self organized collaboration of distributed ids sensors
play

Self-organized Collaboration of Distributed IDS Sensors Karel Bartos - PowerPoint PPT Presentation

Feb 05, 2024 •17 likes •387 views

Self-organized Collaboration of Distributed IDS Sensors Karel Bartos 1 and Martin Rehak 1,2 and Michal Svoboda 2 1 Faculty of Electrical Engineering Czech Technical University in Prague 2 Cognitive Security, s.r.o., Prague DIMVA 2012 July 27

  1. Self-organized Collaboration of Distributed IDS Sensors Karel Bartos 1 and Martin Rehak 1,2 and Michal Svoboda 2 1 Faculty of Electrical Engineering Czech Technical University in Prague 2 Cognitive Security, s.r.o., Prague DIMVA 2012 July 27 2012

  2. Network Security – Motivation • Advanced Persistent Threats – Strategically motivated – Targeted (single/few targets) • Threats – Sophisticated industrial espionage – Organized crime – credit card fraud, banking attacks, spam • Challenges : – High traffic speeds – High number of increasingly sophisticated, evasive attacks

  3. All Industry Sectors at Risk “…every company in every conceivable industry with significant size & valuable intellectual property & trade secrets has been compromised (or will be shortly)…” - McAfee �������� �����������������������������

  4. Our Goal • Use a Collaboration of Multiple Heterogeneous Detectors to create Network Security Awareness

  5. Intrusion Detection • Intrusion Detection Systems – Deployed on key points of the network infrastructures – Detects malicious network/host behavior • Approaches – Host based vs. Network based – Anomaly detection vs. Signature matching – Multi-algorithm systems • Problem: Stand-alone IDS is not very effective on – Cooperative attacks – Large variability of malicious behavior

  6. Current Solution? Alert Correlation • IDEA: Data fusion of results from more detectors • GOAL: Create global full scale conclusions – Fusion of raw input data or low-level alerts – Increase the level of abstraction – Reveal more complex attacks scenarios – Find prerequisites and consequences

  7. Alert Correlation • Architectures Centralized Hierarchical Fully-distributed

  8. Example of Current Architecture – All detectors work in a stand-alone architecture – More sophisticated detectors can reconfigure based on local observations

  9. Alert Correlation • Collects results from more detectors to provide better overall results • WEAKNESSES: • It does not provide any feedback to the detectors – Detectors are not aware of the performance of other detectors – Detectors require initial (manual) configuration/tuning • It does not improve the performance of detectors

  10. Our Approach – All detectors work in a fully distributed and collaborative architecture – More sophisticated detectors can improve based on observations from other detectors

  11. Assumptions and Requirements • Communication – All-to-All, fully distributed • Reconfiguration – At least some detectors are able to change their internal states according to the observations • Security – Detectors do not provide information about their internal states • Strategic Deployment – Detectors are deployed in various parts of the monitored network; network traffic should overlap

  12. Why to communicate and share results? • Large variability of network attacks and threats – No single detector is able to detect all intrusions • To detect more intrusions, we need more detectors – More detection methods, various locations • Many detectors report a lot of same intrusions – They make similar conclusions and mistakes

  13. Why to communicate and share results? • Large variability of network attacks and threats – No single detector is able to detect all intrusions • To detect more intrusions, we need more detectors – More detection methods, various locations • Many detectors report a lot of same intrusions – They make similar conclusions and mistakes Q: Is it a good thing?

  14. Why to communicate and share results? • Large variability of network attacks and threats – No single detector is able to detect all intrusions • To detect more intrusions, we need more detectors – More detection methods, various locations • Many detectors report a lot of same intrusions – They make similar conclusions and mistakes Q: Is it a good thing? YES – For traditional alert correlation: (FP reduction)

  15. Why to communicate and share results? • Large variability of network attacks and threats • To detect more intrusions, we need more detectors • Many detectors report a lot of same intrusions Q: Is it a good thing? YES – For traditional alert correlation: (FP reduction) Q: Why the detectors generate a lot of FP?

