DOCSLIB.ORG

Intrusion Detection Systems (IDS)

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Intrusion Detection Systems (IDS) Intrusion Detection Systems (IDS) Adli Wahid Role of Detection in Security • Part of security monitoring o Violation of security policies o Indicators of compromise o Threat drive or Vulnerability driven o What’s happening on the network? • Rules o Detection is based on rules • Action • What do we do when detection happens? • Alert and Investigate • Drop / Block Perspective – Adversary Tactics and Techniques • Mitre Att&ck Framework https://attack.mitre.org • Tactics – what are the goals of the adversary? • Technique – how do they do it? • SubJect to: o Resources o Platforms • Can we used this knowledge for detection? o Observe Adversaries Behaviour o Techniques, Tactics and Procedures (TTPs) o Deploy in prevention, detection, response Your Adversaries Motives Infrastructure Targets Behaviour Your Assets Your Systems Reference: https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/13884/AIR-T07-ATT%26CK-in-Practice-A-Primer-to-Improve-Your-Cyber-Defense-FINAL.pdf Reference: https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/13884/AIR-T07-ATT%26CK-in-Practice-A-Primer-to-Improve-Your-Cyber-Defense-FINAL.pdf Making Your Infrastructure Forensics Ready • Detecting known or potentially malicious activities • Part of the incident response plan • If your infrastructure is compromised o Can you answer the questions: what happened and since when? o Can we ‘go back in time’ and how far back? • What information you you need to collect and secure? • Centralized logging Intrusion Detection Systems • An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system Different types of Intrusion Detection Systems • Host Based • Network Based IDS Technology landscape Preventive Real Time Host Based IDS • A host-based IDS is capable of monitoring all or parts of the dynamic behavior and the state of a computer system, based on how it is configured. o which program accesses what resources o state of a system o not been changed by intruders • Monitoring Dynamic Behaviour • Who is doing what in a system • Monitoring State • Detect modifications Host Based IDS (2) • Techniques o System Integrity Check o Alerting o Vulnerability Detection o Configuration assessment o Rootkit detection o Security Policy Source: https://wazuh.com o Active Response • OpenSCAP • OpenSCAP is an OVAL (Open Vulnerability Assessment Language) and XCCDF (Extensible Configuration Checklist Description Format) interpreter used to check system configurations and to detect vulnerable applications. Examples • OSSEC o https://www.ossec.net • Wazuh o https://www.wazuh.com • Some other interesting projects o OSQuery - https://www.osquery.io/ o Loki - https://github.com/Neo23x0/Loki o Sysmon - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon oKey component – agent or log/data shipper Network Based IDS • Network intrusion detection systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. o performs an analysis of passing traffic on the entire subnet, and matches the traffic that is passed on the subnets to the library of known attacks. oDetection Method o Signature based o Anomaly based • Examples (Free / Open Source) o SNORT o Suricata o Zeek (Bro) Limitations • Noise • False Positives • Signature management o Outdated o 0-days • Can’t compensate for weak authentication / identification • Encrypted packets How to monitor the network? • Network TAPs o A network tap is a hardware device which provides a way to access the data flowing across a computer network o The network tap has (at least) three ports: an A port, a B port, and a monitor port o Network Taps are fully passive device § Pros § Passive / Fail Safe § Exact duplicate of network traffic § Cons § Expensive § Require physical infrastructure Port Mirroring / SPAN Port • Also known as SPAN (Switch Port Analyzer) • A SPAN is a dedicated port on a managed switch that takes a mirrored copy of network traffic off the switch to be sent to a monitoring device • Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port • Pros • Low cost, easy to deploy • Feature available in most switch • Cons • Potential