A Wavelet Approach to Network Intrusion Detection
W. Oblitey & S. Ezekiel, IUP Computer Science Dept.

Intrusion Detection
- Provides monitoring of system resources to help detect intrusions and/or identify attacks.
- Complementary to blocking devices:
  - Insider attacks.
  - Attacks that use traffic permitted by the firewall.
  - Can monitor the attack after it crosses through the firewall.
- Helps gather useful information for detecting attackers, identifying attackers, and revealing new attack strategies.

Classification
- Intrusion detection systems are classified according to how they detect malicious activity:
  - Signature detection systems (also called misuse detection systems).
  - Anomaly detection systems.
- Also classified by what they monitor:
  - Network-based intrusion detection systems: monitor network traffic.
  - Host-based intrusion detection systems: monitor activity on host machines.

Signature Detection
- Achieved by creating signatures: models of attacks.
- Monitored events are compared to the models to determine whether they qualify as attacks.
- Excellent at detecting known attacks.
- Requires the signatures to be created and entered into the sensor's database before operation.
- May generate false alarms (false positives).
- Problem: needs a large number of signatures for effective detection; the database can grow very massive.

Anomaly Detection
- Creates a model of normal use and looks for activity that does not conform to the model.
- Problems with this method:
  - Difficulty in creating the model of normal activity: if the network already had malicious activity on it, is that "normal activity"?
  - Some patterns classified as anomalies may not be malicious.

Network-Based IDS
- By far the most commonly employed form of intrusion detection system.
- To many people, "IDS" is synonymous with "NIDS".
- Matured more quickly than the host-based equivalents.
- Large number of NIDS products available on the market.

Deploying NIDS
- Points to consider:
  - Where do sensors belong in the network?
  - What is to be protected the most?
  - Which devices hold critical information assets?
- Cost effectiveness: we cannot deploy sensors on all network segments; that would not even be manageable.
- We need to carefully consider where sensors are to be deployed.

Locations for IDS Sensors
- Just inside the firewall.
  - The firewall is a bottleneck for all traffic; all inbound/outbound traffic passes here.
  - The sensor can inspect all incoming and outgoing traffic.
- On the DMZ.
  - The publicly reachable hosts located here often get attacked.
  - The DMZ is usually the attacker's first point of entry into the network.
- On the server farm segment.
  - We can monitor mission-critical application servers (for example: financial, logistical, human resources functions).
  - Also monitors insider attacks.
- On the network segments connecting the mainframe or midrange hosts.
  - Monitors mission-critical devices.

The Network Monitoring Problem
- Network-based IDS sensors employ sniffing to monitor the network traffic.
- Networks using hubs: the sensor can monitor all packets, because hubs transmit every packet out of every connected interface.
- Switched networks: the sensor must be able to sniff the passing traffic, but switches forward packets only to the ports connected to the destination hosts.

Monitoring Switched Networks
- Use of Switch Port Analyzer (SPAN) configurations.
  - Causes the switch to copy all packets destined to a given interface.
  - Transmits the copied packets to the configured monitoring port.
- Use of hubs in conjunction with the switches.
  - The hub must be a fault-tolerant one.
- Use of taps in conjunction with the switches.
  - Fault-tolerant, hub-like devices.
  - Permit only one-way transmission of data out of the monitoring port.

NIDS Signature Types
- Signatures that look for patterns in packet payloads that indicate possible attacks.
- Port signatures: watch for connection attempts to known or frequently attacked ports.
- Header signatures: watch for dangerous or illogical combinations in packet headers.

Network IDS Reaction Types
- Typical reactions of a network-based IDS with active monitoring upon detection of an attack in progress:
  - TCP resets
  - IP session logging
  - Shunning or blocking
- Capabilities are configurable on a per-signature basis: the sensor responds based on its configuration.

TCP Reset Reaction
- Operates by sending a TCP reset packet to the victim host. This terminates the TCP session.
- Spoofs the IP address of the attacker.
- Resets are sent from the sensor's monitoring/sniffing interface.
- It can terminate an attack in progress but cannot stop the initial attack packet from reaching the victim.

IP Session Logging
- The sensor records traffic passing between the attacker and the victim.
- Can be very useful in analyzing the attack.
- Can be used to prevent future attacks.
- Limitations:
  - Only the trigger packet and the subsequent packets are logged; preceding packets are lost.
  - Can impact sensor performance.
  - Quickly consumes large amounts of disk space.

Shunning/Blocking
- The sensor connects to the firewall or a packet-filtering router and configures filtering rules that block packets from the attacker.
- Needs arrangement of proper authentication: ensures that the sensor can securely log into the firewall or router.
- A temporary measure that buys time for the administrator.
- Problem: spoofed source addresses (the address that gets blocked need not be the attacker's).

Host-based IDS
- Started in the early 1980s, when networks were not so prevalent.
- Primarily used to protect only critical servers.
- A software agent resides on the protected system.
- Signature based: detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity.
- Use of resources can have an impact on system performance.

HIDS Methods of Operation
- Auditing logs: system logs, event logs, security logs, syslog.
- Monitoring file checksums to identify changes.
- Elementary network-based signature techniques, including port activity.
- Intercepting and evaluating requests by applications for system resources before they are processed.
- Monitoring of system processes for suspicious activity.

Log File Auditing
- Detects past activity: cannot stop the action that set off the alarm from taking place.
- Monitors changes in the log files.
- New log entries are compared with the HIDS attack signature patterns for a match; if a match is detected, the administrator is alerted.

File Checksum Examination
- Detects past activity: cannot stop the action that set off the alarm from taking place.
- Hashes are created only for system files that should not change or change infrequently; including frequently changing files is a huge disturbance.
- File checksum systems, like Tripwire, may also be employed.

Network-Based Techniques
- The IDS product monitors packets entering and leaving the host's NIC for signs of malicious activity.
- Designed to protect only the host in question.
- The attack signatures used are not as sophisticated as those used in NIDS.
- Provides rudimentary network-based protection.

Intercepting Requests
- Intercepts calls to the operating system before they are processed.
- Is able to validate software calls made to the operating system and kernel.
- Validation is accomplished by:
  - Generic rules about what processes may have access to resources.
  - Matching calls to system resources with predefined models which identify malicious activity.

System Monitoring
- Can preempt attacks before they are executed. This type of monitoring can:
  - Prevent files from being modified.
  - Allow access to data files only to a predefined set of processes.
  - Protect system registry settings from modification.
  - Prevent critical system services from being stopped.
  - Protect settings for users from being modified.
  - Stop exploitation of application vulnerabilities.

HIDS Software
- Deployed by installing agent software on the system.
- Effective for detecting insider attacks.
- Host wrappers:
  - Inexpensive and deployable on all machines.
  - Do not provide the in-depth, active monitoring measures of agent-based HIDS products.
  - Sometimes referred to as personal firewalls.
- Agent-based software: more suited for single-purpose servers.

HIDS Active Monitoring Capabilities
- Options commonly used:
  - Log the event: very good for post-mortem analysis.
  - Alert the administrator, through email or SNMP traps.
  - Terminate the user login, perhaps with a warning message.
  - Disable the user account.
  - Prevent access to memory, processor time, or disk space.

Advantages of Host-based IDS
- Can verify the success or failure of an attack by reviewing log entries.
- Monitors user and system activities.
- Does not rely on a particular network infrastructure; not limited by switched infrastructures.
- Useful in forensic analysis of the attack.
- Can protect against non-network-based attacks.
- Reacts very quickly to intrusions: by immediately identifying a breach when it occurs, and by preventing access to system resources.
- Installed on the protected server itself: does not require additional hardware to deploy and needs no changes to the network infrastructure.

Active/Passive Detection
- The ability of an IDS to take action when it detects suspicious activity.
- Passive systems: take no action to stop or prevent the activity. They log events, alert administrators, and record the traffic for analysis.
- Active systems: do all the recording that passive systems do; they interoperate with firewalls and routers (which can cause blocking or shunning); they can send TCP resets.

Our Approach
- We present a variant but novel approach to the anomaly detection scheme.
- We show how to detect attacks without the use of data banks.
- We show how to correlate multiple inputs to define the basis of a new-generation analysis engine.

Signals and Signal Processing
- Signal definition: signals play an important part in our daily lives. Examples: speech, music, pictures, and video. A signal is a function of independent variables like time, distance, position, temperature, and pressure.
- Signal classification:
  - Analog: the independent variable on which the signal depends is continuous.
  - Digital: the independent variable is discrete. Digital signals are represented as a sequence of numbers (samples).
- Signals carry information; the objective of signal processing is to extract this useful information.

Energy of a Signal
- We can also define a signal as a function of varying amplitude through time.
- The measure of a signal's strength is the area under the absolute value of the curve. This measure is referred to as the energy of the signal and is defined as:
  - Energy of a continuous signal: $E_a = \int |x(t)|^2 \, dt$
  - Energy of a discrete signal: $E_d = \sum_t |x(t)|^2$

Wavelet
- A waveform of effectively limited duration that has an average value of zero.
- Presently used in many fields of science and engineering.
- Its development resulted from the need to generate algorithms that would compute compact representations of signals and data sets at an accelerated pace.
- Started as Alfred Haar's step functions, now called wavelets.
- We analyze wavelets by breaking up a signal into shifted and scaled versions of the original (mother) wavelet.

Our Network Topology
- We set up a star topology network: four computers in an island, each running Linux RedHat 9.2.
- The machines are connected by a switch; the switch is connected to a PIX 515E firewall.
- A 3Com Ethernet hub sits between the switch and the firewall, for sniffing and capturing packets.
- We duplicated this island six times and connected the islands with routers.
- We then connected the islands, via the routers, to a central Cisco switch.
- For simulation purposes, we installed Windows XP on one machine in island one.

Data Collection
- We generated packets with a Perl script on a Linux system.
- We used the three most common protocols for our simulation: HTTP, FTP, and SMTP.
- For each protocol:
  - We generated constant traffic and created 50 datasets, each consisting of the number of packets transmitted over two-minute intervals.
  - We executed the same traffic scripts with a random pause between 0 and 60 seconds.
  - We then reran the traffic with a pause between 0 and 15 seconds to create additional datasets.
- We collected all 150 datasets with Ethereal for further analysis.

Results
- Figures 1 to 6 (plots not reproduced in this text version).

Conclusion & Future Direction
- We have presented a wavelet-based framework for network monitoring.
- This is our first phase in the development of an engine for network intrusion analysis.
- This engine will not depend on databases and thus will minimize false negatives and false positives.
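A worked example of the detection idea in the wavelet and data-collection slides above, added here and not part of the authors' material: it bins constructed packet timestamps into the two-minute counts used for the datasets, runs an orthonormal Haar decomposition (the step-function wavelet the slides mention), and uses the share of signal energy sitting in the detail coefficients to separate constant traffic from traffic with random pauses, with no signature database involved. The 1/sqrt(2) Haar scaling, the sample counts and the flag_bursty threshold rule are my assumptions, not the authors' method.

```python
import math

INTERVAL = 120  # seconds: the two-minute bins used for the paper's datasets

def packet_counts(timestamps, n_bins, interval=INTERVAL):
    """Turn packet timestamps (seconds since capture start) into a
    packets-per-interval series, one number per two-minute bin."""
    counts = [0] * n_bins
    for t in timestamps:
        idx = int(t // interval)
        if 0 <= idx < n_bins:
            counts[idx] += 1
    return counts

def energy(seq):
    """Discrete signal energy E_d = sum |x(t)|^2, as defined on the slides."""
    return sum(v * v for v in seq)

def haar_dwt(signal):
    """Full Haar decomposition of a length-2^k series (assumed scaling
    by 1/sqrt(2), so total energy is preserved across the transform).
    Returns (final approximation coefficient, detail lists, finest first)."""
    n = len(signal)
    if n == 0 or n & (n - 1):
        raise ValueError("Haar DWT here needs a power-of-two length")
    approx = [float(v) for v in signal]
    details = []
    while len(approx) > 1:
        nxt, det = [], []
        for a, b in zip(approx[0::2], approx[1::2]):
            nxt.append((a + b) / math.sqrt(2))  # smoothed (scaled) version
            det.append((a - b) / math.sqrt(2))  # change between neighbours
        details.append(det)
        approx = nxt
    return approx[0], details

def detail_energy_fraction(signal):
    """Share of the series' energy held by the Haar detail coefficients.
    Perfectly constant traffic gives 0.0; bursty traffic pushes it up."""
    total = energy(signal)
    if total == 0:
        return 0.0
    _, details = haar_dwt(signal)
    return sum(energy(d) for d in details) / total

def flag_bursty(signal, baseline_fraction, tolerance=0.01):
    """Anomaly rule (my assumption): compare the detail-energy share with
    that of a known-good constant-rate series; no signatures consulted."""
    return detail_energy_fraction(signal) > baseline_fraction + tolerance

# Constructed samples: constant traffic vs. the same sender pausing at random.
CONSTANT = [240] * 8                             # about 2 packets/s, 16 minutes
BURSTY = [240, 95, 180, 240, 30, 210, 150, 240]  # pauses thin out some bins
```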