Modern information security management best practices dictate that an enterprise assumes full configuration control of end user computer systems (laptops, deskside computers, etc.). The benefit of this explicit control is lower support costs, since there is less variation in machines, operating systems, and applications to support; more importantly today, dictating specifically what software, hardware, and security configurations exist on an end user's machine can significantly reduce the occurrence of infection by malicious software. If the data pertaining to end user systems is organized and catalogued as part of normal information security logging activities, an extended picture of what the end system actually is may be available to the investigator at a moment's notice to enhance incident response and mitigation. The purpose of this research is to provide a way of cataloguing this data by using and augmenting existing tools and open source software deployed in an enterprise network.
Current Studies On Intrusion Detection System, Genetic Algorithm And Fuzzy Logic (ijdpsjournal)
This document summarizes a research paper on current studies of intrusion detection systems using genetic algorithms and fuzzy logic. The paper presents an overview of intrusion detection systems, including different techniques like misuse detection and anomaly detection. It discusses using genetic algorithms to generate fuzzy rules to characterize normal and abnormal network behavior in order to reduce false alarms. The paper also outlines the dataset, genetic algorithm approach, and use of fuzzy logic that are proposed for the intrusion detection system.
This document describes a proposed artificial neural network based intrusion detection system. It uses a multilayer perceptron neural network architecture trained on the KDD Cup 99 intrusion detection dataset. The system monitors network traffic in real-time, extracts features from network packets, and classifies the traffic into six categories using the neural network. It is able to detect both known and unknown attacks. The system aims to improve upon traditional signature-based intrusion detection systems.
Survey on Host and Network Based Intrusion Detection System (Eswar Publications)
With the invention of new technologies and devices, intrusion has become an area of concern because of security issues in the ever-growing area of cyber-attack. An intrusion detection system (IDS) is defined as a device or software application which monitors system or network activities for malicious activities or policy violations. It produces reports to a management station [1]. In this paper we mainly focus on different IDS concepts based on host and network systems.
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS (ieijjournal)
An intrusion detection system detects various malicious behaviors and abnormal activities that might harm the security and trust of a computer system. IDSs operate at either host or network level, utilizing anomaly detection or misuse detection. The main problem is to correctly detect intruder attacks against a computer network. The key point of successful intrusion detection is the choice of proper features. To resolve the problems of IDS schemes, this research work proposes “an improved method to detect intrusion using machine learning algorithms”. In our paper we use the KDDCUP 99 dataset to analyze the efficiency of intrusion detection with different machine learning algorithms like Bayes, NaiveBayes, J48, J48Graft and Random Forest. To identify network based IDS with the KDDCUP 99 dataset, experimental results show that the three algorithms J48, J48Graft and Random Forest give much better results than other machine learning algorithms. We use WEKA to check the accuracy of the classified dataset via our proposed method. We have considered all the parameters for computation of results, i.e. precision, recall, F-measure and ROC.
Enhanced method for intrusion detection over KDD Cup 99 dataset (ijctet)
This document discusses an enhanced method for intrusion detection using the KDD Cup 99 dataset. It aims to improve the accuracy of the dataset by analyzing the contribution of different attack classes to metrics like true positive rate and precision. The study examines these evaluation metrics for an intrusion detection system to identify which attack classes most impact recall and precision. The goal is to help improve the quality of the KDD Cup 99 dataset to achieve higher accuracy with lower false positives.
Detecting Anomaly IDS in Network using Bayesian Network (IOSR Journals)
In a hostile area of a network, it is a severe challenge to protect the sink by developing flexible and adaptive security-oriented approaches against malicious activities. Intrusion detection is the act of detecting and monitoring unwanted activity and traffic on a network or a device which violates security policy. This paper begins with a review of the most well-known anomaly based intrusion detection techniques. AIDS is a system for detecting computer intrusions, a type of misuse that falls outside normal operation, by monitoring system activity and classifying it as either normal or anomalous. It is based on a Machine Learning AIDS schemes model that allows the attacks analyzed to be categorized and finds probabilistic relationships among attacks using a Bayesian network.
This document discusses network intrusion detection systems (NIDS) and their ability to handle high-speed traffic. It introduces NIDS and their role in monitoring network traffic. The document presents an experiment that tests the open-source NIDS Snort under high-volume traffic. The experiment shows that Snort drops more packets as traffic speed and volume increases, demonstrating a weakness of NIDS in high-speed environments. It suggests using a parallel NIDS technique to help NIDS better handle high-speed network traffic and reduce packet dropping.
IMPROVED IDS USING LAYERED CRFS WITH LOGON RESTRICTIONS AND MOBILE ALERTS BAS... (IJNSA Journal)
With the ever-increasing number and diverse types of attacks, including new and previously unseen attacks, the effectiveness of an Intrusion Detection System is very important. Hence there is high demand to reduce the threat level in networks to ensure that the data and services offered by them are more secure. In this paper we developed an effective test suite for improving the efficiency and accuracy of an intrusion detection system using the layered CRFs. We set up different types of checks at multiple levels in each layer. Our framework examines various attributes at every layer in order to effectively identify any breach of security. Once the attack is detected, it is intimated through mobile phone to the system administrator for safeguarding the server system. We established experimentally that the layered CRFs can thus be more effective in detecting intrusions when compared with the other previously known techniques.
This document summarizes an international journal on information technology and management information systems. It discusses detecting and classifying attacks in a computer network. Existing approaches to intrusion detection include anomaly-based systems, host-based intrusion detection systems (HIDS), and network-based intrusion detection systems (NIDS). A multilayer perceptron (MLP) algorithm is commonly used for intrusion detection but has limitations. The paper proposes a modified apriori algorithm to generate rules for detecting and classifying attacks into categories and types to enable recommending appropriate responses.
A Study on Recent Trends and Developments in Intrusion Detection System (IOSR Journals)
This document discusses recent trends and developments in intrusion detection systems. It covers several topics:
- Artificial intelligence and machine learning techniques like neural networks, genetic algorithms, and fuzzy logic can be applied to intrusion detection to improve detection capabilities.
- There are different types of intrusion detection systems, including network-based, host-based, and wireless intrusion detection. Signature-based and anomaly-based detection are also discussed.
- Popular open source intrusion detection tools like Snort are discussed as alternatives to commercial intrusion prevention systems for some organizations.
- Intrusion prevention systems not only detect attacks but can also block attacks in real-time, providing an enhanced level of protection over intrusion
Intrusion detection systems aim to detect unauthorized access or activity in a computer system or network. There are two main types: network-based systems monitor network traffic to detect intrusions, while host-based systems monitor operating system logs and files on individual computers. Effective intrusion detection requires an incident response team to assess damage from intrusions and prevent future vulnerabilities, as well as securely storing logs as potential evidence.
Enhancing system efficiency through process scanning (sai kiran)
This project is to find new processes in the system which are not shown in the Task Manager. It works greatly on the Windows system. It compares system processes with a user-defined database of processes (original processes of Windows).
The document discusses implementing a real-time security monitoring and management system using open-source tools. It describes how intrusion detection systems (IDS) can detect attacks by closely monitoring network and system activities. The document then discusses how open-source tools like Snort can be used to build an IDS, providing real-time monitoring to detect intrusions and security violations. It analyzes some advantages and limitations of Snort compared to other open-source IDS tools. Specifically, Snort provides tested signatures and is portable but may face information overload from large rule databases.
HYBRID ARCHITECTURE FOR DISTRIBUTED INTRUSION DETECTION SYSTEM IN WIRELESS NE... (IJNSA Journal)
This document proposes a hybrid architecture for a distributed intrusion detection system using multiple agents. The key aspects of the architecture include:
- Using multiple independent tracker agents that monitor hosts and generate reports sent to monitors and storage.
- Monitors analyze activity and compare to signatures to detect known attacks, or send data to anomaly detectors.
- Anomaly and misuse detectors use classification and pattern matching to detect known and unknown attacks.
- An inference module coordinates entities across hosts to classify new attacks using a knowledge base and signature generator.
- A countermeasure module alerts administrators and can take actions like dropping packets in response to detected attacks.
Owing to the promotion of the Internet and local networks, interruption occasions to computer systems are emerging. Intrusion detection systems are becoming progressively vital in retaining appropriate network safety. An IDS is a software or hardware device that deals with attacks by gathering information from numerous system and network sources, then evaluating signs of security complexities. Enterprise networked systems are unsurprisingly unprotected against the growing threats posed by hackers as well as malicious users inside a network. IDS technology is one of the significant tools used nowadays to counter such threats. In this research we have proposed a framework: by using advanced feature selection and dimensionality reduction techniques we can reduce IDS data, then by applying a Fuzzy ARTMAP classifier we can find intrusions so that we get accurate results in less time. Feature selection is an active research area in decreasing dimensionality, eliminating unrelated data, developing learning correctness, and improving result unambiguousness.
A Survey: Comparative Analysis of Classifier Algorithms for DOS Attack Detection (ijsrd.com)
In today's interconnected world, one pervasive issue is how to protect systems from intrusion-based security attacks. It is an important issue to detect intrusion attacks for the security of network communication. Denial of Service (DoS) attacks are evolving continuously. These attacks make network resources unavailable for legitimate users, which results in massive loss of data, resources and money. The significance of intrusion detection systems (IDS) in computer network security is well proven. Intrusion Detection Systems (IDSs) have become an efficient defense tool against network attacks since they allow network administrators to detect policy violations. The mining approach can play a very important role in developing intrusion detection systems. Classification is identified as an important technique of data mining. This paper evaluates the performance of well-known classification algorithms for attack classification. The key idea is to use data mining techniques efficiently for intrusion attack classification. To implement and measure the performance of our system we used the KDD99 benchmark dataset and obtained a reasonable detection rate.
An IDS (Intrusion detection system) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDS come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system.
An Intrusion Detection based on Data mining technique and its intended import... (Editor IJMTER)
Intrusion detection is a pivotal and essential requirement of today’s era. There are two major sides of intrusion detection, namely host based intrusion detection and network based intrusion detection. A host based intrusion detection system monitors the information arriving at a particular machine or node, while a network based intrusion system monitors and analyzes the whole traffic of a network. Data mining introduces the latest technology and methods to handle and categorize types of attacks using different classification algorithms and matching the patterns of malicious behavior. Due to the use of this data mining technology, developers extract and analyze the types of attack in the network.
In addition to this there are two major approaches to intrusion detection. First, the anomaly based approach, in which attacks are found with a high false alarm rate. However, in the signature based approach, the false alarm rate is low but novel attacks are not processed. Most researchers do their research based on signature intrusion with the purpose of increasing the detection rate. The major advantage of this system is that the IDS does not require biased assessment and is able to identify massive patterns of attacks. Moreover, it has the capacity to handle large connection records of a network. In this paper we try to discover the features of intrusion detection based on data mining techniques.
This document summarizes various soft computing techniques that can be used for intrusion detection, including fuzzy logic, graph-based approaches, and neural networks. Fuzzy logic can be used to classify parameters and detect anomalies by comparing normal and new fuzzy association rule sets. Graph-based approaches model network traffic as graphs of nodes and edges and use clustering algorithms to detect anomalies. Neural networks can be trained on audit log data to recognize normal behavior and detect deviations that may indicate attacks. These soft computing methods aim to improve on signature-based detection by learning patterns of normal network activity and detecting anomalies.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
IRJET- Review on “Using Big Data to Defend Machines against Network Attacks” (IRJET Journal)
This document presents a review of a system called AI2 that uses machine learning and big data to defend against network attacks in real-time. The system has four key aspects: 1) a big data analytics platform to analyze network behavior, 2) an outlier detection system to identify abnormal behavior, 3) a mechanism for security analysts to provide feedback, and 4) a supervised learning module. It aims to overcome limitations of traditional rule-based security systems by combining machine learning and analyst intuition to more accurately detect new and unknown attacks.
Optimized Intrusion Detection System using Deep Learning Algorithm (ijtsrd)
A method and a system for the detection of an intrusion in a computer network compare the network traffic of the computer network at multiple different points in the network. In an uncompromised network the network traffic monitored at these two different points in the network should be identical. A network intrusion detection system is mostly placed at strategic points in a network, so that it can monitor the traffic traveling to or from different devices on that network. The existing Software Defined Network (SDN) proposes the separation of forward and control planes by introducing a new independent plane called the network controller. Machine learning is an artificial intelligence approach that focuses on acquiring knowledge from raw data and, based at least in part on the identified flow, selectively causing the packet, or a packet descriptor associated with the packet. The performance is evaluated using the network analysis metrics such as key generation delay, key sharing delay and the hash code generation time for both SDN and the proposed machine learning SDN. Prof P. Damodharan | K. Veena | Dr N. Suguna "Optimized Intrusion Detection System using Deep Learning Algorithm" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-2, February 2019, URL: https://www.ijtsrd.com/papers/ijtsrd21447.pdf
Paper URL: https://www.ijtsrd.com/engineering/other/21447/optimized-intrusion-detection-system-using-deep-learning-algorithm/prof-p-damodharan
This document summarizes a technique for network threat detection and alarming using system statistics and support vector machines. It begins by introducing the importance of network security and common authentication and security mechanisms. It then provides an overview of threat detection systems and their purpose of identifying security incidents and producing reports. The rest of the document details various threat detection techniques, including expert systems, signature analysis, state-transition analysis, statistical analysis, user intention identification, machine learning, and data mining. It focuses on using statistical analysis of system variables like packet types, delay, drop rate, and buffer overflow to identify threat types like blackholes, wormholes, and flooding.
AN IMPLEMENTATION OF INTRUSION DETECTION SYSTEM USING GENETIC ALGORITHM (IJNSA Journal)
Nowadays it is very important to maintain a high level of security to ensure safe and trusted communication of information between various organizations. But secured data communication over the internet and any other network is always under threat of intrusions and misuses. So Intrusion Detection Systems have become a needful component in terms of computer and network security. There are various approaches being utilized in intrusion detection, but unfortunately none of the systems so far is completely flawless. So, the quest for betterment continues. In this progression, here we present an Intrusion Detection System (IDS), applying a genetic algorithm (GA) to efficiently detect various types of network intrusions. Parameters and evolution processes for the GA are discussed in detail and implemented. This approach applies evolution theory to information evolution in order to filter the traffic data and thus reduce the complexity. To implement and measure the performance of our system we used the KDD99 benchmark dataset and obtained a reasonable detection rate.
An Extensive Survey of Intrusion Detection Systems (IRJET Journal)
This document summarizes an extensive survey of intrusion detection systems. It discusses the general architecture of IDS, including host-based and network-based systems. It describes different types of attacks (e.g. DoS, probing, user-to-root) and defenses. It analyzes previous work applying data mining techniques like machine learning to improve detection rates and reduce false alarms. A key problem is the massive number of false alarms that overburden security managers; the document aims to investigate solutions to lower the false alarm rate so that real threats are not missed.
INTRUSION DETECTION SYSTEM USING CUSTOMIZED RULES FOR SNORT (IJMIT JOURNAL)
This document proposes an intrusion detection system using customized rules for the Snort tool to improve security. The system uses Wireshark to scan network traffic for anomalies, Snort to detect attacks using customized rulesets for faster response times, and Wazuh and Splunk to analyze log files. Rules are created using the Snorpy tool and added to Snort to monitor for specific attacks like ICMP ping impersonation and authentication attempts. When attacks are attempted, the system successfully detects them and logs the alerts. The integration of these tools provides low-cost intrusion detection capabilities with automated threat identification and faster response compared to existing Snort configurations.
A Modular Approach To Intrusion Detection in Homogeneous Wireless Network (IOSR Journals)
This document discusses a modular approach to intrusion detection in homogeneous wireless networks. It begins by introducing wireless networks and the need for intrusion detection systems (IDS) due to security vulnerabilities. It then discusses different types of IDS, including signature-based detection that identifies known attacks, and anomaly-based detection that identifies deviations from normal behavior but can result in high false positives. The document proposes a modular approach combining advantages of signature-based and anomaly-based detection for high detection rates and low false positives. Requirements for IDS in wireless networks are also outlined.
Secure intrusion detection and countermeasure selection in virtual system usi... (eSAT Publishing House)
IJRET: International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academicians, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
IMPROVED IDS USING LAYERED CRFS WITH LOGON RESTRICTIONS AND MOBILE ALERTS BAS...IJNSA Journal
With the ever increasing number and diverse type of attacks, including new and previously unseen attacks, the effectiveness of an Intrusion Detection System is very important. Hence there is high demand to reduce the threat level in networks to ensure the data and services offered by them to be more secure. In this paper we developed an effective test suite for improving the efficiency and accuracy of an intrusion detection system using the layered CRFs. We set up different types of checks at multiple levels in each layer. Our framework examines various attributes at every layer in order to effectively identify any breach of security. Once the attack is detected, it is intimated through mobile phone to the system administrator for safeguarding the server system. We established experimentally that the layered CRFs can thus be more effective in detecting intrusions when compared with the other previously known techniques.
This document summarizes an international journal on information technology and management information systems. It discusses detecting and classifying attacks in a computer network. Existing approaches to intrusion detection include anomaly-based systems, host-based intrusion detection systems (HIDS), and network-based intrusion detection systems (NIDS). A multilayer perceptron (MLP) algorithm is commonly used for intrusion detection but has limitations. The paper proposes a modified apriori algorithm to generate rules for detecting and classifying attacks into categories and types to enable recommending appropriate responses.
A Study on Recent Trends and Developments in Intrusion Detection SystemIOSR Journals
This document discusses recent trends and developments in intrusion detection systems. It covers several topics:
- Artificial intelligence and machine learning techniques like neural networks, genetic algorithms, and fuzzy logic can be applied to intrusion detection to improve detection capabilities.
- There are different types of intrusion detection systems, including network-based, host-based, and wireless intrusion detection. Signature-based and anomaly-based detection are also discussed.
- Popular open source intrusion detection tools like Snort are discussed as alternatives to commercial intrusion prevention systems for some organizations.
- Intrusion prevention systems not only detect attacks but can also block attacks in real-time, providing an enhanced level of protection over intrusion
Intrusion detection systems aim to detect unauthorized access or activity in a computer system or network. There are two main types: network-based systems monitor network traffic to detect intrusions, while host-based systems monitor operating system logs and files on individual computers. Effective intrusion detection requires an incident response team to assess damage from intrusions and prevent future vulnerabilities, as well as securely storing logs as potential evidence.
Enhancing system efficiency through process scanning - sai kiran
This project aims to find new processes in the system that are not shown in the Task Manager. It works well on Windows. It compares the running system processes with a user-defined database of processes (the original Windows processes).
The document discusses implementing a real-time security monitoring and management system using open-source tools. It describes how intrusion detection systems (IDS) can detect attacks by closely monitoring network and system activities. The document then discusses how open-source tools like Snort can be used to build an IDS, providing real-time monitoring to detect intrusions and security violations. It analyzes some advantages and limitations of Snort compared to other open-source IDS tools. Specifically, Snort provides tested signatures and is portable but may face information overload from large rule databases.
HYBRID ARCHITECTURE FOR DISTRIBUTED INTRUSION DETECTION SYSTEM IN WIRELESS NE... - IJNSA Journal
This document proposes a hybrid architecture for a distributed intrusion detection system using multiple agents. The key aspects of the architecture include:
- Using multiple independent tracker agents that monitor hosts and generate reports sent to monitors and storage.
- Monitors analyze activity and compare to signatures to detect known attacks, or send data to anomaly detectors.
- Anomaly and misuse detectors use classification and pattern matching to detect known and unknown attacks.
- An inference module coordinates entities across hosts to classify new attacks using a knowledge base and signature generator.
- A countermeasure module alerts administrators and can take actions like dropping packets in response to detected attacks.
Owing to the spread of the Internet and local networks, intrusion incidents against computer systems are increasing. Intrusion detection systems are becoming progressively vital in maintaining appropriate network safety. An IDS is a software or hardware device that deals with attacks by gathering information from numerous system and network sources and then evaluating it for signs of security problems. Enterprise networked systems are unsurprisingly exposed to the growing threats posed by hackers as well as by malicious users inside the network. IDS technology is one of the significant tools used nowadays to counter such threats. In this research we have proposed a framework in which, by using an advanced feature selection and dimensionality reduction technique, we can reduce the IDS data and then, by applying a Fuzzy ARTMAP classifier, we can find intrusions, so that we get accurate results in less time. Feature selection is an active research area in decreasing dimensionality, eliminating unrelated data, improving learning correctness, and improving result clarity.
A Survey: Comparative Analysis of Classifier Algorithms for DOS Attack Detection - ijsrd.com
In today's interconnected world, one of the pervasive issues is how to protect systems from intrusion-based security attacks. Detecting intrusion attacks is an important issue for the security of network communication. Denial of Service (DoS) attacks are evolving continuously. These attacks make network resources unavailable to legitimate users, which results in massive loss of data, resources and money. The significance of intrusion detection systems (IDS) in computer network security is well proven. Intrusion Detection Systems (IDSs) have become an efficient defense tool against network attacks since they allow network administrators to detect policy violations. A data mining approach can play a very important role in developing an intrusion detection system. Classification is identified as an important technique of data mining. This paper evaluates the performance of well-known classification algorithms for attack classification. The key idea is to use data mining techniques efficiently for intrusion attack classification. To implement and measure the performance of our system we used the KDD99 benchmark dataset and obtained a reasonable detection rate.
An IDS (Intrusion detection system) is a device or software application that monitors network or system
activities for malicious activities or policy violations and produces reports to a management station. IDS
come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways.
There are network based (NIDS) and host based (HIDS) intrusion detection systems. Some systems may
attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system.
An Intrusion Detection based on Data mining technique and its intended import... - Editor IJMTER
Intrusion detection is a pivotal and essential requirement of today's era. There are two major sides of intrusion detection, namely host-based intrusion detection and network-based intrusion detection. A host-based intrusion detection system monitors the information arriving at a particular machine or node, while a network-based intrusion detection system monitors and analyzes the whole traffic of the network. Data mining introduces the latest technology and methods to handle and categorize types of attacks using different classification algorithms and matching the patterns of malicious behavior. Through the use of this data mining technology, developers extract and analyze the types of attack in the network.
In addition to this, there are two major approaches to intrusion detection. First, the anomaly-based approach, in which attacks are found with a high false alarm rate. However, in the signature-based approach, the false alarm rate is low, but novel attacks cannot be processed. Most researchers do their research based on signature intrusion with the purpose of increasing the detection rate. The major advantage of this system is that the IDS does not require biased assessment and is able to identify massive patterns of attacks. Moreover, it has the capacity to handle large connection records of the network. In this paper we try to discover the features of intrusion detection based on data mining techniques.
This document summarizes various soft computing techniques that can be used for intrusion detection, including fuzzy logic, graph-based approaches, and neural networks. Fuzzy logic can be used to classify parameters and detect anomalies by comparing normal and new fuzzy association rule sets. Graph-based approaches model network traffic as graphs of nodes and edges and use clustering algorithms to detect anomalies. Neural networks can be trained on audit log data to recognize normal behavior and detect deviations that may indicate attacks. These soft computing methods aim to improve on signature-based detection by learning patterns of normal network activity and detecting anomalies.
IRJET- Review on "Using Big Data to Defend Machines against Network Attacks" - IRJET Journal
This document presents a review of a system called AI2 that uses machine learning and big data to defend against network attacks in real-time. The system has four key aspects: 1) a big data analytics platform to analyze network behavior, 2) an outlier detection system to identify abnormal behavior, 3) a mechanism for security analysts to provide feedback, and 4) a supervised learning module. It aims to overcome limitations of traditional rule-based security systems by combining machine learning and analyst intuition to more accurately detect new and unknown attacks.
Optimized Intrusion Detection System using Deep Learning Algorithm - ijtsrd
A method and a system for the detection of an intrusion in a computer network compare the network traffic of the computer network at multiple different points in the network. In an uncompromised network, the network traffic monitored at these different points should be identical. A network intrusion detection system is mostly placed at strategic points in a network so that it can monitor the traffic traveling to or from different devices on that network. The existing Software Defined Network (SDN) proposes the separation of the forwarding and control planes by introducing a new independent plane called the network controller. Machine learning is an artificial intelligence approach that focuses on acquiring knowledge from raw data and, based at least in part on the identified flow, selectively causing the packet, or a packet descriptor associated with the packet. The performance is evaluated using network analysis metrics such as key generation delay, key sharing delay and the hash code generation time for both SDN and the proposed machine learning SDN.
Prof P. Damodharan | K. Veena | Dr N. Suguna "Optimized Intrusion Detection System using Deep Learning Algorithm" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-2, February 2019, URL: https://www.ijtsrd.com/papers/ijtsrd21447.pdf
Paper URL: https://www.ijtsrd.com/engineering/other/21447/optimized-intrusion-detection-system-using-deep-learning-algorithm/prof-p-damodharan
This document summarizes a technique for network threat detection and alarming using system statistics and support vector machines. It begins by introducing the importance of network security and common authentication and security mechanisms. It then provides an overview of threat detection systems and their purpose of identifying security incidents and producing reports. The rest of the document details various threat detection techniques, including expert systems, signature analysis, state-transition analysis, statistical analysis, user intention identification, machine learning, and data mining. It focuses on using statistical analysis of system variables like packet types, delay, drop rate, and buffer overflow to identify threat types like blackholes, wormholes, and flooding.
AN IMPLEMENTATION OF INTRUSION DETECTION SYSTEM USING GENETIC ALGORITHM - IJNSA Journal
Nowadays it is very important to maintain a high level of security to ensure safe and trusted communication of information between various organizations. But secured data communication over the Internet and any other network is always under threat of intrusions and misuse. So Intrusion Detection Systems have become a necessary component of computer and network security. There are various approaches being utilized in intrusion detection, but unfortunately none of the systems so far is completely flawless. So, the quest for betterment continues. In this progression, here we present an Intrusion Detection System (IDS), applying a genetic algorithm (GA) to efficiently detect various types of network intrusions. Parameters and evolution processes for the GA are discussed in detail and implemented. This approach applies evolution theory to information evolution in order to filter the traffic data and thus reduce the complexity. To implement and measure the performance of our system we used the KDD99 benchmark dataset and obtained a reasonable detection rate.
An Extensive Survey of Intrusion Detection Systems - IRJET Journal
This document summarizes an extensive survey of intrusion detection systems. It discusses the general architecture of IDS, including host-based and network-based systems. It describes different types of attacks (e.g. DoS, probing, user-to-root) and defenses. It analyzes previous work applying data mining techniques like machine learning to improve detection rates and reduce false alarms. A key problem is the massive number of false alarms that overburden security managers; the document aims to investigate solutions to lower the false alarm rate so that real threats are not missed.
INTRUSION DETECTION SYSTEM USING CUSTOMIZED RULES FOR SNORT - IJMIT JOURNAL
This document proposes an intrusion detection system using customized rules for the Snort tool to improve security. The system uses Wireshark to scan network traffic for anomalies, Snort to detect attacks using customized rulesets for faster response times, and Wazuh and Splunk to analyze log files. Rules are created using the Snorpy tool and added to Snort to monitor for specific attacks like ICMP ping impersonation and authentication attempts. When attacks are attempted, the system successfully detects them and logs the alerts. The integration of these tools provides low-cost intrusion detection capabilities with automated threat identification and faster response compared to existing Snort configurations.
A Modular Approach To Intrusion Detection in Homogenous Wireless Network - IOSR Journals
This document discusses a modular approach to intrusion detection in homogeneous wireless networks. It begins by introducing wireless networks and the need for intrusion detection systems (IDS) due to security vulnerabilities. It then discusses different types of IDS, including signature-based detection that identifies known attacks, and anomaly-based detection that identifies deviations from normal behavior but can result in high false positives. The document proposes a modular approach combining advantages of signature-based and anomaly-based detection for high detection rates and low false positives. Requirements for IDS in wireless networks are also outlined.
Secure intrusion detection and countermeasure selection in virtual system usi... - eSAT Publishing House
Strengthening security by combining analytics capabilities over logs and network packets, in addition to advanced malware detection capabilities,
Intrusion Detection System using AI and Machine Learning Algorithm - IRJET Journal
This document discusses using artificial intelligence and machine learning algorithms to develop an intrusion detection system (IDS). It begins with an abstract that outlines using AI to act as a virtual analyst to concurrently monitor network traffic and defend against threats. It then provides background on IDS and the need for more effective automated threat detection. The document discusses classifying attacks, different types of IDS (host-based and network-based), and detection methods like signature-based and anomaly-based. It aims to develop an IDS using machine learning algorithms that can learn patterns to provide automatic intrusion detection without extensive manual maintenance.
A Comprehensive Review On Intrusion Detection System And Techniques - Kelly Taylor
This document discusses machine learning techniques for intrusion detection systems (IDS). It provides an overview of the research progress using machine learning to improve intrusion detection in networks. Machine learning and data mining techniques have been widely used to automatically detect network traffic anomalies. The goal is to summarize and compare research contributions of IDS using machine learning, define existing challenges, and discuss anticipated solutions. Commonly used machine learning techniques for IDS are reviewed along with some existing machine learning-based IDS proposed by researchers.
Passive monitoring to build Situational Awareness - David Sweigert
Passive network monitoring techniques can provide valuable situational awareness for network security professionals. The document describes techniques for passively discovering information about nodes on a network, including operating systems, roles, services, and configurations. This contextual information helps analysts by reducing false positives and focusing resources. The passive approach does not disrupt networks and can operate continuously, in contrast to active scanning tools. A network monitoring prototype is being developed to test these passive discovery techniques.
IRJET- Local Security Enhancement and Intrusion Prevention in Android Dev... - IRJET Journal
This document proposes a local security enhancement and intrusion prevention system for Android devices. It summarizes existing host-based intrusion detection systems and behavior-based intrusion prevention systems for Android smartphones. The proposed system uses net flow based clustering to identify anomalies and correlates with host-based features to detect malware intrusions. The goal is to provide versatile security for Android smartphones by detecting a wide range of attacks, including denial of service attacks and probing. The system aims to detect new attacks as well.
A Study On Recent Trends And Developments In Intrusion Detection System - Lindsey Sais
This document discusses recent trends and developments in intrusion detection systems. It covers several topics:
- Artificial intelligence and machine learning techniques like neural networks, genetic algorithms, and fuzzy logic can be applied to intrusion detection to identify patterns and anomalies.
- There are different types of intrusion detection systems, including network-based, host-based, and wireless intrusion detection. Signature-based and anomaly-based detection are also discussed.
- Popular open source intrusion detection tools like Snort are discussed as alternatives to commercial intrusion prevention systems for some organizations.
- Intrusion prevention systems not only detect intrusions but can also automatically block attacks in real-time.
Systematic Review Automation in Cyber Security - YogeshIJTSRD
Many aspects of cyber security are carried out by automation systems and service applications. The initial steps of the cyber chain mainly focus on different automation tools with almost the same task objective. Automation operations are carried out only after a detailed study, in the pre-engagement phase, of the particular task the tool is going to perform and of the dataset handling of the tool's produced output. The algorithm is going to be made use of after comparing the existing tools' efficiency, the throughput time, the output format for reusable input and, mainly, the resource consumption. In this paper we are going to study the existing methodology in application and system pen testing, automation tools' efficiency over growing technology and their behaviour study on unintended platform assignment.
Nitin | Dr. Lakshmi J. V. N "Systematic Review: Automation in Cyber Security" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-4, June 2021, URL: https://www.ijtsrd.com/papers/ijtsrd41315.pdf
Paper URL: https://www.ijtsrd.com/computer-science/computer-security/41315/systematic-review-automation-in-cyber-security/nitin
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR... - IJCNCJournal
After tightening up the network perimeter for dealing with external threats, organizations have woken up to the threats from inside Local Area Networks (LAN) over the past several years. It is thus important to design and implement LAN security strategies in order to secure assets on the LAN by filtering traffic and thereby protecting them from malicious access and insider attacks. The Banking, Financial Services and Insurance (BFSI) industry is one such segment that faces increased risks and security challenges. The typical architecture of this segment includes several thousand users connecting from various branches over Wide Area Network (WAN) links crossing national and international boundaries with varying network speed to access data center resources. The objective of this work is to deploy a LAN security solution to protect the data center located at headquarters from the end user machines. A LAN security solution should ideally provide Network Access Control (NAC) along with cleaning (securing) the traffic going through it. Traffic cleaning itself includes various features like firewall, intrusion detection/prevention, traffic anomaly detection, validation of asset ownership, etc. LANenforcer (LE) is a device deployed in front of the data center such that the traffic from end-user machines necessarily passes through it so that it can enforce security. The goal of this system is to enhance the security features of a LANenforcer security system with an Intrusion Prevention System (IPS) to enable it to detect and prevent malicious network activities. The IPS is plugged into the packet path based on the configuration in such a way that the entire traffic passes through the IPS on the LE.
Network forensics is a scientifically proven technique to accumulate, perceive, identify, examine, associate, analyse and document digital evidence from multiple systems for the purpose of uncovering the facts of attacks and other problem incidents, as well as performing the actions needed to recover from the attack. Many systems have been proposed for designing network forensic systems. In this paper we have prepared a comparative analysis of various models based on different techniques.
MACHINE LEARNING AND DEEP LEARNING MODEL-BASED DETECTION OF IOT BOTNET ATTACKS. - IRJET Journal
This document discusses machine learning and deep learning models for detecting IoT botnet attacks. It begins with an abstract that outlines the challenges of securing the growing number of IoT devices and describes how machine learning and deep learning techniques like LSTM RNN can be used to develop effective detection systems. The introduction provides background on botnets, distributed denial of service attacks, and the need for detection systems. The literature review then summarizes several previous works that used techniques such as Bayesian classifiers, random neural networks, decision trees, and other machine learning algorithms for attack detection. The methodology section outlines the general approach of anomaly-based intrusion detection systems and different learning methods. The experimental setup describes collecting and preprocessing data, feature extraction, model training and evaluation
Team research paper and project on network vulnerabilities with multiple attacks and defenses:
Cybersecurity
- For this project, our class was paired with teams to attempt to find vulnerabilities in other teams' networks and to successfully breach their network.
- My role in this group was to help breach other team vulnerabilities through different attacks like responder attacks, honeypots, etc.
- The main challenges of this project were trying to find the vulnerabilities successfully, as the whole team had troubles with each of our different attacks and defenses.
- We learned how to use cybersecurity tools to help find vulnerabilities in networks and how to protect against them better. For example, in the honeypot we used, we deployed it to port 80; when the attacker tried to access our fake server we were notified. We also deployed a Palo Alto firewall to create our private and secure network. For an attack, we also used password crackers like John the Ripper. This project taught us how to breach networks as a team.
Network security involves implementing multiple layers of defenses to protect a network from threats. It includes technologies like firewalls, antivirus software, and intrusion detection systems to manage access and detect malware and exploits. As networks increasingly face hacking threats, strong network security tools are essential for organizations to protect their systems, data, and reputation. Network security strategies aim to authorize only legitimate users while blocking malicious actors from harming the network.
Tools and Mechanisms for Network Security in an Organization.
Physical Security, Administrative Security and Technical Security measures have been described.
Security Testing Tools are Nessus, THC Hydra, Kismet, Nikto, WireShark and NMAP.
IntroSpect User and Entity Behavior Analytics (UEBA) uses AI-based machine learning to spot changes in user behavior that often indicate inside attacks that have evaded perimeter defenses. Security teams are armed with insights into malicious, compromised or negligent users, systems and devices – cutting off the threat before it does damage.
Detect Network Threat Using SNORT Intrusion Detection System - IRJET Journal
This document discusses using the Snort intrusion detection system to detect network threats. It begins with an abstract that introduces Snort and the shift from intrusion detection to prevention. The document then covers Snort components, configuration, implementation and testing on a network. Snort rules were created and tested to detect ICMP ping requests from an attacking machine. Network traffic was analyzed using Snort logs and Wireshark to identify the attacking packets. The conclusion is that Snort is an effective lightweight intrusion detection system that can detect network threats using its built-in and customized rules.
International Journal of Network Security & Its Applications (IJNSA) Vol. 10, No.2, March 2018
DOI: 10.5121/ijnsa.2018.10201
UNCONSTRAINED ENDPOINT SECURITY SYSTEM: UEPTSS
Fatema Bannat Wala (1,2) and Chase Cotton (1)
(1) Department of Electrical & Computer Engineering, University of Delaware, Newark
(2) University of Delaware, Newark, USA
ABSTRACT
Modern information security management best practices dictate that an enterprise assumes full
configuration control of end user computer systems (laptops, deskside computers, etc.). The benefit of this
explicit control yields lower support costs since there is less variation in machines, operating systems,
and applications to provide support on, but more importantly today, dictating specifically what software,
hardware, and security configurations exist on an end user's machine can help reduce the occurrence of
infection by malicious software significantly. If the data pertaining to end user systems is organized and
catalogued as part of normal information security logging activities, an extended picture of what the end
system actually is may be available to the investigator at a moment's notice to enhance incident response
and mitigation. The purpose of this research is to provide a way of cataloguing this data by using and
augmenting existing tools and open source software deployed in an enterprise network.
KEYWORDS
Endpoint security, device fingerprinting, scanning, inventory, BRO IDS, exploit.
1. INTRODUCTION
Some organizations cannot control some or all of their end user computer systems. Example
organizations include universities, shared offices and start-up spaces, sites offering public
Internet access (e.g. restaurants), and conferences. It is still assumed that the enterprise is
responsible for the protection of infrastructure (servers, routers, switches, security devices, etc.)
as well as end user computers used by staff performing critical business functions (e.g. human
resources, financial records, personal information, etc.).
As such, the enterprise will be running modern external perimeter and internal protections
strategies. Part of this security infrastructure will include the collection, logging, and analysis of
sensor data inside and on the perimeter of the enterprise network.
Parts of this data will contain important information about end user systems in the enterprise
including the systems not managed by the central organization. We call these unmanaged end
user systems "unconstrained" systems. Part of the job of incident response in this enterprise will
be to detect, triage, and investigate anomalous security events seen in the enterprise. In many
cases these events will likely involve unconstrained systems.
The Unconstrained Endpoint Security System (UEPtSS) is a software system to fingerprint
‘Unconstrained’ end user computer systems/devices connected to the enterprise network, and is
especially useful for organizations with a bring your own device (BYOD) policy [1]. The
reason it is important to fingerprint as much data as possible for an unmanaged device is that it
gives the organization a complete picture of what kinds of devices are being used on the
enterprise network and what services are running on those devices. Having this information about
the devices also helps in malware incident response, as one of the most vulnerable security
controls in an enterprise network which supports a BYOD policy is the potentially untrusted
software running on the end user’s device, since the enterprise has the least control over patching
and keeping that software up to date so as to mitigate the risk of exploitation of latent
vulnerabilities. A successful exploitation of one of these devices can help the attacker pivot into
the network and use a chain of exploits against the crucial enterprise controlled and managed
systems, as it is usual for the enterprise to ‘trust’ the internal network and the devices connecting
to it, often with additional firewall leniency provided to those systems as well. Hence, a
vulnerable endpoint could potentially be low hanging fruit for the attacker to get a foothold inside
the enterprise network and to pivot towards the crown jewels of the enterprise. Hence, it’s
critical to keep track of all devices that connect to the enterprise network.
There are two commonly known solutions available to fingerprint these unconstrained endpoints
that join the network:
Active Scanning: As the name suggests, the active scanning technique is the method of scanning
the devices currently connected on a network segment by actively sending different packets to the
IPs in the given range and then analysing the responses to make a best guess of what the endpoint
device could be and what kind of services it could potentially be running. This method is very
common, especially in determining the operating systems of the various devices connected to the
network. There are numerous open source tools such as Nmap [2], Nessus [3], etc. that provide the
feature of active scanning of a subset of the network segments.
● Pros: Active scanning can be accurate when using custom scripts to determine the software
or service running on a device, but these capabilities might only be available for
commercial scanning products.
● Cons: The main drawback of the active scanning is that the device must be active on the
network, i.e. connected to the network when scanning is performed, which is very difficult
in case of unconstrained devices, as they join and leave the network on random times. Thus
to fingerprint the endpoints, the scanning must be run frequently (or even continuously) to
catch all the devices that join and leave the network. And that on-going scanning can act as
an unintentional DOS attack[4] on the network users, yielding a major drawback associated
with this type of continuous active scanning.
Passive Scanning: On the other hand, the method opposite to active scanning is passive
scanning. In this technique, normal traffic generated by devices on the network is collected and
analysed. Inspection of this traffic allows one to make a best guess of what kinds of systems and
services are connected to the network.
This technique is very commonly used by the IDS (Intrusion Detection Systems) [5] typically
found running on the perimeter of the network. There are various open source tools that can be
leveraged to fingerprint the endpoints by sniffing the traffic, like BRO IDS[6], Snort IDS[7],
Suricata[8], etc.
● Pros: One of the main advantages of passive scanning is that it is plug and play, i.e. no
knowledge of when and where the devices will be connecting to the network is required,
since as soon as any device connects to the network, it will start generating network
traffic to communicate on and use the network, which can then be sniffed to determine the
presence of the device. Unlike active scanning, it is non-intrusive, i.e. there is no threat
of DOSing any legitimate user or service on the network.
● Cons: Since it is dependent on observed traffic patterns, all the cons that come with
relying on (known) signatures apply to passive scanning as well. A potential
attacking end user device can easily modify its traffic pattern to fool the passive scanning
fingerprinting.
We will be focusing on the passive scanning technique to build an inventory of the unconstrained
endpoint systems connecting, or ever connected, to the enterprise network, detecting, among other
things, the following information pertaining to the devices:
● Machine type (PC, Mac, smartphone, access point, printers, odd stuff, etc.)
● Operating system and version (Windows 7, OS X, etc.)
● Browsers in use (User Agent strings)
● Open ports (services)
● Applications and versions
● Dangerous behaviour history (prior loads of known malware)
● Different Plugins (Flash, OpenSSH)
What information is required for the fingerprinting and how to analyse this information to
fingerprint the device will be discussed in the next sections.
2. RELATED WORK
Various research has been done in an effort to draw attention to how crucial it is to have
knowledge of one’s network, especially in terms of the endpoints and IoT devices present on the
network, and to find an efficient way to detect those endpoints running in the environment. Rugg
and DeLeeuw in “Increasing Security by Focusing on Endpoints” [9] point out that one of the most
vulnerable targets that an attacker can leverage is the internal endpoints of a network, and that
securing them is one of the key challenges faced by educational organizations, especially in
those environments where the organization doesn’t have full control of all the endpoints
connecting to the network. This research, however, is more focused on system hardening and
securing the individual endpoints, by various methods such as encrypting the laptops, deploying
centrally managed anti-virus software, and making sure that the systems are in compliance with
their PCI policy, etc. Our research addresses a more realistic approach of cataloguing endpoints,
by passively collecting all the relevant logs that can help identify endpoints in the network for use
in the follow-up incident handling after an attack has been identified, when that kind of
information is required the most, rather than by the almost impossible task of managing or
hardening them individually in an uncontrolled environment.
Yang et al. [10] focus on secure authentication and data communication between IoT devices
by using an RFID-enabled solution aimed at protecting endpoints in the IoT supply chain. The
research mainly focuses on how authentication can be secured in IoT supply chain management
by focusing on the part of the application that can connect and talk to the network. The majority
of the work is focused on mitigating the risk in a limited set of use cases, which is more
applicable in an environment or organizations that share similar use cases and have resources to
implement effective mitigation steps. A more generic approach introduced by Tokuyoshi [11],
helps users understand what the implications are for BYOD policy supporting organizations and
describes the security challenges of monitoring, vetting, and auditing these BYOD devices, and
further highlights the measures for securing the network from un-managed BYOD devices. The
work focuses on important points like enforcing application policy, device policy, and protecting
data on the device that can help mitigate the risk. But again, the authors conclude that these are
very limited measures, and securing the network in the first place and providing means to connect
securely to it are required next generation security measures for BYOD devices. The research
described in our paper closely relates to and extends the ideas suggested by Tokuyoshi, by
providing means of collecting and cataloguing the information available to the security analysts to
take a deeper look at the un-managed devices and to be able to take actions accordingly.
3. BUILDING THE UEPTSS
When working on this research, we primarily focused on the BRO IDS system to gather the majority
of the information required to build an inventory for UEPtSS. The reason behind utilizing BRO IDS
is that it is open source and free software that can be easily deployed and installed for a proof of
concept (POC) experiment. Also, it comes with built-in scripts deployed with the software to
detect various software and services running on the systems. It also has strong scripting [12] and
logging [13] frameworks which support the writing of custom scripts to determine various
patterns in the traffic and to generate user friendly logs. More information on BRO IDS can be
found at their site [14].
Other than BRO IDS, there are other various passive scanning tools that can be used for gathering
information for fingerprinting devices, such as Snort, Suricata, etc. Apart from open source and
free tools, if the enterprise already has commercial IDS/IPS systems deployed for network
security monitoring and control, then the logs from those security systems can also be potentially
used to determine the software and services running on enterprise endpoints, such as the logs
from a network based firewall, or web application firewall, or logs from the endpoint
management system.
From a convenience and implementation perspective, BRO was chosen to do the POC of this
research, as it is a free and open source project, and hence can be used with minimum deployment
cost in the enterprise.
3.1. LEVERAGE BRO IDS SCRIPTING FRAMEWORK
As mentioned earlier, the BRO IDS has a strong scripting framework. Leveraging it for detecting
various software and operating system versions can be highly useful. BRO comes with some
built-in scripts that detect various kinds of software by analysing traffic patterns, which are
enabled by default in the nominal configuration. Apart from these default scripts, we have written
some custom scripts to detect the Mac operating system, and OSX for iPhone. There are a few
scripts available in a custom written package (called the Scan-NG package) that we have used
to determine open ports on hosts. Details on which scripts have been used for fingerprinting are
shown in Table 1.
3.2. LEVERAGE BRO IDS LOGGING FRAMEWORK
There are various logs that get generated whenever BRO detects a particular network
traffic pattern, and the information related to the pattern is written to ASCII log files. When
additional or custom scripts of interest are loaded or enabled in the BRO IDS system, they
also generate logs for the corresponding detections and write them to various log files. Hence, it
is important to know which log files to look at while gathering information for UEPtSS, as the
scripts themselves will do no good if they are not writing the correct information to the
corresponding log files. Details on which log files to analyse for fingerprinting are shown in Table 1.
Table 1. BRO IDS Scripts and Logs

Scripts to load                                | Logs generated in file   | Information logged
Windows-version-detection.bro [15] (built-in)  | software.log             | Operating system and version
Mac-version-detection.bro [16] (custom)        | software.log             | Operating system and version
iPhone-detection.bro [17] (custom)             | software.log             | Operating system and version
Host-profiling.bro [18] (Scan-NG package)      | site_host_open_ports.log | Open ports on a host
Software-browser-plugins.bro [19] (built-in)   | software.log             | Different browsers and plugins
Known-services.bro [20] (built-in)             | known_services.log       | Known services
Software.bro [21] (built-in)                   | software.log             | Various servers/applications and versions
4. AN INVENTORY OF UNCONSTRAINED ENDPOINTS
Once the above mentioned scripts are loaded and running in the BRO IDS, and the sensors are
placed at a point in the network site where they can observe the majority of the overall traffic, or
even the complete traffic of the enterprise, then the logs will start getting generated and useful
information can be extracted from the log files to build an inventory of endpoints and their
characteristics. Furthermore, it is important to note that the key (as in a database index) used in
the log files to identify a given software or service corresponding to a device is the device’s
IP address. And as we know that an IP address can be reused and mapped to many devices during
a period of time on most enterprise networks implementing dynamic addressing (e.g. DHCP), it is
important to know the MAC address of the device that was using that particular IP at the
time of fingerprinting in order to actually pinpoint the device that was running the software or
service at a given point in time. Hence, to get the information regarding the MAC address, the best
place to look is the enterprise DHCP logs. We have used the logs from the DHCP servers to
map the MAC addresses to the corresponding IP addresses while fingerprinting the network.
Also, to corroborate the OS version detected by the scripts, we have used the freely available
MAC OUI vendor listing from the IEEE Standards public listing (MA-L) on their website [22] to
determine the machine type (manufacturer) of the system, i.e. Apple, Dell, etc.
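One way to carry out the IP-to-MAC and MAC-to-vendor correlation just described, as an added example that is not the paper's code: it assumes Bro 2.5-style ASCII software.log and dhcp.log with their default #fields headers (Bro's own dhcp.log stands in here for the enterprise DHCP server logs the paper used), and every log line and OUI entry below is a constructed sample. The point it demonstrates is the one the paragraph makes: the same IP is re-leased to a second device an hour later, so each software observation is attributed to whichever MAC held the lease at the observation timestamp, and hosts with no lease on record are kept under an IP-only key so the ambiguity stays visible.

```python
"""Build an unconstrained-endpoint inventory from Bro ASCII logs.

Added example, not the paper's code. Assumes Bro 2.5-style software.log
and dhcp.log with their default #fields headers; the paper used the
enterprise DHCP servers' own logs, for which Bro's dhcp.log stands in here.
All log lines and the OUI table are constructed samples.
"""
from collections import defaultdict

# Constructed sample of software.log (tab-separated, '-' = unset field).
SOFTWARE_LOG = "\n".join([
    "#separator \\x09",
    "\t".join(["#fields", "ts", "host", "host_p", "software_type", "name",
               "version.major", "version.minor", "version.minor2",
               "version.minor3", "version.addl", "unparsed_version"]),
    "\t".join(["1520001000.000000", "10.0.0.5", "22", "SSH::SERVER", "OpenSSH",
               "7", "4", "-", "-", "p1", "OpenSSH_7.4p1"]),
    "\t".join(["1520004000.000000", "10.0.0.5", "-", "HTTP::BROWSER", "Firefox",
               "58", "0", "-", "-", "-", "Firefox/58.0"]),
    "\t".join(["1520004100.000000", "10.0.0.9", "443", "HTTP::SERVER", "nginx",
               "1", "12", "2", "-", "-", "nginx/1.12.2"]),
    "#close\t2018-03-02-00-00-00",
])

# Constructed sample of dhcp.log: 10.0.0.5 is leased to one device and
# re-leased to a different device one hour later (IP reuse under DHCP).
DHCP_LOG = "\n".join([
    "#separator \\x09",
    "\t".join(["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
               "id.resp_p", "mac", "assigned_ip", "lease_time", "trans_id"]),
    "\t".join(["1520000000.000000", "Cabc1", "0.0.0.0", "68", "10.0.0.1", "67",
               "02:1a:2b:00:00:01", "10.0.0.5", "3600.000000", "1"]),
    "\t".join(["1520003600.000000", "Cabc2", "0.0.0.0", "68", "10.0.0.1", "67",
               "02:3c:4d:00:00:02", "10.0.0.5", "3600.000000", "2"]),
])

# Constructed OUI excerpt (locally administered prefixes, so no real vendor
# is implied); in practice load the IEEE MA-L listing [22] into this dict.
OUI_TABLE = {"02:1A:2B": "Vendor-A (constructed)",
             "02:3C:4D": "Vendor-B (constructed)"}


def parse_bro_log(text):
    """Turn a Bro ASCII log into a list of dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and blank lines
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def build_lease_table(dhcp_rows):
    """ip -> list of (start, end, mac) lease windows, oldest first."""
    leases = defaultdict(list)
    for r in dhcp_rows:
        start = float(r["ts"])
        leases[r["assigned_ip"]].append((start, start + float(r["lease_time"]), r["mac"]))
    for windows in leases.values():
        windows.sort()
    return leases


def mac_for(leases, ip, ts):
    """MAC holding `ip` at instant `ts`, or None if no lease covers it."""
    for start, end, mac in reversed(leases.get(ip, [])):
        if start <= ts < end:
            return mac
    return None


def vendor_for(mac, oui_table):
    """Manufacturer from the first three octets (the OUI) of a MAC address."""
    if mac is None:
        return "unknown"
    return oui_table.get(mac.upper()[:8], "unknown")


def build_inventory(software_text, dhcp_text, oui_table):
    """Join each software observation to the device that held its IP at that time.

    Devices are keyed by MAC when a lease is known, else by 'ip:<addr>',
    because an IP on its own is ambiguous over time on a DHCP network.
    """
    leases = build_lease_table(parse_bro_log(dhcp_text))
    inventory = {}
    for r in parse_bro_log(software_text):
        ip, ts = r["host"], float(r["ts"])
        mac = mac_for(leases, ip, ts)
        key = mac if mac else "ip:" + ip
        rec = inventory.setdefault(key, {"ip": ip, "mac": mac,
                                         "vendor": vendor_for(mac, oui_table),
                                         "software": set()})
        rec["software"].add((r["software_type"], r["unparsed_version"]))
    for rec in inventory.values():
        rec["software"] = sorted(rec["software"])
    return inventory


if __name__ == "__main__":
    for key, rec in build_inventory(SOFTWARE_LOG, DHCP_LOG, OUI_TABLE).items():
        print(key, rec["vendor"], rec["software"])
```

The lease window is half-open (`start <= ts < end`), so an observation stamped exactly at a re-lease boundary is attributed to the new holder; a real deployment would also want renewals and releases from the DHCP server logs, which the constructed sample omits.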
A discussion of the information gathered from the various log files to build the inventory follows.
4.1. GATHERING INFORMATION REGARDING OS AND VERSION
When the Operating System detection scripts are loaded, they start generating the logs in the
software.log file corresponding to the network traffic patterns seen by the device. This
information is useful, as most exploits are targeted towards very specific OS type and do not
unlock themselves when the underlying OS detected is not same as the target OS for the
vulnerability exploitation. Figure 1 is a screenshot showing some of the OS detected by the script.
Note the extraction command line at the top of this and other figures (1-5). Note also the left
column in these figures is the time of the observation in Linux epoch time [23].
Figure 1. Operating System Detection
4.2. GATHERING INFORMATION REGARDING BROWSERS IN USE
There are many vulnerabilities found in different browsers. Hence, if the browsers that the device
was using during the incident response are known, the scope of the infection or potential exploit
can be further narrowed down, specifically in the case of browser specific vulnerabilities. Figure
2 is a screenshot showing some of the browsers detected by the scripts.
Figure 2. Browser Detection
4.3. GATHERING INFORMATION REGARDING APPLICATIONS AND VERSIONS
It is also very crucial to know whether the endpoint is running the most up to date and supported
versions of applications. This information can then be used for policy enforcement by the
enterprise security and policy compliance teams to make sure that minimal unsupported versions
of any software or application are running on the enterprise network. This use-case of policy
enforcement will be discussed in more detail in the Usefulness section. Figure 3 is a screenshot
showing some of the applications detected running on the endpoints.
Figure 3. Software Version Detection
4.4. GATHERING INFORMATION REGARDING DIFFERENT BROWSER PLUGINS
Sometimes when the user has installed various supporting browser plugins on their browsers, this
information gets advertised whenever the user connects to the network using the browser. Hence,
that information can be sniffed to determine which browser plugins are available or in use by
the endpoint. Many times vulnerabilities are present in various plugins that could potentially
be exploited and cause harm to the enterprise network; hence this information, together with
other fingerprinting information, can be used during an incident triage. Figure 4 is a screenshot
showing some of the plugin information detected on the endpoints.
Figure 4. Browser Plug-in Detection
4.5. GATHERING INFORMATION REGARDING OPEN PORTS (KNOWN SERVICES)
One of the most important pieces of information regarding an endpoint is the network ports it has
open or the services it is running. This information helps in enumerating the types of services
available on the network and all the systems or servers that are advertising that service as
available. Also, it is not typically common for user end systems to be running any kind of
services like SSH, HTTP, or DNS. Hence this information could be useful to assess what services
are open on the systems on a given subset of the network, and whether these systems should be
running those services open to the internet or not under the enterprise security or acceptable
usage policy. Again, this use case will be discussed in more detail in the Usefulness section
later. Figure 5 is a screenshot that provides a view of the services running on some of the
systems.
Figure 5. Service Discovery
4.6. PUTTING EVERYTHING TOGETHER
When the above mentioned component information is recorded in the log files, together with the
machine manufacturer information and DHCP logs, a more complete picture can be realized of
the endpoints connecting to the network. Any log aggregation tool can be used to glue all the
information together, with the IP address being the primary key in each type of log file, to get an
inventory of unconstrained endpoints on the network. Figure 6 shows a screenshot of what an
inventory of systems would look like.
Figure 6. Endpoint Aggregate Fingerprint
5. USEFULNESS OF UEPTSS
There are three main use-cases where the inventory of unconstrained endpoints is very useful.
They are as follows:
5.1. POLICY ENFORCEMENT
As mentioned before, the inventory can be used to determine which applications and their versions
are detected on the enterprise network. This information can be used by the Security and
Compliance team of the enterprise to enforce any particular policy and to make sure that no
unsupported software or application is running on the network. For example, from the
inventory, a list of the systems running old OpenSSH [24] can be easily determined by searching
for the ‘SSH::SERVER’ keyword, and a notice can be sent to the owners of those devices to
update the software and comply with the policies of the enterprise. Another example could be
searching for OpenSSL [25] versions in the software.log file to get a list of the endpoints
running old versions of the OpenSSL library. Also, if the enterprise has any particular policy for
users to be running specific Operating Systems, then policy enforcement can also be used to
ensure that the systems are running the operating system recommended by the enterprise.
5.2. ENUMERATING SERVERS/SERVICES
Another big advantage of having an inventory of systems running various services is that whenever
somebody wants to know how many servers on the network are running any particular service,
this can be quickly found out by searching the inventory for that particular service. For example,
the security analysts may want to know how many DNS servers or how many HTTP servers are
running on the network, for enumeration purposes, or to restrict the users from running well
known services on their locally managed devices. This will be quick and easy as compared to
doing an active scan of the network for that service (like port 53 for DNS or port 80 for HTTP),
which could take hours of scanning and could potentially DOS, or overload, the network. This
use-case helps answer questions like: what all servers are providing xyz service on the network, or
what all systems have port xx open to the internet (where xyz and xx can be replaced by any
service protocol or port).
5.3. MALWARE INCIDENT RESPONSE
One of the main use-cases we were looking at when coming up with the idea of UEPtSS is that if the information pertaining to a particular system is saved as part of normal logging activity, then an extended picture of what the system is, and whether it can be affected by a given piece of malware, is available for a preliminary analysis during incident response. The majority of malware or exploits are targeted towards a particular OS version, exploiting a particular vulnerability. Hence, if the OS, and what all services and versions were being run on the system, is known at the time of malware incident response, it can quickly help in steering the investigation in the right direction. For example, one of the hyped ransomware infections, Petya [26], is particularly targeted towards infecting Windows systems, and Mac OS X systems are not affected by it. Hence just knowing what OS the system is running can help in diagnosing the malware infection.
Apart from these three use cases, the inventory can be used for looking up information regarding any endpoint for audit or any other purposes. Also, open port information can be used to audit the network firewall policies, to know whether ports are seen open on devices belonging to a particular subset of the network that is behind the firewall and shouldn’t have any communication going on those ports. Hence, having this information logged in an inventory would be very useful and help to investigate various network anomalies.
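The three inventory lookups described above (policy enforcement against the software inventory, service inventory by port for a firewall audit, and OS lookup during malware triage) as an added example written for this page, not the paper's UEPtSS code. It parses constructed samples of Bro's software.log and known_services.log that include only a subset of Bro's documented columns; the OS::WINDOWS software type is assumed to come from Bro's Windows version detection script [15].

```python
# Constructed samples of Bro's software.log and known_services.log (TSV with a
# "#fields" header); only a subset of Bro's documented columns is included.
SOFTWARE_LOG = """\
#fields\tts\thost\thost_p\tsoftware_type\tname\tversion.major\tversion.minor\tunparsed_version
1519000000.1\t10.0.0.5\t22\tSSH::SERVER\tOpenSSH\t5\t3\tOpenSSH_5.3
1519000001.2\t10.0.0.6\t22\tSSH::SERVER\tOpenSSH\t7\t6\tOpenSSH_7.6
1519000002.3\t10.0.0.7\t-\tOS::WINDOWS\tWindows\t7\t-\tWindows 7
1519000003.4\t10.0.0.5\t-\tHTTP::BROWSER\tFirefox\t58\t0\tFirefox/58.0
"""
KNOWN_SERVICES_LOG = """\
#fields\tts\thost\tport_num\tport_proto\tservice
1519000010.0\t10.0.0.5\t22\ttcp\tSSH
1519000011.0\t10.0.0.8\t53\tudp\tDNS
1519000012.0\t10.0.0.9\t53\tudp\tDNS
1519000013.0\t10.0.0.7\t80\ttcp\tHTTP
"""

def parse_bro_log(text):
    """Turn a Bro TSV log into a list of dicts keyed by the '#fields' names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def _version(row):
    """(major, minor) of a software.log row; Bro writes '-' for unset fields."""
    return tuple(int(row[k]) if row[k].isdigit() else 0
                 for k in ("version.major", "version.minor"))

def outdated_ssh_servers(rows, minimum=(7, 0)):
    """Policy enforcement: hosts advertising SSH::SERVER below the required version."""
    return sorted({r["host"] for r in rows
                   if r["software_type"] == "SSH::SERVER" and _version(r) < minimum})

def hosts_with_port(rows, port, proto):
    """Service inventory / firewall audit: hosts seen serving port/proto."""
    return sorted({r["host"] for r in rows
                   if r["port_num"] == port and r["port_proto"] == proto})

def os_of(rows, host):
    """Incident triage: the OS recorded for a host, or None if no OS::* entry."""
    for r in rows:
        if r["host"] == host and r["software_type"].startswith("OS::"):
            return r["unparsed_version"]
    return None
```

The same functions work unchanged on real software.log and known_services.log files read from disk, since Bro writes them in this TSV layout.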
6. CONCLUSIONS
There are many commercial software systems available that provide for fingerprinting the systems on an enterprise network. All of them require either an agent to be deployed on the client systems (endpoints) or are based on active scanning. These solutions are targeted towards a limited set of endpoints, and sometimes have their charging model based on the number of endpoints that the enterprise wants to fingerprint or keep track of. Hence they work fine when the number of endpoints in an organization is mostly constant or doesn’t change, unlike organizations such as universities, where students come and go: some graduate every semester and many arrive as newly admitted. Hence, in this kind of environment, where the number of end users and the types of endpoints keep changing drastically, it becomes harder to deploy any commercial solution to keep track of the software/applications running on almost all the devices that connect to and leave the network. That was the motivation towards starting UEPtSS, as students always come and go, bringing new devices to the University network. And more importantly, a diversity of students brings diverse types of applications local to the students’ native countries, which makes it even more important to keep track of what all applications are seen on the network, and whether they are kept up to date or not. Another challenge with any of the commercial solutions is the consent from the user to deploy any third party software on their devices. Sometimes the user is not willing to agree to put any third party software on their system, and hence an enterprise can get a lot of resistance in deploying any commercial solution globally in the network. And finally, the last factor to consider in a commercial solution versus the open source UEPtSS solution is cost, as some of the commercial solutions’ pricing is directly proportional to the number of endpoints, and it becomes very expensive both regarding the pricing and the amount of time and effort required to deploy and maintain these solutions.
REFERENCES
[1] R. Afreen, “Bring your own device (BYOD) in higher education: opportunities and challenges”, IJETTCS Publishing, 2014.
[2] Nmap. [Online]. Available: https://nmap.org/
[3] J. Beale, R. Deraison, H. Meer, R. Temmingh, C.V.D. Walt, Nessus network auditing, Syngress Publishing, 2004.
[4] H. Hasbullah, I. Ahmed Soomro, J. Ab Manan, “Denial of Service (DOS) Attack and Its Possible Solutions in VANET”, World Academy of Science, Engineering and Technology, IJECE Publishing, 2010.
[5] P. Garcia-Teodoro, J. Diaz-Verdejo, G. Macia-Fernandez, E. Vazquez, “Anomaly-based network intrusion detection: Techniques, systems and challenges”, Computers & Security, Elsevier, Vol. 28, Issues 1-2, Pages 18-28, 2009.
[6] V. Paxson, “Bro: A system for detecting network intruders in real-time”, Computer Networks, vol. 31, no. 23-24, pp. 2435-2463, 1999.
[7] Snort IDS. [Online]. Available: https://www.snort.org/
[8] H. Jiang, G. Zhang, G. Xie, K. Salamatian, and L. Mathy, “Scalable high-performance parallel design for network intrusion detection systems on many-core processors”, Proc. Ninth ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS '13), IEEE Press, 137-146, 2013.
[9] B. Rugg, B. DeLeeuw, “Increasing Security by Focusing on Endpoints”, SIGUCCS’17, ACM Annual Conference on SIGUCCS, Pages 145-148, 2017.
[10] K. Yang, D. Forte, M. Tehranipoor, “Protecting Endpoint Devices in IoT Supply Chain”, ICCAD’15, IEEE/ACM International Conference on Computer-Aided Design, Pages 351-356, 2015.
[11] B. Tokuyoshi, “The security implications of BYOD”, Network Security, Elsevier, Vol. 2013, Issue 4, Pages 12-13, 2013.
[12] BRO Scripting Framework. [Online]. Available: https://www.bro.org/sphinx/scripting/
[13] BRO Logging Framework. [Online]. Available: https://www.bro.org/sphinx-git/frameworks/logging.html
[14] BRO Documentation. [Online]. Available: https://www.bro.org/documentation/index.html
[15] Windows version detection. [Online]. Available: https://www.bro.org/sphinx/scripts/policy/frameworks/software/windows-version-detection.bro.html
[16] Mac version detection. [Online]. Available: https://github.com/fatemabw/bro-scripts/blob/master/Mac-version-detection.bro
[17] iPhone detection. [Online]. Available: https://github.com/fatemabw/bro-scripts/blob/master/iPhone-detection.bro
[18] Scan NG Package. [Online]. Available: https://github.com/initconf/scan-NG/tree/master/scripts
[19] Software Browser Plugins. [Online]. Available: https://www.bro.org/sphinx/scripts/policy/protocols/http/software-browser-plugins.bro.html
[20] Known Services. [Online]. Available: https://www.bro.org/sphinx/scripts/policy/protocols/conn/known-services.bro.html
[21] Software detection. [Online]. Available: https://www.bro.org/sphinx/scripts/base/frameworks/software/main.bro.html
[22] IEEE MA-L listing. [Online]. Available: https://regauth.standards.ieee.org/standards-ra-web/pub/view.html#registries
[23] N. Matthew, R. Stones, “The Linux Environment”, Beginning Linux Programming, Wiley, Indianapolis, Indiana, US, p. 148, 2008.
[24] M. Stahnke, Pro OpenSSH, Apress, 2006.
[25] J. Viega, M. Messier, P. Chandra, Network Security with OpenSSL: Cryptography for Secure Communications, O'Reilly, 2002.
[26] US-CERT, Alert (TA17-181A) Petya Ransomware, July 28, 2017. [Online]. Available: https://www.us-cert.gov/ncas/alerts/TA17-181A
AUTHORS
Ms. Fatema Bannat Wala (MS ECE, UD, 2015; BE Electronics & Instrumentation Engineering, DAVV University, 2012; CISSP) is a PhD candidate in the Department of Electrical and Computer Engineering at the University of Delaware researching cybersecurity issues. Ms. Bannat Wala, formerly a software engineer with Accenture, is currently a Security Engineer in UD’s Technical Security Group (TSG), where she is responsible for the University’s Intrusion Detection Systems and SIEMs. Ms. Bannat Wala speaks often at security industry forums, holds the CISSP, and is a GIAC Certified Intrusion Analyst (GCIA) and GIAC Certified Penetration Tester (GPEN).
Over the past 30 years, Dr. Chase Cotton (Ph.D. EE, UD, 1984; BS ME, UT Austin, 1975; CISSP) has held a variety of research, development and engineering roles, mostly in telecommunications. In both the corporate and academic worlds, he has been involved in computer, communications, and security research in roles including communication carrier executive, product manager, consultant, and educator for the technologies used in Internet and data services. Since 2008, Dr. Cotton has been at the University of Delaware in the Department of Electrical and Computer Engineering. His research interests include cybersecurity and high-availability software systems, with funding drawn from the NSF, ARL, CERDEC, JPMorgan Chase, and other industrial sponsors. He is currently involved in the ongoing development of a multi-faceted educational initiative at UD, where he is developing new security courses and degree programs including a minor, a graduate Master’s degree, and graduate Certificates in Cybersecurity. Dr. Cotton currently consults on communications and Internet architectures, software, and security issues for many carriers and equipment vendors worldwide.