
A Wavelet Approach to Network Intrusion Detection


Page 1: Title

A Wavelet Approach to Network Intrusion Detection

W. Oblitey & S. Ezekiel, IUP Computer Science Dept.

Page 2: Intrusion Detection

- Provides monitoring of system resources to help detect intrusions and/or identify attacks.
- Complementary to blocking devices:
  - Insider attacks.
  - Attacks that use traffic permitted by the firewall.
  - Can monitor the attack after it crosses through the firewall.
- Helps gather useful information for:
  - Detecting attackers,
  - Identifying attackers,
  - Revealing new attack strategies.

Page 3: Classification

- Intrusion Detection Systems are classified according to how they detect malicious activity:
  - Signature detection systems (also called misuse detection systems)
  - Anomaly detection systems
- Also classified as:
  - Network-based intrusion detection systems: monitor network traffic
  - Host-based intrusion detection systems: monitor activity on host machines

Page 4: Signature Detection

- Achieved by creating signatures: models of attacks.
- Monitored events are compared to the models to determine whether they qualify as attacks.
- Excellent at detecting known attacks.
- Requires the signatures to be created and entered into the sensor's database before operation.
- May generate false alarms (false positives).
- Problem:
  - Needs a large number of signatures for effective detection.
  - The database can grow very massive.

Page 5: Anomaly Detection

- Creates a model of normal use and looks for activity that does not conform to the model.
- Problems with this method:
  - Difficulty in creating the model of normal activity: if the network already had malicious activity on it, is it 'normal activity'?
  - Some patterns classified as anomalies may not be malicious.

Page 6: Network-Based IDS

- By far the most commonly employed form of Intrusion Detection System.
- To many people, "IDS" is synonymous with "NIDS".
- Matured more quickly than the host-based equivalents.
- Large number of NIDS products available on the market.

Page 7: Deploying NIDS

- Points to consider:
  - Where do sensors belong in the network?
  - What is to be protected the most?
  - Which devices hold critical information assets?
  - Cost effectiveness: we cannot deploy sensors on all network segments, and doing so would not be manageable either.
- We need to carefully consider where sensors are to be deployed.

Page 8: Locations for IDS Sensors

- Just inside the firewall.
  - The firewall is a bottleneck for all traffic: all inbound/outbound traffic passes here.
  - The sensor can inspect all incoming and outgoing traffic.
- On the DMZ.
  - The publicly reachable hosts located here often get attacked.
  - The DMZ is usually the attacker's first point of entry into the network.
- On the server farm segment.
  - We can monitor mission-critical application servers (example: financial, logistical, human resources functions).
  - Also monitors insider attacks.
- On the network segments connecting the mainframe or midrange hosts.
  - Monitor mission-critical devices.

Page 9: The Network Monitoring Problem

- Network-based IDS sensors employ sniffing to monitor the network traffic.
- Networks using hubs: can monitor all packets.
  - Hubs transmit every packet out of every connected interface.
- Switched networks: the sensor must be able to sniff the passing traffic.
  - Switches forward packets only to ports connected to destination hosts.

Page 10: Monitoring Switched Networks

- Use of Switch Port Analyzer (SPAN) configurations.
  - Causes the switch to copy all packets destined to a given interface.
  - Transmits the copies to the port configured for monitoring.
- Use of hubs in conjunction with the switches.
  - The hub must be a fault-tolerant one.
- Use of taps in conjunction with the switches.
  - Fault-tolerant, hub-like devices.
  - Permit only one-way transmission of data out of the monitoring port.

Page 11: NIDS Signature Types

- Look for patterns in packet payloads that indicate possible attacks.
- Port signatures: watch for connection attempts to known or frequently attacked ports.
- Header signatures: watch for dangerous or illogical combinations in packet headers.

Page 12: Network IDS Reaction Types

- Typical reactions of a network-based IDS with active monitoring upon detection of an attack in progress:
  - TCP resets
  - IP session logging
  - Shunning or blocking
- Capabilities are configurable on a per-signature basis: the sensor responds based on its configuration.

Page 13: TCP Reset Reaction

- Operates by sending a TCP reset packet to the victim host; this terminates the TCP session.
- Spoofs the IP address of the attacker.
- Resets are sent from the sensor's monitoring/sniffing interface.
- It can terminate an attack in progress but cannot stop the initial attack packet from reaching the victim.

Page 14: IP Session Logging

- The sensor records traffic passing between the attacker and the victim.
  - Can be very useful in analyzing the attack.
  - Can be used to prevent future attacks.
- Limitation:
  - Only the trigger and the subsequent packets are logged; preceding packets are lost.
  - Can impact sensor performance.
  - Quickly consumes large amounts of disk space.

Page 15: Shunning/Blocking

- The sensor connects to the firewall or a packet-filtering router and configures filtering rules that block packets from the attacker.
- Needs arrangement of proper authentication: ensures that the sensor can securely log into the firewall or router.
- A temporary measure that buys time for the administrator.
- Problem: spoofed source addresses.

Page 16: Host-based IDS

- Started in the early 1980s, when networks were not so prevalent.
- Primarily used to protect only critical servers.
- A software agent resides on the protected system.
- Signature based: detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity.
- Use of resources can have an impact on system performance.

Page 17: HIDS Methods of Operation

- Auditing logs: system logs, event logs, security logs, syslog.
- Monitoring file checksums to identify changes.
- Elementary network-based signature techniques, including port activity.
- Intercepting and evaluating requests by applications for system resources before they are processed.
- Monitoring of system processes for suspicious activity.

Page 18: Log File Auditing

- Detects past activity: cannot stop the action that set off the alarm from taking place.
- Log files:
  - Monitor changes in the log files.
  - New entries in changed logs are compared with HIDS attack signature patterns for a match.
  - If a match is detected, the administrator is alerted.

Page 19: File Checksum Examination

- Detects past activity: cannot stop the action that set off the alarm from taking place.
- Hashes are created only for system files that should not change or change infrequently.
- Inclusion of frequently changing files is a huge disturbance.
- File checksum systems, like Tripwire, may also be employed.

Page 20: Network-Based Techniques

- The IDS product monitors packets entering and leaving the host's NIC for signs of malicious activity.
- Designed to protect only the host in question.
- The attack signatures used are not as sophisticated as those used in NIDS.
- Provides rudimentary network-based protections.

Page 21: Intercepting Requests

- Intercepts calls to the operating system before they are processed.
- Is able to validate software calls made to the operating system and kernel.
- Validation is accomplished by:
  - Generic rules about which processes may have access to resources.
  - Matching calls to system resources with predefined models which identify malicious activity.

Page 22: System Monitoring

- Can preempt attacks before they are executed.
- This type of monitoring can:
  - Prevent files from being modified.
  - Allow access to data files only to a predefined set of processes.
  - Protect system registry settings from modification.
  - Prevent critical system services from being stopped.
  - Protect settings for users from being modified.
  - Stop exploitation of application vulnerabilities.

Page 23: HIDS Software

- Deployed by installing agent software on the system.
- Effective for detecting insider attacks.
- Host wrappers:
  - Inexpensive and deployable on all machines.
  - Do not provide the in-depth, active monitoring measures of agent-based HIDS products.
  - Sometimes referred to as personal firewalls.
- Agent-based software: more suited for single-purpose servers.

Page 24: HIDS Active Monitoring Capabilities

- Options commonly used:
  - Log the event: very good for post mortem analysis.
  - Alert the administrator: through email or SNMP traps.
  - Terminate the user login, perhaps with a warning message.
  - Disable the user account.
  - Prevent access to memory, processor time, or disk space.

Page 25: Advantages of Host-based IDS

- Can verify success or failure of an attack by reviewing log entries.
- Monitors user and system activities: useful in forensic analysis of the attack.
- Can protect against non-network-based attacks.
- Reacts very quickly to intrusions:
  - By preventing access to system resources.
  - By immediately identifying a breach when it occurs.
- Does not rely on particular network infrastructure: not limited by switched infrastructures.
- Installed on the protected server itself:
  - Does not require additional hardware to deploy.
  - Needs no changes to the network infrastructure.

Page 26: Active/Passive Detection

- The ability of an IDS to take action when it detects suspicious activity.
- Passive systems take no action to stop or prevent the activity:
  - They log events.
  - They alert administrators.
  - They record the traffic for analysis.
- Active systems:
  - Do all the recording that passive systems do.
  - Interoperate with firewalls and routers, which can cause blocking or shunning.
  - Can send TCP resets.

Page 27: Our Approach

- We present a variant, but novel, approach to the anomaly detection scheme.
- We show how to detect attacks without the use of data banks.
- We show how to correlate multiple inputs to define the basis of a new-generation analysis engine.

Page 28: Signals and Signal Processing

- Signal definition: a function of independent variables like time, distance, position, temperature, and pressure.
- Signals play an important part in our daily lives; examples: speech, music, pictures, and video.
- Signal classification:
  - Analog: the independent variable on which the signal depends is continuous.
  - Digital: the independent variable is discrete. Digital signals are represented as a sequence of numbers (samples).
- Signals carry information; the objective of signal processing is to extract this useful information.

Page 29: Energy of a Signal

- We can also define a signal as a function of varying amplitude through time.
- The measure of a signal's strength is the area under the absolute value of the curve.
- This measure is referred to as the energy of the signal and is defined as:
  - Energy of a continuous signal: $E_a = \int_{-\infty}^{\infty} |x(t)|^2 \, dt$
  - Energy of a discrete signal: $E_d = \sum_{t} |x(t)|^2$

Page 30: Wavelet

- A waveform of effectively limited duration that has an average value of zero.
- Presently used in many fields of science and engineering.
- Its development resulted from the need to generate algorithms that would compute compact representations of signals and data sets at an accelerated pace.
- Started as Alfred Haar's step functions, now called wavelets.
- In wavelet analysis we break a signal up into shifted and scaled versions of the original (mother) wavelet.

Page 31: Our Network Topology

- We set up a star topology network:
  - Four computers in an island, each running Linux RedHat 9.2.
  - The machines are connected by a switch.
  - The switch is connected to a PIX 515E Firewall.
  - A 3Com Ethernet hub sits between the switch and the firewall, for sniffing and capturing packets.
- We duplicated this island six times and connected them with routers.
- We then connected the islands, via the routers, to a central Cisco switch.
- For simulation purposes, we installed Windows XP on one machine in island one.

Page 32: Data Collection

- We generated packets with a Perl script on a Linux system.
- We used the three most common protocols for our simulation: HTTP, FTP, and SMTP.
- For each protocol:
  - We generated constant traffic and created 50 datasets, each consisting of the number of packets transmitted over two-minute intervals.
  - We executed the same traffic scripts with a random pause between 0 and 60 seconds.
  - We then reran the traffic with a pause between 0 and 15 seconds to create additional datasets.
- We collected all 150 datasets with Ethereal for further analysis.
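Added example (not the authors' code) tying together slides 29, 30 and 32: a window of packets-per-two-minute-interval counts, the kind of dataset the deck collects, is decomposed with the Haar wavelet, and the energy of the detail coefficients at each scale is compared against a baseline averaged over clean windows, so a flood stands out without any signature database. All traffic windows are constructed sample data, and the ratio-based score, the two-level depth and the baseline averaging are this example's assumptions, not the authors' method.

```python
"""Haar wavelet anomaly scoring for per-interval packet counts (added example)."""
import math
from typing import Dict, List, Tuple

LEVELS = 2  # two Haar levels over a 16-interval window (32 minutes of 2-minute bins)

# Constructed sample data: packets per two-minute interval for one protocol.
# Steady traffic with small jitter (the deck's "constant traffic" runs).
CONSTANT_WINDOW = [120, 122, 119, 123, 118, 121, 120, 117,
                   120, 122, 119, 123, 118, 121, 120, 117]
# Same generator with random pauses inserted (the 0-60 s pause runs).
PAUSED_WINDOW = [120, 122, 95, 123, 118, 101, 120, 117,
                 120, 122, 119, 88, 118, 121, 120, 117]
# Steady traffic with a three-interval flood (constructed anomaly).
FLOOD_WINDOW = [120, 122, 119, 123, 118, 121, 120, 117,
                120, 900, 900, 900, 118, 121, 120, 117]
BASELINE_WINDOWS = [CONSTANT_WINDOW, PAUSED_WINDOW]


def haar_step(signal: List[float]) -> Tuple[List[float], List[float]]:
    """One Haar level: pairwise sums (approximation) and differences (detail),
    both scaled by 1/sqrt(2) so that the energy of the signal is preserved."""
    if len(signal) % 2:
        raise ValueError("Haar step needs an even-length signal")
    approx, detail = [], []
    for i in range(0, len(signal), 2):
        a, b = signal[i], signal[i + 1]
        approx.append((a + b) / math.sqrt(2))
        detail.append((a - b) / math.sqrt(2))
    return approx, detail


def haar_decompose(signal: List[float], levels: int) -> Tuple[List[float], List[List[float]]]:
    """Repeat haar_step on the approximation. Returns the coarsest approximation
    and the detail coefficients per level (index 0 = finest time scale)."""
    approx, details = list(signal), []
    for _ in range(levels):
        approx, detail = haar_step(approx)
        details.append(detail)
    return approx, details


def energy(coeffs: List[float]) -> float:
    """Energy of a discrete signal: sum of squared samples (E_d on slide 29)."""
    return sum(c * c for c in coeffs)


def detail_energy_profile(signal: List[float], levels: int) -> List[float]:
    """Mean detail energy per level: how much change the window carries at each scale."""
    _, details = haar_decompose(signal, levels)
    return [energy(d) / len(d) for d in details]


def baseline_profile(windows: List[List[float]], levels: int) -> List[float]:
    """Model of normal use (slide 5): average detail energy per level over clean windows."""
    profiles = [detail_energy_profile(w, levels) for w in windows]
    return [sum(p[k] for p in profiles) / len(profiles) for k in range(levels)]


def score_window(window: List[float], baseline: List[float], levels: int) -> float:
    """Anomaly score: largest per-level ratio of the window's detail energy to the
    baseline. Clean windows score around 1; a flood pushes some level far above."""
    profile = detail_energy_profile(window, levels)
    return max(p / (b + 1e-9) for p, b in zip(profile, baseline))


def run_demo() -> Dict[str, float]:
    """Score the three constructed windows against the clean baseline."""
    baseline = baseline_profile(BASELINE_WINDOWS, LEVELS)
    return {name: score_window(w, baseline, LEVELS)
            for name, w in (("constant", CONSTANT_WINDOW),
                            ("paused", PAUSED_WINDOW),
                            ("flood", FLOOD_WINDOW))}


if __name__ == "__main__":
    for name, score in run_demo().items():
        print(f"{name:>8}: anomaly score {score:10.2f}")
```

A flood whose start and end fall exactly on a dyadic block of 2**LEVELS intervals produces zero detail at every level computed here and only surfaces one level deeper, so in practice the decomposition is carried to the depth of the window rather than a fixed two levels.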

Page 33: Results

Figure 1

Page 34: Results

Figure 2

Page 35: Results

Figure 3

Page 36: Results

Figure 4

Page 37: Results

Figure 5

Page 38: Results

Figure 6

Page 39: Conclusion & Future Direction

- We have presented a wavelet-based framework for network monitoring.
- This is our first phase in the development of an engine for Network Intrusion Analysis.
- This engine will not depend on databases and thus will minimize false negatives and false positives.