Explore, monitor and analyze behavior in BIDS (Behavior Intrusion Detection Systems) to enhance security. Detect anomalies, prioritize them, and propose future work for improved IDS efficiency.
Behavior Intrusion Detection: Enhanced
Hakan Evecek, Rodolfo Ortiz
GOALS
• Discuss the characteristics of Behavior Intrusion Detection Systems
• Monitor the timing for a sequence of DNS, ICMP and HTTP/HTTPS packets
• Provide the results
• Analyze the behavior of the protocols with the firewall enabled and disabled
• Present an approach to prioritize suspicious packets
• How to enhance a Behavior IDS
WHAT IS IDS?
• An IDS is concerned with the detection of hostile actions towards a computer system or network.
• There are two types:
  • Anomaly detection (Behavior IDS)
  • Signature detection
OVERVIEW OF BIDS
They can be described as an alarm for strange system behavior, based on statistics.
• Advantages
  • They don't need to know the details of an attack
  • Dynamic: they are automatically updated
• Disadvantages
  • Many false positives are generated during the sensor training
  • The training must be extensive so that the baseline is accurate
OVERVIEW OF BIDS
Anomalies to be detected:
• Traffic to unused ports
• Non-standard service assigned to a standard port (e.g. port 80 used for peer sharing)
• Too much UDP/TCP traffic
• More bytes coming in to an HTTP server than going out
THE PROJECT
• Measure timing for DNS, ICMP and HTTP/HTTPS
• Establish a baseline for different packet sequences
• Label packets outside the baseline for further analysis
[Network diagram of the test bed; labelled components: Internet, two firewalls, DMZ (192.168.0.0/24) with the DNS server and web server, Intranet (10.0.0.0/24) with Intra1 (XP) and Intra2 (Win2003), IDS Inner (FC4), IDS Outer (FC4), IDS sensor DB, HP5000 switch, D-Link SW1 and SW2]
[Sequence diagram, ICMP: Intra1 (XP), Firewall, IDS Inner, Server; ICMP request and ICMP reply, timing points A to D]
[Sequence diagram, DNS: Intra1 (XP), Firewall, IDS Inner, DNS Server; DNS request and DNS reply, timing points A to D]
[Sequence diagram, HTTP: Intra1 (XP), Firewall, IDS Inner, Web Server; SYN, SYN ACK, ACK, GET, timing points A to G]
[Sequence diagram, HTTPS: Intra1 (XP), Firewall, IDS Inner, Web Server; SYN, SYN ACK, ACK, then Client Hello; Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done; Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished; Application Data in both directions]
DATA OBTAINED
• Units are in seconds.
• In a normal distribution, approximately 99.7% of the population will be in the interval defined by $\mu \pm 3\sigma$.
• $\mu + 3\sigma$ works well for the upper bound, but the lower bound is defined by $\mu - 1\sigma$.
• Using the formula above, we get the confidence interval $[\mu - 1\sigma,\; \mu + 3\sigma]$.
[Plot, ICMP: time (sec) vs. packet sequence number; blue = firewall enabled, pink = firewall disabled; packets outside the 3σ range are circled]
[Plot, DNS: time (sec) vs. packet sequence number; blue = firewall enabled, pink = firewall disabled; packets outside the 3σ range are circled]
[Plot, HTTP vs. HTTPS, firewall enabled: time (sec) vs. packet sequence number; blue = HTTP, pink = HTTPS; packets outside the 3σ range are circled]
[Plot, HTTP vs. HTTPS, firewall disabled: time (sec) vs. packet sequence number; blue = HTTP, pink = HTTPS; packets outside the 3σ range are circled]
PROPOSED APPROACH
• Using the standard deviation, the intervals will be defined, starting from 3 times for the upper bound ($\mu + 3\sigma$) and 1 time for the lower bound ($\mu - 1\sigma$).
• Label the suspicious packets and give them priorities based on their distance from the confidence interval.
[Plot, ICMP, firewall enabled: time (sec) vs. packet sequence number, showing the confidence interval and the priority bands: above it, 3σ (lower priority) and 6σ (higher priority); below it, 1σ (lower priority) and 2σ (higher priority)]
[Plot, DNS, firewall enabled: same layout and priority bands]
[Plot, HTTP, firewall enabled: same layout and priority bands]
[Plot, HTTPS, firewall enabled: same layout and priority bands]
SUSPICIOUS PACKETS
• The suspicious packets are defined.
• Then prioritize/label the packets based on the distance from the mean.
• How do we know it's an attack?
• Define a behavior for each kind of attack, e.g. worms
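As an added worked example (not code from the deck or its authors), the interval and priority labelling from the previous slides applied to a constructed baseline of packet timings; the BASELINE values, the function names and the "normal" / "low-priority" / "high-priority" labels are assumptions.

```python
import statistics
from typing import List, Tuple

# Constructed baseline: request-to-reply timings (seconds) for one protocol, as
# the sensor would record them during training. Hypothetical values.
BASELINE = [0.04, 0.04, 0.04, 0.04, 0.06, 0.06, 0.06, 0.06]

# Thresholds from the deck, in units of sigma. The interval is asymmetric:
# upper bound at +3 sigma, lower bound at -1 sigma; beyond +6 / -2 sigma the
# packet is given the higher priority.
UPPER_LOW, UPPER_HIGH = 3.0, 6.0
LOWER_LOW, LOWER_HIGH = 1.0, 2.0

def fit_baseline(samples: List[float]) -> Tuple[float, float]:
    """Estimate (mu, sigma) from training samples (population std dev)."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate sigma")
    return statistics.mean(samples), statistics.pstdev(samples)

def confidence_interval(mu: float, sigma: float) -> Tuple[float, float]:
    """[mu - 1*sigma, mu + 3*sigma]: where normal packets are expected."""
    return mu - LOWER_LOW * sigma, mu + UPPER_LOW * sigma

def label_packet(t: float, mu: float, sigma: float) -> str:
    """'normal', 'low-priority' or 'high-priority' by distance from the mean."""
    if sigma == 0.0:
        # Degenerate baseline (all training samples identical): any deviation
        # is outside the distribution, so flag it at the higher priority.
        return "normal" if t == mu else "high-priority"
    z = (t - mu) / sigma  # signed distance in sigmas
    if z > UPPER_HIGH or z < -LOWER_HIGH:
        return "high-priority"
    if z > UPPER_LOW or z < -LOWER_LOW:
        return "low-priority"
    return "normal"

def label_sequence(timings: List[float], samples: List[float]):
    """Label each packet of a captured sequence; returns (seq_no, t, label)."""
    mu, sigma = fit_baseline(samples)
    return [(i, t, label_packet(t, mu, sigma)) for i, t in enumerate(timings, 1)]

if __name__ == "__main__":
    mu, sigma = fit_baseline(BASELINE)
    print("mu=%.3f sigma=%.3f interval=%s" % (mu, sigma, confidence_interval(mu, sigma)))
    for seq, t, lab in label_sequence([0.05, 0.09, 0.12, 0.035, 0.02], BASELINE):
        print(seq, t, lab)
```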
WORMS BEHAVIOR
• Based on "A behavioral approach to worm detection" [20]
• Need to look for this pattern of information (behavioral signature) in the database:
  A:? -> C:D
  C:? -> E:D
• Hosts A, C and E are infected
• D is the port number
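Added example, not code from the deck or from [20]: a lookup for the A:? -> C:D, C:? -> E:D pattern over constructed connection records of the kind the sensor DB would hold; the Conn record layout, the host addresses and the time window are assumptions.

```python
from typing import List, NamedTuple, Tuple

class Conn(NamedTuple):
    """One connection record as the sensor DB might store it (assumed layout)."""
    ts: float   # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int

# Constructed records. The hops on port 135 follow the A:? -> C:D,
# C:? -> E:D pattern; the web and DNS rows are ordinary traffic.
LOG = [
    Conn(1.0, "10.0.0.5", 40311, "10.0.0.7", 135),        # A -> C : D
    Conn(1.5, "10.0.0.9", 51000, "192.168.0.2", 80),      # client -> web server
    Conn(2.0, "10.0.0.7", 40312, "10.0.0.8", 135),        # C -> E : D
    Conn(2.5, "192.168.0.2", 33000, "192.168.0.3", 53),   # web server's DNS lookup
    Conn(3.0, "10.0.0.8", 40313, "10.0.0.11", 135),       # E -> next host : D
]

def find_worm_chains(log: List[Conn], window: float = 60.0) -> List[Tuple]:
    """Return (A, C, E, D, t_in, t_out) for every host C that, within `window`
    seconds of accepting a connection on port D, opens a connection to port D
    on another host. Source ports are ignored: they are the '?' in the signature.
    `window` is an assumed parameter, not part of the deck."""
    hits = []
    inbound = {}  # (host, dport) -> [(ts, src_host), ...] accepted so far
    for c in sorted(log, key=lambda r: r.ts):
        for t_in, a in inbound.get((c.src, c.dport), []):
            if 0.0 <= c.ts - t_in <= window and a != c.dst:
                hits.append((a, c.src, c.dst, c.dport, t_in, c.ts))
        inbound.setdefault((c.dst, c.dport), []).append((c.ts, c.src))
    return hits

def infected_hosts(hits) -> set:
    """Hosts A, C and E of every matched chain (all presumed infected)."""
    return {h for a, c, e, *_ in hits for h in (a, c, e)}

if __name__ == "__main__":
    chains = find_worm_chains(LOG)
    for a, c, e, d, t_in, t_out in chains:
        print(f"{a} -> {c} -> {e} on port {d} ({t_in:.1f}s -> {t_out:.1f}s)")
    print("presumed infected:", sorted(infected_hosts(chains)))
```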
FUTURE WORK
• What to do with the packet? How to know if it is from an intruder?
• What data do we need to store?
• How to collect the data towards an automated process?
• How can SNORT create the intervals automatically?
• Implement the approach in SNORT's source code
• Analyze other protocols
FUTURE WORK
• Analyze other scenarios, like an Internet server instead of a local server
• Analyze wireless communication
• DNSSEC
• Behavioral signatures for other attacks
CONCLUSION
• Timing is important, but we also need to look at other variables, like performance, before making a decision. This decreases false positives.
• The intervals work for the studied protocols; results may change for other protocols.
• The intervals need to be tested using attacks like DDoS, worms, etc.
• The HTTP and HTTPS graphs are different because more information is exchanged and timing varies.
REFERENCES
• Network Intrusion Detection. Stephen Northcutt, Judy Novak. New Riders, 2003.
• Defending Yourself: The Role of Intrusion Detection Systems. John McHugh, Alan Christie, Julia Allen.
• Design of an Autonomous Anti-DDoS Network (A2D2). Angela Cearns, thesis, 2002.
• Intrusion Detection with SNORT. Rafeeq Ur Rehman. Prentice Hall, 2003.