P046 - DIMVA 2004 - Detection of intrusions and malware & vulnerability assessment, GI SIG SIDAR workshop,
- Conference paper: Foundations for intrusion prevention (Detection of intrusions and malware & vulnerability assessment, GI SIG SIDAR workshop, DIMVA 2004, 2004). Rubin, Shai; Alderman, Ian D.; Parter, David W.; Vernon, Mary K. Abstract: We propose an infrastructure that helps a system administrator to identify a newly published vulnerability on the site hosts and to evaluate the vulnerability's threat with respect to the administrator's security priorities. The foundation of the infrastructure is the vulnerability semantics, a small set of attributes for vulnerability definition. We demonstrate that with a few attributes it is possible to define the majority of the known vulnerabilities in a way that (i) facilitates their accurate identification, and (ii) enables the administrator to rank the vulnerabilities found according to the organization's security priorities. A large-scale experiment demonstrates that our infrastructure can find significant vulnerabilities even in a site with a high security awareness.
- Conference paper: Trust-based runtime monitoring of distributed component-structured e-commerce software (Detection of intrusions and malware & vulnerability assessment, GI SIG SIDAR workshop, DIMVA 2004, 2004). Herrmann, Peter; Wiebusch, Lars; Krumm, Heiko. Abstract: The development of component-structured e-commerce software is inexpensive and fast, since the systems are assembled quite simply from reusable software components. However, this design method leads to a new kind of problem for the data security of these systems. In particular, there is the danger that a malicious component threatens the entire application into which it is integrated. To counter this danger we use security wrappers, which monitor the behaviour of components at runtime and enforce the security requirements of the application. A security wrapper observes the behaviour at the interface of a component and compares it with the security policies guaranteed by the component developer, which are formally described in the component specification. We present how the security policies are described in a state-based manner and introduce a collection of specification patterns from which the security policy models for a component are derived. Finally, we show the use of the security wrappers on an e-procurement example. Furthermore, we explain how the effort of runtime testing can be reduced by taking into account the experiences of other users with a component. For this we use a special trust management service that manages the good and bad experiences of different users with components. Depending on these experience reports, the security wrappers can lower the extent of monitoring by performing only spot checks instead of complete monitoring, or even discontinue monitoring altogether.
- Conference paper: Alarm reduction and correlation in intrusion detection systems (Detection of intrusions and malware & vulnerability assessment, GI SIG SIDAR workshop, DIMVA 2004, 2004). Chyssler, Tobias; Burschka, Stefan; Semling, Michael; Lingvall, Tomas; Burbeck, Kalle. Abstract: Large Critical Complex Infrastructures are increasingly dependent on IP networks. Reliability by redundancy and tolerance are an imperative for such dependable networks. In order to achieve the desired reliability, the detection of faults, misuse, and attacks is essential. This can be achieved by applying methods of intrusion detection. However, in large systems, these methods produce an uncontrollably vast amount of data which overwhelms human operators. This paper studies the role of alarm reduction and correlation in existing networks for building more intelligent safeguards that support and complement the decisions of the operator. We present an architecture that incorporates Intrusion Detection Systems as sensors, and provides quantitatively and qualitatively improved alarms to the human operator. Alarm reduction via static and adaptive filtering, aggregation, and correlation is demonstrated using realistic data from sensors such as Snort, Samhain, and Syslog.
- Conference paper: A honeynet within the German research network – Experiences and results (Detection of intrusions and malware & vulnerability assessment, GI SIG SIDAR workshop, DIMVA 2004, 2004). Reiser, Helmut; Volker, Gereon. Abstract: A honeynet is a specially prepared network which is not used in normal business. It is a kind of playground to watch and learn the tactics of crackers. The only purpose of a honeynet is to be probed, attacked or compromised. During operation, other systems may not be harmed by an attack originating within the honeynet. In this paper the design, realization and operation of a honeynet built within the German Research Network (DFN) are described. Concepts for continuously monitoring and securing the honeynet are introduced. A selection of the results of the operation phase is presented as well.
