Featuring 151 Papers as of April 14, 2016
Neutrino Exploit Kit Analysis and Threat Indicators
by Luis Rocha - April 13, 2016
Exploit Kits are powerful and modular digital weapons that deliver malware to the endpoint in an automated fashion by taking advantage of client-side vulnerabilities. These threats are not new and have been around for at least the past 10 years. Nonetheless, they have evolved and are now more sophisticated than ever. The malware authors behind them employ sophisticated capabilities that evade detection, thwart analysis and deliver reliable exploits, and these properties make detection and analysis difficult. This paper demonstrates a set of tools and techniques to perform analysis of the Neutrino Exploit Kit. The primary goal is to grow security expertise and awareness about these types of threats. Those empowered to defend users and corporations should not only study these threats, they must also be deeply involved in their analysis.
Mimikatz Overview, Defenses and Detection
by James Mulder - February 29, 2016
Over the past decade or so, we have seen hacker tools mature from tedious bit flipping to robust attack frameworks.
Incident identification through outlier analysis
by Joshua Lewis - February 16, 2016
Distinguishing between friend and foe as millions of packets traverse a network at any given moment can be a very tedious and trying objective.
Intrusion Detection and Prevention Systems Cheat Sheet: Choosing the Best Solution, Common Misconfigurations, Evasion Techniques, and Recommendations.
by Phillip Bosco - January 25, 2016
There are many decisions a company must make while choosing an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) for their infrastructure. Pricing questions will arise to determine if it will fit into their budget.
Automated Network Defense through Threat Intelligence and Knowledge Management
by Christopher O'Brien - January 4, 2016
Many organizations know that they should have cyber security threat intelligence, fewer know how to use it and fewer still are actually doing so.
Poaching: Hunting Without Permission
by David Switzer - December 23, 2015
In the parlance of information security, hunting is proactively searching out a problem. An intrusion detection system (IDS) can miss a 0-day, so proactive and interactive hunting for indicators of compromise (IOCs) can be more productive than simply relying on automated tools.
Infrastructure Security Architecture for Effective Security Monitoring
by Luciana Obregon - December 11, 2015
The biggest challenges that Information Security departments face are identifying the critical assets that make an organization unique, locating these assets on the network, and building security defenses around them while maintaining functionality.
The LogLED: An LED-Based Information Security Dashboard
by Paul Ackerman - November 2, 2015
Each year, Mandiant produces a detailed view of breach-related information security trends called the M-trends report.
Learning from the Dridex Malware - Adopting an Effective Strategy
by Lionel Teo Jia Yeong - October 29, 2015
The Dridex malware first surfaced in the third quarter of 2014 (Olson, 2014), specifically targeting companies in the financial and banking industry.
Uncovering Indicators of Compromise (IoC) Using PowerShell, Event Logs and a Traditional Monitoring Tool
by Dallas Haselhorst - October 26, 2015
What security concerns keep you up at night? Is it pivoting, persistent access, the time to detect compromise, or one of a thousand other possibilities? What if you were told that, without a doubt, you have tools at your disposal to periodically verify your security posture and you are not presently using them? Why spend more hours and more budget implementing a new product with new agents and new headaches that will not effectively reduce your workload or anxiety level? Even if you have commercial tools already monitoring your systems for security events, how do you know they are working? Is it even practical to use customized PowerShell scripts/plugins, built-in event logs, and a traditional monitoring tool such as Nagios to monitor for indicators of compromise on Windows systems? In addition, you will be presented with some applied research as well as easy-to-follow guidelines you can integrate into your own environment(s).
Detecting a Targeted Data Breach with Ease: A SANS Product Review
by Jake Williams - October 21, 2015
- Associated Webcasts: Implementing Active Breach Detection
A product review by Jake Williams. It examines LightCyber Magna, focusing on its effectiveness in detecting reconnaissance, lateral movement, data exfiltration and other threats.
Practical approaches for MPTCP Security
by Joshua Lewis - October 2, 2015
Multi-path TCP (MPTCP) is an emerging IETF standard for providing connection resilience and bandwidth aggregation. MPTCP evolves the existing TCP protocol by allowing multiple TCP flows for a TCP session. This provides exciting new possibilities for mobile devices that can maintain TCP sessions as connection paths are added or dropped, and multi-homed servers that allow TCP sessions to take advantage of a mesh topology. However, current network security monitoring infrastructure solutions cannot appropriately inspect MPTCP connections, leaving significant intrusion detection and data loss blind spots. This paper will discuss practical approaches for MPTCP security.
Automating the Hunt for Hidden Threats
by Eric Cole, PhD - October 1, 2015
An Analyst Program whitepaper by Dr. Eric Cole. It defines the process of automating the hunt for threats, and discusses how to deploy a continuous threat-hunting process while preparing a team to analyze threats to protect critical processes and data.
Fingerprinting Windows 10 Technical Preview
by Jake Haaksma - September 17, 2015
Understanding the intricacies of a network is powerful information for security professionals and malicious attackers alike. Operating system (OS) fingerprinting is the process of determining the OS of a remote computer. This can be primarily accomplished by passively sniffing network packets between hosts or actively sending crafted packets to the ports of a target host in order to analyze its response. This paper attempts to fingerprint Windows 10 Technical Preview for the purpose of OS identification and to improve Nmap's OS detection database.
Using Network Based Security Systems to Search for STIX and TAXII Based Indicators of Compromise
by Jason Mack - August 10, 2015
As the interest in collecting actionable cyber intelligence has grown substantially over the last several years in response to the growing sophistication of attackers, with it has come the need for organizations to more readily process indicators of compromise and act immediately upon them to determine if they are present in a given enterprise environment. While host-based tools have been designed for this very purpose, they can be challenging to deploy on an enterprise-wide basis and are dependent on frequent updates. This paper will propose several methodologies by which these indicators of compromise may be visible within network traffic. It will further study how key network security devices (e.g. Snort IDS, IPTables Firewall, Web Proxy, etc.) can be used to effectively identify and alert on indicators of compromise both on the way into the network and also via analysis of outbound traffic. In addition, STIX and TAXII will be thoroughly investigated as individual protocols, including how they can best be incorporated into the rapid generation of customized network monitoring rules.
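The rule-generation step described above, as an added example that is not code from the paper: a short Python script that turns an indicator list into Snort rules. The indicator list is constructed and uses a simplified (type, value) form standing in for what a STIX 1.x document or a TAXII poll would deliver; no STIX parser or TAXII client is included, and the rule layout (DNS rules on port 53, URL rules split into `http_uri` and `http_header` contents) is one reasonable choice rather than the paper's. Domains are encoded in DNS wire format (length byte before each label) so that the rule matches the query itself rather than a dotted string that never appears on the wire.

```python
"""Generate Snort rules from a small list of indicators of compromise.

Added example: the indicator list below is constructed, not taken from a
STIX feed, and the rule layout is one reasonable choice, not the paper's.
"""
import re
from urllib.parse import urlsplit

# Constructed indicators in a simplified (type, value) form. A real STIX 1.x
# document would carry these inside Observable/Indicator XML elements.
SAMPLE_INDICATORS = [
    ("ipv4-addr", "203.0.113.10"),
    ("domain-name", "evil.example"),
    ("url", "http://c2.example/gate.php?id=1"),
]


def snort_escape(text):
    """Escape the characters that delimit or terminate a Snort content/msg string."""
    return re.sub(r'([;\\"|])', r"\\\1", text)


def dns_wire_content(domain):
    """Render a domain as Snort mixed text/hex content in DNS wire format.

    evil.example -> |04|evil|07|example|00|
    Label-length bytes are written as hex, the labels themselves as text.
    """
    parts = []
    for label in domain.rstrip(".").split("."):
        parts.append("|%02x|%s" % (len(label), label))
    return "".join(parts) + "|00|"


def build_rules(indicators, base_sid=1000001):
    """Return one Snort rule string per supported indicator, sids assigned in order."""
    rules = []
    sid = base_sid
    for kind, value in indicators:
        if kind == "ipv4-addr":
            rule = ('alert ip $HOME_NET any -> %s any (msg:"IOC ipv4 %s"; '
                    'sid:%d; rev:1;)' % (value, value, sid))
        elif kind == "domain-name":
            rule = ('alert udp $HOME_NET any -> any 53 (msg:"IOC dns %s"; '
                    'content:"%s"; nocase; sid:%d; rev:1;)'
                    % (value, dns_wire_content(value), sid))
        elif kind == "url":
            u = urlsplit(value)
            path = u.path + ("?" + u.query if u.query else "")
            rule = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
                    '(msg:"IOC url %s"; flow:to_server,established; '
                    'content:"%s"; http_uri; '
                    'content:"Host|3a| %s"; http_header; nocase; '
                    'sid:%d; rev:1;)'
                    % (snort_escape(value), snort_escape(path),
                       snort_escape(u.hostname), sid))
        else:
            continue  # unsupported indicator type: skip rather than guess
        rules.append(rule)
        sid += 1
    return rules


if __name__ == "__main__":
    for r in build_rules(SAMPLE_INDICATORS):
        print(r)
```

Two caveats a practitioner would want: sids must come from a range reserved for local rules (1000000 and up by convention) and must not be reused when a feed is regenerated, and a plain domain string in a rule without the wire-format encoding would silently miss every real DNS query.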
IPv6 and Open Source IDS
by Jon Mark Allen - May 14, 2015
This paper will examine the current support of IPv6 amongst three of the most popular open source intrusion detection systems: Snort, Suricata, and Bro. It will also examine support of the IPv6 protocol within the publicly available signatures and rules for each system, where applicable.
Enhancing Intrusion Analysis through Data Visualization
by Wylie Shanks - February 12, 2015
Increasingly, companies are required to sift through large volumes of relevant data in order to meet their governance, risk, compliance and security needs.
An Analysis of Gameover Zeus Network Traffic
by Daryl Ashley - February 9, 2015
In September of 2011, a peer-to-peer variant of Zeus emerged on the internet (Symantec, 2014).
Home Field Advantage - Using Indicators of Compromise to Hunt down the Advanced Persistent Threat
by Matthew Toussain - September 25, 2014
Current cyber defense strategies focus on building a wall around the network and "digging in". Behind this cyber version of the Maginot Line, network defenders attempt to block adversary intrusions in any way possible.
Botnet Tracking Tools
by Pierce Gibbs - August 14, 2014
Botnets are a serious threat to internet security.
IDS: File Integrity Checking
by Lawrence Grim - August 7, 2014
A file integrity checking application is a form of host-based intrusion detection software.
Killing Advanced Threats in Their Tracks: An Intelligent Approach to Attack Prevention
by Tony Sager - July 29, 2014
- Associated Webcasts: Need to defeat APTs? Tony Sager Explains Where We're At With Live Threat Detection Automation
- Sponsored By: Palo Alto Networks
All attacks follow certain stages. By observing those stages during an attack progression and then creating immediate protections to block those attack methods, organizations can achieve a level of closed-loop intelligence that can block and protect across this attack kill chain. This paper explains the many steps in the kill chain, along with how to detect unknown attacks by integrating intelligence into sensors and management consoles.
Wireshark: A Guide to Color My Packets
by Roy Cheok - July 3, 2014
Incident Responders investigating technology-facilitated crime in an unfamiliar or even non-homogenous network environment can be given access to raw packet trace files.
Designing and Implementing a Honeypot for a SCADA Network
by Charles Scott - June 20, 2014
This paper is based on a facilities network filled with Supervisory Control and Data Acquisition (SCADA)-type devices, controlling and monitoring everything from elevators, to pumps, to generators, to smart meters, to building access control systems.
Security Analytics: having fun with Splunk and a packet capture file (pcap)
by Alexandre Teixeira - May 30, 2014
Security Analytics is one of the most discussed topics within the Information Security (IS) industry, especially when combined with another buzzword such as Big Data.
Intrusion Analysis Using Windows PowerShell
by Michael Weeks - May 30, 2014
During the late 90s and through the turn of the millennium, Microsoft was not held in high regard in terms of security.
SAMHAIN: Host Based Intrusion Detection via File Integrity Monitoring
by Martinus Nel - May 6, 2014
This paper will focus on the installation and configuration of Samhain in a client / server architecture with some specific compile and runtime options explored.
Rootkit Detection with OSSEC
by Sally Vandeven - April 16, 2014
Most malware consists of a malicious application that gets installed on a victim's computer.
Integrating Wired and Wireless IDS Data
by Michael D. Stanton - February 11, 2014
According to Gartner, smart phones and other mobile computing devices are rapidly replacing personal computers.
An Early Malware Detection, Correlation, and Incident Response System with Case Studies
by Yaser Mansour - January 20, 2014
"The complexity of software is an essential property, not an accidental one" (Brooks, 1987).
An Approach to Detect Malware Call-Home Activities
by Tyler (Tianqiang) Cui - January 17, 2014
In the internal network of a large organization, there may be a number of security measures or products in place, such as anti-virus, security patch management, Intrusion Prevention Systems (IPS), Firewalls, etc., and there is still some malware that goes undetected.
HTTP header heuristics for malware detection
by Tobias Lewis - January 2, 2014
Signature based detection is one of the most fundamental techniques for identifying malicious activity on your network.
How Can You Build and Leverage SNORT IDS Metrics to Reduce Risk?
by Tim Proffitt - September 19, 2013
Metrics are used in many facets of a person's life and can be quite beneficial to the decision making process.
The Security Onion Cloud Client: Network Security Monitoring for the Cloud
by Joshua Brower - September 17, 2013
Network Security Monitoring (NSM) is the "collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."
Implementing Active Defense Systems on Private Networks
by Josh Johnson - August 20, 2013
As attacks become increasingly complex due to the sophistication, organization and motivation of adversaries, defensive strategies must mature in order to remain effective.
60 Seconds on the Wire: A Look at Malicious Traffic
by Kiel Wadner - August 19, 2013
Malware depends on its communication network to receive commands, extract information and infect systems.
Event Monitoring and Incident Response
by Ryan Boyle - May 15, 2013
System security policies can still have security holes after implementation and may even introduce unintended consequences.
by Joaquin Moreno - April 29, 2013
During the analysis of all the available data that are logged, organizations must be able to identify which portions of this information are actionable and pertinent.
AirNIDS: The Need for Intrusion Detection on the Wireless Ether
by Thomas Hoffecker - March 15, 2013
The inherent insecurities and vulnerabilities of 802.11b wireless networks are well known. The benefit of being wireless is also the greatest drawback.
Monitoring Network Traffic for Android Devices
by Angel Alonso-Parrizas - January 25, 2013
In order to detect possible intrusions or any unusual patterns, several techniques have been used in the past.
What's Running on Your Network?
by Francois Begin - January 25, 2013
Now more than ever, IT infrastructures are targeted by malicious outsiders, ranging from ideologically motivated groups such as Anonymous (Norton, 2012) to corporations and governments utilizing highly sophisticated Advanced Persistent Threats (Juels & Yen, 2012).
How to identify malicious HTTP Requests
by Niklas Sarokaari - January 21, 2013
Hypertext transfer protocol (HTTP) is a stateless protocol and it uses a message-based model.
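Both "HTTP header heuristics for malware detection" above and this paper rest on the same observation: a real browser sends a predictable set of headers, and malware call-homes usually do not. As an added example that is code from neither paper, the Python below parses a raw request and scores it against a handful of such heuristics. The heuristics, their weights and the two sample requests are all constructed for illustration; they are a starting point for local tuning, not a validated signature set.

```python
"""Score raw HTTP requests with header heuristics.

Added example (not code from either paper): the heuristics and their weights
are illustrative choices, and the two sample requests are constructed.
"""
import re

IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def parse_request(raw):
    """Split a raw request into (method, target, version, headers, header_order).

    Header names are lower-cased; a duplicated header keeps its last value.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers, order = {}, []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[name] = value.strip()
        order.append(name)
    return method, target, version, headers, order


def score_request(raw):
    """Return (score, findings) where findings is a list of (reason, weight)."""
    method, target, version, h, _order = parse_request(raw)
    findings = []
    if "host" not in h:
        findings.append(("missing Host header", 3))
    elif IP_LITERAL.match(h["host"]):
        findings.append(("Host is an IP literal", 2))
    if "accept" not in h:
        findings.append(("no Accept header (browsers always send one)", 2))
    if "user-agent" not in h:
        findings.append(("no User-Agent", 3))
    elif not re.search(r"(Mozilla|Opera|curl|Wget)", h["user-agent"]):
        findings.append(("unusual User-Agent: %s" % h["user-agent"], 2))
    if version == "HTTP/1.0" and "mozilla" in h.get("user-agent", "").lower():
        findings.append(("browser-style User-Agent over HTTP/1.0", 1))
    if method == "POST" and "content-type" not in h:
        findings.append(("POST without Content-Type", 2))
    if (method == "POST" and "referer" not in h
            and re.search(r"\.(php|asp)x?$", target.split("?")[0])):
        findings.append(("POST to a script with no Referer", 1))
    return sum(w for _, w in findings), findings


# Constructed sample traffic: one ordinary browser request, one typical
# of a bot posting to a control panel.
BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Accept-Language: en-US\r\n"
    "Connection: keep-alive\r\n\r\n"
)

SUSPECT = (
    "POST /gate.php HTTP/1.0\r\n"
    "Host: 203.0.113.10\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Content-Length: 64\r\n\r\n" + "A" * 64
)

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        score, why = score_request(req)
        print(name, score, [r for r, _ in why])
```

The suspect request trips five heuristics (IP-literal Host, no Accept, HTTP/1.0 with a browser-style agent, POST without Content-Type, POST to a script with no Referer) for a score of 8, while the browser request scores 0. Weights should be calibrated against the environment's own proxy logs before any threshold is used for alerting; a legitimate internal tool or updater can look just like the suspect request.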
Using Watermarks to Prevent Leaks
by Allison Nixon - January 21, 2013
In a world of general purpose computing, the person that possesses a piece of data has complete control over it.
Host-Based Detection and Data Loss Prevention Using Open Source Tools
by Chris Hoke - December 26, 2012
Defending connected networks has been a challenge for as long as there have been connected networks.
Web Application Attack Analysis Using Bro IDS
by Ganesh Kumar - November 27, 2012
Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity.
An Analysis of the Snort Data Acquisition Modules
by Christopher Murphy - November 8, 2012
Snort is an open-source Intrusion Detection System (IDS) that runs on Linux, UNIX, BSD variants and Windows.
Surfing the Web Anonymously - The Good and Evil of the Anonymizer
by Peter Chow - October 8, 2012
Companies of all sizes spend large amounts of time, resources, and money to ensure that their network resources and Internet connections are not being misused.
Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment
by Sunil Gupta - August 8, 2012
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.
Using and Configuring Security Onion to detect and prevent Web Application Attacks
by Ashley Deuble - July 12, 2012
Security Onion contains software used for installing, configuring, and testing Intrusion Detection Systems. Security Onion contains Snort, Suricata, Sguil, Xplico, nmap, scapy, hping, netcat, and tcpreplay (Burks, 2012).
IP Fragment Reassembly with Scapy
by Mark Baggett - July 5, 2012
Overlapping IP fragments can be used by attackers to hide their nefarious intentions from intrusion detection systems and analysts.
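As an added illustration of the evasion the paper describes (not the paper's own Scapy code): a pure-Python reassembler that applies two of the overlap policies Snort's frag3 preprocessor can emulate, "first" (an earlier fragment's bytes win) and "last" (a later fragment overwrites), to the same constructed fragment set. Fragments are modelled as (offset, payload) pairs already stripped of their IP headers, and offsets are given in bytes rather than the protocol's 8-byte units for readability.

```python
"""Reassemble overlapping IP fragments under two different overlap policies.

Added example, not the paper's Scapy code: fragments are modelled as
(offset, payload) pairs already stripped of their IP headers, and the two
policies implemented ("first" and "last") are the simplest of the per-OS
reassembly behaviours that Snort's frag3 preprocessor can emulate.
"""


def reassemble(fragments, policy="first"):
    """Return the reassembled payload for a complete fragment set.

    fragments: list of (byte_offset, payload_bytes). Real IP fragment
    offsets are in 8-byte units; byte offsets are used here for clarity.
    policy "first": a byte already written by an earlier fragment wins.
    policy "last":  a later fragment overwrites earlier bytes.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown policy: %s" % policy)
    total = max(off + len(p) for off, p in fragments)
    buf = bytearray(total)
    seen = bytearray(total)  # 1 where a byte has been filled
    for off, payload in fragments:
        for i, b in enumerate(payload):
            if policy == "last" or not seen[off + i]:
                buf[off + i] = b
                seen[off + i] = 1
    if not all(seen):
        raise ValueError("gap in fragment stream")
    return bytes(buf)


# Constructed fragments: the second one overlaps the tail of the first and
# carries different bytes, so the result depends on the policy applied.
SAMPLE_FRAGMENTS = [
    (0, b"GET /index"),
    (4, b"/admin.php"),  # overlaps bytes 4..9 of the first fragment
    (14, b" HTTP/1.0"),
]


def policy_disagreement(fragments):
    """Return (first_result, last_result, whether_they_differ)."""
    a = reassemble(fragments, "first")
    b = reassemble(fragments, "last")
    return a, b, a != b


if __name__ == "__main__":
    first, last, differ = policy_disagreement(SAMPLE_FRAGMENTS)
    print("first:", first)
    print("last: ", last)
    print("differ:", differ)
```

With the "first" policy the stream reads `GET /index.php HTTP/1.0`; with "last" it reads `GET /admin.php HTTP/1.0`. If the sensor reassembles one way and the protected web server the other, the IDS inspects a request that the server never executes. This is why frag3 takes a per-target `policy` option: the sensor must mirror the reassembly behaviour of the host it is protecting, not pick a default.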
A Complete Guide on IPv6 Attack and Defense
by Atik Pilihanto - March 19, 2012
Based on RFC 791, the Internet Protocol is designed for use in interconnected systems of packet-switched computer communication networks.
Using SNORT® for intrusion detection in MODBUS TCP/IP communications
by Javier Jimenez Diaz - December 19, 2011
Not long ago, analog and purpose-built communication systems were the prevalent technologies in industrial plants, and it was not common to find either interoperability or compatibility among them. In the 1970s, communication networking began to be used in Direct Digital Control (Berge, 2004).
Base64 Can Get You Pwned
by Kevin Fiscus - September 12, 2011
Helix Pharmaceuticals is worried about security. In the cutthroat world of multi-billion dollar pharmaceutical companies, industrial espionage is a significant concern. In addition, political and social activists continually attempt to disrupt business as retribution for perceived injustices.
Denial of Service attacks and mitigation techniques: Real time implementation with detailed analysis
by Subramani Rao - September 12, 2011
Amongst the various security threats that have evolved lately, the Denial of Service (DoS) attack is the most destructive according to security experts. A Denial of Service attack is a method of blocking a service from its intended users.
An Experimental Study of Detecting and Correlating Different Intrusions
by Ratna Deepika Kannan - September 12, 2011
With the ubiquitous growth of the Internet, retaining its security is a difficult task. Two decades ago, computer systems were generally not connected to the Internet or were simply a part of a small network.
by Chad Robertson - July 5, 2011
"OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response" (Trend Micro, 2010).
Using Decision Tree Analysis for Intrusion Detection: A How-To Guide
by Jeff Markey - June 9, 2011
As the volume and sophistication of computer network attacks increase, it becomes increasingly difficult to detect and counter intrusions into a network of interest.
Reducing Organizational Risk Through Virtual Patching
by Joseph Faust - January 11, 2011
Software patching for IT departments across the organizational landscape has always been an integral part of maintaining functional, usable and stable software. Historically, the traditional patch cycle has been focused on fixing or resolving issues which affect functionality. In recent years, with the advancement of more sophisticated and targeted threats occurring in quicker cycles, this focus is dramatically changing (Risk Assessment Cisco, n.d.; Executive Office of The United States, 2005). Corporations and government now have a greater understanding of the potential losses and expenses incurred by not maintaining application security and are moving towards an increased focus on patching and security (Epstein, Grow & Tschang, 2008). With organizations' reputations, consumer confidence and corporate secrets at risk, corporations and government are recognizing the need to shift and address vulnerabilities at a much faster pace than they historically have (Chan, 2004). Over roughly the last ten years, the length of time between the documentation of a given vulnerability in a piece of software and the development of an actual exploit that can take advantage of the weakness in the application has decreased tremendously. According to Andrew Jaquith, senior analyst at Yankee Group, the average time between vulnerability discovery and the release of exploit code is less than one week (Shrinking time from, 2006). It has also been identified that 99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available ("Risk reduction and," 2010). Clearly these statistics alone can prove daunting for many businesses trying to keep pace and maintain proper defenses against the bad guys.
Detecting and Responding to Data Link Layer Attacks
by TJ OConnor - October 15, 2010
In this paper, we examine techniques for identifying signatures and anomalies associated with attacks against the data link layer on both wired and wireless networks. Methods for signature-based detection and anomaly-based detection are not new. Intrusion detection systems such as SNORT are quite capable of detecting some of the known data link layer attacks and include a mechanism for integrating Intrusion Prevention System (IPS) solutions. This paper does not advocate against the use of these solutions in organizations. What we present can augment your existing capabilities by detecting attacks that may be blind to your IDS.
Using OSSEC with NETinVM
by Jon Mark Allen - September 17, 2010
The days of installing a firewall at the edge of the network and monitoring traffic from a single point have long vanished into the history books. Today's security edge has collapsed all the way to the desktop and traffic from practically every system in the network must be monitored, analyzed, and acted on to maintain a secure posture (Cummings, 2004). This type of intense monitoring requires a combination of intrusion detection systems (IDS), event correlation, and analysis.
by Erik Couture - August 19, 2010
Historically, the expression covert channel has broadly encompassed all communications that are hidden and communicate stealthily between endpoints. The goal of such a channel is not necessarily to obscure the data flowing through the channel, but to obscure the very fact that a channel exists. Often this data may be passed in plain sight of possible observers, but if properly engineered, may remain nearly impossible to detect. Covert channels represent a pure example of security through obscurity.
Effective Use Case Modeling for Security Information & Event Management
by Daniel Frye - March 10, 2010
With today's technology there exist many methods to subvert an information system which could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted to a system compromise is by reviewing the system's actions at both the host and network layers and then correlating those two layers to develop a thorough view of the system's behaviour. In most instances, the computer user has no indication of the existence of the malicious software and therefore cannot be relied upon to determine whether their system is indeed compromised.
SIEM Based Intrusion Detection with Q1Labs Qradar
by Jim Beechey - February 18, 2010
Attackers continue to find new methods for penetrating networks and compromising hosts. Therefore, defenders need to look for indications of compromise from as many sources as possible. Collecting and analyzing log data across the enterprise can be a challenging endeavor. However, the wealth of information for intrusion detection analysts is well worth the effort. SIEM solutions can help intrusion detection by collecting all relevant data in a central location and providing customizable alerting and reporting. In addition, SIEM solutions can provide significant value by helping to determine whether or not an incident occurred. The challenge for analysts is creating effective alerts in order to catch today's sophisticated and well-funded attackers.
Capturing and Analyzing Packets with Perl
by John Brozycki - January 28, 2010
This paper describes the steps in setting up a Windows system with Perl and the necessary add-ons to be able to run and create packet-capturing Perl scripts.
Smart IDS - Hybrid LaBrea Tarpit
by Cristian Ruvalcaba - December 28, 2009
The importance of IDS in corporate defense is seen as an ever growing necessity. Major strides have been made for numerous IDS tools, but some have seen a stalemate. The next evolutionary step in IDS would involve the concept of a 'Smart Intrusion Detection System (IDS)', one that generates signatures. The question of how to generate these signatures becomes instrumental, and can involve a number of different components. In this case, it could involve a tool that uses a hybrid LaBrea concept.
A Multi-Perspective View of PHP Remote File Include Attacks
by Dennis Schwarz - November 10, 2009
This paper describes the mechanics of a RFI (remote file include) attack by doing a code analysis and an attack walk through on a vulnerable application. Detecting an attack is discussed by writing sample IDS signatures and looking at related log files.
Efficiently Deducing IDS False Positives Using System Profiling
by Michael Karwaski - November 9, 2009
Security Whitepaper: How to create a simple, static inventory database and compare security alerts to see if they relate to the host in question. This will allow for greater visibility into which alerts are actually relevant to the end users network.
Harness the Power of SIEM
by Dereck Haye - October 6, 2009
Defend against the Conficker worm and other viruses. How it is possible to take individual security updates and, in a SIEM architecture, combine them with other metrics to enhance and tune detection capabilities.
Detecting Torrents Using Snort
by Richard Wanner - July 7, 2009
This paper decomposes BitTorrent and the associated protocols used in conjunction with BitTorrent downloads to devise a number of different ways to detect the aspects of this traffic. This research is then used to create Snort signatures which can be implemented to detect the BitTorrent traffic in your environment.
An Inexpensive Wireless IDS using Kismet and OpenWRT
by Jason Murray - May 4, 2009
The discipline of network security has as one of its goals the protection of critical business network traffic. There are a number of preventative methods that can be employed to ensure that a network is designed well, but attackers will still attempt to exploit weaknesses to gain access to important business data and systems.
Snort 3.0 Beta 3 for Analysts
by Doug Burks - April 15, 2009
This paper will demonstrate how analysts can begin experimenting with Snort 3.0 today by manually compiling the source code or by simply downloading a preconfigured bootable CD. This paper will also discuss the design of Snort 3.0 and its new features, such as multithreading, native inline bridging, dynamic reconfiguration, and native IPv6 support.
Capturing 10G versus 1G Traffic Using Correct Settings!
by Emilio Valente - March 16, 2009
In this paper, I will describe the steps needed to tune the host TCP/IP stack for optimal throughput for use with 1 GigE network interfaces and 10 GigE network interfaces.
Detecting and Preventing Anonymous Proxy Usage
by John Brozycki - November 6, 2008
This paper explores methods organizations may use to detect and prevent anonymous proxy usage.
Intrusion Detection Likelihood: A Risk-Based Approach
by Blake Hartstein - November 5, 2008
The goal of this paper is to highlight the useful aspects of Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS).
Intel IXP Network Processor Based Intrusion Detection
by Greg Pangrazio - October 16, 2008
This paper will introduce the IXP series processors as well as outline the steps to create a functioning Snort based IDS on the IXP 425.
Network IDS & IPS Deployment Strategies
by Nicholas Pappas - April 11, 2008
Information systems are more capable today than ever before. Society increasingly relies on computing environments ranging from simple home networks, commonly attached to high-speed Internet connections, to the largest enterprise networks spanning the entire globe. Filing one's tax return, shopping online, banking online, or even reading news headlines posted on the Internet are all so convenient. This increased reliance and convenience, coupled with the fact that attacks are concurrently becoming more prevalent, has consequently elevated the need to have security controls in place to minimize risk as much as possible.
Challenges of Managing an Intrusion Detection System (IDS) in the Enterprise
by Russell Meyer - March 28, 2008
While every enterprise is unique, there are common challenges in managing, monitoring and reacting to network IDS alerts. These include: managing the flood of alerts, creating actionable reports, and following-up on the reported alerts. This paper will explore the IDS challenges of a large organization with examples of specific lessons learned in monitoring the internal network.
by Justin Mitchell - January 7, 2008
Generally, honeypots accomplish the detection and collection of nefarious activity by emulating a given service or vulnerability and then logging the corresponding action or downloading the malicious code accordingly. Among other places, honeypots may reside within the LAN, DMZ, or external network (Internet).
Detecting and Preventing Unauthorized Outbound Traffic
by Brian Wippich - October 29, 2007
This paper will describe some of the risks associated with outbound traffic, methods for securing this traffic, techniques for circumventing these controls, and methods for detecting and preventing these techniques. There is no way to eliminate all risk associated with outbound traffic short of closing all ports. However, a good understanding of these risks should allow you to make informed decisions on securing this traffic.
Distilling Data in a SIM: A Strategy for the Analysis of Events in the ArcSight ESM
by James Voorhees - October 11, 2007
The ArcSight Enterprise Security Manager (ArcSight ESM, hereafter, simply ArcSight) collects and normalizes network data. It can include data from intrusion detection or protection systems (IDS/IPS), firewalls, servers, web servers, and other kinds of devices, including routers and switches. The data can comprise millions of events. This dataset must be reduced so that analysts can make sense of it and find the events of interest that indicate that action must be taken. This is no simple task. Nor can it be done in a day. It must be planned, then carried out with painstaking care. There is, however, no guide readily available that will tell you how to do this.
Tuning an IDS/IPS From The Ground UP
by Brandon Greenwood - September 27, 2007
This paper examines one of the many different methodologies for configuring or tuning an Intrusion Detection System or Intrusion Prevention System (IDS/IPS). The proper configuration of an IDS is a bit of an art because there are so many different ways to do it. I have seen and listened to many people explain the best way to configure a detection engine and while I don't subscribe to a best way, I have taken bits and pieces from some of these methodologies and combined them into a system that has worked for me.
Detecting and Preventing Rogue Devices on the Network
by Ibrahim Halil Saruhan - August 13, 2007
The main approach of this paper is to show how to use a site survey to detect rogue devices in a wireless network. A site survey, if used correctly, is extremely beneficial for detecting rogue devices. Rogue device detection can be considered the initial phase of wireless intrusion detection when it is not feasible to install sensors covering the entire wireless network area.
Assumptions in Intrusion Detection - Blind Spots in Analysis
by Rodney Caudle - March 28, 2007
This paper examines one of the assumptions that form the foundations of packet analysis. A discussion of an approach to analyzing protocol stacks is presented. This approach can be used to determine gaps in the protocol stack where an analyst can be misled.
Enhancing IDS using Tiny Honeypot
by Richard Hammer - November 13, 2006
This paper will describe how to install, use, and deploy Tiny Honeypot (THP), written by George Bakos [Bakos, 2002], and then use the data returned by THP to write custom IDS rules. THP completes the incoming connection, records data received, can return custom responses, and simulate any application layer protocol. Completing the TCP connections allows the IDS to see the data payload instead of just the connection attempt.
Passive Application Mapping
by Benjamin Small - October 27, 2006
Passive Application Mapping (PAM) is a solution for this problem. In this paper I cover the topics that are vital to understanding and utilizing PAM. I also cover the commercial and public efforts that incorporate PAM to better aid in Intrusion Analysis and network maintenance.
A Framework to Collect Security Events for Intrusion Analysis
by Jim Chrisos - April 3, 2006
This paper describes a framework to help security personnel have a starting point with which to collect and view security events from devices capable of reporting via syslog. Ideally, the reader will be able to follow along and use this paper in a way similar to a how-to reference guide.
Solaris 10 Filesystem Integrity Protection Using Radmind
by Sam Wilson - May 17, 2005
This report is intended to provide information of value to security engineers who are choosing among various solutions to protect their Solaris systems from undesirable changes. In particular, the open-source product "Radmind" is described so it may be effectively compared to other, perhaps more well-known, commercial and open-source filesystem integrity applications.
Understanding Wireless Attacks and Detection
by Christopher Low - May 17, 2005
This paper introduces wireless attacks from an OSI layer 2 perspective and attempts to understand how wireless attacks can be detected by looking at wireless frames at these layers.
A Honeypot Based Worm Alerting System
by Jeff Kloet - May 5, 2005
Network administrators are always looking for simple and effective ways to make their company networks more secure and resilient against worms and viruses.
Building a tripwire System for SQL Server
by Frank Ress - May 5, 2005
Tripwire is a well known host-based Intrusion Detection System (IDS) that is available for a wide range of operating systems in both commercial and noncommercial versions.
Maintaining a Secure Network
by Robert Droppleman - August 15, 2004
Maintaining a secure network connected to the Internet is becoming more difficult as time goes on. New viruses are released daily, and higher machine speeds and more sophisticated and automated tools mean that hackers can scan and attack wide sections of the Internet at a time.
Enforcing Policy at the Perimeter
by Derek Buelna - July 25, 2004
The rapid deployment of security patches and anti-virus updates has become a basic need within most IT organizations. The time between the disclosure of a vulnerability and its exploitation continues to decrease while vulnerabilities are becoming easier to exploit and are increasingly severe. Locally enforcing security policy on a large number of computers can be a challenge but keeping remote (VPN or dial-up connected) computers up to date can prove even more difficult.
Algorithm-based Approaches to Intrusion Detection and Response
by Alexis Cort - June 9, 2004
Computer and network intrusions have been with us since the introduction of the computer, but intrusion detection systems are still somewhat new to the market (first implementations started in the early 90's).
Understanding IPS and IDS: Using IPS and IDS together for Defense in Depth
by Ted Holland - May 2, 2004
Over the past few years many papers and books have included articles explaining and supporting either Intrusion Detection Systems (IDS) or the newer technology on the security block, Intrusion Prevention Systems (IPS).
Running a World Class Intrusion Detection Program: More Than Just Picking the Right Tool
by JD Aupperle - May 2, 2004
In today's security landscape, intrusion detection systems have joined firewalls as "must have" tools, but getting the greatest benefit from these devices requires much more than a deploy-and-move-on strategy.
Enterprise Security Management: Reducing the Pain of Managing Multiple IDS Systems
by David Leadston - March 25, 2004
ESM is an emerging market space within the security technology arena that consists of several vendors who provide a holistic view of all your security device information.
IDS Burglar Alarms: A How-To Guide
by Mark Embrich - March 2, 2004
The goal of this paper is to make the task of building Intrusion Detection burglar alarms less daunting, and it incorporates modular "how-to" guides.
Intrusion detection evasion: How Attackers get past the burglar alarm
by Corbin Carlo - December 13, 2003
The purpose of this paper is to show methods that attackers can use to fool IDS systems into thinking their attack is legitimate traffic.
Secure Setup of a Corporate Detection and Scanning Environment
by Dieter Sarrazyn - December 13, 2003
This paper covers the secure deployment of a distributed intrusion detection environment as well as the secure deployment of a distributed vulnerability scanning environment.
Wanted Dead or Alive: Snort Intrusion Detection System
by Mark Eanes - December 13, 2003
A review of IDS deployment strategies using hubs, switches, or taps and a brief discussion on IDS implementation on the network is presented in this paper.
Distributed NIDS: A HOW-TO Guide
by Alan McCarty - November 6, 2003
This paper discusses the design, installation, configuration and monitoring of an NIDS, and provides the reader with a fully functional and powerfully distributed NIDS as a result.
Snort Alert Collection and Analysis Suite
by Chip Calhoun - November 6, 2003
This document outlines separating Snort IDS Collection and Analysis Suite duties across a minimum of three servers (Snort sensor, MySQL database and an ACID web server) to gain optimal coverage and performance.
The Human Factor - Adding Intelligence and Action to Intrusion Detection
by Daniel Hill - August 22, 2003
This paper explores the current state of Intrusion Detection Systems (IDS) technology, identifies system requirements and essential elements in the context of an overall architecture; and it highlights several systems, available today, that fit nicely into the suggested architecture.
Intrusion Detection with MOM - Going Above the Wire
by Don Murdoch - July 29, 2003
In this paper, Microsoft Operations Manager 2000 (hence, MOM) will be discussed as a tool to aid the analyst in understanding what occurs within the operating system and the application level.
Intelligent Correlator for NIDS
by Marco Bove - June 19, 2003
The goal of this work is the realization of a prototype of a system that reduces the number of false positives of a NIDS by triggering real-time collection of information upon alert reception.
Securing a Windows Snort Sensor for Hostile Environments
by Michael Wunsch - June 3, 2003
This white paper documents how to secure a Windows Snort sensor for deployment into extremely hostile environments.
IDMEF "Lingua Franca" for Security Incident Management
by Douglas Corner - June 3, 2003
This paper examines the relationship of the Intrusion Detection Working Group specifications to transfer protocols, as well as giving an overview of the specifications themselves.
Intrusion Prevention - Part of Your Defense in Depth Architecture?
by Roberta Spitzberg - June 2, 2003
This paper will explore Intrusion Protection Systems (IPS) from the perspective of using IPS as part of a Defense in Depth strategy.
Installing, Configuring, and Testing The Deception Tool Kit on Mac OS X
by Jon Lucenius - May 30, 2003
This paper will introduce a Honey Pot known as the Deception Tool Kit (DTK) written by Fred Cohen. It will give an overview of what the DTK is, where to obtain it, how it works, and offers advice about when it should be deployed.
Intrusion Detection Is Dead. Long Live Intrusion Prevention!
by Timothy Wickham - May 12, 2003
This practical will demonstrate the limitations and drawbacks of intrusion detection as well as the reasons why intrusion prevention is a vastly better method of securing a network.
An Overview of PureSecure™
by Jeffrey Slonaker - May 12, 2003
This paper's objective was to examine the role of the Intrusion Detection System (IDS) in modern security strategies, establish a set of criteria for IDS evaluation, investigate the functionality of PureSecure™, an application developed and marketed by Demarc Security, and present conclusions concerning its desirability as a working IDS.
Turning the tables: Loadable Kernel Module Rootkits deployed in a honeypot environment
by Jonathan Rose - May 8, 2003
This paper addresses the topic of honeypots, which are one of the latest technologies available to track and monitor hackers and Internet attackers.
Archiving Event Logs
by Jim Stansbury - May 8, 2003
Archived event logs often play an important role in the detection, investigation, and prosecution of a computer crime or other computer misuse.
The Keep Within the Castle Walls - An Experiment in Home Network Intrusion Detection
by Gary Wallin - May 8, 2003
The author describes how to set up Snort 1.9.1 on a virtual Linux machine, including before and after scenarios.
Distributed Intrusion Detection Systems: An Introduction and Review
by Royce Robbins - February 5, 2003
A number of dIDS with global scope have been active for several years, and five of these are discussed and compared with each other in terms of focus, data source, notification tools, available agents, statistical reporting tools and linkage to security and vulnerability information.
Intrusion Prevention Systems - Security's Silver Bullet?
by Dinesh Sequeira - November 14, 2002
This paper takes a look at Intrusion Prevention Systems (IPS), the technology behind these systems, why we need them, how they function, their pros and cons, and lists some highly rated products.
Hands in the Honeypot
by Kecia Gubbels - November 3, 2002
This paper focuses on the description and analysis of honeypots as well as how and where they are used. I describe the process of setting up and running a honeypot.
Choosing an Intrusion Detection System that Best Suits your Organization
by Dennis Mathew - September 16, 2002
A discussion of the nature of an IDS as well as a review of the various types of IDSs on the market and the varied approaches they take to detect intruders.
Doing My Part - Sending Data to the Internet Storm Center
by Sydney Jensen - July 1, 2002
This paper documents the procedure that I set up to automate collecting and sending intrusion attempt information to Incidents.org and the Internet Storm Center, then discusses my results and some possible next steps.
A Single IDS Console Please: ManHunt 2.1 Pilot Test
by Scott Reynolds - June 17, 2002
The paper discusses the pilot implementation of ManHunt, the protocol-anomaly-based NIDS offered by Recourse Technologies, which was evaluated against the high-level functional requirements detailed in the following case study.
Snort Install on Win2000/XP with Acid, and MySQL
by Christina Neal - May 8, 2002
This paper is designed with as much detail as possible to help "newbies" easily install and configure Snort 1.8.6 on Windows 2000/XP.
A Thousand Heads Are Better Than One - The Present and Future of Distributed Intrusion Detection
by Robert Zuver - April 30, 2002
This paper will focus on intrusion detection systems in general, and specifically on two examples of the most promising new weapon in the battle against Internet hackers and worms: distributed intrusion detection.
A Practical Guide to Running SNORT on Red Hat Linux 7.2 and Management Using IDS Policy Manager MySQL
by William Metcalf - April 2, 2002
This paper demonstrates how to set up Snort on Red Hat 7.2 and how to manage your sensor and view alerts from your Windows 2000 workstation.
The Design and Theory of Data Visualization Tools and Techniques
by Brian Sheffler - March 26, 2002
The purpose of this paper is to inform and educate security professionals about the analytical potential of using a tool or technique that renders visual representations of the data/traffic that traverses a given network. The emphasis is on the design and theory behind such tools. Included are examples of data visualization products that are commercially available.
SSH and Intrusion Detection
by Heather Larrieu - March 17, 2002
This paper outlines the role and issues with the use of the SSH protocol, types and methods of intrusion detection, and proposes techniques and an architecture for an intrusion detection system that uses the SSH daemon as a sensor.
Network IDS: To Tailor, or Not to Tailor
by Jon-Michael Brook - March 6, 2002
The following discussion centers on the benefits and drawbacks of rule-based Intrusion Detection Tailoring, and how, overall, it is best to leave tailoring for Network IDS systems to the product vendors.
Intrusion Detection Interoperability and Standardization
by Pravin Kothari - February 19, 2002
This paper presents the motivation for such standardization efforts and an overview of a potential standard - IDMEF along with its communication protocol IDXP.
A Tool for Running Snort in Dynamic IP Address Assignment Environment
by Shin Ishikawa - February 16, 2002
The purpose of this paper is to detail the creation of a small tool program which aids the operation of the Snort IDS in a dynamically assigned IP address environment.
Suspicious Unix Log File Entries and Reporting Considerations
by Cathy Gresham - February 12, 2002
In my Kickstart paper I covered basic Unix log files with a configuration file that gathered everything. I would like to expand on that and now cover messages found in those log files that would cause concern and require further investigation.
Using Snort For a Distributed Intrusion Detection System
by Michael Brennan - January 29, 2002
This document will provide an option for setting up a distributed network intrusion detection system using open source tools including the intrusion detection software Snort.
Host Based Intrusion Detection: An Overview of Tripwire and Intruder Alert
by Allison Hrivnak - January 29, 2002
Choosing the right software for an intrusion detection system can be a challenging task that often requires extensive research. While there are many different products available, Tripwire from Tripwire Inc. and Symantec's Intruder Alert offer two possible solutions for a host-based intrusion detection system.
IDS - Today and Tomorrow
by Thomas Goeldenitz - January 22, 2002
This paper is not intended to predict the future, but bring to light emerging technologies and trends in the field of IDS that could make the life of the security specialist easier (if there is such a thing).
Do I Need to Be Concerned About These Firewall Log Entries?
by Arvid Soderberg - January 15, 2002
In this paper, I'll highlight certain entries from the firewall log file and attempt to determine the level of concern that should be associated with them.
Protocol Anomaly Detection for Network-based Intrusion Detection
by Kumar Das - January 5, 2002
This paper describes Intrusion Detection Systems (IDS) and compares the two main categories of detection principles, signature detection and anomaly detection; also described is a new type of anomaly detection based on protocol standards.
Host-Based Intrusion Systems for Solaris
by Lynn Bogovich - January 1, 2002
This paper presents requirements for an Intrusion Detection System (IDS), as well as an analysis of currently available IDS software packages and a recommendation of the best HIDS package to manage a suite of Solaris machines.
Network Intrusion Detection - Keeping Up With Increasing Information Volume
by Timothy Weber - December 22, 2001
This paper will detail ways to help a network-based IDS cope with the ever increasing volume of information that threatens its ability to fulfill its role in a defense-in-depth strategy.
Black ICE 2.5 Events, False Positives and Custom Attack Signatures
by Alan Mercer - November 28, 2001
This paper aims to help BlackICE IDS administrators by identifying and classifying some events frequently seen by IDS agents in two common deployments - on a DMZ web server and on systems within an internal (mainly Microsoft) network.
An Informal Analysis of One Site's Attempts to Contact Host Owners
by Laurie Zirkle - November 25, 2001
This paper will look at one system administrator's attempts to contact host owners of machines that scan or probe her network. After a brief discussion of various ways to identify possible contacts, this person's data will be used to show how different sites may respond and how probes have multiplied over a definitive period of time. The paper concludes by mentioning two projects that might help the overburdened system/network/security administrator to simplify the whole process of contacting a host owner.
The History and Evolution of Intrusion Detection
by Guy Bruneau - October 13, 2001
The aim of this paper is to examine the origins of detecting, analysing and reporting of malicious activity, where it is today and where it appears to be heading in the future. Some of the many techniques and tools presently used in Network defence will be explored as well.
Intrusion Detection Systems: Definition, Need and Challenges
by Abhijit Sarmah - October 3, 2001
This paper defines Intrusion Detection Systems and examines the need for such tools as well as the challenges of IDS implementation.
Intrusion Detection Systems: An Overview of RealSecure
by Darrin Wassom - September 27, 2001
This paper reviews one IDS, RealSecure, to describe its pluses and minuses with special emphasis on filtering out false positives.
Intrusion Detection - Systems for Today and Tomorrow
by George Ho - September 5, 2001
This paper will examine intrusion detection systems, one of the relatively new technologies in information security. It aims to explore, at a high level, the intrusion detection systems available today, as well as new developments in the technology.
Building and Maintaining a NIDS Cluster Using FreeBSD and Snort
by Michael Boman - August 30, 2001
This paper describes how to build a NIDS cluster with central logging and maintenance facilities.
Anti-IDS Tools and Tactics
by Steve Martin - August 22, 2001
This paper focuses on Network ID Systems, and discusses the technical detail behind techniques that can be employed to counteract the utility of these systems and identifies tools that actually use the techniques described.
Selecting an Intrusion Detection System
by Kathleen Buonocore - August 19, 2001
This paper examines five steps to follow when selecting an intrusion detection system (IDS): identify the need, gain a general understanding of intrusion detection systems, gain a detailed understanding of the network, evaluate various IDS systems, and determine policy and procedures.
Understanding Intrusion Detection Systems
by Danny Rozenblum - August 9, 2001
The paper is designed to: outline the necessity of the implementation of Intrusion Detection systems in the enterprise environment; clarify the steps that need to be taken in order to efficiently implement your Intrusion Detection System; and, describe the necessary components.
Application of Neural Networks to Intrusion Detection
by Jean-Philippe Planquart - July 29, 2001
This paper presents a "state of the art" of Intrusion Detection Systems, covering commercial and research tools under development, and a new way to improve false-alarm detection using a neural network approach.
Using Snort v1.8 with SnortSnarf on a RedHat Linux System
by Richard Greene - July 25, 2001
This analysis concentrates on several ways of getting the log file information from an open source IDS system called Snort. The tool that is explored for that purpose is SnortSnarf.
How to Choose Intrusion Detection Solution
by Baiju Shah - July 24, 2001
This paper discusses how intrusion detection systems are crucial in securing any system, but their effectiveness comes only from proper planning, deploying, monitoring, and responding to intrusions.
Logfile Analysis: Identifying a Network Attack
by Michael Fleming - July 21, 2001
Although all parts of the backup strategy are equally important, this paper will focus on the backup script and will detail a flexible backup script that uses built-in Solaris software tools which create a reliable local backup of a Solaris machine running Oracle.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact email@example.com.
All papers are copyrighted. No re-posting or distribution of papers is permitted.