packet loss • Utilise switch resources • Attacker can disable SPAN/Mirror Port Caveats of IDS • "Alert Fatigue", • can be a daunting task and quickly fill an analysts plate combing through false positives trying to find that one good alert. • Administrators fail to keep alerts relevant • IDS is seen as a system with many of false positives • No maintenance is devoted towards managing it, can be spotty coverage • Rules/signatures are not up to date • Analysts fail to understand rules • Don't have proper training on how to validate rules • Are not kept in the loop on specific rules that are of high importance • Organization can't respond to problems generated by IDS • Response policies are not in place • System administrators don't know where to look for issues • Security organization isn't empowered to respond to issues Suricata Suricata Intrusion Detection System • Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. • It is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). • Suricata is developed by the OISF • The Suricata source code is licensed under version 2 of the GNU General Public License Suricata - History • Beta release – Dec 2009 • First standard release – July 2010 • Features o Multi-threading o Automatic protocol detection o JSON standard outputs o file matching, logging, extraction, md5 checksum calculation o DNS logger o etc In a nutshell • The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing • Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats • With standard input and output formats like YAML and JSON integrations with tools like existing SIEMs, Splunk, Logstash/Elasticsearch, Kibana, and other database become effortless Rules Management • It is important to have rules that are up-to-date • Management of rules is being done by suricata-update • Within the configuration file there are variables for default-rules-path and rule-files: • By default all rules are merged into a single file suricata.rules • Rules can be enabled and disabled • /etc/suricata/enabled.conf • /etc/suricata/disabled.conf Rules/Suricata • Actions (i.e. alert or drop) are decided by rules • In most occasions people are using existing rulesets • Emerging Threats • Talos/Cisco • https://github.com/suricata-rules/suricata-rules Rules Format • A rule/signature consists of the following: o The action, that determines what happens when the signature matches o The header, defining the protocol, IP addresses, ports and direction of the rule. o The rule options, defining the specifics of the rule drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Likely Bot Nick in IRC (USA +..)”; flow:established,to_server; flowbits:isset,is_proto_irc; content:”NICK “; pcre:”/NICK .*USA.*[0-9]{3,}/i”; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) Rules – Action • What happens if signature matches • Options o Pass o Drop (IPS mode) o Reject o Alert alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Likely Bot Nick in IRC (USA +..)”; flow:established,to_server; flowbits:isset,is_proto_irc; content:”NICK “; pcre:”/NICK .*USA.*[0-9]{3,}/i”; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) Rules - Protocol drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Likely Bot Nick in IRC (USA +..)”; flow:established,to_server; flowbits:isset,is_proto_irc; content:”NICK “; pcre:”/NICK .*USA.*[0-9]{3,}/i”; reference:url,doc.emergingthreats.net/2008124; classtype:troJan-activity; sid:2008124; rev:2;) • 4 protocols o tcp (for tcp-traffic) o udp o icmp o ip (ip stands for ‘all’ or ‘any’) • And some application layer protocols* o Dns, http, smb, ssh, smtp, imap, tls , etc Rules - Source and destination • drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Likely Bot Nick in IRC (USA +..)”; flow:established,to_server; flowbits:isset,is_proto_irc; content:”NICK “; pcre:”/NICK .*USA.*[0- 9]{3,}/i”; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) • Source and Destination of traffic • IP address / Block • Domain names • Can be set as: • Variables – defined in /etc/suricata.yaml • IP address (v4/v6) format • ‘any’ • Negation i.e. ! can be used as well Rules - Ports (source and destination) • drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Likely Bot Nick in IRC (USA +..)”; flow:established,to_server; flowbits:isset,is_proto_irc; content:”NICK “; pcre:”/NICK .*USA.*[0-9]{3,}/i”; reference:url,doc.emergingthreats.net/2008124; classtype:troJan-activity; sid:2008124; rev:2;) • Port number(s) can be applied to source and destination traffic • Port helps to determine which application
