IP flow based intrusion detection

Download as ppt, pdf

1 like496 views

This document discusses IP flow based intrusion detection. It notes issues with payload-based network intrusion detection systems and describes how flow-based detection addresses these issues by relying only on header information. It covers topics like flow sampling techniques, common types of attacks, and how flow-based detection is well-suited for detecting denial of service attacks, scans, worms, and botnets.

IP Flow based intrusion detection

Arangamanikkannan Manickam

IP Flow based Intrusion Detection

Presented by
Arangamanikkannan Manickam

Sampling

State information kept for each active flow

Flow look-up for each incoming packet puts heavy
demand on CPU and memory resources

IETF PSAMP working group creating standards for
sampling

Makes intrusion detection harder

Two categories:
− Packet sampling
− Flow Sampling

Sampling...

Packet Sampling
− Systematic Sampling

Time-driven sampling

Event-driven sampling
− Random Sampling

Probability distribution function is used
− n-inN sampling
− Probabilistic sampling

Sampling...

Flow Sampling
− Similar to random packet sampling
− Sample and hold method

A new incoming packet that does not
belong to existing flow leads to the creation
of new flow entry with probability p.
− Smart Sampling

Dynamically controls the size of sampled
data

Threshold sampling and priority
sampling
− Flow sampling probability depending on

Attack Classification

Physical attacks

Buffer overflow attacks

Password attacks

(Distributed) Denial of Service attacks

Information gathering attacks

Trojan horses

Worms

Viruses

Attack classification...

Botnets
− Group of computers infected with
malicious programs that cause them to
operate against their owners' intentions
and without their knowledge
− Remotely controlled by bot-masters
− Perfect for performing distributed attacks

Flow based Intrusion detection

As it relies only the header information it
addresses the following attacks
− Denial of service
− Scans
− Worms
− Botnets

This document summarizes a research paper on detecting anomalous packets in network traffic to identify security threats. It describes a two-stage anomaly detection system that first filters network traffic to examine only the start of incoming server requests. It then models the most common network protocols at the byte level to flag events that are rare or have not been observed recently. The models are tested on real network traffic captures containing simulated attacks and anomalies. The detection system is able to successfully identify all the attacks as well as some normal anomalies in the traffic.

Optimal remote access trojans detection based on network behaviorIJECEIAES

��

The document presents a study on an optimal detection model for remote access trojans (RATs) based on network behavior, addressing existing challenges such as false negatives and the influence of unbalanced datasets on detection accuracy. The proposed method utilizes a balanced dataset and captures different behaviors of RATs during the early stages of communication, achieving a detection accuracy of 99% with a false negative rate of only 0.3% using a random forest algorithm. The research highlights the importance of early detection and effective feature extraction to enhance the detection of both known and unknown RATs.

DDOSMaulik Kotak

��

This document discusses distributed denial-of-service (DDoS) attacks and methods to defend against them. It defines a DDoS attack as utilizing many compromised machines to flood a target with traffic in order to overwhelm it. The document then outlines techniques like IP traceback, probabilistic packet marking, and pushback that can help identify attackers and rate limit malicious traffic closer to its source in order to mitigate DDoS attacks.

Stock Motion/Gambit and deadpool part 2maggotmatt676

��

Stock Motion/Gambit and deadpool 3maggotmatt676

��

Question 1 Updatedmaggotmatt676

��

The trailer uses various storylines and conventions of soap operas to engage audiences. It begins with a dramatic car crash to grab attention. It then shows the pregnant girlfriend of the victim to create emotional connection. Another storyline features a drug deal gone wrong with a chase. Finally, a character walks in on an act of infidelity, creating a cliffhanger. The multiple parallel storylines spread intrigue across episodes like real soap operas. Natural lighting and a gradual build of drama make the scenes feel realistic like a soap.

Evalution: Question 1maggotmatt676

��

The document describes how a media product called "The Grove" uses and develops conventions of real soap operas. It discusses how the camera acts as a "fourth wall" to create realism. It also explores how techniques like close-ups, point-of-view shots, and multiple storylines engage audiences in a way similar to real soap operas. The document then analyzes some specific shots, costumes, lighting, and use of phones to further reflect the conventions of soap operas and relate to audiences. In under 3 sentences.

Question 4maggotmatt676

��

The document describes Matthew Tildesley's use of various media technologies in creating his project for Aquinas College. He used PowerPoint to organize his responses and present ancillary materials. YouTube was utilized to upload a trailer for feedback. Blogger allowed him to upload videos, pictures, and embed PowerPoints from other sites. Photoshop enabled editing of images and effects for a magazine cover. Illustrator facilitated text design for the cover and poster with effects and formatting.

Network forensics1Santosh Khadsare

��

Network forensics is the capture, recording, and analysis of network events and traffic in order to discover the source of security attacks or other problem incidents. It involves systematically capturing and analyzing network traffic and events to trace and prove a network security incident. Network forensics provides crucial network-based evidence that can be used to successfully prosecute criminals. It is a difficult process that depends on maintaining high-quality network information.

