Neural Technology and Fuzzy Systems in Network Security Project Progress 2

Page 1: Neural Technology and Fuzzy Systems in Network Security Project Progress 2

Neural Technology and Fuzzy Systems in Network Security

Project Progress 2

Group 2:
Omar Ehtisham Anwar 2005-02-0129
Aneela Laeeq 2005-02-0023

Page 2: Neural Technology and Fuzzy Systems in Network Security Project Progress 2

Neural Techniques

IPS tools are based on static rules alone

Neural Techniques seek to classify all new events and highlight those that appear most threatening

Neural Techniques allow the security expert to be the final arbiter

Page 3: Neural Technology and Fuzzy Systems in Network Security Project Progress 2

The Neural Security Layer

Fuzzy Clustering
  Creates a baseline profile of the network in various states by “training” itself
  Establishes patterns and does not determine an exact profile of what a user does
  Uses algorithms that identify these patterns and separates clusters accordingly

Kernel Classifier
  Determines which existing cluster a new event most likely belongs to
  Classifies events according to how far away they are from the norm (any existing cluster)
  Events farthest away bubble to the top where administrators take manual action
  Uses algorithms based on non-linear distribution laws, which use statistics to track what happens over extended periods of time

Page 4: Neural Technology and Fuzzy Systems in Network Security Project Progress 2

Clusters

A set of XML files that become model filters or knowledge base for the network resource being monitored

The knowledge base is continually updated based on:
  Results of day-to-day activities
  Data from third-party sources, such as IDS signatures

Page 5: Neural Technology and Fuzzy Systems in Network Security Project Progress 2

Six Steps to Producing Security Intelligence

1) Designate Data: Data can be system log entries or any other raw or formatted measure of activity in the environment.

2) Model Analyst Expertise: Variables, weights, centers and pertinent event knowledge, which together comprise the analytic or data mining model, are configured based on the specific analysis requirements and the unique attributes of the particular environment.

3) Train Model: The process of organizing the designated security data into multi-dimensional “event vectors” within the context of the analytic models. This establishes the baseline activity.

4) Generate Knowledge: Live or offline data is compared against the contents of the training baseline and classified accordingly.

5) Teach Model: User supervision and the infusion of expert knowledge are essential to accurate event classification and system base-lining, and to filtering out non-threatening anomalous activity.

6) Leverage Knowledge: System output is invaluable for the real-time or offline analysis, detection and prevention of any type of potential internal or external criminal activity or system misuse.

Page 6: Neural Technology and Fuzzy Systems in Network Security Project Progress 2

Neural Security (NS) Tool

Monitors activity on Microsoft Internet Information Server (IIS) Web servers

Preconfigured to monitor activity on a single IIS server or an entire server farm

In training mode, examines IIS logs to determine normal activity of the server and creates its clusters

Comes with a knowledge base of known IIS exploits

Unlike rule-based security systems, NS quickly adapts to each unique installation and will continue to adapt as more information is added to its knowledge base

Page 7: Neural Technology and Fuzzy Systems in Network Security Project Progress 2

Neural Security (NS) Tool

Training Mode
  Organize IIS-specific data into clusters that reflect normal use patterns (both trusted and untrusted) within the server environment
  The process of organizing clusters is guided by a built-in knowledge base of published attack signatures

Monitor Mode
  Compare every incoming request to IIS against the Training Database to determine whether it falls within an acceptable distance of trusted activity
  Within limits of trusted activity: process continues
  Outside limits of trusted activity: initiate whatever action has been configured, e.g. post an on-screen alert, block the untrusted connection or shut down IIS

Page 8: Neural Technology and Fuzzy Systems in Network Security Project Progress 2

Neural Security (NS) Tool

Maintenance
  Proper classification of events is essential
  Maintain as Security Alerts are displayed, or
  Review the Security Alert Log periodically
  After re-classification of events, “Re-Train” the database
  NS remembers the correct classification and characteristics of events, which are then applicable to the analysis of subsequent events
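As an added worked example (not code from the presentation or from the Neural Security product), the following Python sketches the pipeline that the fuzzy clustering and kernel classifier slide, the six steps, and the NS tool's training, monitor and maintenance modes all describe: designated IIS-style log lines are turned into event vectors, fuzzy clustering of the training set establishes the baseline, each monitored event is scored by its distance from the nearest cluster centre, the farthest events bubble to the top for review, and an analyst's re-classification is remembered and applied to later events. The log format, the choice and scaling of features, the slack factor on the acceptable distance, the use of plain fuzzy c-means (the slides do not name an algorithm) and the constructed log lines are all assumptions; the "QA load test" teaching scenario is likewise invented for illustration.

```python
import math
import re

# Constructed W3C-style IIS log lines (date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status sc-bytes); sample data, not real traffic.
TRAINING_LOG = """\
2005-03-01 10:00:01 10.0.0.5 GET /index.htm - 200 1532
2005-03-01 10:00:09 10.0.0.7 GET /products/list.asp cat=1 200 8800
2005-03-01 10:00:15 10.0.0.9 GET /products/list.asp cat=2 200 8710
2005-03-01 10:01:02 10.0.0.7 POST /login.asp - 302 120
2005-03-01 10:01:30 10.0.0.9 GET /products/view.asp id=17 200 6100
2005-03-01 10:02:00 10.0.0.5 GET /missing.htm - 404 1200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_event(line):
    """Step 1, designate data: a raw log line becomes a structured event."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    _date, _time, ip, method, stem, query, status, nbytes = m.groups()
    return {"ip": ip, "method": method, "stem": stem,
            "query": "" if query == "-" else query,
            "status": int(status), "bytes": int(nbytes)}


def event_vector(ev):
    """Step 2, model analyst expertise: which variables to measure and how to
    scale them (a crude weighting) is an analyst's choice, assumed here."""
    return [len(ev["stem"]) / 50.0,                        # path length
            ev["stem"].count("/") / 5.0,                   # path depth
            len(ev["query"]) / 50.0,                       # query length
            (ev["stem"] + ev["query"]).count("%") / 5.0,   # percent-encoded chars
            1.0 if ev["method"] != "GET" else 0.0,         # non-GET method
            1.0 if ev["status"] >= 400 else 0.0,           # error status
            math.log1p(ev["bytes"]) / 10.0]                # response size, log-scaled


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fuzzy_cmeans(vectors, k=2, m=2.0, rounds=30):
    """Step 3, train: fuzzy c-means gives each event a graded membership in
    every cluster, so the baseline is a pattern rather than an exact profile.
    Seeded with the first k events for determinism; returns the centres."""
    centres = [list(v) for v in vectors[:k]]
    for _ in range(rounds):
        memb = []
        for v in vectors:
            d = [max(distance(v, c), 1e-9) for c in centres]
            memb.append([1.0 / sum((d[j] / d[l]) ** (2.0 / (m - 1)) for l in range(k))
                         for j in range(k)])
        centres = [[sum(u[j] ** m * v[i] for u, v in zip(memb, vectors))
                    / sum(u[j] ** m for u in memb) for i in range(len(vectors[0]))]
                   for j in range(k)]
    return centres


class BaselineModel:
    """Cluster centres plus analyst-taught exemplars: the knowledge base."""

    def __init__(self, log_text, k=2, slack=1.5):
        lines = [l for l in log_text.splitlines() if l.strip()]
        self.vectors = [event_vector(parse_event(l)) for l in lines]
        self.centres = fuzzy_cmeans(self.vectors, k)
        # Acceptable distance: farthest training event from its nearest centre,
        # widened by a slack factor (both are assumed tuning choices).
        self.radius = slack * max(self._nearest(v) for v in self.vectors)
        self.taught = []  # (vector, label) pairs supplied by the analyst

    def _nearest(self, v):
        return min(distance(v, c) for c in self.centres)

    def classify(self, line):
        """Step 4, generate knowledge: score one event against the baseline."""
        v = event_vector(parse_event(line))
        d = self._nearest(v)
        # Step 5: a remembered analyst decision wins when the event lies closer
        # to a taught exemplar than to any baseline cluster.
        for tv, label in self.taught:
            if distance(v, tv) < d:
                return {"raw": line.strip(), "distance": d, "verdict": label, "source": "taught"}
        verdict = "within-limits" if d <= self.radius else "outside-limits"
        return {"raw": line.strip(), "distance": d, "verdict": verdict, "source": "baseline"}

    def rank(self, lines):
        """Monitor mode: events farthest from the norm bubble to the top."""
        return sorted((self.classify(l) for l in lines if l.strip()),
                      key=lambda r: r["distance"], reverse=True)

    def teach(self, line, label):
        """Maintenance: store a re-classification for use on later events."""
        self.taught.append((event_vector(parse_event(line)), label))


# Constructed monitoring traffic: two ordinary requests and one that resembles
# nothing in training (long, heavily percent-encoded query, server error).
ODD_LINE = "2005-03-02 09:00:07 10.0.0.44 GET /products/view.asp id=" + "%41" * 40 + " 500 900"
MONITOR_LINES = ["2005-03-02 09:00:00 10.0.0.9 GET /products/view.asp id=19 200 6000",
                 "2005-03-02 09:00:05 10.0.0.5 GET /index.htm - 200 1532",
                 ODD_LINE]

if __name__ == "__main__":
    model = BaselineModel(TRAINING_LOG)
    for r in model.rank(MONITOR_LINES):
        print("%-14s %6.2f  %s" % (r["verdict"], r["distance"], r["raw"]))
    model.teach(ODD_LINE, "trusted")  # assumed scenario: analyst confirms a QA load test
    print("after teaching:", model.classify(ODD_LINE)["verdict"])
```

Run as a script, the odd request ranks first with the verdict "outside-limits" while the two ordinary requests fall inside the acceptable distance; after the analyst teaches the model that the odd request was trusted, the same line (and anything that sits closer to it than to the baseline clusters) is reported as "trusted" from the taught knowledge. Distance to the nearest centre stands in for the slides' "kernel classifier" and the taught-exemplar check for the re-trained database; a production tool would also persist the centres and exemplars (the slides describe XML files) and use a properly tuned distance threshold rather than a fixed slack factor.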