Load more

Recommended publications
  • The Science DMZ
    The Science DMZ Brian Tierney, Eli Dart, Eric Pouyoul, Jason Zurawski ESnet Supporting Data-Intensive Research Workshop QuestNet 2013 Gold Coast, Australia July 2, 2013 What’s there to worry about? © Owen Humphreys/National Geographic Traveler Photo Contest 2013 7/2/13 2 Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science The Science DMZ in 1 Slide Consists of three key components, all required: “Friction free” network path • Highly capable network devices (wire-speed, deep queues) • Virtual circuit connectivity option • Security policy and enforcement specific to science workflows • Located at or near site perimeter if possible Dedicated, high-performance Data Transfer Nodes (DTNs) • Hardware, operating system, libraries all optimized for transfer • Includes optimized data transfer tools such as Globus Online and GridFTP Performance measurement/test node • perfSONAR Details at http://fasterdata.es.net/science-dmz/ Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science Overview Part 1: • What is ESnet? • Science DMZ Motivation • Science DMZ Architecture Part 2: • PerfSONAR • The Data Transfer Node • Data Transfer Tools Part 3: • Science DMZ Security Best Practices • Conclusions Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science The Energy Sciences Network (ESnet) A Department of Energy Facility Naonal Fiber footprint Distributed Team of 35 Science Data Network Internaonal Collaboraons Mul3ple 10G waves 5 Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science ESnetSC Supports Supports Research DOE at More Office than 300 of Institutions Science Across the U.S. Universities DOE laboratories The Office of Science supports: 27,000 Ph.D.s, graduate students, undergraduates, engineers, and technicians 26,000 users of open-access facilities 300 leading academic institutions 17 DOE laboratories 6 Lawrence Berkeley National Laboratory U.S.
    [Show full text]
  • USING LUA for DETECTION and MALWARE TRAFFIC ANALYSIS Dr Chris Wakelin, Senior Threat Analyst, Proofpoint November 2018
    MOONSTRUCK: USING LUA FOR DETECTION AND MALWARE TRAFFIC ANALYSIS Dr Chris Wakelin, Senior Threat Analyst, Proofpoint November 2018 1 © 2018 Proofpoint, Inc. Introduction . “Lua” is Portuguese for “Moon” . Small extensible language . Considered “well-engineered” by experts : . “If you read ... you'll see that the Lua team were well aware of many developments in programming languages and were able to choose from among the best ideas. Most designers of popular scripting languages have been amateurs and have not been nearly so well informed ... Lua is superbly designed so that the pieces fit together very nicely, with an excellent power-to-weight ratio ... Lua is superbly engineered. The implementation is just staggeringly good ...” . Currently used in . Wireshark . Games (Angry Birds, Crysis, Far Cry, Gary’s Mod …) . etc. 2 © 2018 Proofpoint, Inc. Introduction . Lua(jit) scripting support added initially in September 2012 . After suggestion by Will Metcalf of Emerging Threats . Lua Output support added March 2014 . Lua flowvar support added in 2013 . but only viewable (logged) from December 2016 3 © 2018 Proofpoint, Inc. Lua vs LuaJIT . LuaJIT – Just-In-Time compiler for Lua . Stable version 2.0.5 . Ubuntu 16.04 LTS included 2.0.4 . Development – version 2.1beta3 (for 18 months …) . Included in Ubuntu 18.04 LTS though . Some caveats . Based on older Lua 5.1 . Latest Lua is version 5.4 . Need to pre-allocate buffers in Suricata . Probably best to stick to Lua 5.1 features 4 © 2018 Proofpoint, Inc. Lua/LuaJIT options Suricata “configure” options (pick one) --enable-lua Enable Lua support --enable-luajit Enable Luajit support suricata.yaml … # Luajit has a strange memory requirement, it's 'states' need to be in the # first 2G of the process' memory.
