Neural Technology and Fuzzy Systems in Network Security
Project Progress 2
Group 2:
- Omar Ehtisham Anwar 2005-02-0129
- Aneela Laeeq 2005-02-0023
Neural Techniques
- IPS tools are based on static rules alone
- Neural Techniques seek to classify all new events and highlight those that appear most threatening
- Neural Techniques allow the security expert to be the final arbiter
Fuzzy Clustering
- Creates a baseline profile of the network in various states by “training” itself
- Establishes patterns and does not determine an exact profile of what a user does
- Uses algorithms that identify these patterns and separates clusters accordingly

Kernel Classifier
- Determines which existing cluster a new event most likely belongs to
- Classifies events according to how far away they are from the norm (any existing cluster)
- Events farthest away bubble to the top, where administrators take manual action
- Uses algorithms based on non-linear distribution laws, which use statistics to track what happens over extended periods of time
The Neural Security Layer
- Clusters: a set of XML files that become model filters or the knowledge base for the network resource being monitored
- The knowledge base is continually updated based on:
  - Results of day-to-day activities
  - Data from third-party sources, such as IDS signatures
Six Steps to Producing Security Intelligence
1) Designate Data: Data can be system log entries or any other raw or formatted measure of activity in the environment.
2) Model Analyst Expertise: Variables, weights, centers and pertinent event knowledge comprise the analytic or data mining model; they are configured based on the specific analysis requirements and the unique attributes of the particular environment.
3) Train Model: The process of organizing the designated security data into multi-dimensional “event vectors” within the context of the analytic models. This establishes the baseline activity.
4) Generate Knowledge: Live or offline data is compared against the contents of the training baseline and classified accordingly.
5) Teach Model: User supervision and the infusion of expert knowledge are essential to accurate event classification and system base-lining, and to filtering out non-threatening anomalous activity.
6) Leverage Knowledge: System output is invaluable for the real-time or offline analysis, detection and prevention of any type of potential internal and external criminal activity or system misuse.
Neural Security (NS) Tool
- Monitors activity on Microsoft Internet Information Server (IIS) Web servers
- Preconfigured to monitor activity on a single IIS server or an entire server farm
- In training mode, examines IIS logs to determine the normal activity of the server and creates its clusters
- Comes with a knowledge base of known IIS exploits
- Unlike rule-based security systems, NS quickly adapts to each unique installation and will continue to adapt as more information is added to its knowledge base
Neural Security (NS) Tool
- Training Mode
  - Organize IIS-specific data into clusters that reflect normal use patterns (both trusted and untrusted) within the server environment
  - The process of organizing clusters is guided through the use of a built-in knowledge base of published attack signatures
- Monitor Mode
  - Compare all incoming requests to IIS against the Training Database to determine whether they fall within an acceptable distance of trusted activity
  - Within limits of trusted activity: process continues
  - Outside limits of trusted activity: initiate whatever action has been configured, e.g. post an on-screen alert, block the untrusted connection or shut down IIS
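The kernel-classifier idea from the Fuzzy Clustering slide (events scored by distance from the nearest existing cluster, farthest first) and the NS tool's training/monitor modes above, as an added illustration that is not the NS tool's code: training records are turned into event vectors, clustered with a plain k-means (assumed in place of whatever clustering the product uses), and monitor-mode records are ranked by distance from the nearest cluster against an assumed threshold. The log layout, field set, feature choices and all sample records are constructed for the example.

```python
import math
import random
# Constructed sample records in a simplified W3C-style layout (not real IIS logs):
# c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
TRAINING_LOG = """\
10.0.0.5 GET /index.html - 200 2048
10.0.0.5 GET /index.html page=2 200 2310
10.0.0.8 GET /products.asp id=7 200 4120
10.0.0.8 GET /products.asp id=12 200 4201
10.0.0.9 POST /login.asp - 302 310
10.0.0.9 POST /login.asp - 302 298"""
MONITOR_LOG = """\
10.0.0.6 GET /about.html - 200 2500
10.0.0.6 GET /products.asp id=9 404 0
10.0.0.2 GET /search.asp q={} 500 512""".format("%27%3C%3E" * 10)
THRESHOLD = 3.5  # assumed "acceptable distance" from the nearest cluster, in normalised units

def event_vector(line):
    """One record -> event vector: stem length, query length, special chars, status class, log10 bytes."""
    _ip, _method, stem, query, status, nbytes = line.split()
    query = "" if query == "-" else query
    specials = sum(c in "%<>;'\"" for c in stem + query)
    return [len(stem), len(query), specials, int(status) // 100, math.log10(int(nbytes) + 1)]
def fit_scaler(vectors):
    """Per-feature mean/std of the training data; a constant feature gets std 1 to avoid dividing by zero."""
    mean = [sum(col) / len(vectors) for col in zip(*vectors)]
    std = [math.sqrt(sum((x - m) ** 2 for x in col) / len(vectors)) or 1.0 for col, m in zip(zip(*vectors), mean)]
    return mean, std
def scale(v, scaler):
    return [(x - m) / s for x, m, s in zip(v, *scaler)]
def kmeans(vectors, k, iters=25, seed=1):
    """Plain k-means, standing in for the clustering the tool performs in training mode."""
    centers = random.Random(seed).sample(vectors, k)
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for v in vectors:
            groups[min(range(k), key=lambda i: math.dist(v, centers[i]))].append(v)
        centers = [[sum(col) / len(g) for col in zip(*g)] if g else c for g, c in zip(groups, centers)]
    return centers
def train(log_text, k=3):  # training mode: build the baseline clusters (the "training database")
    vectors = [event_vector(l) for l in log_text.splitlines()]
    scaler = fit_scaler(vectors)
    return scaler, kmeans([scale(v, scaler) for v in vectors], k)
def score(line, model):  # monitor mode: distance from the event to the nearest cluster (the norm)
    scaler, centers = model
    v = scale(event_vector(line), scaler)
    return min(math.dist(v, c) for c in centers)
def rank_events(log_text, model):  # farthest-from-norm events first, tagged within/outside trusted limits
    scored = sorted(((score(l, model), l) for l in log_text.splitlines()), reverse=True)
    return [(s, s <= THRESHOLD, l) for s, l in scored]
```

Running `rank_events(MONITOR_LOG, train(TRAINING_LOG))` puts the long, heavily encoded query first and the zero-byte 404 second, both outside the threshold, while the ordinary page request stays within trusted limits; the 404 shows why step 5 (Teach Model) matters, since an analyst may re-classify it as harmless before re-training.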
Neural Security (NS) Tool
- Maintenance
  - Proper classification of events is essential
  - Maintain as Security Alerts are displayed, or review the Security Alert Log periodically
  - After re-classification of events, “Re-Train” the database
  - NS remembers the correct classification and characteristics of events, which are then applicable to the analysis of subsequent events