30,112 research outputs found

    Obtaining security in a network through the use of intrusion

    This work aims to carry out a study of some solutions in computer network security, culminating in the Intrusion Prevention System (IPS). This system has the same characteristics as an Intrusion Detection System (IDS), but its main differentiator is that it works actively on the network: it does not merely collect traffic, it interacts with the network. The proposal for these intrusion prevention systems emerged recently thanks to the ability to collect and analyze TCP/IP traffic in real time in order to take proactive or, at least, reactive measures whenever necessary.
    Track: Architecture, Networks and Operating Systems (ARSO). Red de Universidades con Carreras en Informática (RedUNCI)

    Biologically Inspired Intrusion Prevention and Self-Healing System for Critical Services Network

    With the explosive development of critical services network systems and the Internet, the need for network security systems has become even more critical as information technology spreads into everyday life. An Intrusion Prevention System (IPS) provides an in-line mechanism focused on identifying and blocking malicious network activity in real time. This thesis presents a new intrusion prevention and self-healing (SH) system for critical services network security. The design features of the proposed system are inspired by the human immune system, integrated with a nonlinear pattern recognition classification algorithm and machine learning. Firstly, current intrusion prevention systems, biological innate and adaptive immune systems, autonomic computing and self-healing mechanisms are studied and analyzed. The importance of intrusion prevention suggests that artificial immune systems (AIS) should incorporate abstraction models from the innate and adaptive immune systems, pattern recognition, machine learning and self-healing mechanisms to provide an autonomous IPS with fast and highly accurate detection and prevention performance and survivability for critical services network systems. Secondly, a specification language, system design, and mathematical and computational models for the IPS and SH system are established, based upon nonlinear classification, prevention predictability trust, analysis, self-adaptation and self-healing algorithms. Finally, the system is validated through simulation tests, measurement, benchmarking and comparative studies. New benchmarking metrics for detection capability, prevention predictability trust and self-healing reliability are introduced as contributions to the measurement and validation of the IPS and SH system. Using the software system, design theories, AIS features, the new nonlinear classification algorithm, and the self-healing system, the thesis shows how the presented systems can ensure safety for critical services networks and heal the damage caused by intrusion. This autonomous system improves on the performance of current intrusion prevention systems and maintains system continuity through its self-healing mechanism.

    Hunting IoT Cyberattacks With AI-Powered Intrusion Detection

    The rapid progression of the Internet of Things allows the seamless integration of cyber and physical environments, creating an overall hyper-connected ecosystem. This new reality clearly provides several capabilities and benefits, such as real-time decision-making and increased efficiency and productivity. However, it also raises crucial cybersecurity issues that can lead to disastrous consequences, due to the vulnerable nature of the Internet model and the new cyber risks originating from the multiple, heterogeneous technologies involved in the IoT. Therefore, intrusion detection and prevention are valuable and necessary mechanisms in the arsenal of IoT security. In light of these remarks, in this paper we introduce an Artificial Intelligence (AI)-powered Intrusion Detection and Prevention System (IDPS) that can detect and mitigate potential IoT cyberattacks. For the detection process, Deep Neural Networks (DNNs) are used, while Software Defined Networking (SDN) and Q-Learning are combined for the mitigation procedure. The evaluation analysis demonstrates the detection efficiency of the proposed IDPS, while Q-Learning converges successfully in terms of selecting the appropriate mitigation action.


    A Content-Addressable-Memory Assisted Intrusion Prevention Expert System for Gigabit Networks

