(1) The document discusses network attack and intrusion prevention systems. It describes how intrusion prevention systems (IPS) aim to detect and block threats in online traffic in real-time, beyond just detecting threats like intrusion detection systems (IDS). (2) Feature extraction from network traffic is important for IPS to analyze without being overwhelmed by raw data. The document examines relevant features to monitor and criteria for deciding what is important to track. (3) Experimental testing is needed to evaluate IPS performance. The document outlines stages for training systems, testing methodsologies, and resuming test results. This helps IPS avoid unexpected outcomes and ensures continuous monitoring.

1. Network Attack and
Intrusion Prevention System
Deris Stiawan. Ph.D
C|EH, C|HFI
Computer Network & Information Security (COMNETS) Research Group
Universitas Sriwijaya
2017

2. David, S. (2012). "The state of network security." Network Security 2012(2): 14-20.

3. Dlamini, M. T., J. H. P. Eloff, et al. (2009). "Information security: The moving target." Computers & Security 28(3–4):
189-198.

5. Hansman, S. and R. Hunt (2005). "A taxonomy of network and computer attacks." Computers & Security 24: 31-43.

6. Reported increasing numbers of types, methods and volume of attacks
There are explosion of security threats in recent years: Trojan, virus,
worms, adware, spyware and DoS are continuing to grow, multiply,
evolve and toward future in the cyber war.
New method / trend of attack,
and cyber attack challenging
described
According to;
(CSI/FBI 2011), (CERT-IST, 2012)
(Kenneth, 2010b), (Mansfield-
Devine, 2011) and (David, 2012)
(Kenneth, 2010a), (Amoroso, 2011),
(Sommer, 2012) and (Chen et al., 2012)

7. Intrusion Prevention System
IPS are considered to be an extension of IDSs, although IPS and IDS both
examine network traffic searching for attacks. They both detect malicious or
unwanted traffic but IPS able to eliminate the threats traffic.
(Patel A et al., 2010; Patel A et al., 2013)
Intrusion prevention is the process of performing intrusion detection and
attempting to stop detected possible incidents.
IDS inform of a potential attack, whereas, IPS makes attempts to stop it. IPS is
designed and developed for more active protection to improve upon the IDS
and Firewall

8. Detection
Prevention
Reaction
Response
Firewall Features
Access Control
Policy Management
Alarm
Accuracy
Sensor
Reporting
Readiness
Early prevent
Prediction
Abstracted by;
(Manikopoulos 2003), (Zou & Towsley 2005), (Stakhanova et al. 2007), (Debar et al. 2008),
(Anuar et al. 2010), (Patel et al. 2010), (Mu et al. 2010), (K. Salah & Kahtani 2010), (Elshoush
& Osman 2011), (Patel et al. 2013)

9. CSI/FBI (2010) : Satisfaction With Security Technology

10. Patel, A., Q. Qassim, et al. (2010). "A survey of intrusion detection and prevention systems.“
Information Management & Computer Security 18(4): 277 - 290.
Comparison IDS & IPS

11. IDS design just only identify
and examined to produce
alarm
IPS design is to enhance data processing
ability, intelligent, accurate of it self.
- Simple pattern matching
- Stateful pattern matching
-Protocol decode-based
analysis
- Heuristic-based analysis
- Recognize attack pattern
- Blocking action
- Stateful pattern matching
- Protocol decode-based analysis
- Heuristic-based analysis
- A passive security solution
- Detect attack only after they
have entered the network,
and do nothing to stop
attacks only just attacks
traffic and send alert to
trigger.
- Active response security solution
- Early Detection, proactive technique,
early prevent the attack, when an
attack is identified then blocks the
offending data
- Commonly collected in
source sensors
- Multisensory architectures
- Enable to integrated with other
platform
- Have the ability to integrate with
heterogeneous sensor
Usefulness
Signatures
Action
Activity /
Response
Sensor
I D S I P S

12. The Problem & Issues IDPS
Active Reaction Passive Reaction
On-line / Off-line Detection Speed / Accuracy
Response
Time of Detection
Sniffing Packet Features Identification
Testing / Comparing
Data Sets
Identify threat
Simulation Live Environment Live attack Pentest
DARPA MIT ISCX ITD UTM
HighHumanInteraction
ResourceConsumption
TrafficData

13. ITD UTM Data set

14. Attack Pattern (sample)
ScanningBruteForceDoS
Windows Server 2003
Freebsd
Linux Redhat
(www.pcrg-utm.org/dataset)

15. 10.10.10.15, 10.10.10.20 (Attacker’s)
10.10.10.10.5 (Redhat), 10.10.10.10 (FreeBsd), 10.10.10.25 (Windows Server 2003)

16. Normal & Attack Traffic
DoS
Normal / Attack ?
Normal Access:
Web 2.0 ( Video, Blog, Chat)
Penetration Testing:
Probe: Scanning, Network Mapping
U2R: Rooting, Escalating Privilege
R2L: Malware, SQL Injection, ARP
Man in the Middle Attack
DoS: ICMP Flooding

23. (1) How to capture, analyse the traffic and recognise threats in online
traffic?
The Research Question
(2) How to feature extracts from the TCP/IP header of packets and
decrease the dimensionality of the dataset by discarding any redundant
or irrelevant features ?
(3) What are the criteria to decide which features should be monitored
(Niemelä, 2011); (Davis and Clark, 2011) ?
(4) Is it possible for the intrusion prevention system to react automatically
to certain problems to try to contain or stop the damage (Niemi , 2012;
Stakhanova, 2007) ?

