ࡱ> X)&DTimes New RomanPsX)& DCourierw RomanPsX)&10DWingdingsRomanPsX)& ` .  @n?" dd@  @@``  8` w!1AQaq"2B #3Rbr $4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz ?( 3E4u&k'Z.O݌rQɮ[ Y9-n'{U.IjγB ufUkg~%^"M?\v,Ors87՜7MZӦot kMeW]CG+RW.,o. syH_NX4)c ٥t~&%$z _ ?Rc} C^Ы8tB(((((((((((((((() v>Xb~k|!SxJͰٗ.Y)qfff$$N{M۩Ji:fLq8^<`Vhvj)Y4F|Agiyx&'5wQU<`]%vU}{+̰V]JQnژW7I=m61 cҲ嶑d9[ohN׀GԗRb,gn)rƩԖ u$: 9=5K6dpjKA0'VZ!F2@=ڴ6vy^OҾ]J+){yWrȇ " ӜנW #Y%m ?_~>#扵x9Q4s:nڹ?0'U)E^6 tyWv;[no5A1+I^cb9~}zRjOΧeisIk|grs8 :9c Qo?'ykra34ygj'niLgbXrOֻ]5bR @pj\w1iwZk::4:nu,}eefkට=M4_|X1{(\+uq h1ڼ㮹=ZI Jʝ0:v;^']vڞ7J.>=E!p=?:gToj\G2j7{`31sV+}ikZ4 { 'JjJwWRnnm4m(\K kbr:o?oOs v>=:]_lꇏ+_H|+ծu/ -˗1FJfrVvݖK{~ugJ-P^ʒkγJ CĤc{44}wT[B\#mizW-V}PMeVv: +#P(wTMI|i8'K w5#T#vLO5Sieb[J+\-j~gN]NõAOHJ_4xY^^Ug/- >k0nŴr)"#5^*3:I:`Z'VfQG;?LVPJ.RVlX{3Gfύwg{,@71Eם|C,yQnlKTߺ<'Q^8zJ`R?zw{|4uedPBk]p??z+'?Fo;a/8KqJGV8_]J͇sOZLWZj.9`+j$#Ԏ>lϩ !>ۏ+I wQ:j$sK׫Mr#ΛbV+GaoOZvNG_5_hFћ-+n|_T/efQҾ^@&yfJO ]A? "8aWS)诜}+߃-/(/.%/Pp\]/)zsEZޏj|lN/+ ȿgU6!;O|3"W&/GVfEtQ@ Y8a]Ƀ5).4Ht*Iޔ wh [;ֺwqi#tvrc2ݚNmlqltPM^+rh c8qP'3hⶦgMtŘ4Cp>{vS]4|s$sRubo=(@a^m-A><~52V@xs_G!&K{ כRgu 'c>0X5\$s/U?tƕ|2Гzh08]tex#m&t .<D:yJV+?7삹xAFO 0>65^8%4F#Z["u`3m+AXCݹWV/O^?83fW7^Oadn~iس.G/&myyޮi0kh`\JOj& 㿧f4y#_ [AɬZGps6kEg cQ^gn/ TyElC$&PNG  IHDR:]ÔPLTE̙si`fMYC@0& ~}tjagNZDYCuN;M:A14(N;&( 6-)#-* icPli`|sVM93&sgM[DuXhN4'b3&'YC5(YCfMYC6)3&)@0&YC&]ISF VL0M9M9i` YC 3&̙|ssV M9fM @0cCV9I0=&0S0F&P&Y&CM@IS3 F = |si`VMC9 00@@PP``pp̀ҏٟ߯濿Ͽppp```PPP@@@000 PXbKGDH cmPPJCmp0712Hs IDATXGXέ`_mR5KѦ[Hr&7R$Ҋ7$BP $ yBsf\O;?$w;y̙qcw~z]y }AUz/R:aDto 8 |Ʊcn&^zUtjh7'Nq_T}9-x#u}{/RH];8ι8yq_յ{:  P󇋎Jկ3]A5&Y y *6@_(ށn`J(FJ'Ϟ?)z eNt讠LO/_xew?Bb8卾i BAQ!1<$!I RCa=c`]HGfN %-Fj[]@(RR?*%ÔTô+\P22C42?h⻩,鉕ƒح^&5]h[1D '!h(Sșx ɛ^yܑB+5#DQE4 |Ó>N=ĪDؑ>e5L3/:zqV:x1aloR4웮QhB]Cg7JY @!Ք6@cبeLCҦTf: (xzAdIYS:K@xQd n92ڕQ]G/_95dJ|4n>|"۷] /u(5TM~q,~THلu2G" U@yaIO k]MgEVUfM;~ ]gaοكM QMDNB%8魞. u s@Wtҩ)T}X|YgșD@~6"E]ר%@,cd ^vQK1>.cudr~Z8!C?7%cLJ#%PlBO@+I`G`G(~]&JNuG_ab*.Rul\@Id}"UN䕼UTPLò9p*S^(PY@0SGN#rrll9pxh47f$S'q5=>6%zsQ;mX:A252oҝBVA2U%g6hMM =:l65%xaE=X`SXf|讇far|1]P<CiXLFH #ͧ[erۈE/p %#`nR2 ]t=o6[K SCl>b6i8eېDqB1F*g `ԮMk> >sa,D)\Z|y NRR\ņg-2f|t]uz|ʛy&M,,f s Ҽ=Z@ϥ}25DQźKG1XpqdL!&*) -z|&686]+IJ B2nFE<ՉcND Su`> 3?jCH{XyR4_b]č4Qt_aꚍx ^Cm^5xŶwCQ V:#<*Sf/HNڞKm]7B+ L]jܤqXS6 qVMKq:Z[bAR^vRB"q3׾ : ". b 3/R]2Gi xz0u| q5 I%Yqu~o.]*[ s> t;vʿl @#:Rp&q?Q0ٸ0m{8im5]=![ KYK<1 PCf_D& CCN4UΑVP5[l/N8!9 v'י#FG\pqyr򲽑GoB딠n-Ϻ>!go AljYyp1RiAyF8s  z3.njPl ;͝clV/PX$kseIENDB`n,Q6Oo5>06PNG  IHDRsrPLTE  """222333@@@DDDPPPRRRUUUXXX```dddfffhhhpppwww .&""a332288kt v"DDUUXXffhhwwˀ3ЋDԕUؠfءiܪwۈۊᵈ⹎㹏忙㣣媪껻ʪͯԻ׿ibKGDSzg=tEXtComment Image generated by AFPL Ghostscript (device=pnmraw) Vd_ cmPPJCmp0712Hs*IDATx^]o:r0|;{z yMۍ뫻ۗm& 'ߥ3CR"%J$ے(j!5#&)o,K*ċ\.W]_P/]|alËq%$.W/.~鏋+Z%|,e޼|5WE\X$t.[ %S)ocx# X$N^ͷ<~ 0<^ Wѫ%Jcxx%d6X%xbF<^LK˔kt*nrxŀ<[3<^w^a\2cb0zZjF"&%0wC)/Ȑ*YCIa(} 0<^E@v:GZ/0z.1JaZ 3{WJ^L;m}o1yM{^_L.{݅ck&/`"]q7|-&iɅy/|GrLw%<|jX2HGR~rO.Z~<z\ Bk}-C[1}~y*;4}^& UԤ>MIM>=_ LnƏ_}}<||L_ݮ?!j%1Ԥҟb#=}y{;ízHxly?<<,P͆'xaÇ9o|ÃUe)(~mJbpxPRYjD1ԁ T*pJRo~j(pάZi:yӹXr XEzPxA]6]{OρMia0-5#l+Wo@smDx'ޯҗ WT>L{^fgދOq}v>ފ}R!Ә%;Kӳo +:Cn6;JH4Y$}&M-L0Kpv(*O.>>#*WBBӦ(T'HVE(-sϒYQ>MxaE?_U!w8>@74OT,Q#(0|Q[qBZ8_K)Dxp0^ <QYTA% Q𑛣ؔu& :j[ "ٱt1KxΌQ]AAG#zZ`{DSERY283?ԝC^]CK{F?`r{F%֏/PX+֭?}D04'#Ci4J#q"t^c܏=%NXNsZS=I+6]OCEG|<@ TA R?r{m;C9,(&'˿a L5Ԥ24 2>A;NgNlqQCkNxhŽMӃOMv1Da`6:Eo^p(>s s{J\ҍ:#f<4$Zel#<=Bت:pM{?̩-3_1Kfanzx9111T\-P VM"΄t [<=>B{] ,X)R\ٴs ࡶ Yf_+x80x>Ɋnɣ鴔,JHCE7"=l`Q ĤfcABCJBkNZ-($q" 8Lm-157ă >kEZJ&IB4-.t꣞.2$ݩAv>m@Tڎnfd.qad5cڗIjuEx8F+B i6}[>ó Yךm{ß˵}.D(*bL!X/^fFxE<.:x>m0Jm{XutU }9ziF]{Pvi.,F ,x $w =VwWRB3*3.Hb#{N 3ӌ\s=T≡^(RK^ Xa)`|6YN&!35Ûl_w]W[JbD{.̈v6R uF! j"S"qÔp]4{?e#2?l%K ?cWEh/( @ts/@] ?gAPmcimՠShn3bIx.5#4xF{LXlSlZh ʄ@xe\ʊ${JqAkJI-H&Д:4fDJ5ZxN6%nC=3~yUT2=J#Kđp0Km+@^챣>J<*Xfh /cžWk5̛`G섀 E&hx.5I^Sс]?مۄiuG]+n֖9<'o-ѻ6QmW0;t~"Uvp-ʙe#J90.="  e0OFÚ߻I&Q{ʸf50#ISXFE5:ģ34Y:H/3 <# ko~C5ZڜʷE/Hz0O-$|ՙ um 9VljژDͨPfM aRȸ:SNxgh}I͔<͆~jPgyOUif/HJ y "H?qKޜTIoPexQYZQ [Up)DO!>(յ, u D0rnYW~۳Tb&YDθPGc) K]{YZX*&n0xI~2)OP*w O1`J1B  Z8h-ąL^% jQ( \\JIayZޟE~+33;牜6WGrC(]w x3@{2. ( `}gM*`{!?D*e4 @t|aF9̳rl @u1W2221KAM[49ŋgLD-Ľ=4޼JxPI>yZMʨo:LW Gu <' &oy2Snvn :9fPrnYx*zJ:FlO䡘UH1C9hi%œ=;M%fV&rn!c.9(+n,UitT[xD]=K':6jrn ҁzSnރM] \Jy6ぇArmRmԳ^ϛ`+3TK``x)c3I`52<WiLvzUudꧪ]IM1f{hn7* !.B}n=dJ>}"r W* xU`iZJ==Q<+%Rҷ.e4%V{N-6eqU#u tcM<5GepTcf%~#J`񆖅 rٌxs WyM@h16ZH7=5GʩIz#b\@ΠG0J$lzxj| @9ѳU+ ` ~x&vXPR8Ƴ^XyXdǭḃ4jv@GWZPT#DpyeFJlٌ*'u6LKmfkkG\u )x}s\ bC; " ZY+)'x.F""г^E=&T:*xpyWK2 ֺ+=!6xx V)ZhOD4w`ˑ%xQIENDB`Fb-u BˇJFIFZ CREATOR: XV Version 3.10a Rev: 12/29/94 (PNG patch 1.2) Quality = 75, Smoothing = 0 C    $.' ",#(7),01444'9=82<.342C  2!!22222222222222222222222222222222222222222222222222o" }!1AQa"q2#BR$3br %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyzt(IsJ vc]{gK}dqҽT޸ƀq*шZSv3)r:EM4?jA1ҧh3㡭#AҠxps޶M4+sôq*X|M3S[BVgaWB2pE.TgŲLçS3맵2; wVC(=+Oh;Yl}qRGҳP5:td s̨$AW5:oHJ}K2EmTR^ML s&%y%#5-e%+.