Camp 2007 - 1.01

Chaos Communication Camp 2007
To infinity and beyond

Luke Gotszling
Day 2
Room Shelter Bar
Start time 12:30
Duration 01:00
ID 1944
Event type Lecture
Track Hacking
Language English

Enhancing Network Defense

Supplementing firewall and intrusion detection systems through intelligent anomaly detection

This event will showcase a novel method for hostile traffic detection. Current methods are either insecure against new threats and too slow or ineffective. Stateless systems are insecure due to data being split across packets and a reconstructed scan is too slow to analyze networks with large throughput. Unlike current signature or rule based systems, this method is unique in that it analyzes and learns from prior events to provide suggestions for future attempts that may not match a rule. The event will culminate with the details of tools prototyped in Perl for enhancing network security.

System administrators are better equipped to handle some intrusion attempts while automatic systems work best on others. This system utilizes neural or Bayesian network techniques--supplementing the rule based systems currently in use for deciding which traffic is allowed. Neural and Bayesian networks have been used in similar fields for some time: IBM's boot sector virus detection and defense against email spam are two examples. A decision making classifier will learn from existing IDS and/or firewall rules and traffic logs. This has the advantage in that it doesn't require human intervention and is easily adapted to a particular network topology. The system is then used to enhance existing network security and provide detection of possible attacks and prioritization of alerts. Both options are based on this intelligent classification of prior events. There is a general framework that can easily be adapted to work with any input data. Once categorized, the data is fed into a neural or Bayesian network. From there it is sent to the classifier for rule generation and alert prioritization. The key lies in the system learning which events should then be sent to the administrator to minimize the possibility of intrusion given finite administrator time. It works in real time and makes decisions on whether network events that indicate a perceived level of risk should be handled automatically or sent to the system administrator: the prioritization component of the system. The techniques are used to supplement and enhance an IDS and/or firewall. A possible expansion is to include temporal correlation to prevent attack progress. Further work can be done in optimizing the training algorithm and classifier so as to maximize accuracy with the evolution of threats.

Archived page - Impressum/Datenschutz