24. (1) Capture, analyze the traffic and recognize

25. (2) Feature extraction from raw data

26. (3) What the Relevant Parameter Features

27. Sensor Analyzer Reporting Event Response
SniffingModule
(4) Identify and Response Mechanism
Allow
Deny
LogNotificationCapturing

28. Experimental Stages
• Training the data
• The methodology
• Avoid some unexpected results
• Testing (sequence / randomize) process and
continuous
– Standard stages of observations
– Resume the results

29. Research: IPS
Existing method: Static Parameters for update policy
Naveed et al., (2010) Nicoletti , (2009) ;
Zhou et al., (2010)
abortion, ads,
adult, banking,
blog, chat,
drug,
ecommerce,
Gambling,
hacking, porn,
warez, etc
Wuu et al., 2007
The current methods of payload attacks have changed, modern attackers are able to change the information and
content of packets
Those solutions were only unable to identify traffic and can not detect or block threats occurring in real-time traffic
Able to identify threats without any response
method
Detection threat based on src IP, Dst IP, Packet
Length, TCP lags
URL lookup
& Content
Filtering
Able to block based on
URL & content filtering
IP Access List
Able to block threat
based on IP / Port

30. Wattanapongsakorn et al., (2012)Sangkatsanee et al., (2011)

31. Practical: IPS
Hardware / Software based
- Box devices, add on / module device for router (hardware based)
- Applications running on operating system (software based)
IPS Features from Firewall & IDS function with Unified Threat Management
- Able to stop L7 (Application), L4 (Transport), L3 (Network), L2 (Data Link)
- Firewall function: stop / reject the malicious
- IDS function: detection, monitoring and deep packet inspections
- One integration management system
Engine for device knowledge
- They have own knowledge / method or combined with Snort signature

32. Source: www.dtginc.net

33. Command Rules

34. Astaro Security
Gateway 110/120
Astaro Security
Gateway 220
Astaro Security
Gateway 320
Astaro Security
Gateway 425
Astaro Security
Gateway 525/525F
Environment
Small office/
branch office
Small to Medium
business
Medium business
Medium business,
enterprise division
enterprise division
Hardware
specs
3 x 10/100 Base-TX
ports
integrated HD
8 x 10/100 Base-TX
ports
integrated HD
4 x 10/100 Base-TX ports
4 x Gigabit Base-TX port
integrated HD
4 x Gigabit ports – PCI bus
4 x Gigabit ports – PCI
Express bus
Hardware acceleration card
integrated HD
Dual Intel Xeon CPU
10 x Gigabit ports – PCI
Express bus
- 525: 10 x Copper
- 525F: 4 x Copper/6 x SFP
Hardware acceleration card
2 integrated HD (RAID1) 1)
2 redundant Power supplies)
Performance
Firewall
VPN
IPS
100 Mbps
30 Mbps
55 Mbps
260 Mbps
150 Mbps
110 Mbps
420 Mbps
200 Mbps
180 Mbps
1,200 Mbps
265 Mbps
450 Mbps
3,000 Mbps
400 Mbps
750 Mbps
1) hot-swappable
Sophos Astaro: Security Gateway Appliances

35. Screenshot Dashboard Sophos

36. Screenshot Dashboard Sophos

37. Screenshot Dashboard Sophos

38. 2013:05:26-17:09:24 sophos ulogd*4673+: id="2001” severity="info" sys="SecureNet"
sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0"
srcmac="68:ef:bd:ab:13:7f" dstmac="e4:1f:13:69:44:14"
srcip="115.239.210.27" dstip="202.9.69.90" proto="6"
length="40" tos="0x00" prec="0x00" ttl="47"
srcport="80" dstport="29238" tcpflags="ACK SYN“
Sample Log Astaro
drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"D WEB-MISC Webtrends HTTP probe"; flow:to_server,established;
content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|";
classtype:web-application-activity; sid:1101;)
Sample Rule Astaro

39. Testbed & Pentest

40. Analysis and Results
Traffic accuracy for
inbound – outbound:
(a) without policy,
(b) Other method,
(c) RT-IPS pitcher flow

42. Thank You
deris@ieee.org