Ö |\c8NP+~'Ɩbw,$t^)L΄Z>a0㚛\wp8ʯ RGZV.ŏRsZ"팋+<1t^=žnxFG4=ڭ㬢/6,k)O>N9 <|P븟RNzRbsbm9\|60M'y%&N:W_:GVuJ>cz ??nb[ZBG_cl5K].wFdf3Ҽ~x,RkF(+L7!'{_|;Oy3ڝh {W|)]Lkҽ3_G;-NmG-rdD 'ڶ+A71a4m }ʼ(mR?p*ѵdqҊJ+(B+ S{zުpБG"vW2"",FG:QƛbHɖ!EQ5kΣ͝z"Y,j-]8Y3?+bjvQ=K&;5fl5{k"ѷg'IVIQa6]6*%irNky7+sΣmiN=nHvk-R(.Ȳ>~.次8M*1vPQϙؼ<,Cy[dպ)<὿yqk.hP#KJ|kxv6?zNMeUCjqrmt{G܌ԊiCNyAp?3S 0G9nڡtuKb&ڡO ִu,B̟JOJ_/mB>A:Lwn7g-+Ǘ '[deP9#ՄLZV| N:Wc<Z~yhk{eڕ7d9 }$#{V߀cj+3:j/6??X_dĶf;c!Y?d#/u֧?5$ 9+^em K2x+ ㎔}LkcFNW _GH5>#&@e<)xY%b2Mu5Š(e;|LzFrCYzzSBdSI9gέG 8R}j^%'dCvw3Jfϧ3ɒy<|Ēp >1l9Mrr,һ(-iqgG[E`.D /@)Uj*wBqSG={UIYSi: 7WEF34xnŚv6i?^~ԼM~-caq,|>~͇tQI)4TTcX՗3عiVFoad;xP"qH-pv-4<ďw5[:BIJ"vpn?6Ə53ϔ(*qrϊ5 ^ Ut?Z/󬥏+פm,,{bq%-n8*ҀGgtQU|.{bMv" <:kٴKhEޔlt Uc.W)+&"G/ސ{B6ƻ:vIJCT??ʚ'3hHIZ<ٙ}2ks#|?UhZepJ8ԥČH,~uT7D́(N^OLlKB6x53ϔأt`0'mߘgNnA?]:&OvȨ@jFt?ʎp9Oi|/i&F 3e9gַ3qUvOBфғƕw_0C~\KJam;vy_L VM7 Α?ʫA8rm#ghnA?]g#:GGQΑ>QTstQ{P?I]_#:GGQΑ>Q(sQ!6q"b(()1KEFc۟/ MsZwhŚW3]F(? iM\YH85B{1}+Ӯ4+ѷ˟Lđmnd/5 I?.3i% +0CFR9hOC`SOҔ%dx:u6IfbrDV:ͭ;r[݇^@"GeP<8]WӭtT cCEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEnY ׳]XPNG  IHDR9xДPLTE 00@@PP``ppҏٟ߯忿Ͽppp```PPP@@@000 ObKGDH cmPPJCmp0712HsIDAThCZۖ8 4M VItN>;T*]l0{nU-͹K}q.3^9r|Ra,׺*wE4dO'j qE(@W9= pXut(R YDc#jF$+6:MMd$]g0ܡ̷U >^U>t^DEI)fqN[bf"GËo!7JX)z{.HEӁ R`r ^vV.^R}Y"Fc.L:U}i ԤFHBG}wB)\r@yH׏pdXQ tJ  a4$ HF`tl`Z8L2NDF<.=$4Al>G2o\fRdR#2;ƁX 1@IP+ =Y *84Nf)\pdp˅( @qP )3ȭXl6 V"<|[`ЫݧR>aPiԓ\aO `lx;8ݵi1^T!JԎpdU3(>o%ij+œcbzpB eZepn&_#~ ۞Kp޻?ʫaZֽ]'X_U]I쀗{/wކxq}u {} F= / l*\CEE$Fn=v\X}`7(}˺Տ 1ak3pEu3mE!35.U?uZHҦ\Ώ~|ڟ9#Ĝ-}9IENDB`n0B&Lig=!t?( / 00DArialngsRomaXPsXs&DTimes New RomanPsXs& DCourierw RomanPsXs&10DWingdingsRomanPsXs& ` .  @n?" dd@  @@``  7\T    : /-K/ E--#$%(*,- .L$$$$$$$$b$ TyElC$&7 $$$b$Q6Oo5>06,7 $$$$R$b-u Bˇ:$$$$$$b$ ׳]Xa X 0e0e     A@ A1 8c8c     ?1 d0u0@Ty2 NP'p<'pA)BCD|E||c"$` f3f@g4TdTdsi00pQm Pppp@ g4.d.dsi00pQm pgp+  ʚ;ʚ;<4dddd`ʚ;<4!d!d`ʚ;<4BdBd`ʚ;0___PPT10 h___PPT2001D<4X? =O  =(]A(Toward Self-directed Intrusion Detection)(LPaul Barford Assistant Professor Computer Science University of Wisconsin VKPPI gMotivation - the good0Network security analysts have many tasks Abuse monitoring Audit and forensic analysis Firewall/ACL configuration Vulnerability testing Policy Liaison Network management End host management h*m')m&cMotivation - the bad2(Adversaries are smart Vulnerabilities and threats are significant Worms Slammer, Blaster, Sasser, Witty, MyDoom, etc. Persistent and growing background radiation (Pang et al.  04) Scans Billions per day Internet-wide and growing (Yegneswaran et al.  03) Viruses No longer clearly defined (eg. Agobot) DDos Bot-nets consisting of hundreds of thousands of drones@BZZlZZDZZ'ZZ7Z+lC    '  6tZ w /4hMotivation - the ugly (sort of)DNetwork intrusion detection systems (NIDS) Static signatures - hard to tune and maintain Lots of alarms Scalability problems Firewalls and intrusion prevention systems Limited capability Bulletin boards and commercial services May not be timely enough Traffic monitors (eg. FlowScan, AutoFocus) A step in the right direction+ZRZ+ZZ(ZZ+ZZ+R+(+  >  d Objective (Network situational awareness based on self-directed network intrusion detection  The degree of consistency between one s perception of their situation and reality  An accurate set of information about one s environment scaled to a specific level of interest Expand notions of traditional abuse monitoring and forensic analysis Adapts to malicious traffic Front-end for firewalls/IPSXQPQ5 Mechanisms (*Data sharing between networks Eg. DOMINO (Yegneswaran et al., NDSS  04) Monitoring unused address space Eg. iSink (Yegneswaran et al., RAID  04) Eg. BroSA (Yegneswaran et al.  05) Automatic generation of resilient signatures Eg. Nemean (Yegneswaran et al., USENIX Security  05)* L-5) K-5   2  : W;DOMINO architecture ( Hierarchical overlay network Descending order of security and trust Data sharing XML-based schema Summary exchange protocol extends IDMEF Push or pulling periodically Alert merging and clustering Subject of on-going research (eg, Barford et al. Allerton,  04) ' VA& V@    ,_BUnused address monitoringPackets are (nearly) all malicious There have been some very weird misconfigurations Enables active responses Key for understanding details Widely available We monitor four class B s and one class A Useful in