Neural Technology and Fuzzy Systems in Network Security
Project Progress 2
Group 2:
Omar Ehtisham Anwar 2005-02-0129
Aneela Laeeq 2005-02-0023

Neural Techniques
- IPS tools are based on static rules alone
- Neural Techniques seek to classify all new events and highlight those that appear most threatening
- Neural Techniques allow the security expert to be the final arbiter

The Neural Security Layer
Fuzzy Clustering
- Creates a baseline profile of the network in various states by “training” itself
- Establishes patterns and does not determine an exact profile of what a user does
- Uses algorithms that identify these patterns and separate clusters accordingly

Kernel Classifier
- Determines which existing cluster a new event most likely belongs to
- Classifies events according to how far away they are from the norm (any existing cluster)
- Events farthest away bubble to the top, where administrators take manual action
- Uses algorithms based on non-linear distribution laws, which use statistics to track what happens over extended periods of time
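The two slides above describe the mechanism without naming an algorithm. The following is an added example, not code from the slides or from any product they describe: it uses fuzzy c-means (an assumed, standard fuzzy clustering routine) to build baseline cluster centres from constructed two-dimensional event vectors, then performs the kernel-classifier step by assigning each new event to its nearest centre and sorting the farthest ones to the top of the analyst's queue. The feature meanings and all numbers are constructed for illustration.

```python
"""Baseline clusters plus distance-based event ranking.

Added example, not code from the slides: a plain fuzzy c-means routine
builds cluster centres from constructed 2-D event vectors, and new events
are then scored by distance to their nearest centre so the ones farthest
from any known cluster sort to the top of the analyst's queue.
"""
import math

# Constructed training vectors: (requests per minute, mean response size in KB)
# from two normal usage patterns, e.g. casual browsing and a bulk download job.
TRAINING_EVENTS = [
    (1.0, 1.2), (1.3, 0.9), (0.8, 1.1), (1.1, 1.0), (0.9, 1.3),
    (9.8, 10.1), (10.2, 9.7), (10.0, 10.3), (9.9, 9.9), (10.3, 10.0),
]


def distance(a, b):
    """Euclidean distance between two event vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fuzzy_c_means(points, c, m=2.0, iters=200, tol=1e-6):
    """Fuzzy c-means: returns (centres, memberships) where memberships[i][k]
    is the degree (0..1, rows sum to 1) to which point i belongs to cluster k.
    Membership is initialised deterministically (point i -> cluster i % c)."""
    n, dim = len(points), len(points[0])
    u = [[1.0 if i % c == k else 0.0 for k in range(c)] for i in range(n)]
    centres = []
    for _ in range(iters):
        # Centres are membership-weighted means of all points.
        centres = []
        for k in range(c):
            w = [u[i][k] ** m for i in range(n)]
            total = sum(w)
            centres.append(tuple(sum(w[i] * points[i][d] for i in range(n)) / total
                                 for d in range(dim)))
        # Memberships are recomputed from relative distances to every centre.
        new_u = []
        for p in points:
            d = [max(distance(p, ck), 1e-12) for ck in centres]
            new_u.append([1.0 / sum((d[k] / d[j]) ** (2.0 / (m - 1)) for j in range(c))
                          for k in range(c)])
        shift = max(abs(new_u[i][k] - u[i][k]) for i in range(n) for k in range(c))
        u = new_u
        if shift < tol:
            break
    return centres, u


def rank_events(events, centres):
    """Kernel-classifier step: assign each event to its nearest baseline cluster
    and return (distance, cluster_index, event) sorted farthest-first."""
    scored = []
    for e in events:
        d = [distance(e, ck) for ck in centres]
        k = min(range(len(centres)), key=d.__getitem__)
        scored.append((d[k], k, e))
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed live events: two that match the baseline and one outlier.
NEW_EVENTS = [(1.1, 1.0), (10.1, 9.8), (40.0, 0.5)]

if __name__ == "__main__":
    centres, _ = fuzzy_c_means(TRAINING_EVENTS, c=2)
    for dist, k, event in rank_events(NEW_EVENTS, centres):
        print(f"{event}  nearest cluster {k} at distance {dist:.2f}")
```

The memberships matter for the "fuzzy" part: a borderline event keeps a partial membership in several clusters rather than being forced into one, which is what lets the classifier report how far from the norm an event is instead of only which bucket it landed in.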

Clusters
- A set of XML files that become model filters or a knowledge base for the network resource being monitored
- The knowledge base is continually updated based on:
  - Results of day-to-day activities
  - Data from third-party sources, such as IDS signatures

Six Steps to Producing Security Intelligence
1) Designate Data: Data can be system log entries or any other raw or formatted measure of activity in the environment.
2) Model Analyst Expertise: The variables, weights, centers and pertinent event knowledge that make up the analytic or data-mining model are configured based on the specific analysis requirements and the unique attributes of the particular environment.
3) Train Model: The process of organizing the designated security data into multi-dimensional “event vectors” within the context of the analytic models. This establishes the baseline activity.
4) Generate Knowledge: Live or offline data is compared against the contents of the training baseline and classified accordingly.
5) Teach Model: User supervision and the infusion of expert knowledge are essential to accurate event classification and system baselining, and to filtering out non-threatening anomalous activity.
6) Leverage Knowledge: System output is invaluable for the real-time or offline analysis, detection and prevention of any type of potential internal or external criminal activity or system misuse.

Neural Security (NS) Tool
- Monitors activity on Microsoft Internet Information Server (IIS) Web servers
- Preconfigured to monitor activity on a single IIS server or an entire server farm
- In training mode, examines IIS logs to determine the normal activity of the server and creates its clusters
- Comes with a knowledge base of known IIS exploits
- Unlike rule-based security systems, NS quickly adapts to each unique installation and will continue to adapt as more information is added to its knowledge base

Neural Security (NS) Tool
Training Mode
- Organize IIS-specific data into clusters that reflect normal use patterns (both trusted and untrusted) within the server environment
- The process of organizing clusters is guided by a built-in knowledge base of published attack signatures
Monitor Mode
- Compare every incoming request to IIS against the Training Database to determine whether it falls within an acceptable distance of trusted activity
- Within the limits of trusted activity: processing continues
- Outside the limits of trusted activity: initiate whatever action has been configured, e.g. post an on-screen alert, block the untrusted connection or shut down IIS

Neural Security (NS) Tool
Maintenance
- Proper classification of events is essential
- Maintain as Security Alerts are displayed, or review the Security Alert Log periodically
- After re-classification of events, “Re-Train” the database
- NS remembers the correct classification and characteristics of events, which then applies to the analysis of subsequent events
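The six steps and the three NS tool slides (training mode, monitor mode, maintenance) describe one cycle. The following is an added example, not the NS product's code or anything from the slides: it walks that cycle end to end on constructed IIS W3C extended log lines. The field list, the five features in the event vector, the signature list (a constructed stand-in for the built-in knowledge base of published attack signatures), the distance threshold and the action names are all assumptions made for this example; the "training database" is simply the centre and per-feature spread of trusted activity.

```python
"""Training, monitor and maintenance cycle of a baseline-distance IIS monitor.

Added example, not the NS product's code: parses constructed IIS W3C log
lines into event vectors, builds a training database from trusted requests
(a constructed signature list stands in for the knowledge base of published
attack signatures), scores incoming requests by normalised distance from
trusted activity, and re-trains after an analyst re-classifies an alert.
"""
import math
import re

# Constructed training log, W3C extended fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
TRAINING_LOG = """\
2005-03-01 10:00:01 192.0.2.10 GET /index.htm - 200 2048
2005-03-01 10:00:02 192.0.2.11 GET /images/logo.gif - 200 5120
2005-03-01 10:00:03 192.0.2.12 GET /products.asp id=12 200 3000
2005-03-01 10:00:04 192.0.2.13 GET /products.asp id=17 200 3100
2005-03-01 10:00:05 192.0.2.14 POST /login.asp - 302 512
2005-03-01 10:00:06 192.0.2.15 GET /about.htm - 200 1800
"""

# Constructed stand-in for the knowledge base of published attack signatures.
ATTACK_SIGNATURES = ["../", "..\\", "%00"]

FIELDS = ["date", "time", "c_ip", "method", "uri_stem", "uri_query", "status", "bytes"]


def parse_line(line):
    """One W3C log line -> dict of named fields with numeric status/bytes."""
    rec = dict(zip(FIELDS, line.split()))
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["uri_query"] = "" if rec["uri_query"] == "-" else rec["uri_query"]
    return rec


def event_vector(rec):
    """Multi-dimensional event vector: stem length, query length, count of
    unusual characters in the URI, error flag (status >= 400), bytes in KB."""
    uri = rec["uri_stem"] + rec["uri_query"]
    unusual = len(re.findall(r"[^A-Za-z0-9/.=&_-]", uri))
    return [float(len(rec["uri_stem"])), float(len(rec["uri_query"])), float(unusual),
            1.0 if rec["status"] >= 400 else 0.0, rec["bytes"] / 1024.0]


def matches_signature(rec):
    return any(sig in rec["uri_stem"] + rec["uri_query"] for sig in ATTACK_SIGNATURES)


class TrainingDatabase:
    """Centre and spread of trusted activity, plus the untrusted cluster."""

    def __init__(self):
        self.trusted, self.untrusted = [], []
        self.mean = self.std = None

    def train(self, records):
        """Training mode: records matching a published signature go to the
        untrusted cluster; everything else defines the trusted baseline."""
        for rec in records:
            (self.untrusted if matches_signature(rec) else self.trusted).append(event_vector(rec))
        self._fit()

    def _fit(self):
        n, dim = len(self.trusted), len(self.trusted[0])
        self.mean = [sum(v[d] for v in self.trusted) / n for d in range(dim)]
        # Floor each spread at 1.0 so a constant feature does not divide by zero.
        self.std = [max(math.sqrt(sum((v[d] - self.mean[d]) ** 2 for v in self.trusted) / n), 1.0)
                    for d in range(dim)]

    def distance(self, vec):
        """Normalised (per-feature z-score) distance from trusted activity."""
        return math.sqrt(sum(((x - m) / s) ** 2 for x, m, s in zip(vec, self.mean, self.std)))

    def reclassify_as_trusted(self, rec):
        """Maintenance: the analyst marks an alerted event as trusted and the
        database is re-trained, so similar subsequent events are accepted."""
        self.trusted.append(event_vector(rec))
        self._fit()


def build_training_database(log_text=TRAINING_LOG):
    db = TrainingDatabase()
    db.train(parse_line(l) for l in log_text.splitlines() if l.strip())
    return db


def monitor(db, line, threshold=4.0, action="alert"):
    """Monitor mode: 'process' when the request is within the acceptable
    distance of trusted activity and matches no signature; otherwise the
    configured action ('alert', 'block' or 'shutdown')."""
    rec = parse_line(line)
    if matches_signature(rec) or db.distance(event_vector(rec)) > threshold:
        return action
    return "process"


# Constructed live requests: routine, a traversal attempt, and a new but benign report page.
ROUTINE = "2005-03-01 10:05:00 192.0.2.20 GET /products.asp id=21 200 3050"
TRAVERSAL = "2005-03-01 10:05:01 198.51.100.7 GET /scripts/../../secret.asp - 404 0"
NEW_REPORT = "2005-03-01 10:05:02 192.0.2.30 GET /reports/q1/summary.htm - 200 20480"

if __name__ == "__main__":
    db = build_training_database()
    print("routine  :", monitor(db, ROUTINE))
    print("traversal:", monitor(db, TRAVERSAL, action="block"))
    print("report   :", monitor(db, NEW_REPORT))       # far from baseline: alert
    db.reclassify_as_trusted(parse_line(NEW_REPORT))   # analyst: this is legitimate
    print("report   :", monitor(db, NEW_REPORT))       # accepted after re-train
```

The point of the last two calls is the maintenance step on the slide: the first visit to the new report page is anomalous relative to the baseline and alerts, the analyst re-classifies it, and after re-training the same request is processed. Six training lines make for a very tight baseline, which is why the example floors each feature's spread at 1.0; with real log volumes the spread comes from the data.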