
Network Attack and Intrusion Prevention System


Network Attack from laboratory simulation and
Intrusion Prevention System

Published in: Internet

  1. 1. Network Attack and Intrusion Prevention System. Deris Stiawan, Ph.D, C|EH, C|HFI. Computer Network & Information Security (COMNETS) Research Group, Universitas Sriwijaya, 2017
  2. 2. David, S. (2012). "The state of network security." Network Security 2012(2): 14-20.
  3. 3. Dlamini, M. T., J. H. P. Eloff, et al. (2009). "Information security: The moving target." Computers & Security 28(3–4): 189-198.
  4. 4. Hansman, S. and R. Hunt (2005). "A taxonomy of network and computer attacks." Computers & Security 24: 31-43.
  5. 5. Reported increasing numbers of types, methods and volume of attacks. There has been an explosion of security threats in recent years: Trojans, viruses, worms, adware, spyware and DoS continue to grow, multiply and evolve toward future cyber war. New methods / trends of attack and the challenges of cyber attacks are described according to: (CSI/FBI 2011), (CERT-IST, 2012), (Kenneth, 2010b), (Mansfield-Devine, 2011) and (David, 2012); (Kenneth, 2010a), (Amoroso, 2011), (Sommer, 2012) and (Chen et al., 2012)
  6. 6. Intrusion Prevention System. IPS are considered to be an extension of IDSs: both examine network traffic searching for attacks and both detect malicious or unwanted traffic, but an IPS is also able to eliminate the threat traffic (Patel A et al., 2010; Patel A et al., 2013). Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. An IDS informs of a potential attack, whereas an IPS attempts to stop it. IPS is designed and developed for more active protection, to improve upon the IDS and firewall.
  7. 7. Detection Prevention Reaction Response Firewall Features Access Control Policy Management Alarm Accuracy Sensor Reporting Readiness Early prevent Prediction. Abstracted by: (Manikopoulos 2003), (Zou & Towsley 2005), (Stakhanova et al. 2007), (Debar et al. 2008), (Anuar et al. 2010), (Patel et al. 2010), (Mu et al. 2010), (K. Salah & Kahtani 2010), (Elshoush & Osman 2011), (Patel et al. 2013)
  8. 8. CSI/FBI (2010) : Satisfaction With Security Technology
  9. 9. Comparison IDS & IPS. Patel, A., Q. Qassim, et al. (2010). "A survey of intrusion detection and prevention systems." Information Management & Computer Security 18(4): 277-290.
  10. 10. Table columns: IDS, IPS. Row labels: Usefulness, Signatures, Action, Activity / Response, Sensor.
      - IDS is designed only to identify and examine traffic and produce an alarm. IPS is designed to enhance data processing ability, intelligence and accuracy by itself.
      - IDS: simple pattern matching; stateful pattern matching; protocol decode-based analysis; heuristic-based analysis. IPS: recognize attack pattern; blocking action; stateful pattern matching; protocol decode-based analysis; heuristic-based analysis.
      - IDS: a passive security solution; detects attacks only after they have entered the network and does nothing to stop them, only sending an alert on attack traffic. IPS: an active response security solution; early detection, proactive technique, early prevention of the attack; when an attack is identified it blocks the offending data.
      - Sensors: commonly collected in source sensors; multisensory architectures; able to integrate with other platforms; able to integrate with heterogeneous sensors.
  11. 11. The Problem & Issues: IDPS. Active Reaction, Passive Reaction. On-line / Off-line Detection. Speed / Accuracy. Response Time of Detection. Sniffing Packet. Features Identification. Testing / Comparing Data Sets. Identify threat. Simulation, Live Environment, Live attack, Pentest. DARPA MIT, ISCX, ITD UTM. High Human Interaction, Resource Consumption, Traffic Data
  12. 12. ITD UTM Data set
  13. 13. Attack Pattern (sample): Scanning, Brute Force, DoS. Windows Server 2003, FreeBSD, Linux Redhat (www.pcrg-utm.org/dataset)
  14. 14. 10.10.10.15, 10.10.10.20 (Attacker’s) 10.10.10.10.5 (Redhat), 10.10.10.10 (FreeBsd), 10.10.10.25 (Windows Server 2003)
  15. 15. Normal & Attack Traffic. DoS: Normal / Attack? Normal Access: Web 2.0 (Video, Blog, Chat). Penetration Testing: Probe: Scanning, Network Mapping; U2R: Rooting, Escalating Privilege; R2L: Malware, SQL Injection, ARP Man in the Middle Attack; DoS: ICMP Flooding
  16. 16. The Research Question
      (1) How to capture and analyse the traffic and recognise threats in online traffic?
      (2) How to extract features from the TCP/IP header of packets and decrease the dimensionality of the dataset by discarding any redundant or irrelevant features?
      (3) What are the criteria to decide which features should be monitored (Niemelä, 2011); (Davis and Clark, 2011)?
      (4) Is it possible for the intrusion prevention system to react automatically to certain problems to try to contain or stop the damage (Niemi, 2012; Stakhanova, 2007)?
  17. 17. (1) Capture, analyze the traffic and recognize
  18. 18. (2) Feature extraction from raw data
  19. 19. (3) What the Relevant Parameter Features
  20. 20. (4) Identify and Response Mechanism. Sensor Analyzer Reporting Event Response Sniffing Module. Allow Deny Log Notification Capturing
  21. 21. Experimental Stages • Training the data • The methodology • Avoid some unexpected results • Testing (sequence / randomize) process and continuous – Standard stages of observations – Resume the results
  22. 22. Research: IPS. Existing method: static parameters for update policy. Naveed et al., (2010). Nicoletti, (2009); Zhou et al., (2010). abortion, ads, adult, banking, blog, chat, drug, ecommerce, Gambling, hacking, porn, warez, etc. Wuu et al., 2007. The current methods of payload attacks have changed; modern attackers are able to change the information and content of packets. Those solutions were only able to identify traffic and cannot detect or block threats occurring in real-time traffic. Able to identify threats without any response method. Detection of threats based on src IP, dst IP, packet length, TCP flags. URL lookup & content filtering. Able to block based on URL & content filtering. IP access list. Able to block threats based on IP / port.
  23. 23. Wattanapongsakorn et al., (2012); Sangkatsanee et al., (2011)
  24. 24. Practical: IPS. Hardware / software based: - Box devices, add-on / module device for router (hardware based) - Applications running on an operating system (software based). IPS features from firewall & IDS functions with Unified Threat Management: - Able to stop L7 (Application), L4 (Transport), L3 (Network), L2 (Data Link) - Firewall function: stop / reject the malicious - IDS function: detection, monitoring and deep packet inspection - One integrated management system. Engine for device knowledge: - They have their own knowledge / method, or it is combined with Snort signatures
  25. 25. Source: www.dtginc.net
  26. 26. Command Rules
  27. 27. Sophos Astaro: Security Gateway Appliances
      - Astaro Security Gateway 110/120. Environment: small office / branch office. Hardware specs: 3 x 10/100 Base-TX ports, integrated HD. Performance: firewall 100 Mbps, VPN 30 Mbps, IPS 55 Mbps.
      - Astaro Security Gateway 220. Environment: small to medium business. Hardware specs: 8 x 10/100 Base-TX ports, integrated HD. Performance: firewall 260 Mbps, VPN 150 Mbps, IPS 110 Mbps.
      - Astaro Security Gateway 320. Environment: medium business. Hardware specs: 4 x 10/100 Base-TX ports, 4 x Gigabit Base-TX port, integrated HD. Performance: firewall 420 Mbps, VPN 200 Mbps, IPS 180 Mbps.
      - Astaro Security Gateway 425. Environment: medium business, enterprise division. Hardware specs: 4 x Gigabit ports – PCI bus, 4 x Gigabit ports – PCI Express bus, hardware acceleration card, integrated HD. Performance: firewall 1,200 Mbps, VPN 265 Mbps, IPS 450 Mbps.
      - Astaro Security Gateway 525/525F. Environment: enterprise division. Hardware specs: Dual Intel Xeon CPU, 10 x Gigabit ports – PCI Express bus (525: 10 x Copper; 525F: 4 x Copper / 6 x SFP), hardware acceleration card, 2 integrated HD (RAID1) 1), 2 redundant power supplies. Performance: firewall 3,000 Mbps, VPN 400 Mbps, IPS 750 Mbps.
      1) hot-swappable
  28. 28. Screenshot Dashboard Sophos
  29. 29. Screenshot Dashboard Sophos
  30. 30. Screenshot Dashboard Sophos
  31. 31. Sample Log Astaro:
      2013:05:26-17:09:24 sophos ulogd[4673]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" srcmac="68:ef:bd:ab:13:7f" dstmac="e4:1f:13:69:44:14" srcip="115.239.210.27" dstip="202.9.69.90" proto="6" length="40" tos="0x00" prec="0x00" ttl="47" srcport="80" dstport="29238" tcpflags="ACK SYN"
      Sample Rule Astaro:
      drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"D WEB-MISC Webtrends HTTP probe"; flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; classtype:web-application-activity; sid:1101;)
  32. 32. Testbed & Pentest
  33. 33. Analysis and Results Traffic accuracy for inbound – outbound: (a) without policy, (b) Other method, (c) RT-IPS pitcher flow
  34. 34. Thank You deris@ieee.org
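
Added example (not from the slides): a small Python parser for the packet-filter log layout shown on slide 31, pulling out the header features named on slide 22 (src IP, dst IP, packet length, TCP flags) and counting drops per source. The function names are hypothetical, the syslog prefix is assumed to follow the usual `daemon[pid]:` form, and every sample line other than the slide's own is constructed.

```python
import re
from collections import Counter

# The log line from slide 31 (syslog prefix written in the usual daemon[pid] form).
SLIDE_LINE = (
    '2013:05:26-17:09:24 sophos ulogd[4673]: id="2001" severity="info" '
    'sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" '
    'fwrule="60001" initf="br0" srcmac="68:ef:bd:ab:13:7f" '
    'dstmac="e4:1f:13:69:44:14" srcip="115.239.210.27" dstip="202.9.69.90" '
    'proto="6" length="40" tos="0x00" prec="0x00" ttl="47" srcport="80" '
    'dstport="29238" tcpflags="ACK SYN"')
# Constructed variants (not from the slides): another drop, a drop whose quotes
# were turned curly by slide export, an accepted packet, and a junk line.
SAMPLE = [
    SLIDE_LINE,
    SLIDE_LINE.replace('srcport="80"', 'srcport="443"'),
    SLIDE_LINE.replace("115.239.210.27", "192.0.2.7")
              .replace('"ACK SYN"', "\u201cSYN\u201d"),
    SLIDE_LINE.replace("115.239.210.27", "192.0.2.7")
              .replace('action="drop"', 'action="accept"'),
    "not a packetfilter line",
]

HEAD = re.compile(r'^(\S+) (\S+) (\w+)\S*: ')   # timestamp, host, daemon[pid]:
PAIR = re.compile(r'(\w+)="([^"]*)"')           # key="value" fields
NUMERIC = ("proto", "length", "ttl", "srcport", "dstport")

def parse_line(line):
    """Return the line's fields as a dict, or None if the layout does not match."""
    line = line.translate({0x201C: '"', 0x201D: '"'})  # normalise curly quotes
    m = HEAD.match(line)
    if not m:
        return None
    rec = dict(PAIR.findall(line[m.end():]))
    rec.update(time=m.group(1), host=m.group(2), daemon=m.group(3))
    for key in NUMERIC:
        if key in rec:
            rec[key] = int(rec[key])
    rec["tcpflags"] = frozenset(rec.get("tcpflags", "").split())
    return rec

def features(rec):
    """Feature tuple: (src IP, dst IP, packet length, sorted TCP flags)."""
    return (rec["srcip"], rec["dstip"], rec["length"], tuple(sorted(rec["tcpflags"])))

def drops_by_source(lines):
    """Count action="drop" records per source IP, skipping unparseable lines."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec.get("action") == "drop":
            counts[rec["srcip"]] += 1
    return counts
```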
