Luciano Paschoal Gaspary

Identification of intrusion scenarios through classification, characterization and analysis of firewall events

The content analysis of firewall logs is essential (i) to quantify and identify accesses to external and private networks, (ii) to follow the historical growth of accesses volume and applications used, (iii) to debug problems on the configuration of filtering rules and (iv) to recognize suspicious event sequences that indicate strategies used by intruders in attempts to obtain non-authorized access to stations and services. The paper presents an approach to classify, characterize and analyze events generated by firewalls. The proposed approach explores the case-based reasoning technique to identify possible intrusion scenarios. The paper also describes the validation of our approach carried out based on real logs generated during one week by the university firewall.

An SNMP agent for stateful intrusion inspection

Intrusion detection systems (IDS) have been increasingly used in organizations, in addition to other security mechanisms, to detect intrusions to systems and networks. In the recent years several IDS have been released, but (a) the high number of false alarms generated, (b) the lack of a high-level notation for attack signature specification, and (c) the difficulty to integrate IDS with existing network management infrastructure hinder their widespread and efficient use. In this paper we address these problems by presenting an SNMP agent for stateful intrusion inspection. By using a state machine-based language called PTSL (Protocol Trace Specification Language), the network manager can describe attack signatures that should be monitored. The signatures to be used by the agent are configured by the network manager through the IETF Script MIB. Once programmed, the agent starts monitoring the occurrence of the signatures on the network traffic and stores statistics, according to their occurrence, in an extended RMON2 MIB. These statistics may be retrieved from any SNMP-based management application and can be used to accomplish signature-based analysis. The paper also describes two experiments that have been carried out with the agent to assess its performance and to demonstrate its effectiveness in terms of false alarm generation rates.

Network-based intrusion detection systems evaluation through a short term experimental script

Intrusion Detection Systems (IDSs) have become an essential component to improve security in networked environments. The increasing set of available IDSs has stimulated research projects that investigate means to assess them and to find out their strengths and limitations (in order to improve the IDSs themselves) and to assist the security manager in selecting the product that best suits specific requirements. Current approaches to do that (a) require the accomplishment of complex procedures that take too much time to be executed, (b) do not provide any systematic way of executing them, and (c) require, in general, specific knowledge of IDSs internal structure to be applied. In this paper we address these limitations by proposing a script to evaluate network-based IDSs regarding their detection capability, scalability and false positive rate. Two Intrusion Detection Systems, Snort and Firestorm, have been assessed to validate our approach.

On the Evaluation of a Secure Solution to Access 802.11 Networks

Despite offering the possibility to develop and distribute a new set of applications to its users, the widespread and unrestricted use of mobile computing depends on the provisioning of a secure network environment. Regarding the communication established from mobile devices such as PDAs (Personal Digital Assistants), one of the most currently used standards is the IEEE 802.11b, which presents known security flaws. To overcome them, some alternative setups are commonly deployed, based on link, network, transport or application-layer. In this paper we evaluate the impact on data reception rate and energy consumption of IPSec-based PDAs access to 802.11b (WiFi) wireless LANs. As a result of this work we identify the overhead imposed by the security mechanisms and the capacity of the device to run CPU and network-intensive applications.

Spotting Intrusion Scenarios from Firewall Logs Through a Case-Based Reasoning Approach

Despite neglected by most security managers due to the low availability of tools, the content analysis of firewall logs is fundamental (a) to measure and identify accesses to external and private networks, (b) to access the historical growth of accesses volume and applications used, (c) to debug problems on the configuration of filtering rules and (d) to recognize suspicious event sequences that indicate strategies used by intruders in attempt to obtain non-authorized access to stations and services. This paper presents an approach to classify, characterize and analyze events generated by firewalls. The proposed approach explores the case-based reasoning technique, from the Artificial Intelligence field, to identify possible intrusion scenarios. The paper also describes the validation of our approach carried out based on real logs generated along one week by the university firewall.

Towards a programmable agent-based distributed architecture for enterprise application and service management

The popularization of electronic commerce and the growing use of this business modality by companies as well as the growth in the number of applications, protocols and services that are executed in computer networks generate difficulties for management tools. Most of these tools are able to monitor a previously established set of protocols; monitoring new protocols becomes possible with updated firmware or through development kits that are hard for network managers to assimilate. Additionally, these tools usually have little or no ability to act automatically when facing unexpected behaviors from these protocols. This paper presents an architecture for distributed management of enterprise networked applications, high-layer protocols and network services based an programmable agents. By means of a high-level graphical and textual language, the network manager is able to specify protocol traces in order to perform FCAPS (fault, configuration, accounting, performance and security) management. The observation of these traces in the network traffic leads to actions which are also determined by the network manager. This paper describes the language used to specify traces, the architecture and some examples of applications that validate the proposal.