  16. Why to communicate and share results? • Large variability of network attacks and threats • To detect more intrusions, we need more detectors • Many detectors report a lot of same intrusions Q: Is it a good thing? YES – For traditional alert correlation: (FP reduction) Q: Why the detectors generate a lot of FP? A: Because they: - want to be universal - want to generate a lot of TP

  17. Why to communicate and share results? • Large variability of network attacks and threats • To detect more intrusions, we need more detectors • Many detectors report a lot of same intrusions Q: Is it a good thing? YES – For traditional alert correlation: (FP reduction) NO – For our approach: ( specialization )

  18. Specialization • IDEA: Detectors communicate in order to be special • Each detector wants: (specialization allows) – to detect unique intrusions → essential – to minimize the amount of FP → effective • Each detector does not want: (specialization prevents) – to waste resources on already detected intrusions • Specialization in collaboration – Maximizes the overall detection potential of the system

  19. Proposed Collaboration Model • Set of feedback functions – Computes the specialization of each detector – f: E_local × E_remote → R • Set of configuration states – Defines the behavior of each detector • Solution Concept / Algorithm / Strategies – Feedback – reconfiguration mapping – Suitable for dynamic network environments

  20. Experimental Evaluation - Setup INTERNET • 2 network IDS deployed in different locations of our University Faculty network – Backbone IDS – Faculty – Subnet IDS – Department Department 1 Other Departments – 10 hours of network traffic (NetFlow) – Including samples of malware behavior

  21. Experimental Evaluation - Setup INTERNET • 2 network IDS deployed in different locations BACKBONE IDS of our University Faculty network – Backbone IDS – Faculty – Subnet IDS – Department Department 1 Other Departments – 10 hours of network traffic (NetFlow) – Including samples of malware behavior

  22. Experimental Evaluation - Setup INTERNET • 2 network IDS deployed in different locations BACKBONE IDS of our University Faculty network SUBNET IDS – Backbone IDS – Faculty – Subnet IDS – Department Department 1 Other Departments – 10 hours of network traffic (NetFlow) – Including samples of malware behavior

  23. Experimental Evaluation - Setup INTERNET • 2 network IDS deployed in different locations BACKBONE IDS of our University Faculty network SUBNET IDS – Backbone IDS – Faculty – Subnet IDS – Department Department 1 Other Departments – 10 hours of network traffic (NetFlow) – Including samples of malware behavior

  24. Experimental Evaluation - Malware INTERNET BACKBONE IDS SUBNET IDS http://www.damballa.com

  25. Experimental Evaluation - Model • Feedback function is defined as – Uniqueness of generated events – Number of alerts that I detected and others did not • Set of configuration states – Each detector consists of several detection methods – Several opinions have to be aggregated = parameter – State = aggregation function within each IDS

  26. Experimental Evaluation - Strategies • Stand-alone Stand-alone INTERNET – No feedback, No fusion • Fusion only BACKBONE IDS – Detectors are connected SUBNET IDS and exchange their results • Fusion + Feedback – Distributed feedback, Event fusion Department 1 – Encourages specialization

  27. Experimental Evaluation - Strategies • Stand-alone Fusion INTERNET – No feedback, No fusion • Fusion only BACKBONE IDS – Detectors are connected SUBNET IDS and exchange their results • Fusion + Feedback – Distributed feedback, Event fusion Department 1 – Encourages specialization

  28. Experimental Evaluation - Strategies • Stand-alone Fusion + Feedback INTERNET – No feedback, No fusion • Fusion only BACKBONE IDS – Detectors are connected SUBNET IDS and exchange their results • Fusion + Feedback – Distributed feedback, Event fusion Department 1 – Encourages specialization

  29. FIRE Epsilon-greedy Adaptation • Model consists of configuration states and their uniqueness values (weighted 5 past values) • Algorithm – Detectors exchange events – Compute uniqueness of last used configuration – Update last 5 uniqueness values for last used configuration – With probability p: • p ≥ ε select most unique configuration • p < ε select random configuration

