Ben Uphoff (Alamos National Laboratory)
Two areas in intrusion detection research receive little attention: data collection and data management. Gigabit Ethernet is becoming widely deployed, with ten gigabit Ethernet not far behind. Many current solutions strain under such bandwidth rates, resulting in data loss. This is unacceptable for accurate, reliable intrusion detection systems. Data management solutions vary greatly from product to product. Typically, older data is periodically migrated to some archived format. Once archived, the data set cannot be easily queried or analyzed without being imported back into the original tool. This makes forensics and trend analysis extremely difficult.
This paper addresses data collection and management for intrusion detection by providing a framework designed to accommodate high-volume, heterogeneous data sets. This framework solves many of the problems of conventional approaches to intrusion detection. Distributed computing is leveraged to assure scalability. Data can be captured, queried and analyzed in real-time; data set sizes are limited only by available storage. Benchmarks of the initial prototype are also provided.
MD5: 4079d2b79336bee47e05b2aeb3f51e3d
Format: application/pdf
Last Update: June 7th, 2024
Size: 228.57 Kb
Piotr Kijewski (Research and Academic Computer Network in Poland, PL)
The paper describes the concept of an early warning and new attack identification system, called ARAKIS, being developed by CERT Polska. The system is meant to detect and identify the characteristics of new threats, such as self-propagating malicious code and other automated attacks that span multiple sites. Its goals also include the automated creation of attack signatures for dissemination to intrusion detection systems and the provision of attack statistics. The paper presents the rationale behind the system. The problems encountered, the current stage of development and future work are also outlined. The level of technical detail is medium. It is targeted at an audience with security experience; in particular, knowledge of the underlying principles of intrusion detection, honeynets and firewalls is helpful.
MD5: fe9e83c3c32312ade6ad5f9b8648511d
Format: application/pdf
Last Update: June 7th, 2024
Size: 82.17 Kb
Dan Wing (Cisco Systems Co.)
MD5: db47f553f3594d52de39715e34e96454
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.63 Mb
Georgia Killcrece (Carnegie Mellon University), Mark Zajicek (Carnegie Mellon University, US), Robin Ruefle (Carnegie Mellon University, US)
A half-day tutorial devoted to creating and defining a process map for incident management processes
MD5: 48bae721e7f35211d73af714ece5d71c
Format: application/pdf
Last Update: June 7th, 2024
Size: 489.51 Kb
Georgia Killcrece (Carnegie Mellon University), Mark Zajicek (Carnegie Mellon University, US), Robin Ruefle (Carnegie Mellon University, US)
A full-day tutorial devoted to issues and topics relevant to creating and managing an effective CSIRT
MD5: f8cd05779d9081882bcb83fbb805dcb7
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.31 Mb
Rolf Schulz
Critical Infrastructure Protection (CIP) is becoming more and more important for governments, for industry and for the CERT community.
First mentioned in the late 90's under President Clinton, and rediscovered after 9/11, CIP is also an important business factor. It guarantees press attention and opens budgets for security projects which would normally be impossible to accomplish. However, if you ask 10 people for a definition of CIP, you will receive a minimum of 10 different explanations. Another critical topic is the differing views on CIP held by government on the one side and industry on the other.
This presentation will take a deeper look at Critical Infrastructure Protection from the perspective of the industry involved in central Europe, based on some basics defined in the first part of the presentation.
MD5: dad7ee21c04f5776abd82c4521ee7954
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.16 Mb
Ian Cook (GB)
This presentation will cover ways in which good intelligence procedures can be applied to the corporate sector to better enable senior management to take strategic decisions.
MD5: a134693905cb888ab627098df32981f0
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.35 Mb
Chris McNab (Matta Consulting Limited)
The objective is to:
demonstrate known issues in compiled applications
demonstrate and categorize attack vectors and types
define strategy and technologies to mitigate each attack risk
By going through this process, delegates will understand how to protect their environments against zero-day attacks. Even if vulnerable components exist, the risks can be mitigated, and incident response procedures used.
MD5: 3646bbc4a19e2f69e1e0b4c1aed882b3
Format: application/pdf
Last Update: June 7th, 2024
Size: 199.97 Kb
Laurent Butti (France Télécom R&D, FR)
This paper is about secure wireless deployments with new wireless standards. It will describe a current solution based on IPsec, and will provide the reader with a precise snapshot of the standardization process: this is the theoretical part. Based on all this information, a deployment guideline and a case study (FT R&D) will be fully explained: this is the practical part.
MD5: c22defc14428fa3ceeabbc80f4321740
Format: application/pdf
Last Update: June 7th, 2024
Size: 152.86 Kb
Hank Nussbacher (Riverhead Networks), Nicholas Fischbach (COLT Telecom)
The tutorial is about network infrastructure security, (distributed) denial-of-service attack detection and mitigation, and router and network forensics as part of incident response.