large and small Easier to share this data#P2PPPPDPP#2DCdEiSink architecture Passive component: Argus libpcap-based monitoring tool Active component: based on Click modular router Library of stateless responders to collect details of intrusions NAT filter Source/destination filter that blocks (redundant) traffic before it gets to iSink1A R1  , Q    H) kReal-time honeynet reports Bro plug-in for situational summary generation Periodic reports New events High variance events Low variance events Top profiles Adaptive NetSA in depth Identify large events quickly On-goingv/A '/A ', ~1qQSemantics-aware signatures 8 Objective: automated generation of resilient NIDS signatures Signatures must be both specific and general Challenge: generate signatures for attack vectors that have never been seen Multi-step and polymorphic attacks Approach: create a transformation algorithm to synthesize semantics-aware signatures from iSink data Session and application protocol semantic awareness (Sommer & Paxson,  03)>Z-ZMZ#ZfZKZ 1,M#fJ    PO;rRNemean architecture&  Data abstraction Transport normalizer Aggregation Service normalizer Clustering Group sessions/connections using similarity metric Signature generation Machine learning to build finite state automataZ4Z Z3ZZ0Z3 3/    ,  jSignature example (Welchia)0  Multistage attack (3 steps) GET / 200 OK SEARCH / 411 Length Required SEARCH /AAAA& P<5iSummaryXMalicious activity in the Internet is a huge problem and is likely to persist for a long time Current network security analysis tools are largely inadequate We advocate network situational awareness through self-directed intrusion detection Distributed data sharing Unused address space monitoring Automated semantics-aware signature generation&hh/8^|  ` 33` Sf3f` 33g` f` www3PP` ZXdbmo` \ғ3y`Ӣ` 3f3ff` 3f3FKf` hk]wwwfܹ` ff>>\`Y{ff` R>&- {p_/̴>?" dd@,~?" dd@  " @ ` n?" ddV %%KKppPR    @ ` ` p>>  8(    6~ " `}  T Click to edit Master title style! !$  0`~ " `  RClick to edit Master text styles Second level Third level Fourth level Fifth level!     S  0 ~ "^ `  >*  0~ "^   `"*wail.cs.wisc.edu  0~ "^ `  @*d  C .Alogo_small"0H  0޽h ? 3380___PPT10.I  1_Default DesignJ PZ(    T:JJ ?e#   t*   S##HHkk  T:JJ ? #  v*   S##HHkkp  01 ?15  :  T :kk ? G  RClick to edit Master text styles Second level Third level Fourth level Fifth level!     S  Zp :JJ ?e   t*   S##HHkk  Z!:JJ ?   v*   S##HHkkH  0i? ? ̙3380___PPT10. N @0(  H  0i ? 3380___PPT10.h  08*(  8 8  ZЋ1gֳgֳ ?   8  Zp1gֳgֳ ? @  "~ 8 H1?"` XB 8 0Ԕ? 8  `011?7v 1 < June, 2005 R 8 C *A wcrest  \ 8 C 4Awordmark160  Pf H 8 0޽h ? sd&̙33___PPT10i.1ӝ+D=' = @B +  (  l  C p `}   l  C 0P  H  0޽h ? 33   0(     `0Dgֳgֳ ? `      Z 1Dgֳgֳ ?0P  H  0޽h ? _f3̙33___PPT10i.`ם+D=' = @B +  (  l  C   `}   l  C  `  H  0޽h ? 330  P0(  x  c $5D `}   x  c $4D`0P  H  0޽h ? 3380___PPT10.5`i$  `$(  r  S &: `}   r  S p&:``  H  0޽h ? 3380___PPT10.5`i$  $(  r  S ` `}   r  S    H  0޽h ? 3380___PPT10.K5-R/  H0(  Hx H c $@}   x H c $  H H 0޽h ? 33___PPT10i.00-+D=' = @B +  X(  Xl X C ` `}   l X C   `  H X 0޽h ? 33  (  l  C mP}   l  C  uP``  H  0޽h ? 33  (  l  C }   l  C `P  H  0޽h ? 33  bZ( %:+@ ~  s * `}   ~  s *0`P~     fA  isieve-archP + H  0޽h ? gg3___PPT10.SP^+bɸDs' = @B D.' = @BA?%,( < +O%,( < +De' =%(D ' =%(D' =A@BBBB0B%(E' =1B B`BPB1:Bhidden*3>+B#style.visibility= `B<* (D' =1:Bvisible*o3>+B#style.visibility<* (%(+8+0+ ( +'  >6(  ~  s *`?}   ~  s *?  0    Z@?1?@ 5Start2  T 1?#" `2   T 1?#" ``P2   T 1?#" ` P@ 2   N1?#" ` ` P B  @ ZD1?#" `@pB   ZD1?#" `@B  ZD1?#" `@ B @ ZD1?#" `   S T0e0e    B CDEF A@  A1 8c8c     ?1 d0u0@Ty2 NP'p<'pA)BCD|E||p0 @  c"$`` p  S D0e0e    BC@DEF A@  A1 8c8c     ?1 d0u0@Ty2 NP'p<'pA)BCD|E|| @@ c"$` `   Z ? 1?#" `\ 9 Get / 200    Z? 1?#" `@T < Search / 411    S T0e0e    BC DEF A@  A1 8c8c     ?1 d0u0@Ty2 NP'p<'pA)BCD|E||h``0 @  c"$`   Z`? 1?#" `0  < Search / 411    Z? 1?#" `\  9 Get / 200    Z0e 1?#" `   GSearch /AAAAA[more] 400  Z ? 1?#" ` , 0p  GSearch /AAAAA[more] 400  Z ? 1?#" `<   GSearch /AAAAA[more] 400  S T0e0e    B@CDEF A@  A1 8c8c     ?1 d0u0@Ty2 NP'p<'pA)BCD|E||HxD@@  c"$`P H  0޽h ? gg3___PPT10i.qHZK+D=' = @B +  (  l  C ` `}   l  C @ߑT  `  H  0޽h ? 33$A @<4(  <d <c $15    <s *p#: G    H < 0i ? ̙3380___PPT10.ݼdc @(    N1 ?15     ` 4Dr.r. ? G    H  0i ? ̙3380___PPT10.`/cxp^RЀ3ÿ lHbP  @AL G@;b `B&VZ!