. LUARM is a novel audit engine designed specifically to address the needs of monitoring insider actions. These needs cannot be met by traditional open source audit utilities. ITPSL is an XML-based markup that can standardize the description of incidents and threats and thus make use of the LUARM audit data. Its novelty lies in the fact that it can be used to detect as well as predict instances of threats, a task that has not been achieved to date by a domain specific language addressing threats.

The research project evaluated the produced language using a cyber-misuse experiment approach derived from real-world misuse incident data. The results of the experiment showed that ITPSL and its associated audit engine LUARM provide a good foundation for insider threat specification and prediction. Some language deficiencies relate to the fact that the insider threat specification process requires a good knowledge of the software applications used in a computer system. As the language is easily expandable, future developments to improve the language in this direction are suggested.
Integrated formal modeling and automated analysis of computer network attacks
The existing approaches to the formal modeling and analysis of computer network security are oriented towards either a protocol, node, or network view. Usually they are even restricted to a specific sub-area of one of these views (e.g. a particular kind of protocol, the interaction between the local components of a node, or the propagation of predefined vulnerabilities). Overall, each approach covers only a small part of the aspects that occur in practical computer network attack scenarios. In addition, there are often further restrictions with regard to support for dynamic changes, the properties that can be modeled and examined, the user support required during analysis, and so on. To obtain a more complete view of computer network attack scenarios, several approaches, and thus also models, formalisms and tools, must therefore be employed. Both the modeling and the analysis work thus have to be done several times, and consistency between the different models and analysis results is very hard to achieve.

This thesis presents a novel approach that integrates the protocol, node and network views at a medium level of detail. The models are expressive enough to include dynamic changes. A wide variety of properties can be specified via different mechanisms. Since integrated models are considerably more complex than restricted models for a single sub-area, analysis is particularly difficult. In general, approaches to automated analysis quickly fail due to state space explosion. Through intelligent modeling, consideration of optimization possibilities at all levels, modeling with an object-oriented and compositional language that is nevertheless based on a simple structure, and the use of an analysis tool corresponding to the current state of research, we are nevertheless able to analyze automatically and successfully.

Our approach is based on the high-level specification language CTLA 2003, a framework for modeling computer network attack scenarios, a translation scheme from CTLA 2003 to PROMELA, the CTLA2PC translation and optimization tool, and the powerful model checker SPIN. The feasibility of our approach is demonstrated by modeling and analyzing three dynamic network scenarios of increasing complexity. In these scenarios, concrete attack sequences are automatically uncovered as violations of given security properties.

In the field of formal modeling and analysis as related to computer network security, existing approaches are highly specialized towards either a protocol, node, or network view. Typically, they are even further specialized towards a specific subset of one view (e.g., a certain class of protocols, interactions of local node components, or network propagation of predefined vulnerabilities). Thus, each approach covers only a small part of the aspects related to practical computer network attack scenarios. Often, further restrictions with respect to the dynamics allowed for the model, the properties supported, or the user guidance required during analysis have to be observed. Multiple approaches, and thus models, formalisms, and analysis tools, need to be employed to provide a more complete view of computer network attack scenarios. Both the modeling task and the analysis task have to be done multiple times, and it is hard to ensure the consistency of the models and analysis results.
We present a novel approach that comprehensively integrates the protocol, node, and network view on a middle level of detail. Furthermore, the models are expressive enough to support dynamic changes. A wide range of properties can be specified using different mechanisms. As integrated models naturally are of higher complexity than more specialized models limited to a single view, analysis is particularly challenging. Generally, automated analysis approaches quickly fail due to state space explosion effects. Nevertheless, by careful modeling, considering optimization possibilities at all stages, modeling using an object-oriented and compositional yet simply structured language, and employing a state-of-the-art analysis tool, we are able to achieve automated analysis.

Our approach is based on the high-level specification language CTLA 2003, a framework for modeling computer network attack scenarios, a scheme for translating CTLA 2003 to PROMELA, the CTLA2PC translation and optimization tool, and the powerful model checker SPIN. To demonstrate the feasibility of our approach, the modeling and analysis of three case studies involving multi-node dynamic network scenarios is presented. In these case studies, precise attack sequences are automatically predicted as violations of abstract security properties.
Prevention, detection and reaction against three manifestations of automotive malware: a methodical analysis in the spectrum of manipulations and protection concepts
Magdeburg, Univ., Fak. für Informatik, Diss., 2014, by Tobias Hopp