
### A Wavelet Approach to Network Intrusion Detection

W. Oblitey & S. Ezekiel

IUP Computer Science Dept.

Secure IT - 2005

Intrusion Detection:

- Provides monitoring of system resources to help detect intrusions and identify attacks.
- Complementary to blocking devices such as firewalls; it covers what they cannot:
  - Insider attacks.
  - Attacks that use traffic the firewall permits.
  - An attack can still be monitored after it has crossed the firewall.
- Helps gather useful information for:
  - Detecting attackers,
  - Identifying attackers,
  - Revealing new attack strategies.

Classification:

- Intrusion Detection Systems are classified according to how they detect malicious activity:
  - Signature detection systems (also called misuse detection systems)
  - Anomaly detection systems
- They are also classified by what they monitor:
  - Network-based intrusion detection systems (NIDS) monitor network traffic
  - Host-based intrusion detection systems (HIDS) monitor activity on host machines

Signature Detection:

- Achieved by creating signatures: models of known attacks.
- Monitored events are compared against the models to decide whether they qualify as attacks.
- Excellent at detecting known attacks.
- Requires the signatures to be created and loaded into the sensor's database before operation.
- May generate false alarms (false positives).
- Problem:
  - Needs a large number of signatures for effective detection.
  - The database can grow very large.

Anomaly Detection:

- Creates a model of normal use and looks for activity that does not conform to the model.
- Problems with this method:
  - Difficulty in creating the model of normal activity.
  - If the network already carried malicious activity while the model was built, is that 'normal activity'?
  - Some patterns classified as anomalies may not be malicious.

Network-Based IDS

- By far the most commonly employed form of Intrusion Detection System.
- To many people, "IDS" is synonymous with "NIDS".
- Matured more quickly than the host-based equivalents.
- A large number of NIDS products is available on the market.

Deploying NIDS

- Points to consider:
  - Where do sensors belong in the network?
  - What is to be protected the most?
  - Which devices hold critical information assets?
  - Cost effectiveness:
    - We cannot deploy sensors on all network segments; it would not even be manageable.
    - We need to consider carefully where sensors are to be deployed.

Locations for IDS Sensors

- Just inside the firewall.
  - The firewall is a choke point for all traffic: all inbound and outbound traffic passes here.
  - The sensor can inspect all incoming and outgoing traffic.
- On the DMZ.
  - The publicly reachable hosts located here are frequently attacked.
  - The DMZ is usually the attacker's first point of entry into the network.
- On the server farm segment.
  - We can monitor mission-critical application servers (financial, logistics, human resources functions, for example).
  - Also monitors insider attacks.
- On the network segments connecting the mainframe or midrange hosts.
  - Monitors mission-critical devices.

The Network Monitoring Problem

- Network-based IDS sensors sniff the network traffic in order to monitor it.
- Networks using hubs:
  - The sensor can see all packets, because hubs transmit every packet out of every connected interface.
- Switched networks:
  - Switches forward packets only to the port connected to the destination host, so the sensor must be given a way to see the passing traffic.

Monitoring Switched Networks

- Use of Switch Port Analyzer (SPAN) configurations.
  - The switch copies every packet sent or received on the chosen source ports (or VLAN) to a designated monitor port, where the sensor listens.
  - A monitor port can be oversubscribed: if the mirrored traffic exceeds its bandwidth, the switch silently drops packets and the sensor never sees them.
- Use of hubs in conjunction with the switches.
  - The hub must be a fault-tolerant one.
- Use of taps in conjunction with the switches.
  - Fault-tolerant hub-like devices.
  - Permit only one-way transmission of data out of the monitoring port, so the sensor cannot inject traffic into the monitored link.

NIDS Signature Types

- Payload signatures
  - These look for patterns in packet payloads that indicate possible attacks.
- Port signatures
  - Watch for connection attempts to known or frequently attacked ports.
- Header signatures
  - These watch for dangerous or illogical combinations in packet headers.

Network IDS Reaction Types

- Typical reactions of a network-based IDS with active monitoring upon detecting an attack in progress:
  - TCP resets
  - IP session logging
  - Shunning or blocking
- The capabilities are configurable on a per-signature basis: the sensor responds according to its configuration.

TCP Reset Reaction

- Operates by sending a TCP reset (RST) packet to the victim host.
  - This terminates the TCP session.
  - The reset spoofs the IP address, port and sequence number of the attacker so that the victim accepts it as part of the connection.
- Resets are sent from the sensor's monitoring/sniffing interface, which must therefore be able to transmit (a receive-only tap cannot be used for this).
- It can terminate an attack in progress but cannot stop the initial attack packet from reaching the victim.

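As an added example (ours, not code from the presentation), the following Python builds the reset a sensor would send: it parses a sniffed attacker-to-victim segment, then forges an IPv4/TCP RST whose source address, source port and sequence number are the attacker's, so the victim's sequence check accepts it. The addresses, ports and request are constructed sample values; only the standard library is used.

```python
import socket
import struct

# Constructed sample values (not from the presentation): the attacker's and
# victim's addresses/ports as the sensor would see them on the wire.
ATTACKER_IP, ATTACKER_PORT = "198.51.100.7", 40000
VICTIM_IP, VICTIM_PORT = "192.0.2.10", 80

RST = 0x04        # TCP flag bits
PSH_ACK = 0x18


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by both the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, flags, payload=b"", ack=0):
    """Return raw IPv4 + TCP bytes (no options) with both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0) + payload
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp)))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_segment(packet: bytes) -> dict:
    """Pull the fields the sensor needs out of a sniffed IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    tcp = packet[ihl:total_len]
    sport, dport, seq, ack, off = struct.unpack("!HHIIB", tcp[:13])
    payload_len = len(tcp) - (off >> 4) * 4
    return dict(src=src, dst=dst, sport=sport, dport=dport, seq=seq,
                ack=ack, flags=tcp[13], payload_len=payload_len)


def reset_for(observed: bytes) -> bytes:
    """Forge the RST the sensor sends to the victim in reply to an attacker
    segment it sniffed.  Source address and port are the attacker's (spoofed)
    and the sequence number is the attacker's next one, so it falls inside the
    victim's receive window; a RST with an out-of-window sequence number is
    simply discarded by the victim.  (SYN and FIN also consume one sequence
    number each; this example only handles data segments.)"""
    s = parse_segment(observed)
    next_seq = (s["seq"] + s["payload_len"]) & 0xFFFFFFFF
    return build_segment(s["src"], s["dst"], s["sport"], s["dport"], next_seq, RST)


def checksums_ok(packet: bytes) -> bool:
    """Verify both header checksums of a raw IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    tcp = packet[ihl:total_len]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + tcp) == 0


if __name__ == "__main__":
    attack = build_segment(ATTACKER_IP, VICTIM_IP, ATTACKER_PORT, VICTIM_PORT,
                           1000, PSH_ACK, b"GET / HTTP/1.0\r\n")
    print(parse_segment(reset_for(attack)))
```

Sending the bytes requires a raw socket with the IP header included (`IP_HDRINCL`) and privileges; the example stops at constructing and verifying the packet. Note the caveat from the slide: the attacker's first packet has already reached the victim by the time the reset is sent.
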
IP Session Logging

- The sensor records the traffic passing between the attacker and the victim.
  - Very useful in analyzing the attack.
  - Can be used to prevent future attacks.
- Limitations:
  - Only the triggering packet and the subsequent packets are logged; the preceding packets are lost.
  - Can impact sensor performance.
  - Quickly consumes large amounts of disk space.

Shunning/Blocking

- The sensor connects to the firewall or a packet-filtering router and configures filtering rules that block packets from the attacker.
- Needs proper authentication to be arranged, so that the sensor can log into the firewall or router securely.
- A temporary measure that buys time for the administrator.
- Problem: spoofed source addresses. An attacker who spoofs a legitimate address can make the sensor block that address, turning the reaction into a denial of service.

Host-based IDS

- Started in the early 1980s, when networks were not so prevalent.
- Primarily used to protect only critical servers.
- A software agent resides on the protected system.
- Signature based:
  - Detects intrusions by analyzing operating system and application logs, resource utilization, and other system activity.
- The agent's use of resources can have an impact on system performance.

HIDS Methods of Operation

- Auditing logs: system logs, event logs, security logs, syslog.
- Monitoring file checksums to identify changes.
- Elementary network-based signature techniques, including port activity.
- Intercepting and evaluating requests by applications for system resources before they are processed.
- Monitoring system processes for suspicious activity.

Log File Auditing

- Detects past activity:
  - Cannot stop the action that set off the alarm from taking place.
- Log files:
  - The HIDS monitors the log files for changes.
  - New log entries are compared with the HIDS attack signature patterns for a match.
  - If a match is detected, the administrator is alerted.

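The log-auditing loop described above, as an added example (ours, not the presentation's): new entries since the last audited offset are matched against signature patterns, and repeated failures from one source are promoted to an alert. The log excerpt is a constructed sample; the regexes follow the standard OpenSSH, Linux kernel and su message formats, and the signature names are our own.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt (not from the presentation); it stands in
# for /var/log/auth.log or messages on the monitored host.
SAMPLE_LOG = """\
Mar 12 10:01:02 host1 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 50211 ssh2
Mar 12 10:01:04 host1 sshd[2231]: Failed password for root from 198.51.100.7 port 50212 ssh2
Mar 12 10:01:07 host1 sshd[2235]: Failed password for root from 198.51.100.7 port 50213 ssh2
Mar 12 10:01:09 host1 sshd[2238]: Accepted publickey for deploy from 192.0.2.10 port 40122 ssh2
Mar 12 10:02:15 host1 kernel: device eth0 entered promiscuous mode
Mar 12 10:03:01 host1 su[2301]: FAILED SU (to root) deploy on /dev/pts/1
"""

# Attack signature patterns the HIDS compares new entries against.
SIGNATURES = {
    "ssh-failed-password": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "su-to-root-failed": re.compile(r"su\[\d+\]: FAILED SU \(to root\) (?P<user>\S+)"),
    "nic-promiscuous": re.compile(r"kernel: device (?P<dev>\S+) entered promiscuous mode"),
}


def audit(log_text, offset=0):
    """Compare the entries added since `offset` against the signatures.
    Returns (alerts, new_offset); remembering the offset is what makes the
    next call look only at new entries, as a log-tailing agent does.  A
    trailing partial line is left for the next call."""
    new_text = log_text[offset:]
    complete, sep, _ = new_text.rpartition("\n")
    alerts = []
    for line in complete.splitlines():
        for name, pattern in SIGNATURES.items():
            m = pattern.search(line)
            if m:
                alerts.append((name, m.groupdict(), line))
    return alerts, offset + len(complete) + len(sep)


def brute_force_sources(alerts, threshold=3):
    """One failed login is noise; the same source failing `threshold` times
    in the audited window is a password-guessing alert."""
    fails = Counter(f["src"] for name, f, _ in alerts if name == "ssh-failed-password")
    return {src: n for src, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    alerts, pos = audit(SAMPLE_LOG)
    for name, fields, line in alerts:
        print(name, fields)
    print("brute force:", brute_force_sources(alerts))
```

A real agent would persist the offset (and notice a shrinking file, which means the log was rotated or truncated, possibly by the intruder) and would also watch the log directory itself: the slide's point that auditing only sees past activity also means an attacker who deletes entries before the next audit leaves nothing to match.
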
File Checksum Examination

- Detects past activity:
  - Cannot stop the action that set off the alarm from taking place.
- Hashes are created only for system files that should not change, or change infrequently.
  - Including frequently changing files produces a flood of alerts.
- File checksum systems, like Tripwire, may also be employed.

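A minimal Tripwire-style baseline and comparison, as an added example (ours, not Tripwire's code or the presentation's): hash every file under a root, store the digests, and later report what was added, removed or modified, with frequently changing paths excluded so they do not drown the report. The directory tree in `demo()` is constructed inside a temporary directory, not a real system.

```python
import hashlib
import os
import tempfile

EXCLUDES = ("var/log/",)   # frequently changing paths, left out of the baseline


def file_digest(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root, excludes=EXCLUDES):
    """Map every regular file under root (relative, '/'-separated) to its
    SHA-256, skipping the excluded prefixes."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(excludes) or not os.path.isfile(full):
                continue
            digests[rel] = file_digest(full)
    return digests


def compare(old, new):
    """Report what changed between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a throwaway tree, baseline it, tamper with it, re-check.
    (Constructed sample files, not a real system.)"""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "bin/ls", b"\x7fELF...")
        _write(root, "var/log/messages", b"boot ok\n")
        before = baseline(root)

        # Tampering: a second uid-0 account, a new binary, a deleted file,
        # and a log that grew (excluded, so it must not be reported).
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
        _write(root, "bin/new", b"\x7fELF...")
        os.remove(os.path.join(root, "etc", "hosts"))
        _write(root, "var/log/messages", b"boot ok\nuser login\n")
        after = baseline(root)
        return compare(before, after)
```

The baseline only proves anything if the intruder cannot rewrite it: keep it on read-only or off-host storage, and run the comparison from trusted binaries, since a compromised root account can replace both the hash tool and the stored digests.
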
Network-Based Techniques

- The IDS product monitors packets entering and leaving the host's NIC for signs of malicious activity.
- Designed to protect only the host in question.
- The attack signatures used are not as sophisticated as those used in a NIDS.
- Provides rudimentary network-based protection.

Intercepting Requests

- Intercepts calls to the operating system before they are processed.
- Is able to validate software calls made to the operating system and kernel.
- Validation is accomplished by:
  - Generic rules about which processes may have access to which resources.
  - Matching calls for system resources against predefined models that identify malicious activity.

System Monitoring

- Can preempt attacks before they are executed.
- This type of monitoring can:
  - Prevent files from being modified.
  - Allow access to data files only to a predefined set of processes.
  - Protect system registry settings from modification.
  - Prevent critical system services from being stopped.
  - Protect user settings from being modified.
  - Stop exploitation of application vulnerabilities.

HIDS Software

- Deployed by installing agent software on the system.
- Effective for detecting insider attacks.
- Host wrappers:
  - Inexpensive and deployable on all machines.
  - Do not provide the in-depth, active monitoring of agent-based HIDS products.
  - Sometimes referred to as personal firewalls.
- Agent-based software:
  - More suited to single-purpose servers.

HIDS Active Monitoring Capabilities

- Options commonly used:
  - Log the event (very good for post-mortem analysis).
  - Alert the administrator, through email or SNMP traps.
  - Terminate the user's login, perhaps with a warning message.
  - Disable the user account.
  - Prevent access to memory, processor time, or disk space.

Advantages of Host-based IDS

- Can verify the success or failure of an attack by reviewing log entries.
- Monitors user and system activities; useful in forensic analysis of the attack.
- Can protect against non-network-based attacks.
- Reacts very quickly to intrusions:
  - By preventing access to system resources.
  - By immediately identifying a breach when it occurs.
- Does not rely on a particular network infrastructure:
  - Not limited by switched infrastructures.
- Installed on the protected server itself:
  - Does not require additional hardware to deploy.
  - Needs no changes to the network infrastructure.

Active/Passive Detection

- Refers to the ability of an IDS to take action when it detects suspicious activity.
- Passive systems take no action to stop or prevent the activity:
  - They log events.
  - They alert administrators.
  - They record the traffic for analysis.
- Active systems:
  - Do all the recording that passive systems do.
  - Interoperate with firewalls and routers, causing blocking or shunning.
  - Can send TCP resets.

Our Approach

- We present a novel variant of the anomaly detection scheme.
- We show how to detect attacks without the use of signature databases.
- We show how to correlate multiple inputs to define the basis of a new-generation analysis engine.

Signals and Signal Processing:

- Signal definition:
  - A function of independent variables such as time, distance, position, temperature, and pressure.
- Signals play an important part in our daily lives; examples: speech, music, pictures, and video.
- Signal classification:
  - Analog: the independent variable on which the signal depends is continuous.
  - Digital: the independent variable is discrete; digital signals are represented as a sequence of numbers (samples).
- Signals carry information; the objective of signal processing is to extract this useful information.

Energy of a Signal:

- We can also define a signal as a function of amplitude varying through time.
- The measure of a signal's strength is the area under the squared magnitude of the curve.
- This measure is referred to as the energy of the signal and is defined for each case:
  - Energy of a continuous signal
  - Energy of a discrete signal

What is a Wavelet? (Wavelet Analysis)

- Wavelets are functions that satisfy certain mathematical requirements and are used to represent data or other functions.
- The idea is not new: Joseph Fourier, 1800s.
- Wavelet: the scale we use to see data plays an important role.
- The Fourier transform is non-local and does a very poor job on sharp spikes.

[Figure: a Daubechies db10 wavelet beside a sine wave]

History of wavelets

- 1807: Joseph Fourier, theory of frequency analysis: any 2π-periodic function f(x) is the sum of its Fourier series.
- 1909: Alfréd Haar, PhD thesis, defined the Haar basis function; it has compact support (vanishes outside a finite interval).
- 1930: Paul Lévy, physicist, investigated Brownian motion (a random signal) and concluded that the Haar basis is better than the Fourier transform for it.
- 1930s: Littlewood, Paley and Stein calculated the energy of a function.
- 1960: Guido Weiss and Ronald Coifman studied the simplest elements of function spaces, called atoms.
- 1980: Grossmann (physicist) and Morlet (engineer) broadly defined wavelets in terms of quantum mechanics.
- 1985: Stéphane Mallat defined wavelets for the digital signal processing work of his PhD.
- Yves Meyer constructed the first non-trivial wavelet.
- 1988: Ingrid Daubechies used Mallat's work to construct a set of wavelets.
- The name emerged from the literature of geophysics, by a route through France: the word onde led to ondelette, and the translation wave led to wavelet.

Fourier Series and Energy

Functions

- Functions in science and engineering often use time as their parameter: g(t) represents the time domain.
- Since a typical function oscillates, think of it as a wave: G(f), where f is the frequency of the wave, is the function represented in the frequency domain.
- A function g(t) is periodic if there exists a nonzero constant P such that g(t+P) = g(t) for all t; P is called the period.
- A periodic function has four important attributes:
  - Amplitude: the maximum value it takes in any period.
  - Period: P.
  - Frequency: f = 1/P, in cycles per second (Hz).
  - Phase: cosine is a sine function with a phase shift.

Fourier, Haar

- Plots of amplitude against time and amplitude against frequency.
- 1965: Cooley and Tukey, the Fast Fourier Transform.
- Haar (plot).

CWT

- The continuous wavelet transform (CWT) of a function f(t) is taken with respect to a mother wavelet.
- The mother wavelet may be real or complex, with the following properties:
  1. The total area under the curve is 0, so it oscillates above and below the t-axis.
  2. The total area under the square of the curve is finite: the energy of the function is finite, so the function is localized.
  3. The admissibility condition.
- An infinite number of functions satisfy the above conditions; some of them are used for wavelet transforms, for example:
  - Morlet wavelet
  - Mexican hat wavelet

Once a wavelet has been chosen, the CWT of a square-integrable function f(t) is defined by integrating f against scaled and shifted copies of the wavelet (* denotes the complex conjugate of the wavelet in that integral).

For any fixed a, the parameter b moves the wavelet along the t-axis; thus b is a translation parameter.

Setting b = 0, the parameter a is a scaling parameter: a > 1 stretches the wavelet and 0 < a < 1 shrinks it.

Wavelets

- Fourier transform: coefficients as a function of frequency.
- CWT = C(scale, position): coefficients as a function of scale and position.
- Scaling a wavelet simply means stretching (or shrinking) it.
- Shifting a wavelet means delaying it: f(t) becomes f(t-k).

Wavelets Continued

- Wavelets are basis functions in continuous time.
- A basis is a set of linearly independent functions that can be used to produce any function f(t) in the space: f(t) is a combination of the basis functions, with one coefficient per basis function.
- The basis is constructed from a single mother wavelet w(t); normally it is a small wave that starts at t = 0 and ends at t = N, and is then:
  - Shrunken (scaled)
  - Shifted
- A typical wavelet, compressed j times and shifted k times, is the basis function with indices j and k and coefficient b_jk.
- Property: the remarkable property is orthogonality, i.e. the inner products of distinct basis functions are zero.
- This leads to a simple formula for b_jk (an inner product of f with that basis function).

Haar Transform

- Digitized sound and images are discrete, so we need a discrete wavelet transform.
- f is expanded in terms of scaling functions and wavelets, where c_k and d_j,k are the coefficients to be calculated.
- Example: consider the array of 8 values (1, 2, 3, 4, 5, 6, 7, 8).
  - Form 4 average values and 4 differences (detail coefficients).
  - Calculate the averages and differences of the 4 averages.
  - Continue this way.
- The method is called PYRAMID DECOMPOSITION.
- The Haar transform depends on the coefficient pairs (1/2, 1/2) for the averages and (1/2, -1/2) for the differences.
- If we replace the divisor 2 by √2 the transform becomes orthonormal; the averages are then called the coarse (approximation) coefficients and the differences the fine detail coefficients.

Transforms

- A transform of a signal is a new representation of that signal.
- Example: from the signal x0, x1, x2, x3 define y0, y1, y2, y3.
- Questions:
  1. What is the purpose of the y's?
  2. Can we get the x's back?
- Answer to 2: the transform is invertible; we have perfect reconstruction.
- Transforms divide into 3 groups:
  1. Lossless (orthogonal): the transformed signal has the same length (norm) as the original.
  2. Invertible (biorthogonal): length and angles may change, but no information is lost.
  3. Lossy (not invertible).

Answer to Q1: Purpose

- IT SEES LARGE vs SMALL.
- x0 = 1.2, x1 = 1.0, x2 = -1.0, x3 = -1.2.
- Take sums and differences of adjacent pairs: Y = [2.2 0 -2.2 0] (the differences, 0.2, are small compared with the sums and are treated as 0).
- The key idea for wavelets is the concept of SCALE.
- We can take sums and differences again ==> recursion ==> multiresolution.
- Main idea of wavelet analysis: analyze a function at different scales; the mother wavelet is used to construct wavelets at different scales, each translated relative to the function being analyzed.
- Z = [0 0 4.4 0]: one large coefficient out of four.
- Reconstruct from it ==> compression 4:1.

Real electricity consumption

- The signal has a peak in the center, followed by two drops, a shallow drop, and then a considerably weaker peak.
- d1 and d2 (the finest details) show the noise.
- d3 presents high values at the beginning and at the end of the main peak, thus allowing us to locate the corresponding peak.
- d4 shows 3 successive peaks; this fits the shape of the curve remarkably well.
- a1 and a2 (the approximations) strongly resemble the signal.
- a3 is reasonable; a4 has lost a lot of information.

JPEG (Joint Photographic Experts Group)

1. Color images (RGB) are converted into a luminance/chrominance color space.
2. The chrominance components (not the luminance) are downsampled by creating low-resolution pixels, horizontally and vertically (2:1 and 2:1, or 2:1 and 1:1); with 2:1 in both directions the image occupies 1/3 + (2/3)(1/4) = 1/2 of its original size.
3. Pixels are grouped into 8x8 blocks called data units; if the dimensions are not multiples of 8, the bottom row and right column are duplicated.
4. The DCT is applied to each data unit, giving 64 coefficients.
5. Each of the 64 frequency components in a data unit is divided by a separate number called a quantization coefficient (QC) and then rounded to an integer.
6. The quantized coefficients are encoded using RLE and Huffman encoding, or arithmetic encoding (the QM coder).
7. Headers and parameters are added and the result is output, in one of three formats:
   - Interchange format: compressed data plus all the tables the decoder needs.
   - Abbreviated format for compressed image data: compressed data with few or no tables.
   - Abbreviated format for table-specification data: just the tables, no compressed data.

THE DECODER DOES THE REVERSE OF THE ABOVE STEPS.

JPEG 2000 (JPEG Y2K)

- The image is divided into 3 color components.
- Each component is partitioned into rectangular, non-overlapping regions called tiles, which are compressed individually.
- A tile is compressed in 4 main steps:
  1. Compute the wavelet transform (integer or floating point), giving sub-bands of wavelet coefficients at L+1 levels; L is a parameter chosen by the encoder.
  2. The wavelet coefficients are quantized; the step size depends on the bit rate.
  3. The quantized coefficients are coded with an arithmetic encoder.
  4. The bit stream is constructed, region by region, in no fixed order.
- Bit streams are organized into layers; each layer contains higher-resolution image information.
- Thus decoding layer by layer is a natural way to achieve progressive image transmission and decompression.

Lowpass Filter = Moving Average

- y(n) = x(n)/2 + x(n-1)/2; here h(0) = 1/2 and h(1) = 1/2.
- This fits the standard convolution form with k = 0, 1.
- For the unit impulse x = (... 0 0 0 0 1 0 0 0 ...) the output is y = (... 0 0 1/2 1/2 0 0 ...).
- Averaging filter = 1/2 (identity) + 1/2 (delay).
- Every linear operator acting on a vector x can be represented as y = Hx:
  - the main diagonal of H comes from the identity, the subdiagonal from the delay.
- We have a finite number (two) of coefficients ==> FIR, finite impulse response.
- Low pass ==> scaling function.
- It smooths out the bumps (high-frequency components) in the signal.

Highpass Filter = Moving Difference

- y(n) = 1/2 [x(n) - x(n-1)]; h(0) = 1/2, h(1) = -1/2.
- y = H1 x.
- Filter bank = lowpass and highpass together: they separate the signal into frequency bands.
- Problem: the signal length is doubled, because both outputs are the same size as the input.
- Solution: downsampling.

Down Sampling

- We can keep half of the outputs of H0 and H1 and still recover x.
- Save only the even-numbered components (delete the odd-numbered ones); this is denoted (↓2), decimation:
  - (↓2)y = (... y(-4) y(-2) y(0) y(2) ...)
- Filtering + downsampling ==> analysis bank (produces two half-size signals).
- The inverse of this process ==> synthesis bank, i.e. upsampling + filtering.
- Upsampling, denoted (↑2), inserts zeros at the odd-numbered positions, bringing the signal back to full size.
- Note that (↑2)(↓2)y = (... y(-2) 0 y(0) 0 y(2) 0 ...) is not y itself: the odd-numbered samples are gone, and it is the synthesis filters acting on both channels together that recover x.

Scaling function and Wavelets

- Corresponding to the lowpass filter there is a scaling function.
- Corresponding to the highpass filter there is a wavelet function.
- The dilation equation defines the scaling function in terms of the original lowpass filter coefficients h(k): the scaling function equals a combination of copies of itself compressed by 2 and shifted.
- For h(0) = h(1) = 1/2 the scaling function is the box function on [0, 1): its graph compressed by 2 gives the left half, and that shifted by 1/2 gives the right half.
- The wavelet equation is obtained in a similar way from the highpass coefficients.

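The dilation and wavelet equations for the page's two filters, written out as an added derivation (not from the presentation; the symbols φ for the scaling function and w for the wavelet, echoing the mother wave w(t) used earlier, are our choice, and h and h_1 are the lowpass and highpass coefficients from the two filter slides):

$$\phi(t) = 2\sum_{k} h(k)\,\phi(2t-k), \qquad w(t) = 2\sum_{k} h_1(k)\,\phi(2t-k).$$

With h(0) = h(1) = 1/2 the dilation equation reads

$$\phi(t) = \phi(2t) + \phi(2t-1),$$

and the box function φ(t) = 1 for 0 ≤ t < 1, 0 elsewhere, solves it: φ(2t) is 1 on [0, 1/2) (the graph compressed by 2) and φ(2t−1) = φ(2(t − 1/2)) is 1 on [1/2, 1) (the compressed graph shifted by 1/2), and their sum is the box again.

With h_1(0) = 1/2, h_1(1) = −1/2 the wavelet equation gives

$$w(t) = \phi(2t) - \phi(2t-1) = \begin{cases} 1 & 0 \le t < 1/2 \\ -1 & 1/2 \le t < 1 \\ 0 & \text{otherwise,} \end{cases}$$

the Haar wavelet. Its total area is 0 and its energy ∫ w(t)² dt = 1 is finite, so it satisfies the two mother-wavelet conditions of the CWT slide.
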
Wavelet Packet

- Walsh-Hadamard transform: a complete binary tree of sums and differences ==> wavelet packet.
- "Hadamard matrix": all entries are 1 and -1 and all rows are orthogonal; dividing by √2 at each of the two levels makes it orthogonal and symmetric.
- Compare with the wavelet computation for x = (1.2, 1.0, -1.0, -1.2):
  - Sums of adjacent pairs: y0 = 2.2, y2 = -2.2; differences: y1 = 0.2, y3 = 0.2.
  - Sum of y0 and y2: z0 = 0; difference of y0 and y2: z2 = 4.4.
  - Sum of y1 and y3: z1 = 0.4; difference of y1 and y3: z3 = 0.
  - The wavelet (pyramid) transform would stop after splitting the sums; the packet also splits the differences.

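The pyramid decomposition of (1, 2, 3, 4, 5, 6, 7, 8), the "large vs small" thresholding of the Answer to Q1 slide, and the wavelet packet tree above, carried out in Python as an added example (the code is ours, not the authors'; the one assumption is that the slides' sums and differences are taken over adjacent pairs x(2i), x(2i+1), which is how Z = [0 0 4.4 0] arises):

```python
def haar_step(x, scale=0.5):
    """One level of the Haar transform on adjacent pairs (x[2i], x[2i+1]):
    scaled sums ("averages") and scaled differences ("details").
    scale=1/2 gives the slide's averages, scale=1 plain sums/differences,
    scale=1/sqrt(2) the orthonormal (energy-preserving) version."""
    averages = [scale * (u + v) for u, v in zip(x[0::2], x[1::2])]
    details = [scale * (u - v) for u, v in zip(x[0::2], x[1::2])]
    return averages, details


def inverse_haar_step(averages, details, scale=0.5):
    """Undo haar_step: x[2i] = (a+d)/(2*scale), x[2i+1] = (a-d)/(2*scale)."""
    x = []
    for a, d in zip(averages, details):
        x.append((a + d) / (2 * scale))
        x.append((a - d) / (2 * scale))
    return x


def haar_pyramid(x, scale=0.5):
    """PYRAMID DECOMPOSITION: keep taking averages and differences of the
    averages until a single average is left.  Returns the coefficient
    vector [final average, coarsest details, ..., finest details]."""
    n = len(x)
    if n == 0 or n & (n - 1):
        raise ValueError("length must be a power of two")
    averages, levels = list(x), []
    while len(averages) > 1:
        averages, details = haar_step(averages, scale)
        levels.append(details)
    coeffs = averages
    for details in reversed(levels):
        coeffs = coeffs + details
    return coeffs


def inverse_haar_pyramid(coeffs, scale=0.5):
    """Perfect reconstruction: walk the levels back from coarse to fine."""
    averages, pos = coeffs[:1], 1
    while pos < len(coeffs):
        details = coeffs[pos:pos + len(averages)]
        averages = inverse_haar_step(averages, details, scale)
        pos += len(details)
    return averages


def keep_large(coeffs, threshold):
    """The transform SEES LARGE vs SMALL: drop every coefficient whose
    magnitude is below the threshold (lossy compression by thresholding)."""
    return [c if abs(c) >= threshold else 0.0 for c in coeffs]


def packet_leaves(x, depth, scale=1.0):
    """Wavelet packet: apply the sum/difference step to BOTH branches,
    recursively, giving the complete binary tree of the Walsh-Hadamard
    slide.  Leaves come out as sums-of-sums, differences-of-sums,
    sums-of-differences, differences-of-differences (z0, z2, z1, z3)."""
    if depth == 0:
        return [list(x)]
    sums, diffs = haar_step(x, scale)
    return packet_leaves(sums, depth - 1, scale) + packet_leaves(diffs, depth - 1, scale)


if __name__ == "__main__":
    print(haar_pyramid([1, 2, 3, 4, 5, 6, 7, 8]))
    x = [1.2, 1.0, -1.0, -1.2]
    c = haar_pyramid(x, scale=1.0)
    kept = keep_large(c, 1.0)
    print(c, kept, inverse_haar_pyramid(kept, scale=1.0))
    print(packet_leaves(x, 2))
```

For the four-point signal the pyramid coefficients are [0, 4.4, 0.2, 0.2]; keeping only the one coefficient above 1 (4:1) and reconstructing gives [1.1, 1.1, -1.1, -1.1], within 0.1 of the original everywhere, which is what "sees large vs small" buys. With scale = 1/√2 the sum of squared coefficients equals the energy of the input at every level, the lossless (orthogonal) case of the Transforms slide.
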
Filters and Filter Banks

- A filter is a linear time-invariant operator.
- It acts on an input vector x; the output vector y is the convolution of x with a fixed vector h.
- h contains the filter coefficients; our filters are digital, not analog: h(n) is defined at the discrete times t = nT.
- T is the sampling period; assume T = 1 here.
- x(n) and y(n) are defined at all times t = 0, ±1, ...
- y(n) = Σ h(k) x(n-k) = the convolution h * x in the time domain.
- Filter bank = a set of filters.
- Convolution by hand: arrange it like ordinary long multiplication, but do not carry digits from one column to another:
  - x = 3 2 4, h = 1 5 2
  - x * h = 3 17 20 24 8

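The moving-average and moving-difference filter bank, the (↓2)/(↑2) operators and the synthesis bank that recovers x, as an added example in Python (ours, not the authors'). Signals are finite lists starting at n = 0 with zeros outside that range, so the full convolution has N+1 samples; keeping the even-numbered ones as the Down Sampling slide does then gives about N/2 coefficients per channel, and the synthesis filters (1, 1) and (-1, 1) applied with a one-sample advance are our choice that makes the reconstruction exact:

```python
LOWPASS = [0.5, 0.5]     # moving average: h(0) = h(1) = 1/2
HIGHPASS = [0.5, -0.5]   # moving difference: h(0) = 1/2, h(1) = -1/2


def convolve(x, h):
    """y(n) = sum_k h(k) x(n-k): long multiplication without carries."""
    y = [0.0] * (len(x) + len(h) - 1)
    for n in range(len(y)):
        for k, hk in enumerate(h):
            if 0 <= n - k < len(x):
                y[n] += hk * x[n - k]
    return y


def downsample(y):
    """(↓2): keep the even-numbered components y(0), y(2), y(4), ..."""
    return y[0::2]


def upsample(c):
    """(↑2): kept components back at the even positions, zeros at the odd ones."""
    u = [0.0] * (2 * len(c))
    u[0::2] = c
    return u


def analysis_bank(x):
    """Filter with H0 and H1, then decimate: two half-rate channels."""
    return downsample(convolve(x, LOWPASS)), downsample(convolve(x, HIGHPASS))


def synthesis_bank(lows, highs, n):
    """Upsample each channel, filter, add.  At an even n the kept outputs give
    x(n) = y0(n) + y1(n) and x(n-1) = y0(n) - y1(n), so the synthesis filters
    are (1, 1) and (-1, 1), read one sample ahead to undo the analysis delay."""
    v0 = convolve(upsample(lows), [1.0, 1.0])
    v1 = convolve(upsample(highs), [-1.0, 1.0])
    return [v0[i + 1] + v1[i + 1] for i in range(n)]


def coefficient_count(x):
    """How many numbers the two decimated channels hold for a signal x."""
    lows, highs = analysis_bank(x)
    return len(lows) + len(highs)


if __name__ == "__main__":
    print(convolve([3, 2, 4], [1, 5, 2]))        # [3, 17, 20, 24, 8]
    print(convolve([0, 0, 1, 0, 0], LOWPASS))    # impulse response of the moving average
    x = [3, 2, 4, 1]
    print(analysis_bank(x), synthesis_bank(*analysis_bank(x), len(x)))
```

The two channels together hold N+2 numbers rather than 2N, the point of the Down Sampling slide; the two extra values are the zero-padding at the ends, and they vanish for an infinitely long or periodic signal.
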
Our Network Topology:

- We set up a star topology network:
  - Four computers in an island, each running Red Hat Linux 9.2.
  - The machines are connected by a switch.
  - The switch is connected to a PIX 515E firewall.
  - A 3Com Ethernet hub sits between the switch and the firewall, for sniffing and capturing packets.
- We duplicated this island six times and connected the islands with routers.
- We then connected the islands, via the routers, to a central Cisco switch.
- For simulation purposes, we installed Windows XP on one machine in island one.

Data Collection:

- We generated packets with a Perl script on a Linux system.
- We used the three most common protocols for our simulation: HTTP, FTP, and SMTP.
- For each protocol:
  - We generated constant traffic and created 50 datasets, each consisting of the number of packets transmitted over two-minute intervals.
  - We executed the same traffic scripts with a random pause between 0 and 60 seconds.
  - We then re-ran the traffic with a random pause between 0 and 15 seconds to create additional datasets.
- We captured all 150 datasets with Ethereal for further analysis.

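An added example (ours, not the authors' analysis engine, whose detection rule the presentation does not give): packet timestamps from a capture are binned into the two-minute intervals used above, one Haar step turns each pair of neighbouring intervals into an average and a detail, and a pair whose detail is large relative to its average is flagged as a burst. The timestamps are a constructed sample and the factor-of-3 threshold is an assumption.

```python
INTERVAL = 120.0   # seconds: the two-minute bins used in the data collection


def constructed_timestamps():
    """Constructed sample (not captured data): packet arrival times for eight
    intervals of steady traffic with a burst in interval 5."""
    per_interval = [12, 9, 11, 10, 9, 80, 11, 10]
    times = []
    for i, n in enumerate(per_interval):
        times.extend(i * INTERVAL + k * INTERVAL / n for k in range(n))
    return times


def bin_counts(timestamps, interval=INTERVAL):
    """Number of packets in each interval: the series the page analyzes."""
    n_bins = int(max(timestamps) // interval) + 1
    counts = [0] * n_bins
    for t in timestamps:
        counts[int(t // interval)] += 1
    return counts


def haar_step(x):
    """Averages and details of adjacent pairs (x[2i], x[2i+1]), as on the Haar slide."""
    averages = [(u + v) / 2 for u, v in zip(x[0::2], x[1::2])]
    details = [(u - v) / 2 for u, v in zip(x[0::2], x[1::2])]
    return averages, details


def flag_bursts(counts, max_ratio=3.0):
    """Flag intervals whose count differs from its pair neighbour by more than
    max_ratio.  For a pair with count ratio r, |d|/a = (r-1)/(r+1), so the
    threshold on the detail is (max_ratio-1)/(max_ratio+1); the max_ratio of 3
    is an assumed setting, not the authors'.  Returns (interval index, count)
    for the larger member of each flagged pair."""
    averages, details = haar_step(counts)
    limit = (max_ratio - 1) / (max_ratio + 1)
    flagged = []
    for i, (a, d) in enumerate(zip(averages, details)):
        if a > 0 and abs(d) / a > limit:
            j = 2 * i if d > 0 else 2 * i + 1
            flagged.append((j, counts[j]))
    return flagged


if __name__ == "__main__":
    counts = bin_counts(constructed_timestamps())
    print(counts, flag_bursts(counts))
```

No signature database is involved: the only model is the signal itself, which is the anomaly-detection property the Our Approach slide claims. The flip side from the Anomaly Detection slide applies too: a legitimate burst (a backup, a flash crowd) is flagged just the same, and a slow ramp spread over many intervals produces small details at this level and would only show up in the coarser levels of a full pyramid.
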
Results: Figure 1, Figure 2, Figure 3, Figure 4, Figure 5, Figure 6 (plots not reproduced in the transcript)

Conclusion & Future Direction

- We have presented a wavelet-based framework for network monitoring.
- This is the first phase of the development of an engine for network intrusion analysis.
- This engine will not depend on signature databases and is thus expected to minimize false negatives and false positives.

References

- [1] K. Ilgun, A real-time intrusion detection system for UNIX, IEEE Symposium on Security and Privacy, 1993.
- [2] P. Porras and R. Kemmerer, Penetration State Transition Analysis: A Rule-Based Intrusion Detection Approach, Computer Security Applications Conference, 1992.
- [3] http://enterprisesecurity.symantec.com/content/productlink.cfm
- [4] http://newsroom.cisco.com/dlls/fspnisapi32b3.html
- [5] http://www.iss.net
- [6] A. Haar, Zur Theorie der orthogonalen Funktionensysteme, Mathematische Annalen 69:331-371, 1910. Also in his PhD thesis.
- [7] A. Grossmann and J. Morlet, Decomposition of Hardy functions into square integrable wavelets of constant shape, SIAM J. Math. Anal. 15 (1984), pp. 723-736.
- [8] Y. Meyer, Ondelettes et opérateurs, Tome 1, Hermann, 1990.
- [9] S. Mallat, A theory for multiresolution signal decomposition: the wavelet representation, IEEE Transactions on Pattern Analysis and Machine Intelligence 11(7):674-693, July 1989.
- [10] I. Daubechies, Ten Lectures on Wavelets, no. 61 in CBMS-NSF Series in Applied Mathematics, SIAM, Philadelphia, 1992.
- [11] R. R. Coifman, A real variable characterization of H^p, Studia Math. 51 (1974).
- [12] R. R. Coifman, Y. Meyer, S. Quake, and M. V. Wickerhauser, Signal processing and compression with wave packets, in Proceedings of the International Conference on Wavelets, Marseille, 1989, Y. Meyer, ed., Masson, Paris.
- [13] S. Ezekiel, Low-dimensional chaotic signal characterization using approximate entropy, 3rd IASTED International Conference on Circuits, Signals, and Systems, Cancun, May 2003.
- [14] S. Ezekiel, Heart Rate Variability Signal Processing by Using Wavelet Based Multifractal Analysis, IASTED International Conference on Digital Signal Processing and Control, USA, May 2001.
- [15] C. E. Shannon, A Mathematical Theory of Communication, Bell Syst. Tech. J. 27:379-423, 623-656, 1948.
