A Wavelet Approach to Network Intrusion Detection
W. Oblitey & S. Ezekiel, IUP Computer Science Dept.
Secure IT - 2005
Intrusion Detection:
• Provides monitoring of system resources to help detect intrusions and/or identify attacks.
• Complementary to blocking devices; it covers what they miss:
  • Insider attacks.
  • Attacks that use traffic permitted by the firewall.
  • Can monitor the attack after it crosses through the firewall.
• Helps gather useful information for
  • Detecting attackers,
  • Identifying attackers,
  • Revealing new attack strategies.
Classification:
• Intrusion Detection Systems are classified according to how they detect malicious activity:
  • Signature detection systems
    • Also called misuse detection systems
  • Anomaly detection systems
• Also classified by what they monitor:
  • Network-based intrusion detection systems
    • Monitor network traffic
  • Host-based intrusion detection systems
    • Monitor activity on host machines
Signature Detection:
• Achieved by creating signatures:
  • Models of attacks.
  • Monitored events are compared to the models to determine whether they qualify as attacks.
• Excellent at detecting known attacks.
• Requires the signatures to be created and entered into the sensor's database before operation.
• May generate false alarms (false positives).
• Problem:
  • Needs a large number of signatures for effective detection.
  • The database can grow very large.
Anomaly Detection:
• Creates a model of normal use and looks for activity that does not conform to the model.
• Problems with this method:
  • Difficulty in creating the model of normal activity.
    • If the network already had malicious activity on it, is that 'normal activity'?
  • Some patterns classified as anomalies may not be malicious.
Network-Based IDS
• By far the most commonly employed form of intrusion detection system.
• To many people, "IDS" is synonymous with "NIDS".
• Matured more quickly than the host-based equivalents.
• Large number of NIDS products available on the market.
Deploying NIDS
• Points to consider:
  • Where do sensors belong in the network?
  • What is to be protected the most?
  • Which devices hold critical information assets?
  • Cost effectiveness:
    • We cannot deploy sensors on all network segments.
    • Doing so would not be manageable either.
• We need to carefully consider where sensors are to be deployed.
Locations for IDS Sensors
• Just inside the firewall.
  • The firewall is a bottleneck for all traffic: all inbound/outbound traffic passes here.
  • The sensor can inspect all incoming and outgoing traffic.
• On the DMZ.
  • The publicly reachable hosts located here are often attacked.
  • The DMZ is usually the attacker's first point of entry into the network.
• On the server farm segment.
  • We can monitor mission-critical application servers.
    • Example: financial, logistical, human resources functions.
  • Also monitors insider attacks.
• On the network segments connecting the mainframe or midrange hosts.
  • Monitor mission-critical devices.
The Network Monitoring Problem
• Network-based IDS sensors employ sniffing to monitor the network traffic.
• Networks using hubs:
  • Can monitor all packets.
  • Hubs transmit every packet out of every connected interface.
• Switched networks:
  • The sensor must be able to sniff the passing traffic.
  • Switches forward packets only to the ports connected to the destination hosts, so by default a sensor's port sees only traffic addressed to the sensor itself.
Monitoring Switched Networks
• Use of Switch Port Analyzer (SPAN) configurations.
  • Causes the switch to copy all packets sent to or from a given source interface.
  • Transmits the copies to the configured monitor (SPAN destination) port, where the sensor listens.
• Use of hubs in conjunction with the switches.
  • The hub must be a fault-tolerant one.
• Use of taps in conjunction with the switches.
  • Fault-tolerant, hub-like devices.
  • Permit only one-way transmission of data out of the monitoring port, so the sensor cannot inject into the monitored link (active responses such as TCP resets then need a separate interface).
NIDS Signature Types
• Payload (content) signatures
  • These look for patterns in packet payloads that indicate possible attacks.
• Port signatures
  • Watch for connection attempts to known or frequently attacked ports.
• Header signatures
  • These watch for dangerous or illogical combinations of values in packet headers.
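The three signature types above, run over a handful of decoded packets. This is an added example, not code from the slides or from any IDS product: the packet records, the watched-port table and the payload patterns are all constructed here, and the header checks are the classic illogical-flag cases (SYN together with FIN, no flags at all, every flag set, a packet addressed to itself).

```python
"""Payload, port and header signatures over constructed packet records.

Added example, not the slides' code or any product's rule language. Each
packet is a record the sensor's sniffer would have decoded from the wire.
Port and header signatures look only at header fields and are cheap;
payload signatures need the bytes and a pattern search.
"""
import re

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG

# Constructed port table: services that are frequently attacked.
WATCHED_PORTS = {23: "telnet", 135: "msrpc", 445: "smb", 1433: "mssql"}

# Constructed payload patterns (byte regexes).
PAYLOAD_PATTERNS = [
    ("traversal", re.compile(rb"\.\./\.\./")),
    ("passwd-read", re.compile(rb"/etc/passwd")),
    ("nop-sled", re.compile(rb"\x90{16,}")),
]


def header_signatures(pkt):
    """Dangerous or illogical header combinations."""
    flags, hits = pkt["flags"], []
    if flags & SYN and flags & FIN:
        hits.append("syn-fin")        # cannot open and close a session at once
    if flags == 0:
        hits.append("null-scan")      # no flags at all never occurs in a real session
    if flags & ALL_FLAGS == ALL_FLAGS:
        hits.append("xmas-scan")      # every flag lit
    if pkt["src"] == pkt["dst"]:
        hits.append("land")           # packet addressed to itself
    return hits


def port_signature(pkt):
    """Connection attempt (bare SYN) to a watched port."""
    if pkt["flags"] & SYN and not pkt["flags"] & ACK and pkt["dport"] in WATCHED_PORTS:
        return ["port-%s" % WATCHED_PORTS[pkt["dport"]]]
    return []


def payload_signatures(pkt):
    """Pattern search over the payload bytes."""
    payload = pkt.get("payload", b"")
    return [name for name, pat in PAYLOAD_PATTERNS if pat.search(payload)]


def inspect(packets):
    """Return (signature, src, dst, dport) for every hit, in packet order."""
    alerts = []
    for pkt in packets:
        for hit in header_signatures(pkt) + port_signature(pkt) + payload_signatures(pkt):
            alerts.append((hit, pkt["src"], pkt["dst"], pkt["dport"]))
    return alerts


# Constructed traffic: one benign SYN, then one packet per signature type.
PACKETS = [
    {"src": "203.0.113.9", "dst": "192.0.2.10", "sport": 51000, "dport": 80, "flags": SYN, "payload": b""},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "sport": 51001, "dport": 80, "flags": SYN | FIN, "payload": b""},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "sport": 51002, "dport": 23, "flags": SYN, "payload": b""},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "sport": 51000, "dport": 80, "flags": PSH | ACK,
     "payload": b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\n\r\n"},
    {"src": "192.0.2.10", "dst": "192.0.2.10", "sport": 139, "dport": 139, "flags": SYN, "payload": b""},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "sport": 51003, "dport": 22, "flags": 0, "payload": b""},
]

if __name__ == "__main__":
    for alert in inspect(PACKETS):
        print(alert)
```

Header and port signatures are the ones worth running first on a busy sensor: they decide on a few header bytes, while the payload patterns cost a regex search per packet, which is where the signature-database size discussed on the earlier slide starts to hurt.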
Network IDS Reaction Types
• Typical reactions of a network-based IDS with active monitoring upon detection of an attack in progress:
  • TCP resets
  • IP session logging
  • Shunning or blocking
• Capabilities are configurable on a per-signature basis:
  • The sensor responds based on that configuration.
TCP Reset Reaction
• Operates by sending a TCP reset packet to the victim host.
  • This terminates the TCP session.
  • Spoofs the IP address of the attacker, so the victim believes the attacker closed the connection.
  • Resets are sent from the sensor's monitoring/sniffing interface.
  • The reset must carry a sequence number the victim will accept (one inside its receive window), so the sensor has to track the session it is tearing down.
• It can terminate an attack in progress but cannot stop the initial attack packet from reaching the victim.
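What the sensor actually puts on the wire, as an added example (not the slides' code and not any product's implementation): IPv4 and TCP headers packed by hand so the spoofed source address, the borrowed sequence number and the RST flag are visible byte for byte. The observed attacker packet is constructed sample data, and nothing is transmitted; sending the result would need a raw socket and privileges.

```python
"""Build the spoofed TCP resets a NIDS sensor sends to tear down a session.

Added example, not the slides' or any product's code. Headers are packed
with struct so the spoofing is visible; nothing is transmitted. OBSERVED
is a constructed attacker->victim data segment the sensor has just seen.
"""
import socket
import struct

TCP_RST, TCP_ACK = 0x04, 0x10
IP_HDR_LEN = TCP_HDR_LEN = 20


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_rst(src_ip, dst_ip, sport, dport, seq, ack):
    """Return a complete IPv4 + TCP RST/ACK packet claiming to come from src."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      (TCP_HDR_LEN // 4) << 4, TCP_RST | TCP_ACK, 0, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp)))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def resets_for(observed):
    """Craft the reset to the victim (and one to the attacker) from one observed segment.

    The reset to the victim must look like it came from the attacker: same
    addresses and ports, and the sequence number the victim expects next
    (attacker's seq + payload length). A RST outside the victim's receive
    window is silently dropped, which is why the sensor must track the
    session, and why the triggering packet itself still gets through.
    """
    nxt = (observed["seq"] + observed["payload_len"]) & 0xFFFFFFFF
    to_victim = build_rst(observed["src"], observed["dst"], observed["sport"],
                          observed["dport"], nxt, observed["ack"])
    # Optionally reset the attacker's side too, spoofing the victim.
    to_attacker = build_rst(observed["dst"], observed["src"], observed["dport"],
                            observed["sport"], observed["ack"], nxt)
    return to_victim, to_attacker


def parse(packet):
    """Decode the fields that matter and verify both checksums."""
    ip = struct.unpack("!BBHHHBBH4s4s", packet[:IP_HDR_LEN])
    tcp = struct.unpack("!HHIIBBHHH", packet[IP_HDR_LEN:IP_HDR_LEN + TCP_HDR_LEN])
    pseudo = ip[8] + ip[9] + struct.pack("!BBH", 0, ip[6], len(packet) - IP_HDR_LEN)
    return {
        "src": socket.inet_ntoa(ip[8]), "dst": socket.inet_ntoa(ip[9]),
        "sport": tcp[0], "dport": tcp[1], "seq": tcp[2], "ack": tcp[3], "flags": tcp[5],
        "ip_ok": checksum(packet[:IP_HDR_LEN]) == 0,
        "tcp_ok": checksum(pseudo + packet[IP_HDR_LEN:]) == 0,
    }


# Constructed observation: attacker 198.51.100.7 sending 120 bytes to a web server.
OBSERVED = {"src": "198.51.100.7", "dst": "192.0.2.10", "sport": 40321,
            "dport": 80, "seq": 1000, "ack": 5000, "payload_len": 120}

if __name__ == "__main__":
    for pkt in resets_for(OBSERVED):
        print(parse(pkt))
```

The sequence-number requirement is the practical weakness of this reaction: the sensor must see every segment of the session to know what the victim will accept, so a sensor fed by a lossy SPAN port, or one behind a one-way tap with no transmit path, may craft resets the victim ignores.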
IP Session Logging
• The sensor records the traffic passing between the attacker and the victim.
  • Can be very useful in analyzing the attack.
  • Can be used to prevent future attacks.
• Limitations:
  • Only the trigger packet and the subsequent packets are logged; preceding packets are lost.
  • Can impact sensor performance.
  • Quickly consumes large amounts of disk space.
Shunning/Blocking
• The sensor connects to the firewall or a packet-filtering router and configures filtering rules that block packets from the attacker.
• Needs proper authentication arranged in advance:
  • Ensures that the sensor can securely log into the firewall or router.
• A temporary measure that buys time for the administrator.
• The problem with spoofed source addresses: an attacker who forges the source address can make the sensor block a legitimate host.
Host-based IDS
• Started in the early 1980s, when networks were not so prevalent.
• Primarily used to protect only critical servers.
• A software agent resides on the protected system.
• Signature based:
  • Detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity.
• Its use of resources can have an impact on system performance.
HIDS Methods of Operation
• Auditing logs:
  • system logs, event logs, security logs, syslog
• Monitoring file checksums to identify changes
• Elementary network-based signature techniques, including port activity
• Intercepting and evaluating requests by applications for system resources before they are processed
• Monitoring of system processes for suspicious activity
Log File Auditing
• Detects past activity:
  • Cannot stop the action that set off the alarm from taking place.
• Log files:
  • Monitor changes in the log files.
  • New entries are compared with the HIDS attack signature patterns for a match.
  • If a match is detected, the administrator is alerted.
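The matching step described above, as an added example (not the slides' code or any HIDS product's): signature patterns run over the entries appended since the agent's last pass. The regexes, the per-source thresholds and the syslog lines are constructed here; a real agent would load its signatures from a database and persist the file offset between runs.

```python
"""Signature-based auditing of new log entries, as a HIDS agent does it.

Added example, not the slides' code. Signatures and the syslog sample are
constructed; a real agent reads only the entries appended since its last
pass (tracked by file offset) and loads signatures from a database.
"""
import re
from collections import Counter

# Constructed signatures: (name, pattern, group to count by, hits needed).
# A threshold above 1 keeps a single mistyped password from paging anyone.
SIGNATURES = [
    ("ssh-bruteforce",
     re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
     "src", 3),
    ("root-login",
     re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)"),
     "src", 1),
    ("new-account",
     re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,\s]+)"),
     "user", 1),
]


def audit(new_lines, signatures=SIGNATURES):
    """Match each new line against every signature.

    Returns (signature, key, count) alerts. A signature fires once, when the
    threshold-th match for the same key is seen, so repeated noise from one
    source produces one alert rather than one per line.
    """
    counts, alerts = Counter(), []
    for line in new_lines:
        for name, pattern, key_group, threshold in signatures:
            m = pattern.search(line)
            if not m:
                continue
            key = (name, m.group(key_group))
            counts[key] += 1
            if counts[key] == threshold:
                alerts.append((name, m.group(key_group), threshold))
    return alerts


def read_new_entries(path, offset):
    """Return (lines appended since offset, new offset).

    This is the 'monitor changes in the log files' step: remembering how
    far it has read lets the agent look only at new entries on each pass.
    """
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    return data.decode("utf-8", "replace").splitlines(), offset + len(data)


# Constructed syslog excerpt: a password-guessing run that ends in a root
# login from the same address, followed by an account creation.
SAMPLE_LOG = """\
Mar  3 10:01:02 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Mar  3 10:01:04 web01 sshd[2311]: Failed password for invalid user oracle from 203.0.113.5 port 50130 ssh2
Mar  3 10:01:05 web01 sshd[2314]: Failed password for alice from 198.51.100.20 port 40011 ssh2
Mar  3 10:01:07 web01 sshd[2311]: Failed password for root from 203.0.113.5 port 50141 ssh2
Mar  3 10:01:09 web01 sshd[2320]: Accepted password for root from 203.0.113.5 port 50150 ssh2
Mar  3 10:01:12 web01 useradd[2331]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
""".splitlines()

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
```

Note what the example cannot do: by the time the third failure is counted the root login has already succeeded, which is the "detects past activity" limitation on the slide. It also trusts the log; an intruder with root can truncate it, which is one reason the checksum method on the next slide complements this one.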
File Checksum Examination
• Detects past activity:
  • Cannot stop the action that set off the alarm from taking place.
• Hashes are created only for system files that should not change, or change infrequently.
  • Including frequently changing files produces a flood of spurious alerts.
• Dedicated file checksum systems, like Tripwire, may also be employed.
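A minimal Tripwire-style baseline-and-verify pass, as an added example (not the slides' code and not Tripwire's). The exclusion patterns implement the slide's advice to leave frequently changing files out; the directory tree the demo builds and tampers with is constructed so the example runs offline.

```python
"""File integrity checking: hash a baseline, later compare against it.

Added example, not the slides' or Tripwire's code. Files matching an
exclusion pattern (logs and other fast-changing files) are not hashed, as
the slide recommends. demo() constructs a throwaway tree so this runs
offline. In a real deployment the baseline lives off-host or read-only:
an intruder who can rewrite the baseline defeats the check.
"""
import fnmatch
import hashlib
import os
import shutil
import tempfile

DEFAULT_EXCLUDES = ("*.log", "*.tmp", "*.pid")


def monitored(relpath, excludes=DEFAULT_EXCLUDES):
    """True if the file is in scope (matches no exclusion pattern)."""
    return not any(fnmatch.fnmatch(relpath, pat) for pat in excludes)


def hash_file(path, chunk=65536):
    """SHA-256 of a file read in chunks, so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, excludes=DEFAULT_EXCLUDES):
    """Map relative path -> sha256 for every monitored file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if monitored(rel, excludes):
                baseline[rel] = hash_file(full)
    return baseline


def verify(root, baseline, excludes=DEFAULT_EXCLUDES):
    """Compare the tree with the baseline: sorted 'modified', 'missing', 'added' paths."""
    current = build_baseline(root, excludes)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Construct a tree, baseline it, tamper with it, and return the report."""
    root = tempfile.mkdtemp(prefix="fim-")
    try:
        files = {  # constructed contents, not real system files
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "bin/login": b"\x7fELF original login binary\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
            "var/log/auth.log": b"first line\n",
        }
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        baseline = build_baseline(root)

        # Tampering: trojaned binary, deleted file, new hidden file, and a
        # log that keeps growing (excluded, so it must not raise an alert).
        with open(os.path.join(root, "bin/login"), "wb") as fh:
            fh.write(b"\x7fELF trojaned login binary\n")
        os.remove(os.path.join(root, "etc/hosts"))
        with open(os.path.join(root, "bin/.hidden"), "wb") as fh:
            fh.write(b"backdoor\n")
        with open(os.path.join(root, "var/log/auth.log"), "ab") as fh:
            fh.write(b"second line\n")
        return verify(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Hashing contents alone misses permission and ownership changes (a binary made setuid without changing a byte); production tools also record mode, owner and inode metadata in the baseline.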
Network-Based Techniques
• The IDS product monitors packets entering and leaving the host's NIC for signs of malicious activity.
• Designed to protect only the host in question.
• The attack signatures used are not as sophisticated as those used in NIDS.
• Provides rudimentary network-based protection.
Intercepting Requests
• Intercepts calls to the operating system before they are processed.
• Is able to validate software calls made to the operating system and kernel.
• Validation is accomplished by:
  • Generic rules about which processes may have access to which resources.
  • Matching calls for system resources against predefined models that identify malicious activity.
System Monitoring
• Can preempt attacks before they are executed.
• This type of monitoring can:
  • Prevent files from being modified.
  • Allow access to data files only to a predefined set of processes.
  • Protect system registry settings from modification.
  • Prevent critical system services from being stopped.
  • Protect user settings from being modified.
  • Stop exploitation of application vulnerabilities.
HIDS Software
• Deployed by installing agent software on the system.
• Effective for detecting insider attacks.
• Host wrappers:
  • Inexpensive and deployable on all machines.
  • Do not provide the in-depth, active monitoring measures of agent-based HIDS products.
  • Sometimes referred to as personal firewalls.
• Agent-based software:
  • More suited for single-purpose servers.
HIDS Active Monitoring Capabilities
• Options commonly used:
  • Log the event
    • Very good for post mortem analysis
  • Alert the administrator
    • Through email or SNMP traps
  • Terminate the user login
    • Perhaps with a warning message
  • Disable the user account
  • Prevent access to memory, processor time, or disk space
Advantages of Host-based IDS
• Can verify the success or failure of an attack
  • By reviewing log entries
• Monitors user and system activities
  • Useful in forensic analysis of the attack
• Can protect against non-network-based attacks
• Reacts very quickly to intrusions
  • By preventing access to system resources
  • By immediately identifying a breach when it occurs
• Does not rely on a particular network infrastructure
  • Not limited by switched infrastructures
• Installed on the protected server itself
  • Does not require additional hardware to deploy
  • Needs no changes to the network infrastructure
Active/Passive Detection
• The ability of an IDS to take action when it detects suspicious activity.
• Passive systems:
  • Take no action to stop or prevent the activity.
  • They log events.
  • They alert administrators.
  • They record the traffic for analysis.
• Active systems:
  • They do all the recording that passive systems do.
  • They interoperate with firewalls and routers.
    • Can cause blocking or shunning.
  • They can send TCP resets.
Our Approach
• We present a variant, and novel, approach to anomaly detection.
• We show how to detect attacks without the use of signature data banks.
• We show how to correlate multiple inputs to define the basis of a new-generation analysis engine.
Signals and Signal Processing:
• Signal definition:
  • A function of independent variables like time, distance, position, temperature, and pressure.
• Signals play an important part in our daily lives.
  • Examples: speech, music, pictures, and video.
• Signal classification:
  • Analog (continuous-time): the independent variable on which the signal depends is continuous.
  • Digital (discrete-time): the independent variable is discrete.
    • Digital signals are represented as a sequence of numbers (samples).
• Signals carry information.
  • The objective of signal processing is to extract this useful information.
Energy of a Signal:
• We can also define a signal as a function of varying amplitude through time.
• A measure of a signal's strength is the area under the square of its curve (the squared magnitude, not the magnitude itself).
• This measure is referred to as the energy of the signal and is defined for:
  • The energy of a continuous signal
  • The energy of a discrete signal
What is a Wavelet? (Wavelet Analysis)
• Wavelets are functions that satisfy certain mathematical requirements and are used to represent data or other functions.
• The idea is not new: Joseph Fourier, 1800s.
• Wavelets: the scale we use to see data plays an important role.
• The Fourier transform is non-local and does a very poor job on sharp spikes.
• [Figure: Daubechies db10 wavelet compared with a sine wave]
History of Wavelets
• 1807 Joseph Fourier: theory of frequency analysis; any 2π-periodic function f(x) is the sum of its Fourier series.
• 1909 Alfred Haar, PhD thesis: defined the Haar basis function; it has compact support (vanishes outside a finite interval).
• 1930 Paul Lévy (mathematician) investigated Brownian motion (a random signal) and concluded that the Haar basis suits it better than the Fourier transform.
• 1930s Littlewood–Paley, Stein: calculated the energy of a function.
• 1960 Guido Weiss, Ronald Coifman: studied the simplest elements of function spaces, called atoms.
• 1980 Grossmann (physicist) and Morlet (engineer): broadly defined wavelets in the context of quantum mechanics.
• 1985 Stéphane Mallat: defined wavelets for the digital signal processing work of his Ph.D.
• Yves Meyer constructed the first non-trivial wavelet.
• 1988 Ingrid Daubechies: used Mallat's work to construct a set of wavelets.
• The name emerged from the literature of geophysics, by a route through France: the word onde led to ondelette, and the translation wave led to wavelet.
Fourier Series and Energy
Functions
• Functions in science and engineering often use time as their parameter.
  • g(t) represents the function in the time domain.
  • Since typical functions oscillate, think of them as waves: G(f), where f is the frequency of the wave, represents the function in the frequency domain.
• A function g(t) is periodic if there exists a nonzero constant P such that g(t+P) = g(t) for all t, where P is called the period.
• A periodic function has four important attributes:
  • Amplitude: the maximum value it takes in any period.
  • Period: P.
  • Frequency: f = 1/P, in cycles per second (Hz).
  • Phase: a cosine is a sine shifted in phase by a quarter period.
Fourier, Haar
• [Figure: Fourier representation (amplitude vs. frequency) beside the Haar representation (amplitude vs. time)]
• 1965 Cooley and Tukey: Fast Fourier Transform.
CWT
• The continuous wavelet transform (CWT) of a function f(t) is taken with respect to a mother wavelet.
• The mother wavelet may be real or complex, with the following properties:
  • 1. The total area under the curve is 0: it oscillates above and below the t-axis.
  • 2. The total area under its square is finite: the energy of the function is finite, so the function is localized.
  • 3. Admissibility condition.
• An infinite number of functions satisfy the above conditions; some of them are used for wavelet transforms.
• Examples:
  • Morlet wavelet
  • Mexican hat wavelet
• Once a wavelet has been chosen, the CWT of a square-integrable function f(t) is defined as an integral of f against the scaled and translated mother wavelet, where * denotes the complex conjugate.
• For any a, the parameter b slides the wavelet along t: b is the translation parameter.
• Setting b = 0, a is the scaling parameter: a > 1 stretches the wavelet and 0 < a < 1 shrinks it.
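The definition the slide refers to, written out here as an added illustration in its standard textbook form (the mother wavelet, which the slide does not name, is written $\psi$; this is not a formula taken from the slides):

$$
W_f(a,b) \;=\; \frac{1}{\sqrt{|a|}} \int_{-\infty}^{\infty} f(t)\,\psi^{*}\!\left(\frac{t-b}{a}\right) dt, \qquad a \neq 0 .
$$

Writing $\psi_{a,b}(t) = |a|^{-1/2}\,\psi\!\left(\tfrac{t-b}{a}\right)$, the transform is the inner product $W_f(a,b) = \langle f, \psi_{a,b} \rangle$. For fixed $a$, changing $b$ slides the same window along $t$, which is why $b$ is the translation parameter. Setting $b = 0$ gives $\psi_{a,0}(t) = |a|^{-1/2}\,\psi(t/a)$: for $a > 1$ the wavelet is stretched, for $0 < a < 1$ it is shrunk, and the factor $|a|^{-1/2}$ keeps $\int |\psi_{a,b}(t)|^2\,dt = \int |\psi(t)|^2\,dt$, so every scaled copy has the same energy. The three conditions of the previous slide read, in this notation,

$$
\int_{-\infty}^{\infty} \psi(t)\,dt = 0, \qquad
\int_{-\infty}^{\infty} |\psi(t)|^2\,dt < \infty, \qquad
C_\psi = \int_{-\infty}^{\infty} \frac{|\Psi(\omega)|^2}{|\omega|}\,d\omega < \infty ,
$$

with $\Psi$ the Fourier transform of $\psi$; the last (admissibility) condition is what makes the transform invertible. The two examples named on the slide are, up to normalisation, the Mexican hat $\psi(t) = (1 - t^2)\,e^{-t^2/2}$ and the Morlet wavelet $\psi(t) = e^{i\omega_0 t}\,e^{-t^2/2}$ (which satisfies the zero-mean condition only approximately, for large $\omega_0$).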
Wavelets vs. Fourier Transform
• CWT = C(scale, position)
• Scaling a wavelet means simply stretching (or shrinking) it.
• Shifting: f(t) → f(t − k).
Wavelets, Continued
• Wavelets are basis functions in continuous time.
• A basis is a set of linearly independent functions that can be used to produce a function f(t):
  • f(t) = combination of basis functions.
• The basis is constructed from a single mother wavelet w(t); normally it is a small wave that starts at t = 0 and ends at t = N.
  • Shrunken (scaled)
  • Shifted
• A typical wavelet is compressed j times and shifted k times.
• Property: the remarkable property is orthogonality, i.e., their inner products are zero.
  • This leads to a simple formula for the coefficients b_jk.
Haar Transform
• Digitized sound and images are discrete, so we need a discrete wavelet.
  • The expansion has coefficients c_k and d_j,k to be calculated.
• Example: consider the array of 8 values (1,2,3,4,5,6,7,8).
  • 4 average values (1.5, 3.5, 5.5, 7.5) and 4 differences, the detail coefficients (−0.5, −0.5, −0.5, −0.5).
  • Calculate the averages and differences of the 4 averages.
  • Continue this way.
• The method is called PYRAMID DECOMPOSITION.
• The Haar transform depends on the coefficients ½, ½ (average) and ½, −½ (difference).
• If we replace the divisor 2 by √2 we get the normalized (orthogonal) form; the averages are then the coarse (approximation) coefficients and the differences the fine (detail) coefficients.
Transforms
• A transform of a signal is a new representation of that signal.
• Example: from the signal x0, x1, x2, x3 define y0, y1, y2, y3.
• Questions:
  • 1. What is the purpose of the y's?
  • 2. Can we get back the x's?
• Answer to 2: the transform is invertible, giving perfect reconstruction.
• Transforms divide into 3 groups:
  • 1. Lossless (orthogonal): the transformed signal has the same length (norm), and angles are preserved.
  • 2. Invertible (bi-orthogonal): length and angles may change, but no information is lost.
  • 3. Lossy (not invertible).
Answer to Q1: Purpose
• IT SEES LARGE vs. SMALL
• x0 = 1.2, x1 = 1.0, x2 = −1.0, x3 = −1.2
• Take the sum and difference of each adjacent pair: the sums are large, the differences small (shown as 0): Y = [2.2 0 −2.2 0]
• The key idea for wavelets is the concept of "SCALE".
• We can take sums and differences again ⇒ recursion ⇒ multiresolution.
• Main idea of wavelet analysis: analyze a function at different scales; the mother wavelet is used to construct wavelets at different scales, each translated relative to the function being analyzed.
• Repeating on the two large values leaves one significant coefficient: Z = [0 0 4.4 0]
• Reconstruct from it ⇒ compression 4:1
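The pyramid decomposition of the Haar slide, the energy definition, the lossless/invertible distinction and the large-vs-small compression idea, all in one runnable piece. This is an added example, not the authors' code: the unnormalised step uses the slide's ½, ½ and ½, −½ coefficients, `normalised=True` divides by √2 instead so that the transform is orthogonal and preserves energy (sum of squares). It goes one step beyond the slides by using the detail coefficients as a burst detector on a constructed packet-count series, which is the anomaly-detection use the talk is heading towards; the median-based threshold is an assumption of this example.

```python
"""Haar pyramid decomposition, reconstruction, thresholding and a burst finder.

Added example, not the authors' code. haar_step uses the slide's
coefficients 1/2, 1/2 (average) and 1/2, -1/2 (difference); with
normalised=True the divisor is sqrt(2), which makes the transform
orthogonal: the energy (sum of squares) of the coefficients equals that
of the signal. COUNTS and the median threshold in locate_bursts are
constructed assumptions of this example.
"""
import math
from statistics import median


def haar_step(x, normalised=False):
    """One level: (coarse averages, fine differences). len(x) must be even."""
    if len(x) % 2:
        raise ValueError("Haar step needs an even-length input")
    d = math.sqrt(2) if normalised else 2.0
    pairs = [(x[i], x[i + 1]) for i in range(0, len(x), 2)]
    return [(a + b) / d for a, b in pairs], [(a - b) / d for a, b in pairs]


def inverse_step(coarse, fine, normalised=False):
    """Undo haar_step exactly: a = c + f, b = c - f (rescaled if normalised)."""
    m = 1 / math.sqrt(2) if normalised else 1.0
    out = []
    for c, f in zip(coarse, fine):
        out += [(c + f) * m, (c - f) * m]
    return out


def decompose(x, normalised=False):
    """Pyramid decomposition down to one average: [a_J, d_J, d_J-1, ..., d_1]."""
    n = len(x)
    if n == 0 or n & (n - 1):
        raise ValueError("length must be a power of two")
    coarse, details = list(x), []
    while len(coarse) > 1:
        coarse, fine = haar_step(coarse, normalised)
        details.append(fine)
    out = coarse[:]
    for fine in reversed(details):
        out += fine
    return out


def reconstruct(coeffs, normalised=False):
    """Invert decompose: consume the detail bands from coarsest to finest."""
    coarse, pos = coeffs[:1], 1
    while pos < len(coeffs):
        fine = coeffs[pos:pos + len(coarse)]
        coarse = inverse_step(coarse, fine, normalised)
        pos += len(fine)
    return coarse


def energy(x):
    """Discrete energy: the sum of the squared samples."""
    return sum(v * v for v in x)


def compress(x, eps):
    """Zero every coefficient smaller than eps ('small'); return (coefficients, kept)."""
    coeffs = [c if abs(c) >= eps else 0.0 for c in decompose(x)]
    return coeffs, sum(1 for c in coeffs if c != 0.0)


def locate_bursts(series, k=5.0, min_band=4):
    """Flag detail coefficients far above the typical size at their level.

    Returns (level, first_sample, last_sample) per flagged coefficient. The
    scale at each level is the median |detail| (assumption of this example)
    so a single burst cannot hide itself. A burst spread evenly over a pair
    cancels in d1 but shows in d2, so every level with at least min_band
    coefficients is checked; a trailing unpaired sample is dropped.
    """
    found, coarse, level = [], list(series), 0
    while len(coarse) >= 2 * min_band:
        level += 1
        coarse = coarse[:len(coarse) - len(coarse) % 2]
        coarse, fine = haar_step(coarse)
        scale = median(abs(v) for v in fine) or 1.0
        span = 2 ** level
        found += [(level, i * span, (i + 1) * span - 1)
                  for i, v in enumerate(fine) if abs(v) > k * scale]
    return found


# Constructed packets-per-second counts over 16 s with a flood at t = 9.
COUNTS = [10, 11, 10, 12, 11, 10, 10, 11, 9, 95, 12, 10, 11, 10, 10, 11]

if __name__ == "__main__":
    print(decompose([1, 2, 3, 4, 5, 6, 7, 8]))
    print(compress([1.2, 1.0, -1.0, -1.2], 0.5))
    print(locate_bursts(COUNTS))
```

On the slide's (1, …, 8) array the output is [4.5, −2, −1, −1, −0.5, −0.5, −0.5, −0.5], and `reconstruct` returns the input exactly; on the four-sample example, thresholding at 0.5 keeps one coefficient out of four, the 4:1 compression of the Purpose slide. The burst finder flags the sample pair (8, 9) at level 1 and the span (8, 11) at level 2, which is how the d-bands of the electricity-consumption example locate a peak in time without any signature database.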
Real Electricity Consumption
• A peak in the center, followed by two drops, a shallow drop, and then a considerably weaker peak.
• d1 and d2 show the noise.
• d3 presents high values at the beginning and the end of the main peak, thus allowing us to locate the corresponding peak.
• d4 shows 3 successive peaks; this fits the shape of the curve remarkably well.
• a1 and a2 bear a strong resemblance to the original.
• a3 is reasonable; a4 has lost a lot of information.