    Cyber intrusions have become a serious problem of growing frequency and complexity. Current Intrusion Detection/Prevention Systems (IDS/IPS) are deficient in speed and/or accuracy. Expert systems are one functionally effective IDS/IPS method; however, they are in general computationally intensive and too slow for real-time requirements. This poor performance rules out the application of expert systems in gigabit networks. This dissertation describes a novel intrusion prevention expert system architecture that utilizes the parallel search capability of Content Addressable Memory (CAM) to perform intrusion detection at gigabit/second wire speed. A CAM is a parallel search memory that compares all of its entries against the input data simultaneously; this parallel search is much faster than the serial search operation of Random Access Memory (RAM). The major contribution of this thesis is to accelerate the expert system's performance bottleneck, the "match" process, using the parallel search power of a CAM, thereby enabling expert systems for wire-speed network IDS/IPS applications. To map an expert system's match process onto a CAM, this research introduces a novel "Contextual Rule" (C-Rule) method that fundamentally changes the computational structure of expert systems without changing their functionality for the IDS/IPS problem domain. The Contextual Rule method combines expert system rules and current network state into a new type of dynamic rule that exists only under specific network state conditions. This converts the conventional two-database match process into a one-database search process, and therefore enables the core functionality of the expert system to be mapped onto a CAM and take advantage of its search parallelism. The thesis also introduces the CAM-Assisted Intrusion Prevention Expert System (CAIPES) architecture and shows how it can support the vast majority of the rules in the 1999 Lincoln Lab DARPA Intrusion Detection Evaluation data set, as well as rules in the open source IDS "Snort". The supported rules are able to detect single-packet attacks, abusive traffic and packet flooding attacks, packet-sequence attacks, and flooding-of-sequences attacks. Prototyping and simulation have been performed to demonstrate the detection capability for these four types of attacks. Hardware simulation of an existing CAM shows that the CAIPES architecture enables gigabit/s IDS/IPS.

    Review of neural networks and particle swarm optimization contribution in intrusion detection

    Progress in the field of computer networks and the Internet has accelerated tremendously in recent years, which raises important security issues. Several solutions emerged in the past that provide security at the host or network level. These traditional solutions, such as antivirus, firewalls, spyware and authentication mechanisms, provide security to some extent, but they still face the challenges of inherent system flaws and social engineering attacks. Some interesting solutions emerged, such as intrusion detection and prevention systems, but these too have problems, such as detecting and responding in real time and discovering novel attacks. Because network intrusion behaviors are characterized by uncertainty, complexity and diversity, intrusion detection methods based on neural networks and the Particle Swarm Optimization (PSO) algorithm are widely used to address the problem. This paper gives an insight into how PSO and its variants can be combined with various neural network techniques for anomaly detection in a network intrusion detection system, in order to enhance the performance of the intrusion detection system.

    Anomaly-based botnet detection for 10 Gb/s networks

    Current network data rates have made it increasingly difficult for cyber security specialists to protect the information stored on private systems. Greater throughput not only allows for higher productivity, but also creates a "larger" security hole that may allow numerous malicious applications (e.g. bots) to enter a private network. Software-based intrusion detection/prevention systems are not fast enough to be fully effective against the massive amounts of traffic found on 1 Gb/s and 10 Gb/s networks. Consequently, businesses accept more risk and are forced to make a conscious trade-off between threat and performance. A solution that can handle a much broader view of large-scale, high-speed systems will allow us to increase maximum throughput and network productivity. This paper describes a novel method of solving this problem by joining a pre-existing signature-based intrusion prevention system with an anomaly-based botnet detection algorithm in a hybrid hardware/software implementation. Our contributions include the addition of an anomaly detection engine to a pre-existing signature detection engine in hardware. This hybrid system is capable of processing full-duplex 10 Gb/s traffic in real time with no packet loss. The behavior-based algorithm and user interface are customizable. This research has also led to improvements of the vendor-supplied signal and programming interface specifications, which we have made readily available.

    Enhancing Cloud Security by a Series of Mobile Applications That Provide Timely and Process Level Intervention of Real-Time Attacks

