Talk2 - Computer Science
A Wavelet Approach to
Network Intrusion
Detection
W. Oblitey & S. Ezekiel
IUP Computer Science Dept.
Intrusion Detection:
Provides monitoring of system resources to help
detect intrusion and/or identify attacks.
Complementary to blocking devices.
Insider attacks.
Attacks that use traffic permitted by the firewall.
Can monitor the attack after it crosses through the
firewall.
Helps gather useful information for:
Detecting attackers,
Identifying attackers,
Revealing new attack strategies.
Classification:
Intrusion Detection Systems classified
according to how they detect malicious
activity:
Signature detection systems
Also called Misuse detection systems
Anomaly detection systems
Also classified as:
Network-based intrusion detection systems
Monitor network traffic
Host-based intrusion detection systems.
Monitor activity on host machines
Signature Detection:
Achieved by creating signatures:
Models of attack
Monitored events compared to models to determine
qualification as attacks.
Excellent at detecting known attacks.
Requires the signatures to be created and entered
into the sensor’s database before operation.
May generate false alarms (False Positives).
Problem:
Needs a large number of signatures for effective detection.
The database can grow very massive.
Anomaly Detection:
Creates a model of normal use and looks
for activity that does not conform to the
model.
Problems with this method:
Difficulty in creating the model of normal
activity
If the network already had malicious activity
on it, is it ‘normal activity’?
Some patterns classified as anomalies may
not be malicious.
Network-Based IDS
By far the most commonly employed form
of Intrusion Detection Systems.
To many people, “IDS” is synonymous
with “NIDS”.
Matured more quickly than the host-based
equivalents.
Large number of NIDS products available
on the market.
Deploying NIDS
Points to consider:
Where do sensors belong in the network?
What is to be protected the most?
Which devices hold critical information assets?
Cost effectiveness;
We cannot deploy sensors on all network segments.
Doing so would not even be manageable.
We need to carefully consider where sensors are to
be deployed.
Locations for IDS Sensors
Just inside the firewall.
The firewall is a bottleneck for all traffic.
All inbound/outbound traffic passes here.
The sensor can inspect all incoming and outgoing traffic.
On the DMZ.
The publicly reachable hosts located here often get attacked.
The DMZ is usually the attacker’s first point of entry into the
network.
On the server farm segment.
We can monitor mission-critical application servers.
Example: Financial, Logistical, Human Resources functions.
Also monitors insider attacks.
On the network segments connecting the mainframe or
midrange hosts.
Monitor mission-critical devices.
The Network Monitoring Problem
Network-based IDS sensors employ sniffing to
monitor the network traffic.
Networks using hubs:
Can monitor all packets.
Hubs transmit every packet out of every connected
interface.
Switched networks:
The sensor must be able to sniff the passing traffic.
Switches forward packets only to ports connected to
destination hosts.
Monitoring Switched Networks
Use of Switch Port Analyzer (SPAN)
configurations.
Causes the switch to copy all packets destined to a given
interface.
Transmits the copies to the monitoring port.
Use of hubs in conjunction with the switches.
The hub must be a fault-tolerant one.
Use of taps in conjunction with the switches.
Fault-tolerant hub-like devices.
Permit only one-way transmission of data out of the
monitoring port.
NIDS Signature Types
These look for patterns in packet payloads
that indicate possible attacks.
Port signatures
Watch for connection attempts to a known or
frequently attacked ports.
Header signatures
These watch for dangerous or illogical
combinations in packet headers.
Network IDS Reactions Types
Typical reactions of network-based IDS
with active monitoring upon detection of
attack in progress:
TCP resets
IP session logging
Shunning or blocking
Capabilities are configurable on a per-signature basis:
Sensor responds based on configuration.
TCP Reset Reaction
Operates by sending a TCP reset packet to
the victim host.
This terminates the TCP session.
Spoofs the IP address of the attacker.
Resets are sent from the sensor’s
monitoring/sniffing interface.
It can terminate an attack in progress but
cannot stop the initial attack packet from
reaching the victim.
IP Session Logging
The sensor records traffic passing between the
attacker and the victim.
Can be very useful in analyzing the attack.
Can be used to prevent future attacks.
Limitations:
Only the trigger and the subsequent packets are
logged.
Preceding packets are lost.
Can impact sensor performance.
Quickly consumes large amounts of disk space.
Shunning/Blocking
Sensor connects to the firewall or a packet-filtering router.
Configures filtering rules:
Blocks packets from the attacker.
Needs arrangement of proper authentication:
Ensures that the sensor can securely log into the
firewall or router.
A temporary measure that buys time for the
administrator.
Problem: spoofed source addresses can cause legitimate hosts to be blocked.
Host-based IDS
Started in the early 1980s when networks were
not so prevalent.
Primarily used to protect only critical servers
Software agent resides on the protected system
Signature based:
Detects intrusions by analyzing logs of operating
systems and applications, resource utilization, and
other system activity
Use of resources can have impact on system
performance
HIDS Methods of Operation
Auditing logs:
system logs, event logs, security logs, syslog
Monitoring file checksums to identify changes
Elementary network-based signature techniques
including port activity
Intercepting and evaluating requests by
applications for system resources before they
are processed
Monitoring of system processes for suspicious
activity
Log File Auditing
Detects past activity
Cannot stop the action that set off the alarm
from taking place.
Log Files:
Monitor changes in the log files.
New log entries are compared
with HIDS attack signature patterns for a match.
If a match is detected, the administrator is alerted.
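The log-file auditing loop described above, written out as an added example (this is not code from the talk): new entries since the last read offset are picked up, each is compared against a small set of attack-signature patterns, and matching entries are correlated per source so that repeated failures produce one alert. The syslog lines, the signature regexes and the threshold of three failures are all constructed for the illustration.

```python
"""Log file auditing against HIDS signature patterns (added example)."""
import os
import re
import tempfile
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample syslog lines (not captured from any real system).
SAMPLE_LOG = [
    "Mar  3 10:01:02 host1 sshd[2101]: Failed password for root from 10.0.0.5 port 4401 ssh2",
    "Mar  3 10:01:05 host1 sshd[2101]: Failed password for root from 10.0.0.5 port 4402 ssh2",
    "Mar  3 10:01:07 host1 sshd[2101]: Failed password for admin from 10.0.0.5 port 4403 ssh2",
    "Mar  3 10:01:09 host1 sshd[2110]: Accepted password for alice from 10.0.0.9 port 5120 ssh2",
    "Mar  3 10:02:00 host1 su: pam_unix(su:auth): authentication failure; logname=bob uid=1001",
    "Mar  3 10:02:30 host1 kernel: usb 1-1: new high-speed USB device",
]

# Hypothetical signature database: name -> pattern with named capture groups.
SIGNATURES = {
    "ssh_failed_password": re.compile(
        r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
    ),
    "su_auth_failure": re.compile(
        r"su: pam_unix\(su:auth\): authentication failure; logname=(?P<user>\w+)"
    ),
}


def read_new_entries(path: str, offset: int) -> Tuple[List[str], int]:
    """Return the lines appended since `offset` and the new offset (monitoring changes in the log file)."""
    with open(path, "r") as f:
        f.seek(offset)
        data = f.read()
        new_offset = f.tell()
    return [ln for ln in data.splitlines() if ln], new_offset


def audit_new_entries(lines: List[str], signatures=SIGNATURES) -> List[Dict[str, str]]:
    """Compare each new entry with every signature pattern; collect the matches."""
    hits = []
    for n, line in enumerate(lines):
        for name, pat in signatures.items():
            m = pat.search(line)
            if m:
                hits.append({"line": str(n), "signature": name, **m.groupdict()})
    return hits


def failed_login_bursts(hits: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """Correlate SSH failures by source address; report sources at or above the threshold."""
    counts: Dict[str, int] = defaultdict(int)
    for h in hits:
        if h["signature"] == "ssh_failed_password":
            counts[h["src"]] += 1
    return {src: c for src, c in counts.items() if c >= threshold}


def demo() -> dict:
    """Write the constructed log in two batches and audit only what is new each time."""
    with tempfile.NamedTemporaryFile("w+", delete=False) as f:
        f.write("\n".join(SAMPLE_LOG[:4]) + "\n")
        path = f.name
    try:
        first, offset = read_new_entries(path, 0)
        with open(path, "a") as f:  # more entries arrive later
            f.write("\n".join(SAMPLE_LOG[4:]) + "\n")
        second, offset = read_new_entries(path, offset)
        hits = audit_new_entries(first + second)
        return {
            "first": len(first),
            "second": len(second),
            "hits": [h["signature"] for h in hits],
            "bursts": failed_login_bursts(hits),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Keeping the read offset between passes is what turns a one-shot grep into monitoring of changes; a production agent would also persist that offset and handle log rotation, which this example omits.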
File Checksum Examination
Detects past activity:
Cannot stop the action that set off the alarm
from taking place.
Hashes created only for system files that
should not change or change infrequently.
Inclusion of frequently changing files is a
huge disturbance.
File checksum systems, like Tripwire, may
also be employed.
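A minimal baseline-and-compare checksum check, added here to show the Tripwire-style mechanism described above (this is not Tripwire's code nor the talk's). It hashes a directory tree, excludes paths that are expected to change (the "frequently changing files" the slide warns about), and reports changed, added and removed files. The directory layout, file contents and the `var/log` exclusion are constructed for the example.

```python
"""File checksum examination: baseline, re-hash, compare (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, exclude: Iterable[str] = ()) -> Dict[str, str]:
    """Map each regular file under root (POSIX relative path) to its SHA-256.

    `exclude` lists relative paths or directory prefixes that change in normal
    operation (logs, spool files); including them only produces noise.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == e or rel.startswith(e.rstrip("/") + "/") for e in exclude):
            continue
        baseline[rel] = sha256_file(p)
    return baseline


def compare_baseline(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, list]:
    """Report files whose hash differs, files that appeared, and files that vanished."""
    return {
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
    }


def demo() -> Dict[str, list]:
    """Constructed scenario: take a baseline, alter the tree, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("bin", "etc", "lib", "var/log"):
            (root / sub).mkdir(parents=True)
        (root / "bin/login").write_bytes(b"original login binary (constructed)")
        (root / "etc/passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc/hosts").write_text("127.0.0.1 localhost\n")
        (root / "var/log/messages").write_text("boot ok\n")

        # Only files that should not change belong in the baseline.
        baseline = build_baseline(root, exclude=("var/log",))

        # Later: one binary replaced, one config removed, one library dropped in,
        # and the log grows as it normally would.
        (root / "bin/login").write_bytes(b"replaced login binary (constructed)")
        (root / "etc/hosts").unlink()
        (root / "lib/evil.so").write_bytes(b"\x7fELF (constructed placeholder)")
        with (root / "var/log/messages").open("a") as f:
            f.write("cron ran\n")

        return compare_baseline(baseline, build_baseline(root, exclude=("var/log",)))


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored where the monitored host cannot rewrite it (read-only media or another machine), otherwise an intruder who can replace `bin/login` can also update its recorded hash.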
Network-Based Techniques
The IDS product monitors packets
entering and leaving the host’s NIC for
signs of malicious activity.
Designed to protect only the host in
question.
The attack signatures used are not as
sophisticated as those used in NIDS.
Provides rudimentary network-based
protections.
Intercepting Requests
Intercepts calls to the operating system
before they are processed.
Is able to validate software calls made to
the operating system and kernel.
Validation is accomplished by:
Generic rules about what processes may have
access to resources.
Matching calls to system resources with
predefined models which identify malicious
activity.
System Monitoring
Can preempt attacks before they are executed.
This type of monitoring can:
Prevent files from being modified.
Allow access to data files only to a predefined set of
processes.
Protect system registry settings from modification.
Prevent critical system services from being stopped.
Protect settings for users from being modified.
Stop exploitation of application vulnerabilities.
HIDS Software
Deployed by installing agent software on the
system.
Effective for detecting insider attacks.
Host wrappers:
Inexpensive and deployable on all machines
Do not provide in-depth, active monitoring measures
of agent-based HIDS products
Sometimes referred to as personal firewalls
Agent-based software:
More suited for single purpose servers
HIDS Active Monitoring Capabilities
Options commonly used:
Log the event
Very good for post-mortem analysis
Alert the administrator
Through email or SNMP traps
Terminate the user login
Perhaps with a warning message
Disable the user account
Preventing access to memory, processor time, or
disk space.
Advantages of Host-based IDS
Can verify success or failure of attack
By reviewing log entries
Monitors user and system activities
Does not rely on particular network infrastructure
Useful in forensic analysis of the attack
Can protect against non-network-based attacks
Reacts very quickly to intrusions
By preventing access to system resources
By immediately identifying a breach when it occurs
Not limited by switched infrastructures
Installed on the protected server itself
Does not require additional hardware to deploy
Needs no changes to the network infrastructure
Active/Passive Detection
The ability of an IDS to take action when it
detects suspicious activity.
Passive Systems:
Take no action to stop or prevent the activity.
They log events.
They alert administrators.
They record the traffic for analysis.
Active Systems:
They do all the recording that passive systems do.
They interoperate with firewalls and routers
Can cause blocking or shunning
They can send TCP resets.
Our Approach
We present a novel variant of the
anomaly detection scheme.
We show how to detect attacks without
the use of databases.
We show how to correlate multiple inputs
to define the basis of a new generation
analysis engine.
Signals and Signal Processing:
Signal definition:
Signals play an important part in our daily lives.
Examples: speech, music, pictures, and video.
Signal Classification:
A function of independent variables like time, distance,
position, temperature, and pressure.
Analog – the independent variable on which the signal
depends is continuous.
Digital – the independent variable is discrete.
Digital signals are represented as a sequence of numbers
(samples).
Signals carry information
The objective of signal processing is to extract this useful
information.
Energy of a Signal:
We can also define a signal as a function of
varying amplitude through time.
The measure of a signal’s strength is the area
under the absolute value of the curve.
This measure is referred to as the energy of the
signal and is defined as:
Energy of a continuous signal: $E_a = \int |x(t)|^2 \, dt$
Energy of a discrete signal: $E_d = \sum_{t} |x(t)|^2$
Wavelet:
Is a waveform of effectively limited duration that has an
average value of zero.
Presently used in many fields of science and
engineering.
Its development resulted from the need to generate
algorithms that would compute compact representations
of signals and data sets at an accelerated pace.
Started with Alfred Haar’s step functions, now called
Haar wavelets.
We analyze wavelets by breaking up a signal into shifted
and scaled versions of the original (mother) wavelet.
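To make the energy definition and the wavelet idea concrete for the talk's use case, here is an added example (not the authors' code) that runs the orthonormal Haar transform over a constructed series of packet counts per two-minute interval, checks that the energy $E_d = \sum_t |x(t)|^2$ is preserved across the coefficients, and flags detail coefficients that stand out from their level by a robust margin. The series, the burst at interval 21, the two decomposition levels and the factor $k = 5$ are all assumptions chosen for the illustration; the talk's own analysis engine is not described in this detail.

```python
"""Haar wavelet energy analysis of a packet-count series (added example)."""
import math
import statistics
from typing import List, Tuple


def signal_energy(x: List[float]) -> float:
    """Discrete energy E_d = sum over t of |x(t)|^2, as defined in the talk."""
    return sum(v * v for v in x)


def haar_step(x: List[float]) -> Tuple[List[float], List[float]]:
    """One level of the orthonormal Haar transform.

    Pairwise scaled sums form the approximation (the smoothed signal);
    pairwise scaled differences form the detail (what changed between neighbours).
    """
    approx, detail = [], []
    for i in range(0, len(x) - 1, 2):
        approx.append((x[i] + x[i + 1]) / math.sqrt(2))
        detail.append((x[i] - x[i + 1]) / math.sqrt(2))
    return approx, detail


def haar_decompose(x: List[float], levels: int) -> Tuple[List[float], List[List[float]]]:
    """Repeat haar_step on the approximation; details[0] is the finest level."""
    approx, details = list(x), []
    for _ in range(levels):
        approx, d = haar_step(approx)
        details.append(d)
    return approx, details


def energy_budget(x: List[float], levels: int) -> Tuple[float, float]:
    """Energy of the signal versus energy of all Haar coefficients.

    For the orthonormal Haar transform and a power-of-two length these agree,
    so energy can be attributed per level without losing any of it.
    """
    approx, details = haar_decompose(x, levels)
    coeff_energy = signal_energy(approx) + sum(signal_energy(d) for d in details)
    return signal_energy(x), coeff_energy


def flag_anomalies(details: List[List[float]], k: float = 5.0) -> List[Tuple[int, int]]:
    """Flag (level, position) of detail coefficients far from their level's median.

    Scale is the larger of the MAD-based and mean absolute deviation, so a single
    outlier among many identical coefficients cannot collapse the threshold to zero.
    """
    flagged = []
    for level, d in enumerate(details, start=1):
        med = statistics.median(d)
        dev = [abs(c - med) for c in d]
        mad = 1.4826 * statistics.median(dev)
        scale = max(mad, sum(dev) / len(dev), 1e-9)
        flagged.extend((level, pos) for pos, c in enumerate(d) if abs(c - med) > k * scale)
    return flagged


def to_time_window(level: int, pos: int) -> Tuple[int, int]:
    """Map a detail coefficient back to the first and last original interval it covers."""
    width = 2 ** level
    return pos * width, (pos + 1) * width - 1


def constructed_packet_counts() -> List[int]:
    """Constructed data: 32 intervals near 100 packets with small jitter and one burst at interval 21."""
    counts = [100 + ((7 * i) % 5) - 2 for i in range(32)]
    counts[21] = 400
    return counts


def demo() -> dict:
    x = constructed_packet_counts()
    _, details = haar_decompose(x, levels=2)
    flags = flag_anomalies(details)
    return {"flags": flags, "windows": [to_time_window(lv, p) for lv, p in flags]}


if __name__ == "__main__":
    print(energy_budget(constructed_packet_counts(), 3))
    print(demo())
```

Because the transform is orthonormal, the energy lost from the approximation at each level reappears exactly in that level's detail coefficients; a burst that is invisible in the two-minute totals' average shows up as a single large detail coefficient, and the window mapping says which intervals to pull from the capture for closer inspection.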
Our Network Topology:
We set up a star topology network;
Four computers in an island
Each running Linux RedHat 9.2
The machines are connected by a switch
The switch is connected to a PIX 515E Firewall
3Com Ethernet Hub sits between the switch and the firewall
For Sniffing and capturing packets
We duplicated this island six times and connected
them with routers.
We then connected the islands, via the routers, to a
central Cisco switch.
For simulation purposes, we installed
Windows XP on one machine in island one.
Data Collection:
We generated packets with a Perl script on a Linux
system.
We used the three most common protocols for our
simulation: HTTP, FTP, and SMTP.
For each protocol:
We generated constant traffic;
We created 50 datasets, each consisting of the number of
packets transmitted over two-minute intervals.
We executed the same traffic scripts with a random pause
between 0 and 60 seconds.
We then re-ran the traffic with a random pause between 0 and 15 seconds to create
additional datasets.
We collected all the 150 datasets by Ethereal for further
analysis.
Results: Figures 1 to 6 (plots not reproduced in the transcript).
Conclusion & Future Direction
We have presented:
A wavelet-based framework for network
monitoring
This is our first phase for the development of
an engine for Network Intrusion Analysis
This will not depend on databases and thus
will minimize false negatives and false
positives