Network Attack and
Intrusion Prevention System
Deris Stiawan, Ph.D
C|EH, C|HFI
Computer Network & Information Security (COMNETS) Research Group
Universitas Sriwijaya
2017
David, S. (2012). "The state of network security." Network Security 2012(2): 14-20.
Dlamini, M. T., J. H. P. Eloff, et al. (2009). "Information security: The moving target." Computers & Security 28(3–4): 189-198.
Hansman, S. and R. Hunt (2005). "A taxonomy of network and computer attacks." Computers & Security 24: 31-43.
Reported increasing numbers of types, methods and volume of attacks
There has been an explosion of security threats in recent years: Trojans, viruses, worms, adware, spyware and DoS continue to grow, multiply and evolve, heading toward a future of cyber war.
New methods and trends of attack, and the challenges posed by cyber attack, are described according to (CSI/FBI 2011), (CERT-IST, 2012), (Kenneth, 2010b), (Mansfield-Devine, 2011) and (David, 2012); (Kenneth, 2010a), (Amoroso, 2011), (Sommer, 2012) and (Chen et al., 2012).
Intrusion Prevention System
IPSs are considered an extension of IDSs: both examine network traffic searching for attacks, and both detect malicious or unwanted traffic, but an IPS is also able to eliminate the threatening traffic. (Patel A et al., 2010; Patel A et al., 2013)
Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents.
An IDS informs of a potential attack, whereas an IPS attempts to stop it. The IPS is designed and developed for more active protection, improving upon the IDS and the firewall.
IDPS functions and features: Detection, Prevention, Reaction, Response, Firewall features, Access control, Policy management, Alarm, Accuracy, Sensor, Reporting, Readiness, Early prevention, Prediction.
Abstracted from (Manikopoulos 2003), (Zou & Towsley 2005), (Stakhanova et al. 2007), (Debar et al. 2008), (Anuar et al. 2010), (Patel et al. 2010), (Mu et al. 2010), (K. Salah & Kahtani 2010), (Elshoush & Osman 2011), (Patel et al. 2013)
CSI/FBI (2010) : Satisfaction With Security Technology
Patel, A., Q. Qassim, et al. (2010). "A survey of intrusion detection and prevention systems." Information Management & Computer Security 18(4): 277-290.
Comparison IDS & IPS

Usefulness
  IDS: designed only to identify and examine traffic and produce an alarm.
  IPS: designed to enhance data-processing ability, intelligence and accuracy on its own.
Signatures
  IDS: simple pattern matching; stateful pattern matching; protocol decode-based analysis; heuristic-based analysis.
  IPS: recognise attack patterns; blocking action; stateful pattern matching; protocol decode-based analysis; heuristic-based analysis.
Action / Activity / Response
  IDS: a passive security solution; detects attacks only after they have entered the network and does nothing to stop them, it only sends an alert as a trigger.
  IPS: an active-response security solution; early detection and a proactive technique that prevents the attack early: when an attack is identified it blocks the offending data.
Sensor
  IDS: commonly collected in source sensors; multi-sensor architectures.
  IPS: able to integrate with other platforms; able to integrate with heterogeneous sensors.
The Problem & Issues of IDPS
- Reaction: active reaction vs passive reaction
- Detection: on-line / off-line; detection speed / accuracy; response; time of detection
- Sniffing packets: feature identification
- Testing / comparing: data sets (DARPA MIT, ISCX, ITD UTM); identify threat; simulation, live environment, live attack, pentest
- Other issues: high human interaction; resource consumption; traffic data
ITD UTM data set (www.pcrg-utm.org/dataset)
Attack pattern (sample): Scanning, Brute Force, DoS
Victim platforms: Windows Server 2003, FreeBSD, Linux Red Hat
Attackers: 10.10.10.15, 10.10.10.20
Victims: 10.10.10.5 (Red Hat), 10.10.10.10 (FreeBSD), 10.10.10.25 (Windows Server 2003)
Normal & Attack Traffic: normal or attack?
Normal access: Web 2.0 (video, blog, chat)
Penetration testing:
- Probe: scanning, network mapping
- U2R: rooting, escalating privilege
- R2L: malware, SQL injection, ARP man-in-the-middle attack
- DoS: ICMP flooding
The Research Questions
(1) How to capture and analyse the traffic and recognise threats in online traffic?
(2) How to extract features from the TCP/IP header of packets and decrease the dimensionality of the dataset by discarding any redundant or irrelevant features?
(3) What are the criteria to decide which features should be monitored (Niemelä, 2011; Davis and Clark, 2011)?
(4) Is it possible for the intrusion prevention system to react automatically to certain problems to try to contain or stop the damage (Niemi, 2012; Stakhanova, 2007)?
(1) Capture and analyse the traffic and recognise threats
(2) Feature extraction from raw data
(3) What are the relevant parameter features
(4) Identify and response mechanism
Pipeline: Sniffing module -> Sensor -> Analyzer -> Reporting -> Event -> Response (Allow / Deny; Log, Notification, Capturing)
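The four stages above (capture, feature extraction from the TCP/IP header, choosing the relevant parameters, and an allow/deny response) as an added worked example in Python. This is not code from the slides or from the author's RT-IPS: it parses constructed IPv4/TCP packets with struct, keeps the header fields the research questions name, drops constant and duplicate columns, and denies a source that sends more than an assumed threshold of bare SYNs to one host. The 10.10.10.x addresses reuse the ITD UTM testbed layout from the earlier slide; build_packet, select_features, decide and the SYN threshold are choices made here, not the author's.

```python
"""Added example, not code from the slides: extract header features from
raw IPv4/TCP packets, drop redundant features, and apply an allow/deny
decision. The packets are constructed here; the 10.10.10.x addresses reuse
the ITD UTM testbed layout from the slides (attacker .15, victim .25), and
the SYN threshold is an assumption chosen for this sample."""
import socket
import struct
from collections import Counter


def build_packet(src, dst, sport, dport, flags, ttl=64, payload=b""):
    """Construct a minimal IPv4 + TCP packet (checksums left at zero; this is
    test input for the parser, not something to put on the wire)."""
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + tcp_len, 0, 0, ttl, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def extract_features(pkt):
    """Pull the candidate parameters (RQ3) out of the IP and TCP headers."""
    (vihl, tos, tot_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    feats = {"src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
             "ip_version": vihl >> 4, "tos": tos, "ttl": ttl,
             "proto": proto, "pkt_len": tot_len}
    if proto == 6:
        sport, dport, _seq, _ack, _off, flags, win, _tcsum, _urg = struct.unpack(
            "!HHIIBBHHH", pkt[ihl:ihl + 20])
        feats.update({"src_port": sport, "dst_port": dport,
                      "tcp_flags": flags, "window": win})
    return feats


def select_features(rows):
    """RQ2: discard constant (zero-variance) features and features whose
    column is an exact duplicate of one already kept."""
    keep, seen = [], set()
    for name in rows[0]:
        column = tuple(r.get(name) for r in rows)
        if len(set(column)) <= 1 or column in seen:
            continue
        seen.add(column)
        keep.append(name)
    return keep


def decide(rows, syn_threshold=3):
    """RQ4, response mechanism: deny a source that sends more than
    syn_threshold bare SYNs to one destination (scan/flood heuristic),
    allow everything else. The threshold is an assumption for this sample."""
    syns = Counter()
    for r in rows:
        if r.get("proto") == 6 and r.get("tcp_flags") == 0x02:  # SYN only
            syns[(r["src_ip"], r["dst_ip"])] += 1
    return {pair: "deny" if n > syn_threshold else "allow"
            for pair, n in syns.items()}


# Constructed sample: a port scan from the attacker plus one normal handshake.
SCAN = [build_packet("10.10.10.15", "10.10.10.25", 40000 + i, port, 0x02)
        for i, port in enumerate((21, 22, 23, 80, 443))]
HANDSHAKE = [build_packet("10.10.10.10", "10.10.10.25", 51000, 80, 0x02),
             build_packet("10.10.10.25", "10.10.10.10", 80, 51000, 0x12),
             build_packet("10.10.10.10", "10.10.10.25", 51000, 80, 0x10)]
ROWS = [extract_features(p) for p in SCAN + HANDSHAKE]

if __name__ == "__main__":
    print("kept features:", select_features(ROWS))
    for pair, verdict in decide(ROWS).items():
        print(pair, "->", verdict)
```

On this sample the selection step keeps only src_ip, dst_ip, src_port, dst_port and tcp_flags: version, TTL, protocol, length, TOS and window never vary, so they carry no information for this data set. That is the point of RQ2 on a real capture too: whether a header field is worth monitoring depends on the traffic, not on the field, so the selection has to be re-run when the data set changes.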
Experimental Stages
• Training the data
• The methodology
• Avoiding unexpected results
• Testing (sequential / randomised) process, run continuously
  – Standard stages of observation
  – Summarise the results
Research: IPS
Existing methods:
- Static parameters for policy updates (Naveed et al., 2010; Nicoletti, 2009; Zhou et al., 2010).
- URL lookup & content filtering (Wuu et al., 2007), driven by category lists such as abortion, ads, adult, banking, blog, chat, drug, ecommerce, gambling, hacking, porn, warez, etc.: able to block based on URL & content filtering.
- IP access list: able to block threats based on IP / port.
- Threat detection based on src IP, dst IP, packet length and TCP flags: able to identify threats, but without any response method.
Limitations: the methods of payload attacks have changed, and modern attackers are able to change the information and content of packets. Those solutions were only able to identify traffic; they cannot detect or block threats occurring in real-time traffic.
(Sangkatsanee et al., 2011; Wattanapongsakorn et al., 2012)
Practical: IPS
Hardware / software based
- Box devices, or add-on / module devices for routers (hardware based)
- Applications running on an operating system (software based)
IPS features from firewall & IDS functions, with Unified Threat Management
- Able to stop attacks at L7 (Application), L4 (Transport), L3 (Network) and L2 (Data Link)
- Firewall function: stop / reject the malicious traffic
- IDS function: detection, monitoring and deep packet inspection
- One integrated management system
Engine for device knowledge
- Vendors have their own knowledge / method, or combine it with Snort signatures
Source: www.dtginc.net
Command Rules
Sophos Astaro: Security Gateway Appliances

Astaro Security Gateway 110/120
  Environment: small office / branch office
  Hardware specs: 3 x 10/100 Base-TX ports; integrated HD
  Performance: Firewall 100 Mbps; VPN 30 Mbps; IPS 55 Mbps

Astaro Security Gateway 220
  Environment: small to medium business
  Hardware specs: 8 x 10/100 Base-TX ports; integrated HD
  Performance: Firewall 260 Mbps; VPN 150 Mbps; IPS 110 Mbps

Astaro Security Gateway 320
  Environment: medium business
  Hardware specs: 4 x 10/100 Base-TX ports; 4 x Gigabit Base-TX ports; integrated HD
  Performance: Firewall 420 Mbps; VPN 200 Mbps; IPS 180 Mbps

Astaro Security Gateway 425
  Environment: medium business, enterprise division
  Hardware specs: 4 x Gigabit ports (PCI bus); 4 x Gigabit ports (PCI Express bus); hardware acceleration card; integrated HD
  Performance: Firewall 1,200 Mbps; VPN 265 Mbps; IPS 450 Mbps

Astaro Security Gateway 525/525F
  Environment: enterprise division
  Hardware specs: dual Intel Xeon CPU; 10 x Gigabit ports (PCI Express bus), 525: 10 x copper, 525F: 4 x copper / 6 x SFP; hardware acceleration card; 2 integrated HD (RAID1, hot-swappable); 2 redundant power supplies
  Performance: Firewall 3,000 Mbps; VPN 400 Mbps; IPS 750 Mbps

On every model the IPS figure is well below the firewall figure: deep packet inspection, not packet filtering, sets the throughput ceiling once IPS is enabled.
Screenshot Dashboard Sophos
Sample Log Astaro
2013:05:26-17:09:24 sophos ulogd[4673]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" srcmac="68:ef:bd:ab:13:7f" dstmac="e4:1f:13:69:44:14" srcip="115.239.210.27" dstip="202.9.69.90" proto="6" length="40" tos="0x00" prec="0x00" ttl="47" srcport="80" dstport="29238" tcpflags="ACK SYN"
Sample Rule Astaro (Snort rule format)
drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"D WEB-MISC Webtrends HTTP probe"; flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; classtype:web-application-activity; sid:1101;)
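The log line and the rule above, as an added Python example that is not the slides' code and not Sophos's or Snort's: parse_ulogd splits the key="value" fields of the ulogd entry, classify_drop reads what the dropped SYN/ACK means, and snort_content_to_bytes decodes the rule's |3A| and |0D 0A| escapes so that rule_action can test the content match against two HTTP requests constructed here. LOG_LINE reproduces the slide's entry; the function names and the two requests are assumptions of this example.

```python
"""Added example, not from the slides: parse the Astaro packet-filter log
line shown above and apply the sample rule's content match to an HTTP
request. LOG_LINE reproduces the slide's log entry; the HTTP requests are
constructed for this example."""
import re

LOG_LINE = ('2013:05:26-17:09:24 sophos ulogd[4673]: id="2001" severity="info" '
            'sys="SecureNet" sub="packetfilter" name="Packet dropped" '
            'action="drop" fwrule="60001" initf="br0" '
            'srcmac="68:ef:bd:ab:13:7f" dstmac="e4:1f:13:69:44:14" '
            'srcip="115.239.210.27" dstip="202.9.69.90" proto="6" length="40" '
            'tos="0x00" prec="0x00" ttl="47" srcport="80" dstport="29238" '
            'tcpflags="ACK SYN"')

KV_RE = re.compile(r'(\w+)="([^"]*)"')
INT_FIELDS = ("fwrule", "proto", "length", "ttl", "srcport", "dstport")


def parse_ulogd(line):
    """Split the 'timestamp host process:' prefix from the key="value" body."""
    prefix, _, body = line.partition(": ")
    fields = dict(KV_RE.findall(body))
    fields["timestamp"] = prefix.split()[0]
    for key in INT_FIELDS:
        if key in fields:
            fields[key] = int(fields[key])
    fields["tcpflags"] = set(fields.get("tcpflags", "").split())
    return fields


def classify_drop(f):
    """A dropped SYN/ACK from a server port to a high port means the firewall
    had no state for it: the reply to a SYN this site never sent (backscatter
    from a SYN flood spoofing our address, or a scanner's reply)."""
    if (f.get("action") == "drop" and f.get("proto") == 6
            and f["tcpflags"] == {"SYN", "ACK"}
            and f["srcport"] < 1024 <= f["dstport"]):
        return "unsolicited SYN/ACK"
    return "other"


HEX_RE = re.compile(r"\|([0-9A-Fa-f ]+)\|")


def snort_content_to_bytes(content):
    """Decode a Snort content string, turning |3A| style hex escapes into bytes."""
    out, pos = b"", 0
    for m in HEX_RE.finditer(content):
        out += content[pos:m.start()].encode("latin-1") + bytes.fromhex(m.group(1))
        pos = m.end()
    return out + content[pos:].encode("latin-1")


RULE_CONTENT = "User-Agent|3A| Webtrends Security Analyzer|0D 0A|"


def rule_action(payload, to_server=True):
    """Apply the sample rule: 'drop' when a client-to-server request carries
    the Webtrends Security Analyzer user agent, otherwise 'pass'. to_server
    stands in for the rule's flow:to_server,established check."""
    if to_server and snort_content_to_bytes(RULE_CONTENT) in payload:
        return "drop"
    return "pass"


# Constructed requests: one probe matching the rule, one ordinary browser.
PROBE = (b"GET / HTTP/1.1\r\nHost: 202.9.69.90\r\n"
         b"User-Agent: Webtrends Security Analyzer\r\n\r\n")
NORMAL = b"GET / HTTP/1.1\r\nHost: 202.9.69.90\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

if __name__ == "__main__":
    f = parse_ulogd(LOG_LINE)
    print(f["srcip"], "->", f["dstip"], sorted(f["tcpflags"]), classify_drop(f))
    print("probe:", rule_action(PROBE), "normal:", rule_action(NORMAL))
```

Two practitioner points the example makes concrete. The logged drop is a SYN/ACK from port 80 of 115.239.210.27 to high port 29238, so the firewall had no outbound SYN in its state table for it; that is the signature of backscatter (someone is SYN-flooding 115.239.210.27 with 202.9.69.90 as a spoofed source) or of a reply to a scan, and it is not an attack on the gateway itself. The content match is an exact byte comparison after decoding the hex escapes, so a probe that changes one byte of the User-Agent passes the rule; that is the weakness of static signatures the research slides return to.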
Testbed & Pentest
Analysis and Results
Traffic accuracy for inbound – outbound: (a) without policy, (b) other method, (c) RT-IPS pitcher flow
Thank You
deris@ieee.org