    [Show full text]
  • Downloads." the Open Information Security Foundation
    Performance Testing Suricata The Effect of Configuration Variables On Offline Suricata Performance A Project Completed for CS 6266 Under Jonathon T. Giffin, Assistant Professor, Georgia Institute of Technology by Winston H Messer Project Advisor: Matt Jonkman, President, Open Information Security Foundation December 2011 Messer ii Abstract The Suricata IDS/IPS engine, a viable alternative to Snort, has a multitude of potential configurations. A simplified automated testing system was devised for the purpose of performance testing Suricata in an offline environment. Of the available configuration variables, seventeen were analyzed independently by testing in fifty-six configurations. Of these, three variables were found to have a statistically significant effect on performance: Detect Engine Profile, Multi Pattern Algorithm, and CPU affinity. Acknowledgements In writing the final report on this endeavor, I would like to start by thanking four people who made this project possible: Matt Jonkman, President, Open Information Security Foundation: For allowing me the opportunity to carry out this project under his supervision. Victor Julien, Lead Programmer, Open Information Security Foundation and Anne-Fleur Koolstra, Documentation Specialist, Open Information Security Foundation: For their willingness to share their wisdom and experience of Suricata via email for the past four months. John M. Weathersby, Jr., Executive Director, Open Source Software Institute: For allowing me the use of Institute equipment for the creation of a suitable testing
    [Show full text]
  • A Brief Study and Comparison Of, Open Source Intrusion Detection System Tools
    International Journal of Advanced Computational Engineering and Networking, ISSN: 2320-2106, Volume-1, Issue-10, Dec-2013 A BRIEF STUDY AND COMPARISON OF, OPEN SOURCE INTRUSION DETECTION SYSTEM TOOLS 1SURYA BHAGAVAN AMBATI, 2DEEPTI VIDYARTHI 1,2Defence Institute of Advanced Technology (DU) Pune –411025 Email: [email protected], [email protected] Abstract - As the world becomes more connected to the cyber world, attackers and hackers are becoming increasingly sophisticated to penetrate computer systems and networks. Intrusion Detection System (IDS) plays a vital role in defending a network against intrusion. Many commercial IDSs are available in marketplace but with high cost. At the same time open source IDSs are also available with continuous support and upgradation from large user community. Each of these IDSs adopts a different approaches thus may target different applications. This paper provides a quick review of six Open Source IDS tools so that one can choose the appropriate Open Source IDS tool as per their organization requirements. Keywords - Intrusion Detection, Open Source IDS, Network Securit, HIDS, NIDS. I. INTRODUCTION concentrate on the activities in a host without considering the activities in the computer networks. Every day, intruders are invading countless homes On the other hand, NIDS put its focus on computer and organisations across the country via virus, networks without examining the hosts’ activities. worms, Trojans, DoS/DDoS attacks by inserting bits Intrusion Detection methodologies can be classified of malicious code. Intrusion detection system tools as Signature based detection, Anomaly based helps in protecting computer and network from a detection and Stateful Protocol analysis based numerous threats and attacks.
    [Show full text]
  • Ten Strategies of a World-Class Cybersecurity Operations Center Conveys MITRE’S Expertise on Accumulated Expertise on Enterprise-Grade Computer Network Defense
    Bleed rule--remove from file Bleed rule--remove from file MITRE’s accumulated Ten Strategies of a World-Class Cybersecurity Operations Center conveys MITRE’s expertise on accumulated expertise on enterprise-grade computer network defense. It covers ten key qualities enterprise- grade of leading Cybersecurity Operations Centers (CSOCs), ranging from their structure and organization, computer MITRE network to processes that best enable effective and efficient operations, to approaches that extract maximum defense Ten Strategies of a World-Class value from CSOC technology investments. This book offers perspective and context for key decision Cybersecurity Operations Center points in structuring a CSOC and shows how to: • Find the right size and structure for the CSOC team Cybersecurity Operations Center a World-Class of Strategies Ten The MITRE Corporation is • Achieve effective placement within a larger organization that a not-for-profit organization enables CSOC operations that operates federally funded • Attract, retain, and grow the right staff and skills research and development • Prepare the CSOC team, technologies, and processes for agile, centers (FFRDCs). FFRDCs threat-based response are unique organizations that • Architect for large-scale data collection and analysis with a assist the U.S. government with limited budget scientific research and analysis, • Prioritize sensor placement and data feed choices across development and acquisition, enteprise systems, enclaves, networks, and perimeters and systems engineering and integration. We’re proud to have If you manage, work in, or are standing up a CSOC, this book is for you. served the public interest for It is also available on MITRE’s website, www.mitre.org. more than 50 years.
