Published by: ijcsis on Aug 13, 2010
Copyright:Attribution Non-commercial

Framework for vulnerability reduction in real time intrusion detection and prevention systems using SOM based IDS with Netfilter-Iptables

Abhinav Kumar, X-Scholar, CSE Department, Jaypee Institute of Information Technology, Deemed University, Noida, India, abhinavjiit@yahoo.co.in
Kunal Chadha, X-Scholar, CSE Department, Jaypee Institute of Information Technology, Deemed University, Noida, India, id.kunal@gmail.com
Dr. Krishna Asawa, Associate Prof., CSE/IT Department, Jaypee Institute of Information Technology, Deemed University, Noida, India, krishna.asawa@jiit.ac.in
Abstract — Intrusion detection systems and intrusion prevention systems are some of the possible ways of handling various types of attacks or intrusions. But the credibility of such systems is itself at stake: none of the existing systems can assure you of your safety. In this paper we propose the integration of a SOM based intrusion detection system with an intrusion prevention system on the Linux platform for preventing intrusions. We propose a framework for reducing real time security risks by using Self-organizing maps for intrusion detection, accompanied by packet filtering through Netfilter-Iptables to handle the malicious data packets.

Keywords - Intrusion Detection System, SOM.
I. INTRODUCTION
In today's world every computer is vulnerable, nothing is secure, but the quest of mankind for that ideal security is still going on. The Internet and other ways of communication over networks are proving to be a boon as well as a bane: a boon when they provide new dimensions to business, and a bane with the harmful effects of intrusions into various networks. Every now and then we witness various types of attacks and keep banging our heads in solving them. As soon as one computer is connected to another computer there is an added possibility that someone using the other computer can access our computer's information, eventually leading to intrusions. Some recent surveys show that cyber attacks targeted at networks are no longer an unlikely incident that only occurs to a few exposed networks of organizations in the limelight. In the struggle to both maintain and implement any given IT security policy, professional IT security management is no longer able to ignore these issues, as attacks are more frequent and devastating; commercial success is directly related to the safe and reliable operation of their networks [4].

Intrusion is an action that attacks the integrity, confidentiality and availability of system resources [3]. Intrusion detection systems were developed for this cause, so that they can detect the malicious data packets travelling on the network in real time. But they have their own limitations, such as not being able to do session based detection, which uses multiple packets [2]. In a network based IDS, packets are examined according to both header and payload, searching for attack signatures stored in the IDS attack signature database, which is the vital part of any IDS software [4]; but it becomes inefficient when we talk about blocking those attacks, and hence attacks can easily enter a system.

Each such system is passive in reporting such intrusions and hence does not provide real time security.

For handling such situations we propose a real time system that consists of an intrusion detection system based on Self-organizing maps, for tracing down the malicious packets, along with handling those packets through an intrusion prevention system in the Linux environment. Self-organizing maps are an unsupervised way of learning and have the ability to express topological relationships [22]. The hypothesis is that typical connection characteristics will be emphasized (densely populated regions of the map) whereas atypical activities will appear in sparse regions of the topology [22]. Selection of SOM for intrusion detection is also guided by its robustness with regard to the choice of the number of classes to divide the data into; it is also resistant to the presence of outliers in the training data, which is a desirable property: in real-world situations, the training data could already contain attacks or anomalies and the algorithm must be capable of learning regular patterns out of a "dirty" training set [25]. Detection will be followed by prevention using Netfilter-Iptables, available in the Linux environment [3]. Our system blocks the malicious data packets as soon as they are detected, without any external help, in real time.

This paper is organized in various sections in which we discuss existing intrusion detection systems as well as intrusion prevention systems. This is followed by a description of the framework, which consists of training of the SOM and usage of netfilter-iptables for packet filtering.
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 4, July 2010, ISSN 1947-5500, http://sites.google.com/site/ijcsis/

II. EXISTING INTRUSION DETECTION SYSTEM
Scientists and researchers have been continuously working for quite a few years on the development of a perfect intrusion detection system (IDS) that can't be bluffed. Its main job is to monitor, analyze, detect and respond to intrusions into information systems [5]. Intrusion detection systems can be broadly categorized into signature based and anomaly detection systems. It may be passive. Signature based IDS look for attack signatures, specific patterns of network traffic or activity in log files that indicate suspicious behavior. Signature-based methods rely on a specific signature of an intrusion which, when found, triggers an alarm [6, 7]. Now coming on to its sub-categories: if an IDS searches for suspicious attack signatures in the traffic flowing on the network then it is named a Network intrusion detection system (NIDS), and when the same is done by looking at the log files of hosts, it is termed a Host intrusion detection system (HIDS) [4]. HIDS is mostly deployed in e-commerce environments for securing sensitive data, but it serves the purpose only at the host level. NIDS performs the search for attack signatures at the packet level and as soon as a match is found, an alarm gets raised. The anomaly detection IDS uses statistical techniques to detect penetrations and attacks; it begins with the establishment of a base-line of statistical behavior describing what the normal behavior for this system is. After that it captures new statistical data and measures it to find the deviation from the base line. Once a threshold is exceeded, an alarm is generated [4].

All the above-mentioned IDSs suffer from a few serious limitations. As the attack trails increase, it becomes difficult for a network IDS or host IDS to detect the attacks with its limited capability [9]. Some of them are: 1) High misinformation rate: this is a bulky log and real-time prevention problem that has not yet been solved efficiently [3]. An alarm gets raised even if there was no attack (false positive) and no alarm even if there is an attack (false negative). Hence there is a need for a more exact and effective access control policy [8], and in anomaly detection methods the base line needs to be adjusted dynamically. 2) Once an IDS gets attacked, it allows the attacker to move freely on the network [8]. 3) There is no way by which an IDS can block an attacker; it remains confined only to its primary job of detection.

III. INTRUSION PREVENTION SYSTEM
An intrusion prevention system (IPS), also known as a Network Defense System (NDS), is a system in which a firewall is tightly coupled with an IDS, and it can react to changes in the network environment [8]. It can be either in the form of software or hardware, providing help in blocking illegal external attacks, preventing the loss, destruction and alteration of internal information by illegitimate users through the Internet, and helping internal information to be provided to the outside safely. It is an active protection process that prohibits the incoming of illegal traffic and permits only authorized traffic [17]. The IPS is generally located in the rear section of the router and keeps a check on the packets forwarded to the router by analyzing and comparing them with filter rules [16]. In order to have proper security the IPS should fulfill criteria like: it must be a part of the communication link and supported by dedicated hardware, it should actively detect intrusions in real time, and it should block those intrusions instantaneously.

IV. PROPOSED FRAMEWORK
The proposed framework for an efficient intrusion detection-protection system is an integration of a SOM based intrusion detection system working in coherence with a netfilter-iptables based firewall. Self Organizing maps, being an unsupervised way of learning, are one of the best choices for intrusion detection because they clearly identify the "odd" phenomenon even in a vast amount of observations, which is their core property. Apart from this, they do not require a priori knowledge inputs.

The DARPA 1998 Intrusion Detection Evaluation data set consists of about 5 million connections of labeled training data and 2 million connections of test data [23]. This data consists of the values of all 41 features of a data packet along with its labeling into categories of normal, smurf, Neptune etc. These 41 features consist of basic TCP features, content features, time-based traffic features and host-based traffic features [24]. Since the proposed work is a data driven, unsupervised form of learning, out of those 41 features only the 6 carrying basic TCP information are required, namely: duration of connection, protocol type (tcp/udp), service (HTTP etc.), destination bytes, source bytes and the value of the flag. Hence the SOM based IDS will have 6 inputs and classifies packets into three clusters: normal, smurf and Neptune, the latter two being the attacks. Once this network gets trained with this data, it is ready for detecting the malicious packets.
 
Why SOM for intrusion detection?

Intrusions done by an unknown program lead to disasters because of their unknown behavior and characteristics. Although we can find out its characteristics, they remain a mystery for us. So we need to classify them into the normal and the abnormal states [11]. Now the problem gets reduced to defining the normal and the abnormal states.

The architecture of Self organizing maps was developed by Teuvo Kohonen at the University of Helsinki. Self organizing maps are provided only with a series of input patterns and learn for themselves how to group these together so that similar patterns produce similar outputs. A SOM consists of a single layer of cells, all of which are connected to a series of inputs. The inputs themselves are not cells and do no processing; they are just the points where the input signal enters the system [14], as shown in Figure 1.
This network involves unsupervised learning and hence it itself finds what it needs to learn, without any external help. In the area of intrusion detection systems, the use of unsupervised learning algorithms supports the detection of anomalies [10, 12]. Moreover, a learning algorithm can be tuned totally to the specific network it operates in, which is also an important feature to reduce the number of false positives and optimize the detection rate [12].
 
Training the SOM

The training of a self organizing map involves sampling, similarity matching and updating, apart from the basic initialization of weights to very small values in the range 0 to 0.01 [13]. The learning process of SOM is as follows:

1) During initialization, the only restriction is that $\mathbf{w}_j(0)$ be different for $j = 1, 2, \dots, l$, where $l$ is the number of neurons in the lattice.

2) It is followed by sampling, where a sample vector $\mathbf{x}$ (representing an activation pattern) is drawn from the input space with a certain probability and presented to the lattice. In the proposed work, out of the previously mentioned 41 features, the 6 basic TCP information features are presented to the network.

3) In similarity matching every node is examined to calculate which one's weights are most like the input vector. The winning node is commonly known as the Best Matching Unit (BMU)/neuron. The BMU is calculated by iterating through all the nodes and calculating the Euclidean distance between each node's weight vector and the current input vector. Hence the BMU $i(\mathbf{x})$ at time step $n$, using the minimum-distance Euclidean criterion, is:

$$i(\mathbf{x}) = \arg\min_{j} \|\mathbf{x}(n) - \mathbf{w}_j\|, \quad j = 1, 2, \dots, l \qquad \text{(Formula 1)}$$

The node with a weight vector closest to the input vector is tagged as the BMU. As the learning proceeds and new input vectors are given to the lattice, the learning rate gradually decreases to zero according to the specified learning rate function type [15]. Along with the learning rate, the neighborhood radius decreases as well.

4) In the updating phase the synaptic weight vectors of all the neurons are updated using the formula

$$\mathbf{w}_j(n+1) = \mathbf{w}_j(n) + \eta(n)\, h_{j,i(\mathbf{x})}(n)\, \big(\mathbf{x}(n) - \mathbf{w}_j(n)\big) \qquad \text{(Formula 2)}$$

where $\eta(n)$ is the learning-rate parameter, which has been set to 0.1, and $h_{j,i(\mathbf{x})}(n)$ is the neighborhood function centered around the winning neuron $i(\mathbf{x})$; both $\eta(n)$ and $h_{j,i(\mathbf{x})}(n)$ are varied dynamically during learning for best results [14].

5) We continue with step 2 until no noticeable changes in the feature map are observed, or for a given number of iterations (generally fixed; in our case it is 50000).

After training, the SOM is ready to categorize the packets into three different categories, namely smurf, Neptune and normal. After this phase the work of the intrusion prevention system starts. The efficiency of an IPS is decreased because of certain limitations in its basic principles. An IPS performs packet filtering based on predefined rules, but what if there is a novel attack? The IPS has passive characteristics, such that it can prevent only according to the predefined rules and filter some kinds of packets [18]. Apart from this, it is also not able to detect an attack carried out from the internal network of an organization. We propose to use Netfilter-Iptables for overcoming many such drawbacks of intrusion prevention systems.
 
Netfilter-Iptable

Netfilter is a set of hooks inside the Linux kernel [18]. Netfilter is a framework that enables packet filtering, network address [and port] translation and other packet mangling. It performs packet filtering based on rules saved in packet filtering tables in kernel space. The rules are grouped in chains according to the types of packets they deal with. Rules dealing with incoming packets are added to the INPUT chain, rules dealing with outgoing packets are added to the OUTPUT chain, and rules dealing with packets being forwarded are added to the FORWARD chain [20]. Other than these three chains there are other chains too, like PREROUTING and POSTROUTING, and user defined chains. As soon as a packet comes to a chain, its next action is decided on that chain. When a packet perfectly matches a rule, the action performed is one of: ACCEPT, where the packet is allowed to go wherever it is destined (-j ACCEPT); DROP, where the packet is blocked and no further processing is done on it (-j DROP); or REJECT, which is similar to DROP but doesn't leave dead sockets and sends back an error message (-j REJECT), as shown in Figure 2 [21]. There are a few more actions that can be performed on the packets.

Figure 1 (Self Organizing Map): a single layer of cells connected to the inputs x_1 ... x_N.
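How the detection output could drive the prevention step, as an added example that is not from the paper: SOM verdicts (constructed lines of the form `src=... proto=... cluster=...`, a format assumed here) are turned into iptables rules on the INPUT chain using the chain and target names described above. Source addresses and protocol names are validated before being placed in a command, and nothing is executed unless `dry_run` is False.

```python
import ipaddress
import subprocess

CHAINS = {"INPUT", "OUTPUT", "FORWARD"}      # built-in filter chains named in the text
TARGETS = {"ACCEPT", "DROP", "REJECT"}       # actions named in the text
PROTOCOLS = {"tcp", "udp", "icmp"}
ATTACK_CLUSTERS = {"smurf", "neptune"}       # SOM clusters the paper treats as attacks

def iptables_rule(chain, src, target, proto=None):
    """Build `iptables -A <chain> -s <src> [-p <proto>] -j <target>` as an argv list.
    Raises ValueError for an unknown chain, target or protocol, or a malformed source."""
    if chain not in CHAINS or target not in TARGETS:
        raise ValueError(f"unknown chain/target: {chain}/{target}")
    if proto is not None and proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol: {proto}")
    src = str(ipaddress.ip_address(src))     # only a real IP address reaches the command line
    argv = ["iptables", "-A", chain, "-s", src]
    if proto:
        argv += ["-p", proto]
    return argv + ["-j", target]

def parse_verdict(line):
    """Parse a constructed verdict line, e.g. 'src=10.0.0.7 proto=icmp cluster=smurf'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["proto"], fields["cluster"]

def rules_for_verdicts(lines, chain="INPUT", target="DROP"):
    """One blocking rule per distinct attacking source; normal verdicts add nothing."""
    seen, rules = set(), []
    for line in lines:
        src, proto, cluster = parse_verdict(line)
        if cluster in ATTACK_CLUSTERS and src not in seen:
            seen.add(src)
            rules.append(iptables_rule(chain, src, target, proto))
    return rules

def apply_rules(rules, dry_run=True):
    """Return the commands as strings; run them (root required) only when dry_run is False."""
    if not dry_run:
        for argv in rules:
            subprocess.run(argv, check=True)
    return [" ".join(argv) for argv in rules]
```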