- Conference paper: Structural comparison of executable objects (Detection of intrusions and malware & vulnerability assessment, GI SIG SIDAR workshop, DIMVA 2004, 2004). Flake, Halvar. Abstract: A method to heuristically construct an isomorphism between the sets of functions in two similar but differing versions of the same executable file is presented. Such an isomorphism has multiple practical applications, specifically the ability to detect programmatic changes between the two executable versions. Moreover, information (function names) which is available for one of the two versions can also be made available for the other. A framework implementing the described methods is presented, along with empirical data about its performance when used to analyze patches to recent security vulnerabilities. As a more practical example, a security update which fixes a critical vulnerability in an H.323 parsing component is analyzed, the relevant vulnerability extracted, and the implications of the vulnerability and the fix discussed.
- Conference paper: Sensors for detection of misbehaving nodes in MANETs (Detection of intrusions and malware & vulnerability assessment, GI SIG SIDAR workshop, DIMVA 2004, 2004). Kargl, Frank; Klenk, Andreas; Weber, Michael; Schlott, Stefan. Abstract: The fact that security is a critical problem when implementing mobile ad hoc networks (MANETs) is widely acknowledged. One of the different kinds of misbehavior a node may exhibit is selfishness. A selfish node wants to preserve its resources while using the services of others and consuming their resources. One way of preventing selfishness in a MANET is a detection and exclusion mechanism. In this paper, we focus on the detection and present different kinds of sensors that will find selfish nodes. First we present simulations that show the negative effects which selfish nodes cause in a MANET. In the related work section we analyze the detection mechanisms proposed by others. The new detection mechanisms that we describe in this paper are called activity-based overhearing, iterative probing, and unambiguous probing. Simulation-based analysis of these mechanisms shows that they are highly effective and can reliably detect a multitude of selfish behaviors.
- Conference paper: LIV - The Linux integrated viruswall (Detection of intrusions and malware & vulnerability assessment, GI SIG SIDAR workshop, DIMVA 2004, 2004). Dantas de Medeiros, Teobaldo A.; Pires, Paulo S. Motta. Abstract: This paper presents a system developed on Linux aimed at protecting local area networks containing Windows workstations against malicious agents. The developed solution, named LIV - Linux Integrated Viruswall, besides filtering SMTP, HTTP and FTP traffic destined for the protected network, is capable of detecting the propagation of malicious agents in the local area network using a technique that we call 'sharing-trap'. Compromised workstations are isolated from the network and their users are notified, stopping the malicious agent's spread. Results collected from a network protected by LIV, containing thousands of Windows workstations, are presented and discussed. This paper includes information about the recent incident caused by the MyDoom worm.
- Conference paper: Anti-patterns in JDK security and refactorings (Detection of intrusions and malware & vulnerability assessment, GI SIG SIDAR workshop, DIMVA 2004, 2004). Schönefeld, Marc. Abstract: This paper underlines the importance of security awareness whilst programming Java applications. Several problems in current JDK implementations are demonstrated that allow the security of Java applications to be undermined. Coding errors and quality problems in current Java distributions create possibilities to create covert channels, cause resource blocking and denial-of-service attacks. To make things worse, Java components are often deployed according to the AllPermissions anti-pattern with non-restrictive security settings, which allows bugs on the system layer to be exploited by attackers. Coping with this anti-pattern from the user side is connected with the definition of adequate permission sets. A tool that automates this time-consuming task is presented as a refactoring for the AllPermission anti-pattern.
- Conference paper: Risks of non-detection of malware in compressed form (Detection of intrusions and malware & vulnerability assessment, GI SIG SIDAR workshop, DIMVA 2004, 2004). Fangmeier, Heiko; Messerschmidt, Michel; Müller, Fabian; Seedorf, Jan. Abstract: Malicious software (malware) endangers the confidentiality, integrity and availability of information systems in various ways. This contribution investigates to what extent malware in compressed form gives rise to risks. Selected risks are illustrated and analysed using a scenario. A standard protection mechanism against malware is anti-malware software. A test methodology is presented with which the quality of detection of malware in compressed form by anti-malware software can be tested systematically. Finally, test results obtained with this methodology are presented.