The Analysis of Web Server Security For Multiple Attacks in The Tic Timor IP Network

The current technology is changing rapidly, with the significant growth of the internet technology, cyber threats are becoming challenging for IT professionals in the companies and organisations to guard their system. Especially when all the hacking tools and instructions are freely available on the Internet for beginners to learn how to hack such as stealing data and information. Tic Timor IP is one of the organisations involved and engaged in the data center operation. It often gets attacks from the outside networks. A network traffic monitoring system is fundamental to detect any unknown activities happening within a network. Port scanning is one of the first methods commonly used to attack a network by utilizing several free applications such as Angry IP Scan, Nmap and Low Orbit Ion Cannon (LOIC).  On the other hand, the snort-based Intrusion Detection System (IDS) can be used to detect such attacks that occur within the network perimeter including on the web server. Based on the research result, snort has the ability to detect various types of attack including port scanning attacks and multiple snort rules can be accurately set to protect the network from any unknown threats. 

ANALYZING SURICATA ALERT DETECTION PERFORMANCE ISSUES BASED ON ACTIVE INDICATOR OF COMPROMISE RULES

Many studies have been related to the Intrusion Detection System (IDS) performance analysis. Still, most focus on inspection performance on high-capacity networks with packet drop percentage as a performance parameter. Few studies are related to performance analysis in the form of detection accuracy based on the number of rules activated. This research will analyze the performance of IDS Suricata based on the number of active rules in the form of Indicator of Compromise (IoC), including IPRep, HTTP, DNS, MD5, and JA3. The analysis method focuses on the detection accuracy of varying the number of active rules up to 1 million, expressed in 5 scenarios. In scenarios 1 to 4, where IoC rules are tested separately, the reduction in detection accuracy performance starts to occur when the number of active rules is at 100,000 and continues to decrease when the number reaches 1 million. However, in scenario 5, where the IoC rules are tested together, the percentage of rules detection accuracy decreases when the number of active rules from each IoC is less than 10,000. The percentage decrease in detection accuracy performance in scenario five can occur with an average reduction of 19.64%. Even further in scenario 5, when the total number of rules reaches 1,000,000 or 200,000 from each IoC, IDS Suricata fails to detect all rules (detection percentage is 0%). This research show that the higher number of rules activated, the decrease in the Suricata IDS performance in terms of detection accuracy

Suricata como detector de intrusos para la seguridad en redes de datos empresariales

The objective of this research is to analyze the relevance and applicability of Suricata as an intrusion detection system to strengthen security in digital networks of small and medium enterprises. A descriptive type of research was developed using synthetic analytical and experimental scientific methods. Suricata's hardware resource consumption and its intrusion detection capacity were evaluated through signature-based analysis in the network of a medium-sized Cuban agro-industrial company. Malicious network traffic was generated using Kali Linux distribution to simulate network probing, denial of service and brute force attacks. The results obtained showed that Suricata has a good effectiveness for intrusion detection through signature-based analysis with an efficient consumption of hardware resources. The use of Suricata in small and medium enterprises will contribute to ensure the confidentiality, availability and integrity of their digital resources.El objetivo de esta investigación consiste en analizar la pertinencia y aplicabilidad de Suricata como sistema de detección de intrusiones para fortalecer la seguridad en las redes digitales de las pequeñas y medianas empresas. Se desarrolló una investigación de tipo descriptiva donde se emplearon como métodos científicos el analítico sintético y el experimental. Se evaluó el consumo de recursos de hardware de Suricata y su capacidad para la detección de intrusiones mediante el análisis basado en firmas en la red de una mediana empresa agroindustrial cubana. Se generó tráfico de red malicioso mediante la distribución Kali Linux para simular ataques de sondeo de redes, denegación de servicios y de fuerza bruta. Los resultados obtenidos evidenciaron que Suricata posee una buena efectividad para la detección de intrusiones mediante el análisis basado en firmas con un consumo eficiente de recursos de hardware. El uso de Suricata en las pequeñas y medianas empresas contribuirá a asegurar la confidencialidad, disponibilidad e integridad de sus recursos digitales

An enhanced classification framework for intrusions detection system using intelligent exoplanet atmospheric retrieval