_`ޖ^XA]Ғu"jAՙՀLA( / 00DArialngsRomaXPsXG'&DTimes New RomanPsXG'& DCourierw RomanPsXG'&10DWingdingsRomanPsXG'&   : /-K Oh+'0\+ px   ( 4 @LT';Internet Intrusions: Global Characteristics and PrevalencecVinodetino Paul Barfordusi248Microsoft PowerPointGlo@< @@rϼz@FxjfQG)PICT) HH HH  * #Ӂc33>3P3x3I33333c33>3P3x3I33333͙ў͙͙ͬu3 33|336~33333ͬu3 33|336~33333̳ ͙Ͷ͙͙=3_=gnNOLCuNBUTs35nEG3a3>UTs3MNBϠEG MD~g3AEG6UTs33NNEg3ANBNWIOM_=gNNE=3_=gnNOLCuNBUTs35nEG3a3>UTs3MNBϠEG MD~g3AEG6UTs33NNEg3ANBNWIOM_=gNNE=͙߯ϦǥĠ٪ϢȮ٪ĠϢ ٦Ϣ6٪ЦĦĠͫ㯞Ц3;dKKF_33Q33S3v@333Q3333k3v@333S338v93u333v@333ZQE3u3S3<9a3;dKK3ZQE3;dKKF_33Q33S3v@333Q3333k3v@333S338v93u333v@333ZQE3u3S3<9a3;dKK3ZQEәƢɡ쯙ۙᙦȞÙՙȞܙҙțԙ̙ȞߙץՙÙŝٜƬ蝰Ƣ虩ץ&33336Mv~Wݕi333y3rJ34;{33oo3y3334;{334;{3y3337333<3A|33337&33336Mv~Wݕi333y3rJ34;{33oo3y3334;{334;{3y3337333<3A|33337&әҙΙК²ۙ֙麙r޷Йɝ̷ə麙ۙǙɝۙřɝؙ麙ߙәŝ왞̙Ι333D`w3U36l|57p33\?>w333|57pL6eQ3{57p?>w3336Q3{3q3Fu;e8w3U36l|57p33\?>w333|57pL6eQ3{57p?>w3336Q3{3q3Fu;e8lIDATx^흋qE[Ԕ6n,Yʝr{[Z(il!ǐ^B%݆ @-3HdX:>ќzΜkRH B,P8, ` b`B   , ` b`B   , ` b`B   , ` b`B   , ` b`B   , ` b`B   , ` b`B   , ` b`B   , ` b`B   , ` b`B   , ` b`B   , ` b`B   , ` b`B   H`L,PUXv.KuIF;p쾃Ma}X쓬<֋Dx0X[,,I*VՆ9`)Y$*ӋPx45-a'@0,IG}e K|UuUZ >a >3PoOY'ua w \wBcmv_eKn&^1|A"X>ن;rU f3,)s$?)xts__/#w<6N[_HJ*Kh"J,!Y^t^X$S{ø©yTHjWHLO9,EiVUN;2`N4 oat v|Wf,YYѦ X g9Z iFT|Kp]7,d\X gX `,U%C_ |®?Kr_77CoGkM߿K-!ov)+~ ^II[r'cv3KX~M_b~EPgf-,_ ~]"5S"3V\uJ Xk9YX `,d2fa2gA3LRyh dF,?,#,h X,!gA"@J(bFrY4o,k+XuYw$4nC~ _m6K>X Y~ب_nSGAeK5?fT¯kt`ȳ ƻF,%k3S>Fh Gup=21$ߜ`';7˿ZYsGDiך&'4υl vd# Ө9VP:?F,p9c"e<6Mw?\-۳XP2IB :9k-ZU.qdڥ;N(`AȲuIxRpݦ̯2\W dX rLWN,[e0hY7Öy.u\)`)W䱟=a'm `ȑeOؔ_XĦ: F,`Kf؀:2궰`e@Lr ``vna߰`Mu"F$/|֪X+ g1w%uqח[R! ܱ0KX/ZJ (A O36,dSV{:ȕzݗ{Ȣ LN$Tլ4[Xj)c12҈,Ƒe@Lq ``uX\oO`,>'NXj <>*WXĐ 0"qd?}Ӧoz?8Atd/`,=9|Z,WֳeBW3{bn'YJ'ɒvOX"L`%ij˞˫ÒvwEdi~v]YUfXݶXBGKk^xd #9?X)l=caXϲKl[CR8Rk [Pmr䶫"ˣ#aFerrц0rOR,s,}YlEHh 3"gH}+o= [$;:{W# H8 JӺ/3^'t8ޞN1FoX HLwVu9Ge,jN M7e^; X.w氘^ǀްӓ `2XrjXRO6w \EY 5,)gWEVds@.w %%]e Mkyg "UF,V pdu-Yqƕ;sXYN22,G?oS̟k?YX2ť}`W5w; 2A Y;ggOx|2fr?\x槏,"eXrgZ8L-<1aY 96 7/*S5HB?uԸyE8]ы*\& p{=m,ۅ;y(T,x:^ J\]ǝw `r> -9kti`ٰE}z;sX",Y$E&%g*RWo馻6`~>KyqHjDIyaWg]dy$,J3Edgo=[J|ZV^eEa,"7U߾`Ad0VS,,B,}z-XYE*,-XY2rd_,_svŭ,n !/@+FhN ޫ_ 6?vӅ HF_3:~tֳT[w%u7R#BsΧ4`eI?4栓Z8v7(=F O,,AZȑ7o~;]lr# ח~=z=˚iCc^,=*SsX0"4{E3:7JyldISV gSto&]Zc`){MY^ 0-Ìm&-Cүo0 sk6sXY0v3E hiBT3"74o`ɚa_XGgb gVĖ^Xnfyy[`|ױ.aAdVذX+V3[? xmfT}zB&EX7WaAdV谘y@{yFl҄C[?wW * c]Bj?yW0#66N rٱfUMCdy0Ħr0AMoe-rC$爙Â%fPuCnƋT6 Ƒ2|=oFYjM,hXv\6A-0gsXYX xX'f zÄX " `ZYZP-a_Xb,XrfkY* Jaoih3*#GgV媑lmwe=S[ޭ5Oc,oƮg KEX?]_ϢA韑cBS=3=t!fb ׳n?\n%m՚䴹1?"8B3G%65$NL/O"a1Jz͋ -a1BVdkr=KI`YyYw o:D%w:QUyrMm'6:zYf iu",;>YbhӈoNӭaYPNeҜwSz˘bĠ%6kXY3GwaaYu\lxX<#P7uh#Yҳ+gůSËοG*X,&y7Yz3*Тg(fYJ,ڋNJ{^%Ђ?wͪJA9} mMzZpGX9i=p @v=1%b{ M{xXno/r;Ó]zsXL{`T1RU|ժ71!,z"K{gd1 2Oz9j>VpcaôwWid1EaK_  .;+S-eK,1e6lK,Ӹ~>>m\ bKŦx,~;%ŀid z4,7;;DAX$2O#y3d%eܾ# @h;侊Kd|X,~tJh^DǍ}caya@eghTo}AxȒ)%T9Ƚ2}s эb?uōaÒ&nsc2 ,dgG{ Q;fXMm>O4îyO3 zDD_WYpc(,!~C9ؐ,AElK%q,U'IܑrET՛ % ."(ɝK+,Z0*(A2ث Ng/:N?`9Tf. yEoAdAd%AdZ*:9DALd"4Ll$w.] C9yV Gp{ʔ8s}q1,͆e`/{N "K_b: _{Aye2Eb'{X$zEF "`c01yNETLEb'{X":&/RX x}\QE "}袔,),qFf08]UCd|a蘼HaA"ea蘼Ha3ga- 591y‚aԐdY$|袰Y$,+/Bd_CH+RNI H0RJeKE-eYY{X#bS&2Gd Иw-,aeNvR>fzÂa>쒄h98c,zDd ,K:łfp5XYPNrȒ$h7 ,Je 7L`嶿_ ,,_+9K,^n=,k:>YTf.0D`ψD"MtT" ?U\`3gaUŊ:^R,,q`-y%`M2,CDJuK)2sE(ocM`|Q*3XY YY3Zg^DD%DmjEwlɝ8MLǘ~TER2Y$Sg$R0gv[nPd!mqS*3XY$?ohy) *VՆyTf.ęy YC~9q4e"D8y" D5$*)aA7f6T`4 Hj9`+)]rҲ<9y)RaZWְw;9<1vwXe_Trwt+y%ifuU-[s^uu>_a{ppmn\ 094E&g kpfZ21;S*es&1?o E`s9vw) ,,όPF} ~Z5,^f-:DD%vװtg9}3&( ,,όPF韽6xXx#K`}?]oXye'd`+ ,,J˒FoR c%=,,`Ad1\b˚Pc+ 5x#rviJXt.Jr vx JJLO?Q*3X Cd , i.yX(|dKyc[ŠRD0s NKT8( ,,an?`q`JeK9>_a#g,X0J1"Kh({afT*n ,)]#wdR2d\`aq\JeYB ~#>oA"YXНJpս,Y=# uoR 19tJ1"32seop?Kp%:X),gX" ;a2)'G)2s%"YJt;`9]_9 oUd9 [Y"x%si7L#S^ϾG<ٯ^oAd ,Nt~!r}dYf&ɂQ r`7`0ٻ%#Z{.hk d>P $AdZ*"97B]d>/\ 6RX +\Oc.ax]q*g(fb +hDrhQ*eױrJl<~?( ,,c˔ٓ,6I\`3ga'Yk)ẁtB2t ax0ftZc""ub`8Kbe)K3,ΜEY"pV \`A΢)/U~cClX.eoV.rX|?X{X,q,g =,Y:e޾{V:rXY=,Su|8s%u|u8a-ðF'  }uJe0/~lX!1?{n)Tf.ę`./J<-+Je r2uJ4Gy "EdIt"YTd[UK5,k "9Ǽ?őЊEr];2v{תaYbY=ɲ^}E`AdC9),,=4xWvSaX}ȢWž.Z.1:\B`)dA-0]XVS%RXY;e%?=,4mn~p3,Yz'|6hͰ^r4:PrNEU#Hk%RYr ;vw) ,F}ނr:1,f`*hf=;^,e)el(Ftk2, 0)E˫",Y rܹׄ4YD? R 6Y,a,xe|X0褱aAd,od tq7LE;`wCc{+DD8 cEdAd1Cd14渷BdAdŦ x "1ǽ" ")DDo0DCc{+DDŦ|wQ? K#wC*ꟿ1ae|X"o)~qwO,adyZJ |/(׳,6b KņXLa1gW\lBrW8(Y7XzA9M_X%,1,S`,Ę`EPg8 YhwLE/1rG&Μ,DdAd,wq,c΂qOy@3L`YM,, 8H2>,g8f" ˟?W .0QILDʿϨm*ڟ# ֳ#KJE",6="\#Yj Kņ2cXlla84 G&0#Yg:ͺ(#-e}=o~~"-e,X>RZ5UUV}" 8˭:.c~:Wܰ-T*.~ϪU+,1,gY瘋`)sfni †c017 E,O>O|C?T?9X9 "KHԑ 7__ӢO"=ma,E J@-ma)TT81`k3la1r$>Q~2WX+HEY$zf[b~2,C=7,Vni ’ H ܰX-,VKW("1sb営X!,_ "P [b~2,C=7,Vni ’ H ܰX-,VKW("1sb営X!,_ "P [b~2,C=7,Vni ’ H ܰX-,VKW("1sb営X!,_ "P [b~2,C=7,Vni ’ H ܰX-,VKW("1sb営X!,_ "P [b~2,C=7,Vni ’ H ܰX-,VKW("1sb営X!,_ "P [b~2,C=7,Vni ’ H ܰX-,VKW("1sb営X!,_ "P [b~2,C=7,Vni ’ H ܰX-,VKW("1sb営X!,_ "P [b~2,C=7,Vni ’ H ܰX-,VKW("1sb営X!,_ "P [b~2,C=7,Vni ’ H ܰX-,VKW("1$]rwJe.laBXRBDH>+O._v)-maAd (PXVɶ6;2,] Eb:ejvwJeY$5+Eb:%q$׮N%,0>xORB26O?R_Yߞ~gʅޥ|S}&Z HO}P V]sⶰV= ,0]'`kTŰ@Y|!