Artwork

Konten disediakan oleh Black Hat and Jeff Moss. Semua konten podcast termasuk episode, grafik, dan deskripsi podcast diunggah dan disediakan langsung oleh Black Hat and Jeff Moss atau mitra platform podcast mereka. Jika Anda yakin seseorang menggunakan karya berhak cipta Anda tanpa izin, Anda dapat mengikuti proses yang diuraikan di sini https://id.player.fm/legal.
Player FM - Aplikasi Podcast
Offline dengan aplikasi Player FM !

Emmanuele Zambon: "NIDS, false positive reduction through anomaly detection"

48:40
 
Bagikan
 

Manage episode 153984312 series 1109074
Konten disediakan oleh Black Hat and Jeff Moss. Semua konten podcast termasuk episode, grafik, dan deskripsi podcast diunggah dan disediakan langsung oleh Black Hat and Jeff Moss atau mitra platform podcast mereka. Jika Anda yakin seseorang menggunakan karya berhak cipta Anda tanpa izin, Anda dapat mengikuti proses yang diuraikan di sini https://id.player.fm/legal.
The Achilles' heel of network IDSs lies in the large number of false positives (i.e., false attacks) that occur: practitioners as well as researchers observe that it is common for a NIDS to raise thousands of mostly false alerts per day. False positives are a universal problem as they affect both signature-based and anomaly-based IDSs. Finally, attackers can overload IT personnel by forging ad-hoc packets to produce false alerts, thereby lowering the defences of the IT infrastructure. Our thesis is that one of the main reasons why NIDSs show a high false positive rate is that they do not correlate input with output traffic: by observing the output determined by the alert-raising input traffic, one is capable of reducing the number of false positives in an effective manner. To demonstrate this, we have developed APHRODITE (Architecture for false Positives Reduction): an innovative architecture for reducing the false positive rate of any NIDS (be it signature-based or anomaly-based). APHRODITE consists of an Output Anomaly Detector (OAD) and a correlation engine; in addition, APHRODITE assumes the presence of a NIDS on the input of the system. For the OAD we developed POSEIDON (Payl Over Som for Intrusion DetectiON): a two-tier network intrusion detection architecture. Benchmarks performed on POSEIDON and APHRODITE with DARPA 1999 dataset and with traffic dumped from a real-world public network show the effectiveness of the two systems. APHRODITE is able to reduce the rate of false alarms from 50% to 100% (improving accuracy) without reducing the NIDS ability to detect attacks (completeness). Emmanuele Zambon pursued an MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for an year at Information Risk Management division in KPMG Italy. He is author and researcher of the POSEIDON paper. Damiano Bolzoni pursued a MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for a year at the Information Risk Management division in KPMG Italy. He is author of the POSEIDON and APHRODITE papers and gave talks at IWIA workshop, WebIT and many security conferences in Netherlands. Presently, he is a PhD student at the University of Twente, The Netherlands. His research topics are IDS and risk management."
  continue reading

86 episode

Artwork
iconBagikan
 
Manage episode 153984312 series 1109074
Konten disediakan oleh Black Hat and Jeff Moss. Semua konten podcast termasuk episode, grafik, dan deskripsi podcast diunggah dan disediakan langsung oleh Black Hat and Jeff Moss atau mitra platform podcast mereka. Jika Anda yakin seseorang menggunakan karya berhak cipta Anda tanpa izin, Anda dapat mengikuti proses yang diuraikan di sini https://id.player.fm/legal.
The Achilles' heel of network IDSs lies in the large number of false positives (i.e., false attacks) that occur: practitioners as well as researchers observe that it is common for a NIDS to raise thousands of mostly false alerts per day. False positives are a universal problem as they affect both signature-based and anomaly-based IDSs. Finally, attackers can overload IT personnel by forging ad-hoc packets to produce false alerts, thereby lowering the defences of the IT infrastructure. Our thesis is that one of the main reasons why NIDSs show a high false positive rate is that they do not correlate input with output traffic: by observing the output determined by the alert-raising input traffic, one is capable of reducing the number of false positives in an effective manner. To demonstrate this, we have developed APHRODITE (Architecture for false Positives Reduction): an innovative architecture for reducing the false positive rate of any NIDS (be it signature-based or anomaly-based). APHRODITE consists of an Output Anomaly Detector (OAD) and a correlation engine; in addition, APHRODITE assumes the presence of a NIDS on the input of the system. For the OAD we developed POSEIDON (Payl Over Som for Intrusion DetectiON): a two-tier network intrusion detection architecture. Benchmarks performed on POSEIDON and APHRODITE with DARPA 1999 dataset and with traffic dumped from a real-world public network show the effectiveness of the two systems. APHRODITE is able to reduce the rate of false alarms from 50% to 100% (improving accuracy) without reducing the NIDS ability to detect attacks (completeness). Emmanuele Zambon pursued an MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for an year at Information Risk Management division in KPMG Italy. He is author and researcher of the POSEIDON paper. Damiano Bolzoni pursued a MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for a year at the Information Risk Management division in KPMG Italy. He is author of the POSEIDON and APHRODITE papers and gave talks at IWIA workshop, WebIT and many security conferences in Netherlands. Presently, he is a PhD student at the University of Twente, The Netherlands. His research topics are IDS and risk management."
  continue reading

86 episode

Tüm bölümler

×
 
Loading …

Selamat datang di Player FM!

Player FM memindai web untuk mencari podcast berkualitas tinggi untuk Anda nikmati saat ini. Ini adalah aplikasi podcast terbaik dan bekerja untuk Android, iPhone, dan web. Daftar untuk menyinkronkan langganan di seluruh perangkat.

 

Panduan Referensi Cepat