Preemptive Intrusion Detection – Practical Experience and Detection Framework

Title: Preemptive Intrusion Detection – Practical Experience and Detection Framework
Publication Type: Presentation
Year of Publication: 2016
Authors: Phuong Cao, University of Illinois at Urbana-Champaign; Ravishankar Iyer, University of Illinois at Urbana-Champaign; Zbigniew Kalbarczyk, University of Illinois at Urbana-Champaign; Eric Badger, University of Illinois at Urbana-Champaign; Surya Bakshi, University of Illinois at Urbana-Champaign; Simon Kim, University of Illinois at Urbana-Champaign; Adam Slagell, University of Illinois at Urbana-Champaign; Alex Withers, University of Illinois at Urbana-Champaign
Keywords: attack detection, Data Driven Security Models and Analysis, NSA SoS Lablets Materials, science of security, UIUC
Abstract

Using stolen or weak credentials to bypass authentication is one of the top 10 network threats, as shown in recent studies. Posing as legitimate users, attackers use stealthy techniques such as rootkits and covert channels to gain persistent access to a target system. However, such attacks are often detected only after the system misuse stage, i.e., once the attackers have already executed attack payloads such as: i) stealing secrets, ii) tampering with system services, and iii) disrupting the availability of production services.

In this talk, we analyze a real-world credential-stealing attack observed at the National Center for Supercomputing Applications. We show the disadvantages of traditional detection techniques, such as signature-based and anomaly-based detection, for such attacks. Our approach complements existing detection techniques. We investigate the use of Probabilistic Graphical Models, specifically Factor Graphs, to integrate security logs from multiple sources for more accurate detection. Finally, we propose a security testbed architecture to: i) simulate variants of known attacks that may happen in the future, ii) replay such attack variants in an isolated environment, and iii) collect and share the security logs of such replays with the security research community.
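As an added illustration of the factor-graph idea in the abstract (this is not the authors' code or model; every event type, stage name and factor weight below is a constructed assumption), the following Python builds a chain-structured factor graph over events drawn from four constructed log sources, attaches a hidden attack-stage variable to each event, and runs max-product (Viterbi) inference to recover the most likely stage sequence. It shows something the abstract only states: evidence that is ambiguous on its own (a login from a new location, a successful sudo) is re-interpreted once later events from other sources are fused in, and an alert can fire at the payload-staging stage, before any system-misuse event occurs.

```python
"""
Toy chain-structured factor graph that fuses events from several log sources
(auth log, syslog, web proxy, netflow) into one hidden "attack stage" sequence.
Added illustration, NOT the authors' model: all events and weights are constructed.
"""
import math

STAGES = ["benign", "credential_misuse", "payload_staging", "system_misuse"]

# Constructed multi-source events in time order: (source, event_type).
SAMPLE_EVENTS = [
    ("auth",    "ssh_login_new_geo"),               # login from an unseen location
    ("syslog",  "sudo_success"),
    ("proxy",   "download_exec_from_rare_domain"),
    ("syslog",  "kernel_module_loaded"),            # possible rootkit install
    ("netflow", "beacon_to_rare_host"),             # possible covert channel
]

# Unary factor phi(stage, event): hypothetical, unnormalized compatibility weights.
UNARY = {
    "ssh_login_new_geo":              {"benign": 0.4, "credential_misuse": 0.5,  "payload_staging": 0.05, "system_misuse": 0.05},
    "sudo_success":                   {"benign": 0.5, "credential_misuse": 0.3,  "payload_staging": 0.15, "system_misuse": 0.05},
    "download_exec_from_rare_domain": {"benign": 0.1, "credential_misuse": 0.1,  "payload_staging": 0.7,  "system_misuse": 0.1},
    "kernel_module_loaded":           {"benign": 0.2, "credential_misuse": 0.05, "payload_staging": 0.2,  "system_misuse": 0.55},
    "beacon_to_rare_host":            {"benign": 0.1, "credential_misuse": 0.05, "payload_staging": 0.15, "system_misuse": 0.7},
}
FLAT = {s: 0.25 for s in STAGES}  # unknown event types carry no evidence


def phi(stage, event_type):
    """Unary factor: how compatible an observed event is with a hidden stage."""
    return UNARY.get(event_type, FLAT)[stage]


def psi(prev, cur):
    """Pairwise factor between consecutive stage variables. Attacks mostly stay
    or advance one stage; skipping ahead or regressing is down-weighted, so a
    single noisy event cannot jump the chain straight to 'system_misuse'."""
    i, j = STAGES.index(prev), STAGES.index(cur)
    if j == i:
        return 0.6
    if j == i + 1:
        return 0.3
    if j > i + 1:
        return 0.05
    return 0.02


def most_likely_stages(events):
    """Max-product message passing on the chain (Viterbi), done in log space.
    Returns the MAP assignment of one stage per event."""
    n = len(events)
    score = [[-math.inf] * len(STAGES) for _ in range(n)]
    back = [[0] * len(STAGES) for _ in range(n)]
    for j, s in enumerate(STAGES):
        score[0][j] = math.log(phi(s, events[0][1]))
    for t in range(1, n):
        for j, s in enumerate(STAGES):
            best_i, best = 0, -math.inf
            for i, p in enumerate(STAGES):
                cand = score[t - 1][i] + math.log(psi(p, s))
                if cand > best:
                    best_i, best = i, cand
            score[t][j] = best + math.log(phi(s, events[t][1]))
            back[t][j] = best_i
    # Backtrack from the best final state.
    j = max(range(len(STAGES)), key=lambda k: score[-1][k])
    path = [j]
    for t in range(n - 1, 0, -1):
        j = back[t][j]
        path.append(j)
    path.reverse()
    return [STAGES[k] for k in path]


def first_alert_index(events, alert_stage="payload_staging"):
    """Index of the first event whose inferred stage is at or beyond alert_stage,
    i.e. where a preemptive alert would fire; None if the chain stays below it."""
    threshold = STAGES.index(alert_stage)
    for idx, stage in enumerate(most_likely_stages(events)):
        if STAGES.index(stage) >= threshold:
            return idx
    return None


if __name__ == "__main__":
    stages = most_likely_stages(SAMPLE_EVENTS)
    for (src, ev), st in zip(SAMPLE_EVENTS, stages):
        print(f"{src:8s} {ev:32s} -> {st}")
    print("preemptive alert at event index:", first_alert_index(SAMPLE_EVENTS))
```

Run stand-alone, the script decodes the five constructed events as credential misuse, credential misuse, payload staging, system misuse, system misuse, and reports an alert at index 2 (the proxy download), one event before the first system-misuse event. Decoding only the first two events yields benign for both: the same login and sudo are innocuous until the later evidence from other sources is fused in, which is the argument for cross-source integration that the abstract makes. A real deployment would learn the factor weights from labelled incidents rather than hand-set them, and would use sum-product to obtain per-event posteriors instead of a single MAP path.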

Notes

Presented at the Illinois Information Trust Institute Joint Trust and Security and Science of Security Seminar, May 3, 2016.

URL: https://recordings.engineering.illinois.edu:8443/ess/echo/presentation/81613b8e-24e4-4856-99e9-386e8...
Citation Key: node-29906

Other available formats:

05032016 Cao