

  • Number of slides: 13

Developing Anomaly Detection Model for Security Auditing Service
Daisuke Mashima (with Professor Mustaque Ahamad)

Motivation and Scope
  • Online identity theft is going to become more serious.
  • Prevention of identity theft is never perfect: emergence of novel Internet devices, diversity of Internet users, social engineering, etc.
  • We have to do detection in addition to prevention.
  • The system must be transparent not only to users but also to existing applications.
  • We focus on detecting suspicious logins to web applications.

Abstract Image (figure slide)

Identity-usage Monitoring System Architecture
  • Centralized Monitoring Service: conducts the anomaly detection.
  • Decentralized Reverse Proxy: sends login information to the Monitoring Service.
  • Web Bug: makes the user's browser send information automatically.

System Architecture: On the same LAN (figure slide)

Process and Flow (figure slide)

Overview of Demo System
  • User: 192.168.245.1
  • VMware guest: 192.168.245.128
    • Reverse Proxy: Java application, port 80, http://192.168.245.128/logintest/*. Receives user ID, password, IP address, user agent, etc. from the user and forwards the login to the dummy application.
    • Tomcat 5.5, port 8080, http://192.168.245.128:8080/logintest/*
      • Dummy Application (/logintest/login.html, /logintest/login.Demo): receives user ID, password, etc.
      • Monitoring Service (/gtim/Security.Service): performs the anomaly detection.
  • Information sent to the Monitoring Service
    • From the reverse proxy: user ID, IP address, ASP ID, user agent.
    • From the user's browser, via the dummy image request (Web Bug): IP address, ASP ID, user agent, etc.
  • Anomaly detection: compare the User-Agent in the Web Bug request with the one in the profile DB.
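The demo slide shows two reports reaching the Monitoring Service for one login: the reverse proxy's report and the browser's Web Bug request. The following is an added example (not the presentation's code) of how a proxy can inject the web bug and how the service can correlate the two reports. The shared key, the nonce-plus-HMAC token, the `t` query parameter, the timeout and the sample requests are assumptions; only the service path and addresses come from the slide.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Assumptions (not from the slides): a key pre-shared between the reverse proxy and
# the monitoring service, and a query parameter "t" carrying the web-bug token.
SHARED_KEY = b"demo-shared-key-replace-me"
BUG_URL = "http://192.168.245.128:8080/gtim/Security.Service"  # service path from the demo slide


def bug_token(user_id: str, asp_id: str, nonce: str) -> str:
    """Token embedded in the web bug: nonce plus an HMAC over (user, ASP, nonce).
    The MAC stops a third party from posting a bug hit that claims another user's login."""
    msg = f"{user_id}|{asp_id}|{nonce}".encode()
    return nonce + "." + hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def inject_web_bug(html: str, token: str) -> str:
    """Proxy side: append a 1x1 image so the browser contacts the service by itself."""
    tag = f'<img src="{BUG_URL}?t={token}" width="1" height="1" alt="">'
    new_html, n = re.subn(r"</body>", tag + "</body>", html, count=1, flags=re.IGNORECASE)
    return new_html if n else html + tag


@dataclass
class LoginReport:
    user_id: str
    asp_id: str
    ip: str
    user_agent: str
    nonce: str
    t: float  # time the proxy saw the login (seconds)


class MonitoringService:
    """Receives login reports from the proxy and web-bug hits from browsers."""

    def __init__(self, bug_timeout: float = 30.0):
        self.pending: dict[str, LoginReport] = {}  # nonce -> report awaiting its bug hit
        self.bug_timeout = bug_timeout

    def report_login(self, rep: LoginReport) -> None:
        self.pending[rep.nonce] = rep

    def web_bug_hit(self, token: str, ip: str, user_agent: str) -> str:
        """Correlate the browser's image request with the proxy's report."""
        nonce, _, _ = token.partition(".")
        rep = self.pending.get(nonce)
        if rep is None:
            return "unknown-nonce"
        if not hmac.compare_digest(bug_token(rep.user_id, rep.asp_id, nonce), token):
            return "bad-mac"
        del self.pending[nonce]  # one-shot: a replayed token is treated as unknown
        if ip != rep.ip:
            return "ip-mismatch"
        if user_agent != rep.user_agent:
            return "user-agent-mismatch"
        return "consistent"

    def sweep(self, now: float) -> list[LoginReport]:
        """Logins whose bug never fired: a scripted login that never rendered the
        page, or a client that blocks images. Worth a notification on its own."""
        stale = [r for r in self.pending.values() if now - r.t > self.bug_timeout]
        for r in stale:
            del self.pending[r.nonce]
        return stale


def proxy_login(svc: MonitoringService, user_id: str, asp_id: str, ip: str,
                user_agent: str, upstream_html: str, now: float) -> tuple[str, str]:
    """What the reverse proxy does for one login: report it, then rewrite the
    application's response so the browser will fetch the web bug."""
    nonce = secrets.token_hex(8)
    svc.report_login(LoginReport(user_id, asp_id, ip, user_agent, nonce, now))
    return inject_web_bug(upstream_html, bug_token(user_id, asp_id, nonce)), nonce


def demo() -> dict:
    """Constructed walk-through of the cases the service has to distinguish."""
    svc = MonitoringService(bug_timeout=30.0)
    page = "<html><body><h1>Welcome</h1></body></html>"  # constructed upstream response
    ua = "Mozilla/5.0 (demo)"
    html, nonce = proxy_login(svc, "alice", "logintest", "192.168.245.1", ua, page, now=0.0)
    token = bug_token("alice", "logintest", nonce)
    out = {"injected": token in html}
    out["good"] = svc.web_bug_hit(token, "192.168.245.1", ua)
    out["replay"] = svc.web_bug_hit(token, "192.168.245.1", ua)
    _, n2 = proxy_login(svc, "bob", "logintest", "192.168.245.1", ua, page, now=1.0)
    out["ua_mismatch"] = svc.web_bug_hit(bug_token("bob", "logintest", n2), "192.168.245.1", "curl/7.0")
    _, n3 = proxy_login(svc, "carol", "logintest", "192.168.245.1", ua, page, now=2.0)
    out["forged"] = svc.web_bug_hit(n3 + "." + "00" * 32, "192.168.245.1", ua)
    out["stale"] = [r.user_id for r in svc.sweep(now=60.0)]
    return out


if __name__ == "__main__":
    print(demo())
```

The one-shot nonce and the sweep matter in practice: without them a captured bug URL could be replayed to make a later login look consistent, and a login whose bug never arrives (the typical shape of a scripted credential-stuffing attempt) would simply be ignored rather than flagged.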

Detail of Anomaly Detection Process
  • Periodic Detection: its main purpose is creating a blacklist, based on the frequency of the source IP address and the total number of accesses.
  • Per-request Detection: based on the blacklist and the user's individual profile. The user's individual profile is defined per time category, e.g. weekdays and weekends (Calendar Schema).
  • Utilize the delay-based IP geolocation technique: higher availability and precision; can detect IP spoofing "to a certain extent."

Individual Profile
  • Defined for each pair of user ID and Web App ID.
  • By categorizing wisely, the number of tuples can be reduced (Calendar Schema).

Rule-Based Detection and Profile-Based Detection (flow)
  • Search by User ID and Web App ID. Result NG: Notification. Result OK: continue.
  • Time tuple frequency check. NG: Notification. OK: continue.
  • Device and Location check (Profile-Based Detection). OK: Normal. Suspicious or Abnormal: Notification, then user Feedback, whose result is Normal or Abnormal.
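The three slides above describe the detection pipeline: a periodic pass that builds a blacklist from source-IP frequency, an individual profile keyed by (user ID, Web App ID) and bucketed by a calendar schema, and a per-request pass that runs the rule-based checks before the profile-based device and location check, with user feedback folded back into the profile. The following is an added example (not the presentation's code) that implements that flow end to end. The calendar buckets, the frequency threshold, the blacklist threshold and the login records are constructed; geolocation is a per-IP lookup table standing in for the delay-based technique the slides propose.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime

# Assumption: geolocation is abstracted to a per-IP lookup; the slides propose
# delay-based IP geolocation, which is out of scope here. Constructed data.
GEO = {"10.0.0.5": "US", "10.0.0.9": "US", "203.0.113.7": "RO"}


def time_category(ts: datetime) -> str:
    """Calendar schema: collapse a timestamp into a coarse tuple so that a
    user's profile needs only a handful of rows instead of one per login."""
    day = "weekend" if ts.weekday() >= 5 else "weekday"
    h = ts.hour
    slot = "night" if h < 6 else "morning" if h < 12 else "afternoon" if h < 18 else "evening"
    return f"{day}/{slot}"


def periodic_blacklist(records: list[dict], max_per_ip: int) -> set[str]:
    """Periodic detection: source IPs whose total access count in the window
    exceeds the threshold (one host hammering many accounts)."""
    counts = Counter(r["ip"] for r in records)
    return {ip for ip, n in counts.items() if n > max_per_ip}


class ProfileDB:
    """Individual profile keyed by (user ID, web app ID)."""

    def __init__(self):
        self.time: dict[tuple, Counter] = defaultdict(Counter)  # key -> category -> count
        self.devices: dict[tuple, set] = defaultdict(set)       # key -> {(user agent, country)}

    def learn(self, rec: dict) -> None:
        key = (rec["user"], rec["app"])
        self.time[key][time_category(rec["ts"])] += 1
        self.devices[key].add((rec["ua"], GEO.get(rec["ip"], "??")))


def per_request_check(rec: dict, db: ProfileDB, blacklist: set[str],
                      min_time_freq: float = 0.1) -> str:
    """Per-request detection in the order of the flow chart: rule-based checks
    first, then the profile-based device/location check."""
    key = (rec["user"], rec["app"])
    if rec["ip"] in blacklist:
        return "NG:blacklisted-ip"
    if key not in db.time:
        return "NG:no-profile"            # search by user ID / web app ID failed
    counts = db.time[key]
    if counts[time_category(rec["ts"])] / sum(counts.values()) < min_time_freq:
        return "NG:unusual-time"          # time tuple frequency check
    if (rec["ua"], GEO.get(rec["ip"], "??")) not in db.devices[key]:
        return "SUSPICIOUS:new-device-or-location"  # goes to notification + feedback
    return "OK"


def apply_feedback(rec: dict, db: ProfileDB, user_says_normal: bool) -> str:
    """Feedback step: only a login the user confirms is folded into the profile."""
    if user_says_normal:
        db.learn(rec)
        return "Normal"
    return "Abnormal"


def demo() -> dict:
    ua = "Mozilla/5.0 (Windows; Firefox)"
    # Constructed history: alice logs in to "bank" on weekday mornings from 10.0.0.5.
    history = [{"user": "alice", "app": "bank", "ip": "10.0.0.5", "ua": ua,
                "ts": datetime(2008, 3, d, 9, 0)} for d in range(3, 8)]  # Mon..Fri
    # Constructed window for periodic detection: one host tries many accounts at night.
    window = history + [{"user": f"u{i}", "app": "bank", "ip": "10.0.0.9", "ua": "curl",
                         "ts": datetime(2008, 3, 4, 3, 0)} for i in range(6)]
    bl = periodic_blacklist(window, max_per_ip=5)
    db = ProfileDB()
    for r in history:
        db.learn(r)
    base = {"user": "alice", "app": "bank", "ip": "10.0.0.5", "ua": ua}
    out = {"blacklist": sorted(bl)}
    out["usual"] = per_request_check({**base, "ts": datetime(2008, 3, 10, 9, 30)}, db, bl)
    out["night"] = per_request_check({**base, "ts": datetime(2008, 3, 8, 2, 0)}, db, bl)
    out["bad_ip"] = per_request_check({**base, "ip": "10.0.0.9", "ts": datetime(2008, 3, 10, 9, 0)}, db, bl)
    new_loc = {**base, "ip": "203.0.113.7", "ts": datetime(2008, 3, 10, 9, 0)}
    out["new_loc"] = per_request_check(new_loc, db, bl)
    out["feedback"] = apply_feedback(new_loc, db, user_says_normal=True)
    out["after"] = per_request_check(new_loc, db, bl)
    out["unknown_user"] = per_request_check({**base, "user": "mallory", "ts": datetime(2008, 3, 10, 9, 0)}, db, bl)
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the blacklist is checked before the profile lookup, so a known-bad source is rejected even for an account with no history, and the profile is only updated through the feedback step, so an attacker's login cannot silently teach the profile a new device or location.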

Interaction between Monitoring Service and Users
  • Must be independent of the Internet.
  • An automated phone call to the user's cell phone is a strong candidate: most people have cell phones.
  • As long as the phone companies are trustworthy, the channel is regarded as secure.

Future work includes
  • Improve the anomaly detection model: user profiling, intrusion detection.
  • Evaluation: system architecture (security, performance), precision of detection.

Thank you very much for your attention.