~Xh h,0{Î]wUp-,RfsuX`,վzŽ4jZX ~ e\b *3m- ,,d)=<;},֮4$GŇ>o>sXu~:Aw۵Yh>Yrgu6vnFSCQ&iyrOps3t`Yyyw.ѥLyp~,dwy5l휥,nVgw [Wu`:L'gyN6^nѪcO\8+yj+_׃Drr#գ/{â:NkS~gW`[^cs(y}m}L.lF^rszrA8p6qT\#J-shV8_۱+2槹atSF|?/]?>]8Mj-tK^=|VmG/weUϲΩ(`˭:z X2|N|g^ܿ)=HWMSRCëwbXݕ,MI`W6R nl>ptl3/iN ~|งYM[X)rEVtJz=RNZrU4Fz|qTl,v{o`p7/poNӠV4Gh!NRwJyjEv.[yqRl|ƬϚ,y3pvlM_[c nrO#ʐwc+jqOpMi `I(?fy*,i-qt )Y߱ 5ߝɽh)6f k~x]԰M/9+ Y[ڷc+jהB/ڰ)c+,dM;y ,53ZܫR҂MJ<xJGէFVӓ/ڊٸv0@W' ENe#m'& oWl:ԊЗɶ6{Vll \`[\ZoBgGΣ*)Tn&cQg~nxEO-Fl<`~\\S_`q0riʌM(_r喔WQ%Ҽ8)6f#׌Kv,e^|( 2jlj":I5n>p~Tύr3NN)&+_35#!,%`\/ a.Dm\pGa;Q=D-NLejIsEPm%+[Z.[GV˻{gSREg]3.w$)4ٰ(RSxTL;qx=жal{6zjqDluU  csFu;b\)\g ~Nk1ڴ?xqY+,fx,XT滼鮠7kmQpE},ǭCTR<%Gj"ባzeN_w&2,?Ϊk?,ix.5,10? OBv񆼐EQX(wiw<Pnܦ/_yt=kF)9P9va5 /ԱUdZifǝnǑʺ,J_ޅeB'n_ZuI}]$-dtӎtbǻx_‘ΖV#@flЈnX+ bڿ8~r&+z{:9Ÿ[a>ˡø`9عaXwYvŸ|iIGXZ|2鴦r[IwVX7yhh-xvѽ); R}m*.t Xxom%l`ĝLÄ_Ohɾ/ܮSpڨft(83ՊXCV;4]* ξYj~BŸ<,6,"F>pc|2tGHv"٭"c.UpoogKrsE/Ea0^ߥݹaÄg.^G4"Nnyy9/̟t1K|2Eck $yqB#_5 q}?cى7YOxmj, ?kmvK͘8OTI,;1`?q;֧,=s c †U*}9[D^eft>GZޥLEg?\B,/TxT~,X^: p YPeQu,:lX IENDB` ` .  @n?" dd@  @@``  8`T    : /-K/ E--#$%(*,- ./Lb$&Lig=!t18Ba$$$$$$$b$ TyElC$&7 $$$b$Q6Oo5>06,7 $$$$R$b-u Bˇ:$$$$$$b$ ׳]Xa X 0e0e     A@ A1 8c8c     ?1 d0u0@Ty2 NP'p<'pA)BCD|E||c"$` f3f@g4TdTdsi00pQm Pppp@ g4.d.dsi00pQm pgp+  ʚ;ʚ;<4dddd`ʚ;<4!d!d`ʚ;<4BdBd`ʚ;0___PPT10 h___PPT2001D<4X? =O  =4*]A(Toward Self-directed Intrusion Detection)(LPaul Barford Assistant Professor Computer Science University of Wisconsin VKPPI gMotivation - the good0Network security analysts have many tasks Abuse monitoring Audit and forensic analysis Firewall/ACL configuration Vulnerability testing Policy Liaison Network management End host management h*m')m&cMotivation - the bad2(Adversaries are smart Vulnerabilities and threats are significant Worms Slammer, Blaster, Sasser, Witty, MyDoom, etc. Persistent and growing background radiation (Pang et al.  04) Scans Billions per day Internet-wide and growing (Yegneswaran et al.  03) Viruses No longer clearly defined (eg. Agobot) DDos Bot-nets consisting of hundreds of thousands of drones@BZZlZZDZZ'ZZ7Z+lC    '  6tZ w /4hMotivation - the ugly (sort of)DNetwork intrusion detection systems (NIDS) Static signatures - hard to tune and maintain Lots of alarms Scalability problems Firewalls and intrusion prevention systems Limited capability Bulletin boards and commercial services May not be timely enough Traffic monitors (eg. FlowScan, AutoFocus) A step in the right direction+ZRZ+ZZ(ZZ+ZZ+R+(+  >  d Objective (Network situational awareness based on self-directed network intrusion detection  The degree of consistency between one s perception of their situation and reality  An accurate set of information about one s environment scaled to a specific level of interest Expand notions of traditional abuse monitoring and forensic analysis Adapts to malicious traffic Front-end for firewalls/IPSXQPQ5 Mechanisms (*Data sharing between networks Eg. DOMINO (Yegneswaran et al., NDSS  04) Monitoring unused address space Eg. iSink (Yegneswaran et al., RAID  04) Eg. BroSA (Yegneswaran et al.  05) Automatic generation of resilient signatures Eg. Nemean (Yegneswaran et al., USENIX Security  05)* L-5) K-5   2  : W;DOMINO architecture (Hierarchical overlay network Descending order of security and trust Data sharing XML-based schema Summary exchange protocol extends IDMEF Push or pulling periodically Data/alert fusion and filtering Subject of on-going research (eg, Barford et al. Allerton,  04) ' V!A& V @    ,_BUnused address monitoringPackets are (nearly) all malicious There have been some very weird misconfigurations Enables active responses Key for understanding details Widely available We monitor four class B s and one class A Useful in large and small Easier to share this data#P2PPPPDPP#2DCdEiSink architecture Passive component: Argus libpcap-based monitoring tool Active component: based on Click modular router Library of stateless responders to collect details of intrusions NAT filter: to manage (redundant) traffic Source/destination filtering1A*1  ,)    >) lActivities on ports (port 135)Distribution of exploits varies with network 170 byte requests on Class A Blaster, RPC-X1 all 3 networks Welchia LBL Empty connections UW NetworksP-Z[Z Z-[ j"kReal-time honeynet reports Bro plug-in for situational summary generation Periodic reports New events High variance events Low variance events Top profiles Adaptive NetSA in depth Identify large events quickly On-goingv/A '/A ', ~1qQSemantics-aware signatures 8 Objective: automated generation of resilient NIDS signatures Signatures must be both specific and general Challenge: generate signatures for attack vectors that have never been seen Multi-step and polymorphic attacks Approach: create a transformation algorithm to synthesize semantics-aware signatures from iSink data Session and application protocol semantic awareness (Sommer & Paxson,  03)>Z-ZMZ#ZfZKZ 1,M#fJ    PO;rRNemean architecture&  Data abstraction Transport normalizer Aggregation Service normalizer Clustering Group sessions/connections using similarity metric Signature generation Machine learning to build finite state automataZ4Z Z3ZZ0Z3 3/    ,  jSignature example (Welchia)0  Multistage attack (3 steps) GET / 200 OK SEARCH / 411 Length Required SEARCH /AAAA& P<5iSummaryXMalicious activity in the Internet is a huge problem and is likely to persist for a long time Current network security analysis tools are largely inadequate We advocate network situational awareness through self-directed intrusion detection Distributed data sharing Unused address space monitoring Automated semantics-aware signature generation&hh/8^$  $(  r  S ` `}   r  S    H  0޽h ? 3380___PPT10.K5-R/  X(  Xl X C ` `}   l X C   `  H X 0޽h ? 33#  6(  ~  s *0y> `}     s *p{>0 <$ <    ZA  sb1354 <$ < H  0޽h ? gg3  ___PPT10 ..fH@+{wD' = @B D' = @BA?%,( < +O%,( < +D{' =%(D#' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*\%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*\D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*\D{' =%(D#' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*\-%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*\-D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*\-D{' =%(D#' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*\-K%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*\-KD' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*\-KD{' =%(D#' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*\Kj%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*\KjD' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*\KjD{' =%(D#' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*\jv%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*\jvD' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*\jvDN' =%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*\v%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*\vD' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*\vD' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*\%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*\D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*\+p+0+\ ++0+\ +r yWdiUՀLA($$$$$b$ TyElC$&7 $$$b$Q6Oo5>06,7 $$ / 00DArialngsRomaXPsXG'&DTimes New RomanPsXG'& DCourierw RomanPsXG'&10DWingdingsRomanPsXG'& ` .  @n?" dd@  @@``  8`T    : /-K/ E--#$%(*,- ./Lb$&Lig=!t18Ba$$$$$$$b$ TyElC$&7 $$$b$Q6Oo5>06,7 $$$$R$b-u Bˇ:$$$$$$b$ ׳]Xa X 0e0e     A@ A1 8c8c     ?1 d0u0@Ty2 NP'p<'pA)BCD|E||c"$` f3f@g4FdFdsi00pQm ppp@ g4.d.dsi00pQm pgp+  ʚ;ʚ;<4dddd`ʚ;<4!d!d`ʚ;<4BdBd`ʚ;0___PPT10 h___PPT2001D<4X? =O  =4*]A(Toward Self-directed Intrusion Detection)(LPaul Barford Assistant Professor Computer Science University of Wisconsin VKPPI gMotivation - the good0Network security analysts have many tasks Abuse monitoring Audit and forensic analysis Firewall/ACL configuration Vulnerability testing Policy Liaison Network management End host management h*m')m&cMotivation - the bad2(Adversaries are smart Vulnerabilities and threats are significant Worms Slammer, Blaster, Sasser, Witty, MyDoom, etc. Persistent and growing background radiation (Pang et al.  04) Scans Billions per day Internet-wide and growing (Yegneswaran et al.  03) Viruses No longer clearly defined (eg. Agobot) DDos Bot-nets consisting of hundreds of thousands of drones@BZZlZZDZZ'ZZ7Z+lC    '  6tZ w /4hMotivation - the ugly (sort of)DNetwork intrusion detection systems (NIDS) Static signatures - hard to tune and maintain Lots of alarms Scalability problems Firewalls and intrusion prevention systems Limited capability Bulletin boards and commercial services May not be timely enough Traffic monitors (eg. FlowScan, AutoFocus) A step in the right direction+ZRZ+ZZ(ZZ+ZZ+R+(+  >  d Objective (Network situational awareness based on self-directed network intrusion detection  The degree of consistency between one s perception of their situation and reality  An accurate set of information about one s environment scaled to a specific level of interest Expand notions of traditional abuse monitoring