390 likes | 537 Views
A Wavelet Approach to Network Intrusion Detection. W. Oblitey & S. Ezekiel IUP Computer Science Dept. Intrusion Detection:. Provides monitoring of system resources to help detect intrusion and/or identify attacks. Complimentary to blocking devices. Insider attacks.
E N D
A Wavelet Approach to Network Intrusion Detection W. Oblitey & S. Ezekiel IUP Computer Science Dept.
Intrusion Detection: • Provides monitoring of system resources to help detect intrusion and/or identify attacks. • Complimentary to blocking devices. • Insider attacks. • Attacks that use traffic permitted by the firewall. • Can monitor the attack after it crosses through the firewall. • Helps gather useful information for • Detecting attackers, • Identifying attackers, • Reveal new attack strategies.
Classification: • Intrusion Detection Systems classified according to how they detect malicious activity: • Signature detection systems • Also called Misuse detection systems • Anomaly detection systems • Also classified as: • Network-based intrusion detection systems • Monitor network traffic • Host-based intrusion detection systems. • Monitor activity on host machines
Signature Detection: • Achieved by creating signatures: • Models of attack • Monitored events compared to models to determine qualification as attacks. • Excellent at detecting known attacks. • Requires the signatures to be created and entered into the sensor’s database before operation. • May generate false alarms (False Positives). • Problem: • Needs a large number of signatures for effective detection. • The database can grow very massive.
Anomaly Detection: • Creates a model of normal use and looks for activity that does not conform to the model. • Problems with this method: • Difficulty in creating the model of normal activity • If the network already had malicious activity on it, is it ‘normal activity’? • Some patterns classified as anomalies may not be malicious.
Network-Based IDS • By far the most commonly employed form of Intrusion Detection Systems. • To many people, “IDS” is synonymous with “NIDS”. • Matured more quickly than the host-based equivalents. • Large number of NIDS products available on the market.
Deploying NIDS • Points to consider: • Where do sensors belong in the network? • What is to be protected the most? • Which devices hold critical information assets? • Cost effectiveness; • We cannot deploy sensors on all network segments. • Even not manageable. • We need to carefully consider where sensors are to be deployed.
Locations for IDS Sensors • Just inside the firewall. • The firewall is a bottleneck for all traffic. • All inbound/outbound traffic pass here. • The sensor can inspect all incoming and outgoing traffic. • On the DMZ. • The publicly reachable hosts located here are often get attacked. • The DMZ is usually the attacker’s first point of entry into the network. • On the server farm segment. • We can monitor mission-critical application servers. • Example: Financial, Logistical, Human Resources functions. • Also monitors insider attacks. • On the network segments connecting the mainframe or midrange hosts. • Monitor mission-critical devises.
The Network Monitoring Problem • Network-based IDS sensors employ sniffing to monitor the network traffic. • Networks using hubs: • Can monitor all packets. • Hubs transmit every packet out of every connected interface. • Switched networks: • The sensor must be able to sniff the passing traffic. • Switches forward packets only to ports connected to destination hosts.
Monitoring Switched Networks • Use of Switch Port Analyzer (SPAN) configurations. • Causes switch to copy all packets destined to a given interface. • Transmits packets to the modified port. • Use of hubs in conjunction with the switches. • The hub must be a fault-tolerant one. • Use of taps in conjunction with the switches. • Fault-tolerant hub-like devices. • Permit only one-way transmission of data out of the monitoring port.
NIDS Signature Types • These look for patterns in packet payloads that indicate possible attacks. • Port signatures • Watch for connection attempts to a known or frequently attacked ports. • Header signatures • These watch for dangerous or illogical combinations in packet headers.
Network IDS Reactions Types • Typical reactions of network-based IDS with active monitoring upon detection of attack in progress: • TCP resets • IP session logging • Shunning or blocking • Capabilities are configurable on per-signature basis: • Sensor responds based on configuration.
TCP Reset Reaction • Operates by sending a TCP reset packet to the victim host. • This terminates the TCP session. • Spoofs the IP address of the attacker. • Resets are sent from the sensor’s monitoring/sniffing interface. • It can terminate an attack in progress but cannot stop the initial attack packet from reaching the victim.
IP Session Logging • The sensor records traffic passing between the attacker and the victim. • Can be very useful in analyzing the attack. • Can be used to prevent future attacks. • Limitation: • Only the trigger and the subsequent packets are logged. • Preceding packets are lost. • Can impact sensor performance. • Quickly consumes large amounts of disk space.
Shunning/Blocking • Sensor connects to the firewall or a packet-filtering router. • Configures filtering rules • Blocks packets from the attacker • Needs arrangement of proper authentication: • Ensures that the sensor can securely log into the firewall or router. • A temporary measure that buy time for the administrator. • The problem with spoofed source addresses.
