Browsing by Subject "intrusion detection"
A Collaborative Approach to Situational Awareness for CyberSecurity (IEEE, 2012-10-14)
Authors: Mathews, M. Lisa; Halvorsen, Paul; Joshi, Anupam; Finin, Tim
Traditional intrusion detection and prevention systems have well known limitations that decrease their utility against many kinds of attacks. Creating a new system that collaboratively combines information from traditional and nontraditional sensors to produce new, relevant signatures is one way to deal with these limitations. In this paper, we present a framework that uses this collaborative approach, as well as the details for a network traffic based classifier that shows promise for detecting malicious traffic.

Creating a Collaborative Situational-Aware IDS (2017-01-01)
Authors: Mathews, Mary Lisa; Joshi, Anupam; Computer Science and Electrical Engineering; Computer Science
An Intrusion Detection System (IDS) is a set of tools that runs passively in the background to determine if components of a system, as reflected in the network or host monitoring data, are behaving maliciously. Traditional IDSs have well known limitations that decrease their utility against many kinds of attacks. Current state-of-the-art IDSs are point based solutions that perform a simple analysis of host or network data and then flag an alert. Only known attacks whose characteristics are captured and represented as signatures that have been stored in some form can be discovered by most of these systems. IDS elements of this type cannot detect zero-day type attacks or attacks that use "low-and-slow" vectors. Many times an attack, exploitation, or infection event is only revealed by post facto forensics after some damage has already been done. To address these issues, a semantic approach to intrusion detection was taken that uses traditional as well as non-traditional sensors, collaboratively.

Tim Berners-Lee defined the Semantic Web as "not a separate Web but an extension of the current one, in which information is given well-defined meaning, better enabling computers and people to work in cooperation." Traditional sensors include hardware or software such as network scanners, host scanners, and IDSs like Snort and Norton AntiVirus. Potential non-traditional sensors include open sources of information such as online forums, blogs, and vulnerability databases which contain textual descriptions of proposed attacks or discovered exploits. Exploits are vulnerabilities or weaknesses that can be used to attack a system. After analyzing the data streams from these sensors, the information extracted is added as facts to a knowledge base using a World Wide Web Consortium (W3C) standards-based ontology that our group has developed. The W3C is a consortium of different people and organizations that work together to establish standards for the Web. In addition to the ontology and facts stored in the knowledge base, rules/policies were developed that can reason over the facts to identify the situation or context in which an attack can occur. Attacks characterized as low-and-slow aim to stealthily perform their malicious activity so that they remain unnoticed instead of causing as much damage as quickly as possible. By having different sources collaborate to discover potential security threats and create additional rules/policies, the resulting situational-aware IDS is better equipped to stop creative attacks such as those that follow a "low-and-slow" intrusion pattern. Leveraging information from these heterogeneous sources leads to a more robust, situational-aware IDS that is better equipped to detect complicated attacks. This will allow for detection in soft real time, meaning that the alerts indicating the presence of an attack might not come the instant an attack starts. This allows for the creation of rules that can detect the complicated attacks.

Prototypes of various components of this system were created and tested for efficiency and the accuracy of their ability to detect complex malware including botnets.

Cross-layer Analysis for Detecting Wireless Misbehaviour (IEEE, 2006-01-06)
Authors: Parker, Jim; Patwardhan, Anand; Joshi, Anupam
Intrusion detection systems (IDSs) in ad hoc networks monitor other devices for significant deviation from protocol -- misbehavior. This process is complicated due to limited radio range and mobility of nodes. Unlike conventional IDSs, it is not possible to monitor nodes for long durations. As a result IDSs suffer from a large number of false positives. Moreover, other environmental conditions like radio interference and congestion increase false positives, complicating classification of legitimate nodes and attackers. We present a scheme that helps in accurate diagnosis of malicious attacks in ad hoc networks. Our scheme employs cross-layer interactions based on observations at various networking layers to decrease the number of false positives. Our simulations show that our scheme is more effective and accurate than those based on isolated observations from any single layer.

A Knowledge-Based Approach To Intrusion Detection Modeling (IEEE, 2012-05-24)
Authors: More, Sumit; Mathews, M. Lisa; Joshi, Anupam; Finin, Tim
Current state of the art intrusion detection and prevention systems (IDPS) are signature-based systems that detect threats and vulnerabilities by cross-referencing the threat or vulnerability signatures in their databases. These systems are incapable of taking advantage of heterogeneous data sources for analysis of system activities for threat detection. This work presents a situation-aware intrusion detection model that integrates these heterogeneous data sources and builds a semantically rich knowledge-base to detect cyber threats/vulnerabilities.

On intrusion detection and response for mobile ad hoc networks (IEEE, 2004-04-16)
Authors: Parker, James; Undercoffer, Jeffrey; Pinkston, John; Joshi, Anupam
We present network intrusion detection mechanisms that rely upon packet snooping to detect aberrant behavior in mobile ad hoc networks. Our extensions, which are applicable to several mobile ad hoc routing protocols, offer two response mechanisms: passive -- to singularly determine if a node is intrusive and act to protect itself from attacks, or active -- to collaboratively determine if a node is intrusive and act to protect all of the nodes of an ad-hoc cluster. We have implemented our extensions using the GloMoSim simulator and detail their efficacy under a variety of operational conditions. Based upon our positive simulation results, we are currently implementing our extensions in laptop computers and PDAs and constructing a testbed that uses IEEE 802.11 with mobile ad hoc extensions.

