IDSIC: A Modeling of Intrusion Detection System with Identification Capability
Pei-Te Chen, Benjamin Tseng, Chi-Sung Laih
Cryptology & Network Security Lab.
Electrical Engineering Department
National Cheng Kung University
Outline

1. Introduction
2. Traditional IDS model
3. A new model: IDSIC
4. Implementation issues of IDSIC
5. Conclusion
Cryptology & Network Security Lab.
1. Introduction

Three fundamental functional components of an intrusion detection system (IDS):
- Collection: collects the different sources of information
- Detection: analyzes the information sources
- Response: notifies the system managers when or where an intrusion happens, through active measures or passive measures
1. Introduction (cont.)

- Some security standards, e.g., ISO 17799, suggest that an internal auditor should periodically check the security of the enterprise network.
- In order to discover the real security holes or vulnerabilities, the tools used by the auditors are the same tools used by outside hackers.
1. Introduction (cont.)

These tests can be separated into two situations:
- Rehearsal
  - the auditors notify the system managers when the security auditing starts and how the security tests will proceed
  - since both the system managers and the auditors know the scenarios of the security tests, the testing results in this situation are of very little value
1. Introduction (cont.)

- The second situation: the auditors imitate hackers' behaviour when performing the security test
  - the system managers do not know in advance when, where, and how the tests will take place
  - an active response measure would turn the IDS's self-protecting ability against the auditors
  - a passive response measure will raise many alarms that the system managers then have to cope with
1. Introduction (cont.)

- Lee et al. propose a cost-sensitive model for IDSs that uses the major cost factors, such as damage cost, response cost, and operational cost, to evaluate the total cost of an IDS.
- IDSs should minimize these costs.

W. Lee, W. Fan, M. Miller, S. Stolfo, and E. Zadok. Toward Cost-Sensitive Modeling for Intrusion Detection and Response. Journal of Computer Security, Vol. 10, Numbers 1-2, 2002.
Motivation

- Traditional IDSs (TIDSs) do not consider the behaviour of the security auditors.
- We are motivated to study whether the IDSs' cost is minimal in a top-secret enterprise network that employs security auditors.
2. Traditional IDS model

- Traditional IDSs (TIDSs) requirements
- Roles and costs in TIDSs

J. Cannady. An Adaptive Neural Network Approach to Intrusion Detection and Response. Ph.D. Thesis, Nova Southeastern University, 2000.
TIDSs requirements (Cannady, 2000)

- Detection of known attacks: the IDS should be able to determine the malicious attackers
- Real-time/near real-time analysis: analyze the information sources gathered by the IDS sensor as soon as possible
- Minimal resource: use minimal system resources when monitoring
- High accuracy: make sure the detection is correct and lower the false alarms
The roles in TIDSs

- Hackers: people who attempt to gain unauthorized access to a computer system. They are often malicious and have many tools for breaking into a system.
- System Manager (SM): the person in charge of minimizing excess usage, network management, and system maintenance costs. If a system under attack raises IDS alarms, the SM has to find out where the problem is.
The roles in TIDSs (cont.)

- Detection System (DS): the system that monitors the events occurring in protected hosts or networks and analyzes them for signs of intrusions.
The roles and relationships in TIDSs

[Figure: the roles (Hackers, SM, DS) in a TIDS and the relationships among them]

The cost model on the following slides follows Lee et al. (2002), cited above.
The costs of TIDSs

- Damage cost (DCost): the cost of the damage caused by hackers when the IDS does not work appropriately
- Response cost (RCost): the cost of the actions taken when the response component generates alarms
- Operational cost (OpCost): the cost of processing and analyzing the activities of events
The costs of TIDSs (cont.)

- False Negative cost is the cost of not detecting an attack that really happened.
- False Positive cost occurs when normal behaviour is misidentified as an attack.
- True Positive cost is the detection cost when an attack really happens.
- True Negative cost is incurred when an IDS correctly decides there are no attacks.
The costs of TIDSs (cont.)

Consequential cost CCost(e) of an event e, by situation:

| Situation           | Consequential cost CCost(e)                                          | Condition                             |
| False Negative (FN) | $DCost(e)$                                                           |                                       |
| False Positive (FP) | $RCost(e)$                                                           | if $DCost(e) \ge RCost(e)$ (CASE 1)   |
|                     | $0$                                                                  | if $DCost(e) < RCost(e)$ (CASE 2)     |
| True Positive (TP)  | $RCost(e) + \varepsilon_1\, DCost(e)$, $0 \le \varepsilon_1 \le 1$   | if $DCost(e) \ge RCost(e)$ (CASE 1)   |
|                     | $DCost(e)$                                                           | if $DCost(e) < RCost(e)$ (CASE 2)     |
| True Negative (TN)  | $0$                                                                  |                                       |

$\varepsilon_1$: a function of the event's progress
The costs of TIDSs (cont.)

$$\mathrm{CumulativeCost}(E) = \sum_{e \in E} \big(\mathrm{CCost}(e) + \mathrm{OpCost}(e)\big), \qquad e \in E \text{ (the event set)}$$

However, $E = E_H \cup E_{SA}$, where $E_H$ is the event set caused by hackers and $E_{SA}$ is the event set caused by security auditors.
3. A new model: IDSIC

- Roles and components in IDSIC
- New requirements in IDSIC
- Cost analysis in IDSIC
Roles in IDSIC

- Security Auditor (SA)
  - a person appointed and authorized to audit, using vulnerability testing tools, whether the security equipment works properly
  - one of the security auditors' main tasks is to check for security holes or vulnerabilities in the system
  - Note: traditional IDSs have no ability to distinguish security auditors from hackers.
Roles in IDSIC (cont.)

- Detection System with Identification Capability (DSIC)
  - a type of DS that runs the same functions as a DS but has the extra ability to distinguish between the roles of hackers and SAs
- Fingerprint
  - secret information that lets the DSIC distinguish SAs from hackers
Components in IDSIC

- IDSIC keeps the basic components of a TIDS: the collection, detection, and response components
- The fingerprint adder
  - uses a fingerprint generation algorithm to calculate the fingerprint and add it to the packets
- The fingerprint checker
  - includes validation algorithms that help the DSIC tell hackers' attacks from SAs' tests by examining the packets
The roles and components in IDSIC

[Figure: the roles (Hackers, SA, SM, DSIC) and components (collection, detection, response, fingerprint adder, fingerprint checker) in IDSIC]
New requirements in IDSIC

- Fingerprint generation ability
  - SAs must be able to calculate the fingerprint
  - the computing power needed to calculate the fingerprint must be as small as possible
- Validation ability
  - the DSIC must be able to determine whether a packet carries a valid fingerprint
  - this determination must be as fast as possible
New requirements in IDSIC (cont.)

- Security
  - hackers cannot generate a fingerprint without the SAs' secret
  - the probability of forging a fingerprint must be as small as possible
Cost analysis in IDSIC

- The damage cost (DCost) is divided into two parts, so that $DCost(e) = HDCost(e) + SDCost(e)$:
  - $HDCost(e)$ is the damage cost caused by hackers, who may harm the systems
  - $SDCost(e)$ is the cost of the security testing by SAs, which may also damage the systems
  - $HDCost(e) \gg SDCost(e)$
- The response cost (RCost) is also separated into two parts, $HRCost(e)$ and $SRCost(e)$, with $HRCost(e) = SRCost(e)$
Cost analysis in IDSIC (cont.)

- False Negative (FNIC)
  $$FNIC = HDCost(e) + \varepsilon_2\, SDCost(e), \qquad 0 \le \varepsilon_2 \le 1$$
  $\varepsilon_2$: a function of the event's progress. Since $FN = DCost(e) = HDCost(e) + SDCost(e)$ and $\varepsilon_2 \le 1$, $FNIC \le FN$, with $FNIC < FN$ whenever $\varepsilon_2 < 1$ and $SDCost(e) > 0$.
- False Positive (FPIC)
  $$FPIC = \begin{cases} RCost(e) & \text{if } DCost(e) \ge RCost(e) \quad \text{(CASE 1)} \\ 0 & \text{if } DCost(e) < RCost(e) \quad \text{(CASE 2)} \end{cases}$$
  Therefore $FPIC = FP$.
Cost analysis in IDSIC (cont.)

- True Positive (TPIC)
  $$TPIC = \begin{cases} HRCost(e) + \varepsilon_1\big(HDCost(e) + \varepsilon_3\, SDCost(e)\big), \; 0 \le \varepsilon_1, \varepsilon_3 \le 1 & \text{if } HDCost(e) + \varepsilon_3\, SDCost(e) \ge HRCost(e) \quad \text{(CASE 1)} \\ HDCost(e) + \varepsilon_3\, SDCost(e) & \text{if } HDCost(e) + \varepsilon_3\, SDCost(e) < HRCost(e) \quad \text{(CASE 2)} \end{cases}$$
  $\varepsilon_3$: a function of the event's progress. Since $HDCost(e) + \varepsilon_3\, SDCost(e) \le HDCost(e) + SDCost(e) = DCost(e)$, $TPIC \le TP$.
- True Negative (TNIC) $= 0$
CCost vs. ICCost

| Situation  | CCost in TIDS                                                      | ICCost in IDSIC                                                                                                      | Condition |
| FN / FNIC  | $DCost(e)$                                                         | $HDCost(e) + \varepsilon_2\, SDCost(e)$, $0 \le \varepsilon_2 \le 1$                                                 |           |
| FP / FPIC  | $RCost(e)$                                                         | $RCost(e)$                                                                                                           | CASE 1    |
|            | $0$                                                                | $0$                                                                                                                  | CASE 2    |
| TP / TPIC  | $RCost(e) + \varepsilon_1\, DCost(e)$, $0 \le \varepsilon_1 \le 1$ | $HRCost(e) + \varepsilon_1\big(HDCost(e) + \varepsilon_3\, SDCost(e)\big)$, $0 \le \varepsilon_1, \varepsilon_3 \le 1$ | CASE 1    |
|            | $DCost(e)$                                                         | $HDCost(e) + \varepsilon_3\, SDCost(e)$                                                                              | CASE 2    |
| TN / TNIC  | $0$                                                                | $0$                                                                                                                  |           |

CASE 1 and CASE 2 are the conditions given on the two preceding slides (damage at least, or less than, the response cost).
Cost analysis in IDSIC (cont.)

$$\mathrm{CumulativeCost}(E) = \sum_{e \in E} \big(\mathrm{ICCost}(e) + \mathrm{OpCost}(e)\big)$$

- OpCost(e) is similar in the TIDS and the IDSIC
- CCost(e) in the TIDS is greater than or equal to ICCost(e) in the IDSIC in every situation
- Hence the IDSIC can have a smaller CumulativeCost(E) than the TIDS
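The two cost tables worked through on a constructed event set, as an added example that is not code from the slides. It encodes CCost (TIDS) and ICCost (IDSIC) exactly as the tables state them and sums CumulativeCost(E) over six constructed events; the event values, the progress factors (all 0.5) and the assumption that DCost = HDCost + SDCost and that the TIDS's RCost equals HRCost are choices of this example, not figures from the page.

```python
"""Consequential cost of a TIDS (CCost) versus an IDSIC (ICCost).

Added example, not code from the slides.  It encodes the two cost tables
and evaluates CumulativeCost(E) over a constructed event set.  Assumed
(implied by the slides, not stated): DCost = HDCost + SDCost, and the
single RCost of the TIDS equals HRCost in the IDSIC.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    outcome: str      # detector outcome: "FN", "FP", "TP" or "TN"
    hdcost: float     # HDCost(e): damage a hacker would cause
    sdcost: float     # SDCost(e): damage an SA's test would cause
    rcost: float      # RCost(e) = HRCost(e) = SRCost(e)
    opcost: float     # OpCost(e): processing/analysis cost


def ccost(e, eps1=0.5):
    """CCost(e) of a traditional IDS (table 'The costs of TIDSs')."""
    dcost = e.hdcost + e.sdcost          # assumed split of DCost
    if e.outcome == "FN":
        return dcost
    if e.outcome == "FP":
        return e.rcost if dcost >= e.rcost else 0.0
    if e.outcome == "TP":
        if dcost >= e.rcost:             # CASE 1: respond, attack partly done
            return e.rcost + eps1 * dcost
        return dcost                     # CASE 2: cheaper to absorb the damage
    return 0.0                           # TN


def iccost(e, eps1=0.5, eps2=0.5, eps3=0.5):
    """ICCost(e) of an IDSIC (table 'CCost vs. ICCost')."""
    dcost = e.hdcost + e.sdcost
    damage = e.hdcost + eps3 * e.sdcost  # SA damage discounted once identified
    if e.outcome == "FN":
        return e.hdcost + eps2 * e.sdcost
    if e.outcome == "FP":
        return e.rcost if dcost >= e.rcost else 0.0
    if e.outcome == "TP":
        if damage >= e.rcost:            # CASE 1
            return e.rcost + eps1 * damage
        return damage                    # CASE 2
    return 0.0                           # TNIC


def cumulative_cost(events, cost_fn):
    """CumulativeCost(E) = sum over e in E of (cost(e) + OpCost(e))."""
    return sum(cost_fn(e) + e.opcost for e in events)


# Constructed event set E = E_H (hacker events) + E_SA (auditor events),
# with HDCost >> SDCost as in the slides; benign traffic appears as FP/TN.
EVENTS = [
    Event("FN", hdcost=100, sdcost=0, rcost=10, opcost=1),   # missed real attack
    Event("TP", hdcost=100, sdcost=0, rcost=10, opcost=1),   # caught real attack
    Event("FN", hdcost=0, sdcost=30, rcost=10, opcost=1),    # missed SA test
    Event("TP", hdcost=0, sdcost=30, rcost=10, opcost=1),    # SA test, alarm raised
    Event("FP", hdcost=20, sdcost=0, rcost=10, opcost=1),    # benign, misidentified
    Event("TN", hdcost=0, sdcost=0, rcost=10, opcost=1),     # benign, ignored
]


def compare(events=EVENTS):
    """Return (CumulativeCost using CCost, CumulativeCost using ICCost)."""
    return cumulative_cost(events, ccost), cumulative_cost(events, iccost)


def iccost_never_exceeds_ccost(events=EVENTS):
    """Per-event check of the slides' claim ICCost(e) <= CCost(e)."""
    return all(iccost(e) <= ccost(e) for e in events)


if __name__ == "__main__":
    tids, idsic = compare()
    print(f"TIDS  CumulativeCost = {tids}")    # 231.0
    print(f"IDSIC CumulativeCost = {idsic}")   # 208.5
```

The only events on which the two models differ are the auditor's (SDCost > 0): a TIDS charges the full test damage and the full response, while the IDSIC discounts the test damage by the progress factor once the fingerprint identifies the source. Hacker events and benign events cost the same under both, which is why the cumulative gap scales with how much testing the SAs do.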
4. Implementation issues of IDSIC

- How to generate the fingerprint
- Where and how to put the fingerprint in the packets
- Where to put the fingerprint checker component in IDSIC
How to generate the fingerprint

- Packet message (m): information about the IP addresses, the sequence number, the packet timestamp, and so on
- Three approaches to generate the needed fingerprint:
  - HMAC (keyed-hash message authentication code)
  - HMAC using a secret value
  - signature
HMAC

[Figure: fingerprint generation with HMAC]

HMAC using secret value

[Figure: fingerprint generation with HMAC using a secret value]
Signature

- uses a Public Key Infrastructure (PKI)
- the SAs sign the packet messages with their private keys and the DSIC uses the SAs' public keys to check the signature
- No matter which approach is used, it should satisfy the minimal resource requirement.
- Note that a signature, unlike a MAC, cannot be truncated to a few bits and still be verified, so a signature-based fingerprint cannot be carried in a 16-bit header field and needs room elsewhere in the packet.
Where to put the fingerprint in the packets

- We suggest using the IP identification field in the IP header to store the fingerprint
  - this field is currently used to differentiate IP fragments that belong to different packets
  - less than 0.25% of all Internet traffic consists of fragments
  - Savage et al. use this field in their IP marking technique
  - overwriting the field changes the header, so the header checksum must be recomputed by the fingerprint adder; and because the field no longer uniquely numbers datagrams, two fingerprinted datagrams with the same tag value could be confused at reassembly if both were fragmented, which the low fragment rate makes rare
IP header

| VER (4 bits) | HLEN (4 bits) | TOS (8 bits)      | Total length (16 bits)                      |
| Identification (16 bits)                         | Flags (3 bits) | Fragment offset (13 bits)  |
| Time to live (8 bits)        | Protocol (8 bits) | Header checksum (16 bits)                   |
| Source IP address (32 bits)                                                                    |
| Destination IP address (32 bits)                                                               |
| Options                                                                                        |
How to put the fingerprint in the packets

- The IP identification field contains only 16 bits, so a hacker's probability of forging the fingerprint of a single packet by guessing is $2^{-16}$
- We could set a threshold k, requiring k packets with valid fingerprints before a source is accepted as an SA, which reduces the hacker's forging probability to $(2^{-16})^k = 2^{-16k}$
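The fingerprint adder and checker of the preceding slides (generation with an HMAC, placement in the IP identification field, and the threshold k), as an added example that is not code from the slides. It assumes, which the page does not state, that m is the tuple (source IP, destination IP, sequence number, timestamp), that the fingerprint is HMAC-SHA256 over m truncated to 16 bits, that the SA and the DSIC share one secret key, and that the checker gets the sequence number and timestamp alongside the raw header (a real checker would read them from the transport payload). All packets are constructed.

```python
"""Fingerprint adder and checker using the IPv4 identification field.

Added example, not code from the slides.  Assumptions (not in the slides):
the packet message m = (src, dst, sequence number, timestamp); the
fingerprint is HMAC-SHA256 over m truncated to 16 bits; one secret key is
shared by the SA and the DSIC.  All packets below are constructed.
"""
import hashlib
import hmac
import socket
import struct

ID_BITS = 16                                # width of the IP identification field
SECRET = b"assumed-sa-dsic-shared-secret"   # assumed SA/DSIC shared key
IPV4_HDR = "!BBHHHBBH4s4s"                  # 20-byte header without options


def packet_message(src, dst, seq, ts):
    """Canonical encoding of m: IP addresses, sequence number, timestamp."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!IQ", seq, ts))


def fingerprint(secret, m):
    """Fingerprint adder: HMAC-SHA256 over m, truncated to 16 bits.
    A truncated MAC stays verifiable; a truncated signature would not."""
    tag = hmac.new(secret, m, hashlib.sha256).digest()
    return struct.unpack("!H", tag[:2])[0]


def ip_checksum(header):
    """One's-complement sum over 16-bit words; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, ident, ttl=64, proto=6, payload_len=0):
    """Build a 20-byte IPv4 header carrying `ident` in the identification
    field.  Writing that field changes the header, so the checksum is
    recomputed; DF is set so the datagram is never fragmented in flight."""
    flags_off = 0x4000                      # DF=1, MF=0, fragment offset 0
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident, flags_off,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(hdr):
    """Return (src, dst, ident, header_ok) from a raw IPv4 header."""
    (vihl, _tos, _tlen, ident, _fo, _ttl, _proto, _csum,
     src, dst) = struct.unpack(IPV4_HDR, hdr[:20])
    header_ok = vihl == 0x45 and ip_checksum(hdr[:20]) == 0
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), ident, header_ok


def check_fingerprint(secret, hdr, seq, ts):
    """Fingerprint checker: recompute the expected tag from the packet's own
    fields and compare in constant time.  seq and ts are passed in here; a
    real checker would read them from the transport payload (assumption)."""
    src, dst, ident, header_ok = parse_ipv4_header(hdr)
    if not header_ok:
        return False
    expected = fingerprint(secret, packet_message(src, dst, seq, ts))
    return hmac.compare_digest(struct.pack("!H", ident),
                               struct.pack("!H", expected))


def forging_probability(k, bits=ID_BITS):
    """Chance that a hacker guesses k independent fingerprints: (2^-16)^k."""
    return 2.0 ** (-bits * k)


def classify_flow(secret, packets, k):
    """Threshold rule: attribute the flow to an SA only if the first k packets
    all carry valid fingerprints; fewer than k packets is not enough evidence.
    `packets` is a list of (raw_header, seq, ts) tuples."""
    if len(packets) < k:
        return "hacker"
    valid = sum(check_fingerprint(secret, h, s, t) for h, s, t in packets[:k])
    return "security auditor" if valid == k else "hacker"


def sa_packets(secret, src, dst, first_seq, ts, count):
    """What the SA's fingerprint adder emits: `count` headers, one per packet,
    each with its own tag, so a captured identification value cannot simply
    be replayed on a different packet."""
    out = []
    for i in range(count):
        seq = first_seq + i
        ident = fingerprint(secret, packet_message(src, dst, seq, ts + i))
        out.append((build_ipv4_header(src, dst, ident), seq, ts + i))
    return out


if __name__ == "__main__":
    flow = sa_packets(SECRET, "10.0.0.5", "10.0.0.9", 1000, 1700000000, 3)
    print(classify_flow(SECRET, flow, k=3))        # security auditor
    print(forging_probability(3))                  # 2^-48
```

Binding the tag to the sequence number and timestamp is what makes the k-packet threshold meaningful: with only the addresses in m, every packet of a flow would carry the same 16-bit value and a hacker who captured one SA packet could reuse it indefinitely. The checker also validates the header checksum before doing any MAC work, so a packet mangled in transit is rejected without being counted against the threshold.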
Where to put the fingerprint checker in IDSIC

Two choices for deploying the fingerprint checker component:
- before the detection component: Collection -> Fingerprint checker -> Detection -> Response
- after the detection component: Collection -> Detection -> Fingerprint checker -> Response
Where to put the fingerprint checker in IDSIC (cont.)

- Before the detection component
  - the fingerprint checker has to check every received packet
  - it may spend a lot of time checking
  - the fingerprint checker may lose some packets under heavy traffic
Where to put the fingerprint checker in IDSIC (cont.)

- After the detection component
  - the IDSIC first determines whether an intrusion is happening
  - the DSIC can work like a DS, and the fingerprint checker only has to check the suspected intrusion packets
  - if the SAs perform security tests often, the detection component may be kept busy dealing with these testing packets
Where to put the fingerprint checker in IDSIC (cont.)

- The best deployment depends on
  - the frequency of security tests ($f_{st}$) (from SAs)
  - the frequency of attacks ($f_a$) (from hackers)
  - the fingerprint checker examining time ($t_{fc}$)
  - the DSIC dealing time ($t_{DSIC}$)
- For example, in the rehearsal situation $f_{st}$ is greater than $f_a$, so it is better to deploy the fingerprint checker before the detection component.
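The placement decision turned into a computation, as an added example that is not from the slides. The slides name the four quantities but give no formula, so the per-second work model here is an assumption of this example: with the checker first, every packet costs $t_{fc}$ and only packets not validated as SA traffic go on to cost $t_{DSIC}$; with the checker second, every packet costs $t_{DSIC}$ and only the packets the detector flags (assumed to be exactly the test and attack packets) go on to cost $t_{fc}$. The rates and times used are constructed.

```python
"""Choosing where to put the fingerprint checker (before or after detection).

Added example, not from the slides.  The per-second CPU model is an
assumption of this example (the slides list the inputs but no formula):
  before: every packet is checked; only non-SA packets reach the DSIC
  after:  every packet goes through the DSIC; only flagged packets
          (assumed: all SA test and hacker packets) reach the checker
Rates are packets per second, times are per-packet processing times.
"""


def work_before(f_total, f_st, t_fc, t_dsic):
    """Collection -> checker -> detection.  Attack packets fail the check
    and still reach the detector, so f_a does not enter this formula."""
    return f_total * t_fc + (f_total - f_st) * t_dsic


def work_after(f_total, f_st, f_a, t_fc, t_dsic):
    """Collection -> detection -> checker.  The detector sees everything;
    the checker only the flagged intrusion packets (tests + attacks)."""
    return f_total * t_dsic + (f_st + f_a) * t_fc


def best_placement(f_total, f_st, f_a, t_fc, t_dsic):
    """Return ("before" | "after", work_before, work_after)."""
    if f_st + f_a > f_total:
        raise ValueError("test and attack rates cannot exceed the total rate")
    before = work_before(f_total, f_st, t_fc, t_dsic)
    after = work_after(f_total, f_st, f_a, t_fc, t_dsic)
    return ("before" if before < after else "after"), before, after


if __name__ == "__main__":
    # Rehearsal: tests dominate (f_st >> f_a) -> checker before detection.
    print(best_placement(1000, 500, 50, 1, 10))
    # Quiet network: rare tests -> checker after detection.
    print(best_placement(1000, 5, 50, 1, 10))
```

Under this model "before" wins exactly when $t_{fc}\,(f_{total} - f_{st} - f_a) < f_{st}\, t_{DSIC}$, that is, when SA tests are a large share of the traffic and a fingerprint check is cheap relative to full detection, which is the slides' rehearsal case; the heavier the checker, the more traffic must be SA tests before putting it in front of the detector pays off.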
Conclusion

- We propose a new model, IDSIC, based on the auditing point of view, and propose the new requirements in IDSIC.
- We prove that the CumulativeCost of a TIDS does not reach the minimal cost when the role of SA exists.