Host-based IDS • Started in the early 1980s when networks were not do prevalent. • Primarily used to protect only critical servers • Software agent resides on the protected system • Signature based: • Detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity • Use of resources can have impact on system performance
HIDS Methods of Operation • Auditing logs: • system logs, event logs, security logs, syslog • Monitoring file checksums to identify changes • Elementary network-based signature techniques including port activity • Intercepting and evaluating requests by applications for system resources before they are processed • Monitoring of system processes for suspicious activity
Log File Auditing • Detects past activity • Cannot stop the action that set off the alarm from taking place. • Log Files: • Monitor changes in the log files. • New entries for changes logs are compared with HIDS attack signature patterns for match • If match is detected, administrator is alerted
File Checksum Examination • Detects past activity: • Cannot stop the action that set off the alarm from taking place. • Hashes created only for system files that should not change or change infrequently. • Inclusion of frequently changing files is a huge disturbance. • File checksum systems, like Tripwire, may also be employed.
Network-Based Techniques • The IDS product monitors packets entering and leaving the host’s NIC for signs of malicious activity. • Designed to protect only the host in question. • The attack signatures used are not as sophisticated as those used in NIDs. • Provides rudimentary network-based protections.
Intercepting Requests • Intercepts calls to the operating system before they are processed. • Is able to validate software calls made to the operating system and kernel. • Validation is accomplished by: • Generic rules about what processes may have access to resources. • Matching calls to system resources with predefined models which identify malicious activity.
System Monitoring • Can preempt attacks before they are executed. • This type of monitoring can: • Prevent files from being modified. • Allow access to data files only to a predefined set of processes. • Protect system registry settings from modification. • Prevent critical system services from being stopped. • Protect settings for users from being modified. • Stop exploitation of application vulnerabilities.
HIDS Software • Deployed by installing agent software on the system. • Effective for detecting insider-attacks. • Host wrappers: • Inexpensive and deployable on all machines • Do not provide in-depth, active monitoring measures of agent-based HIDS products • Sometimes referred to as personal firewalls • Agent-based software: • More suited for single purpose servers
HIDS Active Monitoring Capabilities • Options commonly used: • Log the event • Very good for post mortem analysis • Alert the administrator • Through email or SNMP traps • Terminate the user login • Perhaps with a warning message • Disable the user account • Preventing access to memory, processor time, or disk space.
Advantages of Host-based IDS • Can verify success or failure of attack • By reviewing log entries • Monitors user and system activities • Useful in forensic analysis of the attack • Can protect against non-network-based attacks • Reacts very quickly to intrusions • By preventing access to system resources • By immediately identifying a breach when it occurs • Does not rely on particular network infrastructure • Not limited by switched infrastructures • Installed on the protected server itself • Does not require additional hardware to deploy • Needs no changes to the network infrastructure
Active/Passive Detection • The ability of an IDS to take action when they detect suspicious activity. • Passive Systems: • Take no action to stop or prevent the activity. • They log events. • They alert administrators. • They record the traffic for analysis. • Active Systems: • They do all the recordings that passive systems do, • They interoperate with firewalls and routers • Can cause blocking or shunning • They can send TCP resets.
Our Approach • We present a variant but novel approach of the anomaly detection scheme. • We show how to detect attacks without the use of data banks. • We show how to correlate multiple inputs to define the basis of a new generation analysis engine.
Signals and signal Processing: • Signal definition: • A function of independent variables like time, distance, position, temperature, and pressure. • Signals play important part in our daily lives • Examples: speech, music, picture, and video. • Signal Classification: • Analog – the independent variable on which the signal depends is continuous. • Digital – the independent variable is discrete. • Digital signals are presented a a sequence of numbers (samples). • Signals carry information • The objective of signal processing is to extract this useful information.
Energy of a Signal: • We can also define a signal as a function of varying amplitude through time. • The measure of a signal’s strength is the area under the absolute value of the curve. • This measure is referred to as the energy of the signal and is defined as: • Energy of continuous signal • Energy of discrete signal
Wavelet: • Is a waveform of effectively limited duration that has an average value of zero. • Presently used in many fields of science and engineering. • It development resulted from the need to generate algorithms that would compute compact representations of signals and data sets at an accelerated pace. • Started as Alfred Haar’s step functions, now called wavelets. • We analyze wavelets by breaking up a signal into shifted and scaled versions of the original (mother) wavelet.
Our Network Topology: • We set up a star topology network; • Four computers in an island • Each running Linux RedHat 9.2 • The machines are connected by a switch • The switch is connected to a PIX 515E Firewall • 3Com Ethernet Hub sits between the switch and the firewall • For Sniffing and capturing packets • We duplicated this island six times and connected them with routers. • We then connected the islands, via the routers, to a central Cisco switch. • For simulation purposes, we installed Windows XP on one machine in island one.
DataCollection: • We generated packets with a Perl script on a Linux system. • We used the three most common protocols for our simulation: • HTTP, FTP, and SMTP. • For each protocol: • We generated a constant traffic; • We created 50 datasets each consisting of the number of packets transmitted over two minute intervals. • We executed the same traffic scripts with a random pause between 0 and 60 seconds. • We then rerun the traffic between 0 and 15 seconds to create additional datasets. • We collected all the 150 datasets by Ethereal for further analysis.
Conclusion & Future Direction • We have presented: • A wavelet based – framework for network monitoring • This is our first phase for the development of an engine for Network Intrusion Analysis • This will not depend on databases and thus will minimize false negatives and false positives