Neural Technology and Fuzzy Systems in Network Security
Project Progress 2
Group 2: Omar Ehtisham Anwar 2005-02-0129, Aneela Laeeq 2005-02-0023

Neural Techniques
- IPS tools are based on static rules alone.
- Neural techniques seek to classify all new events and highlight those that appear most threatening.
- Neural techniques leave the security expert as the final arbiter.

The Neural Security Layer
Fuzzy Clustering
- Creates a baseline profile of the network in its various states by "training" itself.
- Establishes patterns; it does not determine an exact profile of what a user does.
- Uses algorithms that identify these patterns and separate the clusters accordingly.
Kernel Classifier
- Determines which existing cluster a new event most likely belongs to.
- Classifies events according to how far away they are from the norm (any existing cluster).
- The events farthest from the norm bubble to the top, where administrators take manual action.
- Uses algorithms based on non-linear distribution laws, which use statistics to track what happens over extended periods of time.
Clusters
- A set of XML files that become the model filters, or knowledge base, for the network resource being monitored.
- The knowledge base is continually updated based on:
  - results of day-to-day activities;
  - data from third-party sources, such as IDS signatures.

Six Steps to Producing Security Intelligence
1) Designate Data: the data can be system log entries or any other raw or formatted measure of activity in the environment.
2) Model Analyst Expertise: the variables, weights, centers and pertinent event knowledge that make up the analytic (data mining) model are configured according to the specific analysis requirements and the unique attributes of the particular environment.
3) Train Model: the designated security data is organized into multi-dimensional "event vectors" within the context of the analytic models. This establishes the baseline activity.
4) Generate Knowledge: live or offline data is compared against the contents of the training baseline and classified accordingly.
5) Teach Model: user supervision and the infusion of expert knowledge are essential to accurate event classification and system baselining, and to filtering out non-threatening anomalous activity.
6) Leverage Knowledge: the system output is invaluable for the real-time or offline analysis, detection and prevention of any kind of potentially criminal activity or system misuse, internal or external.

Neural Security (NS) Tool
- Monitors activity on Microsoft Internet Information Server (IIS) web servers.
- Preconfigured to monitor activity on a single IIS server or an entire server farm.
- In training mode, examines IIS logs to determine the server's normal activity and creates its clusters.
- Comes with a knowledge base of known IIS exploits.
- Unlike rule-based security systems, NS quickly adapts to each unique installation and continues to adapt as more information is added to its knowledge base.

Neural Security (NS) Tool: Training Mode
- Organizes IIS-specific data into clusters that reflect normal use patterns (both trusted and untrusted) within the server environment.
- The process of organizing the clusters is guided by a built-in knowledge base of published attack signatures.
Monitor Mode
- Compares every incoming request to IIS against the Training Database to determine whether it falls within an acceptable distance of trusted activity.
- Within the limits of trusted activity: processing continues.
- Outside the limits of trusted activity: initiates whatever action has been configured, e.g. post an on-screen alert, block the untrusted connection, or shut down IIS.

Neural Security (NS) Tool: Maintenance
- Proper classification of events is essential.
- Maintain as Security Alerts are displayed, or review the Security Alert Log periodically.
- After re-classifying events, "Re-Train" the database.
- NS remembers the corrected classification and characteristics of the events, and applies them to the analysis of subsequent events.
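The following is an added worked example, not code from the NS tool or from this project, that walks the six steps above over IIS-style log lines and reproduces the training, monitor and maintenance modes described for the NS tool. It stands in a farthest-first seeded k-means for the fuzzy clustering and a nearest-centre distance for the kernel classifier; the log lines, feature weights, acceptable distance (ACCEPT_DISTANCE) and the two-entry signature knowledge base (KNOWLEDGE_BASE) are all constructed for illustration and are not the product's own values.

```python
"""Six-step security-intelligence pipeline over IIS-style log lines (added
example, not the NS tool's own code). Farthest-first seeded k-means stands in for
the fuzzy clustering, nearest-centre distance for the kernel classifier; log
lines, weights, threshold and signatures are all constructed."""
import math
import re

# Step 1: Designate data. Constructed, simplified IIS W3C-style log lines:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken
TRAINING_LOG = """\
2005-03-01 10:00:01 10.0.0.5 GET /default.htm - 200 15
2005-03-01 10:00:02 10.0.0.5 GET /images/logo.gif - 200 4
2005-03-01 10:00:03 10.0.0.7 GET /products.asp id=12 200 22
2005-03-01 10:00:04 10.0.0.7 GET /products.asp id=13 200 19
2005-03-01 10:00:05 10.0.0.9 POST /login.asp - 302 40
2005-03-01 10:00:06 10.0.0.9 GET /account.asp user=bob 200 31
2005-03-01 10:00:07 172.16.0.3 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 9
""".splitlines()
MONITOR_LOG = """\
2005-03-02 09:00:01 10.0.0.5 GET /products.asp id=99 200 21
2005-03-02 09:00:02 10.0.0.8 GET /reports/annual/2004/summary.pdf - 200 120
2005-03-02 09:00:03 10.0.0.5 GET /missing.htm - 404 2
2005-03-02 09:00:04 172.16.0.9 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 9
""".splitlines()

# Step 2: Model analyst expertise: variables and weights, the acceptable distance
# from trusted activity, and a tiny stand-in for the published-signature knowledge base.
WEIGHTS = {"uri_len": 1.0, "query_len": 1.0, "specials": 3.0, "error": 2.0, "sig_hit": 5.0}
SIG_IDX = list(WEIGHTS).index("sig_hit")
ACCEPT_DISTANCE = 0.4
KNOWLEDGE_BASE = ("..", "cmd.exe")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")  # never guess on bad input
    ip, stem, query, status = m.group(3, 5, 6, 7)
    return {"ip": ip, "stem": stem, "query": "" if query == "-" else query, "status": int(status)}

def event_vector(rec):
    """Weighted multi-dimensional event vector for one request (the Step 3 input)."""
    target = rec["stem"] + rec["query"]
    feats = {
        "uri_len": len(rec["stem"]) / 40.0,       # scaled so ordinary values sit near 0..1
        "query_len": len(rec["query"]) / 40.0,
        "specials": sum(target.count(c) for c in "%.\\;|") / 5.0,
        "error": 1.0 if rec["status"] >= 400 else 0.0,
        "sig_hit": 1.0 if any(s in target for s in KNOWLEDGE_BASE) else 0.0,
    }
    return tuple(WEIGHTS[k] * feats[k] for k in WEIGHTS)

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def assign(vectors, centers):
    groups = [[] for _ in centers]
    for v in vectors:
        groups[min(range(len(centers)), key=lambda i: dist(v, centers[i]))].append(v)
    return groups

def train(records, rounds=20):
    """Step 3: seed centres farthest-first until every event is within ACCEPT_DISTANCE of
    one, then refine with k-means. A cluster with any signature hit is untrusted."""
    vectors = [event_vector(r) for r in records]
    centers = [vectors[0]]
    while True:
        far = max(vectors, key=lambda v: min(dist(v, c) for c in centers))
        if min(dist(far, c) for c in centers) <= ACCEPT_DISTANCE:
            break
        centers.append(far)
    for _ in range(rounds):
        groups = assign(vectors, centers)
        new = [tuple(sum(v[d] for v in g) / len(g) for d in range(len(g[0]))) if g else centers[i]
               for i, g in enumerate(groups)]
        if new == centers:
            break
        centers = new
    return [{"center": c, "trusted": not any(v[SIG_IDX] > 0 for v in g)}
            for c, g in zip(centers, assign(vectors, centers))]

def classify(rec, clusters):
    """Step 4 / monitor mode: score = distance from the nearest trusted cluster; an event
    nearest to an untrusted cluster, or beyond ACCEPT_DISTANCE from all trusted ones, alerts."""
    v = event_vector(rec)
    nearest = min(clusters, key=lambda c: dist(v, c["center"]))
    score = min((dist(v, c["center"]) for c in clusters if c["trusted"]), default=math.inf)
    action = "process" if nearest["trusted"] and score <= ACCEPT_DISTANCE else "alert"
    return {"action": action, "score": round(score, 4)}

def monitor(lines, clusters):
    """Classify a batch; alerts come first, the farthest from the norm on top (Step 6 input)."""
    results = [dict(classify(parse(line), clusters), line=line) for line in lines]
    results.sort(key=lambda r: (r["action"] != "alert", -r["score"]))
    return results

def teach(records, rec):
    """Step 5 / maintenance: re-train with an alerted event the analyst marked benign."""
    return train(records + [rec])
```

Running `train` over TRAINING_LOG yields two clusters: the ordinary page traffic (trusted) and the traversal request, which the knowledge base forces into an untrusted cluster. `monitor(MONITOR_LOG, db)` then ranks the four new requests so that the repeated traversal sits on top (farthest from any trusted centre), the 404 next, the never-seen report download third, and the product lookup is simply processed. The report download is the maintenance case: once the analyst re-classifies it as benign and calls `teach`, the re-trained database carries it as its own trusted cluster and a later request for the 2003 report passes, while the traversal still alerts. Two practitioner caveats the slides gloss over: a reclassified event cannot overturn a signature hit (the knowledge base wins, so expert knowledge and third-party signatures never cancel each other silently), and the acceptable distance is an analyst-tuned parameter, so a badly chosen value either floods the alert log or hides slow drift.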