19 research outputs found

    A Review of Publications on Intrusion Detection Systems

    The growing number of recorded security incidents in computer networks has motivated the development of studies in intrusion detection; the main techniques for identifying an intrusion are based on anomalies and signatures. Currently, the academic community preferentially explores research into anomaly-based network detection; however, there is no common development model for these proposals, so many authors describe, implement and validate their systems in heterogeneous ways. This article presents a survey that investigated the scientific output of 112 publications related to intrusion detection systems. Some of the criteria used to evaluate these articles were impact factor, the detection characteristics employed and the dataset used for implementation. The results obtained show that understanding of this topic has increased; however, future studies will be needed to explore the validity of the new evaluation methods in intrusion detection.

    Y-Means Clustering Vs N-CP Clustering with Canopies for Intrusion Detection

    Intrusions present a very serious security threat in a network environment. It is therefore essential to detect intrusions to prevent compromising the stability of the system or the security of information that is stored on the network. The most difficult problem is detecting new intrusion types, of which intrusion detection systems may not be aware. Many of the signature-based methods and learning algorithms generally cannot detect these new intrusions. We propose an optimized algorithm called the n-CP clustering algorithm that is capable of detecting intrusions, whether new or otherwise. The algorithm also overcomes two significant shortcomings of K-Means clustering, namely dependency on, and degeneracy of, the number of clusters. The proposed clustering method utilizes the concept of canopies to optimize the search by eliminating the pair-wise distance computation of all the data points. The system will also maintain a low false positive rate and a high detection rate. The efficiency and the speed of the algorithm are analyzed by comparing with another clustering algorithm used for intrusion detection, called Y-Means clustering. Both algorithms are tested against the KDD-99 data set to compute the detection rate and false positive rate. The algorithms are also tested for efficiency with a varying number of data fields of the dataset. This thesis outlines the technical difficulties of K-Means clustering, an algorithm to eliminate those shortcomings, and the canopies technique to speed up the intrusion detection process. The results show that our clustering algorithm that uses the canopies concept is approximately 40% faster than Y-Means clustering and overcomes the two main limitations of K-Means clustering. Finally, a comparative analysis of Y-Means clustering and our proposed n-CP clustering with canopies was carried out with the help of ROC curves showing the respective hit rates against false alarm rates.

    Aggregation of Heterogeneous Anomaly Detectors for Cyber-Physical Systems

    Distributed, life-critical systems that bridge the gap between software and hardware are becoming an integral part of our everyday lives. From autonomous cars to smart electrical grids, such cyber-physical systems will soon be omnipresent. With this comes a corresponding increase in our vulnerability to cyber-attacks. Monitoring such systems to detect malicious actions is of critical importance. One method of monitoring cyber-physical systems is anomaly detection: the process of detecting when the target system is deviating from expected normal behavior. Anomaly detection is a vibrant research area with many different viable approaches. The literature suggests many different anomaly detection methods for the diversity and volume of data from cyber-physical systems. We focus on aggregating the result of multiple anomaly detection methods into a final anomalous or non-anomalous verdict. In this thesis, we present Palisade, a distributed data collection, anomaly detection, and aggregation framework for cyber-physical systems. We discuss various methods of anomaly detection and aggregation and include a case study of anomaly aggregation on a cyber-physical treadmill driving demonstrator. We conclude with a discussion of lessons learned from the construction of Palisade, and recommendations for future research

    Application of Root Cause Analysis to Intrusion Detection Systems

    Dissertation (master's) - Universidade Federal de Santa Catarina, Centro Tecnológico, Programa de Pós-Graduação em Ciência da Computação. Intrusion Detection Systems are tools specialized in analyzing the behavior of a computer or network, aiming to detect signs of intrusion in these environments. Among the benefits of their use are the possibility of receiving notifications in the form of alerts about intrusions, executing countermeasures in real time, or storing a copy of the packets for later analysis. The exposure of computers on the Internet and the growing intensity in the frequency and variety of attacks have been causing an overload in the amount of information handled and displayed by Intrusion Detection Systems to system administrators. Therefore, the search for new concepts for alert analysis can help in the task of keeping computers, networks and information free of threats. Root Cause Analysis is a methodology that allows detailed and progressive investigation of isolated incidents. Widely used in industrial environments, in the aerospace sector and in medicine, Root Cause Analysis involves the study of two or more correlated events with the goal of identifying how and why a problem occurred, so that its recurrence can be prevented. This work proposes applying Root Cause Analysis to Intrusion Detection Systems with the goal of improving the quality of the information presented to the system administrator. This goal is achieved by applying the Analysis to the 10 most critical vulnerabilities for UNIX systems according to the SANS Institute and by adding a Root Cause Analysis interpretation to the corresponding rules present in the Snort Intrusion Detection System.

