With the rapid development of computer and network technology, network security has become more important, its aim being to protect network information from many kinds of attack. To protect the network from the variety of possible abuse, a single firewall alone cannot meet the requirements; real-time monitoring of the network is also needed, so that an intrusion is caught, as far as possible, before the attack happens.
Intrusion Detection Systems were developed and grew up against this background. As a new, active security defensive mechanism, an Intrusion Detection System can provide dynamic protection for hosts and networks: it not only monitors internal attacks, external attacks and misoperation in real time, but also combines with other network security products to protect the network in full range. Its real-time and proactive characteristics are an important complement to the firewall. Today, in overall network security solutions, intrusion detection has become an indispensable component. However, with the continuous expansion of network scale and the growing complexity of the means of attack, Distributed Intrusion Detection System
Computer systems have been made increasingly secure over the past decades. However, new attacks and the spread of harmful viruses have shown that better methods must be used. One approach gaining increasing popularity in the computer community is to use Intrusion Detection Systems (IDSs). Intrusion Detection Systems identify attacks against a system or users performing illegitimate actions. Using a common analogy, having an Intrusion Detection System is like having a ”burglar alarm” in your house. The alarm will not prevent the burglar from breaking into your house, but it will detect and warn you of the problem. Following the publication of the first research in Intrusion Detection Systems, a large number of diverse applications have been developed. One method of accomplishing this type of detection is the use of file system integrity tools. When a system is compromised, an attacker will often alter certain key files to provide continued access and to prevent detection. The changes could target any portion of the system software, e.g. the kernel, libraries, log files, or other sensitive files.
DEPT. OF CSE / B.T.L.I.T 1
DISTRIBUTED INTRUSION DETECTION SYSTEM BASED ON PROTOCOL ANALYSIS
1.1 FILE SYSTEM INTEGRITY
File system integrity checkers detect those changes and trigger a corresponding alert. To guarantee the integrity of the file system, two approaches can be followed.
The first approach is to create a secure database, which is usually composed of hashes. The stored hash is periodically checked against a newly computed hash. This method is used by tools such as Tripwire, Aide and others.
The second, more recent approach is to create digital signatures of sensitive data, such as executable files using asymmetric cryptography, and use these signatures to check the integrity of the signed file.
Both approaches have advantages and drawbacks, but they share a common flaw: the auditing relies on the validity of the operating system. All the previous applications have made the assumption that the OS itself is not corrupted. Once the operating system is compromised the intruder can easily defeat integrity tools. As an example, in the Linux operating system, redirecting system calls using kernel modules can potentially compromise the system.
Also, since the binary of the Integrity Tool resides in the machine to be audited, the attacker may be able to corrupt the binary or the configuration files of the tool. This work develops a novel way to overcome the problems of traditional Integrity Tools. Our approach is to use a Distributed Intrusion Detection System Based on Protocol Analysis, to perform the integrity detection checks.
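The hash-database approach of section 1.1, as an added example (not code from the report or from Tripwire or Aide): a baseline of SHA-256 hashes is built over a directory tree, and a later check reports files that were modified, removed or added. The directory tree, file contents and the name "extra.conf" are constructed for the demo. The baseline is serialised to a JSON string to stand in for storage off the audited host; as the text explains, the check itself still runs on top of the local operating system, so kernel-level tampering with what the tool reads is outside its reach.

```python
import hashlib
import json
import os
import tempfile

def file_hash(path, algorithm="sha256", chunk=65536):
    """Hash one file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Walk root and record one hash per file: the 'secure database' of hashes."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_hash(full)
    return baseline

def check_integrity(root, baseline):
    """Recompute hashes and report which files changed, vanished or appeared."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed scenario: baseline a small tree, then truncate a log and add a file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "auth.log"), "w") as f:
            f.write("session opened for user alice\n")
        baseline = build_baseline(root)
        # Serialise the baseline; in a real deployment this copy is kept off the
        # audited host, since a baseline the intruder can rewrite proves nothing.
        stored = json.dumps(baseline)
        with open(os.path.join(root, "auth.log"), "w") as f:
            f.write("")                       # log truncated after the baseline
        with open(os.path.join(root, "etc", "extra.conf"), "w") as f:
            f.write("x=1\n")                  # unexpected new file
        return check_integrity(root, json.loads(stored))

if __name__ == "__main__":
    print(demo())
```

Running the block prints a report with "auth.log" under modified and "etc/extra.conf" under added; a hash of the baseline file itself, stored separately, would additionally let the checker notice a tampered baseline.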
The area of distributed computing systems provides a promising domain for applications of machine learning methods. One of the most interesting aspects of such applications is that learning algorithms that are embedded in a distributed computing infrastructure are themselves part of that infrastructure and must respect its inherent local computing constraints (e.g., constraints on bandwidth, latency, reliability, etc.), while attempting to aggregate information across the infrastructure so as to improve system performance (or, availability) in a global sense.
Consider, for example, the problem of detecting anomalies in a wide-area network. While it is straightforward to embed learning algorithms at local nodes to attempt to detect node-level anomalies, these anomalies may not be indicative of network-level problems. Indeed, recent work demonstrated a useful role for Principal Component Analysis (PCA) in detecting network anomalies. It showed that the minor components of PCA (the subspace obtained after removing the components with the largest eigenvalues) revealed anomalies that were not detectable in any single node-level trace. While that work did not face the distributed data analysis problem (it involved centralized, off-line analysis of blocks of data), it does provide clear motivation for attempting to design a distributed PCA-based system for analyzing network anomalies in real time. The development of such a design involves facing several challenging problems that have not been addressed in previous work. Naive solutions that continuously push all data to a central analysis site simply cannot scale to large networks or massive data streams. Instead, viable solutions need to process data in-network, to intelligently control the frequency and size of data communications.
The key underlying problem is that of developing a mathematical understanding of how to trade off the quantization arising from local bandwidth restrictions against the delay of the data analysis. We also need to understand how this trade-off impacts overall detection accuracy. Finally, the implementation needs to be simple if it is to have an impact on developers.
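The minor-component idea from the paragraph above, as an added example that is not part of the report: per-node traffic counters (bytes in, bytes out) are constructed so that normal nodes send about twice what they receive. PCA on the 2-by-2 covariance matrix is done in closed form; a point's projection onto the minor component (the eigenvector with the smaller eigenvalue) is its residual, and a residual beyond three standard deviations of that component is flagged. The sample data, the 3-sigma threshold and the two-feature restriction are assumptions of the example; the point it illustrates is the one the text makes: a point can be within range on every single counter and still be anomalous in the residual subspace.

```python
import math

# Constructed sample of per-node traffic counters (bytes in, bytes out) from a
# window of normal operation. Assumption: normal nodes send about twice what
# they receive, so the points lie near one line and the minor component is small.
NORMAL_TRAFFIC = [(100, 205), (120, 238), (80, 165), (150, 298),
                  (90, 182), (130, 262), (110, 221)]

def covariance_2d(points):
    """Mean and sample covariance matrix [[a, b], [b, c]] of 2-D points."""
    n = len(points)
    mx = sum(p[0] for p in points) / n
    my = sum(p[1] for p in points) / n
    a = sum((x - mx) ** 2 for x, _ in points) / (n - 1)
    c = sum((y - my) ** 2 for _, y in points) / (n - 1)
    b = sum((x - mx) * (y - my) for x, y in points) / (n - 1)
    return (mx, my), (a, b, c)

def eigen_2d(a, b, c):
    """Eigenpairs of the symmetric matrix [[a, b], [b, c]], largest eigenvalue first."""
    half, disc = (a + c) / 2, math.sqrt(((a - c) / 2) ** 2 + b * b)
    lam1, lam2 = half + disc, half - disc
    def unit_vector(lam):
        # (a - lam) x + b y = 0  ->  (x, y) = (b, lam - a) when b != 0
        if abs(b) > 1e-12:
            v = (b, lam - a)
        else:
            v = (1.0, 0.0) if abs(lam - a) < abs(lam - c) else (0.0, 1.0)
        norm = math.hypot(v[0], v[1])
        return (v[0] / norm, v[1] / norm)
    return (lam1, unit_vector(lam1)), (lam2, unit_vector(lam2))

class PcaResidualDetector:
    """Scores a point by its projection onto the minor (residual) component.
    Points far from the major axis are anomalous even when each counter alone
    is inside the range seen in training."""
    def __init__(self, points, sigmas=3.0):
        (self.mx, self.my), (a, b, c) = covariance_2d(points)
        (self.lam1, self.major), (self.lam2, self.minor) = eigen_2d(a, b, c)
        # lam2 is the variance along the minor axis; alarm beyond `sigmas` std devs
        self.threshold = sigmas * math.sqrt(max(self.lam2, 1e-12))

    def residual(self, point):
        dx, dy = point[0] - self.mx, point[1] - self.my
        return abs(dx * self.minor[0] + dy * self.minor[1])

    def is_anomalous(self, point):
        return self.residual(point) > self.threshold

def within_single_counter_ranges(point, points):
    """The per-counter check a node-level monitor would do: is each value in range?"""
    xs, ys = [p[0] for p in points], [p[1] for p in points]
    return min(xs) <= point[0] <= max(xs) and min(ys) <= point[1] <= max(ys)

if __name__ == "__main__":
    det = PcaResidualDetector(NORMAL_TRAFFIC)
    for p in [(105, 212), (140, 180)]:
        print(p, "in range:", within_single_counter_ranges(p, NORMAL_TRAFFIC),
              "residual anomaly:", det.is_anomalous(p))
```

The point (140, 180) passes the per-counter range check (both values occur among the normal nodes) but its residual is far beyond the threshold, which is exactly the kind of anomaly the minor components expose. In the distributed setting the text goes on to discuss, each node would ship only its residual score, or a quantized version of it, rather than the raw counters.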
TRADITIONAL INTRUSION DETECTION SYSTEM
A Traditional intrusion detection system (TIDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization. IDPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack's content.
Alert/Alarm: A signal suggesting that a system has been or is being attacked.
True Positive: A legitimate attack which triggers TIDS to produce an alarm.
False Positive: An event signaling TIDS to produce an alarm when no attack has taken place.
False Negative: A failure of TIDS to detect an actual attack.
True Negative: When no attack has taken place and no alarm is raised.
Noise: Data or interference that can trigger a false positive.
Site policy: Guidelines within an organization that control the rules and configurations of TIDS.
Site policy awareness: The ability a TIDS has to dynamically change its rules and configurations in response to changing environmental activity.
Confidence value: A value an organization places on a TIDS based on past performance and analysis to help determine its ability to effectively identify an attack.
Alarm filtering: The process of categorizing attack alerts produced from a TIDS in order to distinguish false positives from actual attacks.
Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
Masquerader: A user who does not have the authority to a system, but tries to access the information as an authorized user. They are generally outside users.
Misfeasor: They are commonly internal users and can be of two types:
1. A user with full permissions and who misuses their powers.
2. An authorized user with limited permissions.
Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.
2.2 TYPES
For the purpose of dealing with IT, there are two main types of IDS:
2.2.1 Network intrusion detection system (NIDS)
It is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS is Snort.
2.2.2 Host-based intrusion detection system (HIDS)
It consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, filesystem modifications (binaries, password files, capability databases, access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. An example of a HIDS is OSSEC. Intrusion detection systems can also be system-specific, using custom tools and honey pots. Some application-based IDS are also part of this category.
2.3 PASSIVE AND/OR REACTIVE SYSTEMS
In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and/or to the owner. In a reactive system, also known as an intrusion prevention system (IPS), the IPS auto-responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. The term IDPS is commonly used where this can happen automatically or at the command of an operator: systems that both "detect" (alert) and/or "prevent."
2.4 COMPARISON WITH FIREWALLS
Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an intrusion prevention system, and is another form of an application layer firewall.
2.5 STATISTICAL ANOMALY AND SIGNATURE BASED IDSs
All Intrusion Detection Systems use one of two detection techniques:
2.5.1 Statistical anomaly-based IDS
A statistical anomaly-based IDS determines normal network activity, such as what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other, and alerts the administrator or user when traffic is detected which is anomalous (not normal).
2.5.2 Signature-based IDS
A signature-based IDS monitors packets in the network and compares them with preconfigured and predetermined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and the signature being applied in the IDS for detecting the threat. During this lag time your IDS will be unable to identify the threat.
2.6 TRADITIONAL IDS MODEL
Detection of known attacks: Should have the ability to determine the malicious attackers.
Real-time/near real-time analysis: Analyze information sources gathered by the IDS sensor as soon as possible.
Minimal resource: Use the minimal resource in the systems when monitoring.
High accuracy: Make sure the detection is correct and lower the false alarms.
CHAPTER 3 THE ROLES AND RELATIONSHIPS IN TIDS
Hackers: People who attempt to gain unauthorized access to a computer system. These people are often malicious and have many tools for breaking into a system.
System Manager (SM): The person who takes charge of minimizing excess use, network management, and system maintenance costs. If a system under attack results in IDS alarms, they have to make efforts to find out where the problem is.
Fig. 3.1: Relationship in TIDS
Detection System (DS): The system that monitors the events occurring in protected hosts or networks and analyzes them for signs of intrusions. Intrusion is a major concern for every network and can be harmful to the entire system. Thus we need a detection system to detect intrusions before they go beyond their early stages of damage to the network.
CHAPTER 4 PROTOCOL ANALYSIS TECHNOLOGY
The early detection technologies commonly used in Intrusion Detection Systems are misuse detection and anomaly detection. Misuse detection technology matches and identifies attacks based on the known methods of intrusion. It is characterized by simplicity and good scalability, and its configuration and maintenance are very convenient, so it is widely used, but it applies only to relatively simple attacks. The detection technique it commonly uses is simple pattern matching. Simple pattern matching, however, has a big performance problem and a high false alarm rate. An anomaly detection system stores the user's normal patterns of behavior in advance, and cases inconsistent with the normal behavior patterns of users are considered aggression; it is characterized by detecting abnormal behavior of the system and thereby finding unknown attack patterns. The key question of anomaly detection is the establishment of normal usage patterns and how to use the model to compare the current system/user behavior with the normal in order to judge the degree of deviation from the model. Anomaly Detection Intrusion Detection Systems are the main research direction. IDS systems using these two methods do not have the intelligence to determine the true intention behind these patterns, and this is where the results and advantages of protocol analysis come in. Protocol analysis is the main technological means by which the new generation of IDS systems detects attacks. Protocol decoding not only decodes the bottom-layer protocol but also the application layer protocol; it uses the high degree of regularity of protocols, that is, the known location of each field, to analyze only the information useful for intrusion detection. Since protocol analysis guides the search to a clearly specified part of the packet rather than the entire payload, it reduces the search space; because of this, in terms of system implementation and detection efficiency, it is able to improve the efficiency of intrusion detection.
4.1 ANOMALY DETECTION INTRUSION DETECTION SYSTEM
• An anomaly is a pattern in the data that does not conform to the expected behaviour
• Also referred to as outliers, exceptions, peculiarities, surprise, etc.
• Anomalies translate to significant (often critical) real life entities – Cyber intrusions – Credit card fraud
4.2 REAL WORLD ANOMALIES
• Credit Card Fraud – An abnormally high purchase made on a credit card
• Cyber Intrusions – A web server involved in ftp traffic
Fig. 4.1: Cyber intrusion
Fig 4.2: Credit card fraud
4.3 KEY CHALLENGES
• Defining a representative normal region is challenging
• The boundary between normal and outlying behavior is often not precise
• The exact notion of an outlier is different for different application domains
• Availability of labelled data for training/validation
• Malicious adversaries
• Data might contain noise
• Normal behaviour keeps evolving
4.4 TYPE OF ANOMALY
Point Anomalies - An individual data instance is anomalous w.r.t. the data.
Fig. 4.3: Point Anomalies
Contextual Anomalies - An individual data instance is anomalous within a context. Requires a notion of context; also referred to as conditional anomalies.
Fig. 4.4: Contextual Anomalies
Collective Anomalies - A collection of related data instances is anomalous. Requires a relationship among data instances:
- Sequential Data
- Spatial Data
- Graph Data
Fig. 4.5: Collective Anomalies (anomalous subsequence)
CHAPTER 5 THE FUNDAMENTAL STRUCTURE OF PROTOCOL
Protocol decoding not only decodes the bottom-layer protocol but also the application layer protocol; the upper protocols include IP, ARP, IPX, NetBEUI, SNMP and so on. They are able to improve the efficiency of intrusion detection.
Fig 5.1: Protocol Structure
Ethernet MAC frame format: there are two different standards, one is DIX Ethernet V2 and the other is the IEEE standard 802.3. The Ethernet V2 format is often used in current MAC frames; its frame format is shown in fig. 5.2.
Fig. 5.2: Ethernet Frame Format
5.1 TWO IMPORTANT STAGES OF PROTOCOL ANALYSIS
5.1.1 IP datagram
Among the transmission protocols, TCP, UDP, ICMP and IGMP data are all carried in the IP data transmission format. An IP datagram is divided into the IP header and the IP data. The IP header contains the version, header length, service type, total length (TL), identifier, flags, fragment offset, TTL, protocol type, header checksum, source IP address and destination IP address. Reference fig. 5.3.
Fig. 5.3: IP Datagram Format
The protocol field accounts for 8 bits; its value indicates which kind of protocol the data carried by this IP datagram uses. For example, a protocol field value of 6 indicates that the data part uses the TCP protocol.
5.1.2 TCP datagram
Transmission Control Protocol is a reliable, connection-oriented transmission service. It transmits in segments, and a conversation must be built before data is exchanged. It communicates a bit stream, that is, unstructured data as a byte stream. A TCP datagram is divided into the TCP header and the TCP data. The header contains the source port, destination port, sequence number, acknowledgment number and so on, as shown in fig. 5.4.
Fig. 5.4: TCP Segment Format
Where:
Source Port: The 16-bit source port number.
Destination Port: The 16-bit destination port number.
Sequence Number: The sequence number of the first data byte in this segment. If the SYN control bit is set, the sequence number is the initial sequence number (n) and the first data byte is n+1.
Acknowledgment Number: If the ACK control bit is set, this field contains the value of the next sequence number that the receiver is expecting to receive. Each transmitted TCP sequence number is specified, for reliability, and used by the receiver to reply.
Data Offset: The number of 32-bit words in the TCP header. It indicates where the data begins.
Reserved: Six bits reserved for future use; must be zero.
URG: Indicates that the urgent pointer field is significant in this segment.
ACK: Indicates that the acknowledgment field is significant in this segment.
PSH: Push function.
RST: Resets the connection.
SYN: Synchronizes the sequence numbers.
FIN: No more data from sender.
Window: Used in ACK segments. It specifies the number of data bytes, beginning with the one indicated in the acknowledgment number field, which the receiver (= the sender of this segment) is willing to accept.
Checksum: The 16-bit one's complement of the one's complement sum of all 16-bit words in a pseudo-header, the TCP header and the TCP data. The pseudo-header is the same as that used by UDP for calculating the checksum. It is a pseudo-IP header, only used for the checksum calculation, with the format shown in fig. 5.5.
Fig. 5.5: Pseudo-IP Header
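The IP and TCP header layouts of figs. 5.3 to 5.5, as an added example that is not code from the report: the block parses the fixed 20-byte IP and TCP headers, recomputes the IP header checksum, and recomputes the TCP checksum over the pseudo-IP header (source address, destination address, zero, protocol 6, TCP length) plus header and data, exactly as the Checksum entry above defines it. The packet it checks is constructed inline (private addresses 10.0.0.5 and 10.0.0.9, an FTP control-port segment with PSH and ACK set); a second copy has one payload bit flipped after the checksums were written, which is the failure a detector's decoder must notice before trusting the payload.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry, as the checksum definition requires."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ip_header_checksum(header: bytes) -> int:
    """Header checksum over the IP header with its checksum field taken as zero."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-IP header (fig. 5.5) + TCP header + TCP data.
    The segment must have its own checksum field set to zero."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))   # zero, protocol 6, TCP length
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF

def parse_ip_header(packet: bytes) -> dict:
    """Fixed 20-byte IPv4 header (fig. 5.3); options, if any, are skipped via header_length."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"version": ver_ihl >> 4, "header_length": (ver_ihl & 0x0F) * 4,
            "service_type": tos, "total_length": total_len, "identifier": ident,
            "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
            "ttl": ttl, "protocol": proto, "header_checksum": csum,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # flag bits 0 .. 5

def parse_tcp_header(segment: bytes) -> dict:
    """Fixed 20-byte TCP header (fig. 5.4)."""
    (sport, dport, seq, ack, off_flags,
     window, csum, urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)],
            "window": window, "checksum": csum, "urgent_pointer": urg,
            "data": segment[data_offset:]}

def verify_packet(packet: bytes) -> dict:
    """Check both checksums of an IPv4/TCP packet and return the parsed headers."""
    ip = parse_ip_header(packet)
    header = packet[:ip["header_length"]]
    segment = packet[ip["header_length"]:ip["total_length"]]
    tcp = parse_tcp_header(segment)
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return {"ip": ip, "tcp": tcp,
            # a correct header sums (with its checksum) to all ones
            "ip_checksum_ok": ones_complement_sum(header) == 0xFFFF,
            "tcp_checksum_ok": tcp_checksum(ip["src"], ip["dst"], zeroed) == tcp["checksum"]}

def build_sample_packet(payload: bytes = b"RETR report.txt\r\n", corrupt: bool = False) -> bytes:
    """Constructed IPv4/TCP packet toward an FTP control port, with valid checksums;
    corrupt=True flips one payload bit after the checksums were computed."""
    src, dst = "10.0.0.5", "10.0.0.9"       # constructed private addresses
    tcp = struct.pack("!HHIIHHHH", 40000, 21, 1000, 2000, (5 << 12) | 0x18, 8192, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    if corrupt:
        tcp = tcp[:-1] + bytes([tcp[-1] ^ 0x01])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_header_checksum(ip)) + ip[12:]
    return ip + tcp

if __name__ == "__main__":
    for corrupt in (False, True):
        r = verify_packet(build_sample_packet(corrupt=corrupt))
        print("corrupt" if corrupt else "intact", r["tcp"]["flags"],
              "ip ok:", r["ip_checksum_ok"], "tcp ok:", r["tcp_checksum_ok"])
```

The one-byte flip leaves the IP header checksum valid (the header is untouched) while the TCP checksum fails, which shows why the two checks cover different parts of the packet.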
CHAPTER 6 DISTRIBUTED INTRUSION DETECTION ON PROTOCOL ANALYSIS
6.1 DETECTOR UNIT MODEL
The most important part of the system is the design and working pattern of the Detect Module, which is based on the principle of protocol analysis. It contains two parts: the data capture module and the protocol analysis module.
Data capture module: The major role of the data capture module is to capture data on the network and then send the data to the protocol analysis part; its role is simpler and easy to achieve.
Protocol analysis module: Protocol analysis is the focus of this module; it parses the captured data. Its working principle is as follows. From the Ethernet frame, get the Ethernet header. The Ethernet header length is 14 bytes, consisting of the 6-byte destination Ethernet address, the 6-byte source Ethernet address and the 2-byte frame type. The frame type gives the type of protocol carried in the data frame, such as ARP, RARP, IP, IPX, etc.; their corresponding protocol numbers are 0806, 8035, 0800, 8137. ARP/RARP are data link protocols, and IP and IPX are network layer protocols. Where there are no option items, we have only the IP (0800) protocol for further analysis. The IP header length is 20 bytes where there are no option items; its main contents include the following: source IP address, destination IP address, fragment flag and offset, and the protocol type of the IP load (one byte long), that is, the protocol type field within the IP packet indicates the protocol type of the IP packet load. In the transport layer, TCP, UDP and ICMP have the corresponding protocol numbers 6, 17 and 1. The TCP header length is 20 bytes; its main contents include source port, destination port, sequence number, ACK and so on. The TCP header contains six flags: URG, ACK, PSH, RST, SYN, FIN. The six flags reflect the status of the TCP connection: for example, a TCP connection always begins with the two sides exchanging SYN packets to create a new connection, and is terminated through FIN or RST. The application layer contains many protocols, such as FTP, TELNET, E-MAIL, WWW and so on; we only analyze some daily applications. The packet type can be obtained from the source port and destination port of the TCP packet, such as TELNET port 23, EMAIL port 25 and so on. The protocol analysis module extracts the protocol keywords from the application-layer data of the packet; for FTP packets, for example, it can extract RETR (GET operation), STOR (PUT operation) and other protocol keywords. After doing this protocol analysis and comparing these keywords at the top of the detector modules, we will be able to determine whether a network intrusion has happened.
6.1.1 Ethernet Version 2
The original Ethernet Version 2 frame varies slightly from the 802.3 Ethernet frame format in that a Type field, also referred to as Ethernet type, is used in place of the Length field (also 2 bytes), as shown on the Ethernet V2 Frame Format Diagram.
Fig 6.1: Ethernet V2 Frame Format
6.1.2 Ethernet 802.3
The 802.3 format of an Ethernet frame is shown on the IEEE 802.3 Ethernet Frame Format Diagram. It has a Length field instead of a Type field, and an 802.2 LLC header (not shown) in the Information field. As mentioned in the previous lesson, the LLC header DSAP field indicates the protocol being carried and steers the frame to the appropriate process in the Network Layer. An 802.3 Length field will always have a value of less than 0x0600.
Fig 6.2: IEEE 802.3 Ethernet Frame Format
6.1.3 802.1Q VLAN Frames
With the establishment of the 802.1Q VLAN standard, it is now possible to mix vendor switch equipment and have the VLANs interoperate. That is, frames travelling from switch to switch between VLANs carry VLAN membership information that all equipment meeting the standard recognizes. The 802.1Q tag follows the standard MAC header in Ethernet frames. If the frame is VLAN-tagged, the Type field contains a value of 0x8100. The VLAN-tag format uses the next 2 bytes after the 0x8100 Type field for the VLAN tag. These 16 bits contain the 3-bit frame priority, the canonical format indicator (CFI), and the 12-bit VLAN ID. Following the VLAN tag would be the original 802.3 Length field or Version 2 Type value that the frame would have carried had it not been tagged. Another way of looking at this is that Ethernet frames have either a Length or a Type field. If the original frame was Length-encoded, the 2 bytes following the VLAN tag would be a Length field, followed by the LLC header as the first part of the Information field. This concept is illustrated on the 802.1Q Length-Encoded Frame Format Diagram.
If Length-encoded: 8100 0020 01A6 -- The 8100h and 0020h are the 4 additional VLAN bytes; the 01A6 is an example of a valid 802.3 length. When using LLC, the LLC header would follow in the Information field.
Fig 6.3: Length-Encoded Frame Format
If Type-encoded: 8100 0020 0800 -- The 0800h is in the Type field, indicating IP is being carried. That is, if this is an 802.1Q-tagged Type-encoded frame carrying IP, the 2 bytes after the VLAN tag will be 0x0800. If not using LLC, the field is Type-encoded. This concept is illustrated on the 802.1Q Type-Encoded Frame Format Diagram.
Fig 6.4: Type-Encoded Frame Format
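The Detect Module's protocol analysis chain from 6.1, together with the three framings of 6.1.1 to 6.1.3, as one added example (not the report's code): the block strips the 14-byte MAC header, recognizes a 0x8100 VLAN tag and reads the VLAN ID from the tag, classifies the following 2-byte field as an 802.3 Length (below 0x0600) or a V2 Type, follows only Type 0800 into the IP header, follows only protocol 6 into the TCP header, reads the six flags and the ports, and on the FTP control port extracts the command keyword. A small Process Module then matches (application, keyword) reports against a rule base. The rule base (RETR and STOR on FTP), the port table, the MAC addresses and the four sample frames are constructed for the demo; checksums in the constructed frames are left at zero and are not verified here.

```python
import struct

ETHERTYPES = {0x0806: "ARP", 0x8035: "RARP", 0x0800: "IP", 0x8137: "IPX"}
IP_PROTOCOLS = {6: "TCP", 17: "UDP", 1: "ICMP"}
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
APP_PORTS = {21: "FTP", 23: "TELNET", 25: "EMAIL", 80: "WWW"}

# Constructed rule base for the Process Module: (application, keyword) pairs
# whose appearance the operator wants reported.
RULE_BASE = {("FTP", "RETR"), ("FTP", "STOR")}

def parse_ethernet(frame: bytes) -> dict:
    """Strip the 14-byte MAC header and an optional 802.1Q tag, then classify the
    2-byte field after them as a Length (< 0x0600, 802.3/LLC) or a Type (V2)."""
    dst, src, field = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if field == 0x8100:                      # VLAN-tagged: TCI, then the original Length/Type
        tci, field = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18      # TCI = priority(3) | CFI(1) | VLAN ID(12)
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "payload": frame[offset:], "type": None, "length": None}
    if field < 0x0600:
        info["length"] = field               # 802.3: the LLC header starts the Information field
    else:
        info["type"] = field
    return info

def analyze_frame(frame: bytes) -> dict:
    """Detect Module: Ethernet -> IP -> TCP -> application keyword, as in 6.1."""
    eth = parse_ethernet(frame)
    report = {"vlan": eth["vlan"], "app": None, "keyword": None, "flags": [],
              "link": "802.3/LLC" if eth["type"] is None
                      else ETHERTYPES.get(eth["type"], hex(eth["type"]))}
    if eth["type"] != 0x0800:                # only IP (0800) goes on for further analysis
        return report
    ip = eth["payload"]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes (20 without options)
    report["transport"] = IP_PROTOCOLS.get(ip[9], str(ip[9]))
    if ip[9] != 6:                           # protocol field: only TCP is followed here
        return report
    tcp = ip[ihl:]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    report["flags"] = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    report["app"] = APP_PORTS.get(dport) or APP_PORTS.get(sport)
    data = tcp[(off_flags >> 12) * 4:]
    if report["app"] == "FTP" and data:      # an FTP command is the first word of the line
        report["keyword"] = data.split(None, 1)[0].decode("ascii", "replace").upper()
    return report

def process_module(reports):
    """Process Module: keep the reports whose (app, keyword) is in the rule base."""
    return [r for r in reports if (r["app"], r["keyword"]) in RULE_BASE]

# --- constructed frames for the demo (checksums left zero; not verified here) ---
def build_ip_tcp(sport, dport, flags, payload=b""):
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 8192, 0, 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                       bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])) + tcp

def build_frame(payload, field=0x0800, vlan=None):
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")   # dst, src (made up)
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)                            # e.g. 8100 0020
    return hdr + struct.pack("!H", field) + payload

SAMPLE_FRAMES = {
    "ftp_retr_vlan": build_frame(build_ip_tcp(40000, 21, 0x18, b"RETR report.txt\r\n"), vlan=0x0020),
    "telnet_syn": build_frame(build_ip_tcp(40001, 23, 0x02)),
    "arp": build_frame(b"\x00" * 28, field=0x0806),
    "len_encoded_llc": build_frame(b"\xaa\xaa\x03" + b"\x00" * 40, field=0x01A6),
}

if __name__ == "__main__":
    reports = [analyze_frame(f) for f in SAMPLE_FRAMES.values()]
    for name, r in zip(SAMPLE_FRAMES, reports):
        print(name, r)
    print("rule base hits:", process_module(reports))
```

Only the tagged FTP frame reaches the rule base: the 802.3 frame stops at the Length field, the ARP frame stops at the Type field, and the TELNET SYN yields ports and flags but no keyword, which is the narrowing of the search space that chapter 4 describes.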
6.2 DISTRIBUTED INTRUSION DETECTION SYSTEM MODEL
Although an Intrusion Detection System can identify unauthorized use, abuse or misuse of computer and network systems, as intrusions have become more and more complex, an individual intrusion detection system has been unable to deal with complex security issues. So a number of intrusion detection system agents are placed on the network, and a process module is set up to deal with the keyword data carried from the intrusion detection system agents, doing comprehensive analysis to determine whether an attack has happened; this is the Distributed Intrusion Detection System. This system is divided into the Detect Module, the Process Module and the Response Module; the relationship between the various modules is shown in Figure 6.5. In this model, the Detect Module and the Process Module make up a complete intrusion detection system. Each detection module is a micro data-analysis system; the data they obtain through analysis is reported through a high-speed link to the Process Module. Internet data passes through the Detect Module and the Process Module and can arrive at a user computer after the detection. After the network intrusion detection, the Process Module sends the intrusion signal to the Response Module to alarm the user; the Response Module then determines whether there is an intrusion.
Fig. 6.5: Model of Distributed Intrusion Detection System.
The Process Module contains a rule base, which holds the keyword set of currently common intrusion modes; with the emergence of new intrusion techniques the rule base expands in size, and keywords can also be deleted. The Detect Module sends the keywords to the rule base for comparison; if the string of arriving keywords matches the rules of the rule base, then the intrusion has happened. The Response Module reports the intrusion to the user, as well as advising the user of the attack means and the aim of the attack, allowing users to take timely preventive measures to avoid losses.
CHAPTER 7 CHARACTERISTICS OF THE DIDS SYSTEM

Intrusion detection is the problem of identifying unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrators. The proliferation of heterogeneous computer networks provides additional implications for the intrusion detection problem. Namely, the increased connectivity of computer systems gives greater access to outsiders, and makes it easier for intruders to avoid detection. IDSs are based on the belief that an intruder's behavior will be noticeably different from that of a legitimate user. This chapter describes the design and implementation of a prototype Distributed Intrusion Detection System (DIDS) that combines distributed monitoring and data reduction (through individual host and LAN monitors) with centralized data analysis (through the DIDS director) to monitor a heterogeneous network of computers. This approach is unique among current IDSs. A main problem considered here is the Network-user Identification problem, which is concerned with tracking a user moving across the network, possibly with a new user-id on each computer. Initial system prototypes have provided quite favorable results on this problem and on the detection of attacks on a network. The chapter provides an overview of the motivation behind DIDS, the system architecture and capabilities, and a discussion of the early prototype.

7.1 SCENARIOS

The detection of certain attacks against a networked system of computers requires information from multiple sources. A simple example of such an attack is the so-called doorknob attack. In a doorknob attack the intruder's goal is to discover, and gain access to, insufficiently-protected hosts on a system. The intruder generally tries a few common account and password combinations on each of a number of computers. These simple attacks can be remarkably successful. As a case in point, UC Davis' NSM recently observed an attacker of this type gaining super-user access to an external computer which did not require a password for the super-user account. In this case, the intruder used telnet to make the connection from a university computer system, and then repeatedly tried to gain access to several different computers at the external site. In cases like these, the intruder tries only a few logins on each machine (usually with different account names), which means that an IDS on each host may not flag the attack. Even if the behavior is recognized as an attack on the individual host, current IDSs are generally unable to correlate reports from multiple hosts; thus they cannot recognize the doorknob attack as such. Because DIDS aggregates and correlates data from multiple hosts and the network, it is in a position to recognize the doorknob attack by detecting the pattern of repeated failed logins even though there may be too few on a single host to alert that host's monitor. DIDS would not only report the attack, but may also be able to identify the source of the attack, assuming that the source machine was in the monitored domain.

In another incident, our NSM recently observed an intruder gaining access to a computer using a guest account which did not require a password. Once the attacker had access to the system, he exhibited behavior which would have alerted most existing IDSs (e.g., changing passwords and failed events). In an incident such as this, while most IDSs would report the occurrence of an incident involving user "guest" on the target machine, DIDS would also report that user "guest" was really, for example, user "smith" on the source machine. It may also be possible to go even further back and identify all of the different user accounts in the "chain" to find the initial launching point of the attack. Note that DIDS should be at least as effective as host-based IDSs (if we implement all of their functionality in the DIDS host monitor), and at least as effective as the stand-alone NSM.

Another possible scenario is what we call network browsing. This occurs when a (network) user is looking through a number of files on several different computers within a short period of time. The browsing activity level on any single host may not be high enough to raise any alarm by itself. However, the network-wide, aggregated browsing activity level may be high enough to raise suspicion about this user. Network browsing can be detected as follows. Each host monitor will report that a particular user is browsing on that system, even if the corresponding degree of browsing is small. The expert system can then aggregate such information from multiple hosts to determine that all of the browsing activity corresponds to the same network user. This scenario presents a key challenge for DIDS: the tradeoff between sending all audit records to the director and missing attacks because the thresholds on each host are not exceeded.

In addition to the specific scenarios outlined above, there are a number of general ways that an intruder can use the connectivity of the network to hide his trail and to enhance his effectiveness. Some of the attack configurations which have been hypothesized include chain and parallel attacks. DIDS combats these inherent vulnerabilities of the network by using the very same connectivity to help track and detect the intruder.
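As an added example (not code from the report or from DIDS itself), the following Python sketch shows the data-reduction and correlation pattern that the doorknob and network-browsing scenarios above share: each host monitor counts events locally and ships only a per-source summary to the director, and the director alarms on the network-wide total even though no single host crossed its own threshold. The host names, source names, thresholds and event tuples are all constructed for the illustration.

```python
from collections import Counter, defaultdict

# Constructed host-monitor events (not DIDS output).
# Each tuple is (host, local_account, source_host, kind).
HOST_EVENTS = [
    ("host1", "root",  "pc42", "failed_login"),   # doorknob: two tries per host
    ("host1", "guest", "pc42", "failed_login"),
    ("host2", "root",  "pc42", "failed_login"),
    ("host2", "admin", "pc42", "failed_login"),
    ("host3", "root",  "pc42", "failed_login"),
    ("host3", "guest", "pc42", "failed_login"),
    ("host2", "bob",   "ws7",  "failed_login"),   # a single typo: noise
    ("host1", "smith", "ws3",  "file_read"),      # browsing: a little per host
    ("host1", "smith", "ws3",  "file_read"),
    ("host2", "jones", "ws3",  "file_read"),
    ("host2", "jones", "ws3",  "file_read"),
    ("host3", "lee",   "ws3",  "file_read"),
    ("host3", "lee",   "ws3",  "file_read"),
]

HOST_THRESHOLD = 3      # assumed per-host alarm threshold
NETWORK_THRESHOLD = 5   # assumed director-level threshold ...
MIN_HOSTS = 2           # ... which must also span several hosts


def host_monitor(host, events, threshold=HOST_THRESHOLD):
    """Local processing on one host: count events per (source, kind).
    Returns (local_alarms, summary). Only the summary crosses the network,
    which is the data reduction the text describes."""
    counts = Counter()
    accounts = defaultdict(set)
    for h, account, source, kind in events:
        if h != host:
            continue
        counts[(source, kind)] += 1
        accounts[(source, kind)].add(account)
    alarms = {k for k, n in counts.items() if n >= threshold}
    summary = [(host, source, kind, n, sorted(accounts[(source, kind)]))
               for (source, kind), n in counts.items()]
    return alarms, summary


def director(summaries, threshold=NETWORK_THRESHOLD, min_hosts=MIN_HOSTS):
    """Centralised correlation: aggregate per-host summaries by (source, kind)
    and alarm on the network-wide count, not on any single host's count."""
    total = Counter()
    hosts = defaultdict(set)
    accounts = defaultdict(set)
    for host, source, kind, n, accts in summaries:
        total[(source, kind)] += n
        hosts[(source, kind)].add(host)
        accounts[(source, kind)].update(accts)
    alarms = {}
    for key, n in total.items():
        if n >= threshold and len(hosts[key]) >= min_hosts:
            alarms[key] = {"count": n, "hosts": sorted(hosts[key]),
                           "accounts": sorted(accounts[key])}
    return alarms


def run(events=HOST_EVENTS):
    """Run every host monitor, then the director over their summaries."""
    local_alarms = set()
    summaries = []
    for host in sorted({e[0] for e in events}):
        alarms, summary = host_monitor(host, events)
        local_alarms |= alarms
        summaries.extend(summary)
    return local_alarms, director(summaries)


if __name__ == "__main__":
    local, network = run()
    print("per-host alarms:", local)            # nothing fires locally
    for key, info in network.items():
        print("director alarm:", key, info)     # pc42 doorknob, ws3 browsing
```

Lowering HOST_THRESHOLD makes the hosts alarm themselves at the price of more traffic to the director; raising NETWORK_THRESHOLD hides the attack again. That is the tradeoff the paragraph names, made concrete.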
7.2 THE NETWORK-USER IDENTIFICATION (NID)

One of the most interesting challenges for intrusion detection in a networked environment is to track users and objects (e.g., files) as they move across the network. In a networked environment, an intruder may often choose to employ the interconnectivity of the computers to hide his true identity and location. It may be that a single intruder uses multiple accounts to launch an attack, and that the behavior can be recognized as suspicious only if one knows that all of the activity emanates from a single source. For example, it is not particularly noteworthy if a user inquires about who is using a particular computer (e.g., using the UNIX who or finger command). However, it may be indicative of an attack if a user inquires about who is using each of the computers on a LAN and then subsequently logs into one of the hosts. Detecting this type of behavior requires attributing multiple sessions, perhaps with different account names, to a single source. For example, an intruder may use several different accounts on different machines during the course of an attack. Correlating data from several independent sources, including the network itself, can aid in recognizing this type of behavior and tracking an intruder to their source.

Fig. 7.1: Network User Identification (NID)

In particular, we must be able to determine that "smith@host1" is the same user as "jones@host2", if in fact they are. This problem is unique to the network environment and has not been dealt with before in this context. The solution to the multiple user identity problem is to create a network-user identification (NID) the first time a user enters the monitored environment, and then to apply that NID to any further instances of the user. All evidence about the behavior of any instance of the user is then accountable to the single NID. Since the network-user identification problem involves the collection and evaluation of data from both the host and LAN monitors, examining it is a useful method to understand the operation of DIDS. In the following subsections we examine each of the components of DIDS in the context of the creation and use of the NID.

7.3 THE HOST MONITOR

The host monitor is currently installed on Sun SPARC stations running SunOS 4.0.x with the Sun C2 security package. Through the C2 security package, the operating system produces audit records for virtually every transaction on the system. These transactions include file accesses, system calls, process executions, and logins. The contents of the Sun C2 audit record are: record type, record event, time, real user ID, audit user ID, effective user ID, real group ID, process ID, error code, return value, and label. The host monitor examines each audit record to determine if it should be forwarded to the expert system for further evaluation. Certain critical audit records are always passed directly to the expert system (i.e., notable events); others are processed locally by the host monitor (i.e., profiles and attack signatures, which are sequences of noteworthy events which indicate the symptoms of attacks) and only summary reports are sent to the expert system. One of the design objectives is to push as much of the processing as possible down to the low-level monitors.

Thus, the host event generator (HEG) creates a more abstract object called an event. The event includes any significant data provided by the original audit record plus two new fields: the action and the domain. The action and domain are abstractions which are used to minimize operating system dependencies at higher levels. Actions characterize the dynamic aspect of the audit records; domains characterize the objects of the audit records, in this case by their function. The actions are: session_start, session_end, read (a file or device), write (a file or device), execute (a process), terminate (a process), create (a file or (virtual) device), delete (a file or (virtual) device), move (rename a file or device), change_rights, and change_user_id. Note that no distinction is made between files, directories or devices, and that all of these are treated simply as objects. Not every action is applicable to every object; for example, the terminate action is applicable only to processes.

The domains are: tagged, authentication, audit, network, system, sys_info, user_info, utility, owned, and not_owned. The domains are prioritized so that an object is assigned to the first applicable domain. Tagged objects are ones which are thought a priori to be particularly interesting in terms of detecting intrusions. Any file, device, or process can be tagged (e.g., /etc/passwd). Authentication objects are the processes and files which are used to provide access control on the system (e.g., the password file). Similarly, audit objects relate to the accounting and security auditing processes and files. Network objects are the processes and files not covered in the previous domains which relate to the use of the network. System objects are primarily those which are concerned with the execution of the operating system itself, again exclusive of those objects already assigned to previously considered domains. Sys_info and user_info objects provide information about the system and about the users of the system, respectively. The utility objects are the bulk of the programs run by the users (e.g., compilers and editors). Owned objects are relative to the user. Not_owned objects are, by exclusion, every object not assigned to a previous domain. They are also relative to a user; thus, files in the owned domain relative to "smith" are in the not_owned domain relative to "jones". In most cases, the objects are files or devices and their domain is determined by the characteristics of the object or its location in the file system. Since processes can also be objects of an audit record, they are also assigned to domains.

The concept of the domain is one of the keys to detecting abuses. Using the domain allows us to make assertions about the nature of a user's behavior in a straightforward and systematic way. In general, the execution of an object in the utility domain is not interesting (except when the use is excessive), but the creation or modification of one is. All possible transactions fall into one of a finite number of events formed by the cross product of the actions and the domains, and each event may also succeed or fail. By mapping an infinite number of transactions to a finite number of events, we not only remove operating system dependencies, but also restrict the number of permutations that the expert system will have to deal with. The choice of these domains and actions is somewhat arbitrary in that one could easily suggest both finer and coarser grained partitions. However, they capture most of the interesting behavior for intrusion detection and correspond reasonably well with what other researchers in this field have found to be of interest. Although we lose some details provided by the raw audit information, that is more than made up for by the increase in portability, speed, simplicity, utility, and generality.

An event reported by a host monitor is called a host audit record (har). The record syntax is:

har(Monitor-ID, Host-ID, Audit-UID, Real-UID, Effective-UID, Time, Domain, Action, Transaction, Object, Parent Process, PID, Return Value, Error Code).

Of all the possible events, only a subset are forwarded to the expert system. The HEG consults external tables, which are built by hand, to determine which events should be forwarded to the expert system. Because they relate to events rather than to the audit records themselves, the tables and the modules of the HEG which use them are portable across operating systems. The only portion of the HEG which is operating system dependent is the module which creates the events. For the creation and application of the NID, it is the events which relate to the creation of user sessions or to a change in an account that are important. These include all the events with session_start actions, as well as ones with an execute action applied to the network domain. These latter events capture such transactions as executing the rlogin, telnet, rsh, and rexec UNIX programs.

Fig. 7.2: DIDS target environment
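The action/domain abstraction and the hand-built forwarding table described in 7.3, as an added illustration in Python that is not part of the report or of DIDS. The audit event names, the object paths, the domain membership rules and the forwarding table are all assumptions made for the example (the real HEG tables are not reproduced on the page); what the code does show faithfully is the prioritized domain assignment, the finite action x domain event space, the success/failure flag carried along, and the filtering of utility executions out of the stream sent to the expert system.

```python
from collections import namedtuple

# Raw record modelled on the Sun C2 audit fields named in the text
# (uids are shown as login names for readability; constructed data).
AuditRecord = namedtuple(
    "AuditRecord",
    "event time real_uid audit_uid effective_uid pid parent obj owner return_value error_code")

# har(Monitor-ID, Host-ID, Audit-UID, Real-UID, Effective-UID, Time, Domain,
#     Action, Transaction, Object, Parent Process, PID, Return Value, Error Code)
Har = namedtuple(
    "Har",
    "monitor host audit_uid real_uid effective_uid time domain action "
    "transaction obj parent pid return_value error_code")

# Assumed mapping from audit event type to DIDS action. In DIDS this is the
# only OS-dependent module of the HEG.
ACTION_OF = {
    "login": "session_start", "logout": "session_end",
    "open_r": "read", "open_w": "write", "execve": "execute",
    "exit": "terminate", "creat": "create", "unlink": "delete",
    "rename": "move", "chmod": "change_rights", "setuid": "change_user_id",
}

# Hypothetical object membership for a SunOS-like host.
TAGGED = {"/etc/passwd"}
AUTHENTICATION = {"/etc/passwd", "/bin/login", "/bin/su"}
AUDIT_PREFIXES = ("/var/audit/", "/etc/security/")
NETWORK = {"/usr/ucb/rlogin", "/usr/ucb/telnet", "/usr/ucb/rsh", "/usr/ucb/rexec"}
SYSTEM_PREFIXES = ("/vmunix", "/dev/", "/etc/")
SYS_INFO = {"/bin/uname", "/usr/bin/uptime"}
USER_INFO = {"/usr/ucb/who", "/usr/ucb/finger"}
UTILITY_PREFIXES = ("/bin/", "/usr/bin/", "/usr/ucb/")


def domain_of(obj, user, owner):
    """Assign obj to the FIRST applicable domain, in DIDS priority order.
    /etc/passwd is both tagged and an authentication object; priority makes
    it 'tagged'. owned/not_owned are relative to the acting user."""
    if obj in TAGGED:
        return "tagged"
    if obj in AUTHENTICATION:
        return "authentication"
    if obj.startswith(AUDIT_PREFIXES):
        return "audit"
    if obj in NETWORK:
        return "network"
    if obj.startswith(SYSTEM_PREFIXES):
        return "system"
    if obj in SYS_INFO:
        return "sys_info"
    if obj in USER_INFO:
        return "user_info"
    if obj.startswith(UTILITY_PREFIXES):
        return "utility"
    return "owned" if owner == user else "not_owned"


# Assumed forwarding table over (action, domain); "*" means any domain.
# Executing a utility is not forwarded; session starts, network executes and
# modifications of tagged/authentication/audit objects are.
FORWARD = {
    ("session_start", "*"), ("session_end", "*"), ("change_user_id", "*"),
    ("execute", "network"), ("execute", "authentication"),
    ("write", "tagged"), ("create", "tagged"), ("delete", "tagged"), ("move", "tagged"),
    ("write", "authentication"), ("write", "audit"), ("delete", "audit"),
}


def should_forward(har):
    return (har.action, "*") in FORWARD or (har.action, har.domain) in FORWARD


def make_har(rec, monitor="hm1", host="host1"):
    """Build the event: the audit data plus the two new fields, action and domain."""
    return Har(monitor, host, rec.audit_uid, rec.real_uid, rec.effective_uid,
               rec.time, domain_of(rec.obj, rec.real_uid, rec.owner),
               ACTION_OF[rec.event], rec.event, rec.obj, rec.parent, rec.pid,
               rec.return_value, rec.error_code)


def heg(records, monitor="hm1", host="host1"):
    """Host event generator: returns (all events, the subset sent to the director)."""
    events = [make_har(r, monitor, host) for r in records]
    return events, [e for e in events if should_forward(e)]


# Constructed audit trail for user smith on host1.
SAMPLE = [
    AuditRecord("login",  1, "smith", "smith", "smith", 100, 1,   "/dev/ttyp1",        "root",  0,  0),
    AuditRecord("execve", 2, "smith", "smith", "smith", 101, 100, "/usr/bin/cc",       "root",  0,  0),
    AuditRecord("open_r", 3, "smith", "smith", "smith", 101, 100, "/home/jones/notes", "jones", 0,  0),
    AuditRecord("open_w", 4, "smith", "smith", "smith", 102, 100, "/etc/passwd",       "root", -1, 13),  # failed
    AuditRecord("execve", 5, "smith", "smith", "smith", 103, 100, "/bin/su",           "root",  0,  0),
    AuditRecord("execve", 6, "smith", "smith", "smith", 104, 100, "/usr/ucb/rlogin",   "root",  0,  0),
]

if __name__ == "__main__":
    _, forwarded = heg(SAMPLE)
    for h in forwarded:
        print(h.action, h.domain, h.obj, "ok" if h.return_value == 0 else "FAILED")
```

Of the six records only four leave the host: the login, the failed write to the tagged password file, the execution of su, and the execution of rlogin (the network-domain execute that the NID logic needs). The compiler run and the read of another user's file stay local, which is the bandwidth saving the text attributes to the host monitor.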
Fig. 7.2 shows a generalized DIDS target environment. The DIDS architecture combines distributed monitoring and data reduction with centralized data analysis. In DIDS, the architecture consists of the DIDS director, a single host monitor per host, and a single LAN monitor for each broadcast LAN segment in the network which is monitored. The host and LAN monitors are responsible for the collection of evidence of suspicious activity, and the DIDS director is responsible for its evaluation. Reports are sent independently and asynchronously from the host and LAN monitors to the DIDS director through the communications architecture shown in figure 8.1. The director employs an expert system to detect possible intrusion attacks. The architecture provides bidirectional communication between the DIDS director and any monitor in the configuration. This architecture provides accountability by tying users to their actions. High level communication protocols between the components are based on the Common Management Information Protocol (CMIP) recommendations.

7.4 THE LAN MONITOR

The LAN monitor is currently a subset of UC Davis' Network Security Monitor. The LAN monitor observes each and every packet on its segment of the LAN and, from these packets, it is able to construct higher-level objects such as connections (logical circuits) and service requests using the TCP/IP or UDP/IP protocols. In particular, it audits host-to-host connections, services used, and volume of traffic per connection. Similar to the host monitor, the LAN monitor uses several simple analysis techniques to identify significant events which possibly lead to intrusive activity. The events include the use of certain services (e.g., rlogin and telnet) as well as activity by certain classes of hosts (e.g., a PC without a host monitor). The LAN monitor also uses and maintains profiles of expected network behavior. The profiles consist of expected data paths (e.g., which systems are expected to establish communication paths to which other systems, and by which service) and service profiles (e.g., what a typical telnet, mail, or finger is expected to look like). The LAN monitor also uses heuristics in an attempt to identify the likelihood that a particular connection represents intrusive behavior. These heuristics consider the capabilities of each of the network services, the level of authentication required for each of the services, the security level for each machine on the network, and signatures of past attacks. The abnormality of a connection is based on the probability of that particular connection occurring and the behavior of the connection itself.

The LAN monitor has several responsibilities with respect to the creation and use of the NID. The LAN monitor is responsible for detecting any connections related to rlogin and telnet sessions. Once these connections are detected, the LAN monitor forwards relevant security information to the director through its LAN agent. The LAN monitor can also be used to help track tagged objects moving across the network. Upon request, the LAN monitor can be used to verify the owner of a connection. Like the host monitor, the LAN monitor is also able to provide a more detailed examination of any connection, including capturing every character crossing the network (i.e., a wire-tap). This capability can be used to support a directed investigation of a particular subject or object. The SSO can also ask for a wire-tap on a certain network connection to monitor a particular user's behavior. A large amount of low level filtering and some analysis is performed by the host monitor to minimize the use of network bandwidth in passing evidence to the director.

An event reported by a LAN monitor is called a network audit record (nar). The record syntax is:

nar(Monitor-ID, Source_Host, Dest_Host, Service, Domain, Status, Time).
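To show how the har records of 7.3 and the nar records of 7.4 fit together when the director creates and propagates a NID, here is an added Python example; it is not DIDS code, and the time window, host names and records are constructed. It implements the rule the two sections state: a session_start on host B that follows a remote-login connection A -> B seen by the LAN monitor, which in turn follows a network-domain execute (rlogin, telnet, rsh or rexec) by an already-identified session on A, inherits that session's NID; any other session_start is a first entry into the monitored environment and gets a fresh NID. Only the har and nar fields the rule needs are modelled.

```python
from collections import defaultdict
from dataclasses import dataclass
import os


@dataclass(frozen=True)
class Har:
    """har fields used here: Host-ID, Real-UID, Time, Action, Domain, Object."""
    host: str
    uid: str
    time: int
    action: str
    domain: str
    obj: str


@dataclass(frozen=True)
class Nar:
    """nar fields used here: Source_Host, Dest_Host, Service, Time, Status."""
    src: str
    dst: str
    service: str
    time: int
    status: str


REMOTE_LOGIN = {"rlogin", "telnet", "rsh", "rexec"}


def assign_nids(hars, nars, window=5):
    """Create a NID the first time a user enters the monitored environment and
    carry it across remote-login hops. Returns (nid_of, parent, entry):
    nid_of maps (host, uid) -> NID, parent maps a session to the session it was
    launched from, entry records where each NID first appeared. `window` is an
    assumed bound (seconds) on how far apart matched events may be."""
    nid_of, parent, entry = {}, {}, {}
    next_nid = 1
    # Network-domain executes reported by host monitors, keyed by (host, client).
    client_execs = defaultdict(list)
    for h in hars:
        if h.action == "execute" and h.domain == "network":
            client_execs[(h.host, os.path.basename(h.obj))].append(h)
    for h in sorted(hars, key=lambda x: x.time):
        if h.action != "session_start":
            continue
        key = (h.host, h.uid)
        # LAN monitor evidence: an inbound remote-login connection just before the session.
        conns = [n for n in nars if n.dst == h.host and n.status == "open"
                 and n.service in REMOTE_LOGIN and 0 <= h.time - n.time <= window]
        conn = max(conns, key=lambda n: n.time, default=None)
        origin = None
        if conn is not None:
            # Host monitor evidence on the source side: which session ran the client?
            cands = [e for e in client_execs[(conn.src, conn.service)]
                     if 0 <= conn.time - e.time <= window and (e.host, e.uid) in nid_of]
            if cands:
                e = max(cands, key=lambda x: x.time)
                origin = (e.host, e.uid)
        if origin is not None:
            nid_of[key] = nid_of[origin]     # same network user, new local account
            parent[key] = origin
        else:
            nid_of[key] = next_nid           # first entry into the monitored domain
            entry[next_nid] = conn.src if conn is not None else "local"
            next_nid += 1
    return nid_of, parent, entry


def chain(key, parent):
    """Walk parent links back to the launching point of the attack."""
    path = [key]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return list(reversed(path))


def evidence_by_nid(hars, nid_of):
    """Every har about any instance of a user is accounted to its NID."""
    out = defaultdict(list)
    for h in hars:
        out[nid_of.get((h.host, h.uid))].append(h)
    return dict(out)


# Constructed records: smith logs in on host1, hops to host2 as jones and on to
# host3 as guest; lee is an unrelated local user; bob arrives from pc42, a
# machine outside the monitored domain, so his chain stops there.
HARS = [
    Har("host1", "smith", 1,  "session_start", "system",  "/dev/console"),
    Har("host3", "lee",   2,  "session_start", "system",  "/dev/console"),
    Har("host1", "smith", 5,  "execute",       "network", "/usr/ucb/rlogin"),
    Har("host2", "jones", 6,  "session_start", "system",  "/dev/ttyp0"),
    Har("host2", "jones", 10, "execute",       "network", "/usr/ucb/telnet"),
    Har("host3", "guest", 11, "session_start", "system",  "/dev/ttyp2"),
    Har("host2", "bob",   20, "session_start", "system",  "/dev/ttyp1"),
]
NARS = [
    Nar("host1", "host2", "rlogin", 5,  "open"),
    Nar("host2", "host3", "telnet", 10, "open"),
    Nar("pc42",  "host2", "telnet", 19, "open"),
]

if __name__ == "__main__":
    nid_of, parent, entry = assign_nids(HARS, NARS)
    for k, n in sorted(nid_of.items()):
        print(f"{k[1]}@{k[0]} -> NID {n} (entered via {entry[n]})")
    print("chain for guest@host3:", chain(("host3", "guest"), parent))
```

With these records "guest" on host3 is reported as the same network user as "smith" on host1, and the chain smith@host1 -> jones@host2 -> guest@host3 is recoverable, exactly the report the scenarios in 7.1 ask for. Bob's NID records pc42 as the entry point, which is as far back as an unmonitored source can be followed.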
CHAPTER 8 DISTRIBUTED INTRUSION DETECTION SYSTEM ARCHITECTURE

The DIDS architecture combines distributed monitoring and data reduction with centralized data analysis. This approach is unique among current IDSs. The components of DIDS are the DIDS director, a single host monitor per host, and a single LAN monitor for each broadcast LAN segment in the monitored network. The host and LAN monitors are primarily responsible for the collection of evidence of unauthorized or suspicious activity, while the DIDS director is primarily responsible for its evaluation. Reports are sent independently and asynchronously from the host and LAN monitors to the DIDS director through a communications infrastructure. The architecture also provides for bidirectional communication between the DIDS director and any monitor in the configuration. This communication consists primarily of notable events and anomaly reports from the monitors. The director can also make requests for more detailed information from the distributed monitors via a "GET" directive, and issue commands to have the distributed monitors modify their monitoring capabilities via a "SET" directive. High level communication protocols between the components are based on the ISO Common Management Information Protocol (CMIP) recommendations, allowing for future inclusion of CMIP management tools as they become useful. DIDS can potentially handle hosts without monitors, since the LAN monitor can report on the network activities of such hosts.

Like the host monitor, the LAN monitor consists of a LAN event generator (LEG) and a LAN agent. The LEG is currently a subset of UC Davis' NSM. Its main responsibility is to observe all of the traffic on its segment of the LAN to monitor host-to-host connections, services used, and volume of traffic. The LAN monitor reports on such network activity as rlogin and telnet connections, the use of security-related services, and changes in network traffic patterns.

The DIDS director consists of three major components that are all located on the same dedicated workstation. Because the components are logically independent processes, they could be distributed as well. The communications manager is responsible for the transfer of data between the director and each of the host and LAN monitors. It accepts the notable event records from each of the host and LAN monitors and sends them to the expert system. On behalf of the expert system or user interface, it is also able to send requests to the host and LAN monitors for more information regarding a particular subject. The expert system is responsible for evaluating and reporting on the security state of the monitored system. It receives the reports from the host and the LAN monitors, and, based on these reports, it makes inferences about the security of each individual host, as well as the system as a whole. The expert system is a rule-based system with simple learning capabilities. The director's user interface allows the System Security Officer (SSO) interactive access to the entire system. The SSO is able to watch activities on each host, watch network traffic (by setting "wire-taps"), and request more specific types of information from the monitors.

8.1 COMMUNICATION ARCHITECTURE

The communication architecture anticipates that a growing set of tools, including incident-handling tools and network-management tools, will be used in conjunction with the intrusion-detection functions of DIDS. Incident-handling tools may consist of possible courses of action to take against an attacker, such as cutting off network access, removal of system access, a directed investigation of a particular user, etc. This will give the SSO the ability to actively respond to attacks against the system in real-time. Network-management tools that are able to perform network mapping would also be useful.

Fig. 8.1: Communication Architecture
The architecture provides bidirectional communication between the DIDS director and any monitor in the configuration, and the communication consists of notable events and anomaly reports. The director makes requests for more detailed information from the distributed monitors. The host monitor consists of a host event generator and a host agent. The host event generator collects and analyzes audit records from the host operating system; the audit records are scanned for notable events, and the notable events are sent to the director for further analysis. The LAN monitor consists of a LAN event generator and a LAN agent. The LAN event generator is a subset of NSM and is responsible for observing all the traffic on its segment of the LAN in order to monitor host-to-host connections, services used and volume of traffic. The DIDS director consists of three major components, namely a communication manager, an expert system and a user interface. The communication manager is used to transfer data between the director and the monitors: it accepts the notable event records from each host and LAN monitor and sends them to the expert system. It also sends requests to the host and LAN monitors for information regarding a particular user. The expert system is responsible for evaluating and reporting the security state of the monitored system; it receives the reports from the host and the LAN monitors and makes inferences about the security of each individual host. The expert system has simple learning capabilities.

8.2 A STANDARD NETWORK INTRUSION DETECTION ARCHITECTURE

Fig. 8.2 shows the traditional sensor-based network intrusion detection architecture. A sensor is used to "sniff" packets off the network, where they are fed into a detection engine which will set off an alarm if any misuse is detected. These sensors are distributed to various mission-critical segments of the network. The sensor is usually a stand-alone machine or network device. A central console is used to collect the alarms from multiple sensors. However, in order to better understand the traditional sensor-based architecture, the lifecycle of a network packet should be examined. The packet is read, in real time, off the network through a sensor that resides on a network segment located somewhere between the two communicating computers.
The security officer is notified about the misuse. If a pattern is detected. visual. The alert is stored for correlation and review at a later time. DEPT. Data forensics is used to detect long-term trends.I. Reports are generated that summarize the alert activity. The response subsystem matches alerts to predefined responses or can take responses from the security officer. OF CSE / B. or through any other different method. Some systems allow archiving of the original traffic to replay sessions.T 34 .2: A Standard Network Intrusion Detection Architecture The network packet is created when one computer communicates with another. 8. A sensor-resident detection engine is used to identify predefined patterns of misuse. A response to the misuse is generated.DISTRIBUTED INTRUSION DETECTION SYSTEM BASED ON PROTOCOL ANALYSIS Fig. an alert is generated.L.T. pager. email. This can be done through a variety of methods including audible.
A new architecture for network intrusion detection was created that dealt with the performance problem on high speed networks by distributing sensors to every computer on the network. 8.T. OF CSE / B. In network-node intrusion detection each sensor is concerned only with packets directed at the target in which the sensor resides. A network packet is created.I.3 represents the network-node intrusion detection architecture. The sensors then communicate with each other and the main console to aggregate and correlate alarms. Reports are generated summarizing alert activity.3 DISTRIBUTED HOST RESIDENT INTRUSION DETECTION Fig. A response is generated. 8. The security officer is notified. these technologies were subject to packet loss on high speed networks. The packet is then fed into the detection engine located on the target machine.T 35 . DEPT. this network-node architecture has added to the confusion over the difference between network and host-based intrusion detection. A detection engine is used to identify pre-defined patterns of misuse. Network node agents communicate with each other on the network to correlate alarms at the console.L. A network sensor that is running on a host machine does not make it a host-based sensor. However. However. The alert is stored for later review and correlation. The packet is read in real-time off the network through a sensor resident on the destination machine. An agent is used to read packets off the TCP/IP stack layer where the packets have been reassembled. Data forensics is then used to look for long-term trends. Network packets directed to a host and sniffed at a host are still considered network intrusion detection. an alert is generated and forwarded to a central console or to other sensors in the network.DISTRIBUTED INTRUSION DETECTION SYSTEM BASED ON PROTOCOL ANALYSIS A few years ago all commercial network intrusion detection systems used promiscuous-mode sensors. If a pattern is detected.
Fig. 8.3: A Distributed Host Resident Intrusion Detection Architecture

However, the architectures require operational modes in order to operate. Operational modes describe the manner in which the intrusion detection system will operate and partially describe the end goals of monitoring. There are two primary operational modes for network-based intrusion detection: tip-off and surveillance. In tip-off mode the system is used to detect misuse as it is happening. This is the traditional context for intrusion detection systems. By observing patterns of behavior, suspicious behavior can be detected to "tip off" the officer that misuse may be occurring. The defining characteristic of tip-off is that the system is detecting patterns that have not been detected before. Unlike tip-off, surveillance takes place when misuse has already been suspected. Surveillance is characterized by an increased observance of the behavior of a small set of subjects. During surveillance, targets are observed more closely for patterns of misuse. Surveillance results from a tip-off from either the intrusion detection system or another indicator.
In order for there to be a tip-off, a data source needs to be searched for suspicious behavior. Host-based intrusion detection systems analyze data that originates on computers, such as application and operating system event logs and file attributes. Host data sources are numerous and varied, including operating system event logs, such as kernel logs, and application logs such as syslog. These host event logs contain information about file accesses and program executions associated with inside users. If protected correctly, event logs may be entered into court to support the prosecution of computer criminals.

There are many attack scenarios that host-based intrusion detection guards against. One of these scenarios is the abuse of privilege attack scenario. That is when a user has root, administrative or some other privilege and uses it in an unauthorized manner. Another scenario involves contractors with elevated privileges. Most security policies restrict nonemployees from having root or administrator privileges; however, it might be easier to elevate the user and reduce privileges later. This usually happens when an administrator gives a contractor elevated privileges to install an application. However, the administrator might forget to remove the privileges. A third attack scenario involves ex-employees utilizing their old accounts. Most organizations have policies in place to delete or disable accounts when individuals leave. However, they take time to delete or disable, leaving a window for a user to log back in. Another scenario involves modifying web site data. There have been many cases, against government agencies in particular, that result in uncomplimentary remarks posted on web sites. While these attacks originate from outside the network, they are perpetrated on the machine itself through alteration of data.

With a review of what attacks host-based intrusion detection systems prevent, it is important to examine the architecture to see how it prevents those attacks. Fig. 8.4 represents the typical life cycle of an event record running through a centralized host-based architecture, and Fig. 8.5 represents a distributed real-time host-based intrusion detection architecture. The difference between the two is that in Fig. 8.4 the raw data is forwarded to a central location before it is analyzed and, in Fig. 8.5, the raw data is analyzed in real time on the target first and then only alerts are sent to the command console. In the centralized architecture, data is forwarded to an analysis engine running independently from the target. There are advantages and disadvantages to each method. However, the best systems offer both types of processing.
8. processes the file. such as a file is opened or a program is executed like the text editor like Microsoft Word. This happens at predetermined time intervals over a secure connection. configured to match patterns of misuse. DEPT.4 A CENTRALIZED HOST-BASED INTRUSION DETECTION Fig.L. This occurs when an action happens. A log is created that becomes the data archive for all the raw data that will be used in prosecution.T 38 . OF CSE / B. The record is written into a file that is usually protected by the operating system trusted computing base.4: A Centralized Host-Based Intrusion Detection Architecture An even record is created. The detection engine. The target agent transmits the file to the command console.I.T.DISTRIBUTED INTRUSION DETECTION SYSTEM BASED ON PROTOCOL ANALYSIS 8.
A response is generated. this capacity is limited. or disabling an account.T. The security officer is notified. The response subsystem matches alerts to predefined responses or can take response commands from the security officer. shutting down a target. response. Responses include reconfiguring the system. When a predefined pattern is recognized. The lifecycle of an event record through a distributed real-time architecture is similar.L. Data forensics is used to search for long-term trends. Reports are generated. Some systems store statistical data as well as alerts. DEPT. except that the record is discarded after the target detection engine analyzes it. Reports are generated.DISTRIBUTED INTRUSION DETECTION SYSTEM BASED ON PROTOCOL ANALYSIS An alert is generated. This archive is cleared periodically to reduce the amount of disk space used. and storage. Data forensics is used to locate long-term trends and behavior is analyzed using both the stored data in the database and the raw event log archive. The storage is usually in the form of a database. However. The alert is stored. The advantage to this approach is that everything happens in real-time.I.T 39 . logging off a user. The raw data is transferred to a raw data archive. such as access to a mission critical file. because there is no raw data archive and no statistical data. Reports can be a summary of the alert activity. an alert is forwarded to a number of various subsystems for notification. OF CSE / B. The disadvantage is that the end users suffer from system performance degradation.
DISTRIBUTED INTRUSION DETECTION SYSTEM BASED ON PROTOCOL ANALYSIS 8. The response may be generated from the target or console. 8. Statistical behavioral data outside alert data are not usually available in this architecture. A response is generated.5: A Distributed Real-Time Host-Based Intrusion Detection Architecture An event record is created.T 40 . An alert is generated then sent to a central console. while others notify from a central console. OF CSE / B.I. The alert is stored. The security officer is notified.T. The file is read in real-time and processed by a target resident detection engine.L. Some systems notify directly from the target.5 A DISTRIBUTED REAL-TIME HOST-BASED INTRUSION DETECTION Fig. DEPT.
CHAPTER 9 THE EXPERT SYSTEM

DIDS utilizes a rule-based (or production) expert system. The expert system is currently written in Prolog, and much of the form of the rule base comes from Prolog and the logic notation that Prolog implies. The expert system uses rules derived from the hierarchical Intrusion Detection Model (IDM). The IDM describes the data abstractions used in inferring an attack on a network of computers. That is, it describes the transformation from the distributed raw audit data to high-level hypotheses about intrusions and about the overall security of the monitored environment. In abstracting and correlating data from the distributed sources, the model builds a virtual machine which consists of all the connected hosts as well as the network itself. This unified view of the distributed system simplifies the recognition of intrusive behavior which spans individual hosts. The model is also applicable to the trivial network of a single computer. The model is the basis of the rule base: it serves both as a description of the function of the rule base and as a touchstone for the actual development of the rules.

The IDM consists of 6 layers, each layer representing the result of a transformation performed on the data (see Table 9.1). The objects at the first level of the model are the audit records provided by the host operating system, by the LAN monitor, or by a third-party auditing package. The objects at this level are both syntactically and semantically dependent on the source. At the second level, the event (which has already been discussed in the context of the host and LAN monitor) is both syntactically and semantically independent of the source (a standard format for events). At this level, all of the activity on the host or LAN is represented.

The third layer of the IDM creates a subject. This introduces a single identification for a user across many hosts on the network. It is the subject who is identified by the NID. Upper layers of the model treat the network-user as a single entity, essentially ignoring the local identification on each host. Similarly, above this level, the collection of hosts on the LAN is generally treated as a single distributed system, with little attention being paid to the individual hosts.

Table 9.1: Intrusion Detection Model

The fourth layer of the model introduces the event in context. There are two kinds of context: temporal and spatial. The IDM, therefore, allows for the application of information about wall-clock time to the events it is considering. Wall-clock time refers to information about the time of day, weekdays versus weekends and holidays, as well as periods when an increase in activity is expected. As an example of temporal context, behavior which is unremarkable during standard working hours may be highly suspicious during off hours. In addition to the consideration of external temporal context, the expert system uses time windows to correlate events occurring in temporal proximity. This notion of temporal proximity implements the heuristic that a call to the UNIX who command followed closely by a login or logout is more likely to be related to an intrusion than either of those events occurring alone. Spatial context implies the relative importance of the source of events. That is, events related to a particular user, or events from a particular host, may be more likely to represent an intrusion than similar events from a different source. For instance, a user moving from a low-security machine to a high-security machine may be of greater concern than a user moving in the opposite direction. The model also allows for the correlation of multiple events from the same user or source. In both of these cases, multiple events are more noteworthy when they have a common element than when they do not.
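The temporal and spatial context checks of this layer, as an added Python example that is not part of the original report or of DIDS: the who-followed-by-login heuristic over a time window, an off-hours test, and low-to-high host moves. The working hours, window length, host security levels, host and user names and timestamps are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# an IDM level-2 event: a source-independent record of who did what, where and when
Event = namedtuple("Event", "when host user action")

WORK_HOURS = range(8, 18)                          # assumed working day, Monday to Friday
WINDOW = timedelta(seconds=60)                     # assumed temporal-proximity window
HOST_LEVEL = {"hostA": 1, "hostB": 3, "hostC": 1}  # assumed security level per host

def off_hours(ev):
    # external temporal context: a weekend, or outside the working day
    return ev.when.weekday() >= 5 or ev.when.hour not in WORK_HOURS

def who_then_session(events):
    # the heuristic from the text: a 'who' followed within WINDOW by a login or
    # logout of the same subject is more noteworthy than either event alone
    by_time, pairs = sorted(events, key=lambda e: e.when), []
    for i, first in enumerate(by_time):
        if first.action != "who":
            continue
        for later in by_time[i + 1:]:
            if later.when - first.when > WINDOW:
                break                                   # past the window: stop scanning
            if later.user == first.user and later.action in ("login", "logout"):
                pairs.append((first, later))            # common element: same network user
    return pairs

def escalating_moves(events):
    # spatial context: a subject last seen on a low-security host who then logs in
    # to a higher-security host is of more concern than a move the other way
    last_host, moves = {}, []
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_host.get(ev.user)
        if ev.action == "login" and prev and HOST_LEVEL[prev] < HOST_LEVEL[ev.host]:
            moves.append((ev.user, prev, ev.host))
        last_host[ev.user] = ev.host
    return moves

def concern(events):
    # one point per correlated who/session pair, one more if it happened off hours,
    # one per low-to-high move; the weights are an assumption, not from the text
    pairs = who_then_session(events)
    return sum(1 + int(off_hours(a) or off_hours(b)) for a, b in pairs) + len(escalating_moves(events))

# constructed sample events: 2024-03-04 is a Monday, 2024-03-09 a Saturday
SAMPLE = [
    Event(datetime(2024, 3, 4, 10, 0, 0), "hostA", "alice", "who"),
    Event(datetime(2024, 3, 4, 10, 0, 20), "hostB", "alice", "login"),  # in window, work hours
    Event(datetime(2024, 3, 4, 10, 5, 0), "hostA", "bob", "login"),     # no preceding who
    Event(datetime(2024, 3, 9, 2, 0, 0), "hostC", "carol", "who"),
    Event(datetime(2024, 3, 9, 2, 0, 45), "hostC", "carol", "login"),   # in window, off hours
    Event(datetime(2024, 3, 9, 2, 3, 0), "hostC", "carol", "logout"),   # three minutes later: outside
]
```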
The fifth layer of the model considers the threats to the network and the hosts connected to it. Events in context are combined to create threats. The threats are partitioned by the nature of the abuse and the nature of the target. In other words: what is the intruder doing, and what is he doing it to? Abuses are divided into attacks, misuses, and suspicious acts. Attacks represent abuses in which the state of the machine is changed. That is, the file system or process state is different after the attack than it was prior to the attack. Misuses represent out-of-policy behavior in which the state of the machine is not affected. Suspicious acts are events which, while not a violation of policy, are of interest to the IDS. For example, commands which provide information about the state of the system may be suspicious. The targets of abuse are characterized as being either system objects or user objects, and as being either passive or active. User objects are owned by non-privileged users and/or reside within a non-privileged user's directory hierarchy. System objects are the complement of user objects. Passive objects are files, including executable binaries, while active objects are essentially running processes.

At the highest level, the model produces a numeric value between one and 100 which represents the overall security state of the network. The higher the number, the less secure the network. This value is a function of all the threats for all the subjects on the system. Here again we treat the collection of hosts as a single distributed system. Although representing the security level of the system as a single value seems to imply some loss of information, in fact no information is lost, since the expert system maintains all the evidence used in calculating the security state in its internal database, and the SSO has access to that database. Thus, it provides a quick reference point for the SSO.

In the context of the network-user identification problem we are concerned primarily with the lowest three levels of the model: the audit data, the event, and the subject. The generation of the first two of these has already been discussed; the creation of the subject is the focus of the following subsection.

The expert system is responsible for applying the rules to the evidence provided by the monitors. In general, in the current implementation, the rules do not change during the execution of the expert system. What does change is a numerical value associated with each rule. This Rule Value (RV) represents our confidence that the rule is useful in detecting intrusions. These rule values are manipulated using a negative reinforcement training method which allows the expert system to continually lower the number of false attack reports. When a potential attack is reported by the expert system, the SSO determines the validity of the report and gives feedback to the expert system. If the report was deemed faulty, then the expert system lowers the RVs associated with the rules that were used to draw that conclusion. In addition to this directed training, which may lower some rule values, the system also automatically increases the RVs of all the rules on a regular basis. This recovery algorithm allows the system to adapt to changes in the environment as well as recover from faulty training.

The overall structure of the rule base is a tree rooted at the top. Thus, many facts at the bottom of the tree will lead to a few conclusions at the top of the tree. Logically the rules have the form:

    Antecedent => consequence

where the antecedent is either a fact reported by one of the distributed monitors, or a consequence of some previously satisfied rule. The antecedent may also be a conjunction of these. Disjunctive rules are not allowed; that situation is dealt with by having multiple rules with the same consequence. The syntax for rules is:

    rule(n,r,(single,[A]),(C)).

where n is the rule number, r is the initial RV, A is the single antecedent, and C is the consequence. Conjunctive rules have the form:

    rule(n,r,(and,[A1,A2,A3]),(C)).

where A1, A2, A3 are the antecedents and C is the consequence.

The expert system shell consists of approximately a hundred lines of Prolog source code. The shell is responsible for reading new facts reported by the distributed monitors, attempting to apply the rules to the facts and hypotheses in the Prolog database, reporting suspected intrusions, and maintaining the various dynamic values associated with the rules and hypotheses.
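The rule syntax and the Rule Value training described above, as an added Python example rather than the report's or DIDS's own Prolog: rules are tuples shaped like rule(n,r,(single|and,[A...]),(C)), the shell forward-chains monitor facts up the tree, a report the SSO deems faulty lowers the RVs of the rules behind it, and a periodic recovery raises all RVs again. The 0-100 RV scale, the firing threshold, the penalty and step sizes, and the rule tree in make_rules are assumptions.

```python
from collections import defaultdict

class ExpertSystem:
    # rules are tuples shaped like the text's rule(n, r, (single|and, [A...]), (C))
    def __init__(self, rules, threshold=50):
        self.rv = {n: r for n, r, _, _ in rules}          # the mutable Rule Value per rule
        self.body = {n: (tuple(ants), c) for n, _, (_, ants), c in rules}
        self.threshold = threshold  # assumed: a rule whose RV is below this is not applied

    def evaluate(self, monitor_facts):
        # forward-chain from the monitors' facts up the tree; returns the derived
        # hypotheses and, per hypothesis, the numbers of the rules that produced it
        known, support, changed = set(monitor_facts), defaultdict(set), True
        while changed:
            changed = False
            for n, (ants, c) in self.body.items():
                # antecedents are conjunctive; disjunction is several rules sharing
                # one consequence (rules 3 and 4 in make_rules)
                if self.rv[n] >= self.threshold and all(a in known for a in ants):
                    changed |= c not in known
                    known.add(c)
                    support[c].add(n)
        return known - set(monitor_facts), support

    def sso_feedback(self, hypothesis, support, valid, penalty=20):
        # negative reinforcement: a faulty report lowers the RV of every rule behind
        # it, directly or through intermediate hypotheses
        used, stack = set(), [] if valid else [hypothesis]
        while stack:
            for n in support.get(stack.pop(), ()):
                if n not in used:
                    used.add(n)
                    stack.extend(self.body[n][0])
        for n in used:
            self.rv[n] = max(0, self.rv[n] - penalty)

    def periodic_recovery(self, step=5):
        # the regular RV increase that lets the system recover from faulty training
        for n in self.rv:
            self.rv[n] = min(100, self.rv[n] + step)

def make_rules():
    # constructed rule tree: numbers, RVs (0-100 scale) and fact names are invented
    return [(1, 60, ("single", ["who_cmd"]), "recon"),
            (2, 60, ("single", ["failed_login"]), "probe"),
            (3, 60, ("and", ["recon", "probe"]), "attack_suspected"),
            (4, 60, ("single", ["new_setuid_binary"]), "attack_suspected")]

def demo():
    # is 'attack_suspected' reported before feedback, right after a false-alarm
    # verdict, and again after two recovery rounds?  -> (True, False, True)
    es, facts = ExpertSystem(make_rules()), {"who_cmd", "failed_login"}
    first, sup = es.evaluate(facts)
    es.sso_feedback("attack_suspected", sup, valid=False)  # rules 1-3 drop to RV 40
    second, _ = es.evaluate(facts)
    for _ in range(2): es.periodic_recovery()              # 40 -> 50, back at threshold
    third, _ = es.evaluate(facts)
    return ("attack_suspected" in first, "attack_suspected" in second, "attack_suspected" in third)
```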
9.1 ADVANTAGES

The distributed Intrusion Detection Model based on protocol analysis has the following advantages:

System structure is simple. The system consists of three modules: the Detect Module, the Process Module and the Response Module. Data transmission between the modules therefore needs few intermediate layers, which raises the transfer rate between the modules and greatly improves the data transmission speed.

Detection speed is fast. In the Detect Module, only the important characteristics of a packet are extracted and passed to the Process Module for processing, which saves resources in both the detection part and the Process Module. Because the rule base of the central part is built from the characteristics of these intrusion data, the matching speed can be greatly enhanced. The characteristic strings are short; their length is often only a small percentage of the length of the whole packet, so the rate at which the characteristics are transmitted per unit time is also greatly improved. When there is heavy traffic on the network, any delay in the detection and processing parts, or too long a matching time between the rule base and the data sent, means that a large part of the data will certainly not be detected. This gives an attacker an opportunity: by flooding the network with a large number of junk packets, the attacker can mix intrusion packets in with the junk so that they fall through the gaps in inspection. Under heavy network traffic the miss rate of general intrusion detection systems therefore increases sharply. This model uses a high-speed link, so even when there is a great deal of data to be processed at the same time, the system can still complete its matching tasks, detect intrusions in time, and improve the detection rate. This is a great advantage for intrusion detection.

9.2 COMPARISON OF DIFFERENT ARCHITECTURES

Table 9.2 summarizes the advantages and disadvantages of a centralized detection architecture. Its advantages include the following. There is little impact on the performance of the target machine because all the analysis happens elsewhere. Multi-host signatures are possible because the centralized engine has access to data from all targets. The centralized raw data can be used for prosecution, provided the integrity of the data is preserved.

Table 9.2: Advantages and Disadvantages of a Centralized Detection Architecture

Table 9.3 illustrates the advantages and disadvantages of a real-time distributed intrusion detection system. This table is a mirror image of Table 9.2 with a few minor additions.

Table 9.3: Advantages and Disadvantages of a Distributed Real-Time Architecture

Host-based and network-based systems are both required because they provide significantly different benefits. Detection, deterrence, response, damage assessment, attack anticipation and prosecution support are available to different degrees from the different technologies. Table 9.4 summarizes these differences.

Table 9.4: Comparing Network- and Host-Based Benefits
CONCLUSION

Intrusion detection technology based on protocol analysis has become one of the technologies for the next generation of intrusion detection systems. This paper presents a Distributed Intrusion Detection System based on protocol analysis which is simple in structure, fast in detection speed, efficient in detection, economical in resources, etc., and is an affordable intrusion detection system. However, the diversity of network intrusions makes complete detection impossible; in particular, because the rule base can only cover the intrusion characteristics that have been extracted, some intrusions are missed and go unrecognized. With the development of technology, the system must be able to follow the trend of network data and adapt to it, giving the system the functions of self-learning and adaptation. Research on Distributed Intrusion Detection is still at the initial stage; the protocol analysis presented in this paper can stimulate improvements in the performance of existing distributed intrusion detection systems, and should have some practical significance for the future of the Distributed Intrusion Detection System.
FUTURE WORK

The Distributed Intrusion Detection System (DIDS) is being developed to address the shortcomings of current single-host IDSs by generalizing the target environment to multiple hosts connected via a network (LAN). Intrusion detection systems designed for a network environment will become increasingly important as the number and size of LANs increase. Most current IDSs do not consider the impact of the LAN structure when attempting to monitor user behavior for attacks against the system. The prototype has demonstrated the viability of our distributed architecture in solving the network-user identification problem. The system was tested on a sub-network of Sun SPARC stations and correctly identified network users in a variety of scenarios. Work continues on the design, development, and refinement of rules, particularly those which can take advantage of knowledge about particular kinds of attacks. The initial prototype expert system has been written in Prolog, but it is currently being ported to CLIPS due to the latter's superior performance characteristics and easy integration with the C programming language. In support of the ongoing development of DIDS there is a plan to extend the model to a hierarchical Wide Area Network environment. In addition to the current host monitor, which is designed to detect attacks on general-purpose multi-user computers, there is the intention to develop monitors for application-specific hosts such as file servers and gateways, and to design a signature analysis component for the host monitors to detect events and sequences of events that are known to be indicative of an attack, based on a specific context.