The paper “Reduction of False Positive Intrusions by Using Neural Nets”, which I worked on with colleagues, is now available in the IEEE Digital Library.
Abstract
The main idea of this paper is to propose a new solution for a Wireless Intrusion Detection Prevention System (WIDPS). The proposed WIDPS has a high degree of autonomy in tracking suspicious activity and detecting positive intrusions. Our focus was the reduction of detected false positive intrusions by implementing an adaptive self-learning neural net in the system. Once it is fully developed and tested, this WIDPS would enable real-time response against threats, even zero-day attacks.
Remark: A subscription to the IEEE Digital Library is required to download the full paper in PDF format.
The 8th IEEE International Conference TELSIKS 2007 will take place from September 26 - 28, 2007 in Nis, Serbia. Visit the conference site here. The paper titled “Reduction of False Positive Intrusions by Using Neural Nets”, which I worked on with a couple of associates, will be presented at this conference. It is scheduled for Wednesday, September 26th, 2007 in the session Wireless Communications I as an invited paper. The full conference program document is here.
My paper “Network Systems Intrusion: Concept, Detection, Decision, and Prevention” has been published here; go to page 40.
Abstract:
This paper analyzes concepts for intrusion detection processes; building decision making (DM) criteria on the basis of intrusion detection, and prevention based on DM as the last level of protection in computer systems and networks. The second part of the paper discusses a practical implementation of Intrusion Detection and Prevention Systems (IDPS) based on wireless technology (WIDPS). Basically, the paper concentrates on the problems and answers of how to differentiate between legal and illegal access, i.e. intrusion, and what the key and root causes of this difference are. Two issues are distinguished: finding the set of concepts needed for detection and a set of criteria for DM in IDPS. The paper concludes with achieved results and future goals related to the automated DM process in wireless technology.
If you want to reference or cite this paper, here are the details:
- Dragan Pleskonjic, Sanida Omerovic, Saso Tomazic, “Network Systems Intrusion: Concept, Detection, Decision, and Prevention”, IPSI BgD Transactions on Internet Research, January 2007, Volume 3, Number 1, ISSN 1820-4503, pages 40-49.
One of my research interests for the last couple of years has been Intrusion Detection and Prevention Systems (IDS/IPS), especially wireless and mobile ones. I call them WIDS/WIPS and MIDS/MIPS. My research in this area also considers the use of artificial intelligence to build better IDS/IPS systems. At the 19th Annual Computer Security Applications Conference (December 8-12, 2003, Las Vegas, Nevada, USA) I talked about a Wireless Intrusion Detection System (WIDS) and proposed a multilevel and multidimensional system with the following components: agent, sensor, server, and management and reporting tools. I have also talked at some other conferences and published papers on this topic. You can see more about this work here and here. There are different approaches to intrusion detection and prevention, but a very common problem with commercially available IDS/IPS is that they suffer from many false alarms (false positives and false negatives) and from performance problems. A separate problem is the so-called “zero-day” attacks, which pass the majority of today’s IDS systems unnoticed.
Stefano Zanero from the Dipartimento di Elettronica e Informazione, Politecnico di Milano, presented the paper “360° Anomaly-Based Unsupervised Intrusion Detection” at the Black Hat conference. In a YouTube video he provides an overview of his research into the subject, illustrating how he worked to find ways to detect intruders without relying on signatures. See his whitepaper and his presentation from Black Hat Europe 2007.
The availability of a new version of OSSEC (Open Source Host-based Intrusion Detection System) was announced today on the SecurityFocus mailing list dedicated to intrusion detection systems.
OSSEC performs log analysis, file integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS, Solaris and Windows.
This new version comes with many new features, including:
A large re-design of the internal architecture of analysisd (the OSSEC process responsible for decoding and analysis) has been completed, greatly improving performance and organization.
A week ago, Neel Mehta from IBM Internet Security Systems X-Force reported a vulnerability in Snort which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused by a boundary error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests. This can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent over a network that is monitored by Snort. Note that the attacker does not have to address the sensor itself: it is enough that the crafted traffic crosses a segment the sensor is passively inspecting.
Successful exploitation allows execution of arbitrary code.
The vulnerability reportedly affects the following versions:
- Snort 2.6.1, 2.6.1.1, and 2.6.1.2
- Snort 2.7.0 beta 1
The solution is to update to version 2.6.1.3. The vendor recommends that beta users disable the DCE/RPC preprocessor.
This problem has been reported on the Snort web site (here) and on Slashdot (here). Sourcefire has not received any reports that this vulnerability has been exploited.
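The bug class described above (a reassembler that copies fragments into a fixed-size stack buffer without checking the accumulated length) is easy to reproduce in miniature. The following is an added example written for this page; it is not Snort's code and the fragment format is hypothetical. It shows the flawed check, which validates each fragment against the buffer size but not against the space remaining, beside the hardened form. To observe the overrun without invoking undefined behaviour, the flawed reassembler is run on a heap buffer that is larger than the size it is told it has.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size the reassembly code believes its (stack) buffer has. */
#define REASSEMBLY_BUF_SIZE 1024

/* One fragment of a multi-packet request (hypothetical wire format). */
struct fragment {
    const uint8_t *data;
    size_t len;
};

/*
 * Flawed pattern: each fragment is checked against the total buffer size,
 * but the running offset is not, so several individually valid fragments
 * overflow the buffer together.  Returns bytes written, or -1 if a single
 * fragment is rejected.
 */
long reassemble_flawed(uint8_t *buf, size_t buf_size,
                       const struct fragment *frags, size_t nfrags)
{
    size_t off = 0;
    for (size_t i = 0; i < nfrags; i++) {
        if (frags[i].len > buf_size)          /* per-fragment check only */
            return -1;
        memcpy(buf + off, frags[i].data, frags[i].len);
        off += frags[i].len;                  /* may now exceed buf_size */
    }
    return (long)off;
}

/*
 * Hardened form: compare each fragment against the space that remains.
 * Written as a subtraction so that off + len cannot wrap around.
 */
long reassemble_checked(uint8_t *buf, size_t buf_size,
                        const struct fragment *frags, size_t nfrags)
{
    size_t off = 0;
    for (size_t i = 0; i < nfrags; i++) {
        if (frags[i].len > buf_size - off)    /* remaining space, not total */
            return -1;
        memcpy(buf + off, frags[i].data, frags[i].len);
        off += frags[i].len;
    }
    return (long)off;
}

/* Constructed input: two fragments of frag_len bytes each (max 600). */
static struct fragment *two_fragments(size_t frag_len)
{
    static uint8_t payload[600];
    static struct fragment frags[2];
    if (frag_len > sizeof payload) frag_len = sizeof payload;
    memset(payload, 'A', sizeof payload);
    frags[0].data = payload; frags[0].len = frag_len;
    frags[1].data = payload; frags[1].len = frag_len;
    return frags;
}

/*
 * Two 600-byte fragments pass the per-fragment check but total 1200 bytes.
 * The flawed reassembler is given a heap buffer twice the size it is told,
 * so the spill lands in real memory and can be counted.  Returns how many
 * bytes were written past the declared buffer size.
 */
long flawed_overrun_bytes(void)
{
    struct fragment *frags = two_fragments(600);
    uint8_t *slack = calloc(2 * REASSEMBLY_BUF_SIZE, 1);
    if (!slack) return -1;
    long written = reassemble_flawed(slack, REASSEMBLY_BUF_SIZE, frags, 2);
    long overrun = 0;
    for (size_t i = REASSEMBLY_BUF_SIZE; i < 2 * REASSEMBLY_BUF_SIZE; i++)
        if (slack[i] == 'A') overrun++;
    free(slack);
    return written > (long)REASSEMBLY_BUF_SIZE ? overrun : 0;
}

/* Same shape of input through the hardened version: -1 means rejected. */
long checked_result(size_t frag_len)
{
    struct fragment *frags = two_fragments(frag_len);
    uint8_t buf[REASSEMBLY_BUF_SIZE];
    return reassemble_checked(buf, sizeof buf, frags, 2);
}

int main(void)
{
    printf("flawed: %ld bytes written past the buffer\n", flawed_overrun_bytes());
    printf("checked, 2 x 600: %ld (-1 = rejected)\n", checked_result(600));
    printf("checked, 2 x 500: %ld bytes reassembled\n", checked_result(500));
    return 0;
}
```

In the real preprocessor the buffer lives on the stack, so the 176 spilled bytes here would land on saved registers and the return address instead of on slack heap memory; that is what turns a parsing bug into code execution on the sensor.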
The 10th International Symposium on Recent Advances in Intrusion Detection (RAID 2007) will be held on September 5-7, 2007 at the Crowne Plaza Hotel, Gold Coast, Queensland, Australia. The symposium is hosted by the Information Security Institute, Queensland University of Technology, Brisbane, Australia.
This symposium, the 10th in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss issues and technologies related to intrusion detection and defense. The Recent Advances in Intrusion Detection (RAID) International Symposium series is intended to further advances in intrusion defense by promoting the exchange of ideas in a broad range of topics. As in previous years, all topics related to intrusion detection, prevention and defense systems and technologies are within scope, including but not limited to the following:
- Intrusion detection and prevention techniques
- High-performance intrusion detection
- Intrusion detection in special environments (e.g., mobile networks)
- IDS cooperation and event correlation
- Formal models and analysis
- Attack response, countermeasures, and intrusion tolerance
- Survivability and self-protection
- Attacks against IDS and evasion
- Insider threat detection and mitigation
- Deception systems and honeypots
- Malicious code detection and containment
- Visualization techniques
- Intrusion detection assessment and benchmarking
- IDS interoperability standards and standardization
- Vulnerability analysis and risk assessment
- Legal and social issues
Visit RAID 2007 website here.