We will also cover historical information on DDoS and worms, trends, and filtering on the Internet. Tools, protocol features, technologies and processes will be presented and discussed.
MD5: 28ce65b4c68cc8c614f5ecff4d98b046
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.36 Mb
David Crochemore
The objectives of the presentation at the conference are to explain to FIRST members and non-members what has been and will be the active role of FIRST in the whole process, and what would be the benefits for all of us:
the increasing importance of Incident Response in the texts of reference
the worldwide development of CSIRTs
a better recognition of FIRST
MD5: af380adb3708d918b62968f1fec630b7
Format: application/pdf
Last Update: June 7th, 2024
Size: 156.54 Kb
Lillian Rostad (Centre for Information Security (SIS))
Industry and society in general are becoming increasingly dependent on the use of information and communication technology (ICT) in all areas. ICT systems and the use of such systems are becoming more complex. At the same time, there has been an increase in ICT security-related incidents in such systems, from internal as well as external sources.
There is an immediate need for research, development and implementation of improved methods for appropriate handling of ICT security incidents. The aim of this project is to improve information security in critical national infrastructure (CNI) by developing a new methodology and tools for incident response (IR), and supporting risk management methodologies.
MD5: f5ab69248b916f02b0c4f733876da35f
Format: application/pdf
Last Update: June 7th, 2024
Size: 434.37 Kb
Sherri Davidoff (Zanshin Security)
Successful incident response in large research universities requires an understanding of the organizational and cultural complexities of the university environment. Strategies for university incident response and large event handling will be explored in this paper, using examples from the experiences of the MIT Network Security Team. This material may prove useful and informative for other university response teams, outside security professionals, and law enforcement agencies whose work brings them into contact with university networks.
MD5: f729578ea8e1dcc07bdc1eb45e47bba5
Format: application/pdf
Last Update: June 7th, 2024
Size: 204.58 Kb
Simon Conant (Palo Alto Networks, US)
To talk about the details rather than abstracts of Microsoft's security efforts. Introduce attendees to "who does what" in MS security. How Microsoft handles security vulnerabilities, the lifecycles of a vulnerability, and why they take so much time. Help attendees understand the vuln handling process, and enable them to make "educated guesses" on timeframes. Discuss the concepts of workarounds, and how to be proactive about these as a defense-in-depth measure. Present innovations in security patches, new features. Understand in detail what Microsoft is doing differently, in building software in a secure fashion. Discuss some of the other areas we are working in to improve internet security. Why must MS limit support lifetimes?
MD5: 5c220130a4aca7bd744b520f6e299938
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.09 Mb
Masaki Ishiguro (Mitsubishi Research Institute, Inc.)
We present an Internet security threat detection system using a Bayesian estimation method. This system analyzes the security state of the Internet using Bayesian estimation with the transition of frequencies of IP packet arrival events to some specified IP addresses, such as port scanning, worm activities and so on. While the system calculates the frequency of access events in each time interval, Bayesian updating is repeatedly applied to improve the confidence in the degree of Internet critical states. When the system detects security threat(s) on the Internet, a security alert message is automatically sent to registered e-mail addresses, such as system administrators', and the system issues security alert details on our Web site. We also provide compact HTML and HDML for mobile phone browsers, aka NTT DoCoMo's i-mode and KDDI's EZweb. Since the security state of the Internet changes dynamically, the application of Bayesian estimation for threat detection is considered suitable because the parameters of the Bayesian estimation model are treated as dynamically changing quantities. This paper focuses on the mechanism of detecting security threats using Bayesian estimation and on our experimental evaluation.
Some knowledge of TCP/IP network technologies and statistics is required for this presentation. The intended audience of this paper presentation is network experts, network security researchers, system administrators, and data analysis researchers.
MD5: 14a351699197d6f8dd77a46cdf5ed2a2
Format: application/pdf
Last Update: June 7th, 2024
Size: 439.64 Kb
Ulf Mattsson (Protegrity Inc.)
Modern intrusion detection systems are comprised of three basically different approaches: host based, network based, and a third, relatively recent addition called procedural based detection. The first two have been extremely popular in the commercial market for a number of years now because they are relatively simple to use, understand and maintain. However, they fall prey to a number of shortcomings such as scaling with increased traffic requirements, use of complex and false-positive-prone signature databases, and their inability to detect novel intrusive attempts. This intrusion detection system represents a great leap forward over current security technologies by addressing these and other concerns. This paper presents an overview of our work in creating a true database intrusion detection system. Based on many years of database security research, the proposed solution detects a wide range of specific and general forms of misuse, provides detailed reports, and has a low false-alarm rate. Traditional database security mechanisms are very limited in defending against successful data attacks. Authorized but malicious transactions can make a database useless by impairing its integrity and availability. The proposed solution offers the ability to detect misuse and subversion through the direct monitoring of database operations inside the database host, providing an important complement to host-based and network-based surveillance.
