A Mobile Agent and Snort Based Distributed Intrusion Detection System
Xiao-Ling Ye, Ying-Chao Zhang,Chao-Long Zhang ,Chao Chen, Xin-Yi Huang
Nanjing University of Information Science and Technology,
Nanjing 210044, China
Abstract
As computer networks and their number of nodes grow, the traditional mobile agent based distributed intrusion detection system can cause severe network congestion and time delay, because the data of all nodes converges on the central node, which then has to process a mass of data. In this article we propose a mobile agent and Snort based distributed intrusion detection system (MASDIDS for short). It performs data collection, analysis and response on the supervisory nodes, and the results are analyzed by mobile agents. The central server therefore only has to record intrusion behavior and manage components, because most of the computation is distributed to the supervisory nodes. There is no excessive flow into the system's processing center, so the real-time performance of the system is enhanced.
1. Structure and Function of MASDIDS
1.1. Topology of MASDIDS
The topology of MASDIDS is illustrated in graph 1. It contains a central server CS, which manages all the supervisory nodes (Host) and handles all the agent transactions of the whole system.
1.2. Function and Structure of MASDIDS
Most real intrusion behaviors are not isolated attacks but compound attacks made up of many scattered behaviors or a series of attacks. [3] These scattered attacks usually occur at several nodes and span a certain period of time. They should not be detected in isolation; unified analysis and processing is needed so that the compound attack can be detected correctly. Therefore, the host-based and network-based detection results, and the results of every node, must be considered together before the compound attack can be detected. The function structure of MASDIDS takes the detection of compound attacks into account and provides corresponding solutions. [1][5]
Graph 1. Topology of MASDIDS.
The system collects and processes network packets using Snort. Besides Snort, there are five other agents: Data Collection Agent (DCA), Data Analysis Agent (DAA), Search Agent (SA), State Detect Agent (SDA) and Center Manage Agent (CMA). Every agent is an individual entity, and together they constitute the MASDIDS system.
DCA is a static agent. There is a DCA and a Snort on every supervisory node. DCA collects, analyzes and processes the log and audit data of the supervisory node, while Snort collects and analyzes the network data; DCA then combines the host-based and network-based detection results. The result is saved in the MySQL database of this node. DCA also controls Snort: it can start and stop Snort, update its rule base, and so on.
Graph 1 labels: Firewall, Internet, Router, Switch, CS, Host1, Hostn.
World Congress on Software Engineering
978-0-7695-3570-8/09 $25.00 © 2009 IEEE
DOI 10.1109/WCSE.2009.310
281
The analysis result of DCA is not only the basis for further analysis by DAA but also the basic section of MASDIDS.
DAA is a mobile agent. There is more than one DAA in the system. DAA performs further analysis based on the results produced by DCA. Every DAA is in charge of analyzing several supervisory nodes. The DAAs also need to cooperate among themselves to ensure the efficiency of the analysis.
SA is a best-effort mobile agent. If an intrusion behavior is detected, CMA generates an SA to trace its path and source, which helps to collect evidence and update the rule base. The SA may not be effective, because many intrusions pass through an intermediary node and the intruders can also eliminate their traces. As a result, SA can only be a best-effort agent.
SDA is mainly used to detect the state of DCA and DAA; at the same time it provides location-based services for DAA. In the system, DCA and DAA must send a log-in message to SDA when they start and a log-out message when they terminate, and when a DAA changes its location it must also send a location message to SDA. There is only one active SDA in the system. When a DCA needs a DAA to carry out an analysis mission, SDA shows the DCA the locations of all DAAs that are in a normal state, so that communication is unimpeded and the system is stable.
CMA is in charge of all the agents and Snort instances in the system. It must make sure that all the agents and Snort instances are normal and available. It also manages and updates the system rule base. CMA performs statistical analysis of the intrusion behaviors across the whole system and displays all the intrusion statistics to the user in a GUI.
2. Snort
The capture and detection of network packets in MASDIDS depends mainly on Snort. Therefore, the efficiency of Snort's detection algorithm plays an important role in system performance. [5]
2.1. Detection process of Snort
Snort is a standard application built on the Libpcap library. It uses Libpcap to capture network packets and triggers Snort's detection process for each captured packet.
When Snort starts, it initializes first, then reads every rule file and parses it using the corresponding grammar to generate a syntax tree. When it analyzes a packet, it enters the corresponding sub-tree for matching according to the packet's protocol. The rules that make up the rule syntax tree stand in a logical OR relationship to each other: a match of one rule does not affect the others. The elements of a rule, such as the source IP, destination IP, source port and destination port, stand in a logical AND relationship: the rule is triggered only if all of its elements match. The generation of the rule syntax tree is illustrated in graph 2.
Graph 2. Process graph of syntax tree of Snort rules.
Rule matching is the process of matching a packet captured from the network against the rule syntax tree. If a match succeeds, an attack is considered detected and a certain response can be made. If there is no match, the packet is a normal packet. The detection process is illustrated in graph 3.
Graph 3. Workflow diagram of Snort.
2.2. Optimized detection algorithm of Snort
Once the syntax tree has been constructed, Snort begins to match captured packets against the rule syntax tree. Therefore, an optimized Snort matching algorithm can help Snort save matching time and reduce network delay.
Graph 3 contents (workflow of Snort): Initialize; Read Rule File, Analyze Rule Base; Generate Rule Syntax Tree; Open Libpcap Base; Capture Network Packet; Analyze Network Packet; Match Rule Syntax Tree? No: Normal; Yes: An Intrusion is Detected, Make Certain Response.
Graph 2 contents (syntax tree of Snort rules): Main Chain with Head of the Chain, Rule Head1 and Rule Head2, each holding Source IP, Destination IP, Source Port and Destination Port; Sub Chain with Rule Option 11, Rule Option 12, Rule Option 21 and Rule Option 22.
First of all, take the two rules below as an example:
(1) alert tcp any any -> any 7070 (msg: "IDS411/dos-realaudio"; flags: AP; content: "|fff4 fffd 06|"; reference: arachNIDS,IDS411;)
(2) alert tcp any any -> any 21 (msg: "IDS287/ftp-wuftp260-venglin-linux"; flags: AP; content: "|31c031db 31c9b046 cd80 31c031db|"; reference: arachNIDS,IDS411;)
In Snort rules, every rule element corresponds to a matching sub-function. When Snort matches rules, it uses a one-by-one, depth-first matching method and has to call the matching sub-function of every rule element in every rule; most of them are called several times. If two rules both have the "reference" option with the same parameter, the second rule cannot reuse the first rule's matching result directly: it must call the matching sub-function with the same parameter again, so the matching is not efficient.
Second, real-time monitoring of the network shows that the attacks seen within a certain period of time have much in common. Most network attacks target particular system vulnerabilities and ports, which they find by scanning. For example, one such attack remotely controlled the computer through the input-method vulnerability on port 3389. It was a main network intrusion method before Microsoft's patch was published; after the patch was published this kind of intrusion declined and other network intrusions took its place. However, the rules in the Snort rule base are arranged in their original order and are not adjusted for the intrusions occurring in a given time period.
Finally, all the elements of a rule form a logical AND: the rule evaluates to true only when every element matches. Therefore, when matching a packet against a rule, once one rule element fails to match, the remaining options of this rule need not be matched, because this rule will not fire. However, the rule options in Snort are arranged in their original order and are not rearranged when the matching rates of some options are low.
Taking these problems of the Snort matching algorithm together, we amend the algorithm as follows.
First, establish a sorting method based on the matching sub-function. When matching several rules, call the sub-function on the parameters of the same kind of rule element across the different rules first. If the parameters of the same rule element in different rules are the same, the earlier result can be used directly without calling the same function again and again, which saves function-call time.
Second, add an index parameter to every rule in the rule base. Whenever a rule is matched, its index value is incremented by one and the index is sorted dynamically at the same time: a rule with a larger index value is moved toward the front of the rule base and one with a smaller value toward the back.
Third, add an index parameter to the rule options of each rule. Whenever a rule option is matched, its index value is incremented by one and the index is sorted at the same time, so that an option with a larger index value is moved toward the front of the rule and one with a smaller value toward the back.
The reprogrammed and rebuilt rule tree is illustrated in graphs 4 and 5. We divide the Snort syntax tree into two parts. The first is the rule head linker, whose parameters are IP addresses and port numbers. Each sub-function processes its parameters column by column: if the parameters are the same, the earlier result can be used directly, which saves the time of calling the function. The index linked to each rule head is the index value of the whole rule. When the rule matches, this value is incremented and the index is sorted dynamically at the same time, that is, it is compared with the index value of the preceding rule; if it is larger, the two rules exchange places, and the comparison continues with the new preceding rule until the value is no longer larger. The second part is the rule option linker. Again the sub-function processes its parameters column by column, which saves the time of calling the function. The index linked to each parameter chain is the index value of the rule option. Whenever a rule option on the chain is matched successfully, this index value is incremented and the index is sorted dynamically at the same time, that is, it is compared with the index value of the following rule option; if it is larger, the two options exchange places, and the comparison continues with the new following option, stopping only when the value is no longer larger.
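The following Python block is an added example, not code from the paper or from Snort. It models the rule matching of section 2.1 (rules OR-ed, the elements of one rule AND-ed with fail-fast evaluation) together with the three amendments of section 2.2: sub-function results are cached per parameter while one packet is processed, so identical parameters in different rules are evaluated once; rules carry a hit index and bubble forward when it grows; and rule options carry their own hit index. The rule grammar, the packet dictionary, the `requests` and `calls` counters, the third rule and the packet contents are constructed assumptions; the first two rules are the ones quoted above with the `alert` keyword restored.

```python
"""Toy model of Snort rule matching with the amendments of section 2.2.
Constructed illustration; rule grammar, packet layout and sample data are simplified."""
import re
from dataclasses import dataclass

HEAD_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
CHECKED = ('flags', 'content')   # options that test the packet; msg/reference are metadata


@dataclass
class Rule:
    msg: str
    head: dict       # proto, sip, sport, dip, dport: AND-ed elements
    options: list    # [[name, parameter, hit index], ...] in evaluation order
    index: int = 0   # rule hit index (amendment 2)


def parse_rule(text):
    """Split one rule into its head elements and its checked options."""
    m = HEAD_RE.match(text.strip())
    if not m:
        raise ValueError('unparsable rule: ' + text)
    _action, proto, sip, sport, dip, dport, body = m.groups()
    pairs = [tuple(s.strip() for s in o.split(':', 1)) for o in body.split(';') if o.strip()]
    msg = next((v.strip('"') for k, v in pairs if k == 'msg'), '')
    options = [[k, v, 0] for k, v in pairs if k in CHECKED]
    return Rule(msg, dict(proto=proto, sip=sip, sport=sport, dip=dip, dport=dport), options)


def content_bytes(param):
    """'"|ff f4|"' -> b'\\xff\\xf4'; text without pipes is matched literally (simplified)."""
    s = param.strip('"')
    return bytes.fromhex(s.strip('|')) if s.startswith('|') else s.encode()


def sub_function(kind, param, packet):
    """One matching sub-function per kind of rule element, as in the paper."""
    if kind in ('sip', 'dip', 'sport', 'dport'):
        return param == 'any' or param == str(packet[kind])
    if kind == 'flags':
        return set(param) == set(packet['flags'])   # exact flag set (simplified)
    if kind == 'content':
        return content_bytes(param) in packet['payload']
    return param == packet[kind]   # proto


def bubble_forward(items, key):
    """Dynamic sort of section 2.2: an item whose index grew swaps forward past
    items with a smaller index; ties keep their existing order."""
    for i in range(1, len(items)):
        j = i
        while j > 0 and key(items[j]) > key(items[j - 1]):
            items[j], items[j - 1] = items[j - 1], items[j]
            j -= 1


class Matcher:
    """Rules are OR-ed; the elements of one rule are AND-ed and fail fast."""
    def __init__(self, rule_texts):
        self.rules = [parse_rule(t) for t in rule_texts]   # initial rule base order
        self.requests = 0   # element evaluations requested (what uncached matching would call)
        self.calls = 0      # sub-function calls actually made after caching (amendment 1)

    def match(self, packet):
        cache = {}          # (element kind, parameter) -> result, for this packet only

        def sub(kind, param):
            self.requests += 1
            if (kind, param) not in cache:
                self.calls += 1
                cache[(kind, param)] = sub_function(kind, param, packet)
            return cache[(kind, param)]

        hits = []
        for rule in self.rules:
            if not all(sub(k, v) for k, v in rule.head.items()):
                continue                # a head element failed: options are not tested
            fired = True
            for opt in rule.options:
                if not sub(opt[0], opt[1]):
                    fired = False
                    break               # fail fast: remaining options are skipped
                opt[2] += 1             # amendment 3: option hit index
            if fired:
                rule.index += 1         # amendment 2: rule hit index
                hits.append(rule.msg)
            bubble_forward(rule.options, key=lambda o: o[2])
        bubble_forward(self.rules, key=lambda r: r.index)
        return hits


RULES = [   # rules (1) and (2) from the paper, plus one constructed rule sharing their parameters
    'alert tcp any any -> any 7070 (msg: "IDS411/dos-realaudio"; flags: AP; content: "|fff4 fffd 06|"; reference: arachNIDS,IDS411;)',
    'alert tcp any any -> any 21 (msg: "IDS287/ftp-wuftp260-venglin-linux"; flags: AP; content: "|31c031db 31c9b046 cd80 31c031db|"; reference: arachNIDS,IDS411;)',
    'alert tcp any any -> any 7070 (msg: "TEST/realaudio-other"; flags: AP; content: "|aabb|";)',
]


def packet(dport, payload):
    """Constructed packet; addresses and source port are arbitrary sample values."""
    return dict(proto='tcp', sip='192.0.2.10', sport=40000, dip='192.0.2.20',
                dport=dport, flags='AP', payload=payload)


def run_matching_demo():
    """One packet carrying the content of rule (1), then the content of rule (2) twice."""
    m = Matcher(RULES)
    ftp = bytes.fromhex('31c031db31c9b046cd8031c031db')
    hits = [m.match(packet(7070, bytes.fromhex('fff4fffd06'))),
            m.match(packet(21, ftp)), m.match(packet(21, ftp))]
    return hits, m.requests, m.calls, [r.msg for r in m.rules]
```

Running `run_matching_demo()` shows the two effects the paper aims at: the three packets request 53 element evaluations but only 25 sub-function calls are made, because the shared head parameters and the shared `flags: AP` parameter are evaluated once per packet; and after the ftp rule has fired twice it has bubbled ahead of the RealAudio rule, so it is tried first on the next packet. One caveat on the option index: with fail-fast evaluation a later option can never accumulate more hits than an earlier one in the same rule, so the per-option ordering only changes if options are counted independently of earlier failures; a practitioner would also weigh putting the options that fail most often first, since that is what lets the AND short-circuit early.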
Graph 4. Improved graph of rule head linker.
Graph 4 labels: Rule Head Linker with Rule Head1, Rule Head2, Rule Head3 and their Index1, Index2, Index3; Parameter Chain of Sub-function1 with Parameter11, Parameter21, Parameter31; Parameter Chain of Sub-function2 with Parameter12, Parameter22, Parameter32.
Graph 5. Improved graph of rule option linker.
3. Workflow of MASDIDS
The working process of the MASDIDS system is as follows:
Data collection. DCA collects the log and audit data of the supervisory node and then analyzes and processes them. Snort collects, detects and processes the packets captured from the network. DCA then analyzes its own results together with the results detected by Snort. When an intrusion behavior is detected, SDA contacts a DAA to do further analysis.
If there is no idle DAA in the system, SDA reports to CMA, and CMA creates a DAA according to the system's demand, gives it the necessary routing information and intelligence, and sends it to the supervisory node for further analysis.
When the DAA reaches the supervisory node, it performs further detection. During the analysis it can move to other supervisory nodes in the system to collect more information, and cooperate with other DAAs, sharing analysis results, to detect compound attacks.
When an intrusion behavior is detected and the corresponding response measures have been carried out, DAA reports the behavior to CMA and requests CMA to dispatch a search agent SA to trace the origin of the intrusion.
CMA dispatches SA to trace the intrusion behavior. It analyzes the tracing result, logs the most complete information detected (such as the scope, method, time and source of the attack) in the record, and raises the corresponding alarm.
4. Accomplishment and test of MASDIDS
4.1. Detection experiment
To verify the MASDIDS model we constructed a test network topology. The central server runs Windows XP at IP address 192.168.2.16, with a 1.8G CPU, 512M of memory and a 10/100Mbps NIC. The supervisory node runs Windows XP at IP address 192.168.2.18, with a 1.8G CPU, 256M of memory and a 10/100Mbps NIC. The intrusion host runs Red Hat Linux 9.0 at IP address 192.168.2.111, with a 1.8G CPU, 256M of memory and a 10/100Mbps NIC.
The central server and the supervisory node have the Tahiti runtime environment for Aglet installed. The supervisory node also has the running environment apache + php + mysql + adodb + jpgraph + winpcap + acid + snortrules for Snort installed and correctly configured, together with the latest version of Snort, Snort 2.8.1. Snort's alarm information is saved in MySQL, and Snort displays its intrusion detection information through ACID. Aglet is a mobile agent technology developed by IBM Japan purely in Java. The company also developed a useful interface, the Aglet Workbench, for developing and running mobile agent systems. To date, Aglet is the most successful and complete such system.
The test code consists of Centeraglet.java and Hostaglet.java. Centeraglet.java is an Aglet for the central server. When created, it automatically provides the user operating interface and the network supervisory interface; it also collects the MySQL alarm log from the host through Hostaglet and displays it in its window.
Hostaglet.java is an Aglet sent to the supervisory node. Its main function is to respond to Snort's alarms. In our design, Hostaglet checks Snort's alarm log every minute; if the alarm log has changed, Hostaglet sends the new content of Snort's alarm log to Centeraglet.
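The polling behaviour of Hostaglet described above, as an added example that is not the paper's Java code: a Python stand-in that uses SQLite in place of MySQL and a constructed, simplified `event` table (cid, timestamp, signature) modelled loosely on the tables Snort's database output writes. Instead of testing whether the log "changed", the agent remembers the highest alert id it has already forwarded and sends only the rows above it, so a poll never forwards an alarm twice and never misses one that arrived between two polls; the `send` callback stands in for the message to Centeraglet.

```python
"""Added illustration of Hostaglet's polling loop (section 4.1) in Python with
SQLite standing in for MySQL; the table layout is a constructed simplification."""
import sqlite3


def open_alarm_db():
    """Create an in-memory stand-in for the Snort alarm database (constructed schema)."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE event (cid INTEGER PRIMARY KEY, timestamp TEXT, signature TEXT)')
    return conn


def snort_writes_alert(conn, timestamp, signature):
    """Simulate Snort's database output inserting one alert row."""
    conn.execute('INSERT INTO event (timestamp, signature) VALUES (?, ?)', (timestamp, signature))
    conn.commit()


class HostAgent:
    """Polls the alarm table and forwards only rows it has not forwarded yet."""
    def __init__(self, conn, send):
        self.conn = conn
        self.send = send        # callback standing in for the message to Centeraglet
        self.last_cid = 0       # high-water mark instead of a "did the log change" test

    def poll(self):
        """One poll: fetch rows newer than the high-water mark, forward, advance the mark."""
        rows = self.conn.execute(
            'SELECT cid, timestamp, signature FROM event WHERE cid > ? ORDER BY cid',
            (self.last_cid,)).fetchall()
        if rows:
            self.send(rows)
            self.last_cid = rows[-1][0]
        return len(rows)


def run_poll_demo():
    """Constructed alarm sequence; timestamps and signatures are sample values."""
    forwarded = []
    conn = open_alarm_db()
    agent = HostAgent(conn, forwarded.extend)
    snort_writes_alert(conn, '2009-01-01 10:00:00', 'IDS411/dos-realaudio')
    snort_writes_alert(conn, '2009-01-01 10:00:02', 'IDS411/dos-realaudio')
    first = agent.poll()      # two new rows are forwarded
    second = agent.poll()     # nothing new: nothing is sent again
    snort_writes_alert(conn, '2009-01-01 10:01:00', 'IDS287/ftp-wuftp260-venglin-linux')
    third = agent.poll()      # only the one row added since the last poll
    return (first, second, third), [row[2] for row in forwarded]
```

In the deployed agent the poll would run on a timer, every minute in the paper's design, for example by calling `agent.poll()` from a loop that sleeps 60 seconds between calls; the demo calls it directly so the forwarded sequence can be checked.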
To add a host node to MASDIDS, click the "add" button in the supervisory domain; the interface shown in graph 6 appears. In this interface you can add a supervisory node and send an Aglet to the atp address the user specifies. In this program there is only Hostaglet. The Aglet runtime has been installed beforehand on the supervisory node 192.168.2.18, and Snort has been correctly installed and configured on the same host. Then run the Snort supervisory program.
Graph 6. To add supervisory node in MASDIDS.
Graph 5 labels (rule option linker): Rule Option Linker with Rule Option1, Rule Option2, Rule Option3 and their Index1, Index2, Index3; Parameter Chain of Sub-function1 with Parameter11, Parameter21, Parameter31; Parameter Chain of Sub-function2 with Parameter12, Parameter22, Parameter32.
On the MASDIDS interface, choosing a supervisory node and clicking "configure" enters the supervision configuration interface. The intrusion host, IP address 192.168.2.111, runs hping2 and starts attacking 192.168.2.18. In the Snort remote supervision interface the attack is generally detected within 3 seconds. The detection result is saved in MySQL, as illustrated in graph 7. The alarm information displayed by MASDIDS is illustrated in graph 8. The pictures show that the Hostaglet on the supervisory node sends the alarm information in MySQL to the central server, which displays it.
Graph 7. The attack that detected by supervisory interface.
Graph 8. Graph of detected alarm information of MASDIDS.
5. Conclusion
From the experiment above we conclude that the MASDIDS system model, which uses mobile agents to control a professional network intrusion detection system, is feasible. With Snort integrated, the system is strong in network-based intrusion detection and has good real-time detection. To add a new Aglet with new features to this model, one only needs to program that Aglet, so new functions can be realized.
6. Acknowledgments
This work is supported in part by the Nature Science of Higher Education (Grant No. 06KJD520122), "The Six Top Talents" of Jiangsu Province (Grant No. 06-A-027), the Nature Science of NUIST (Grant No. 20070084), and the Jiangsu Province Philosophy and Social Sciences (Grant No. 08EYB018).
7. References
[1] Christopher Kruegel, Thomas Toth, Engin Kirda. SPARTA, a mobile agent based intrusion detection system. Network Security 2001, Leuven, Belgium, 2001.
[2] S. H. Qing, J. C. Jiang, H. T. Ma. Research on Intrusion Detection Techniques: A Survey. Journal on Communications, 2004, 25(7): 19-29.
[3] James P. Anderson. Information Security in a Multi-User Computer Environment. Advances in Computers, 1972, 12: 1-36.
[4] Mark Slagell. The design and implementation of MAIDS (mobile agent intrusion detection system). Iowa State University, Tech. Rep. TR01-07, 2001.
[5] http://www.snort.org