    [Show full text]
  • Securing Security Tools Suricon Ö.Wï
    Securing Security Tools SuriCon ö.wÏ Pierre Chiìier [email protected] French National Information Security Agency ö.wÏ ANSSI ◮ Created on July Åth ö..R, theANSSI (FrenchNetwork and Information SecurityAgency)isthe national authorityfor the defense and the security of information systems. ◮ Under the authority of the Prime Minister ◮ Main missions are: ◮ prevention ◮ defense of information systems ◮ awareness-rising http://www.ssi.gouv.fr/en/ ANSSI Securing Security Tools ö/öÏ Securing Security Tools Objectives of this talk: ◮ Improving security of tools ◮ Not on small steps,but trying to solve problems ◮ Consider alternatives to common solutions ◮ Test our claims ANSSI Securing Security Tools é/öÏ What is a network IDS ? A device that ◮ monitors network for malicious activity ◮ does stateful protocol analysis ◮ raises alerts to the administrators ◮ has to be fast ANSSI Securing Security Tools ÿ/öÏ What is a network IDS ? From the security point of view, a NIDS is: ◮ exposed to malicious traíc ◮ running lots of protocols dissectors ◮ connected to the admin network ◮ coded for performance ANSSI Securing Security Tools ó/öÏ Root causes ◮ Bad speciícations ◮ when they exist ◮ Design complexity and attack surface ◮ Formats complexity ◮ Programming language ◮ Paradox: many security tools are not securely coded ◮ “I’ll íx it later” ◮ Infosec peopleconsidering it’s “not their job” ANSSI Securing Security Tools Ï/öÏ Mimimal solutions ◮ Finding vulns does not (really)help security! ◮ But it helps (raising awareness, demonstrating the
    [Show full text]
  • Release 3.2Dev OISF
    Suricata User Guide Release 3.2dev OISF Jun 07, 2017 Contents 1 What is Suricata 1 1.1 About the Open Information Security Foundation............................1 2 Installation 3 2.1 Source..................................................3 2.2 Binary packages.............................................4 2.3 Advanced Installation..........................................5 3 Command Line Options 7 3.1 Unit Tests.................................................9 4 Suricata Rules 11 4.1 Rules Introduction............................................ 11 4.2 Meta-settings............................................... 16 4.3 Header Keywords............................................ 20 4.4 Prefilter.................................................. 31 4.5 Payload Keywords............................................ 32 4.6 HTTP Keywords............................................. 51 4.7 Flow Keywords.............................................. 67 4.8 Flowint.................................................. 70 4.9 Xbits................................................... 72 4.10 File Keywords.............................................. 73 4.11 Rule Thresholding............................................ 75 4.12 DNS Keywords.............................................. 77 4.13 SSL/TLS Keywords........................................... 78 4.14 Modbus Keyword............................................ 81 4.15 DNP3 Keywords............................................. 82 4.16 ENIP/CIP Keywords..........................................
