Utvärdering av signaturdatabaser i systemet Snort / Evaluation of Signature Databases in the System Snort

Steinvall, Daniel, January 2019
For many people all over the world, being constantly connected to the Internet is taken for granted. The Internet connects people globally in a way that has never been possible before, which in many ways is a fantastic thing. Unfortunately, this global connection can be abused for malicious purposes, which has led to the need for security solutions such as network intrusion detection systems. One prominent example of such a system is Snort, which is the subject of evaluation in this thesis. This study investigates the ability of signature databases for Snort to detect cyberattacks. In total, we executed 1143 attacks released between 2008 and 2019 and recorded the network traffic. We then analyzed the network traffic using three versions of Snort released in 2012, 2016 and 2018.
For each version, we used 18 different signature databases dated 2011-2019 from three different publishers. Our results show that there is a significant difference between the different publishers' signature databases, where the best signature database detected around 70% of the attacks and the worst detected only around 1%. The configuration of Snort also had a significant impact on the results, where Snort with the preprocessor detected about 15% more attacks than without it.
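As an added illustration (not the thesis's own tooling), the harness below has the shape of the measurement described in the abstract: each recorded attack is replayed through Snort once per signature database, and an attack counts as detected when that run produces at least one alert. It assumes Snort 2.x with `-A fast` output, one pcap per attack, and that a run "with the preprocessor" and one "without" are simply two configurations of the same ruleset. The alert lines, ruleset names and attack identifiers are constructed for the example, with SIDs in the local range so they cannot be mistaken for real rules.

```python
"""Per-ruleset detection rates from Snort 2 ``alert_fast`` output.

Assumptions (added example, not the study's code):
 * every attack was recorded to its own pcap and replayed with
   ``snort -c <conf> -r <pcap> -A fast``, once per signature database;
 * an attack counts as detected when that run produced >= 1 alert line.
"""
import re

# One alert_fast line (Snort 2):
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def snort_argv(conf, pcap, logdir):
    """argv for one attack/ruleset run. Real Snort 2 options: -q quiet,
    -c config (which includes the rule files), -r read a pcap,
    -A fast for alert_fast output, -l log directory."""
    return ["snort", "-q", "-c", conf, "-r", pcap, "-A", "fast", "-l", logdir]


def parse_alert_fast(text):
    """Return one dict per well-formed alert line; ignore anything else."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def detection_rates(runs):
    """runs: {ruleset: {attack_id: alert_fast_text}}
    -> {ruleset: (detected, total, rate)}. Several alerts for one attack
    still count once; zero alerts means the attack was missed."""
    rates = {}
    for ruleset, attacks in runs.items():
        detected = sum(1 for text in attacks.values() if parse_alert_fast(text))
        total = len(attacks)
        rates[ruleset] = (detected, total, detected / total if total else 0.0)
    return rates


def unique_sids(runs, ruleset):
    """Signatures that actually fired for a ruleset: shows whether a high
    rate rests on a handful of generic rules."""
    return sorted({a["sid"] for text in runs[ruleset].values() for a in parse_alert_fast(text)})


def preprocessor_gain(rates, with_pp, without_pp):
    """Detection-rate difference between a configuration with preprocessors
    and the same ruleset without them."""
    return rates[with_pp][2] - rates[without_pp][2]


# Constructed sample: three runs over the same four recorded attacks.
ALERT_1 = ("03/04-10:22:41.112233  [**] [1:1000001:1] LOCAL scan many ports [**] "
           "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
           "10.0.0.5:51022 -> 10.0.0.9:22\n")
ALERT_2 = ("03/04-10:25:03.000100  [**] [1:1000002:1] LOCAL SMB exploit attempt [**] "
           "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} "
           "10.0.0.5:49801 -> 10.0.0.9:445\n")
ALERT_4A = ("03/04-10:31:17.400000  [**] [1:1000004:2] LOCAL HTTP traversal [**] "
            "[Priority: 2] {TCP} 10.0.0.5:50010 -> 10.0.0.9:80\n")
ALERT_4B = ("03/04-10:31:17.400900  [**] [3:1000005:1] LOCAL suspicious response [**] "
            "[Priority: 3] {TCP} 10.0.0.9:80 -> 10.0.0.5:50010\n")

SAMPLE_RUNS = {
    "pubA-2019":      {"atk-001": ALERT_1, "atk-002": ALERT_2, "atk-003": "", "atk-004": ALERT_4A + ALERT_4B},
    "pubA-2019-nopp": {"atk-001": ALERT_1, "atk-002": ALERT_2, "atk-003": "", "atk-004": ""},
    "pubB-2011":      {"atk-001": ALERT_1, "atk-002": "", "atk-003": "", "atk-004": ""},
}

if __name__ == "__main__":
    rates = detection_rates(SAMPLE_RUNS)
    for ruleset, (d, t, r) in sorted(rates.items()):
        print(f"{ruleset:16} {d}/{t} detected ({r:.0%}); sids={unique_sids(SAMPLE_RUNS, ruleset)}")
    print("preprocessor gain:", f"{preprocessor_gain(rates, 'pubA-2019', 'pubA-2019-nopp'):+.0%}")
```

Counting an attack once regardless of how many alerts it raised is the choice that makes rulesets comparable: a database with many overlapping rules would otherwise look better than one that fires a single precise rule per attack. Listing the distinct SIDs per ruleset is the sanity check to run alongside the rate, since a "70%" that comes from one noisy scan rule is a different result from one spread over many signatures.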
Distributed deployment of Therminators in the network

Cheng, Kah Wai, 12 1900
Approved for public release; distribution is unlimited.

The idea of deploying a distributed network intrusion system using Therminator is explored in this thesis. There are many advantages in having a distributed system compared to a standalone network intrusion system. The underlying principle of Therminator is modeling network traffic on conversation exchange models. Using Zippo, a new implementation of Therminator, the experimental setup consisted of multiple sensors reporting individual findings to a central server for aggregated analysis. Different scenarios of network attacks and intrusions were planned to investigate the effectiveness of the distributed system. The network attacks were taken from the MIT Lincoln Lab 1999 Data Sets. The distributed system was subjected to different combinations of network attacks in various parts of the network. The results were then analyzed to understand the behavior of the distributed system in response to the different attacks. In general, the distributed system detected all attacks under each scenario. Some surprising observations also indicated attack responses occurring in unanticipated scenarios. These results are subject to further investigation.

Defence Science & Technology Agency, Singapore
Taxonomia de técnicas furtivas e antiforenses utilizadas em ataques cibernéticos / Taxonomy of Stealth and Anti-forensic Techniques Used in Cyberattacks

Melo, Sandro Pereira de, 19 March 2018
Coordenação de Aperfeiçoamento de Pessoal de Nível Superior - CAPES

According to the current academic literature, numerous taxonomies for classifying cyber threats have been proposed. The vast majority of them classify threat types by aspects of their functionality, purpose and behavior. This thesis differs from the others in that it proposes a taxonomy for classifying the stealth (SF) and anti-forensic (AF) techniques that cyber threats use to hide information, erase or cover up evidence, eliminate the trail of the actions executed, obfuscate malicious code, generate fake evidence, subvert security controls and attack the forensic tools themselves, thereby preventing or impairing incident response or a forensic examination. Following the premise that a taxonomy must be cohesive, simple to maintain, applicable, extensible and able to encompass general types of SF and AF, the taxonomy proposed in this thesis takes into account, among other factors, the layer of the computer system affected, the stage of the cyberattack at which the technique is used, and the operating-system component compromised.
This thesis also makes the following contributions: a brief summary of threat indicators and their impact on organizations, tabulated from data of different kinds of surveys but prioritizing CSIRT reports; a short history of the characteristics of current SF and AF techniques; an explanation of the phases of the forensic investigation process and of the SF and AF techniques related to each forensic stage they affect; and, finally, the application of the proposed taxonomy to classify SF and AF techniques.
