Collection of general data mining briefings - PowerPoint PPT Presentation

Title: No Slide Title. Subject: Collection of general data mining briefings. Author: Chris Clifton. Description: Presented to: Olin Howard, AFMC/SC, 1/31/96 Walt Shafer ...
Slides: 51

Transcript and Presenter's Notes

Cyber Security Lecture for July 16, 2010: Network Security
Dr. Bhavani Thuraisingham

  • Introduction to Network Security
  • Types of Secure Network Systems
  • Secure Network Protocols

What is Network Security
  • Network security consists of the provisions made
    in an underlying computer network infrastructure,
    policies adopted by the network administrator to
    protect the network and the network-accessible
    resources from unauthorized access, and
    consistent and continuous monitoring and
    measurement of its effectiveness
  • The terms network security and information
    security are often used interchangeably. Network
    security is generally taken as providing
    protection at the boundaries of an organization
    by keeping out intruders (hackers).
  • Information security, however, explicitly
    focuses on protecting data resources from malware
    attacks or simple mistakes by people within an
    organization, e.g., by use of data loss
    prevention (DLP)

What is Network Security
  • Network security starts from authenticating the
    user, commonly with a username and a password.
  • Once authenticated, a firewall enforces access
    policies such as what services are allowed to be
    accessed by the network users.
  • Though effective to prevent unauthorized access,
    this component may fail to check potentially
    harmful content such as computer worms or Trojans
    being transmitted over the network.
  • Anti-virus software or an intrusion prevention
    system (IPS) help detect and inhibit the action
    of such malware. An anomaly-based intrusion
    detection system may also monitor the network and
    traffic for unexpected (i.e. suspicious) content
    or behavior and other anomalies to protect
    resources, e.g. from denial of service attacks or
    an employee accessing files at strange times.
    Individual events occurring on the network may be
    logged for audit purposes and for later high
    level analysis.

What is Network Security
  • Communication between two hosts using a network
    could be encrypted to maintain privacy.
  • Honeypots, essentially decoy network-accessible
    resources, could be deployed in a network as
    surveillance and early-warning tools. Techniques
    used by attackers that attempt to compromise
    these decoy resources are studied during and
    after an attack to keep an eye on new
    exploitation techniques. Such analysis could be
    used to further tighten security of the actual
    network being protected by the honeypot.
  • A Botnet is a collection of software agents, or
    robots, that run autonomously and automatically.
    The term is most commonly associated with
    malicious software, but it can also refer to a
    network of computers using distributed computing

Network Forensics
  • Network forensics is essentially about monitoring
    network traffic and determining if there is an
    attack and, if so, determining the nature of the
  • Key tasks include traffic capture, analysis and
  • Many tools are now available
  • Works together with IDSs, Firewalls and Honeynets
  • Expert systems solutions show promise

What is Network Forensics?
  • Network forensics is the capture, recording, and
    analysis of network events in order to discover
    the source of security attacks or other problem
  • Network forensics systems can be one of two
  • "Catch-it-as-you-can" systems, in which all
    packets passing through a certain traffic point
    are captured and written to storage with analysis
    being done subsequently in batch mode. This
    approach requires large amounts of storage,
    usually involving a RAID system.
  • "Stop, look and listen" systems, in which each
    packet is analyzed in a rudimentary way in memory
    and only certain information saved for future
    analysis. This approach requires less storage but
    may require a faster processor to keep up with
    incoming traffic.

Network Forensics Analysis Tools (NFAT)
Relationships between IDS, Firewalls and NFAT
  • IDS attempts to detect activity that violates an
    organization's security policy by implementing a
    set of rules describing preconfigured patterns of
  • Firewall allows or disallows traffic to or from
    specific networks, machine addresses and port
  • NFAT synergizes with IDSs and Firewalls.
  • Preserves a long-term record of network traffic
  • Allows quick analysis of trouble spots identified
    by IDSs and Firewalls
  • NFATs must do the following
  • Capture network traffic
  • Analyze network traffic according to user needs
  • Allow system users to discover useful and
    interesting things about the analyzed traffic

NFAT Tasks
  • Traffic Capture
  • What is the policy?
  • What is the traffic of interest?
  • Internal/External?
  • Collect packets (e.g., with tcpdump)
  • Traffic Analysis
  • Sessionizing captured traffic (organize)
  • Protocol parsing and analysis
  • Check for strings, use expert systems for
  • Interacting with NFAT
  • Appropriate user interfaces, reports, examine
    large quantities of information and make it
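
The capture-and-sessionize steps above, as an added example that is not part of the original slides: the script fabricates a small libpcap capture in memory, walks each frame layer by layer (Ethernet, then IPv4 with its header checksum verified, then TCP), groups packets into bidirectional TCP sessions with per-session counters, and runs a simple string check over the reassembled payload. The addresses, ports and the "/admin" request are constructed sample data, not real traffic.

```python
import struct
from collections import defaultdict

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header only (IP does not
    protect the payload; integrity of the data is left to the transport layer)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet II + IPv4 + TCP frame; used only to fabricate the sample capture."""
    eth = bytes(12) + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                     0, 64, 6, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill checksum
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic libpcap container: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample capture (not real traffic): one web session carrying a
# request for /admin, and one telnet attempt that the target refuses with RST.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "192.0.2.10", 40000, 80, TCP_SYN),
    build_frame("192.0.2.10", "10.0.0.5", 80, 40000, TCP_SYN | TCP_ACK),
    build_frame("10.0.0.5", "192.0.2.10", 40000, 80, TCP_ACK, b"GET /admin HTTP/1.0\r\n"),
    build_frame("10.0.0.5", "192.0.2.10", 40001, 23, TCP_SYN),
    build_frame("192.0.2.10", "10.0.0.5", 23, 40001, TCP_RST | TCP_ACK),
])


def parse_pcap(data: bytes):
    """Yield (timestamp, frame) for every record: the 'catch-it-as-you-can' input."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def decode_tcp(frame: bytes):
    """Walk the layers: Ethernet (link) -> IPv4 (internet) -> TCP (transport).
    Returns None for non-IPv4/TCP frames or an IPv4 header whose checksum fails."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if len(ip) < 20 or ipv4_checksum(ip) != 0 or ip[9] != 6:   # a valid header sums to 0
        return None
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[13], tcp[data_off:]


def sessionize(pcap_bytes):
    """Group packets into bidirectional TCP sessions keyed by the sorted pair of
    (ip, port) endpoints, keeping counters and payload only: the 'stop, look and
    listen' style summary an analyst later queries."""
    sessions = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn": False,
                                    "rst": False, "first": None, "last": None,
                                    "payload": b""})
    for ts, frame in parse_pcap(pcap_bytes):
        pkt = decode_tcp(frame)
        if pkt is None:
            continue
        src, dst, sport, dport, flags, payload = pkt
        s = sessions[tuple(sorted([(src, sport), (dst, dport)]))]
        s["packets"] += 1
        s["bytes"] += len(frame)
        s["syn"] = s["syn"] or bool(flags & TCP_SYN)
        s["rst"] = s["rst"] or bool(flags & TCP_RST)
        s["first"] = ts if s["first"] is None else s["first"]
        s["last"] = ts
        s["payload"] += payload
    return dict(sessions)


def suspicious_sessions(sessions, needle=b"/admin"):
    """The 'check for strings' step: sessions whose payload contains the needle."""
    return [key for key, s in sessions.items() if needle in s["payload"]]


if __name__ == "__main__":
    for key, s in sessionize(SAMPLE_PCAP).items():
        print(key, s["packets"], "pkts", "RST" if s["rst"] else "", s["payload"][:20])
```

Replacing SAMPLE_PCAP with the bytes of a file written by tcpdump -w gives the same session table; the checksum test is what separates a corrupted or truncated record from one worth analysing.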

  • Network forensics and honeynet systems have the
    same features of collecting information about
    computer misuse
  • A honeynet system can lure attackers and gain
    information about new types of intrusions
  • Network forensics systems analyze and reconstruct
    the attack behaviors
  • These two systems integrated together build an
    active self-learning and response system to
    profile the intrusion behavior features and
    investigate the original source of the attack.

Policies: Computer Attack Taxonomy
  • Probing
  • Attacker's reconnaissance
  • Attackers create a profile of an organization's
    structure, network capabilities and content,
    security posture
  • Attacker finds the targets and devises plans to
    circumvent the security mechanism
  • Penetration
  • Exploit System Configuration errors and
  • Install Trojans, record passwords, delete files,
  • Cover tracks
  • Configure event logging to a previous state
  • Clear event logs and hide files

Policies to enhance forensics
  • Retaining information
  • Planning the response
  • Training
  • Accelerating the investigation
  • Preventing anonymous activities
  • Protect the evidence

Example Prototype System Iowa State University
  • Network forensics analysis mechanisms should meet
    the following
  • Short response times; user-friendly interfaces
  • Questions addressed
  • How likely is a specific host relevant to the
    attack? What is the role the host played in the
    attack? How strongly are two hosts connected to the
  • Features of the prototype
  • Preprocessing mechanism to reduce redundancy in
    intrusion alerts
  • Graph model for presenting and interacting with
    the evidence
  • Hierarchical reasoning framework for automated
    inference of attack group identification

Example Prototype System Modules
  • Evidence collection module
  • Evidence preprocessing module
  • Attack knowledge base
  • Assets knowledge base
  • Evidence graph generation module
  • Attack reasoning module
  • Analyst interface module

Some Popular Tools
  • Raytheon's SilentRunner
  • Gives administrators help as they attempt to
    protect their company's assets
  • Collector, Analyzer and Visualizer Modules
  • Sandstorm Enterprises' NetIntercept
  • Hardware appliance focused on capturing network
  • Niksun's NetDetector
  • It's an appliance like NetIntercept
  • Has an alerting mechanism
  • Integrates with Cisco IDS for a complete forensic

Types of Secure Network Systems
  • Internet Security Systems
  • Intrusion Detection Systems
  • Firewall Security Systems
  • Storage Area Network Security Systems
  • Network disaster recovery systems
  • Public key infrastructure systems
  • Wireless network security systems
  • Satellite encryption security systems
  • Instant Messaging Security Systems
  • Net privacy systems
  • Identity management security systems
  • Identity theft prevention systems
  • Biometric security systems
  • Homeland security systems

Internet Security Systems
  • Security hierarchy
  • Public, Private and Mission Critical data
  • Unclassified, Confidential, Secret and TopSecret
  • Security Policy
  • Who gets access to what data
  • Bell-LaPadula security policy, noninterference
  • Access Control
  • Role-based access control, Usage control
  • Encryption
  • Public/private keys
  • Secret payment systems
  • Directions
  • Smart cards

Intrusion Detection Systems
  • An intrusion can be defined as any set of
    actions that attempt to compromise the integrity,
    confidentiality, or availability of a resource.
  • Attacks are
  • Host-based attacks
  • Network-based attacks
  • Intrusion detection systems are split into two
  • Anomaly detection systems
  • Misuse detection systems
  • Use audit logs
  • Capture all activities in network and hosts.
  • But the amount of data is huge!

Worm Detection Introduction
  • What are worms?
  • Self-replicating programs that exploit a software
    vulnerability on a victim and remotely infect other
  • Evil worms
  • Severe effect: the Code Red epidemic cost 2.6
  • Automatic signature generation possible
  • EarlyBird system (S. Singh, UCSD); Autograph (H.
    Ah-Kim, CMU)
  • Goals of worm detection
  • Real-time detection
  • Issues
  • Substantial volume of identical traffic, random
  • Methods for worm detection
  • Count the number of sources/destinations; count
    the number of failed connection attempts
  • Worm Types
  • Email worms, Instant Messaging worms, Internet
    worms, IRC worms, File-sharing Networks worms

Email Worm Detection using Data Mining
Task: given some training instances of both
normal and viral emails, induce a hypothesis
to detect viral emails.
We used Naïve Bayes and SVM
Pipeline diagram (labels only): Outgoing Emails,
Feature extraction, Training data, Test data,
Machine Learning, The Model, Clean or Infected?

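
One concrete instance of the feature-extraction, training and classification pipeline sketched above, added here as an example and not the course's own classifier or data: a Bernoulli Naive Bayes written from scratch over five binary email features (executable attachment, sender in the address book, reply subject, link in the body, many recipients), fitted on a small constructed labelled set and applied to two constructed messages. The feature set, the training rows and the messages are assumptions for illustration; the real experiment's features and data are not on the page.

```python
import math

FEATURES = ("exe_attachment", "sender_in_contacts", "is_reply", "has_link", "many_recipients")

# Constructed training set (feature vector in FEATURES order, label); 1 = infected, 0 = clean.
# Not the course's data: rows are chosen to show the method, not to measure it.
TRAIN = [
    ((1, 0, 0, 1, 1), 1),   # exe attachment, stranger, mass-mailed, link
    ((1, 1, 0, 0, 1), 1),   # exe attachment spoofed from a contact, mass-mailed
    ((1, 0, 1, 0, 1), 1),   # fake "Re:" lure with exe, mass-mailed
    ((0, 0, 0, 1, 1), 1),   # link-only lure, mass-mailed
    ((0, 1, 1, 0, 0), 0),   # ordinary reply from a contact
    ((0, 1, 0, 1, 0), 0),   # contact sharing a link
    ((1, 1, 1, 0, 0), 0),   # a contact legitimately sending an executable
    ((0, 1, 0, 0, 0), 0),   # plain note from a contact
    ((0, 0, 0, 1, 1), 0),   # newsletter: link, many recipients, unknown sender
]


class BernoulliNB:
    """Naive Bayes over binary features with Laplace (add-alpha) smoothing.
    Each feature contributes log P(f|class) if present, log(1 - P(f|class)) if absent."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha

    def fit(self, rows):
        self.classes = sorted({y for _, y in rows})
        n_feat = len(rows[0][0])
        self.log_prior, self.log_p1, self.log_p0 = {}, {}, {}
        for c in self.classes:
            xs = [x for x, y in rows if y == c]
            self.log_prior[c] = math.log(len(xs) / len(rows))
            p1 = [(sum(x[j] for x in xs) + self.alpha) / (len(xs) + 2 * self.alpha)
                  for j in range(n_feat)]
            self.log_p1[c] = [math.log(p) for p in p1]
            self.log_p0[c] = [math.log(1.0 - p) for p in p1]
        return self

    def log_posteriors(self, x):
        return {c: self.log_prior[c] + sum(self.log_p1[c][j] if v else self.log_p0[c][j]
                                           for j, v in enumerate(x))
                for c in self.classes}

    def predict(self, x):
        scores = self.log_posteriors(x)
        return max(scores, key=scores.get)


def extract_features(msg, contacts):
    """Feature extraction from a parsed message (dict with from/to/subject/body/attachments)."""
    return (
        int(any(a.lower().endswith((".exe", ".scr", ".pif", ".bat")) for a in msg["attachments"])),
        int(msg["from"] in contacts),
        int(msg["subject"].lower().startswith("re:")),
        int("http://" in msg["body"] or "https://" in msg["body"]),
        int(len(msg["to"]) >= 5),
    )


MODEL = BernoulliNB().fit(TRAIN)
CONTACTS = {"alice@example.org", "bob@example.org"}   # constructed address book

# Constructed messages for illustration
SUSPICIOUS_EMAIL = {
    "from": "noreply@example.net", "to": ["u%d@example.org" % i for i in range(8)],
    "subject": "Your invoice", "body": "Please open the attached document.",
    "attachments": ["invoice.pdf.exe"],
}
NORMAL_EMAIL = {
    "from": "alice@example.org", "to": ["me@example.org"],
    "subject": "Re: lunch", "body": "Noon works for me.", "attachments": [],
}


def classify_email(msg, contacts=CONTACTS, model=MODEL):
    """Gate for outgoing mail: 'infected' messages would be held for review."""
    return "infected" if model.predict(extract_features(msg, contacts)) == 1 else "clean"


if __name__ == "__main__":
    for name, msg in (("suspicious", SUSPICIOUS_EMAIL), ("normal", NORMAL_EMAIL)):
        print(name, extract_features(msg, CONTACTS), classify_email(msg))
```

The newsletter row in the training data is what keeps "many recipients" from being a single decisive feature; with only nine rows the smoothing term dominates, so this is a demonstration of the mechanics rather than a usable detector.
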
Firewall Security Systems
  • Firewall is a system or groups of systems that
    enforces an access control policy between two
  • Benefits
  • Implements access control across networks
  • Maintains logs that can be analyzed
  • Data mining for analyzing firewall logs and
    ensuring policy consistency
  • Limitations
  • No security within the network
  • Difficult to implement content based policies
  • Difficult to protect against malicious code
  • Data driven attacks

Traffic Mining
  • One way to bridge the gap between what is written
    in the firewall policy rules and what is actually
    observed on the network is to analyze the traffic
    and the packet logs against the rules: traffic
    mining
  • Network traffic trends may show that some rules
    are out-dated or have not been used recently
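
The traffic mining idea above, as an added example that is not the course's own code: a first-match rule base in the DMZ style (Internet to DMZ web ports only, DMZ web host to a single internal database host, default deny) is evaluated over a constructed traffic log, and two questions are answered from it: which rules never fired, and which rules can never fire because an earlier rule already covers every packet they could match. Rule numbers, addresses (documentation ranges) and log entries are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    num: int
    action: str            # "allow" | "deny"
    src: str               # CIDR
    dst: str               # CIDR
    proto: str             # "tcp" | "udp" | "any"
    dport: Optional[int]   # None = any port

    def matches(self, pkt) -> bool:
        proto, src, dst, dport = pkt
        return (self.proto in ("any", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dport in (None, dport))


# Constructed DMZ-style rule base (first match wins); 192.0.2.0/24 is the DMZ,
# 10.0.0.0/8 the internal LAN. Not a real deployment.
RULES = [
    Rule(1, "allow", "0.0.0.0/0",    "192.0.2.0/24", "tcp", 80),
    Rule(2, "allow", "0.0.0.0/0",    "192.0.2.0/24", "tcp", 443),
    Rule(3, "allow", "192.0.2.0/24", "10.0.1.5/32",  "tcp", 5432),  # DMZ web -> one DB host
    Rule(4, "allow", "10.0.0.0/8",   "192.0.2.0/24", "tcp", 22),    # admins into the DMZ
    Rule(5, "allow", "0.0.0.0/0",    "192.0.2.0/24", "tcp", 80),    # duplicate of rule 1
    Rule(6, "allow", "192.0.2.0/24", "10.0.1.0/24",  "tcp", 1521),  # legacy DB, decommissioned
    Rule(7, "deny",  "0.0.0.0/0",    "0.0.0.0/0",    "any", None),  # default deny
]

# Constructed traffic log: (proto, src, dst, dport)
LOG = [
    ("tcp", "203.0.113.9", "192.0.2.10", 80),
    ("tcp", "203.0.113.9", "192.0.2.10", 443),
    ("tcp", "192.0.2.10", "10.0.1.5", 5432),
    ("tcp", "203.0.113.9", "10.0.1.5", 5432),   # Internet straight at the DB: denied
    ("tcp", "192.0.2.10", "10.0.1.7", 445),     # DMZ host probing the LAN: denied
    ("udp", "203.0.113.9", "192.0.2.10", 53),
]


def first_match(rules, pkt) -> Optional[Rule]:
    """First-match semantics, as most packet filters evaluate their rule list."""
    return next((r for r in rules if r.matches(pkt)), None)


def mine_rule_usage(rules, log) -> Counter:
    """Traffic mining step 1: how often each rule actually fired on observed traffic."""
    hits = Counter()
    for pkt in log:
        rule = first_match(rules, pkt)
        if rule is not None:
            hits[rule.num] += 1
    return hits


def unused_rules(rules, hits) -> list:
    """Rules that never fired on the log: candidates for review (stale or shadowed)."""
    return [r.num for r in rules if hits[r.num] == 0]


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet b could match is also matched by a."""
    return (a.proto in ("any", b.proto)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.dport in (None, b.dport))


def shadowed_rules(rules) -> list:
    """Traffic mining step 2, independent of any log: (rule, earlier rule) pairs
    where the earlier rule covers the later one, so the later rule can never fire."""
    out = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                out.append((rule.num, earlier.num))
                break
    return out


def denied_from_dmz(rules, log, dmz="192.0.2.0/24", internal="10.0.0.0/8") -> list:
    """Denied DMZ-to-internal attempts: the traffic of interest when a DMZ host is
    suspected of being compromised and used as a pivot (relies on the default deny)."""
    return [pkt for pkt in log
            if ip_address(pkt[1]) in ip_network(dmz)
            and ip_address(pkt[2]) in ip_network(internal)
            and first_match(rules, pkt).action == "deny"]


if __name__ == "__main__":
    hits = mine_rule_usage(RULES, LOG)
    print("hits:", dict(hits), "unused:", unused_rules(RULES, hits))
    print("shadowed:", shadowed_rules(RULES), "DMZ pivots:", denied_from_dmz(RULES, LOG))
```

Rule 5 shows up in both lists for different reasons: the usage count says it was never needed on this traffic, while the coverage check proves it can never be needed on any traffic; rule 4 is only unused, which may simply mean no admin logged in during the capture.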

Firewall Policy Rule

Storage Area Network Security Systems
  • High-performance networks that connect all the
    storage systems
  • After a disaster such as terrorism or a natural
    disaster (9/11 or Katrina), the data has to be
  • Database systems are a special kind of storage
  • Benefits include centralized management,
    scalability, reliability, performance
  • Security attacks on multiple storage devices
  • Secure storage is being investigated

Network Disaster Recovery Systems
  • Network disaster recovery is the ability to
    respond to an interruption in network services by
    implementing a disaster recovery plan
  • Policies and procedures have to be defined and
    subsequently enforced
  • Which machines to shut down, which backup servers
    to use, when law enforcement should be notified

Public Key Infrastructure Systems
  • A certificate authority that issues and verifies
    digital certificates
  • A registration authority that acts as a verifier
    for the certificate authority before a digital
    certificate is issued to a requester
  • One or more directories where the certificates
    with their public keys are held
  • A certificate management system

Digital Identity Management
  • Digital identity is the identity that a user has
    to access an electronic resource
  • A person could have multiple identities
  • A physician could have an identity to access
    medical resources and another to access his bank
  • Digital identity management is about managing the
    multiple identities
  • Manage databases that store and retrieve
  • Resolve conflicts and heterogeneity
  • Make associations
  • Provide security
  • Ontology management for identity management is an
    emerging research area

Digital Identity Management - II
  • Federated Identity Management
  • Corporations work with each other across
    organizational boundaries with the concept of
    federated identity
  • Each corporation has its own identity and may
    belong to multiple federations
  • Individual identity management within an
    organization and federated identity management
    across organizations
  • Technologies for identity management
  • Database management, data mining, ontology
    management, federated computing

Identity Theft Management
  • Need for secure identity management
  • Ease the burden of managing numerous identities
  • Prevent misuse of identity preventing identity
  • Identity theft is stealing another person's
    digital identity
  • Techniques for preventing identity theft include
  • Access control, Encryption, Digital Signatures
  • A merchant encrypts the data with the public key
    of the recipient and signs it with the merchant's
    own private key
  • The recipient decrypts with his private key and
    verifies the signature with the merchant's public
    key

  • Early Identification and Authentication (IA)
    systems were based on passwords
  • Recently physical characteristics of a person are
    being used for identification
  • Fingerprinting
  • Facial features
  • Iris scans
  • Voice recognition
  • Facial expressions
  • Biometrics techniques will provide access not
    only to computers but also to building and homes
  • Systems are vulnerable to attack e.g., Fake

Homeland Security Systems
  • Border and Transportation Security
  • RFID technologies?
  • Emergency preparedness
  • After an attack happens what actions are to be
  • Chemical, Biological, Radiological and Nuclear
  • Sensor technologies
  • Information analysis and Infrastructure
  • Data mining, security technologies

Other Types of Systems
  • Wireless security systems
  • Protecting PDAs and phones against denial of
    service and related attacks
  • Satellite encryption systems
  • Pretty Good Privacy (PGP), which uses RSA
  • Instant messaging
  • Deployment of instant messaging is usually not
  • Should IM be blocked?
  • Net Privacy
  • Can we ensure privacy on the networks and systems
  • Privacy preserving access?

OSI Model
  • The Open Systems Interconnection model (OSI
    model) is a product of the Open Systems
    Interconnection effort at the International
    Organization for Standardization.
  • It is a way of sub-dividing a communications
    system into smaller parts called layers. A layer
    is a collection of conceptually similar functions
    that provide services to the layer above it and
    receives services from the layer below it.
  • On each layer an instance provides services to
    the instances at the layer above and requests
    service from the layer below.

OSI Model
  • The Physical Layer defines the electrical and
    physical specifications for devices. In
    particular, it defines the relationship between a
    device and a physical medium.
  • This includes the layout of pins, voltages, cable
    specifications, hubs, repeaters, network
    adapters, host bus adapters (HBAs used in storage
    area networks) and more.
  • The Data Link Layer provides the functional and
    procedural means to transfer data between network
    entities and to detect and possibly correct
    errors that may occur in the Physical Layer.
  • The Network Layer provides the functional and
    procedural means of transferring variable length
    data sequences from a source to a destination via
    one or more networks, while maintaining the
    quality of service requested by the Transport
    Layer. The Network Layer performs network routing
    functions, and might also perform fragmentation
    and reassembly, and report delivery errors.
    Routers operate at this layer, sending data
    throughout the extended network and making the
    Internet possible.

OSI Model
  • The Transport Layer provides transparent transfer
    of data between end users, providing reliable
    data transfer services to the upper layers. The
    Transport Layer controls the reliability of a
    given link through flow control,
    segmentation/desegmentation, and error control.
  • Some protocols are state and connection oriented.
    This means that the Transport Layer can keep
    track of the segments and retransmit those that
  • Although not developed under the OSI Reference
    Model and not strictly conforming to the OSI
    definition of the Transport Layer, typical
    examples of Layer 4 are the Transmission Control
    Protocol (TCP) and User Datagram Protocol (UDP).

OSI Model
  • The Session Layer controls the dialogues
    (connections) between computers. It establishes,
    manages and terminates the connections between
    the local and remote application. It provides for
    full-duplex, half-duplex, or simplex operation,
    and establishes checkpointing, adjournment,
    termination, and restart procedures.
  • Presentation layer provides independence from
    differences in data representation (e.g.,
    encryption) by translating from application to
    network format, and vice versa.
  • The presentation layer works to transform data
    into the form that the application layer can
    accept. This layer formats and encrypts data to
    be sent across a network, providing freedom from
    compatibility problems. It is sometimes called
    the syntax layer.

Application Layer
  • APPC, Advanced Program-to-Program Communication
  • DNS, Domain Name System (Service) Protocol
  • FTAM, File Transfer Access and Management
  • FTP, File Transfer Protocol
  • Gopher, Gopher protocol
  • HL7, Health Level Seven
  • HTTP, Hypertext Transfer Protocol
  • IMAP, IMAP4, Internet Message Access Protocol
  • IRCP, Internet Relay Chat Protocol
  • LDAP, Lightweight Directory Access Protocol
  • LPD, Line Printer Daemon Protocol
  • MIME (S-MIME), Multipurpose Internet Mail
    Extensions and Secure MIME

Application Layer
  • NFS, Network File System
  • NIS, Network Information Service
  • NTP, Network Time Protocol
  • POP, POP3, Post Office Protocol (version 3)
  • SIP, Session Initiation Protocol
  • SMTP, Simple Mail Transfer Protocol
  • SNMP, Simple Network Management Protocol
  • SSH, Secure Shell
  • TELNET, Terminal Emulation Protocol of TCP/IP
  • VTP, Virtual Terminal Protocol
  • X.400, Message Handling Service Protocol
  • X.500, Directory Access Protocol (DAP)

Network Protocols Technologies
  • Token Bus
  • Token Ring
  • X.25
  • Routing protocols
  • IEEE 802 Standards

  • In the TCP/IP model of the Internet, protocols
    are not as rigidly designed into strict layers as
    the OSI model.
  • TCP/IP does recognize four broad layers of
    functionality which are derived from the
    operating scope of their contained protocols,
    namely the scope of the software application, the
    end-to-end transport connection, the
    internetworking range, and lastly the scope of
    the direct links to other nodes on the local
  • The Internet Application Layer includes the OSI
    Application Layer, Presentation Layer, and most
    of the Session Layer. Its end-to-end Transport
    Layer includes the graceful close function of the
    OSI Session Layer as well as the OSI Transport
    Layer. The internetworking layer is a subset of
    the OSI Network Layer (see above), while the Link
    Layer includes the OSI Data Link and Physical
    Layers, as well as parts of OSI's Network Layer.

  • Internet Protocol version 4 (IPv4) is the fourth
    revision in the development of the Internet
    Protocol (IP) and it is the first version of the
    protocol to be widely deployed. Together with
    IPv6, it is at the core of standards-based
    internetworking methods of the Internet. IPv4 is
    still by far the most widely deployed Internet
    Layer protocol.
  • IPv4 is a connectionless protocol for use on
    packet-switched Link Layer networks (e.g.,
    Ethernet). It operates on a best effort delivery
    model, in that it does not guarantee delivery,
    nor does it assure proper sequencing, or avoid
    duplicate delivery. These aspects, including data
    integrity, are addressed by an upper layer
    transport protocol (e.g., Transmission Control

  • Internet Protocol Security (IPsec) is a protocol
    suite for securing Internet Protocol (IP)
    communications by authenticating and encrypting
    each IP packet of a data stream. IPsec also
    includes protocols for establishing mutual
    authentication between agents at the beginning of
    the session and negotiation of cryptographic keys
    to be used during the session. IPsec can be used
    to protect data flows between a pair of hosts
    (e.g. computer users or servers), between a pair
    of security gateways (e.g. routers or firewalls),
    or between a security gateway and a host
  • IPsec is a dual-mode (transport and tunnel),
    end-to-end security scheme operating at the
    Internet Layer of the Internet Protocol Suite, or
    OSI model Layer 3. Some other Internet security
    systems in widespread use, such as Secure Sockets
    Layer (SSL), Transport Layer Security (TLS) and
    Secure Shell (SSH), operate in the upper layers of
    these models. Hence, IPsec can be used for
    protecting any application traffic across the
    Internet without changing the application.

  • Transport Layer Security (TLS) and its
    predecessor, Secure Sockets Layer (SSL), are
    cryptographic protocols that provide security for
    communications over networks such as the
    Internet. TLS and SSL sit above the Transport
    Layer: they encrypt application data before it is
    handed to TCP, giving end-to-end protection of
    the payload (the IP and TCP headers themselves
    are not protected)
  • Several versions of the protocols are in
    widespread use in applications like web browsing,
    electronic mail, Internet faxing, instant
    messaging and voice-over-IP (VoIP).
  • The TLS protocol allows client/server
    applications to communicate across a network in a
    way designed to prevent eavesdropping and
    tampering. TLS provides endpoint authentication
    and communications confidentiality over the
    Internet using cryptography. TLS provides RSA

  • In typical end-user/browser usage, TLS
    authentication is unilateral: only the server is
    authenticated (the client knows the server's
    identity), but not vice versa (the client remains
    unauthenticated or anonymous).
  • TLS also supports the more secure bilateral
    connection mode (typically used in enterprise
    applications), in which both ends of the
    "conversation" can be assured with whom they are
    communicating (provided they diligently
    scrutinize the identity information in the other
    party's certificate). This is known as mutual
    authentication, or 2SSL. Mutual authentication
    requires that the TLS client-side also hold a
    certificate (which is not usually the case in the
    end-user/browser scenario).

  • DMZ, or demilitarized zone, is a physical or
    logical subnetwork that contains and exposes an
    organization's external services to a larger
    untrusted network, usually the Internet.
  • IT professionals normally refer to it as a DMZ;
    it is sometimes called a perimeter network.
  • The purpose of a DMZ is to add an additional
    layer of security to an organization's Local Area
    Network (LAN): an external attacker who
    compromises an exposed service only has access to
    equipment in the DMZ, rather than any other part
    of the network.

  • In a network, the hosts most vulnerable to attack
    are those that provide services to users outside
    of the local area network, such as e-mail, web
    and DNS servers.
  • Because of the increased potential of these hosts
    being compromised, they are placed into their own
    sub-network in order to protect the rest of the
    network if an intruder were to succeed. Hosts in
    the DMZ have limited connectivity to specific
    hosts in the internal network, though
    communication with other hosts in the DMZ and to
    the external network is allowed.
  • This allows hosts in the DMZ to provide services
    to both the internal and external network, while
    an intervening firewall controls the traffic
    between the DMZ servers and the internal network

  • Wireless Application Protocol (WAP) is an open
    international standard for application-layer
    network communications in a wireless-communication
    environment. Most use of WAP involves accessing
    the mobile web from a mobile phone or from a PDA.
  • A WAP browser provides all of the basic services
    of a computer-based web browser but simplified to
    operate within the restrictions of a mobile
    phone, such as its smaller view screen. Users can
    connect to WAP sites websites written in, or
    dynamically converted to, WML (Wireless Markup
    Language) and accessed via the WAP browser.

Instant Messaging
  • Instant messaging (IM) is a form of real-time
    direct text-based communication between two or
    more people using personal computers or other
    devices, along with shared software clients. The
    user's text is conveyed over a network, such as
    the Internet. More advanced instant messaging
    software clients also allow enhanced modes of
    communication, such as live voice or video
  • IM falls under the umbrella term online chat, as
    it is a real-time text-based networked
    communication system, but is distinct in that it
    is based on clients that facilitate connections
    between specified known users ("Contact List"),
    whereas online 'chat' also includes web-based
    applications that allow communication between
    (often anonymous) users in a multi-user

  • A virtual private network (VPN) is a network that
    uses a public telecommunication infrastructure,
    such as the Internet, to provide remote offices
    or individual users with secure access to their
    organization's network. It aims to avoid an
    expensive system of owned or leased lines that
    can only be used by one organization. The goal of
    a VPN is to provide the organization with the
    same, secure capabilities, but at a much lower
  • It encapsulates data transfers between two or
    more networked devices not on the same private
    network so as to keep the transferred data
    private from other devices on one or more
    intervening local or wide area networks. There
    are many different classifications,
    implementations, and uses for VPNs.

Next Steps
  • Cloud computing security (sometimes referred to
    simply as "cloud security") is an evolving
    sub-domain of computer security, network
    security, and, more broadly, information
    security. It refers to a broad set of policies,
    technologies, and controls deployed to protect
    data, applications, and the associated
    infrastructure of cloud computing.
  • Security issues fall into two broad categories:
    security issues faced by cloud providers
    (organizations providing Software-, Platform-, or
    Infrastructure-as-a-Service via the cloud) and
    security issues faced by their customers. In most
    cases, the provider must ensure that their
    infrastructure is secure and that their clients'
    data and applications are protected, while the
    customer must ensure that the provider has taken
    the proper security measures to protect their