Malware Analysis and Prediction SystemAzri Hafiz

��

This document provides a summary of the MAPS (Malware Analysis and Prediction System) developed by the Security and Forensic Research Group at Universiti Sains Malaysia. MAPS uses multiple modules including an anti-malware module, prediction system, malware analysis, forensic tools, signature database, online repository, and evidence storage to detect, analyze, predict, and prevent malware attacks. It also compares the functions of MAPS to other commercial anti-malware systems such as Avira and Kaspersky.

System hijacking using ratn|u - The Open Security Community

��

This document discusses remote access trojans (RATs) and how they work. A RAT is a type of malware that provides backdoor administrative control over an infected computer. It uses a client-server model with a server program that listens on specific ports for a client program to connect from the infected machine. RATs can be delivered via file binders like documents or games, Java exploits, or email attachments. Antivirus programs work to detect RATs by scanning their API calls and code against databases of known malicious software.

Intrusion Detection with Neural Networksantoniomorancardenas

��

The document discusses the use of neural networks in intrusion detection and classification within computer networks, highlighting the increasing need for robust security measures due to rising threats. It describes various components of intrusion detection systems, types of network attacks, and methods for anomaly detection, including the benefits of neural networks for discerning normal and abnormal network behavior. The paper concludes by emphasizing the effectiveness of a hybrid system combining misuse and anomaly detection techniques for real-time intrusion detection and classification.

Understanding Intrusion Detection & Prevention Systems (1).pptxRineri1

��

The document discusses intrusion detection systems (IDS) and their importance in securing information transmission amidst increasing risks of cyber threats. It elaborates on different detection methods, such as misuse-based and anomaly-based detection, as well as the architecture and functionality of IDS, including their benefits and limitations. Additionally, it introduces a hybrid IDS model that combines both detection approaches to enhance security measures.

Entropy and denial of service attackschris zlatis

��

The document discusses denial of service (DoS) and distributed denial of service (DDoS) attacks, defining them and highlighting their increasing sophistication and threat to internet security since 2000. It introduces a new method for traceback of DDoS attacks using entropy variations, which avoids the limitations of traditional packet marking while improving detection and response capabilities. Additionally, it examines previous works on detection methods using Shannon and Renyi cross entropy, showcasing their effectiveness in identifying network anomalies.

Development, Confusion and Exploration of Honeypot TechnologyAntiy Labs

��

This document discusses the development, status, challenges, and future outlook of honeypot technology. It describes how honeypots have evolved from early experimental systems in the 1990s to integrated production tools today. The document outlines the main categories of honeypots and discusses ongoing technical challenges around simulating targets, analyzing large amounts of data, and security threats. It presents several research initiatives and the Wind-catcher plan to further cultivation and analysis of malware samples using distributed honeypot networks.

ids.pptAgostinho9

��

This document discusses intrusion detection and prevention systems. It defines intrusion, intrusion detection, and intrusion prevention. It describes the components and approaches of intrusion detection systems, including misuse detection, anomaly detection, host-based detection, and network-based detection. It compares the pros and cons of different approaches and deployment methods. It also discusses key metrics, architectures, and examples like Snort.

Intrusion detection system pptSheetal Verma

��

This document discusses intrusion detection systems (IDS). An IDS monitors network or system activities for malicious activities or policy violations. IDS can be classified based on detection method (anomaly-based detects deviations from normal usage, signature-based looks for known attack patterns) or location (host-based monitors individual systems, network-based monitors entire network traffic). The document outlines strengths and limitations of different IDS types and discusses the future of integrating detection methods.

IP flow based intrusion detection

1. IP Flow based intrusion detection Arangamanikkannan Manickam

2. IP Flow based Intrusion Detection Presented by Arangamanikkannan Manickam

3. Section Title

4. Overview

5. Issues with payload based NIDS

7. Sampling  State information kept for each active flow  Flow look-up for each incoming packet puts heavy demand on CPU and memory resources  IETF PSAMP working group creating standards for sampling  Makes intrusion detection harder  Two categories: − Packet sampling − Flow Sampling

8. Sampling...  Packet Sampling − Systematic Sampling  Time-driven sampling  Event-driven sampling − Random Sampling  Probability distribution function is used − n-inN sampling − Probabilistic sampling

9. Sampling...  Flow Sampling − Similar to random packet sampling − Sample and hold method  A new incoming packet that does not belong to existing flow leads to the creation of new flow entry with probability p. − Smart Sampling  Dynamically controls the size of sampled data  Threshold sampling and priority sampling − Flow sampling probability depending on

10. Attack Classification  Physical attacks  Buffer overflow attacks  Password attacks  (Distributed) Denial of Service attacks  Information gathering attacks  Trojan horses  Worms  Viruses

11. Attack classification...  Botnets − Group of computers infected with malicious programs that cause them to operate against their owners' intentions and without their knowledge − Remotely controlled by bot-masters − Perfect for performing distributed attacks

12. Flow based Intrusion detection  As it relies only the header information it addresses the following attacks − Denial of service − Scans − Worms − Botnets

�ݺ�ߣ

IP flow based intrusion detection

Recommended

More Related Content

Similar to IP flow based intrusion detection (9)

IP flow based intrusion detection