  30. Experimental Evaluation - Results • Subnet location – # of detected malware samples 132 Feedback + Fusion 71 Fusion only 38 Stand-alone

  31. Experimental Evaluation - Results • Subnet location – relative false positive rate

  32. Experimental Evaluation - Results • Backbone location – # of detected malware samples 72 Feedback + Fusion 53 Fusion only 39 Stand-alone • Backbone location – relative false positive rate

Recommend

Our Product Range Color Sensors Luminescence Sensors Contrast Sensors Opacity

Our Product Range Color Sensors Luminescence Sensors Contrast Sensors Opacity

EMX Industries Inc . Application Driven Sensors Our Product Range Color Sensors Luminescence Sensors Contrast Sensors Opacity Sensors Brightness Sensors Special Sensors Bluetooth Switch The Facts Fastest Speed

309 views • 10 slides
Problem Formulation: Distributed Action Recognition Architecture Eight sensors on human body.

Problem Formulation: Distributed Action Recognition Architecture Eight sensors on human body.

Introduction Distributed Pattern Recognition Conclusion Problem Formulation: Distributed Action Recognition Architecture Eight sensors on human body. Locations are given and fixed. Each sensor carries triaxial accelerometer and biaxial

781 views • 29 slides
Real-Time Monitoring Sensors Rain Gauge Sensors: Water Level Sensors: Other Sensors:

Real-Time Monitoring Sensors Rain Gauge Sensors: Water Level Sensors: Other Sensors:

Real-Time Monitoring Sensors Rain Gauge Sensors: Water Level Sensors: Other Sensors: Tipping Bucket Above Water - Radar, Ultrasonic Soil Moisture Sensor Measures Accumulation and Rainfall Rate Submersible

536 views • 7 slides
Communication Middleware Software Layers 1.1 A distributed system organized as middleware. Note

Communication Middleware Software Layers 1.1 A distributed system organized as middleware. Note

Communication Middleware Software Layers 1.1 A distributed system organized as middleware. Note that the middleware layer extends over multiple machines. 2 Communication Alternatives Raw message passing TCP/IP: reliable byte stream

875 views • 26 slides
CAIS Sensor: Distributed Sensors Network in Brazilian NREN LACSEC LACNIC27 Regarding RNP

CAIS Sensor: Distributed Sensors Network in Brazilian NREN LACSEC LACNIC27 Regarding RNP

CAIS Sensor: Distributed Sensors Network in Brazilian NREN LACSEC LACNIC27 Regarding RNP Brazilian National Research and Education Network (RNP). Created in 1989. Implementing the first Latin American fiber network in 2005.

470 views • 22 slides
Distributed Tracking with Multiple Sensors for Augmented Reality 1. Workshop &quot;Virtuelle und

Distributed Tracking with Multiple Sensors for Augmented Reality 1. Workshop &quot;Virtuelle und

Distributed Tracking with Multiple Sensors for Augmented Reality 1. Workshop &quot;Virtuelle und Erweiterte Realitt&quot; der GI-Fachgruppe AR/VR Martin Wagner Lehrstuhl fr Angewandte Softwaretechnik Fachgebiet Augmented Reality Institut

460 views • 17 slides
Blind Beamforming using Randomly Distributed Sensors Kung Yao UCLA DARPA CSP Workshop, Jan. 15,

Blind Beamforming using Randomly Distributed Sensors Kung Yao UCLA DARPA CSP Workshop, Jan. 15,

Blind Beamforming using Randomly Distributed Sensors Kung Yao UCLA DARPA CSP Workshop, Jan. 15, 2001 Outline Introduction to blind beamforming array Different usages of blind beamforming arrays Applications 1. Acoustic source

301 views • 19 slides
Competing Tensions of Privacy Law and Distributed Collaboration Steven Michalove Thomas Daemen

Competing Tensions of Privacy Law and Distributed Collaboration Steven Michalove Thomas Daemen

