1 a network security monitor paper by: heberlein et. al. presentation by: eric hawkins
TRANSCRIPT
1
A Network Security Monitor
Paper By: Heberlein et. al.
Presentation By: Eric Hawkins
2
Paper Background
Authors (Heberlein, Dias, Levitt, Mukherjee, Wood, and Wolber) all from CSC at UC Davis– One of the leading research institutions for
security
Published in 1990 One of the seminal papers in intrusion
detection / network security
3
The Problem
How to keep computer networks secure against network attacks and intrustions?
Computer systems and networks were designed around trusted users
Cannot simply close off the network – need interconnection with “outside world”
Encryption, private keys, etc. cannot protect against all threats– e.g. legitimate users misusing privileges
4
The Idea
A network security monitor that compares current network activity to historical behavior in order to detect usage anomalies– Capture network traffic– Analyze traffic based on historical activity
patterns and/or pre-defined rules
5
Discussion of Attacks
Preparation Phase– More prepared attackers are more difficult to
defend against
Attack Phase– Target offers service that Attacker exploits– Target seeks to use service offered by Attacker
Post-Attack Phase
6
Concept of the N.S.M.
4-D matrix, axes are:– Source
– Destination
– Service
– Connection ID
Each cell in matrix represents a unique connection Each cell contains:
– Number of packets passed on the connection
– Cumulative sum of the data carried by those packets
7
Concept of the N.S.M. (2)
The traffic matrix can be compared against particular patterns to match types of attacks– Patterns must be generated for such attacks
– Use probability distributions to determine which measurements are likely to indicate attacks
Rules can also be employed to develop patterns– e.g. rule looking for a login connection that only
exchanges a few packets and terminates
– Difficult to apply hierarchically
8
N.S.M. Architecture
Packet catcher – captures all packets Parser – extracts protocol info (addressing,
service, etc.) Matrix Generator – creates cells or increments
counts in 4-D matrix constructed of linked-lists Matrix Analyzer – examines matrix representing
current traffic against “normal traffic” (masking) or by applying rules
Matrix Archiver – saves traffic matrix
9
Results
Identified problems which were actually just abuse of network privileges– Full backups using FTP– Programs continually executing finger
Thrown off when a network file server went down
Detected several consecutive failed log-ins
10
Difficulties
How do you train the monitor for a “normal” usage pattern? Who’s to say a security breach isn’t occurring while training?
Defining rules for non-trivial attacks will be difficult
Network traffic is not accessible when networks use non-broadcast media (think: switches vs. hubs)