    Active network security

    Most discussions of network security focus on the tools and techniques used to fortify networks: firewalls, biometrics, access controls, encryption. This paper presents an outline of tools that assist an administrator in verifying and maintaining the security of a networked system - Active Security tools. It discusses why there is a need for such tools and how security mechanisms are attacked. The report also describes the main tools available in this field, with particular emphasis on Intrusion Detection tools - how they work, what is available, and how they are changing. Finally, it demonstrates some of the concepts in a practical firewall network simulation

    Identifying and modeling unwanted traffic on the Internet

    Thesis (M. Eng.) - Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, February 2006. Includes bibliographical references (p. 61-62). By Paul Soto.
    Accurate models of Internet traffic are important for successful testing of devices that provide network security. However, with the growth of the Internet, it has become increasingly difficult to develop and maintain accurate traffic models. While much Internet traffic is legitimate, productive communication between users and services, a significant portion of Internet traffic is the result of unwanted messages sent to IP addresses without regard as to whether there is an active host at that address. In an effort to analyze unwanted traffic, tools were developed that generate statistics and plots on captured unwanted traffic to unused IP addresses. These tools were used on a four-day period of traffic received on an inactive IPv4 class A network address space. Each class B subnet in this address space received an average of 7 million packets, corresponding to 21 packets per second. Analyses were performed on a range of class B and C subnets with the intent of discovering the types of variability that are characteristic of unwanted traffic. Traffic volume over time, number of scans, destination ports, and traffic sources varied substantially across class B and C subnets. The results of the analyses, along with tools to replay traffic, allow security tools to be analyzed on the LARIAT network testbed. LARIAT is a real-time adaptable network testbed developed at Lincoln Laboratory that provides an Internet-like environment in which to test network hardware and software.

    Data-Driven Approaches for Detecting Malware-Infected IoT Devices and Characterizing Their Unsolicited Behaviors by Leveraging Passive Internet Measurements

    Despite the benefits of Internet of Things (IoT) devices, the insecurity of IoT and their deployment nature have turned them into attractive targets for adversaries, which has contributed to the rise of IoT-tailored malware as a major threat to the Internet ecosystem. In this thesis, we address the threats associated with emerging IoT malware, which utilizes exploited devices to perform large-scale cyber attacks (e.g., DDoS). To mitigate such threats, there is a need to possess an Internet-wide perspective of the deployed IoT devices while building a better understanding of the behavioral characteristics of malware-infected devices, which is challenging due to the lack of empirical data and knowledge about the deployed IoT devices and their behavioral characteristics. To address these challenges, in this thesis, we leverage passive Internet measurements and IoT device information to detect exploited IoT devices and investigate their generated traffic at the network telescope (darknet). We aim to propose data-driven approaches for effective and near real-time IoT threat detection and characterization. Additionally, we leverage a specialized IoT honeypot to analyze a large corpus of real IoT malware binary executables. We aim to build a better understanding of the current state of IoT malware while addressing the problems of IoT malware classification and family attribution. To this end, we perform the following to achieve our objectives. First, we address the lack of empirical data and knowledge about IoT devices and their activities. To this end, we leverage an online IoT search engine (e.g., Shodan.io) to obtain publicly available device information in the realms of consumer and cyber-physical systems (CPS), while utilizing passive network measurements collected at a large-scale network telescope (CAIDA) to infer compromised devices and their unsolicited activities. Indeed, we were among the first to report experimental results on detecting compromised IoT devices and their behavioral characteristics in the wild, while demonstrating their active involvement in large-scale malware-generated malicious activities such as Internet scanning. Additionally, we leverage the IoT-generated backscatter traffic towards the network telescope to shed light on IoT devices that were victims of intensive Denial of Service (DoS) attacks. Second, given the highly orchestrated nature of IoT-driven cyber-attacks, we focus on the analysis of IoT-generated scanning activities to detect and characterize scanning campaigns generated by IoT botnets. To this end, we aggregate IoT-generated traffic and perform association rule mining to infer campaigns through common scanning objectives represented by targeted destination ports. Further, we leverage behavioural characteristics and aggregated flow features to correlate IoT devices using the DBSCAN clustering algorithm. Indeed, our findings shed light on compromised IoT devices, which tend to operate within well-coordinated IoT botnets. Third, considering the huge number of IoT devices and the magnitude of their malicious scanning traffic, we focus on addressing the operational challenges of automating large-scale campaign detection and analysis while generating threat intelligence in a timely manner. To this end, we leverage big data analytics frameworks such as Apache Spark to develop a scalable system for automated detection of infected IoT devices and characterization of their scanning activities using our proposed approach. Our evaluation results with over 4TB of IoT traffic demonstrated the effectiveness of the system in inferring scanning campaigns generated by IoT botnets. Moreover, we demonstrate the feasibility of the implemented system/framework as a platform for implementing further supporting applications, which leverage passive Internet measurement for characterizing IoT traffic and generating IoT-related threat intelligence. Fourth, we take first steps towards mitigating threats associated with the rise of IoT malware by creating a better understanding of the characteristics and inter-relations of IoT malware. To this end, we analyze about 70,000 IoT malware binaries obtained by a specialized IoT honeypot over the past two years. We investigate the distribution of IoT malware across known families, while exploring their detection timeline and persistence. Moreover, while we shed light on the effectiveness of IoT honeypots in detecting new/unknown malware samples, we utilize static and dynamic malware analysis techniques to uncover adversarial infrastructure and investigate functional similarities. Indeed, our findings enable unknown malware labeling/attribution while identifying new IoT malware variants. Additionally, we collect malware-generated scanning traffic (whenever available) to explore behavioral characteristics and associated threats/vulnerabilities. We conclude this thesis by discussing research gaps that pave the way for future work.