Securing Wiki-Style Technology in the Global Enterprise: The Competing Tensions of Privacy Law and Distributed Collaboration Steven Michalove Thomas Daemen FIRST Conference 2008 Agenda The Evolving Collaboration Landscape Risk Redefined

354 views • 9 slides
Distributed Learning for Cooperative Inference C esar A. Uribe . Collaboration with: Alex

Distributed Learning for Cooperative Inference C esar A. Uribe . Collaboration with: Alex

Distributed Learning for Cooperative Inference C esar A. Uribe . Collaboration with: Alex Olshevsky and Angelia Nedi c LCCC - Focus Period on Large-Scale and Distributed Optimization June 5th, 2017 Optimization

899 views • 53 slides
CSE-571 Contact sensors: Bumpers Internal sensors Robotics Accelerometers

CSE-571 Contact sensors: Bumpers Internal sensors Robotics Accelerometers

Sensors for Mobile Robots CSE-571 Contact sensors: Bumpers Internal sensors Robotics Accelerometers (spring-mounted masses) Gyroscopes (spinning mass, laser light) Compasses, inclinometers (earth magnetic field, gravity)

253 views • 7 slides
INNOVATION GROUP Hellp Todays Rural Opportunity Youth session organized in collaboration

INNOVATION GROUP Hellp Todays Rural Opportunity Youth session organized in collaboration

Hello RURAL DEVELOPMENT INNOVATION GROUP Hellp Todays Rural Opportunity Youth session organized in collaboration with: RURAL OPPORTUNITY YOUTH ACROSS THE NATION, 2016 Andrew Schaefer, PhD Research Scientist Carsey School of Public

146 views • 10 slides
Melinda Stelzer and Bill Opsal Enhancing collaboration in distributed teams Partial

Melinda Stelzer and Bill Opsal Enhancing collaboration in distributed teams Partial

Melinda Stelzer and Bill Opsal Enhancing collaboration in distributed teams Partial collocation and its pitfalls Pushing team performance a step beyond The biggest pain point for distributed teams Empl ployees es o of f compa

688 views • 34 slides
Quality Assurance of Silicon Microstrip Sensors for the CBM Experiment I. Panasenko and P.

Quality Assurance of Silicon Microstrip Sensors for the CBM Experiment I. Panasenko and P.

Quality Assurance of Silicon Microstrip Sensors for the CBM Experiment I. Panasenko and P. Larionov for the CBM Collaboration (Darmstadt, DPG-2016) Outline Sensors for the Silicon Tracking System of CBM o Strategy for Quality Assurance o

420 views • 21 slides
Vision Sensors for Entomologically-inspired Micro Aerial Vehicles Dan Black, in collaboration

Vision Sensors for Entomologically-inspired Micro Aerial Vehicles Dan Black, in collaboration

Vision Sensors for Entomologically-inspired Micro Aerial Vehicles Dan Black, in collaboration with Professor Reid Harrison Insect Inspired Two kinds of vehicles: Micro Hovering Aerial Vehicles (MHAVs) ~ 50cm diameter Larger, but

507 views • 19 slides
Virtual Operations Centres for Coalition Operations and Distributed Team Collaboration Austin

Virtual Operations Centres for Coalition Operations and Distributed Team Collaboration Austin

Virtual Operations Centres for Coalition Operations and Distributed Team Collaboration Austin Tate &amp; Jeff Hansberger University of Edinburgh &amp; US Army Research Lab http://openvce.net Project to provide a Virtual Collaboration

370 views • 34 slides
From atom to bits Ermanno Pietrosemoli 1 Sensors Sensors are the bridge between the physical

From atom to bits Ermanno Pietrosemoli 1 Sensors Sensors are the bridge between the physical

Sensors: From atom to bits Ermanno Pietrosemoli 1 Sensors Sensors are the bridge between the physical world made of atoms and the abstract world of data. Humans have sensors that perceive many physical quantities whose output is transmitted