Currently, many companies use data mining for various implementations. One form of implementation is intrusion detection system (IDS). In IDS, the main problem for nuisance network administrators in detecting attacks is false alerts. Regardless of the methods implemented by this system, eliminating false alerts is still a huge problem. To describe data traffic passing through the network, a database of the network security layer (NSL) knowledge discovery in database (KDD) dataset is used. The massive traffic of data sent over the network contains excessive and duplicated amounts of information. This causes the classifier to be biased, reduce classification accuracy, and increase false alert. To that end, we proposed a model that significantly improve the accuracy of the intrusion detection system by eliminating false alerts, whether they are false negative or false positive negative alerts. The results show that the proposed intelligent exoplanet atmospheric retrieval (INARA) algorithm has improved accuracy and is able to detect new attack types efficiently

Evaluación de Snort y Suricata para la detección de sondeos de redes y ataques de denegación de servicio

Intrusion detection systems are one of the most widely used tools to identify attacks or intrusions in data networks in order to ensure the confidentiality, availability and integrity of the information transmitted through them. Due to the complexity of its application in companies' cybersecurity schemes, it is necessary to carry out an objective evaluation of these solutions in order to select the tool that best suits the requirements of these organizations. The objective of this research is to quantitatively compare the performance of Snort and Suricata for the detection of network probes and denial of service attacks. The htop tool was used to test the performance of Snort and Suricata against network probes and denial of service attacks simulated with different Kali Linux applications. It was identified that Snort has a lower CPU consumption than Suricata during intrusion detection through signature analysis, however, Suricata showed better effectiveness rates. The results obtained contribute to decision making in relation to the selection, deployment and implementation of intrusion detection systems in business data networks.Los sistemas de detección de intrusiones constituyen una de las herramientas más utilizadas para identificar ataques o intrusiones en redes de datos en aras de asegurar la confidencialidad, disponibilidad e integridad de la información que por ellas se transmite. Debido a la complejidad de su aplicación en los esquemas de ciberseguridad de las empresas es necesario realizar una evaluación objetiva de estas soluciones con el propósito de seleccionar la herramienta que mejor se ajuste a los requerimientos de estas organizaciones. El objetivo de la presente investigación consiste en comparar cuantitativamente el rendimiento de Snort y Suricata para la detección de sondeos de redes y ataques de denegación de servicio. Se utilizó la herramienta htop para comprobar el rendimiento de Snort y Suricata ante sondeos de redes y ataques de denegación de servicio simulados con diferentes aplicaciones de Kali Linux. Se identificó que Snort posee un consumo de CPU inferior a Suricata durante la detección de intrusiones mediante análisis de firmas, sin embargo, Suri-cata evidenció mejores índices de efectividad. Los resultados obtenidos contribuyen a la toma de decisiones en relación a la selección, despliegue e implementación de sistemas de detección de intrusiones en redes de datos empresariales

On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks

Signature-based Intrusion Detection Systems (SIDS) play a crucial role within the arsenal of security components of most organizations. They can find traces of known attacks in the network traffic or host events for which patterns or signatures have been pre-established. SIDS include standard packages of detection rulesets, but only those rules suited to the operational environment should be activated for optimal performance. However, some organizations might skip this tuning process and instead activate default off-the-shelf rulesets without understanding its implications and trade-offs. In this work, we help gain insight into the consequences of using predefined rulesets in the performance of SIDS. We experimentally explore the performance of three SIDS in the context of web attacks. In particular, we gauge the detection rate obtained with predefined subsets of rules for Snort, ModSecurity and Nemesida using seven attack datasets. We also determine the precision and rate of alert generated by each detector in a real-life case using a large trace from a public webserver. Results show that the maximum detection rate achieved by the SIDS under test is insufficient to protect systems effectively and is lower than expected for known attacks. Our results also indicate that the choice of predefined settings activated on each detector strongly influences its detection capability and false alarm rate. Snort and ModSecurity scored either a very poor detection rate (activating the less-sensitive predefined ruleset) or a very poor precision (activating the full ruleset). We also found that using various SIDS for a cooperative decision can improve the precision or the detection rate, but not both. Consequently, it is necessary to reflect upon the role of these open-source SIDS with default configurations as core elements for protection in the context of web attacks. Finally, we provide an efficient method for systematically determining which rules deactivate from a ruleset to significantly reduce the false alarm rate for a target operational environment. We tested our approach using Snort’s ruleset in our real-life trace, increasing the precision from 0.015 to 1 in less than 16 h of work. View Full-TextMinisterio de Ciencias e Innovación (MICINN)/AEI 10.13039/501100011033: PID2020-115199RB-I00FEDER/Junta de Andalucía-Consejería de Transformación Económica, Industria, Conocimiento y Universidades PYC20-RE-087-US

