Using Netflows for slow portscan detection

This thesis aims to investigate if Netflow analysis is more suitable for detecting slow
portscans than two traditional systems for intrusion detection, Snort and Network Flight
Recorder.

Published by: Michael Thomas on Mar 31, 2013
Copyright: Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

03/31/2013

pdf

text

original

 
Using Netflows for slow portscan detection

Bjarte Malmedal

Master's Thesis
Master of Science in Information Security
30 ECTS
Department of Computer Science and Media Technology
Gjøvik University College, 2005

Department of Computer Science and Media Technology (Institutt for informatikk og medieteknikk)
Gjøvik University College (Høgskolen i Gjøvik)
Box 191
N-2802 Gjøvik
Norway

The MSc programme in Information Security is run in cooperation with the Royal Institute of Technology (KTH) in Stockholm.
ABSTRACT

Most organizations that have a defined security strategy implement some kind of detection capability. These systems often focus on real-time analysis of security related events in the information systems. Signature-based systems need to inspect every byte of the network traffic. Capturing, storing and analyzing all this traffic for future analysis is very resource consuming. There is thus a need for alternative ways of detecting misuses that span long periods of time.

One alternative to inspecting each byte of the packet content is to analyze the metadata about each logical connection; i.e. source, destination, port numbers and packet length combined with the timestamp. The metadata for one logical connection is called a Netflow.

By limiting the scope of data collection, it becomes possible to search through the traffic data for longer timespans, and to discover trends that a traditional intrusion detection system cannot. One type of misuse is particularly difficult to detect for traditional "real-time" intrusion detection systems, namely slow portscans, which are performed by introducing latency between each individual packet.

This thesis aims to investigate if Netflow analysis is more suitable for detecting slow portscans than two traditional systems for intrusion detection, Snort and Network Flight Recorder.
Summary (Abstract in Norwegian)

Organizations that have a defined security strategy have often implemented systems for intrusion detection. Such solutions usually focus on real-time analysis of security-threatening events in the information systems. Signature-based intrusion detection systems must inspect every single byte that is sent through the network. Collecting, storing and handling large amounts of traffic data for future analysis is very resource-intensive. Alternative methods are therefore needed for detecting misuse in computer networks that goes on over long periods of time.

An alternative to inspecting the content of every network packet is to analyze metadata about each logical connection; that is, sender and receiver address, port number, packet length and timestamp. Such metadata is called a Netflow. By limiting the scope of data collection, it becomes possible to store data over longer periods.

This makes it possible to detect trends that ordinary intrusion detection systems cannot discover. One type of event that is very difficult for real-time systems to discover is the slow portscan. Slow portscans are performed by introducing a delay between each individual packet.
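To illustrate the point made in both abstracts, that a slow scan hides from a short real-time window but stands out in stored flow metadata, here is an added Python example; it is not code from the thesis, and the flow records, addresses, window sizes and threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed Netflow-style records (not from the thesis): one tuple per logical
# connection carrying only metadata: timestamp (s), src, dst, dst port, bytes.
# 10.0.0.9 probes one new port every 20 minutes (a slow scan); 10.0.0.5 is a
# busy but legitimate client that only ever talks to one service.
FLOWS = [(t * 1200, "10.0.0.9", "192.0.2.10", 1 + t, 60) for t in range(40)] + \
        [(t * 5, "10.0.0.5", "192.0.2.10", 443, 1500) for t in range(40)]

def distinct_targets_per_source(flows, window):
    """For each source, the largest number of distinct (dst, port) targets
    it touched within any `window`-second span. Returns {src: count}."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _ in sorted(flows):
        by_src[src].append((ts, (dst, port)))
    result = {}
    for src, events in by_src.items():
        best, start = 0, 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({target for _, target in events[start:end + 1]})
            best = max(best, distinct)
        result[src] = best
    return result

def flag_scanners(flows, window, threshold):
    """Sources that touched at least `threshold` distinct targets in `window`."""
    counts = distinct_targets_per_source(flows, window)
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    # A real-time style rule over a 60 s window sees nothing suspicious...
    print("60 s window:", flag_scanners(FLOWS, window=60, threshold=10))
    # ...while the same rule over a day of retained flow data catches the scan.
    print("24 h window:", flag_scanners(FLOWS, window=86400, threshold=10))
```

The same rule and threshold give opposite verdicts; only the retention span differs, which is exactly the advantage the thesis attributes to Netflow collection.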