and forensic analysis Adapts to malicious traffic Front-end for firewalls/IPSXQPQ5 Mechanisms (*Data sharing between networks Eg. DOMINO (Yegneswaran et al., NDSS  04) Monitoring unused address space Eg. iSink (Yegneswaran et al., RAID  04) Eg. BroSA (Yegneswaran et al.  05) Automatic generation of resilient signatures Eg. Nemean (Yegneswaran et al., USENIX Security  05)* L-5) K-5   2  : W;DOMINO architecture (Hierarchical overlay network Descending order of security and trust Data sharing XML-based schema Summary exchange protocol extends IDMEF Push or pulling periodically Data/alert fusion and filtering Subject of on-going research (eg, Barford et al. Allerton,  04) ' V!A& V @    ,_BUnused address monitoringPackets are (nearly) all malicious There have been some very weird misconfigurations Enables active responses Key for understanding details Widely available We monitor four class B s and one class A Useful in large and small Easier to share this data#P2PPPPDPP#2DCdEiSink architecture Passive component: Argus libpcap-based monitoring tool Active component: based on Click modular router Library of stateless responders to collect details of intrusions NAT filter: to manage (redundant) traffic Source/destination filtering1A*1  ,)    >) lActivities on ports (port 135)Distribution of exploits varies with network 170 byte requests on Class A Blaster, RPC-X1 all 3 networks Welchia LBL Empty connections UW NetworksP-Z[Z Z-[ j"kReal-time honeynet reports Bro plug-in for situational summary generation Periodic reports New events High variance events Low variance events Top profiles Adaptive NetSA in depth Identify large events quickly On-goingv/A '/A ', ~1qQSemantics-aware signatures 8 Objective: automated generation of resilient NIDS signatures Signatures must be both specific and general Challenge: generate signatures for attack vectors that have never been seen Multi-step and polymorphic attacks Approach: create a transformation algorithm to synthesize semantics-aware signatures from iSink data Session and application protocol semantic awareness (Sommer & Paxson,  03)>Z-ZMZ#ZfZKZ 1,M#fJ    PO;rRNemean architecture&  Data abstraction Transport normalizer Aggregation Service normalizer Clustering Group sessions/connections using similarity metric Signature generation Machine learning to build finite state automataZ4Z Z3ZZ0Z3 3/    ,  jSignature example (Welchia)0  Multistage attack (3 steps) GET / 200 OK SEARCH / 411 Length Required SEARCH /AAAA& P<5iSummaryXMalicious activity in the Internet is a huge problem and is likely to persist for a long time Current network security analysis tools are largely inadequate We advocate network situational awareness through self-directed intrusion detection Distributed data sharing Unused address space monitoring Automated semantics-aware signature generation&hh/8^rA:EՀ@( / 00DArialngsRomaXPsRdO)`4LgPictures $PowerPoint Document(4sSummaryInformation(+      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGDocumentSummaryInformation8Current User8~ (  !"#$%&')*+,-./012356789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} tp://www.snort.org/&http://www.icir.org/vern/bro-info.htm _Ot-msinght-msingh$$R$b-u Bˇ:$$$$$$b$ ׳]Xa X 0e0e     A@ A1 8c8c     ?1 d0u0@Ty2 NP'p<'pA)BCD|E||c"$` f3f@g4TdTdsi00pQm Pppp@ g4.d.dsi00pQm pgp+  ʚ;ʚ;<4dddd`ʚ;<4!d!d`ʚ;<4BdBd`ʚ;0___PPT10 h___PPT2001D<4X? =O  =)]A(Toward Self-directed Intrusion Detection)(LPaul Barford Assistant Professor Computer Science University of Wisconsin RKPPI gMotivation - the goodNetwork security analysts have many tasks Abuse monitoring Audit and forensic analysis Firewall/ACL configuration Vulnerability testing Policy Liaison Network management End host management h*m')m&cMotivation - the bad(Adversaries are smart Vulnerabilities and threats are significant Worms Slammer, Blaster, Sasser, Witty, MyDoom, etc. Persistent and growing background radiation (Pang et al.  04) Scans Billions per day Internet-wide and growing (Yegneswaran et al.  03) Viruses No longer clearly defined (eg. Agobot) DDos Bot-nets consisting of hundreds of thousands of drones,BZZlZZDZZ'ZZ7Z+lC    '  6tZ w /4hMotivation - the ugly (sort of)DNetwork intrusion detection systems (NIDS) Static signatures - hard to tune and maintain Lots of alarms Scalability problems Firewalls and intrusion prevention systems Limited capability Bulletin boards and commercial services May not be timely enough Traffic monitors (eg. FlowScan, AutoFocus) A step in the right direction+ZRZ+ZZ(ZZ+ZZ+R+(+  >  d Objective (Network situational awareness based on self-directed network intrusion detection  The degree of consistency between one s perception of their situation and reality  An accurate set of information about one s environment scaled to a specific level of interest Expand notions of traditional abuse monitoring and forensic analysis Adapts to malicious traffic Front-end for firewalls/IPSXQPQ5 Mechanisms (*Data sharing between networks Eg. DOMINO (Yegneswaran et al., NDSS  04) Monitoring unused address space Eg. iSink (Yegneswaran et al., RAID  04) Eg. BroSA (Yegneswaran et al.  05) Automatic generation of resilient signatures Eg. Nemean (Yegneswaran et al., USENIX Security  05)* L-5) K-5   2  9 W;DOMINO architecture(Hierarchical overlay network Descending order of security and trust Data sharing XML-based schema Summary exchange protocol extends IDMEF Push or pulling periodically Data/alert fusion and filtering Subject of on-going research (eg, Barford et al. Allerton,  04) ' V!A& V @    ,_BUnused address monitoringPackets are (nearly) all malicious There have been some very weird misconfigurations Enables active responses Key for understanding details Widely available We monitor four class B s and one class A Useful in large and small Easier to share this data#P2PPPPDPP#2DCdEiSink architecture Passive component: Argus libpcap-based monitoring tool Active component: based on Click modular router Library of stateless responders to collect details of intrusions NAT filter: to manage (redundant) traffic Source/destination filtering1A*1  ,)    ,)lActivities on ports (port 135)Distribution of exploits varies with network 170 byte requests on Class A Blaster, RPC-X1 all 3 networks Welchia LBL Empty connections UW NetworksP-Z[Z Z-[ j"kReal-time honeynet reports Bro plug-in for situational summary generation Periodic reports New events High variance events Low variance events Top profiles Adaptive NetSA in depth Identify large events quickly On-goingv/A '/A '0qQSemantics-aware signatures $Objective: automated generation of resilient NIDS signatures Signatures must be both specific and general Challenge: generate signatures for attack vectors that have never been seen Multi-step and polymorphic attacks Approach: create a transformation algorithm to synthesize semantics-aware signatures from iSink data Session and application protocol semantic awareness (Sommer & Paxson,  03)>Z-ZMZ#ZfZKZ 1,M#fJ    PO:rRNemean architecture Data abstraction Transport normalizer Aggregation Service normalizer Clustering Group sessions/connections using similarity metric Signature generation Machine learning to build finite state automataZ4Z Z3ZZ0Z3 3/    ,  jSignature example (Welchia)Multistage attack (3 steps) GET / 200 OK SEARCH / 411 Length Required SEARCH /AAAA& N<5iSummaryXMalicious activity in the Internet is a huge problem and is likely to persist for a long time Current network security analysis tools are largely inadequate We advocate network situational awareness through self-directed intrusion detection Distributed data sharing Unused address space monitoring Automated semantics-aware signature generation&hh/8^$  (  ~  s * `}     s *P20 <$<    ZA  sb1354 $ PH___PPT2001$qH  0޽h ? gg3  ___PPT10 ..fH@+{wD' = @B D' = @BA?%,( < +O%,( < +D{' =%(D#' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*\%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*\D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*\D{' =%(D#' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*\-%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*\-D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*\-D{' =%(D#' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*\-K%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*\-KD' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*\-KD{' =%(D#' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*\Kj%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*\KjD' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*\KjD{' =%(D#' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*\jv%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*\jvD' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*\jvDN' =%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*\v%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*\vD' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*\vD' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*\%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*\D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*\+p+0+\ ++0+\ +rnEAJE7Հ