
A Wavelet Approach to Network Intrusion Detection

A Wavelet Approach to Network Intrusion Detection. W. Oblitey & S. Ezekiel, IUP Computer Science Dept. Intrusion Detection: provides monitoring of system resources to help detect intrusion and/or identify attacks. Complementary to blocking devices. Insider attacks.



Presentation Transcript


  1. A Wavelet Approach to Network Intrusion Detection W. Oblitey & S. Ezekiel IUP Computer Science Dept.

  2. Intrusion Detection:
  • Provides monitoring of system resources to help detect intrusion and/or identify attacks.
  • Complementary to blocking devices:
    • Insider attacks.
    • Attacks that use traffic permitted by the firewall.
    • Can monitor the attack after it crosses through the firewall.
  • Helps gather useful information for:
    • Detecting attackers,
    • Identifying attackers,
    • Revealing new attack strategies.

  3. Classification:
  • Intrusion Detection Systems are classified according to how they detect malicious activity:
    • Signature detection systems (also called misuse detection systems)
    • Anomaly detection systems
  • Also classified by what they monitor:
    • Network-based intrusion detection systems: monitor network traffic
    • Host-based intrusion detection systems: monitor activity on host machines

  4. Signature Detection:
  • Achieved by creating signatures: models of attacks.
  • Monitored events are compared to the models to determine whether they qualify as attacks.
  • Excellent at detecting known attacks.
  • Requires the signatures to be created and entered into the sensor’s database before operation.
  • May generate false alarms (false positives).
  • Problem: needs a large number of signatures for effective detection, so the database can grow very massive.

  5. Anomaly Detection:
  • Creates a model of normal use and looks for activity that does not conform to the model.
  • Problems with this method:
    • Difficulty in creating the model of normal activity.
    • If the network already had malicious activity on it, is that ‘normal activity’?
    • Some patterns classified as anomalies may not be malicious.

  6. Network-Based IDS
  • By far the most commonly employed form of Intrusion Detection System.
  • To many people, “IDS” is synonymous with “NIDS”.
  • Matured more quickly than the host-based equivalents.
  • A large number of NIDS products are available on the market.

  7. Deploying NIDS
  • Points to consider:
    • Where do sensors belong in the network?
    • What is to be protected the most?
    • Which devices hold critical information assets?
    • Cost effectiveness:
      • We cannot deploy sensors on all network segments; it would not even be manageable.
      • We need to carefully consider where sensors are to be deployed.

  8. Locations for IDS Sensors
  • Just inside the firewall.
    • The firewall is a bottleneck for all traffic: all inbound/outbound traffic passes here.
    • The sensor can inspect all incoming and outgoing traffic.
  • On the DMZ.
    • The publicly reachable hosts located here often get attacked.
    • The DMZ is usually the attacker’s first point of entry into the network.
  • On the server farm segment.
    • We can monitor mission-critical application servers (for example: financial, logistical, human resources functions).
    • Also monitors insider attacks.
  • On the network segments connecting the mainframe or midrange hosts.
    • Monitor mission-critical devices.

  9. The Network Monitoring Problem
  • Network-based IDS sensors employ sniffing to monitor the network traffic.
  • Networks using hubs:
    • Can monitor all packets.
    • Hubs transmit every packet out of every connected interface.
  • Switched networks:
    • The sensor must be able to sniff the passing traffic.
    • Switches forward packets only to ports connected to destination hosts.

  10. Monitoring Switched Networks
  • Use of Switch Port Analyzer (SPAN) configurations.
    • Causes the switch to copy all packets destined to a given interface and transmit the copies to the SPAN (monitoring) port.
  • Use of hubs in conjunction with the switches.
    • The hub must be a fault-tolerant one.
  • Use of taps in conjunction with the switches.
    • Fault-tolerant hub-like devices.
    • Permit only one-way transmission of data out of the monitoring port.

  11. NIDS Signature Types
  • Signatures that look for patterns in packet payloads that indicate possible attacks.
  • Port signatures: watch for connection attempts to known or frequently attacked ports.
  • Header signatures: watch for dangerous or illogical combinations in packet headers.

  12. Network IDS Reaction Types
  • Typical reactions of a network-based IDS with active monitoring upon detection of an attack in progress:
    • TCP resets
    • IP session logging
    • Shunning or blocking
  • Capabilities are configurable on a per-signature basis: the sensor responds based on its configuration.

  13. TCP Reset Reaction
  • Operates by sending a TCP reset packet to the victim host; this terminates the TCP session.
  • Spoofs the IP address of the attacker.
  • Resets are sent from the sensor’s monitoring/sniffing interface.
  • It can terminate an attack in progress but cannot stop the initial attack packet from reaching the victim.

  14. IP Session Logging
  • The sensor records traffic passing between the attacker and the victim.
    • Can be very useful in analyzing the attack.
    • Can be used to prevent future attacks.
  • Limitation:
    • Only the trigger and the subsequent packets are logged; preceding packets are lost.
    • Can impact sensor performance.
    • Quickly consumes large amounts of disk space.

  15. Shunning/Blocking
  • The sensor connects to the firewall or a packet-filtering router and configures filtering rules that block packets from the attacker.
  • Needs proper authentication arrangements, to ensure that the sensor can securely log into the firewall or router.
  • A temporary measure that buys time for the administrator.
  • Spoofed source addresses remain a problem.

  16. Host-based IDS
  • Started in the early 1980s when networks were not so prevalent.
  • Primarily used to protect only critical servers.
  • A software agent resides on the protected system.
  • Signature based: detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity.
  • Use of resources can have an impact on system performance.

  17. HIDS Methods of Operation
  • Auditing logs: system logs, event logs, security logs, syslog.
  • Monitoring file checksums to identify changes.
  • Elementary network-based signature techniques, including port activity.
  • Intercepting and evaluating requests by applications for system resources before they are processed.
  • Monitoring of system processes for suspicious activity.

  18. Log File Auditing
  • Detects past activity: cannot stop the action that set off the alarm from taking place.
  • Log files:
    • Monitor changes in the log files.
    • New log entries are compared with HIDS attack signature patterns for a match.
    • If a match is detected, the administrator is alerted.

  19. File Checksum Examination
  • Detects past activity: cannot stop the action that set off the alarm from taking place.
  • Hashes are created only for system files that should not change or change infrequently.
    • Inclusion of frequently changing files is a huge disturbance.
  • File checksum systems, like Tripwire, may also be employed.

  20. Network-Based Techniques
  • The IDS product monitors packets entering and leaving the host’s NIC for signs of malicious activity.
  • Designed to protect only the host in question.
  • The attack signatures used are not as sophisticated as those used in NIDS.
  • Provides rudimentary network-based protection.

  21. Intercepting Requests
  • Intercepts calls to the operating system before they are processed.
  • Is able to validate software calls made to the operating system and kernel.
  • Validation is accomplished by:
    • Generic rules about which processes may have access to resources.
    • Matching calls to system resources with predefined models which identify malicious activity.

  22. System Monitoring
  • Can preempt attacks before they are executed.
  • This type of monitoring can:
    • Prevent files from being modified.
    • Allow access to data files only to a predefined set of processes.
    • Protect system registry settings from modification.
    • Prevent critical system services from being stopped.
    • Protect settings for users from being modified.
    • Stop exploitation of application vulnerabilities.

  23. HIDS Software
  • Deployed by installing agent software on the system.
  • Effective for detecting insider attacks.
  • Host wrappers:
    • Inexpensive and deployable on all machines.
    • Do not provide the in-depth, active monitoring measures of agent-based HIDS products.
    • Sometimes referred to as personal firewalls.
  • Agent-based software:
    • More suited for single-purpose servers.

  24. HIDS Active Monitoring Capabilities
  • Options commonly used:
    • Log the event (very good for post-mortem analysis).
    • Alert the administrator (through email or SNMP traps).
    • Terminate the user login (perhaps with a warning message).
    • Disable the user account.
    • Prevent access to memory, processor time, or disk space.

  25. Advantages of Host-based IDS
  • Can verify the success or failure of an attack by reviewing log entries.
  • Monitors user and system activities; useful in forensic analysis of the attack.
  • Can protect against non-network-based attacks.
  • Reacts very quickly to intrusions:
    • By preventing access to system resources.
    • By immediately identifying a breach when it occurs.
  • Does not rely on particular network infrastructure:
    • Not limited by switched infrastructures.
    • Installed on the protected server itself.
  • Does not require additional hardware to deploy; needs no changes to the network infrastructure.

  26. Active/Passive Detection
  • The ability of an IDS to take action when it detects suspicious activity.
  • Passive systems:
    • Take no action to stop or prevent the activity.
    • They log events.
    • They alert administrators.
    • They record the traffic for analysis.
  • Active systems:
    • They do all the recording that passive systems do.
    • They interoperate with firewalls and routers, which can cause blocking or shunning.
    • They can send TCP resets.

  27. Our Approach
  • We present a variant but novel approach to the anomaly detection scheme.
  • We show how to detect attacks without the use of data banks.
  • We show how to correlate multiple inputs to define the basis of a new-generation analysis engine.

  28. Signals and Signal Processing:
  • Signal definition: a function of independent variables like time, distance, position, temperature, and pressure.
  • Signals play an important part in our daily lives. Examples: speech, music, pictures, and video.
  • Signal classification:
    • Analog: the independent variable on which the signal depends is continuous.
    • Digital: the independent variable is discrete. Digital signals are presented as a sequence of numbers (samples).
  • Signals carry information; the objective of signal processing is to extract this useful information.

  29. Energy of a Signal:
  • We can also define a signal as a function of varying amplitude through time.
  • The measure of a signal’s strength is the area under the absolute value of the curve.
  • This measure is referred to as the energy of the signal and is defined as:
    • Energy of a continuous signal
    • Energy of a discrete signal

  30. Wavelet:
  • A waveform of effectively limited duration that has an average value of zero.
  • Presently used in many fields of science and engineering.
  • Its development resulted from the need to generate algorithms that would compute compact representations of signals and data sets at an accelerated pace.
  • Started as Alfred Haar’s step functions, now called wavelets.
  • We analyze wavelets by breaking up a signal into shifted and scaled versions of the original (mother) wavelet.

  31. Our Network Topology:
  • We set up a star topology network:
    • Four computers in an island, each running Linux RedHat 9.2.
    • The machines are connected by a switch.
    • The switch is connected to a PIX 515E Firewall.
    • A 3Com Ethernet Hub sits between the switch and the firewall, for sniffing and capturing packets.
  • We duplicated this island six times and connected the islands with routers.
  • We then connected the islands, via the routers, to a central Cisco switch.
  • For simulation purposes, we installed Windows XP on one machine in island one.

  32. Data Collection:
  • We generated packets with a Perl script on a Linux system.
  • We used the three most common protocols for our simulation: HTTP, FTP, and SMTP.
  • For each protocol:
    • We generated constant traffic.
    • We created 50 datasets, each consisting of the number of packets transmitted over two-minute intervals.
    • We executed the same traffic scripts with a random pause between 0 and 60 seconds.
    • We then reran the traffic with a pause between 0 and 15 seconds to create additional datasets.
  • We collected all 150 datasets with Ethereal for further analysis.
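As an added worked example (not code from the paper or its authors), the following Python script applies the Haar wavelet decomposition of slide 30 and the discrete-signal energy of slide 29 to a constructed packet-count series of the kind described in the data collection slide (packets per two-minute interval), and flags the intervals whose detail coefficients stand out. The sample series, the threshold rule (k times the median absolute detail at each level) and all function names are assumptions of this example, not the paper's analysis engine.

```python
import math

# Constructed sample (not from the paper): packets counted per two-minute
# interval for one protocol. Most intervals imitate the "constant traffic"
# datasets; intervals 10 and 11 carry an injected burst to be detected.
PACKET_COUNTS = [120, 118, 122, 121, 119, 120, 123, 118,
                 121, 119, 410, 395, 120, 122, 118, 121]

def haar_decompose(signal, levels):
    """Multi-level orthonormal Haar transform.
    Returns (approximation, [details at level 1, level 2, ...]).
    Detail (x[2k] - x[2k+1]) / sqrt(2) is large where neighbouring intervals
    differ sharply; approximation (x[2k] + x[2k+1]) / sqrt(2) is the
    smoothed signal that the next level is built from."""
    approx = [float(x) for x in signal]
    details = []
    for _ in range(levels):
        if len(approx) < 2:
            break
        pairs = list(zip(approx[0::2], approx[1::2]))
        details.append([(a - b) / math.sqrt(2) for a, b in pairs])
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]
    return approx, details

def energy(samples):
    """Energy of a discrete signal: the sum of the squared samples."""
    return sum(s * s for s in samples)

def energy_split(signal, levels):
    """Energy held by the approximation and by each detail level; the Haar
    transform is orthonormal, so these add up to energy(signal)."""
    approx, details = haar_decompose(signal, levels)
    return energy(approx), [energy(d) for d in details]

def flag_anomalies(signal, levels=2, k=3.0):
    """Flag detail coefficients larger than k times the median absolute
    detail at the same level (a constructed threshold rule). Returns
    (level, start, end) triples naming the covered interval of the
    original signal, end exclusive."""
    _, details = haar_decompose(signal, levels)
    flagged = []
    for lvl, det in enumerate(details, start=1):
        mags = sorted(abs(d) for d in det)
        median = mags[len(mags) // 2]
        threshold = k * (median if median > 0 else 1.0)
        width = 2 ** lvl
        for i, d in enumerate(det):
            if abs(d) > threshold:
                flagged.append((lvl, i * width, (i + 1) * width))
    return flagged
```

On the sample series, `flag_anomalies(PACKET_COUNTS)` returns `[(1, 10, 12), (2, 8, 12)]`: level 1 localises the jump at interval 10, and level 2 confirms the burst over the wider window 8 to 11, which is the sort of multi-scale view the wavelet framework relies on.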

  33. Results: Figure 1

  34. Figure 2

  35. Figure 3

  36. Figure 4

  37. Figure 5

  38. Figure 6

  39. Conclusion & Future Direction
  • We have presented a wavelet-based framework for network monitoring.
  • This is our first phase in the development of an engine for network intrusion analysis.
  • This engine will not depend on databases and thus will minimize false negatives and false positives.
