Monday, June 25, 2007
Visualization
Anton Chuvakin points to this funny link about visualization. The statement "Chart-based encryption -- data goes in, no information comes out" is especially funny. This is worth keeping in mind when thinking about what to visualize in a security setting. In my work we want to visualize potential intrusion activities and attacks at a network level. We want to give the user a situational picture ("Lägesbild" in Swedish) of the activities at different nodes in the network. In order to do that, we have to use visualization to communicate in an understandable way.
Sunday, May 20, 2007
IDS is dead, long live the IDS!
TaoSecurity: It's Only a Flesh Wound
His remarks are quite interesting to me since my research is mostly on the intrusion detection and alert analysis part, not so much on active response or prevention.
Friday, April 20, 2007
SecViz | Security Visualization
Powered by ScribeFire.
Wednesday, April 18, 2007
TaoSecurity: Fight to Your Strengths
Would it be possible to let a firewall or inline IDS automatically block incoming ssh traffic to the default port and then make ssh communication going out on the default port appear to use a different port? The idea would be to automatically make a temporary obfuscation until it is possible to switch port on the server. In this way it might be possible to not interfere with the running service but still stop automated attacks. Is there anybody out there who can tell me if this would work in reality?
Monday, April 16, 2007
About: Open-Source Security Tools Abound
Linux/Open Source - Open-Source Security Tools Abound
Tuesday, April 10, 2007
Other paper: Remodeling and Simulation of Intrusion Detection Evaluation Dataset
In proceedings of the 2006 International Conference on Security & Management (SAM'06) I have found this paper: Remodeling and Simulation of Intrusion Detection Evaluation Dataset
In the paper, the authors describe how they simulate network traffic (both innocent and malicious traffic) for testing intrusion detection systems.
They want to improve on the MIT LL dataset that is widely thought to have major drawbacks. The drawbacks make it less useful for testing intrusion detection systems.
The paper's main contribution is to create personalized simulations of users' web browsing behavior, while MIT's dataset had only a rough distribution of the overall behavior. They model real users' behavior as probabilistic transition diagrams for browsing sessions, complemented with daily connection distributions, daily connection cumulative densities and session length distributions. Browsing traffic is then generated from the collection of user models, either with a one-to-one mapping from a user model to a simulated user or by generating more simulated users than there are user models.
Email traffic is simulated using a public corpus of emails, while the MIT dataset used a combination of filtered real emails and automatically generated emails. The emails are clustered into four classes, but it is not clear what the classes are used for. Nor is it clear whether the class in the cluster relates to the classes created from the source and destination addresses mentioned earlier. It is also not quite clear how the emails are used in the simulation.
They then claim to have a larger set of attacks than in the MIT dataset, such as DDoS, probes, WWW attacks, RPC, etc.
Finally they show that their simulated web browser behavior more closely resembles their reference network than the MIT dataset simulation, which lacks certain characteristics.
Comment: I would like to be able to use the generated traffic as a basis for my research - too bad there is no link to a public data set.
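To make the user-model scheme summarized above concrete, here is a small generator written for this post (it is not the paper's code and no numbers are taken from the paper or the MIT LL dataset). Each user model is a transition diagram over page categories plus a session length distribution, a daily session count distribution and an hour-of-day distribution for session starts; the geometric and Poisson choices and the two sample users are assumptions made for the example. It also shows both ways of mapping models to simulated users that the paper mentions.

```python
"""Generate synthetic web-browsing traffic from per-user models, following the
scheme the post summarizes: a probabilistic transition diagram over page
categories per user, a session-length distribution, a daily session-count
distribution and an hourly (daily connection) distribution.
Added example code; every model and every number below is constructed."""
from __future__ import annotations
import math
import random
from dataclasses import dataclass


@dataclass
class UserModel:
    name: str
    start: dict[str, float]                    # where a session begins
    transitions: dict[str, dict[str, float]]   # transition diagram (row-stochastic)
    session_len_mean: float                    # mean pages per session (geometric, assumed)
    daily_sessions_mean: float                 # mean sessions per day (Poisson, assumed)
    hourly: dict[int, float]                   # hour-of-day weights for session starts


def validate_model(m: UserModel, tol: float = 1e-9) -> bool:
    """Every distribution must be non-negative and sum to 1, and every page that
    can be reached must have its own transition row."""
    rows = [m.start, m.hourly, *m.transitions.values()]
    if any(abs(sum(r.values()) - 1.0) > tol or min(r.values()) < 0 for r in rows):
        return False
    targets = set(m.start) | {t for r in m.transitions.values() for t in r}
    return targets <= set(m.transitions)


def draw(rng: random.Random, dist: dict) -> object:
    keys, weights = zip(*dist.items())
    return rng.choices(keys, weights=weights, k=1)[0]


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; fine for the small means used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def generate_session(m: UserModel, rng: random.Random) -> list[str]:
    """Random walk on the transition diagram; continue with probability 1 - 1/mean
    after each page, so the expected session length is session_len_mean."""
    page = draw(rng, m.start)
    pages = [page]
    while rng.random() >= 1.0 / m.session_len_mean:
        page = draw(rng, m.transitions[page])
        pages.append(page)
    return pages


def simulate(models: list[UserModel], n_users: int, days: int, seed: int = 0) -> list[dict]:
    """One-to-one mapping when n_users == len(models); otherwise each simulated
    user is assigned one of the models at random (more users than models)."""
    rng = random.Random(seed)
    assignment = (models if n_users == len(models)
                  else [rng.choice(models) for _ in range(n_users)])
    records = []
    for day in range(days):
        for uid, m in enumerate(assignment):
            for _ in range(poisson(rng, m.daily_sessions_mean)):
                records.append({"day": day, "hour": draw(rng, m.hourly), "user": uid,
                                "model": m.name, "pages": generate_session(m, rng)})
    records.sort(key=lambda r: (r["day"], r["hour"], r["user"]))
    return records


def mean_session_length(records: list[dict]) -> float:
    return sum(len(r["pages"]) for r in records) / max(len(records), 1)


# Constructed sample models (not taken from the paper or the MIT LL dataset).
OFFICE_HOURS = {h: (1 / 9 if 8 <= h < 17 else 0.0) for h in range(24)}
CASUAL = UserModel(
    name="casual",
    start={"portal": 0.6, "news": 0.4},
    transitions={"portal": {"news": 0.5, "mail": 0.3, "portal": 0.2},
                 "news": {"news": 0.6, "portal": 0.4},
                 "mail": {"mail": 0.7, "portal": 0.3}},
    session_len_mean=4.0, daily_sessions_mean=3.0, hourly=OFFICE_HOURS)
POWER = UserModel(
    name="power",
    start={"intranet": 1.0},
    transitions={"intranet": {"intranet": 0.5, "wiki": 0.3, "mail": 0.2},
                 "wiki": {"wiki": 0.8, "intranet": 0.2},
                 "mail": {"intranet": 1.0}},
    session_len_mean=8.0, daily_sessions_mean=6.0, hourly=OFFICE_HOURS)
MODELS = [CASUAL, POWER]

if __name__ == "__main__":
    for rec in simulate(MODELS, n_users=5, days=2)[:5]:
        print(rec)
```

The validation step is the part worth keeping even if the rest is replaced: a transition row that does not sum to one, or a page with no outgoing row, silently skews the generated traffic, and that is exactly the kind of defect that makes an evaluation dataset unrepresentative without any visible error.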
Tuesday, April 3, 2007
"Signatures are usually based on vulnerabilities rather than exploits"
Errata Security: ANI 0day vs. intrusion detection providers
"signatures are usually based on vulnerabilities rather than exploits"
This means that learning systems, like Polygraph, that generate signatures from exploits are not automating the signature generation properly. They are, however, able to block worms exploiting unknown vulnerabilities.
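To illustrate the difference the quote is about, here is a small added example (mine, not Errata Security's or Polygraph's code). The "TOY1" record format, its hypothetical 32-byte parser buffer and all samples are constructed for this example and describe no real format or exploit. The vulnerability-based signature fires on the condition the flaw needs (an oversized length field), while the exploit-based signature is learned Polygraph-style as the byte tokens shared by all malicious samples and absent from an innocuous pool; a second sample that triggers the same flaw with different bytes is caught only by the former.

```python
"""Vulnerability-based vs exploit-based signatures (added illustration).
The 'TOY1' record format, its 32-byte parser limit and every sample below
are constructed for this example; nothing here describes a real format,
a real parser or a real exploit."""
from __future__ import annotations

MAGIC = b"TOY1"
PARSER_BUFFER = 32   # hypothetical fixed buffer the imaginary parser copies into


def parse_record(data: bytes) -> tuple[int, bytes] | None:
    """Return (declared_length, body) for a well-formed TOY1 record, else None."""
    if len(data) < 5 or data[:4] != MAGIC:
        return None
    return data[4], data[5:]


def vuln_signature(data: bytes) -> bool:
    """Vulnerability-based: fire on the condition the flaw needs (declared
    length larger than the buffer), whatever bytes follow."""
    rec = parse_record(data)
    return rec is not None and rec[0] > PARSER_BUFFER


def kgrams(data: bytes, k: int) -> set[bytes]:
    return {data[i:i + k] for i in range(len(data) - k + 1)}


def learn_exploit_signature(malicious: list[bytes], innocuous: list[bytes],
                            k: int = 4) -> set[bytes]:
    """Simplified Polygraph-style conjunction signature: byte tokens shared by
    every malicious sample, minus any token seen in the innocuous pool."""
    if not malicious:
        return set()
    tokens = set.intersection(*(kgrams(s, k) for s in malicious))
    seen_benign = set.union(*(kgrams(s, k) for s in innocuous)) if innocuous else set()
    return tokens - seen_benign


def exploit_signature(data: bytes, tokens: set[bytes]) -> bool:
    """Exploit-based: fire only if every learned token is present."""
    return bool(tokens) and all(t in data for t in tokens)


def record(length: int, body: bytes) -> bytes:
    return MAGIC + bytes([length]) + body


# Constructed samples. The "worm" bodies are plain filler; the only thing that
# matters for the hypothetical flaw is the oversized length byte.
BENIGN = [record(10, b"hello, world"), record(20, b"quarterly report")]
WORM_A = [record(200, b"AAAAAAAA" * 4 + b"WORM-A-PAYLOAD"),
          record(200, b"AAAAAAAA" * 4 + b"WORM-A-PAYLOAD-2")]
VARIANT_B = record(200, b"BBBBBBBB" * 4 + b"different")  # same flaw, new bytes

TOKENS = learn_exploit_signature(WORM_A, BENIGN)


def classify(data: bytes, tokens: set[bytes] = TOKENS) -> dict[str, bool]:
    return {"vulnerability_sig": vuln_signature(data),
            "exploit_sig": exploit_signature(data, tokens)}


if __name__ == "__main__":
    for label, sample in [("benign", BENIGN[0]), ("worm A", WORM_A[0]),
                          ("variant B", VARIANT_B)]:
        print(label, classify(sample))
```

Note what each signature needs to know: the vulnerability-based check must understand the record format and the parser's limit, which is why it keeps working when the bytes change; the learned token signature knows nothing about the format at all, which is both why it misses the variant and why, as the post says, it can still catch a worm whose underlying vulnerability nobody has analysed yet.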