Developing Anomaly Detection Model for Security Auditing Service - PowerPoint PPT Presentation

1
Developing Anomaly Detection Model for Security Auditing Service
  • Daisuke Mashima
  • (with Professor Mustaque Ahamad)

2
Motivation and Scope
  • Online identity theft is becoming more serious
    • Emergence of novel Internet devices
    • Diversity of Internet users
  • Prevention of identity theft is never perfect.
    • Social engineering, etc.
  • We have to do detection in addition to prevention.
  • The system must be transparent not only to users but also to existing applications
  • We focus on detecting suspicious logins to web applications.

3
Abstract Image
4
Identity-usage Monitoring System
  • System Architecture
    • Centralized Monitoring Service
      • Conducts anomaly detection
    • Decentralized Reverse Proxy
      • Sends login information to Monitoring Service
    • Web Bug
      • Makes the user's browser send information automatically

5
System Architecture (diagram; label recovered from the slide: "On the same LAN")
6
Process and Flow
7
Overview of Demo System (diagram; components and labels recovered from the slide)
  • User (192.168.245.1) sends http://192.168.245.128/logintest/ carrying userID, password, IP Address, userAgent, etc.
  • Reverse Proxy: Java application (Port 80) running on VMWare (192.168.245.128)
  • Forwarded request: http://192.168.245.128:8080/logintest/ carrying userID, password, etc.
  • Dummy Application (/logintest/login.html, /logintest/loginDemo) on Tomcat 5.5 (Port 8080)
  • Anomaly Detection data sent from the Reverse Proxy to the Monitoring Service (/gtim/SecurityService): userID, IP Address, AspID, userAgent
  • Dummy image request (Web Bug) from the user's browser to the Monitoring Service: IP Address, ASP ID, userAgent, etc.
  • Monitoring Service compares the UserAgent in the Web Bug request with that in the profile DB
8
Detail of Anomaly Detection Process
  • Periodic Detection
    • Main purpose is creating a blacklist
    • Frequency of the source IP address
    • Total number of accesses
  • Per-request Detection
    • Based on the blacklist and the user's individual profile
    • Define the user's individual profile per time category
      • E.g. weekdays and weekends
      • Calendar Schema
    • Utilize a delay-based IP geolocation technique
      • Higher availability and precision
      • Can detect IP spoofing to a certain extent.

9
Individual Profile
  • Defined for each pair of user ID and Web App ID
  • By categorizing wisely, the number of tuples can be reduced.

Calendar Schema (figure; label recovered from the slide)
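The detection logic sketched in slides 8 and 9, as an added Python example that is not part of the original presentation or its Java implementation: a periodic pass that blacklists source IPs by total access count, a profile keyed by (user ID, web app ID, time category) under the weekday/weekend calendar schema, and a per-request check that compares device, location and the Web Bug UserAgent against that profile. The login records, the threshold and the field names are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample login log: (user_id, app_id, src_ip, user_agent, country, ISO timestamp).
# 2009-03-02 is a Monday and 2009-03-07 a Saturday; one scripted client hammers the login page.
LOGINS = [
    ("alice", "webmail", "10.0.0.5", "Firefox/3.0", "US", "2009-03-02T09:15:00"),
    ("alice", "webmail", "10.0.0.5", "Firefox/3.0", "US", "2009-03-03T08:50:00"),
    ("alice", "webmail", "10.0.0.9", "Firefox/3.0", "US", "2009-03-07T20:10:00"),
    ("bob",   "webmail", "10.0.0.7", "IE/7.0",      "US", "2009-03-02T10:00:00"),
] + [("u%d" % i, "webmail", "203.0.113.9", "curl/7.0", "XX", "2009-03-02T10:%02d:00" % i)
     for i in range(20)]

def time_category(ts):
    """Calendar schema from the slides: weekdays vs. weekends."""
    return "weekend" if datetime.fromisoformat(ts).weekday() >= 5 else "weekday"

def periodic_blacklist(logins, max_per_ip=10):
    """Periodic detection: blacklist source IPs whose total access count is abnormally high
    (threshold is a constructed value)."""
    counts = Counter(ip for _, _, ip, _, _, _ in logins)
    return {ip for ip, n in counts.items() if n > max_per_ip}

def build_profiles(logins):
    """Profile tuple keyed by (user ID, web app ID, time category): devices and countries seen."""
    profiles = defaultdict(lambda: {"agents": set(), "countries": set(), "count": 0})
    for user, app, _, ua, country, ts in logins:
        p = profiles[(user, app, time_category(ts))]
        p["agents"].add(ua)
        p["countries"].add(country)
        p["count"] += 1
    return profiles

def check_login(login, profiles, blacklist, webbug_agent=None):
    """Per-request detection: rule-based blacklist check first, then profile-based checks.
    webbug_agent is the UserAgent seen on the dummy image request, if one arrived.
    Returns (verdict, reason) with verdict in {"normal", "suspicious", "abnormal"}."""
    user, app, ip, ua, country, ts = login
    if ip in blacklist:
        return ("abnormal", "blacklisted source IP")
    p = profiles.get((user, app, time_category(ts)))
    if p is None:
        return ("suspicious", "no profile for this time category")
    if webbug_agent is not None and webbug_agent != ua:
        return ("suspicious", "UserAgent in Web Bug request differs from login request")
    if ua not in p["agents"] or country not in p["countries"]:
        return ("suspicious", "device or location differs from profile")
    return ("normal", "matches profile")
```

A "suspicious" verdict is where the slides' out-of-band notification and user feedback would come in; the profile can then be extended with the confirmed device or location.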
10
Rule-Based and Profile-Based Detection (flowchart; labels recovered from the slide)
  • Rule-Based Detection: Search by User ID and Web App ID → result OK / NG; Time tuple frequency check → result OK / NG
  • Profile-Based Detection: Device and Location Check → result OK / Suspicious
  • NG results lead to Notification; Feedback returns to the checks
  • Final outcomes: Normal, Abnormal
11
Interaction between Monitoring Service and Users
  • Must be independent of the Internet
  • Automated phone call to users' cell phones is a strong candidate.
    • Most people have cell phones.
    • As long as phone companies are trustworthy, the channel is regarded as secure.

12
Future work
  • Future work includes:
    • Improve anomaly detection model
      • User Profiling
      • Intrusion Detection
    • Evaluation
      • System Architecture
      • Security
      • Performance
      • Precision of detection

13
Thank you very much for your attention.