On Web, Semantics, and Data Mining: Intrusion Detection as a Case Study (2003-05-01)
Authors: Joshi, Anupam; Undercoffer, Jeffrey
We examine the intersection of data mining and semantic web in this paper. We briefly identify some points where they can impact one another, and then develop a specific example of intrusion detection, an application of distributed data mining. We have produced an ontology specifying a model of computer attacks. Our model is based upon an analysis of over 4,000 classes of computer attacks and their corresponding attack strategies using data derived from CERT/CC advisories and NIST’s ICAT meta-base. We present our attack model first as a taxonomy and convert it to a target-centric ontology that will be refined and expanded over time. We state the benefits of forgoing dependence upon taxonomies for the classification of computer attacks and intrusions, in favor of ontologies. We illustrate the benefits of utilizing an ontology by comparing a use case scenario of our ontology and the IETF’s Intrusion Detection Exchange Message Format Data Model.

Querying in Packs: Trustworthy Data Management in Ad Hoc Networks (Springer Nature Switzerland AG., 2006-06-09)
Authors: Patwardhan, Anand; Perich, Filip; Joshi, Anupam; Finin, Tim; Yesha, Yelena
We describe a trust-based data management framework enabling mobile devices to access the distributed computation, storage, and sensory resources available in pervasive computing environments. Available resources include those in the fixed surrounding infrastructure as well as services offered by other nearby mobile devices. We take a holistic approach that considers data trust, security, and privacy and focus on the collaborative mechanisms providing a trustworthy data management platform in an ad hoc network. The framework is based on a pack formation mechanism that enables collaborative peer interactions using context information and landmarks. A pack provides a routing substrate allowing devices to find reliable information sources and coordinated pro-active and reactive mechanisms to detect and respond to malicious activity. Consequently, a pack forms a foundation for distributed trust management and data intensive interactions. We describe our data management framework with an emphasis on pack formation in mobile ad-hoc networks and present preliminary results from simulation experiments.

Secure Routing and Intrusion Detection in Ad Hoc Networks (IEEE, 2005-03-21)
Authors: Patwardhan, A.; Parker, J.; Iorga, M.; Karygiannis, T.
Numerous schemes have been proposed for secure routing and Intrusion Detection for ad hoc networks. Yet, little work exists in actually implementing such schemes on small handheld devices. In this paper, we present a proof-of-concept implementation of a secure routing protocol based on AODV over IPv6, further reinforced by a routing protocol independent Intrusion Detection System (IDS) for ad hoc networks. Security features in the routing protocol include mechanisms for non-repudiation and authentication, without relying on the availability of a Certificate Authority (CA) or a Key Distribution Center (KDC). We present the design and implementation details of our system, the practical considerations involved, and how these mechanisms can be used to detect and thwart malicious attacks. We discuss several scenarios where the secure routing and intrusion detection mechanisms isolate and deny network resources to nodes deemed malicious. We also discuss shortcomings in our approach, and conclude with lessons learned and ideas for future work.

A Semantic Approach to Situational Awareness for Intrusion Detection (National Coordination Office for Networking and Information Technology Research and Development, 2012-06-11)
Authors: More, Sumit; Mathews, M. Lisa; Joshi, Anupam; Finin, Tim
We describe a situation-aware intrusion detection system that integrates heterogeneous sources of information to build and maintain a semantically rich knowledge-base about cyber threats and vulnerabilities. Most current intrusion detection and prevention systems rely on signature-based approaches to detect attacks. When an attack signature is not available, such as for a new exploit or a significantly modified known one, such systems are much less effective. Moreover, these intrusion detection systems are point-based solutions which do not make effective use of heterogeneous data sources, which can provide important information related to intrusions which are not yet available as signature patterns. This information can also help detect low-and-slow attacks in which small intrusions that are spatially and temporally apart combine to build a more elaborate attack.

SHOMAR: An Open Architecture for Distributed Intrusion Detection Services (2002-09-12)
Authors: Undercoffer, Jeffrey; Perich, Filip; Nicholas, Charles
Distributed Intrusion Detection Systems (DIDS) offer an alternative to centralized intrusion detection. Current research indicates that a distributed intrusion detection paradigm may afford greater coverage, consequently providing an increase in security. In some cases, DIDS offer an alternative to centralized analysis, consequently improving scalability. SHOMAR, the distributed architecture presented in this paper, provides an open framework that enables secure access to heterogeneous software and hardware components of a distributed intrusion detection system. SHOMAR is built upon a simplified Public Key Infrastructure that provides for authentication, non-repudiation, anti-playback, and access control. This framework supports a broad spectrum of approaches, ranging from hierarchical to peer-to-peer. The system topology and the rules governing access to intrusion detection services are based solely upon policy, which is enforced through the use of a capability manager. The prototype system uses Java. The Extensible Markup Language is the sole medium for data exchange between intrusion detection components. SHOMAR provides a distributed service infrastructure independent of the underlying communications network.