    [Show full text]
  • A Comparative Analysis of the Snort and Suricata Intrusion-Detection Systems
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Calhoun, Institutional Archive of the Naval Postgraduate School Calhoun: The NPS Institutional Archive Theses and Dissertations Thesis Collection 2011-09 A comparative analysis of the Snort and Suricata intrusion-detection systems Albin, Eugene Monterey, California. Naval Postgraduate School http://hdl.handle.net/10945/5480 NAVAL POSTGRADUATE SCHOOL MONTEREY, CALIFORNIA THESIS A COMPARATIVE ANALYSIS OF THE SNORT AND SURICATA INTRUSION-DETECTION SYSTEMS by Eugene Albin September 2011 Thesis Advisor: Neil Rowe Second Reader: Rex Buddenberg Approved for public release; distribution is unlimited THIS PAGE INTENTIONALLY LEFT BLANK REPORT DOCUMENTATION PAGE Form Approved OMB No. 0704-0188 Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instruction, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188) Washington DC 20503. 1. AGENCY USE ONLY (Leave blank) 2. REPORT DATE 3. REPORT TYPE AND DATES COVERED September 2011 Master’s Thesis 4. TITLE AND SUBTITLE 5. FUNDING NUMBERS A Comparative Analysis of the Snort and Suricata Intrusion-Detection Systems 6. AUTHOR(S) Eugene Albin 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8.
    [Show full text]
  • Suricata IDPS and Its Interaction with Linux Kernel
    Suricata IDPS and its interaction with Linux kernel Eric Leblond, Giuseppe Longo Stamus Networks France, Italy [email protected] [email protected] Abstract All reconstructions that are handled differently by operating system due to RFC incompletion or bad implementation must Suricata is an open source network intrusion detection and pre- be taken into account by the IDS. If streaming is not done this vention system. It analyzes the traffic content against a set of signatures to discover know attacks and also journalize proto- way, then attackers can abuse this interpretation mistake to col information. get this attack unnoticed. For instance, if they attack a Win- One particularity of IDS systems is that they need to analyze dows operating system seen as a Linux by the IDS, they just the traffic as it is seen by the target. For example, the TCP need to use a TCP segmentation scheme that is done differ- streaming reconstruction has to be done the same way it is done ently on Linux and on Windows so the IDS will see a content on the target operating systems and for this reason it can’t rely that is not the one received by the target. This kind of tech- on its host operating system to do it. nique is called evasion [4] and it is available in attack tools Suricata interacts in a number of ways with the underlying just as Metasploit [2]. For this reason it can’t rely on the op- operating system to capture network traffic. Under Linux erating system it is running on to do it.
    [Show full text]
  • Based Intrusion Detection System
    EXAMENSARBETE INOM ELEKTRONIK OCH DATORTEKNIK, GRUNDNIVÅ, 15 HP STOCKHOLM, SVERIGE 2019 Machine Learning for a Network- based Intrusion Detection System Maskininlärning för ett Nätverksbaserat Intrångsdetekteringssystem VILHELM GUSTAVSSON KTH SKOLAN FÖR ELEKTROTEKNIK OCH DATAVETENSKAP Machine Learning for a Network-based Intrusion Detection System An application using Zeek and the CCIDS2017 dataset Swedish title: Maskininl¨arningf¨orett N¨atverksbaserat Intr˚angsdetekteringssystem Thesis project for the degree: Bachelor of Science in Computer Engineering Vilhelm Gustavsson May 2019 Royal Institute of Technology, KTH School of Electrical Engineering and Computer Science Stockholm, Sweden TRITA-CBH-GRU-2019:033 Abstract Cyber security is an emerging field in the IT-sector. As more devices are con- nected to the internet, the attack surface for hackers is steadily increasing. Network-based Intrusion Detection Systems (NIDS) can be used to detect ma- licious traffic in networks and Machine Learning is an up and coming approach for improving the detection rate. In this thesis the NIDS Zeek is used to extract features based on time and data size from network traffic. The features are then analyzed with Machine Learning in Scikit-learn in order to detect malicious traf- fic. A 98.58% Bayesian detection rate was achieved for the CICIDS2017 which is about the same level as the results from previous works on CICIDS2017 (with- out Zeek). The best performing algorithms were K-Nearest Neighbors, Random Forest and Decision Tree. Sammanfattning (Swedish abstract) IT-s¨akerhet ¨ar ett v¨axande f¨alt inom IT-sektorn. I takt med att allt fler sa- ker ansluts till internet, ¨okar ¨aven angreppsytan och risken f¨or IT-attacker.
