Detecting attacks on large administrative network domains is nowadays generally done centrally, by analyzing the data traffic on the uplink to the Internet. The first phase of an infection is usually difficult to observe: attackers often use e-mail attachments or external media, such as USB sticks, hardware with preinstalled malware, or contaminated mobile devices, to infect target systems. In such scenarios the initial infection cannot be blocked at the network level. The lateral movement of attack programs (exploits) through internal networks and the exfiltration of data, however, which are the main purpose of targeted attacks, always run over the network. Security measures against such internal network attacks require a comprehensive monitoring concept that spans the entire network to its edge. For preventive measures in particular, this means providing a security concept for local area networks (LANs). In this paper, based on an analysis of typical LAN-based attacks, we propose an approach for preventing these attacks in both IPv4 and IPv6 networks. It applies the software-defined networking (SDN) paradigm to centralize the related network decisions in a central authority, the SDN controller, which manages all network connections and hence the associated data flows.
Today's growing number of security threats to computers and networks also increases the importance of log inspection for detecting possible breaches. The investigation and assessment of security incidents is becoming more and more a daily business. Furthermore, manual log analysis is essential for developing signatures for intrusion detection systems (IDS), which allow for an automated defense against attacks and security incidents. But the analysis of log data for forensic investigations and IDS signature development is a tedious and time-consuming task, owing to the large amount of textual data. Moreover, the task requires expert knowledge to distinguish important from non-relevant information. In this paper, we propose an approach for representing log or audit data that aims at simplifying the analysis process for the security officer. For this purpose, audit data and the existing relations between audit events are represented graphically in a three-dimensional space. We describe a general approach for analyzing and exploring audit or log data within this presentation paradigm. Further, we introduce our tool, which implements this approach, and demonstrate the strengths and benefits of this form of presentation and exploration.

I. MOTIVATION

The growing dependence of social processes on IT infrastructures, as well as the increasing complexity of those infrastructures, creates a large potential of threats that jeopardize these processes. Furthermore, the number of security incidents has increased dramatically and continues to rise annually [3], [4]. Consequently, the investigation and assessment of security incidents is becoming more and more a daily business. Security officers therefore regularly have to reconstruct and extract the actions of an attacker from system logs, which record the entire system behavior.

System logs or audit trails record all security-relevant actions of a system, where each action is described by an audit event. Investigating these audit trails is extremely time-consuming and error-prone because of the flood of logged data, and can be seen as "looking for the needle in the haystack". In addition to these investigations and the assessment of security incidents, efficient digital forensics is also a crucial precondition for the process of developing signatures for intrusion detection systems (IDS). In contrast to typical preventive security measures for IT systems (e.g. firewalls or virus scanners), IDS allow for a reactive protection of systems. IDS provide means to automatically detect security violations that have occurred and to trigger appropriate countermeasures. Two complementary approaches are applied by IDS: anomaly and misuse detection. Anomaly detection aims at detecting abnormal user behavior and requires a comprehensive set of data describing normal user behavior. Providing these descriptions is often difficult, which is why anomaly detection currently has only a limited importance in practice. Misuse detection focuses on the det...