965 views • 24 slides
Silicon Sensors for High-Radiation Tracking Detectors- RD50 Status Report A. Junkes for the RD50

Silicon Sensors for High-Radiation Tracking Detectors- RD50 Status Report A. Junkes for the RD50

Silicon Sensors for High-Radiation Tracking Detectors- RD50 Status Report A. Junkes for the RD50 Collaboration 8 th International Hiroshima Symposium December 5 th to 8 th 2011 Taipei, Taiwan RD50 The RD50 collaboration Development of

872 views • 54 slides
An Information Management System for Collaboration within Distributed Working Environment

An Information Management System for Collaboration within Distributed Working Environment

An Information Management System for Collaboration within Distributed Working Environment http://urchin.spbcas.ru/downloads/esimbios/ Maria Samsonova, Andrei Pisarev, Konstantin Kozlov, Ekaterina Poustelnikova, Arthur Tkachenko Outline

646 views • 33 slides
Algorithmic approaches to distributed adaptive transmit beamforming 5th international conference

Algorithmic approaches to distributed adaptive transmit beamforming 5th international conference

Algorithmic approaches to distributed adaptive transmit beamforming 5th international conference on Intelligent Sensors, Sensor Networks and Information Processing Stephan Sigg, Michael Beigl Institute of Distributed and Ubiquitous Systems

386 views • 27 slides
a HIGH IMPEDANCE SENSORS I Photodiode Preamplifiers I Piezoelectric Sensors N Accelerometers N

a HIGH IMPEDANCE SENSORS I Photodiode Preamplifiers I Piezoelectric Sensors N Accelerometers N

PRACTICAL DESIGN TECHNIQUES FOR SENSOR SIGNAL CONDITIONING 1 Introduction 2 Bridge Circuits 3 Amplifiers for Signal Conditioning 4 Strain, Force, Pressure, and Flow Measurements I 5 High Impedance Sensors 6 Position and Motion Sensors 7

773 views • 43 slides
Botnets A collection of compromised machines Under control of a single person Organized

Botnets A collection of compromised machines Under control of a single person Organized

Botnets A collection of compromised machines Under control of a single person Organized using distributed system techniques Used to perform various forms of attacks Usually those requiring lots of power Lecture 12 Page 1 CS

753 views • 16 slides
3D ACTIVE EDGE SILICON 3D ACTIVE EDGE SILICON SENSORS SENSORS Cinzia Da Via- Vertex 06 -

3D ACTIVE EDGE SILICON 3D ACTIVE EDGE SILICON SENSORS SENSORS Cinzia Da Via- Vertex 06 -

3D ACTIVE EDGE SILICON 3D ACTIVE EDGE SILICON SENSORS SENSORS Cinzia Da Via- Vertex 06 - Perugia - September 2006 Cinzia Da Via , Brunel University UK , Brunel University UK Cinzia Da Via OUTLINE Collaboration OUTLINE Pixel

477 views • 33 slides
Mobile &amp; Service Robotics Mobile &amp; Service Robotics Sensors for Sensors for Robotics

Mobile &amp; Service Robotics Mobile &amp; Service Robotics Sensors for Sensors for Robotics

Mobile &amp; Service Robotics Mobile &amp; Service Robotics Sensors for Sensors for Robotics Sensors for Sensors for Robotics Robotics 1 Robotics 1 An Example of robots with their sensors 2 Basilio Bona Robotica 03CFIOR 2011 Another

583 views • 20 slides
July 16, 2014 What is an Organized Delivery System? An Organized Delivery System (ODS) is a

July 16, 2014 What is an Organized Delivery System? An Organized Delivery System (ODS) is a

What is an Organized Delivery System (ODS) from a Filing and Legal Perspective? Presented By: Kevin Joyce: VP, Network &amp; Delivery Systems, QualCare, Inc. Carol Grelecki: Esq, Brach Eichler, LLC July 16, 2014 What is an Organized Delivery

650 views • 19 slides

More recommend