MD5: 451a91afe026893508b9ba336bd022d4
Format: application/pdf
Last Update: June 7th, 2024
Size: 387.74 Kb
Errol S. Weiss (SAIC)
Explanation of the worldwide ISAC.
MD5: 05085a30e4a85ee371d10050adc72862
Format: application/pdf
Last Update: June 7th, 2024
Size: 980.52 Kb
Arnold Yoon, Yurie Ito (JP)
Based on the activities of KrCERT/CC and JPCERT/CC to prevent security incidents, both organizations agreed to develop several joint projects.
MD5: d8f2efa38f299d23fd58fe0a14ff7355
Format: application/pdf
Last Update: June 7th, 2024
Size: 397.92 Kb
Damir (Gaus) Rajnovic (Cisco Systems Co., GB)
Damir is part of Cisco PSIRT (Product Security Incident Response Team), the only group in Cisco that publishes Cisco Security Advisories and the focal point for product security within Cisco. In his current role Damir's responsibilities are to do whatever it takes to remove security vulnerabilities from all Cisco's products. Apart from the reactive work (responding to customers' incidents and managing vulnerabilities), Damir works on several proactive efforts to help build more secure products. These efforts are concentrated on educating developers to write more secure code and working with product designers during the design stage.
Part of the daily job is to liaise and maintain relationships with relevant external organizations. Some of the entities Damir is connected to are: law enforcement (National Hi-Tech Crime Unit, now Serious Organized Crime Agency), coordinating centres (CERT/CC, JPCERT, NISCC) and other appropriate entities (Internet Crime Forum, GCHQ).
Damir has been actively involved in the computer security arena since 1993. It started with the Ministry of Foreign Affairs of the Republic of Croatia, continued in the Ministry of Science and Technology of the Republic of Croatia, moved to EuroCERT and ended in Cisco System's PSIRT, where he still is. EuroCERT was a project with the aim of coordinating CERTs within the European region. The project is no longer active. During that period he established CarnetCERT, was instrumental in the creation of EuroCERT and was constantly involved in CERT forums, both FIRST (internationally) and TF-CSIRT (European region). Non-security related work includes working at Radio 101 as a sound engineer and in a theatrical group.
Among other FIRST-related activities, Damir is the main driver behind the Vendor SIG, a special interest group under the FIRST umbrella. The purpose of that forum is to facilitate dialog among product security groups from different vendors. Although the idea behind the Vendor SIG existed for some time, the forum started its life at the beginning of 2005 and already 23 vendors participate in it. More details at http://www.first.org/vendor-sig/
MD5: fc4429a6c26d127fcdaac1338c0a7e97
Format: application/pdf
Last Update: June 7th, 2024
Size: 859.61 Kb
Damon Morda
Public monitoring is the process of gathering incident and vulnerability related information from publicly available sources such as web sites, newsgroups, and mailing lists. With the increasing number of new incidents and vulnerabilities being reported, it is essential that organizations have the capability to prioritize the monitoring of multiple sources and identify, assess, and respond to threats that may affect their infrastructure. This talk will focus on the CERT/CC's approach to public monitoring by describing tools, processes, and techniques we use to effectively manage the information. Through the public monitoring capability, information is collected that can be analyzed by the vulnerability, incident, and artifact handling teams. As with any process, there are also limitations and areas for improvement which will be discussed.
MD5: fdb8cf38eb43a7c06894192a59568360
Format: application/pdf
Last Update: June 7th, 2024
Size: 184.48 Kb
Robert Hensing (Microsoft)
Rootkit detection on live systems and on-line incident response using a live response toolkit; Presentation and discussion.
MD5: cfdb20b23a31a2e221a01e07855266e3
Format: application/pdf
Last Update: June 7th, 2024
Size: 333.42 Kb
Michael H. Warfield
IPv6 is a new, widely available version of the Internet Protocol that carries a number of significant performance and security advantages over earlier versions. These same benefits also work to the advantage of IPv6-savvy attackers against network administrators who have not deployed IPv6. IPv4 administrators are unaware that IPv6 is available nearly anywhere IPv4 is available and that IPv6 traffic can pass through their networks without their awareness. Because they have ignored IPv6 as something to worry about in the future, they frequently lack the expertise to manage it and they assume it is not present on their networks. But IPv6 and IPv6 transitional mechanisms introduce new security issues and open new avenues of attack even on IPv4-based networks.