    Cyber threat indicators that can be shared instantly, in real time, may often be the only mitigating factor between preventing and succumbing to a cyber-attack. Detecting threats in a cloud computing environment can be even more of a challenge given the dynamic and complex nature of the hosts and the services running on them. Information security professionals have long relied on automated tools such as intrusion detection/prevention systems, SIEM (security information and event management), and vulnerability scanners to report system, application and architectural weaknesses. Although these mechanisms are widely accepted and considered effective at helping organizations stay more secure, each also has unique limitations that can hinder it in this regard. Therefore, in addition to utilizing these resources, a more proactive approach must be incorporated to bring to light possible attack vectors and hidden places where hackers may infiltrate. This paper shares an insightful example of such a lesser-known attack vector by closely examining a host routing table cache, which unveiled a great deal of information that went unrecognized by an intrusion detection system. Furthermore, the author researched and developed a robust mobile app tool with a multitude of functions that can provide the information security community with a low-cost countermeasure usable in a variety of infrastructures (e.g. cloud, host-based, etc.). The designed mobile app also illustrates how system administrators and other IT leaders can be alerted to brute force attacks and other rogue processes by quickly identifying and blocking the attacking IP addresses. It is an Android-based application that uses logs created by the Fail2Ban intrusion prevention framework for Linux. Additionally, the paper familiarizes readers with indirect detection techniques, ways to tune and protect the routing cache, the impact of low-and-slow hacking techniques, and the need for mobile app management in a cloud.

    Network-Based Detection and Prevention System against DNS-Based Attacks

    Individuals and organizations rely on the Internet as an essential environment for personal and business transactions. However, individuals and organizations have been primary targets for attacks that steal sensitive data. Adversaries can use different approaches to hide their activities inside the compromised network and communicate covertly between malicious servers and the victims. The domain name system (DNS) protocol is one of the approaches adversaries use to transfer stolen data outside the organization's network, using various forms of DNS tunneling attacks. The main reason for targeting the DNS protocol is that DNS is available in almost every network, ignored, and rarely monitored. In this work, the primary aim is to design a reliable and robust network-based solution as a detection system against DNS-based attacks using various techniques, including visualization, machine learning, and statistical analysis. The network-based solution acts as a DNS proxy server that provides DNS services as well as detection and prevention against DNS-based attacks, whether embedded in malware or used as stand-alone attack tools. The detection system works in two modes: real-time and offline. The real-time mode relies on the developed Payload Analysis (PA) module, while the offline mode operates on two of the modules contributed in this dissertation, the visualization and Traffic Analysis (TA) modules. We conducted various experiments to test and evaluate the detection system against simulated real-world attacks. Overall, the detection system achieved a high accuracy of 99.8% with a zero false-negative rate. To validate the method, we compared the developed detection system against the open-source Snort intrusion detection system (IDS). We evaluated the two detection systems using a confusion matrix, including recall, false-negative rate, accuracy, and other measures. The detection system detected all attack scenarios, while Snort missed 50% of the performed attacks. Based on the results, we conclude that the detection system is a significant and original improvement over the present methods for detecting and preventing DNS-based attacks.

    Statistical Methods for Detection and Mitigation of the Effect of Different Types of Cyber-Attacks and Inconsistencies in Electrical Design Parameters in a Real World Distribution System

    In the present grid, the real-time control systems are the energy management systems and distribution management systems that utilize measurements from real-time units (RTUs) and Supervisory Control and Data Acquisition (SCADA). SCADA systems were designed to operate on isolated, private networks without even basic security features, and are now being migrated to modern IP-based communications that provide near real-time information from measuring and controlling units. For the brain (SCADA) to function properly, the heart (RTUs) must provide the necessary response, creating a coupling that makes SCADA systems targets for cyber-attacks aimed at crippling part of the electric transmission grid or shutting it down fully (creating a blackout). Cyber-security research for a distribution grid is a topic yet to be addressed. To date, firewalls and classic signature-based intrusion detection systems have provided access control and awareness of suspicious network traffic, but typically have not offered any real-time detection and defense solutions for electric distribution grids. This thesis work not only addresses cyber security modeling, detection and prevention, but also addresses model inconsistencies for effectively utilizing and controlling distribution management systems. Inconsistencies in the electrical design parameters of the distribution network, or cyber-attack conditions, may cause the automated operations or the distribution state estimation process to fail, which might lead the system to a catastrophic condition or give erroneous solutions for the probable problems. This research also develops a robust and reliable voltage controller based on Multiple Linear Regression (MLR) to maintain the voltage profile in a smart distribution system under cyber-attacks and model inconsistencies. The developed cyber-attack detection and mitigation algorithms have been tested on the IEEE 13-node and 600+ node real American electric distribution systems modeled in the Electric Power Research Institute's (EPRI) OpenDSS software.