On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks

This work has been partly funded by the research grant PID2020-115199RB-I00 provided by the Spanish ministry of Industry under the contract MICIN/AEI/10.13039/501100011033, and also by FEDER/Junta de Andalucia-Consejeria de Transformacion Economica, Industria, Conocimiento y Universidades under project PYC20-RE-087-USE.Signature-based Intrusion Detection Systems (SIDS) play a crucial role within the arsenal of security components of most organizations. They can find traces of known attacks in the network traffic or host events for which patterns or signatures have been pre-established. SIDS include standard packages of detection rulesets, but only those rules suited to the operational environment should be activated for optimal performance. However, some organizations might skip this tuning process and instead activate default off-the-shelf rulesets without understanding its implications and trade-offs. In this work, we help gain insight into the consequences of using predefined rulesets in the performance of SIDS. We experimentally explore the performance of three SIDS in the context of web attacks. In particular, we gauge the detection rate obtained with predefined subsets of rules for Snort, ModSecurity and Nemesida using seven attack datasets. We also determine the precision and rate of alert generated by each detector in a real-life case using a large trace from a public webserver. Results show that the maximum detection rate achieved by the SIDS under test is insufficient to protect systems effectively and is lower than expected for known attacks. Our results also indicate that the choice of predefined settings activated on each detector strongly influences its detection capability and false alarm rate. Snort and ModSecurity scored either a very poor detection rate (activating the less-sensitive predefined ruleset) or a very poor precision (activating the full ruleset). We also found that using various SIDS for a cooperative decision can improve the precision or the detection rate, but not both. Consequently, it is necessary to reflect upon the role of these open-source SIDS with default configurations as core elements for protection in the context of web attacks. Finally, we provide an efficient method for systematically determining which rules deactivate from a ruleset to significantly reduce the false alarm rate for a target operational environment. We tested our approach using Snort’s ruleset in our real-life trace, increasing the precision from 0.015 to 1 in less than 16 h of work.Spanish Government PID2020-115199RB-I00 MICIN/AEI/10.13039/501100011033FEDER/Junta de Andalucia-Consejeria de Transformacion Economica, Industria, Conocimiento y Universidades PYC20-RE-087-US

An enhancement of optimized detection rule of security monitoring and control for detection of cyberthreat in location-based mobile system

A lot of mobile applications which provided location information by using a location-based service are being developed recently.For instance, a smart phone would find my location and destination by running a program using a GPS chip in a device. However,the information leakage and the crime thatmisused the leaked information caused by the cyberattack ofmobile information systemoccurred. So the interest and importance of information security are increasing. Also the number of users who has used mobiledevices in Korea is increasing, and the security of mobile devices is becoming more important. Snort detection system has beenused to detect and handle cyberattacks but the policy of Snort detection system is applied differently for each of the different kindsof equipment. It is expected that the security of mobile information system would be improved and information leakage would beblocked by selecting options through optimization of Snort detection policy to protect users who are using location-based servicein mobile information system environment in this paper

Seiðr: Dataplane Assisted Flow Classification Using ML

Real-time, high-speed flow classification is fundamental for network operation tasks, including reactive and proactive traffic engineering, anomaly detection and security enhancement. Existing flow classification solutions, however, do not allow operators to classify traffic based on fine-grained, temporal dynamics due to imprecise timing, often rely on sampled data, or only work with low traffic volumes and rates. In this paper, we present Seiðr, a classification solution that: (i) uses precision timing, (ii) has the ability to examine every packet on the network, (iii) classifies very high traffic volumes with high precision. To achieve this, Seiðr exploits the data aggregation and timestamping functionality of programmable dataplanes. As a concrete example, we present how Seiðr can be used together with Machine Learning algorithms (such as CNN, k -NN) to provide accurate, real-time and high-speed TCP congestion control classification, separating TCP BBR from its predecessors with over 88–96% accuracy and F1-score of 0.864-0.965, while only using 15.5 MiB of memory in the dataplane