    [Show full text]
  • Running Bro on BSD
    Running Bro on BSD An analysis of high performance solutions running on BSD operating systems. Michael Shirk BroCon 2016 @Shirkdog http://github.com/Shirkdog Agenda l Introduction l Bro is awesome l Why FreeBSD? l High Performance and FreeBSD l FreeBSD at the Berkley Lab l PF_RING vs. netmap l OpenBSD Rant Warning l Whenever you see the beastie with a hammer, there is a potential for some BSD bias to slip in. l The goal is to minimize this throughout the talk. l All information not cited in this talk is based on personal experience or opinion (marked with an asterisk *). Introduction l Worked in IDS/IPS since 2003 (various positions including consulting) - Engines: Snort, Suricata, Dragon and now Bro (also had to work with McAfee, ISS, NFR … others) - Signatures for Emerging Threats (since they were Bleeding Edge Snort) l Support Open Source Security Tools and Software - Maintain pulledpork for Snort/Suricata (rule updating script): http://github.com/shirkdog/pulledpork - Active community member of open source projects: l Operating Systems: FreeBSD, OpenBSD, HardenedBSD l Security Tools: Snort, Suricata, AIDE, Bro (starting) Bro Beginnings l 2013 – Bro setup on Linux with PF_RING and Suricata ( Dell R610 12 Core 32GB Appliance) - PoC was Security Onion, the production setup was on Ubuntu with PF_RING, Suricata and nothing else. - Gigamon TAP aggregated data to a single 10Gb Fiber interface fed to the Bro/Suricata sensor. - ~700Mbps peak, ~350Mbps non-peak l Bro logs were fed into Splunk (modified Splunk_TA_Bro to work with log formats) l Set it and forget it, it's just that simple.
    [Show full text]
  • Network Security Presentation
    http://bit.ly/2LamWxj Network Security & Performance Jason Zurawski Scott Chevalier [email protected] [email protected] ESnet / Lawrence Berkeley National Laboratory Indiana University International Networks Linux Cluster Institute (LCI) Introductory Workshop University of Oklahoma May 15-16, 2019 This document is a result of work by volunteer LCI instructors and is licensed under CC BY- NC-ND 4.0 (https://creativecommons.org/licenses/by-nc-nd/4.0/). National Science Foundation Award #1826994 https://epoc.global Science DMZ as Security Architecture • Allows for better segmentation of risks, more granular application of controls to those segmented risks. • Limit risk profile for high-performance data transfer applications • Apply specific controls to data transfer hosts • Avoid including unnecessary risks, unnecessary controls • Remove degrees of freedom – focus only on what is necessary • Easier to secure • Easier to achieve performance • Easier to troubleshoot Science DMZ Security • Goal : Disentangle security policy and enforcement for science flows from security for business systems • Rationale • Science data traffic is simple from a security perspective • Narrow application set on Science DMZ • Data transfer, data streaming packages • No printers, document readers, web browsers, building control systems, financial databases, staff desktops, etc. • Security controls that are typically implemented to protect business resources often cause performance problems • Separation allows each to be optimized Performance is a Core Requirement •Core information security principles • Confidentiality, Integrity, Availability (CIA) •In data-intensive science, performance is an additional core mission requirement: CIA PICA • CIA principles are important, but if the performance isn’t there the science mission fails • This isn’t about “how much” security you have, but how the security is implemented • Need to appropriately secure systems without performance compromises Motivations • The big myth: The main goal of the Science DMZ is to avoid firewalls and other security controls.
    [Show full text]