1. AN ARCHITECTURE FOR MINING THE EGYPTIAN E-GOVERNMENT NETWORK TRAFFIC FOR INTRUSION DETECTION
   Prepared By: Mervat M. Fahmy
   Supervised By: Dr. A. M. Riad, Dr. M. A. Sharkawy
   06/07/09
   Mansoura University, Faculty of Computer & Information Sciences, Information Systems Dept.
4. Components of Intrusion Detection Systems
   IDS components (labels recovered from the slide's diagram):
   Data sources
     - Network Monitoring: capture and analyze network packets using sensors placed at various points in a network, and report attacks to a management console.
     - Host Monitoring: operate on data collected from individual computer systems (OS audit trails, system logs, etc.).
     - Application Monitoring: analyze the events occurring within a software application that are registered in the application's transaction log files.
   Analysis approach
     - Misuse Detection: analyzing system activity to find events that match predefined patterns (signatures) describing known attacks.
     - Anomaly Detection: identifying abnormal behavior (anomalies) on a host or network. The main assumption is 'attacks are different from legitimate activity and can be detected by systems that identify these differences'.
   Response mechanism
     - Active
     - Passive
11. The Egyptian e-government as an environment
    Figure: entities in the e-government environment (labels recovered from the diagram): Ministries & Public Bodies, Security System, Investors, Organizations, Experts, Internet & Telephony, E-Government's Private Network, Citizens, National Databases, Service Brokers.
14. MEGNTID Architecture
    Figure: MEGNTID architecture, "The Real-Time Building Phase" (labels recovered from the diagram).
    Data capture and preprocessing: Sensor, Traffic Data, Preprocessing Engine, Formatted Traffic Data, Unlabeled Traffic Data.
    Local Layer of Intrusion Detection System (Local Site 1 ... Local Site n): Local Profile Matching Engine with the Normal Profile Database; Normal Data Records and Normal Records; Anomalous Data Records; Local Anomaly Detection Engine; High-Ranked Anomalies; Local Response Engine; New Normal Profile Rules.
    Global Layer of Intrusion Detection System: Global Known-Attacks Detection Engine with the Attacks Database; Known Attacks; Global Anomaly Analysis Engine; High-Ranked Anomalies; Highly Suspicious Anomalies; New Attacks Rules; Global Response Engine.
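As an added illustration of the hand-off between the local and global layers (example code written for this page, not the presentation's or the MEGNTID project's own implementation): a local site matches records against its normal profile and ranks anomalies, the global layer checks high-ranked anomalies against the attacks database and turns the unmatched ones into new-attack rules pushed back to the sites. The normal profile, signature database, threshold and traffic records are all constructed sample data.

```python
# Toy model of the MEGNTID local/global flow; all data below is constructed.

# Constructed normal profile: baseline packets per record for each service
NORMAL_PROFILE = {"http": 50, "dns": 10, "smtp": 20}
# Constructed attacks database: (proto, service, flag) -> attack name
ATTACKS_DB = {("tcp", "ssh", "many_failed_logins"): "ssh-bruteforce"}
HIGH_RANK_THRESHOLD = 3.0  # score at/above which an anomaly is "high-ranked"

def local_layer(records, profile, threshold=HIGH_RANK_THRESHOLD):
    """Local Profile Matching + Local Anomaly Detection engines.
    Returns (normal_records, high_ranked_anomalies)."""
    normal, high_ranked = [], []
    for rec in records:
        base = profile.get(rec["service"])
        # A service with no profile entry cannot be matched: rank it highest
        score = float("inf") if base is None else rec["packets"] / base
        if score >= threshold:
            high_ranked.append(dict(rec, score=score))
        else:
            normal.append(rec)
    return normal, high_ranked

def global_layer(high_ranked, attacks_db):
    """Global Known-Attacks Detection + Global Anomaly Analysis engines.
    Returns (known_attack_hits, new_attack_rules)."""
    known, new_rules = [], {}
    for a in high_ranked:
        sig = (a["proto"], a["service"], a["flag"])
        if sig in attacks_db:
            known.append((attacks_db[sig], a))
        else:  # not in the database: a candidate new-attack rule
            new_rules.setdefault(sig, f"new-attack-{len(new_rules) + 1}")
    return known, new_rules

def run_cycle(records, profile, attacks_db):
    """One real-time cycle; returns the known hits, the new rules and the
    updated attacks database that every local site receives next cycle."""
    _normal, high_ranked = local_layer(records, profile)
    known, new_rules = global_layer(high_ranked, attacks_db)
    return known, new_rules, {**attacks_db, **new_rules}

# Constructed traffic records from one local site
RECORDS = [
    {"proto": "tcp", "service": "http", "packets": 55, "flag": "ok"},
    {"proto": "udp", "service": "dns", "packets": 12, "flag": "ok"},
    {"proto": "tcp", "service": "ssh", "packets": 400, "flag": "many_failed_logins"},
    {"proto": "tcp", "service": "http", "packets": 900, "flag": "syn_only"},
]
```

Running `run_cycle(RECORDS, NORMAL_PROFILE, ATTACKS_DB)` flags the ssh record as the known `ssh-bruteforce` attack and produces one new-attack rule for the unmatched http burst.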