MD5: 58cf98b7bd8c4368e29c0468f32b4a43
Format: application/pdf
Last Update: June 7th, 2024
Size: 170 Kb
European CSIRTs have been examining different ways of cooperation since the early 1990s. After trying several organisational models, the task force TF-CSIRT was formed in 2000 under the umbrella of TERENA (Trans-European Research and Education Networking Association). TF-CSIRT encompasses teams from academic, commercial and governmental organisations. The group spawned several projects addressing common issues: trust relationships between teams, a formal model for the exchange of incident-related data, the training of CSIRT staff, problems related to differences in legislation, and so on. In continuous communication with the European Commission, TF-CSIRT has established itself as a credible partner in the area of network security. The growing number of participants in TF-CSIRT, as well as teams from elsewhere expressing interest in particular results of the group, can be regarded as a sign of the successful efforts European CSIRTs have undertaken.
MD5: 7b08af85f6ebb7a27df85259391d22ff
Format: application/pdf
Last Update: June 7th, 2024
Size: 136.11 Kb
Oliver Goebel (Stuttgart University, DE)
CAIF is an XML-based format to store and exchange security announcements in a normalized way. It provides a basic but comprehensive set of elements designed to describe the main aspects of a security-related issue. The set of elements can easily be extended to reflect temporary, exotic or new requirements on a per-document basis. Besides addressing more than one problem within a single document, the format allows information to be grouped for more than one target group of readers, as well as multi-lingual textual descriptions within one document. This can be used to selectively produce different renderings of an announcement for the intended target groups, addressing one, a subset, or all problems, multi- or mono-lingual in the languages provided.
MD5: 500bce8c08e61ea1bd3cbede2327b552
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.33 Mb
Lance Hayden (Cisco Systems, Inc.)
This paper will serve as a primer to computer security incident response teams (CSIRTs) on ways to incorporate wireless security expertise into their existing methodological and technical toolkits. While many aspects of wireless security incident response are similar to traditional network security incident response, an understanding of the additional threats posed by wireless networks, and of the tools for mitigating and responding to those threats, can inform and improve the capabilities of the CSIRT to manage new networking risks in the organizations for which they are responsible. The paper will include recommendations and insights at both high-level and technical levels. It will be appropriate for managers and network staff alike, and anyone with responsibility for creating or managing a CSIRT in an organization that is considering, or already has deployed, wireless networked infrastructures.
MD5: 7373d24f9d663b7318e4dcb75f1e3c19
Format: application/pdf
Last Update: June 7th, 2024
Size: 97.38 Kb
Don Stikvoort (Open CSIRT Foundation), Wilfried Wöber (Vienna University)
Description of the concept, implementation and deployment of the database object describing an incident response team (the so-called IRT object) and its relationship with the IP address space, in particular the so-called inetnum (or IP number) object.
The essence of this relationship is that, after proper implementation in real life (which started in the summer of 2003), it enables e.g. CSIRT professionals (or indeed the general public) to easily find the CSIRT (or CSIRTs) responsible for dealing with the security incidents related to specific parts of the IP address space.
MD5: e2ded30044968273b4b00160cf161501
Format: application/pdf
Last Update: June 7th, 2024
Size: 127.79 Kb
Andreas Bunten (DFN-CERT Services GmbH)
The paper will present as much technical detail as is required to distinguish the different types of rootkits, while concentrating on the conceptual ideas. A technical audience familiar with the topic will be updated on current developments. A general audience with technical interest will get a good idea of what is possible and what is to be expected on a compromised UNIX system.
MD5: 96c7a040d90121e1587961e1fccb1a49
Format: application/pdf
Last Update: June 7th, 2024
Size: 146.64 Kb
Yurie Ito (JP)
Among the FIRST members there is a need for coordination and information sharing, not just for incident handling but also to prevent incidents, and to share these activities of the AP region. The aim is to provide one Regional Initiative activity model for other regions, encouraging each to set up its own RI for efficient collaboration between CSIRTs.
MD5: 675389be9fbcd163ad1cc862dd5e2578
Format: application/pdf
Last Update: June 7th, 2024
Size: 77.23 Kb
Ken Van Wyk (KRvW Associates, LLC)
The paper is a recounting of numerous incidents that we have handled, along with detailed lessons learned and our suggestions of how to avoid or otherwise effectively handle similar difficulties. Some of the difficulties and lessons that we discuss are technical in nature, although many are procedural/human situations.
MD5: 674876de6749b10c4a3dba3dee8a3a3a
Format: application/pdf
Last Update: June 7th, 2024
Size: 106.83 Kb
Nils Magnus (SecuCERT)
Tracing active attackers or investigating the traces they leave is one of the major tasks in active incident investigation. Checking netflows is helpful to get the "big picture", but sometimes you want more details.
This is a hands-on workshop (it can be set up as a simple talk of about one hour, a workshop with examples in 2 hours, or a full half-day tutorial) providing the attendee with well-grounded information and techniques on how to look at single packets and how to read them.
MD5: b089527c9f7c31553fd593142def819b
Format: application/pdf
Last Update: June 7th, 2024
Size: 261.3 Kb